HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

The Area-Latency Symbiosis: Towards Improved Serial Encryption Circuits

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i1.239-278 ◽

2020 ◽

pp. 239-278

Author(s):

Fatih Balli ◽

Andrea Caforio ◽

Subhadeep Banik

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Significant Loss ◽

Authenticated Encryption ◽

End User ◽

Maximum Throughput ◽

Mode Of Operation ◽

Encryption Schemes ◽

Bit Serial

The bit-sliding paper of Jean et al. (CHES 2017) showed that the smallest-size circuit for SPN based block ciphers such as AES, SKINNY and PRESENT can be achieved via bit-serial implementations. Their technique decreases the bit size of the datapath and naturally leads to a significant loss in latency (as well as the maximum throughput). Their designs complete a single round of the encryption in 168 (resp. 68) clock cycles for 128 (resp. 64) bit blocks. A follow-up work by Banik et al. (FSE 2020) introduced the swap-and-rotate technique that both eliminates this loss in latency and achieves even smaller footprints.In this paper, we extend these results on bit-serial implementations all the way to four authenticated encryption schemes from NIST LWC. Our first focus is to decrease latency and improve throughput with the use of the swap-and-rotate technique. Our block cipher implementations have the most efficient round operations in the sense that a round function of an n-bit block cipher is computed in exactly n clock cycles. This leads to implementations that are similar in size to the state of the art, but have much lower latency (savings up to 20 percent). We then extend our technique to 4- and 8-bit implementations. Although these results are promising, block ciphers themselves are not end-user primitives, as they need to be used in conjunction with a mode of operation. Hence, in the second part of the paper, we use our serial block ciphers to bootstrap four active NIST authenticated encryption candidates: SUNDAE-GIFT, Romulus, SAEAES and SKINNY-AEAD. In the wake of this effort, we provide the smallest block-cipher-based authenticated encryption circuits known in the literature so far.

BTM: A Single-Key, Inverse-Cipher-Free Mode for Deterministic Authenticated Encryption

Selected Areas in Cryptography - Lecture Notes in Computer Science ◽

10.1007/978-3-642-05445-7_20 ◽

2009 ◽

pp. 313-330 ◽

Cited By ~ 26

Author(s):

Tetsu Iwata ◽

Kan Yasuda

Keyword(s):

Authenticated Encryption ◽

Free Mode ◽

Deterministic Authenticated Encryption

A fundamental flaw in the ++AE authenticated encryption mode

Journal of Mathematical Cryptology ◽

10.1515/jmc-2016-0037 ◽

2018 ◽

Vol 12 (1) ◽

pp. 37-42

Author(s):

Hassan Qahur Al Mahri ◽

Leonie Simpson ◽

Harry Bartlett ◽

Ed Dawson ◽

Kenneth Koon-Ho Wong

Keyword(s):

Block Cipher ◽

Authenticated Encryption ◽

Forgery Attack ◽

Mathematical Proofs ◽

Mode Of Operation ◽

Public Message ◽

Integrity Check

Abstract In this article, we analyse a block cipher mode of operation for authenticated encryption known as ++AE (plus-plus-AE). We show that this mode has a fundamental flaw: the scheme does not verify the most significant bit of any block in the plaintext message. This flaw can be exploited by choosing a plaintext message and then constructing multiple forged messages in which the most significant bit of certain blocks is flipped. All of these plaintext messages will generate the same authentication tag. This forgery attack is deterministic and guaranteed to pass the ++AE integrity check. The success of the attack is independent of the underlying block cipher, key or public message number. We outline the mathematical proofs for the flaw in the ++AE algorithm. We conclude that ++AE is insecure as an authenticated encryption mode of operation.

LM-DAE: Low-Memory Deterministic Authenticated Encryption for 128-bit Security

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i4.1-38 ◽

2020 ◽

pp. 1-38

Author(s):

Yusuke Naito ◽

Yu Sasaki ◽

Takeshi Sugawara

Keyword(s):

Block Cipher ◽

State Of The Art ◽

Block Size ◽

Query Complexity ◽

Side Channel ◽

Authenticated Encryption ◽

Implementation Cost ◽

Tweakable Block Cipher ◽

Deterministic Authenticated Encryption ◽

State Size

This paper proposes a new lightweight deterministic authenticated encryption (DAE) scheme providing 128-bit security. Lightweight DAE schemes are practically important because resource-restricted devices sometimes cannot afford to manage a nonce properly. For this purpose, we first design a new mode LM-DAE that has a minimal state size and uses a tweakable block cipher (TBC). The design can be implemented with low memory and is advantageous in threshold implementations (TI) as a side-channel attack countermeasure. LM-DAE further reduces the implementation cost by eliminating the inverse tweak schedule needed in the previous TBC-based DAE modes. LM-DAE is proven to be indistinguishable from an ideal DAE up to the O(2n) query complexity for the block size n. To achieve 128-bit security, an underlying TBC must handle a 128-bit block, 128-bit key, and 128+4-bit tweak, where the 4-bit tweak comes from the domain separation. To satisfy this requirement, we extend SKINNY-128-256 with an additional 4-bit tweak, by applying the elastic-tweak proposed by Chakraborti et al. We evaluate the hardware performances of the proposed scheme with and without TI. Our LM-DAE implementation achieves 3,717 gates, roughly 15% fewer than state-of-the-art nonce-based schemes, thanks to removing the inverse tweak schedule.

Efficient Beyond-Birthday-Bound-Secure Deterministic Authenticated Encryption with Minimal Stretch

Information Security and Privacy - Lecture Notes in Computer Science ◽

10.1007/978-3-319-40367-0_20 ◽

2016 ◽

pp. 317-332 ◽

Cited By ~ 4

Author(s):

Christian Forler ◽

Eik List ◽

Stefan Lucks ◽

Jakob Wenzel

Keyword(s):

Authenticated Encryption ◽

Beyond Birthday Bound ◽

Deterministic Authenticated Encryption

Improved Leakage-Resistant Authenticated Encryption based on Hardware AES Coprocessors

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i3.641-676 ◽

2021 ◽

pp. 641-676

Author(s):

Olivier Bronchain ◽

Charles Momin ◽

Thomas Peters ◽

François-Xavier Standaert

Keyword(s):

Encryption Scheme ◽

Authenticated Encryption ◽

Mode Of Operation ◽

Secure Software ◽

Software Updates ◽

Leakage Resilient

We revisit Unterstein et al.’s leakage-resilient authenticated encryption scheme from CHES 2020. Its main goal is to enable secure software updates by leveraging unprotected (e.g., AES, SHA256) coprocessors available on low-end microcontrollers. We show that the design of this scheme ignores an important attack vector that can significantly reduce its security claims, and that the evaluation of its leakage-resilient PRF is quite sensitive to minor variations of its measurements, which can easily lead to security overstatements. We then describe and analyze a new mode of operation for which we propose more conservative security parameters and show that it competes with the CHES 2020 one in terms of performances. As an additional bonus, our solution relies only on AES-128 coprocessors, an

A New Mode of Operation for Incremental Authenticated Encryption with Associated Data

Lecture Notes in Computer Science - Selected Areas in Cryptography – SAC 2015 ◽

10.1007/978-3-319-31301-6_23 ◽

2016 ◽

pp. 397-416 ◽

Cited By ~ 5

Author(s):

Yu Sasaki ◽

Kan Yasuda

Keyword(s):

Authenticated Encryption ◽

Mode Of Operation ◽

Associated Data

The offset codebook (OCB) block cipher mode of operation for authenticated encryption

Cryptologia ◽

10.1080/01611194.2017.1422048 ◽

2018 ◽

Vol 42 (2) ◽

pp. 135-145 ◽

Cited By ~ 4

Author(s):

William Stallings

Keyword(s):

Block Cipher ◽

Authenticated Encryption ◽

Mode Of Operation

Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation

Cryptography ◽

10.3390/cryptography4030023 ◽

2020 ◽

Vol 4 (3) ◽

pp. 23

Author(s):

Takeshi Sugawara

Keyword(s):

Block Cipher ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

Key Schedule ◽

Backward Compatibility ◽

Mode Of Operation ◽

Large Memory ◽

Extended States ◽

Lightweight Block Cipher ◽

The Cost

SAEAES is the authenticated encryption algorithm instantiated by combining the SAEB mode of operation with AES, and a candidate of the NIST’s lightweight cryptography competition. Using AES gives the advantage of backward compatibility with the existing accelerators and coprocessors that the industry has invested in so far. Still, the newer lightweight block cipher (e.g., GIFT) outperforms AES in compact implementation, especially with the side-channel attack countermeasure such as threshold implementation. This paper aims to implement the first threshold implementation of SAEAES and evaluate the cost we are trading with the backward compatibility. We design a new circuit architecture using the column-oriented serialization based on the recent 3-share and uniform threshold implementation (TI) of the AES S-box based on the generalized changing of the guards. Our design uses 18,288 GE with AES’s occupation reaching 97% of the total area. Meanwhile, the circuit area is roughly three times the conventional SAEB-GIFT implementation (6229 GE) because of a large memory size needed for the AES’s non-linear key schedule and the extended states for satisfying uniformity in TI.