Authenticated encryption is when you sign a message with your private key forming a digital signature, then add that and the message together and encrypt it using the person your sending to’s public key so only they can access it.

Does Bitcoin use this? Or only send off the transaction with the digital signature?

Hi, I'm looking at a proposed fix for the lorawan IOT protocol.

This fix used authenticated encryption with aees-ccm-128 for both creating mac tags and encrypting.

The entire handshake protocol looks like this (lower part is cropped out since it is not that important):

https://preview.redd.it/hqp74fz40gy71.png?width=1049&format=png&auto=webp&s=eedd9685ee76bad7d91b63e9872c9d00956b60cd

But well, the mac tag for message 3 is for example made like:

mac = AES-CCM-128(k3,IV3, p1,A)

Where k3 is a key, IV3 is a an init vector, and p1 is a empty string, and A is called "associated data" and is some data connected to the current message

Then encryption is made like:

C = AES-CCM-128(k3,IV, p2, A2)

So, here it basically does the same thing, except that p2 is not an empty string, and now contains the mac.

Firstly, I understand that aes-ccm gives us authenticated encrpytion. But I was thinking that since it is authenticated, why do we then need to run it twice? once for mac tag and then once for encryption?

And then I was wondering what the two last argument are made for? both the "p" and "A" fields are things that are passed to the encryption, but I don't understand why they are given in two pairs? arent they just both things to be encrypted?

This all started with RFC 8439 (previously RFC 7539), that describes an AEAD construction using Chacha20 and Poly1305. My problem with this RFC is, they modified Daniel Bernstein's original design a little bit: the 64-bit nonce and 64-bit counter have been replaced by a 96-bit nonce and 32-bit counter.

This modification bothers me. At a first glance, it has nothing but drawbacks: 96 bits nonces may be bigger, but they're still not big enough to be selected at random. On the other hand, reducing the counter to 32-bits puts practically attainable limits to message lengths (256 GiB).

The RFC itself tells us they did it to be "more consistent" with RFC 5116, which recommends (but does not mandate) 96-bit nonces. It also gives some insight about how nonces might be designed. Here's what they recommend:

• Implementations should support 96-bit nonces.
• Nonces should be divided in a fixed part, and a counter part.
• The fixed part identifies the device who performs encryption, and must remain unchanged.
• The counter part should be monotonically increasing (like a counter).
• The counter part should be 32-bit wide.

We can see how this enables group discussion among several devices that trust each other: mutable state stays local to each device, and we guaranteed nonce will not be reused.

There's also advice about how to handle partially implicit nonces (that aren't entirely transmitted over the network, but partially inferred from context):

• The fixed part is divided into a fixed common sub-part and a fixed distinct sub-part.
• The common sub-part is identical for all devices, and may be implicit (not sent over the network).
• The distinct sub-part must be different for all devices, and must be explicit.
• The counter must be explicit.

They did all this to follow what was reputed to be best practice at the time (2008, so DJB's Salsa and Chacha were brand new). We could see then why we'd want 96-bit nonces. Thing is, I'm not sure I agree with RFC 5116:

• Limiting the counter part of the nonce to 32-bits puts a practical limit on the number of message we can send. 4 billion is an easy to exceed number.
• Reserving 64-bit for the fixed part seems way overkill. 8 bits (up to 256 devices) potentially covers most use cases. Even if it doesn't, 16 bits ought to be enough (beyond 65K participant, the secret key is not so secret any more).

It see

What is authenticated encryption? I understand what confidentiality gives, but it talks about something called the authenticity of data.... what exactly does that mean? Is it integrity? or some form of authentication? I have looked around and seem to be getting mixed message regarding the meaning.

in this wikipedia article there are various options, but not a simple E(M, H(M)) (where E is symmetric encryption, H is a cryptographic hash function and , is concatenation) for providing both encryption and authentication. Could you tell me why is that not enough? What are the possible attacks against it?

• GitHub: https://github.com/iqlusioninc/aes-sid
• Rust implementation: https://crates.io/crates/aes-sid
• /r/rust thread: https://www.reddit.com/r/rust/comments/fyndol/ann_aessid_v010_aesbased_synthetic_ids/

Background

Many databases use auto-incrementing primary keys to identify records. This is extremely convenient for many reasons but has some security drawbacks:

• Leaks information (e.g. record count, lexicographic ordering of records)
• URLs containing such identifiers are guessable

The latter has been a longstanding source of problems, such as leaking the e-mail addresses of all iPad users to the recent "Zoom Bombing" problem.

Many schemes exist to "mask"/"encrypt" integers. These range from awful (e.g. fixed XOR mask) to slightly less awful (AES in ECB mode). AES-SID provides a scheme using authenticated encryption, ensuring identifiers are non-malleable and therefore offer the attacker only chance advantage at guessing one correctly.

Construction

AES-SID is an experimental scheme I started working on as a "pandemic project" shortly before the "Zoom Bombing" phenomenon started gaining a lot of attention, which so happens to be potentially applicable to solving it. Zoom URLs are low-entropy and easily guessable/enumerable (among other issues), problems which can be addressed by converting them into higher entropy uniformly random IDs. By using a deterministic ID encryption scheme for this purpose, the encrypted IDs can be serialized as UUIDs in a way that's straightforward to retrofit onto systems based on integer primary keys.

AES-SID is a simplification of the original AES-SIV "key wrapping" scheme designed by Phil Rogaway and described in the paper and described in the paper The SIV Mode of Operation for Deterministic Authenticated-Encryption (Key Wrap) and Misuse-Resistant Nonce-Based Authenticated-Encryption.

Here is a pseudocode description of the scheme (see the project repo for a full comparison of AES-SIV vs AES-SID):

enc_key = KDF(key, 0, Kenclen)
prf_key = KDF(key, Kenclen, Ktotal)
siv = PRF(prf_key, plaintext)[0..8bytes]
ciphertext = siv || AES-CTR(enc_key, siv, plaintext)

Where the terms (not already described above) are as fol

I'm working on a lightweight protocol that needs authentication and encryption of packets. The problem is essentially authenticated encryption with associated data, where the header information is the associated data that needs to be authenticated but not encrypted. I had an idea for how to accomplish this but I can't seem to find any information on anyone doing it the same way - which is concerning. I can still change tack to the classic encrypt-then-MAC approach, but I'm trying to understand what the drawbacks are of my approach.

The packet would be laid out in 2 sections: a header that is not encrypted that contains a nonce and a CRC of the plaintext, and the payload which is encrypted. Both sections must be authenticated.

Overview of structure

My plan is to use BLAKE2xs as the cryptographic hash, which can be used as a KDF. The basic premise of the idea is that the shared secret AND the associated data are used as the input to the BLAKE2xs KDF, and an output key is generated that is the same length as the payload. That key is XORed with the payload to keep it confidential.

During reception the first step would be to run the KDF with the associated data & secret, then XOR the resulting key with the payload. The CRC of the plaintext is then verified.

The advantage I see with this approach is that I'm not running multiple cryptographic operations on my microcontroller for each packet. The potential disadvantages I see are that the KDF+XOR encryption perhaps isn't strong, and I think it runs afoul of the "cyptographic doom principle" since the authentication step happens after decryption.

I couldn't find any information on similar schemes online, so I haven't seen any analysis of it. My assumption is that it is not used because it is severely flawed. Are there disadvantages I'm not seeing, or are the disadvantages I listed more damning than I realize? Thanks for taking a look.

Using something like ChaCha20-Poly1305,

I understand you encrypt with a nonce+key and then get ciphertext+Mac...

Does this mean your partner needs the same MAC secret on their side to verify? if so using modern libs, how is it recommended to transmit the MAC?

Thanks

_BP

I've just released version v0.3.1 of the chacha20 and chacha20poly1305 crates by the RustCrypto Project (the new without-a-hyphen GitHub Org , not the old with-a-hyphen unmaintained crate).

This is the biggest release in awhile and includes the following noteworthy announcements:

chacha20 v0.3.1 - shoot-yourself-in-the-foot unauthenticated stream cipher used to implement chacha20poly1305 (and now also provides CryptoRng)

• All dependencies (stream-cipher, rand_core, and zeroize) are now optional, and the rng feature now depends exclusively on the rand_core crate. With chacha20 = { version = "0.3", default-features = false, features = ["rng"] }, the only dependency is the rand_core crate.
• The buffering logic has been dramatically improved. The RNG no longer performs any buffering whatsoever.
• ChaCha8 / ChaCha8Rng / ChaCha8RngCore and ChaCha12 / ChaCha12Rng / ChaCha12RngCore are now available.
• It now supports an AVX2 backend (implemented in terms of core::arch intrinsics) which brings its performance to ~1.4 cycles/byte when using that backend. The implementation is based on Goll, M., and Gueron,S.: Vectorization of ChaCha Stream Cipher (2013). Below is the performance improvement over the previous SSE2 backend according to criterion: Benchmark Results

If you'd like to use it for a CryptoRng, particularly with the high-performance ChaCha8Rng, it now has first-class support under the rng feature, and ideally could be the ChaCha RNG provider for the rand crate.

chacha20poly1305 v0.3.1 - high-level AEAD mode intended to be directly used in applications

• ChaCha8Poly1305/ChaCha12Poly1305 reduced round variants
• Upgrade to chacha20 v0.3; adds AVX2 backend w\ +60% perf : Benchmark Results

While benchmarking Monocypher, I've noticed strange (yet consistent) timings from libsodium (on my core i5 skylake laptop):

Chacha20         :  1925 megabytes  per second
Poly1305         :  1191 megabytes  per second
Auth'd encryption:  1016 megabytes  per second

The benchmark uses crypto_stream_chacha20_xor(), crypto_onetimeauth(), and crypto_aead_xchacha20poly1305_ietf_encrypt_detached() respectively.

I've looked ath their AEAD function, and it looks like a straightforward implementation that just uses their chacha20 and poly1305 algorithms. But if they did that, I would expect authenticated encryption to have a throughput of only 736 megabytes per second (1/ (1/1925 + 1/1191)). Monocypher, on the same benchmark, follow this rule (chacha20 is much slower, but the timings make sense).

So there's an unexplained 300 megabytes per second here, and I have no idea where it might come from. Surely libsodium doesn't use faster core algorithms for authenticated encryption? I though it would combine them in clever ways, but it doesn't look like it does. Any idea what might be going on here?

(For reference, here's the benchmark's source code, in case someone finds a flaw.)

The ciphers I am currently looking into are: Simon, Aes-copa, OMAC

Hi all, I've used lots of signed cookies (e.g HMAC) and JSON Web Tokens (JWTs).

They're great for storing sessions without a database! ...as long as you don't have sensitive information inside, because it's all visible to the client.

So, how about not just signing, but also encrypting?

My research is pointing me to aes-256-gcm as good algorithm that both encrypts and signs a plaintext. The aes-256 part is a standard algorithm, and the gcm part means that it also allows to verify the authenticity of the message (which apparently isn't a given with other algorithms).

Here's my understanding of how the process works on node.js, and I'm looking for feedback.

• Start with a JSON payload, which contains the session contents.
• Generate a random 12-byte initialization vector.
• Encrypt the payload with aes-256-gcm (crypto.createCipheriv('aes-256-gcm', key, iv))
• Get the "authentication tag" which serves as the authenticity signature (cipher.getAuthTag())

The result is 3 values, which can be then base64 encoded and concatenate together to form a signed, encrypted token:

1. The initialization vector
2. The auth tag
3. The ciphertext

Decryption uses crypto.createDecipheriv('aes-256-gcm', key, iv) and decipher.setAuthTag(authTag) which succeeds if the authentication tag is verified, and throws an exception otherwise.

I'm looking for feedback on this process. Is this a proper use of GCM? Does this make cryptographic sense?

Inside the payload, JWT claims can be used (like an expiry time) and can be checked as a second step, after decryption.

Are there caveats I should look out for? Is this paying a high price in performance, as opposed to just HMAC signing? Does the tradeoff make sense?

Announcing the initial release of aes-sid: an experimental scheme providing a non-malleable encoding of 64-bit integers as 128-bit ciphertexts (or UUIDs):

• GitHub: https://github.com/iqlusioninc/aes-sid
• crates.io: https://crates.io/crates/aes-sid
• docs.rs: https://docs.rs/aes-sid/
• /r/crypto discussion: https://www.reddit.com/r/crypto/comments/fyn8cs/aesbased_synthetic_ids_aessid_authenticated/?

Many databases use auto-incrementing primary keys to identify records. This is extremely convenient for many reasons but has some security drawbacks:

• Leaks information (e.g. record count, lexicographic ordering of records)
• URLs containing such identifiers are guessable

The latter has been a longstanding source of problems, such as leaking the e-mail addresses of all iPad users to the recent "Zoom Bombing" problem.

Many schemes exist to "mask"/"encrypt" integers. These range from awful (e.g. fixed XOR mask) to slightly less awful (AES in ECB mode). AES-SID provides a scheme using authenticated encryption, ensuring identifiers are non-malleable and therefore offer the attacker only chance advantage at guessing one correctly.

AES-SID provides a deterministic, non-malleable encryption of integers as uniformly random 128-bit strings, which can be conveniently serialized as UUIDs.

Note that this is an experimental scheme which is presently explicitly labeled as "DO NOT USE THIS CODE IN PRODUCTION!" until I'm able to solicit more feedback on it. With that said I believe this approach represents the state-of-the-art in solving this problem.