Authenticated Encryption with Associated Data (AEAD)

Nimantha Fernando
7 min read · Jul 20, 2020


What AEAD is, and why it matters compared with traditional approaches.

AEAD stands for Authenticated Encryption with Associated Data. Authenticated Encryption (AE) is a scheme that provides both confidentiality and authenticity, typically using a single key. Even though AE provides confidentiality and integrity, it is still not secure against replay attacks. This is where Associated Data is added to the message so that it is authenticated together with the ciphertext. In the AEAD approach, a packet header travels alongside the ciphertext and must be authenticated with it.

Figure: AEAD encryption

Associated Data is the key difference between AEAD and the traditional approaches, which do not use Associated Data for authentication. Compared with those approaches, AEAD is more secure in terms of both authenticity and confidentiality. One of the most important details is that associated data doesn’t need to be stored or transmitted with the ciphertext: any context-dependent, non-secret value that both parties are able to infer correctly can serve as associated data. For example, if both parties are executing a complex protocol formulated as a state machine, so that each party can always tell its own state and the state an honest counterparty should be in, then those states can be used as AD.

There are several AE algorithms:

  • CCM (Counter with CBC-MAC)
  • GCM (Galois Counter Mode)
  • OCB (Offset Code Book)
  • Key Wrap
  • EAX
  • Encrypt-then-MAC (EtM)

How the key AEAD modes GCM and OCB work

GCM

GCM stands for Galois/Counter Mode. It is designed to be parallelizable for high throughput at low cost and low latency. GCM is built on a block cipher with a 128-bit block size, and it provides assurance of the authenticity of the confidential data for up to about 64 GB per invocation. GCM uses two functions:

  • GCTR (CTR mode with the counters set by a simple increment-by-one operation)
  • GHASH (a keyed hash function)

Both of these functions will be used within the algorithms for encryption and decryption in GCM mode.

GHASH algorithm

Input: bit string X such that len(X) = 128m for some integer m

Output: block Ym

Steps:

  1. Let X1, X2, …, Xm-1, Xm denote the unique sequence of blocks such that X = X1 || X2 || … || Xm-1 || Xm.
  2. Let Y0 be the ‘zero block’, 0^128.
  3. For i = 1, …, m, let Yi = (Yi-1 ⊕ Xi) · H, where · H is multiplication by the hash subkey H in the Galois field.
  4. Return Ym.

The following figure illustrates the GHASH function.

Figure: GHASH function

GCTR algorithm

Input: bit string X of arbitrary length, initial counter block ICB

Output: bit string Y of bit length len(X)

Steps:

  1. Let n = ⌈len(X) / 128⌉.
  2. Let X1, X2, …, Xn-1, Xn* denote the unique sequence of bit strings such that X = X1 || X2 || … || Xn-1 || Xn*; X1, X2, …, Xn-1 are complete blocks and Xn* may be a partial block.
  3. Let CB1 = ICB.
  4. For i = 2 to n, let CBi = inc(CBi-1).
  5. For i = 1 to n-1, let Yi = Xi ⊕ CIPHK(CBi).
  6. Let Yn* = Xn* ⊕ MSBlen(Xn*)(CIPHK(CBn)).
  7. Let Y = Y1 || Y2 || … || Yn*.
  8. Return Y.

The following figure illustrates the GCTR function.

Figure: GCTR function

Using both of these functions, the GCM algorithm performs authenticated encryption.

GCM algorithm

Input: valid initialization vector IV, valid plaintext P, valid additional authenticated data A

Output: ciphertext C, authentication tag T

Steps:

  1. Let H = CIPHK(0^128).
  2. Define a block J0 as follows:
     a) If len(IV) = 96, then J0 = IV || 0^31 || 1.
     b) If len(IV) ≠ 96, then J0 = GHASHH(IV || 0^(s+64) || [len(IV)]64), where s = 128·⌈len(IV)/128⌉ − len(IV).
  3. Let C = GCTRK(inc(J0), P).
  4. Let u = 128·⌈len(C)/128⌉ − len(C) and let v = 128·⌈len(A)/128⌉ − len(A).
  5. Define a block S as follows: S = GHASHH(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64).
  6. Let T = MSBt(GCTRK(J0, S)).
  7. Return (C, T).

At the beginning, the hash subkey H for the GHASH function is generated by applying the block cipher to the “zero” block. Then the pre-counter block J0 is generated from the initialization vector. If the IV is 96 bits, the padding string 0^31 || 1 is appended to the IV to form J0. If the IV is not 96 bits, the IV is padded with the minimum number of 0 bits so that its length is a multiple of the block size, 64 more 0 bits and the 64-bit length of the IV are appended, and the GHASH function is applied to this string to form J0. The incrementing function is then applied to J0 to produce the initial counter block for an invocation of the GCTR function on the plaintext; the output of this invocation is the ciphertext. The additional authenticated data and the ciphertext are each padded with the minimum number of 0 bits so that the bit lengths of the resulting strings are multiples of the block size, and the GHASH function is applied to the result to produce a single output block. This block is then encrypted using the GCTR function with the pre-counter block J0 from step 2, and the result is truncated to the specified tag length to form the authentication tag. Finally, the ciphertext and the tag are returned as the output.
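The GHASH and tag steps above, worked in Go as an added example that is not part of the original post: gfMul is the GF(2^128) multiplication of SP 800-38D, ghash is the GHASH algorithm of this section, and gcmTag (a name chosen here) carries out GCM steps 1, 2a, 4, 5 and 6 for a 96-bit IV and a full 128-bit tag, with the standard library's AES as CIPHK. Step 3, the GCTR pass over the plaintext, is left out, so gcmTag takes an already computed ciphertext C.

```go
package main

import "crypto/aes"
import "encoding/binary"

// gfMul is Algorithm 1 of SP 800-38D: x times y in GF(2^128) with R = 11100001 || 0^120.
func gfMul(x, y [16]byte) (z [16]byte) {
	vh, vl := binary.BigEndian.Uint64(y[:8]), binary.BigEndian.Uint64(y[8:])
	var zh, zl uint64
	for i := 0; i < 128; i++ {
		if x[i/8]&(0x80>>(i%8)) != 0 { // Z = Z xor V when bit x_i (x_0 = leftmost) is 1
			zh, zl = zh^vh, zl^vl
		}
		r := (vl & 1) * 0xE100000000000000 // V = V >> 1, then xor R if LSB(V) was 1
		vh, vl = vh>>1 ^ r, vl>>1 | vh<<63
	}
	binary.BigEndian.PutUint64(z[:8], zh)
	binary.BigEndian.PutUint64(z[8:], zl)
	return z
}
// ghash is GHASH_H over the concatenation of segs, each zero-padded to a block (the 0^v and 0^u of step 5).
func ghash(h [16]byte, segs ...[]byte) (y [16]byte) {
	for _, x := range segs {
		for i := 0; i < len(x); i += 16 { // Y_i = (Y_{i-1} xor X_i) . H, starting from Y_0 = 0^128
			for j := 0; j < 16 && i+j < len(x); j++ {
				y[j] ^= x[i+j]
			}
			y = gfMul(y, h)
		}
	}
	return y
}
// gcmTag (hypothetical helper) is GCM steps 1, 2a, 4, 5 and 6 for a 96-bit IV and a 128-bit tag.
func gcmTag(key, iv, a, ct []byte) [16]byte {
	c, err := aes.NewCipher(key)
	if err != nil || len(iv) != 12 {
		panic("gcmTag: need a valid AES key and a 96-bit IV")
	}
	var h, j0, ek [16]byte
	c.Encrypt(h[:], h[:]) // step 1: H = CIPH_K(0^128)
	copy(j0[:], iv)
	j0[15] = 1 // step 2a: J0 = IV || 0^31 || 1
	lens := binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(nil, uint64(len(a))*8), uint64(len(ct))*8)
	s := ghash(h, a, ct, lens) // steps 4-5: GHASH_H(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64)
	c.Encrypt(ek[:], j0[:])    // step 6: GCTR_K(J0, S) on a single block is CIPH_K(J0) xor S
	for i := range s {
		s[i] ^= ek[i]
	}
	return s // T = MSB_128(...), here the whole block
}
```

With a zero key, a zero 96-bit IV and empty A and C, gcmTag reproduces the tag of test case 1 of the GCM specification.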

The following figure illustrates GCM mode in authenticated encryption.

Figure: GCM operation

OCB

OCB is a block-cipher-based mode of operation that simultaneously provides both privacy and authenticity for a user-supplied plaintext. It achieves authenticated encryption in almost the same amount of time that CTR mode needs to achieve privacy alone, so one of the key objectives of OCB mode is efficiency. This efficiency is achieved by minimizing the number of block-cipher calls required per message and by allowing parallel operation on the blocks of a message.

Let M be the message we want to encrypt, A the associated data, K the OCB encryption key and N the 96-bit nonce. First, break M into 128-bit blocks, M = M1 … Mm.

The checksum is the 128-bit string Checksum = M1 ⊕ … ⊕ Mm. The tag length of the scheme (τ) is a number between 0 and 128. The encryption structure of OCB mode resembles ECB mode, but different offsets (Z1, Z2, …) are applied so that identical message blocks produce different ciphertext blocks.

Brief comparison of modes CCM, GCM, and OCB

CCM

  • Message authentication is done on the plaintext.
  • Encryption and MAC could happen in parallel but generally do not.
  • Performance costs essentially 2 × AES operations per block.
  • Cannot be parallelized.
  • CCM ciphers are available in OpenSSL as of TLS 1.3, but disabled by default.

GCM

  • GCM cipher suites are the most widely used worldwide: mandatory as of TLS 1.2 and used by default by most clients.
  • Message authentication is done on the ciphertext. In most implementations, authentication and decryption happen in parallel for performance reasons.
  • Performance costs 1 × AES operation and 1 × GHASH per block (GHASH is generally faster than AES).
  • Encryption and decryption of multiple blocks can be parallelized nicely.

OCB

  • The fastest of the three modes.
  • OCB is simple and clean and easy to implement in either hardware or software.
  • OCB accomplishes its work without bringing in the machinery of universal hashing.
  • In OCB, the plaintext, like the associated data, can be of any length.
  • OCB encrypts the plaintext without padding it to some convenient length.
  • OCB is online.

Present state of usage of the different modes

CCM

CCM mode is used in IEEE 802.11i (as CCMP, the encryption algorithm for WPA2), IPsec, TLS 1.2 and Bluetooth Low Energy (Bluetooth 4.0). It is also available for TLS 1.3 but not enabled by default in OpenSSL.

GCM

GCM mode is used in IEEE 802.1AE (MACsec) Ethernet security, IEEE 802.11ad, the ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, the IETF IPsec standards, SSH, and TLS 1.2 and 1.3. GCM is also included in NSA Suite B Cryptography and its 2018 replacement, the Commercial National Security Algorithm (CNSA) suite. The SoftEther VPN server and client, as well as OpenVPN since version 2.4, also use GCM mode.

OCB

OCB mode is listed as an optional method in the IEEE 802.11 wireless security standard as an alternative to CCM. OCB mode can be used without cost in software licensed under the GNU General Public License, as well as for any non-commercial, non-government application. The algorithm is also free to use in software not developed and not sold inside the US.


Contact me, Nimantha Fernando, on Twitter for any concerns.


Nimantha Fernando

computer engineering undergraduate, business development member at AIESEC in JLC , ENSHIN karate yellow belt holder