Efficient Beyond-Birthday-Bound-Secure Deterministic Authenticated Encryption with Minimal Stretch

2016 ◽  
pp. 317-332 ◽  
Author(s):  
Christian Forler ◽  
Eik List ◽  
Stefan Lucks ◽  
Jakob Wenzel
Keyword(s):  
Authenticated Encryption ◽  
Beyond Birthday Bound ◽  
Deterministic Authenticated Encryption

scholarly journals Cryptanalysis of PMACx, PMAC2x, and SIVx

2017 ◽  
pp. 162-176
Author(s):  
Kazuhiko Minematsu ◽  
Tetsu Iwata
Keyword(s):  
Provable Security ◽  
Block Cipher ◽  
Query Complexity ◽  
Block Length ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Pseudorandom Functions ◽  
Tweakable Block Cipher ◽  
Deterministic Authenticated Encryption ◽  
Provably Secure

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

scholarly journals Tweakable Blockciphers for Efficient Authenticated Encryptions with Beyond the Birthday-Bound Security

2017 ◽  
pp. 1-26 ◽  
Author(s):  
Yusuke Naito
Keyword(s):  
Modular Design ◽  
Data Block ◽  
Authenticated Encryption ◽  
Pseudorandom Permutation ◽  
Beyond Birthday Bound ◽  
Tweakable Blockciphers ◽  
Associated Data

Modular design via a tweakable blockcipher (TBC) offers efficient authenticated encryption (AE) schemes (with associated data) that call a blockcipher once for each data block (of associated data or a plaintext). However, the existing efficient blockcipher-based TBCs are secure up to the birthday bound, where the underlying keyed blockcipher is a secure strong pseudorandom permutation. Existing blockcipher-based AE schemes with beyond-birthday-bound (BBB) security are not efficient, that is, a blockcipher is called twice or more for each data block. In this paper, we present a TBC, XKX, that offers efficient blockcipher-based AE schemes with BBB security, by combining with efficient TBC-based AE schemes such as ΘCB3 and

LM-DAE: Low-Memory Deterministic Authenticated Encryption for 128-bit Security

2020 ◽  
pp. 1-38
Author(s):  
Yusuke Naito ◽  
Yu Sasaki ◽  
Takeshi Sugawara
Keyword(s):  
Block Cipher ◽  
State Of The Art ◽  
Block Size ◽  
Query Complexity ◽  
Side Channel ◽  
Authenticated Encryption ◽  
Implementation Cost ◽  
Tweakable Block Cipher ◽  
Deterministic Authenticated Encryption ◽  
State Size

This paper proposes a new lightweight deterministic authenticated encryption (DAE) scheme providing 128-bit security. Lightweight DAE schemes are practically important because resource-restricted devices sometimes cannot afford to manage a nonce properly. For this purpose, we first design a new mode LM-DAE that has a minimal state size and uses a tweakable block cipher (TBC). The design can be implemented with low memory and is advantageous in threshold implementations (TI) as a side-channel attack countermeasure. LM-DAE further reduces the implementation cost by eliminating the inverse tweak schedule needed in the previous TBC-based DAE modes. LM-DAE is proven to be indistinguishable from an ideal DAE up to the O(2n) query complexity for the block size n. To achieve 128-bit security, an underlying TBC must handle a 128-bit block, 128-bit key, and 128+4-bit tweak, where the 4-bit tweak comes from the domain separation. To satisfy this requirement, we extend SKINNY-128-256 with an additional 4-bit tweak, by applying the elastic-tweak proposed by Chakraborti et al. We evaluate the hardware performances of the proposed scheme with and without TI. Our LM-DAE implementation achieves 3,717 gates, roughly 15% fewer than state-of-the-art nonce-based schemes, thanks to removing the inverse tweak schedule.

scholarly journals Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers

2019 ◽  
pp. 66-94
Author(s):  
Yusuke Naito ◽  
Takeshi Sugawara
Keyword(s):  
Block Ciphers ◽  
Block Length ◽  
Authenticated Encryption ◽  
Small Block ◽  
Mode Of Operation ◽  
Common Strategy ◽  
Length Data ◽  
Beyond Birthday Bound ◽  
Data Length ◽  
Security Bound

The use of a small block length is a common strategy when designing lightweight (tweakable) block ciphers (TBCs), and several 64-bit primitives have been proposed. However, when such a 64-bit primitive is used for an authenticated encryption with birthday-bound security, it has only 32-bit data complexity, which is subject to practical attacks. To employ a short block length without compromising security, we propose PFB, a lightweight TBC-based authenticated encryption with associated data mode, which achieves beyond-birthday-bound security. For this purpose, we extend iCOFB, which is originally defined with a tweakable random function. Unlike iCOFB, the proposed method can be instantiated with a TBC using a fixed tweak length and can handle variable-length data. Moreover, its security bound is improved and independent of the data length; this improves the key lifetime, particularly in lightweight blocks with a small size. The proposed method also covers a broader class of feedback functions because of the generalization presented in our proof. We evaluate the concrete hardware performances of PFB, which benefits from the small block length and shows particularly good performances in threshold implementation.

scholarly journals SUNDAE: Small Universal Deterministic Authenticated Encryption for the Internet of Things

2018 ◽  
pp. 1-35
Author(s):  
Subhadeep Banik ◽  
Andrey Bogdanov ◽  
Atul Luykx ◽  
Elmar Tischhauser
Keyword(s):  
Internet Of Things ◽  
Research Effort ◽  
Block Ciphers ◽  
Research Area ◽  
The Internet ◽  
Authenticated Encryption ◽  
Secure Storage ◽  
Constrained Environments ◽  
Deterministic Authenticated Encryption ◽  
The Internet Of Things

Lightweight cryptography was developed in response to the increasing need to secure devices for the Internet of Things. After significant research effort, many new block ciphers have been designed targeting lightweight settings, optimizing efficiency metrics which conventional block ciphers did not. However, block ciphers must be used in modes of operation to achieve more advanced security goals such as data confidentiality and authenticity, a research area given relatively little attention in the lightweight setting. We introduce a new authenticated encryption (AE) mode of operation, SUNDAE, specially targeted for constrained environments. SUNDAE is smaller than other known lightweight modes in implementation area, such as CLOC, JAMBU, and COFB, however unlike these modes, SUNDAE is designed as a deterministic authenticated encryption (DAE) scheme, meaning it provides maximal security in settings where proper randomness is hard to generate, or secure storage must be minimized due to expense. Unlike other DAE schemes, such as GCM-SIV, SUNDAE can be implemented efficiently on both constrained devices, as well as the servers communicating with those devices. We prove SUNDAE secure relative to its underlying block cipher, and provide an extensive implementation study, with results in both software and hardware, demonstrating that SUNDAE offers improved compactness and power consumption in hardware compared to other lightweight AE modes, while simultaneously offering comparable performance to GCM-SIV on parallel high-end platforms.

Efficient beyond-birthday-bound secure authenticated encryption modes

2018 ◽  
Vol 61 (9) ◽  
Author(s):  
Ping Zhang ◽  
Honggang Hu ◽  
Peng Wang
Keyword(s):  
Authenticated Encryption ◽  
Beyond Birthday Bound

scholarly journals AES-LBBB: AES Mode for Lightweight and BBB-Secure Authenticated Encryption

2021 ◽  
pp. 298-333
Author(s):  
Yusuke Naito ◽  
Yu Sasaki ◽  
Takeshi Sugawara
Keyword(s):  
Integrated Circuit ◽  
Internal State ◽  
Authenticated Encryption ◽  
Backward Compatibility ◽  
Current State ◽  
Security Proof ◽  
Application Specific Integrated Circuit ◽  
Standardization Process ◽  
Beyond Birthday Bound ◽  
State Size

In this paper, a new lightweight authenticated encryption scheme AESLBBB is proposed, which was designed to provide backward compatibility with advanced encryption standard (AES) as well as high security and low memory. The primary design goal, backward compatibility, is motivated by the fact that AES accelerators are now very common for devices in the field; we are interested in designing an efficient and highly secure mode of operation that exploits the best of those AES accelerators. The backward compatibility receives little attention in the NIST lightweight cryptography standardization process, in which only 3 out of 32 round-2 candidates are based on AES. Our mode, LBBB, is inspired by the design of ALE in the sense that the internal state size is a minimum 2n bits when using a block cipher of length n bits for the key and data. Unfortunately, there is no security proof of ALE, and forgery attacks have been found on ALE. In LBBB, we introduce an additional feed from block cipher’s output to the key state via a certain permutation λ, which enables us to prove beyond-birthday-bound (BBB) security. We then specify its AES instance, AES-LBBB, and evaluate its performance for (i) software implementation on a microcontroller with an AES coprocessor and (ii) hardware implementation for an application-specific integrated circuit (ASIC) to show that AES-LBBB performs better than the current state-of-the-art Remus-N2 with AES-128.

Sign in / Sign up

Export Citation Format

Share Document