KR-102965275-B1 - AUTHENTICATED ENCRYPTION METHOD AND APPARATUS THEREOF
Abstract
An authenticated encryption method is provided according to an embodiment of the present application. The method may include the steps of: obtaining an encryption key, a plaintext, associated data, a first nonce, and a second nonce; generating an original authentication tag by applying a hash function to an authentication target message comprising the plaintext, the associated data, and the second nonce; generating a keystream for encrypting the plaintext and the original authentication tag with a block cipher based on the encryption key and the first nonce; generating a ciphertext by combining the plaintext with a first portion of the keystream; and generating an encrypted authentication tag by combining the original authentication tag with a second portion of the keystream.
Inventors
- 김호원
- 손준영
- 강은세
- 고세화
Assignees
- 부산대학교 산학협력단
Dates
- Publication Date
- 2026-05-13
- Application Date
- 2025-11-10
Claims (14)
- An authenticated encryption method, comprising: obtaining an encryption key, a plaintext, associated data, a first nonce, and a second nonce; generating an original authentication tag by applying a hash function to an authentication target message comprising the plaintext, the associated data, and the second nonce; generating a keystream for encrypting the plaintext and the original authentication tag with a block cipher based on the encryption key and the first nonce; generating a ciphertext by combining the plaintext with a first portion of the keystream; and generating an encrypted authentication tag by combining the original authentication tag with a second portion of the keystream, wherein generating the keystream comprises generating an initial counter block by concatenating a predetermined bit sequence to the first nonce, generating each subsequent counter block by incrementing a portion of the value of the preceding counter block, and encrypting each counter block with the block cipher.
- The method of claim 1, wherein generating the original authentication tag comprises generating the authentication target message by sequentially concatenating plaintext length information and the plaintext, associated data length information and the associated data, and second nonce length information and the second nonce.
- The method of claim 1, wherein the second nonce is a one-time secret value generated uniquely for each record to be encrypted.
- The method of claim 1, wherein the first nonce and the second nonce are derived from a common secret value through domain separation so as to be computationally independent of each other.
- (Deleted)
- The method of claim 1, wherein the initial counter block is generated by sequentially concatenating a first predetermined bit sequence and a second predetermined bit sequence to the first nonce.
- The method of claim 1, further comprising transmitting the ciphertext and the encrypted authentication tag.
- The method of claim 1, wherein the hash function can be selected or replaced independently of the block cipher.
- The method of claim 1, wherein the hash function is a cryptographic hash function satisfying preimage resistance, second-preimage resistance, and collision resistance.
- An authenticated encryption method, comprising: obtaining a ciphertext, an encrypted authentication tag, an encryption key, a first nonce, a second nonce, and associated data; restoring a keystream based on the encryption key and the first nonce; restoring a plaintext candidate by combining the ciphertext with a first portion of the keystream; restoring an original authentication tag candidate by combining the encrypted authentication tag with a second portion of the keystream; calculating a verification authentication tag by applying a hash function to a verification message comprising the plaintext candidate, the associated data, and the second nonce; and determining the validity of the plaintext candidate by comparing whether the original authentication tag candidate and the verification authentication tag match, wherein restoring the keystream comprises generating an initial counter block by concatenating a predetermined bit sequence to the first nonce, generating each subsequent counter block by incrementing a portion of the value of the preceding counter block, and encrypting each counter block with a block cipher.
- The method of claim 10, wherein the comparison of the original authentication tag candidate with the verification authentication tag is performed as a constant-time comparison.
- A computer program stored on a computer-readable recording medium for executing the method of any one of claims 1 to 4 and 6 to 11.
- An authenticated encryption device, comprising: a memory storing a program for performing authenticated encryption; and a processor that, by executing the program, obtains an encryption key, a plaintext, associated data, a first nonce, and a second nonce; applies a hash function to an authentication target message comprising the plaintext, the associated data, and the second nonce to generate an original authentication tag; generates a keystream for encrypting the plaintext and the original authentication tag with a block cipher based on the encryption key and the first nonce; generates a ciphertext by combining the plaintext with a first portion of the keystream; and generates an encrypted authentication tag by combining the original authentication tag with a second portion of the keystream, wherein the processor generates the keystream by generating an initial counter block by concatenating a predetermined bit sequence to the first nonce, generating each subsequent counter block by incrementing a portion of the value of the preceding counter block, and encrypting each counter block with the block cipher.
- An authenticated encryption device, comprising: a memory storing a program for performing authenticated encryption; and a processor that, by executing the program, obtains a ciphertext, an encrypted authentication tag, an encryption key, a first nonce, a second nonce, and associated data; restores a keystream based on the encryption key and the first nonce; restores a plaintext candidate by combining the ciphertext with a first portion of the keystream; restores an original authentication tag candidate by combining the encrypted authentication tag with a second portion of the keystream; calculates a verification authentication tag by applying a hash function to a verification message comprising the plaintext candidate, the associated data, and the second nonce; and determines the validity of the plaintext candidate by comparing whether the original authentication tag candidate and the verification authentication tag match, wherein the processor restores the keystream by generating an initial counter block by concatenating a predetermined bit sequence to the first nonce, generating each subsequent counter block by incrementing a portion of the value of the preceding counter block, and encrypting each counter block with a block cipher.
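The following is an added worked example of the construction as the claims describe it: encryption per claim 1, the length-prefixed authentication target message of claim 2, nonce derivation with domain separation per claim 4, and decryption with a constant-time tag comparison per claims 10 and 11. It is not code from the patent or its inventors. Widths the claims leave open are assumptions, labelled in the code: a 96-bit first nonce, a 32-bit counter field starting at 1, 64-bit big-endian length prefixes, and the domain-separation labels. The block cipher is stood in by an HMAC-SHA256-based PRF truncated to 128 bits so the example runs with only the Python standard library; a deployment would substitute a real block cipher such as AES-128 through the same `enc` parameter. SHA-256 is the default hash and, as claim 8 allows, can be swapped for another hash (the demo uses SHA3-256) without touching the keystream.

```python
import hashlib
import hmac
from typing import Any, Callable, Optional, Tuple

BLOCK_LEN = 16    # 128-bit block cipher output
NONCE1_LEN = 12   # assumption: 96-bit first nonce
CTR_LEN = 4       # assumption: 32-bit counter field, incremented once per block
LEN_FIELD = 8     # assumption: lengths are 64-bit big-endian byte counts

BlockCipher = Callable[[bytes, bytes], bytes]

def block_cipher_stand_in(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K (AES-128 in a real deployment): HMAC-SHA256 truncated
    to one block. A PRF is all counter mode needs, and it keeps this example
    free of third-party packages."""
    if len(block) != BLOCK_LEN:
        raise ValueError("block must be %d bytes" % BLOCK_LEN)
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_LEN]

def keystream(key: bytes, nonce1: bytes, nbytes: int,
              enc: BlockCipher = block_cipher_stand_in) -> bytes:
    """Claims 1 and 6: counter block i = nonce1 || counter(i); only the counter
    field changes between blocks. Exhausting the counter is an error, not a
    wrap, because a wrapped counter would repeat keystream under this nonce."""
    if len(nonce1) != NONCE1_LEN:
        raise ValueError("first nonce must be %d bytes" % NONCE1_LEN)
    out = bytearray()
    counter = 1
    while len(out) < nbytes:
        if counter >= 1 << (8 * CTR_LEN):
            raise OverflowError("counter exhausted for this nonce")
        out += enc(key, nonce1 + counter.to_bytes(CTR_LEN, "big"))
        counter += 1
    return bytes(out[:nbytes])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def auth_message(plaintext: bytes, ad: bytes, nonce2: bytes) -> bytes:
    """Claim 2: len(P)||P || len(AD)||AD || len(N2)||N2. The length prefixes
    make field boundaries unambiguous, so a (P, AD) pair cannot be re-split."""
    def ld(x: bytes) -> bytes:
        return len(x).to_bytes(LEN_FIELD, "big") + x
    return ld(plaintext) + ld(ad) + ld(nonce2)

def encrypt(key: bytes, plaintext: bytes, ad: bytes, nonce1: bytes, nonce2: bytes,
            hash_fn: Callable[..., Any] = hashlib.sha256,
            enc: BlockCipher = block_cipher_stand_in) -> Tuple[bytes, bytes]:
    """Claim 1: hash the target message, then mask plaintext and tag with
    disjoint slices of one counter-mode keystream."""
    tag = hash_fn(auth_message(plaintext, ad, nonce2)).digest()
    ks = keystream(key, nonce1, len(plaintext) + len(tag), enc)
    ciphertext = xor_bytes(plaintext, ks[:len(plaintext)])
    enc_tag = xor_bytes(tag, ks[len(plaintext):])
    return ciphertext, enc_tag

def decrypt(key: bytes, ciphertext: bytes, enc_tag: bytes, ad: bytes,
            nonce1: bytes, nonce2: bytes,
            hash_fn: Callable[..., Any] = hashlib.sha256,
            enc: BlockCipher = block_cipher_stand_in) -> Optional[bytes]:
    """Claims 10 and 11: recover the candidates, recompute the tag over the
    candidate plaintext, compare in constant time. Returns None on failure
    and never releases an unverified plaintext candidate."""
    if len(enc_tag) != hash_fn().digest_size:
        return None
    ks = keystream(key, nonce1, len(ciphertext) + len(enc_tag), enc)
    pt_candidate = xor_bytes(ciphertext, ks[:len(ciphertext)])
    tag_candidate = xor_bytes(enc_tag, ks[len(ciphertext):])
    tag_verify = hash_fn(auth_message(pt_candidate, ad, nonce2)).digest()
    if not hmac.compare_digest(tag_candidate, tag_verify):
        return None
    return pt_candidate

def derive_nonces(secret: bytes, record_no: int) -> Tuple[bytes, bytes]:
    """Claim 4: both nonces from one shared secret and a record counter, with
    distinct labels for domain separation (the labels are an assumption)."""
    ctx = record_no.to_bytes(8, "big")
    n1 = hmac.new(secret, b"nonce1|" + ctx, hashlib.sha256).digest()[:NONCE1_LEN]
    n2 = hmac.new(secret, b"nonce2|" + ctx, hashlib.sha256).digest()
    return n1, n2

if __name__ == "__main__":
    key = bytes(range(16))                                  # constructed demo key
    n1, n2 = derive_nonces(b"constructed session secret", 7)
    ct, et = encrypt(key, b"attack at dawn", b"record-7", n1, n2)
    print(decrypt(key, ct, et, b"record-7", n1, n2))        # b'attack at dawn'
    print(decrypt(key, ct, et, b"record-8", n1, n2))        # None: AD mismatch
```

Two properties the claims state are load-bearing here. The hash itself is unkeyed, so the second nonce is the only secret in the tag computation and must be a fresh secret per record (claim 3). The first nonce must never repeat under one key, because counter mode would otherwise reuse keystream for both the plaintext and the tag mask. The decryption path returns None on any mismatch, whether the ciphertext, the encrypted tag, the associated data or the second nonce was altered, and does so only after a constant-time comparison (claim 11).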
Description
Authenticated Encryption Method and Apparatus Thereof

This application relates to an authenticated encryption method and apparatus.

Authenticated Encryption with Associated Data (AEAD) is a symmetric-key cryptographic technique that guarantees both the confidentiality and the integrity of data. AEAD is essential in modern security protocols such as Transport Layer Security (TLS) 1.3, and as encryption of internet traffic becomes universal, the computational efficiency of AEAD has a growing impact on overall system performance. The standard AEAD schemes in wide use today are AES-GCM (Galois/Counter Mode), ChaCha20-Poly1305, and AES-CCM (Counter with CBC-MAC). These schemes share a limitation: the encryption layer and the MAC (Message Authentication Code) layer cannot be separated. Because each scheme's interoperability and security rest on the specific combination of its encryption layer and MAC layer, neither is preserved if the MAC layer is replaced arbitrarily.

Specific problems follow from such fixed MAC layers. AES-GCM fixedly combines counter mode as the encryption layer with GHASH as the MAC layer. GHASH is a polynomial hash over the finite field GF(2^128), implemented with carry-less multiplication (CLMUL). This gives excellent performance on CPUs with dedicated acceleration instructions such as CLMUL, but on platforms without such acceleration GHASH becomes the performance bottleneck and still cannot be swapped for another authentication method.

ChaCha20-Poly1305 fixedly couples the ChaCha20 encryption layer with the Poly1305 MAC layer. Since Poly1305 uses general-purpose arithmetic rather than dedicated cryptographic instructions, it is considered a good alternative in pure-software environments. However, because Poly1305 relies internally on modular multiplication, it is most efficient on platforms with wide integer multipliers; on platforms that are not optimized for modular multiplication, users still cannot select a MAC layer other than Poly1305.

AES-CCM fixedly combines counter mode as the encryption layer with CBC-MAC as the MAC layer. CBC-MAC is sequential: the encryption output of each data block is the input to the next block, so each step must wait for the previous one to complete and the computation cannot be parallelized. Even in environments requiring high throughput, CBC-MAC cannot be replaced with a parallelizable MAC.

In short, the major conventional AEAD schemes couple the MAC layer fixedly to the encryption layer and therefore lack the structural flexibility to replace only the MAC layer to suit the hardware characteristics of the platform or the requirements of the application service (for example, low latency for short messages).

The drawings cited in this application are briefly described below to aid understanding.

FIG. 1 is a flowchart of an authenticated encryption method according to an embodiment of the present application.
FIG. 2 is a flowchart of an authenticated encryption method according to an embodiment of the present application.
FIG. 3 is a block diagram of an authenticated encryption device according to an embodiment of the present application.
FIG. 4 is a diagram illustrating an authenticated encryption process according to an embodiment of the present application.
The technical concept of the present application is subject to various modifications and may have various embodiments; specific embodiments are illustrated in the drawings and described in detail. This is not intended to limit the technical concept of the present application to the specific embodiments, and it should be understood to include all modifications, equivalents, and substitutions that fall within the scope of that technical concept. In explaining the technical concept of the present application, detailed descriptions of related prior art are omitted where they would unnecessarily obscure the essence of the present application. The terms used herein serve to describe embodiments and are not intended to limit and/or restrict the present application. Singular expressions include plural expressions unless the context clearly indicates otherwise. Additionally, ordinal terms used herein (e.g., first, second, etc.) are merely identifiers to distinguish one component from another. In this specification, when it is stated that a part is connected to another part, this incl