Cryptanalysis of PMACx, PMAC2x, and SIVx

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

Download Full-text

LM-DAE: Low-Memory Deterministic Authenticated Encryption for 128-bit Security

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i4.1-38 ◽

2020 ◽

pp. 1-38

Author(s):

Yusuke Naito ◽

Yu Sasaki ◽

Takeshi Sugawara

Keyword(s):

Block Cipher ◽

State Of The Art ◽

Block Size ◽

Query Complexity ◽

Side Channel ◽

Authenticated Encryption ◽

Implementation Cost ◽

Tweakable Block Cipher ◽

Deterministic Authenticated Encryption ◽

State Size

This paper proposes a new lightweight deterministic authenticated encryption (DAE) scheme providing 128-bit security. Lightweight DAE schemes are practically important because resource-restricted devices sometimes cannot afford to manage a nonce properly. For this purpose, we first design a new mode LM-DAE that has a minimal state size and uses a tweakable block cipher (TBC). The design can be implemented with low memory and is advantageous in threshold implementations (TI) as a side-channel attack countermeasure. LM-DAE further reduces the implementation cost by eliminating the inverse tweak schedule needed in the previous TBC-based DAE modes. LM-DAE is proven to be indistinguishable from an ideal DAE up to the O(2n) query complexity for the block size n. To achieve 128-bit security, an underlying TBC must handle a 128-bit block, 128-bit key, and 128+4-bit tweak, where the 4-bit tweak comes from the domain separation. To satisfy this requirement, we extend SKINNY-128-256 with an additional 4-bit tweak, by applying the elastic-tweak proposed by Chakraborti et al. We evaluate the hardware performances of the proposed scheme with and without TI. Our LM-DAE implementation achieves 3,717 gates, roughly 15% fewer than state-of-the-art nonce-based schemes, thanks to removing the inverse tweak schedule.

Download Full-text

Efficient Length Doubling From Tweakable Block Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i3.253-270 ◽

2017 ◽

pp. 253-270 ◽

Cited By ~ 2

Author(s):

Yu Long Chen ◽

Atul Luykx ◽

Bart Mennink ◽

Bart Preneel

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Arbitrary Length ◽

Pseudorandom Permutation ◽

Cryptographic Primitive ◽

Length Data ◽

Tweakable Block Cipher ◽

Integral Data

We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n − 1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.

Download Full-text

Stronger Security Variants of GCM-SIV

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i1.134-157 ◽

2016 ◽

pp. 134-157 ◽

Cited By ~ 1

Author(s):

Tetsu Iwata ◽

Kazuhiko Minematsu

Keyword(s):

Provable Security ◽

Query Complexity ◽

Authenticated Encryption ◽

Standard Assumption ◽

Distinguishing Attack ◽

Pseudorandom Permutation ◽

Minor Variant ◽

A Minor ◽

Security Bound ◽

Provably Secure

At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 248 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses a question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack, and it offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2 which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 285.3 query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to show GCM-SIVr by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2128r/(r+1) query complexity. The provable security results are obtained under the standard assumption that the blockcipher is a pseudorandom permutation.

Download Full-text

Close to Optimally Secure Variants of GCM

Security and Communication Networks ◽

10.1155/2018/9715947 ◽

2018 ◽

Vol 2018 ◽

pp. 1-12

Author(s):

Ping Zhang ◽

Hong-Gang Hu ◽

Qian Yuan

Keyword(s):

Block Cipher ◽

Positive Response ◽

Block Size ◽

Hybrid Technique ◽

Authenticated Encryption ◽

Pseudorandom Functions ◽

Pseudorandom Permutation ◽

Mode Of Operation ◽

Universal Hash Function ◽

Provably Secure

The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data mode which provides the birthday-bound security in the nonce-respecting scenario; that is, it is secure up to about 2n/2 adversarial queries if all nonces used in the encryption oracle are never repeated, where n is the block size. It is an open problem to analyze whether GCM security can be improved by using some simple operations. This paper presents a positive response for this problem. Firstly, we introduce two close to optimally secure pseudorandom functions and derive their security bound by the hybrid technique. Then, we utilize these pseudorandom functions that we design and a universal hash function to construct two improved versions of GCM, called OGCM-1 and OGCM-2. OGCM-1 and OGCM-2 are, respectively, provably secure up to approximately 2n/67(n-1)2 and 2n/67 adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation. Finally, we discuss the properties of OGCM-1 and OGCM-2 and describe the future works.

Download Full-text

Provably secure proxy convertible authenticated encryption scheme based on RSA

Information Sciences ◽

10.1016/j.ins.2014.03.075 ◽

2014 ◽

Vol 278 ◽

pp. 577-587 ◽

Cited By ~ 4

Author(s):

Tzong-Sun Wu ◽

Han-Yu Lin

Keyword(s):

Encryption Scheme ◽

Authenticated Encryption ◽

Provably Secure

Download Full-text

Provably secure convertible multi-authenticated encryption scheme

IET Information Security ◽

10.1049/iet-ifs.2011.0162 ◽

2012 ◽

Vol 6 (2) ◽

pp. 65 ◽

Cited By ~ 2

Author(s):

Q. Xie

Keyword(s):

Encryption Scheme ◽

Authenticated Encryption ◽

Provably Secure

Download Full-text

Refined Probability of Differential Characteristics Including Dependency Between Multiple Rounds

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.203-227 ◽

2017 ◽

pp. 203-227

Author(s):

Anne Canteaut ◽

Eran Lambooij ◽

Samuel Neves ◽

Shahram Rasoolzadeh ◽

Yu Sasaki ◽

...

Keyword(s):

Block Cipher ◽

Current Paper ◽

Inner Function ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Binary Matrix ◽

Exact Probability ◽

The Core ◽

Differential Characteristic ◽

Lightweight Block Cipher

The current paper studies the probability of differential characteristics for an unkeyed (or with a fixed key) construction. Most notably, it focuses on the gap between two probabilities of differential characteristics: probability with independent S-box assumption, pind, and exact probability, pexact. It turns out that pexact is larger than pind in Feistel network with some S-box based inner function. The mechanism of this gap is then theoretically analyzed. The gap is derived from interaction of S-boxes in three rounds, and the gap depends on the size and choice of the S-box. In particular the gap can never be zero when the S-box is bigger than six bits. To demonstrate the power of this improvement, a related-key differential characteristic is proposed against a lightweight block cipher RoadRunneR. For the 128-bit key version, pind of 2−48 is improved to pexact of 2−43. For the 80-bit key version, pind of 2−68 is improved to pexact of 2−62. The analysis is further extended to SPN with an almost-MDS binary matrix in the core primitive of the authenticated encryption scheme Minalpher: pind of 2−128 is improved to pexact of 2−96, which allows to extend the attack by two rounds.

Download Full-text

Pyjamask: Block Cipher and Authenticated Encryption with Highly Efficient Masked Implementation

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.is1.31-59 ◽

2020 ◽

pp. 31-59

Author(s):

Dahmun Goudarzi ◽

Jérémy Jean ◽

Stefan Kölbl ◽

Thomas Peyrin ◽

Matthieu Rivain ◽

...

Keyword(s):

Block Cipher ◽

High Order ◽

Side Channel ◽

Design Rationale ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

Standardization Process ◽

Very High ◽

Better Than ◽

Provably Secure

This paper introduces Pyjamask, a new block cipher family and authenticated encryption proposal submitted to the NIST lightweight cryptography standardization process. Pyjamask targets side-channel resistance as one of its main goal. More precisely, it strongly minimizes the number of nonlinear gates used in its internal primitive in order to allow efficient masked implementations, especially for high-order masking in software. Compared to other block ciphers, our proposal has thus among the smallest number of binary AND computations per input bit at the time of writing. Even though Pyjamask minimizes such an important criterion, it remains rather lightweight and efficient, thanks to a general bitslice construction that enables to computation of all nonlinear gates in parallel. For authenticated encryption, we adopt the provably secure AEAD mode OCB which has been extensively studied and has the benefit to offer full parallelization. Of course, other block cipher-based modes can be considered as well if other performance profiles are to be targeted.The paper first gives the specification of the Pyjamask block cipher and the associated AEAD proposal. We also provide a detailed design rationale for the block cipher which is guided by our aim of software efficiency in the presence of high-order masking. The security of the design is analyzed against most commonly known cryptanalysis techniques. We finally describe efficient (masked) implementations in software and provide implementation results with aggressive performances for masking of very high orders (up to 128). We also provide a rough estimation of the hardware performances which remain much better than those of an AES round-based implementation.

Download Full-text

Improvement of Provably Secure Self-Certified Proxy Convertible Authenticated Encryption Scheme

2012 Fourth International Conference on Intelligent Networking and Collaborative Systems ◽

10.1109/incos.2012.44 ◽

2012 ◽

Cited By ~ 1

Author(s):

Qi Xie ◽

Guilin Wang ◽

Fubiao Xia ◽

Deren Chen

Keyword(s):

Encryption Scheme ◽

Authenticated Encryption ◽

Provably Secure

Download Full-text

CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

Cryptography ◽

10.3390/cryptography2040042 ◽

2018 ◽

Vol 2 (4) ◽

pp. 42

Author(s):

Jonathan Trostle

Keyword(s):

Block Cipher ◽

Energy Savings ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Computational Overhead ◽

Initialization Vector ◽

Wireless Environments ◽

Security Bound ◽

Associated Data ◽

Short Messages

In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not necessarily result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Synthetic Initialization Vector (SIV) mode for computational overhead but has much smaller expansion. We prove both a misuse resistant authenticated encryption (MRAE) security bound and an authenticated encryption (AE) security bound for CMCC. We also present a variation of CMCC, CWM (CMCC With MAC), which provides a further strengthening of the security bounds.

Download Full-text