Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE

Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separated access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security as RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE, in terms of efficiency and optimality.

Download Full-text

Cryptanalysis of PMACx, PMAC2x, and SIVx

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.162-176 ◽

2017 ◽

pp. 162-176

Author(s):

Kazuhiko Minematsu ◽

Tetsu Iwata

Keyword(s):

Provable Security ◽

Block Cipher ◽

Query Complexity ◽

Block Length ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Pseudorandom Functions ◽

Tweakable Block Cipher ◽

Deterministic Authenticated Encryption ◽

Provably Secure

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

Download Full-text

An Attribute-Based Searchable Encryption Scheme for Non-Monotonic Access Structure

Handbook of Research on Intrusion Detection Systems - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-7998-2242-4.ch013 ◽

2020 ◽

pp. 263-283 ◽

Cited By ~ 1

Author(s):

Mamta ◽

Brij B. Gupta

Keyword(s):

Access Control ◽

Searchable Encryption ◽

Access Structure ◽

Encryption Scheme ◽

Security Model ◽

Secret Key ◽

Fine Grained ◽

Diffie Hellman ◽

Attribute Based Encryption ◽

Encryption Schemes

Attribute based encryption (ABE) is a widely used technique with tremendous application in cloud computing because it provides fine-grained access control capability. Owing to this property, it is emerging as a popular technique in the area of searchable encryption where the fine-grained access control is used to determine the search capabilities of a user. But, in the searchable encryption schemes developed using ABE it is assumed that the access structure is monotonic which contains AND, OR and threshold gates. Many ABE schemes have been developed for non-monotonic access structure which supports NOT gate, but this is the first attempt to develop a searchable encryption scheme for the same. The proposed scheme results in fast search and generates secret key and search token of constant size and also the ciphertext components are quite fewer than the number of attributes involved. The proposed scheme is proven secure against chosen keyword attack (CKA) in selective security model under Decisional Bilinear Diffie-Hellman (DBDH) assumption.

Download Full-text

Probably Secure Keyed-Function Based Authenticated Encryption Schemes for Big Data

International Journal of Foundations of Computer Science ◽

10.1142/s0129054117400123 ◽

2017 ◽

Vol 28 (06) ◽

pp. 661-682

Author(s):

Rashed Mazumder ◽

Atsuko Miyaji ◽

Chunhua Su

Keyword(s):

Big Data ◽

Research Area ◽

Security Model ◽

Authenticated Encryption ◽

Big Data Applications ◽

Critical Issues ◽

Encryption Schemes ◽

Big Data Application ◽

Probabilistic Encryption ◽

Security Bound

Security, privacy and data integrity are the critical issues in Big Data application of IoT-enable environment and cloud-based services. There are many upcoming challenges to establish secure computations for Big Data applications. Authenticated encryption (AE) plays one of the core roles for Big Data’s confidentiality, integrity, and real-time security. However, many proposals exist in the research area of authenticated encryption. Generally, there are two concepts of nonce respect and nonce reuse under the security notion of the AE. However, recent studies show that nonce reuse needs to sacrifice security bound of the AE. In this paper, we consider nonce respect scheme and probabilistic encryption scheme which are more efficient and suitable for big data applications. Both schemes are based on keyed function. Our first scheme (FS) operates in parallel mode whose security is based on nonce respect and supports associated data. Furthermore, it needs less call of functions/block-cipher. On the contrary, our second scheme is based on probabilistic encryption. It is expected to be a light solution because of weaker security model construction. Moreover, both schemes satisfy reasonable privacy security bound.

Download Full-text

Refined Probability of Differential Characteristics Including Dependency Between Multiple Rounds

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.203-227 ◽

2017 ◽

pp. 203-227

Author(s):

Anne Canteaut ◽

Eran Lambooij ◽

Samuel Neves ◽

Shahram Rasoolzadeh ◽

Yu Sasaki ◽

...

Keyword(s):

Block Cipher ◽

Current Paper ◽

Inner Function ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Binary Matrix ◽

Exact Probability ◽

The Core ◽

Differential Characteristic ◽

Lightweight Block Cipher

The current paper studies the probability of differential characteristics for an unkeyed (or with a fixed key) construction. Most notably, it focuses on the gap between two probabilities of differential characteristics: probability with independent S-box assumption, pind, and exact probability, pexact. It turns out that pexact is larger than pind in Feistel network with some S-box based inner function. The mechanism of this gap is then theoretically analyzed. The gap is derived from interaction of S-boxes in three rounds, and the gap depends on the size and choice of the S-box. In particular the gap can never be zero when the S-box is bigger than six bits. To demonstrate the power of this improvement, a related-key differential characteristic is proposed against a lightweight block cipher RoadRunneR. For the 128-bit key version, pind of 2−48 is improved to pexact of 2−43. For the 80-bit key version, pind of 2−68 is improved to pexact of 2−62. The analysis is further extended to SPN with an almost-MDS binary matrix in the core primitive of the authenticated encryption scheme Minalpher: pind of 2−128 is improved to pexact of 2−96, which allows to extend the attack by two rounds.

Download Full-text

The Area-Latency Symbiosis: Towards Improved Serial Encryption Circuits

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i1.239-278 ◽

2020 ◽

pp. 239-278

Author(s):

Fatih Balli ◽

Andrea Caforio ◽

Subhadeep Banik

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Significant Loss ◽

Authenticated Encryption ◽

End User ◽

Maximum Throughput ◽

Mode Of Operation ◽

Encryption Schemes ◽

Bit Serial

The bit-sliding paper of Jean et al. (CHES 2017) showed that the smallest-size circuit for SPN based block ciphers such as AES, SKINNY and PRESENT can be achieved via bit-serial implementations. Their technique decreases the bit size of the datapath and naturally leads to a significant loss in latency (as well as the maximum throughput). Their designs complete a single round of the encryption in 168 (resp. 68) clock cycles for 128 (resp. 64) bit blocks. A follow-up work by Banik et al. (FSE 2020) introduced the swap-and-rotate technique that both eliminates this loss in latency and achieves even smaller footprints.In this paper, we extend these results on bit-serial implementations all the way to four authenticated encryption schemes from NIST LWC. Our first focus is to decrease latency and improve throughput with the use of the swap-and-rotate technique. Our block cipher implementations have the most efficient round operations in the sense that a round function of an n-bit block cipher is computed in exactly n clock cycles. This leads to implementations that are similar in size to the state of the art, but have much lower latency (savings up to 20 percent). We then extend our technique to 4- and 8-bit implementations. Although these results are promising, block ciphers themselves are not end-user primitives, as they need to be used in conjunction with a mode of operation. Hence, in the second part of the paper, we use our serial block ciphers to bootstrap four active NIST authenticated encryption candidates: SUNDAE-GIFT, Romulus, SAEAES and SKINNY-AEAD. In the wake of this effort, we provide the smallest block-cipher-based authenticated encryption circuits known in the literature so far.

Download Full-text

Efficient Length Doubling From Tweakable Block Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i3.253-270 ◽

2017 ◽

pp. 253-270 ◽

Cited By ~ 2

Author(s):

Yu Long Chen ◽

Atul Luykx ◽

Bart Mennink ◽

Bart Preneel

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Arbitrary Length ◽

Pseudorandom Permutation ◽

Cryptographic Primitive ◽

Length Data ◽

Tweakable Block Cipher ◽

Integral Data

We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n − 1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.

Download Full-text

Understanding RUP Integrity of COLM

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.143-161 ◽

2017 ◽

pp. 143-161

Author(s):

Nilanjan Datta ◽

Atul Luykx ◽

Bart Mennink ◽

Mridul Nandi

Keyword(s):

Time Complexity ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Caesar Competition ◽

Mixing Functions

The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA’s XOR mixing. Then we present a noncemisusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we can extend the previous forgery to be nonce-respecting.

Download Full-text

LM-DAE: Low-Memory Deterministic Authenticated Encryption for 128-bit Security

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i4.1-38 ◽

2020 ◽

pp. 1-38

Author(s):

Yusuke Naito ◽

Yu Sasaki ◽

Takeshi Sugawara

Keyword(s):

Block Cipher ◽

State Of The Art ◽

Block Size ◽

Query Complexity ◽

Side Channel ◽

Authenticated Encryption ◽

Implementation Cost ◽

Tweakable Block Cipher ◽

Deterministic Authenticated Encryption ◽

State Size

This paper proposes a new lightweight deterministic authenticated encryption (DAE) scheme providing 128-bit security. Lightweight DAE schemes are practically important because resource-restricted devices sometimes cannot afford to manage a nonce properly. For this purpose, we first design a new mode LM-DAE that has a minimal state size and uses a tweakable block cipher (TBC). The design can be implemented with low memory and is advantageous in threshold implementations (TI) as a side-channel attack countermeasure. LM-DAE further reduces the implementation cost by eliminating the inverse tweak schedule needed in the previous TBC-based DAE modes. LM-DAE is proven to be indistinguishable from an ideal DAE up to the O(2n) query complexity for the block size n. To achieve 128-bit security, an underlying TBC must handle a 128-bit block, 128-bit key, and 128+4-bit tweak, where the 4-bit tweak comes from the domain separation. To satisfy this requirement, we extend SKINNY-128-256 with an additional 4-bit tweak, by applying the elastic-tweak proposed by Chakraborti et al. We evaluate the hardware performances of the proposed scheme with and without TI. Our LM-DAE implementation achieves 3,717 gates, roughly 15% fewer than state-of-the-art nonce-based schemes, thanks to removing the inverse tweak schedule.

Download Full-text

CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

Cryptography ◽

10.3390/cryptography2040042 ◽

2018 ◽

Vol 2 (4) ◽

pp. 42

Author(s):

Jonathan Trostle

Keyword(s):

Block Cipher ◽

Energy Savings ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Computational Overhead ◽

Initialization Vector ◽

Wireless Environments ◽

Security Bound ◽

Associated Data ◽

Short Messages

In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not necessarily result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Synthetic Initialization Vector (SIV) mode for computational overhead but has much smaller expansion. We prove both a misuse resistant authenticated encryption (MRAE) security bound and an authenticated encryption (AE) security bound for CMCC. We also present a variation of CMCC, CWM (CMCC With MAC), which provides a further strengthening of the security bounds.

Download Full-text

A NEW CONVERTIBLE AUTHENTICATED ENCRYPTION SCHEME BASED ON THE ELGAMAL CRYPTOSYSTEM

International Journal of Foundations of Computer Science ◽

10.1142/s0129054109006607 ◽

2009 ◽

Vol 20 (02) ◽

pp. 351-359 ◽

Cited By ~ 12

Author(s):

CHENG-CHI LEE ◽

MIN-SHIANG HWANG ◽

SHIANG-FENG TZENG

Keyword(s):

Computational Complexity ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Elgamal Cryptosystem ◽

Encryption Schemes

A convertible authenticated encryption scheme allows a designated receiver to retrieve an authenticated ciphertext and convert the authenticated ciphertext into an ordinary signature. The receiver can prove the dishonesty of the sender to anyone if the sender repudiates his/her signature. Recently, many researchers have proposed convertible authenticated encryption schemes based on cryptological algorithms. In this paper, the authors shall present a new convertible authenticated encryption scheme based on the ElGamal cryptosystem. The proposed scheme is more efficient than Wu-Hsu's scheme in terms of computational complexity.

Download Full-text