scholarly journals Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation

Cryptography ◽  
2020 ◽  
Vol 4 (3) ◽  
pp. 23
Author(s):  
Takeshi Sugawara
Keyword(s):  
Block Cipher ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Key Schedule ◽  
Backward Compatibility ◽  
Mode Of Operation ◽  
Large Memory ◽  
Extended States ◽  
Lightweight Block Cipher ◽  
The Cost

SAEAES is the authenticated encryption algorithm instantiated by combining the SAEB mode of operation with AES, and a candidate of the NIST’s lightweight cryptography competition. Using AES gives the advantage of backward compatibility with the existing accelerators and coprocessors that the industry has invested in so far. Still, the newer lightweight block cipher (e.g., GIFT) outperforms AES in compact implementation, especially with the side-channel attack countermeasure such as threshold implementation. This paper aims to implement the first threshold implementation of SAEAES and evaluate the cost we are trading with the backward compatibility. We design a new circuit architecture using the column-oriented serialization based on the recent 3-share and uniform threshold implementation (TI) of the AES S-box based on the generalized changing of the guards. Our design uses 18,288 GE with AES’s occupation reaching 97% of the total area. Meanwhile, the circuit area is roughly three times the conventional SAEB-GIFT implementation (6229 GE) because of a large memory size needed for the AES’s non-linear key schedule and the extended states for satisfying uniformity in TI.

scholarly journals Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96

2020 ◽  
pp. 289-312 ◽  
Author(s):  
Christoph Dobraunig ◽  
Yann Rotella ◽  
Jan Schoone
Keyword(s):  
Block Cipher ◽  
Slow Growth ◽  
Higher Order ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Key Recovery ◽  
Linear Layer ◽  
Depth Analysis ◽  
Key Recovery Attack ◽  
The Cost

Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side-effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations gotten for 2.5 rounds of Pyjamask-96. The AEAD-scheme Pyjamask itself is not threatened by the work in this paper.

scholarly journals Refined Probability of Differential Characteristics Including Dependency Between Multiple Rounds

2017 ◽  
pp. 203-227
Author(s):  
Anne Canteaut ◽  
Eran Lambooij ◽  
Samuel Neves ◽  
Shahram Rasoolzadeh ◽  
Yu Sasaki ◽  
...  
Keyword(s):  
Block Cipher ◽  
Current Paper ◽  
Inner Function ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Binary Matrix ◽  
Exact Probability ◽  
The Core ◽  
Differential Characteristic ◽  
Lightweight Block Cipher

The current paper studies the probability of differential characteristics for an unkeyed (or with a fixed key) construction. Most notably, it focuses on the gap between two probabilities of differential characteristics: probability with independent S-box assumption, pind, and exact probability, pexact. It turns out that pexact is larger than pind in Feistel network with some S-box based inner function. The mechanism of this gap is then theoretically analyzed. The gap is derived from interaction of S-boxes in three rounds, and the gap depends on the size and choice of the S-box. In particular the gap can never be zero when the S-box is bigger than six bits. To demonstrate the power of this improvement, a related-key differential characteristic is proposed against a lightweight block cipher RoadRunneR. For the 128-bit key version, pind of 2−48 is improved to pexact of 2−43. For the 80-bit key version, pind of 2−68 is improved to pexact of 2−62. The analysis is further extended to SPN with an almost-MDS binary matrix in the core primitive of the authenticated encryption scheme Minalpher: pind of 2−128 is improved to pexact of 2−96, which allows to extend the attack by two rounds.

scholarly journals The Area-Latency Symbiosis: Towards Improved Serial Encryption Circuits

2020 ◽  
pp. 239-278
Author(s):  
Fatih Balli ◽  
Andrea Caforio ◽  
Subhadeep Banik
Keyword(s):  
Block Cipher ◽  
Block Ciphers ◽  
Significant Loss ◽  
Authenticated Encryption ◽  
End User ◽  
Maximum Throughput ◽  
Mode Of Operation ◽  
Encryption Schemes ◽  
Bit Serial

The bit-sliding paper of Jean et al. (CHES 2017) showed that the smallest-size circuit for SPN based block ciphers such as AES, SKINNY and PRESENT can be achieved via bit-serial implementations. Their technique decreases the bit size of the datapath and naturally leads to a significant loss in latency (as well as the maximum throughput). Their designs complete a single round of the encryption in 168 (resp. 68) clock cycles for 128 (resp. 64) bit blocks. A follow-up work by Banik et al. (FSE 2020) introduced the swap-and-rotate technique that both eliminates this loss in latency and achieves even smaller footprints.In this paper, we extend these results on bit-serial implementations all the way to four authenticated encryption schemes from NIST LWC. Our first focus is to decrease latency and improve throughput with the use of the swap-and-rotate technique. Our block cipher implementations have the most efficient round operations in the sense that a round function of an n-bit block cipher is computed in exactly n clock cycles. This leads to implementations that are similar in size to the state of the art, but have much lower latency (savings up to 20 percent). We then extend our technique to 4- and 8-bit implementations. Although these results are promising, block ciphers themselves are not end-user primitives, as they need to be used in conjunction with a mode of operation. Hence, in the second part of the paper, we use our serial block ciphers to bootstrap four active NIST authenticated encryption candidates: SUNDAE-GIFT, Romulus, SAEAES and SKINNY-AEAD. In the wake of this effort, we provide the smallest block-cipher-based authenticated encryption circuits known in the literature so far.

scholarly journals Pyjamask: Block Cipher and Authenticated Encryption with Highly Efficient Masked Implementation

2020 ◽  
pp. 31-59
Author(s):  
Dahmun Goudarzi ◽  
Jérémy Jean ◽  
Stefan Kölbl ◽  
Thomas Peyrin ◽  
Matthieu Rivain ◽  
...  
Keyword(s):  
Block Cipher ◽  
High Order ◽  
Side Channel ◽  
Design Rationale ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Standardization Process ◽  
Very High ◽  
Better Than ◽  
Provably Secure

This paper introduces Pyjamask, a new block cipher family and authenticated encryption proposal submitted to the NIST lightweight cryptography standardization process. Pyjamask targets side-channel resistance as one of its main goal. More precisely, it strongly minimizes the number of nonlinear gates used in its internal primitive in order to allow efficient masked implementations, especially for high-order masking in software. Compared to other block ciphers, our proposal has thus among the smallest number of binary AND computations per input bit at the time of writing. Even though Pyjamask minimizes such an important criterion, it remains rather lightweight and efficient, thanks to a general bitslice construction that enables to computation of all nonlinear gates in parallel. For authenticated encryption, we adopt the provably secure AEAD mode OCB which has been extensively studied and has the benefit to offer full parallelization. Of course, other block cipher-based modes can be considered as well if other performance profiles are to be targeted.The paper first gives the specification of the Pyjamask block cipher and the associated AEAD proposal. We also provide a detailed design rationale for the block cipher which is guided by our aim of software efficiency in the presence of high-order masking. The security of the design is analyzed against most commonly known cryptanalysis techniques. We finally describe efficient (masked) implementations in software and provide implementation results with aggressive performances for masking of very high orders (up to 128). We also provide a rough estimation of the hardware performances which remain much better than those of an AES round-based implementation.

scholarly journals A fundamental flaw in the ++AE authenticated encryption mode

2018 ◽  
Vol 12 (1) ◽  
pp. 37-42
Author(s):  
Hassan Qahur Al Mahri ◽  
Leonie Simpson ◽  
Harry Bartlett ◽  
Ed Dawson ◽  
Kenneth Koon-Ho Wong
Keyword(s):  
Block Cipher ◽  
Authenticated Encryption ◽  
Forgery Attack ◽  
Mathematical Proofs ◽  
Mode Of Operation ◽  
Public Message ◽  
Integrity Check

Abstract In this article, we analyse a block cipher mode of operation for authenticated encryption known as ++AE (plus-plus-AE). We show that this mode has a fundamental flaw: the scheme does not verify the most significant bit of any block in the plaintext message. This flaw can be exploited by choosing a plaintext message and then constructing multiple forged messages in which the most significant bit of certain blocks is flipped. All of these plaintext messages will generate the same authentication tag. This forgery attack is deterministic and guaranteed to pass the ++AE integrity check. The success of the attack is independent of the underlying block cipher, key or public message number. We outline the mathematical proofs for the flaw in the ++AE algorithm. We conclude that ++AE is insecure as an authenticated encryption mode of operation.

scholarly journals Hybrid lightweight Signcryption scheme for IoT

2021 ◽  
Vol 11 (1) ◽  
pp. 391-398
Author(s):  
M. Sruthi ◽  
Rajkumar Rajasekaran
Keyword(s):  
Conventional Method ◽  
Block Cipher ◽  
Resource Constrained ◽  
Session Key ◽  
Lightweight Cryptography ◽  
Lightweight Block Cipher ◽  
Signcryption Scheme ◽  
Resource Constrained Devices ◽  
Constrained Devices

Abstract The information transmitted in IoT is susceptible to affect the user’s privacy, and hence the information ought to be transmitted securely. The conventional method to assure integrity, confidentiality, and non-repudiation is to first sign the message and then encrypt it. Signcryption is a technique where the signature and the encryption are performed in a single round. The current Signcryption system uses traditional cryptographic approaches that are overloaded for IoT, as it consists of resource-constrained devices and uses the weak session key to encrypt the data. We propose a hybrid Signcryption scheme that employs PRESENT, a lightweight block cipher algorithm to encrypt the data, and the session key is encrypted by ECC. The time taken to signcrypt the proposed Signcryption is better when compared to current Signcryption techniques, as it deploys lightweight cryptography techniques that are devoted to resource-constrained devices.

Improved Meet-in-the-Middle Attacks on Reduced-Round Kiasu-BC and Joltik-BC

2019 ◽  
Vol 62 (12) ◽  
pp. 1761-1776 ◽  
Author(s):  
Ya Liu ◽  
Yifan Shi ◽  
Dawu Gu ◽  
Zhiqiang Zeng ◽  
Fengyu Zhao ◽  
...  
Keyword(s):  
Block Cipher ◽  
Block Ciphers ◽  
Authenticated Encryption ◽  
Caesar Competition ◽  
Encryption Algorithms ◽  
Lightweight Block Cipher

Abstract Kiasu-BC and Joltik-BC are internal tweakable block ciphers of authenticated encryption algorithms Kiasu and Joltik submitted to the CAESAR competition. Kiasu-BC is a 128-bit block cipher, of which tweak and key sizes are 64 and 128 bits, respectively. Joltik-BC-128 is a 64-bit lightweight block cipher supporting 128 bits tweakey. Its designers recommended the key and tweak sizes are both 64 bits. In this paper, we propose improved meet-in-the-middle attacks on 8-round Kiasu-BC, 9-round and 10-round Joltik-BC-128 by exploiting properties of their structures and using precomputation tables and the differential enumeration. For Kiasu-BC, we build a 5-round distinguisher to attack 8-round Kiasu-BC with $2^{109}$ plaintext–tweaks, $2^{112.8}$ encrytions and $2^{92.91}$ blocks. Compared with previously best known cryptanalytic results on 8-round Kiasu-BC under chosen plaintext attacks, the data and time complexities are reduced by $2^{7}$ and $2^{3.2}$ times, respectively. For the recommended version of Joltik-BC-128, we construct a 6-round distinguisher to attack 9-round Joltik-BC-128 with $2^{53}$ plaintext–tweaks, $2^{56.6}$ encryptions and $2^{52.91}$ blocks, respectively. Compared with previously best known results, the data and time complexities are reduced by $2^7$ and $2^{5.1}$ times, respectively. In addition, we present a 6.5-round distinguisher to attack 10-round Joltik-BC-128 with $2^{53}$ plaintext–tweaks, $2^{101.4}$ encryptions and $2^{76.91}$ blocks.

Improving the Cost of 4G/LTE Algorithm by Using OLBCA Lightweight Block Cipher Algorithm

2019 ◽  
Vol 16 (3) ◽  
pp. 964-967
Author(s):  
Sufyan Salim Mahmood Aldabbagh ◽  
Alyaa Ghanim Suliaman ◽  
Khalid Abdulkareem Al-Enezi ◽  
Abdulrahman Yousef Alenezi
Keyword(s):  
Block Cipher ◽  
Lightweight Block Cipher ◽  
4G Lte ◽  
The Cost

scholarly journals Improved Biclique Cryptanalysis of the Lightweight Block Cipher Piccolo

2017 ◽  
Vol 2017 ◽  
pp. 1-12 ◽  
Author(s):  
Guoyong Han ◽  
Wenying Zhang
Keyword(s):  
Computational Complexity ◽  
Block Cipher ◽  
Data Complexity ◽  
Key Schedule ◽  
Lightweight Block Cipher

Biclique cryptanalysis is a typical attack through finding a biclique which is a type of bipartite diagram to reduce the computational complexity. By investigating the subkey distribution and the encryption structure, we find out a weakness in the key schedule of Piccolo-80. A 6-round biclique is constructed for Piccolo-80 and a 7-round biclique for Piccolo-128. Then a full round biclique cryptanalysis of Piccolo is presented. The results of the attacks are with data complexity of 240and 224chosen ciphertexts and with computational complexity of 279.22and 2127.14, respectively. They are superior to other known results of biclique cryptanalytic on Piccolo.

Sign in / Sign up

Export Citation Format

Share Document