scholarly journals Understanding RUP Integrity of COLM

2017 ◽  
pp. 143-161
Author(s):  
Nilanjan Datta ◽  
Atul Luykx ◽  
Bart Mennink ◽  
Mridul Nandi
Keyword(s):  
Time Complexity ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Caesar Competition ◽  
Mixing Functions

The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA’s XOR mixing. Then we present a noncemisusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we can extend the previous forgery to be nonce-respecting.

scholarly journals Distinguishing Attack on NORX Permutation

2018 ◽  
pp. 57-73
Author(s):  
Tao Huang ◽  
Hongjun Wu
Keyword(s):  
Authentication Scheme ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Distinguishing Attack ◽  
Caesar Competition ◽  
Security Bound

NORX is a permutation-based authentication scheme which is currently a third-round candidate of the ongoing CAESAR competition. The security bound of NORX is derived from the sponge construction applied to an ideal underlying permutation. In this paper, we show that the NORX core permutation is non-ideal with a new distinguishing attack. More specifically, we can distinguish NORX64 permutation with 248.5 queries and distinguish NORX32 permutation with 264.7 queries using carefully crafted differential-linear attacks. We have experimentally verified the distinguishing attack on NORX64 permutation. Although the distinguishing attacks reveal the weakness of the NORX permutation, it does not directly threat the security of the NORX authenticated encryption scheme.

scholarly journals Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE

2020 ◽  
pp. 119-146
Author(s):  
Donghoon Chang ◽  
Nilanjan Datta ◽  
Avijit Dutta ◽  
Bart Mennink ◽  
Mridul Nandi ◽  
...  
Keyword(s):  
Block Cipher ◽  
Block Size ◽  
Unified Model ◽  
Constant Time ◽  
Encryption Scheme ◽  
Security Model ◽  
Authenticated Encryption ◽  
Encryption Schemes ◽  
Plaintext Awareness ◽  
Mixing Functions

Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separated access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security as RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE, in terms of efficiency and optimality.

scholarly journals Conditional Cube Attack on Round-Reduced ASCON

2017 ◽  
pp. 175-202 ◽  
Author(s):  
Zheng Li ◽  
Xiaoyang Dong ◽  
Xiaoyun Wang
Keyword(s):  
Time Complexity ◽  
Authenticated Encryption ◽  
Key Recovery ◽  
Key Space ◽  
Cube Attack ◽  
Linear Layer ◽  
Non Linear ◽  
Caesar Competition ◽  
Key Recovery Attack ◽  
Total Time Complexity

This paper evaluates the secure level of authenticated encryption Ascon against cube-like method. Ascon submitted by Dobraunig et al. is one of 16 survivors of the 3rd round CAESAR competition. The cube-like method is first used by Dinur et al. to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig et al. applied this method to 5/6-round reduced Ascon, whose structure is similar to Keccak keyed modes. However, for Ascon the non-linear layer is more complex and state is much smaller, which make it hard for the attackers to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack is on 6-round Ascon, while for Keccak keyed modes (Keccak-MAC and Keyak) the attacked round is no less than 7-round. In this paper, we generalize the conditional cube attack proposed by Huang et al., and find new cubes depending on some key bit conditions for 5/6-round reduced Ascon, and translate the previous theoretic 6-round attack with 266 time complexity to a practical one with 240 time complexity. Moreover, we propose the first 7-round key-recovery attack on Ascon. By introducing the cube-like key-subset technique, we divide the full key space into many subsets according to different key conditions. For each key subset, we launch the cube tester to determine if the key falls into it. Finally, we recover the full key space by testing all the key subsets. The total time complexity is about 2103.9. In addition, for a weak-key subset, whose size is 2117, the attack is more efficient and costs only 277 time complexity. Those attacks do not threaten the full round (12 rounds) Ascon.

Improvement of Tseng et al.'s authenticated encryption scheme with message linkages

2005 ◽  
Vol 162 (3) ◽  
pp. 1475-1483 ◽  
Author(s):  
Zhang Zhang ◽  
Shunsuke Araki ◽  
Guozhen Xiao
Keyword(s):  
Encryption Scheme ◽  
Authenticated Encryption

scholarly journals Cryptanalysis of PMACx, PMAC2x, and SIVx

2017 ◽  
pp. 162-176
Author(s):  
Kazuhiko Minematsu ◽  
Tetsu Iwata
Keyword(s):  
Provable Security ◽  
Block Cipher ◽  
Query Complexity ◽  
Block Length ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Pseudorandom Functions ◽  
Tweakable Block Cipher ◽  
Deterministic Authenticated Encryption ◽  
Provably Secure

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

Sign in / Sign up

Export Citation Format

Share Document