scholarly journals Refined Probability of Differential Characteristics Including Dependency Between Multiple Rounds

2017 ◽  
pp. 203-227
Author(s):  
Anne Canteaut ◽  
Eran Lambooij ◽  
Samuel Neves ◽  
Shahram Rasoolzadeh ◽  
Yu Sasaki ◽  
...  
Keyword(s):  
Block Cipher ◽  
Current Paper ◽  
Inner Function ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Binary Matrix ◽  
Exact Probability ◽  
The Core ◽  
Differential Characteristic ◽  
Lightweight Block Cipher

The current paper studies the probability of differential characteristics for an unkeyed (or with a fixed key) construction. Most notably, it focuses on the gap between two probabilities of differential characteristics: probability with independent S-box assumption, pind, and exact probability, pexact. It turns out that pexact is larger than pind in Feistel network with some S-box based inner function. The mechanism of this gap is then theoretically analyzed. The gap is derived from interaction of S-boxes in three rounds, and the gap depends on the size and choice of the S-box. In particular the gap can never be zero when the S-box is bigger than six bits. To demonstrate the power of this improvement, a related-key differential characteristic is proposed against a lightweight block cipher RoadRunneR. For the 128-bit key version, pind of 2−48 is improved to pexact of 2−43. For the 80-bit key version, pind of 2−68 is improved to pexact of 2−62. The analysis is further extended to SPN with an almost-MDS binary matrix in the core primitive of the authenticated encryption scheme Minalpher: pind of 2−128 is improved to pexact of 2−96, which allows to extend the attack by two rounds.

scholarly journals Cryptanalysis of PMACx, PMAC2x, and SIVx

2017 ◽  
pp. 162-176
Author(s):  
Kazuhiko Minematsu ◽  
Tetsu Iwata
Keyword(s):  
Provable Security ◽  
Block Cipher ◽  
Query Complexity ◽  
Block Length ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Pseudorandom Functions ◽  
Tweakable Block Cipher ◽  
Deterministic Authenticated Encryption ◽  
Provably Secure

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

scholarly journals Efficient Length Doubling From Tweakable Block Ciphers

2017 ◽  
pp. 253-270 ◽  
Author(s):  
Yu Long Chen ◽  
Atul Luykx ◽  
Bart Mennink ◽  
Bart Preneel
Keyword(s):  
Block Cipher ◽  
Block Ciphers ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Arbitrary Length ◽  
Pseudorandom Permutation ◽  
Cryptographic Primitive ◽  
Length Data ◽  
Tweakable Block Cipher ◽  
Integral Data

We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n − 1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.

scholarly journals CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

Cryptography ◽  
2018 ◽  
Vol 2 (4) ◽  
pp. 42
Author(s):  
Jonathan Trostle
Keyword(s):  
Block Cipher ◽  
Energy Savings ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Computational Overhead ◽  
Initialization Vector ◽  
Wireless Environments ◽  
Security Bound ◽  
Associated Data ◽  
Short Messages

In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not necessarily result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Synthetic Initialization Vector (SIV) mode for computational overhead but has much smaller expansion. We prove both a misuse resistant authenticated encryption (MRAE) security bound and an authenticated encryption (AE) security bound for CMCC. We also present a variation of CMCC, CWM (CMCC With MAC), which provides a further strengthening of the security bounds.

Improved Meet-in-the-Middle Attacks on Reduced-Round Kiasu-BC and Joltik-BC

2019 ◽  
Vol 62 (12) ◽  
pp. 1761-1776 ◽  
Author(s):  
Ya Liu ◽  
Yifan Shi ◽  
Dawu Gu ◽  
Zhiqiang Zeng ◽  
Fengyu Zhao ◽  
...  
Keyword(s):  
Block Cipher ◽  
Block Ciphers ◽  
Authenticated Encryption ◽  
Caesar Competition ◽  
Encryption Algorithms ◽  
Lightweight Block Cipher

Abstract Kiasu-BC and Joltik-BC are internal tweakable block ciphers of authenticated encryption algorithms Kiasu and Joltik submitted to the CAESAR competition. Kiasu-BC is a 128-bit block cipher, of which tweak and key sizes are 64 and 128 bits, respectively. Joltik-BC-128 is a 64-bit lightweight block cipher supporting 128 bits tweakey. Its designers recommended the key and tweak sizes are both 64 bits. In this paper, we propose improved meet-in-the-middle attacks on 8-round Kiasu-BC, 9-round and 10-round Joltik-BC-128 by exploiting properties of their structures and using precomputation tables and the differential enumeration. For Kiasu-BC, we build a 5-round distinguisher to attack 8-round Kiasu-BC with $2^{109}$ plaintext–tweaks, $2^{112.8}$ encrytions and $2^{92.91}$ blocks. Compared with previously best known cryptanalytic results on 8-round Kiasu-BC under chosen plaintext attacks, the data and time complexities are reduced by $2^{7}$ and $2^{3.2}$ times, respectively. For the recommended version of Joltik-BC-128, we construct a 6-round distinguisher to attack 9-round Joltik-BC-128 with $2^{53}$ plaintext–tweaks, $2^{56.6}$ encryptions and $2^{52.91}$ blocks, respectively. Compared with previously best known results, the data and time complexities are reduced by $2^7$ and $2^{5.1}$ times, respectively. In addition, we present a 6.5-round distinguisher to attack 10-round Joltik-BC-128 with $2^{53}$ plaintext–tweaks, $2^{101.4}$ encryptions and $2^{76.91}$ blocks.

scholarly journals Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation

Cryptography ◽  
2020 ◽  
Vol 4 (3) ◽  
pp. 23
Author(s):  
Takeshi Sugawara
Keyword(s):  
Block Cipher ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Key Schedule ◽  
Backward Compatibility ◽  
Mode Of Operation ◽  
Large Memory ◽  
Extended States ◽  
Lightweight Block Cipher ◽  
The Cost

SAEAES is the authenticated encryption algorithm instantiated by combining the SAEB mode of operation with AES, and a candidate of the NIST’s lightweight cryptography competition. Using AES gives the advantage of backward compatibility with the existing accelerators and coprocessors that the industry has invested in so far. Still, the newer lightweight block cipher (e.g., GIFT) outperforms AES in compact implementation, especially with the side-channel attack countermeasure such as threshold implementation. This paper aims to implement the first threshold implementation of SAEAES and evaluate the cost we are trading with the backward compatibility. We design a new circuit architecture using the column-oriented serialization based on the recent 3-share and uniform threshold implementation (TI) of the AES S-box based on the generalized changing of the guards. Our design uses 18,288 GE with AES’s occupation reaching 97% of the total area. Meanwhile, the circuit area is roughly three times the conventional SAEB-GIFT implementation (6229 GE) because of a large memory size needed for the AES’s non-linear key schedule and the extended states for satisfying uniformity in TI.

scholarly journals DIFFERENTIAL CRYPTANALYSIS OF THE LIGHTWEIGHT BLOCK CIPHER CYPRESS-256

2020 ◽  
pp. 273-281
Author(s):  
Mariia Rodinko ◽  
Roman Oliynykov ◽  
Khalicha Yubuzova
Keyword(s):  
Block Cipher ◽  
Differential Cryptanalysis ◽  
Hamming Weight ◽  
Differential Characteristic ◽  
Lightweight Block Cipher

This paper presents the results of differential cryptanalysis of the lightweight block cipher Cypress-256. The method for searching multi-round differential characteristic of the block cipher Cypress-256 is proposed. The searching assumes 1) building a big set of one-round differential characteristics and search for possible combinations of one-round characteristics into multi-round ones; 2) extending one-round differential characteristics with the probability up to certain threshold into multi-round characteristics. The following experiments show that the most probable one-round differential characteristics have input differences with 4-6 active bits which are distributed between different words. Besides that, high-probable one-round differential characteristics, which output differences have a small Hamming weight, cannot be extended to build high-probable multi-round differential characteristics. Due to application of the method assuming extension of one-round differential characteristics into multi-round ones, the differential characteristic up to 6 rounds was built, so 10-round block cipher Cypress-256 is resistant to differential cryptanalysis according to the requirements of practical criterion.

scholarly journals Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE

2020 ◽  
pp. 119-146
Author(s):  
Donghoon Chang ◽  
Nilanjan Datta ◽  
Avijit Dutta ◽  
Bart Mennink ◽  
Mridul Nandi ◽  
...  
Keyword(s):  
Block Cipher ◽  
Block Size ◽  
Unified Model ◽  
Constant Time ◽  
Encryption Scheme ◽  
Security Model ◽  
Authenticated Encryption ◽  
Encryption Schemes ◽  
Plaintext Awareness ◽  
Mixing Functions

Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separated access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security as RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE, in terms of efficiency and optimality.

scholarly journals Six shades lighter: a bit-serial implementation of the AES family

2021 ◽  
Author(s):  
Sergio Roldán Lombardía ◽  
Fatih Balli ◽  
Subhadeep Banik
Keyword(s):  
Block Cipher ◽  
Block Ciphers ◽  
Authenticated Encryption ◽  
Current Standard ◽  
Asic Circuit ◽  
The Family ◽  
Encryption And Decryption ◽  
Preliminary Version ◽  
Reduction In Area ◽  
Bit Serial

AbstractRecently, cryptographic literature has seen new block cipher designs such as , or that aim to be more lightweight than the current standard, i.e., . Even though family of block ciphers were designed two decades ago, they still remain as the de facto encryption standard, with being the most widely deployed variant. In this work, we revisit the combined one-in-all implementation of the family, namely both encryption and decryption of each as a single ASIC circuit. A preliminary version appeared in Africacrypt 2019 by Balli and Banik, where the authors design a byte-serial circuit with such functionality. We improve on their work by reducing the size of the compact circuit to 2268 GE through 1-bit-serial implementation, which achieves 38% reduction in area. We also report stand-alone bit-serial versions of the circuit, targeting only a subset of modes and versions, e.g., and . Our results imply that, in terms of area, and can easily compete with the larger members of recently designed family, e.g., , . Thus, our implementations can be used interchangeably inside authenticated encryption candidates such as , or in place of .

Improvement of Tseng et al.'s authenticated encryption scheme with message linkages

2005 ◽  
Vol 162 (3) ◽  
pp. 1475-1483 ◽  
Author(s):  
Zhang Zhang ◽  
Shunsuke Araki ◽  
Guozhen Xiao
Keyword(s):  
Encryption Scheme ◽  
Authenticated Encryption

Protecting lightweight block cipher implementation in mobile big data computing

2016 ◽  
Vol 11 (2) ◽  
pp. 252-264
Author(s):  
Weidong Qiu ◽  
Bozhong Liu ◽  
Can Ge ◽  
Lingzhi Xu ◽  
Xiaoming Tang ◽  
...  
Keyword(s):  
Big Data ◽  
Block Cipher ◽  
Mobile Big Data ◽  
Lightweight Block Cipher ◽  
Big Data Computing
Sign in / Sign up

Export Citation Format

Share Document