CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

Jonathan Trostle

doi:10.3390/cryptography2040042

CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

Cryptography ◽

10.3390/cryptography2040042 ◽

2018 ◽

Vol 2 (4) ◽

pp. 42

Author(s):

Jonathan Trostle

Keyword(s):

Block Cipher ◽

Energy Savings ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Computational Overhead ◽

Initialization Vector ◽

Wireless Environments ◽

Security Bound ◽

Associated Data ◽

Short Messages

In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not necessarily result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Synthetic Initialization Vector (SIV) mode for computational overhead but has much smaller expansion. We prove both a misuse resistant authenticated encryption (MRAE) security bound and an authenticated encryption (AE) security bound for CMCC. We also present a variation of CMCC, CWM (CMCC With MAC), which provides a further strengthening of the security bounds.

Download Full-text

Cryptanalysis of PMACx, PMAC2x, and SIVx

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.162-176 ◽

2017 ◽

pp. 162-176

Author(s):

Kazuhiko Minematsu ◽

Tetsu Iwata

Keyword(s):

Provable Security ◽

Block Cipher ◽

Query Complexity ◽

Block Length ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Pseudorandom Functions ◽

Tweakable Block Cipher ◽

Deterministic Authenticated Encryption ◽

Provably Secure

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

Download Full-text

Refined Probability of Differential Characteristics Including Dependency Between Multiple Rounds

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.203-227 ◽

2017 ◽

pp. 203-227

Author(s):

Anne Canteaut ◽

Eran Lambooij ◽

Samuel Neves ◽

Shahram Rasoolzadeh ◽

Yu Sasaki ◽

...

Keyword(s):

Block Cipher ◽

Current Paper ◽

Inner Function ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Binary Matrix ◽

Exact Probability ◽

The Core ◽

Differential Characteristic ◽

Lightweight Block Cipher

The current paper studies the probability of differential characteristics for an unkeyed (or with a fixed key) construction. Most notably, it focuses on the gap between two probabilities of differential characteristics: probability with independent S-box assumption, pind, and exact probability, pexact. It turns out that pexact is larger than pind in Feistel network with some S-box based inner function. The mechanism of this gap is then theoretically analyzed. The gap is derived from interaction of S-boxes in three rounds, and the gap depends on the size and choice of the S-box. In particular the gap can never be zero when the S-box is bigger than six bits. To demonstrate the power of this improvement, a related-key differential characteristic is proposed against a lightweight block cipher RoadRunneR. For the 128-bit key version, pind of 2−48 is improved to pexact of 2−43. For the 80-bit key version, pind of 2−68 is improved to pexact of 2−62. The analysis is further extended to SPN with an almost-MDS binary matrix in the core primitive of the authenticated encryption scheme Minalpher: pind of 2−128 is improved to pexact of 2−96, which allows to extend the attack by two rounds.

Download Full-text

Efficient Length Doubling From Tweakable Block Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i3.253-270 ◽

2017 ◽

pp. 253-270 ◽

Cited By ~ 2

Author(s):

Yu Long Chen ◽

Atul Luykx ◽

Bart Mennink ◽

Bart Preneel

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Arbitrary Length ◽

Pseudorandom Permutation ◽

Cryptographic Primitive ◽

Length Data ◽

Tweakable Block Cipher ◽

Integral Data

We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n − 1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.

Download Full-text

An Efficient Authenticated-Encryption with Associated-Data Block Cipher Mode for Wireless Sensor Networks

Lecture Notes in Computer Science - Wired/Wireless Internet Communications ◽

10.1007/978-3-642-13315-2_31 ◽

2010 ◽

pp. 375-385 ◽

Cited By ~ 3

Author(s):

A. A. Adekunle ◽

S. R. Woodhead

Keyword(s):

Wireless Sensor Networks ◽

Sensor Networks ◽

Block Cipher ◽

Data Block ◽

Wireless Sensor ◽

Authenticated Encryption ◽

Associated Data

Download Full-text

Reconsidering the Security Bound of AES-GCM-SIV

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i4.240-267 ◽

2017 ◽

pp. 240-267 ◽

Cited By ~ 1

Author(s):

Tetsu Iwata ◽

Yannick Seurin

Keyword(s):

Research Group ◽

Security Analysis ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Simple Modification ◽

Security Guarantees ◽

Security Bound ◽

Key Derivation

We make a number of remarks about the AES-GCM-SIV nonce-misuse resistant authenticated encryption scheme currently considered for standardization by the Crypto Forum Research Group (CFRG). First, we point out that the security analysis proposed in the ePrint report 2017/168 is incorrect, leading to overly optimistic security claims. We correct the bound and re-assess the security guarantees offered by the scheme for various parameters. Second, we suggest a simple modification to the key derivation function which would improve the security of the scheme with virtually no efficiency penalty.

Download Full-text

Distinguishing Attack on NORX Permutation

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2018.i1.57-73 ◽

2018 ◽

pp. 57-73

Author(s):

Tao Huang ◽

Hongjun Wu

Keyword(s):

Authentication Scheme ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Distinguishing Attack ◽

Caesar Competition ◽

Security Bound

NORX is a permutation-based authentication scheme which is currently a third-round candidate of the ongoing CAESAR competition. The security bound of NORX is derived from the sponge construction applied to an ideal underlying permutation. In this paper, we show that the NORX core permutation is non-ideal with a new distinguishing attack. More specifically, we can distinguish NORX64 permutation with 248.5 queries and distinguish NORX32 permutation with 264.7 queries using carefully crafted differential-linear attacks. We have experimentally verified the distinguishing attack on NORX64 permutation. Although the distinguishing attacks reveal the weakness of the NORX permutation, it does not directly threat the security of the NORX authenticated encryption scheme.

Download Full-text

Tightness of the Suffix Keyed Sponge Bound

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i4.195-212 ◽

2020 ◽

pp. 195-212

Author(s):

Christoph Dobraunig ◽

Bart Mennink

Keyword(s):

Side Channel ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Side Channel Attacks ◽

Key Recovery ◽

Security Proofs ◽

Generic Attacks ◽

Key Recovery Attacks ◽

Security Bound

Generic attacks are a vital ingredient in the evaluation of the tightness of security proofs. In this paper, we evaluate the tightness of the suffix keyed sponge (SuKS) bound. As its name suggests, SuKS is a sponge-based construction that absorbs the key after absorbing the data, but before producing an output. This absorption of the key can be done via an easy to invert operation, like an XOR, or a hard to invert operation, like a PRF. Using SuKS with a hard to invert absorption provides benefits with respect to its resistance against side-channel attacks, and such a construction is used as part of the authenticated encryption scheme Isap. We derive two key recovery attacks against SuKS with easy to invert key absorption, and a forgery in case of hard to invert key absorption. The attacks closely match the terms in the PRF security bound of SuKS by Dobraunig and Mennink, ToSC 2019(4), and therewith show that these terms are justified, even if the function used to absorb the key is a PRF, and regardless of whether SuKS is used as a PRF or a MAC.

Download Full-text

ESTATE: A Lightweight and Low Energy Authenticated Encryption Mode

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.is1.350-389 ◽

2020 ◽

pp. 350-389

Author(s):

Avik Chakraborti ◽

Nilanjan Datta ◽

Ashwin Jha ◽

Cuauhtemoc Mancillas-López ◽

Mridul Nandi ◽

...

Keyword(s):

Block Cipher ◽

Primitive Element ◽

Low Energy ◽

Authenticated Encryption ◽

Area Efficiency ◽

Starting State ◽

Encryption Schemes ◽

Implementation Costs ◽

Additional Circuitry ◽

Short Messages

NIST has recently initiated a standardization project for efficient lightweight authenticated encryption schemes. SUNDAE, a candidate in this project, achieves optimal state size which results in low circuit overhead on top of the underlying block cipher. In addition, SUNDAE provides security in nonce-misuse scenario as well. However, in addition to the block cipher circuit, SUNDAE also requires some additional circuitry for multiplication by a primitive element. Further, it requires an additional block cipher invocation to create the starting state. In this paper, we propose a new lightweight and low energy authenticated encryption family, called ESTATE, that significantly improves the design of SUNDAE in terms of implementation costs (both hardware area and energy) and efficient processing of short messages. In particular, ESTATE does not require an additional multiplication circuit, and it reduces the number of block cipher calls by one. Moreover, it provides integrity security even under the release of unverified plaintext (or RUP) model. ESTATE is based on short-tweak tweakable block ciphers (or tBC, small ’t’ denotes short tweaks) and we instantiate it with two recently designed tBCs: TweAES and TweGIFT. We also propose a low latency variant of ESTATE, called sESTATE, that uses a round-reduced (6 rounds) variant of TweAES called TweAES-6. We provide comprehensive FPGA based hardware implementation for all the three instances. The implementation results depict that ESTATE_TweGIFT-128 (681 LUTs, 263 slices) consumes much lesser area as compared to SUNDAE_GIFT-128 (931 LUTs, 310 slices). When we moved to the AES variants, along with the area-efficiency (ESTATE_TweAES consumes 1901 LUTs, 602 slices while SUNDAE_AES-128 needs 1922 LUTs, 614 slices), we also achieve higher throughput for short messages (For 16-byte message, a throughput of 1251.10 and 945.36 Mbps for ESTATE_TweAES and SUNDAE_AES-128 respectively).

Download Full-text

Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2019.i4.119-146 ◽

2020 ◽

pp. 119-146

Author(s):

Donghoon Chang ◽

Nilanjan Datta ◽

Avijit Dutta ◽

Bart Mennink ◽

Mridul Nandi ◽

...

Keyword(s):

Block Cipher ◽

Block Size ◽

Unified Model ◽

Constant Time ◽

Encryption Scheme ◽

Security Model ◽

Authenticated Encryption ◽

Encryption Schemes ◽

Plaintext Awareness ◽

Mixing Functions

Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separated access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security as RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE, in terms of efficiency and optimality.

Download Full-text

Six shades lighter: a bit-serial implementation of the AES family

Journal of Cryptographic Engineering ◽

10.1007/s13389-021-00265-8 ◽

2021 ◽

Author(s):

Sergio Roldán Lombardía ◽

Fatih Balli ◽

Subhadeep Banik

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Authenticated Encryption ◽

Current Standard ◽

Asic Circuit ◽

The Family ◽

Encryption And Decryption ◽

Preliminary Version ◽

Reduction In Area ◽

Bit Serial

AbstractRecently, cryptographic literature has seen new block cipher designs such as , or that aim to be more lightweight than the current standard, i.e., . Even though family of block ciphers were designed two decades ago, they still remain as the de facto encryption standard, with being the most widely deployed variant. In this work, we revisit the combined one-in-all implementation of the family, namely both encryption and decryption of each as a single ASIC circuit. A preliminary version appeared in Africacrypt 2019 by Balli and Banik, where the authors design a byte-serial circuit with such functionality. We improve on their work by reducing the size of the compact circuit to 2268 GE through 1-bit-serial implementation, which achieves 38% reduction in area. We also report stand-alone bit-serial versions of the circuit, targeting only a subset of modes and versions, e.g., and . Our results imply that, in terms of area, and can easily compete with the larger members of recently designed family, e.g., , . Thus, our implementations can be used interchangeably inside authenticated encryption candidates such as , or in place of .

Download Full-text