scholarly journals Tightness of the Suffix Keyed Sponge Bound

2020 ◽  
pp. 195-212
Author(s):  
Christoph Dobraunig ◽  
Bart Mennink
Keyword(s):  
Side Channel ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Side Channel Attacks ◽  
Key Recovery ◽  
Security Proofs ◽  
Generic Attacks ◽  
Key Recovery Attacks ◽  
Security Bound

Generic attacks are a vital ingredient in the evaluation of the tightness of security proofs. In this paper, we evaluate the tightness of the suffix keyed sponge (SuKS) bound. As its name suggests, SuKS is a sponge-based construction that absorbs the key after absorbing the data, but before producing an output. This absorption of the key can be done via an easy to invert operation, like an XOR, or a hard to invert operation, like a PRF. Using SuKS with a hard to invert absorption provides benefits with respect to its resistance against side-channel attacks, and such a construction is used as part of the authenticated encryption scheme Isap. We derive two key recovery attacks against SuKS with easy to invert key absorption, and a forgery in case of hard to invert key absorption. The attacks closely match the terms in the PRF security bound of SuKS by Dobraunig and Mennink, ToSC 2019(4), and therewith show that these terms are justified, even if the function used to absorb the key is a PRF, and regardless of whether SuKS is used as a PRF or a MAC.

scholarly journals Speed Optimizations in Bitcoin Key Recovery Attacks

2016 ◽  
Vol 67 (1) ◽  
pp. 55-68 ◽  
Author(s):  
Nicolas Courtois ◽  
Guangyan Song ◽  
Ryan Castellucci
Keyword(s):  
Elliptic Curve ◽  
State Of The Art ◽  
The State ◽  
Side Channel ◽  
Side Channel Attacks ◽  
Key Recovery ◽  
Weak Keys ◽  
Key Recovery Attacks

Abstract In this paper, we study and give the first detailed benchmarks on existing implementations of the secp256k1 elliptic curve used by at least hundreds of thousands of users in Bitcoin and other cryptocurrencies. Our implementation improves the state of the art by a factor of 2.5 with a focus on the cases, where side channel attacks are not a concern and a large quantity of RAM is available. As a result, we are able to scan the Bitcoin blockchain for weak keys faster than any previous implementation. We also give some examples of passwords which we have cracked, showing that brain wallets are not secure in practice even for quite complex passwords.

scholarly journals Efficient Side-Channel Secure Message Authentication with Better Bounds

2020 ◽  
pp. 23-53
Author(s):  
Chun Guo ◽  
François-Xavier Standaert ◽  
Weijia Wang ◽  
Yu Yu
Keyword(s):  
Time Complexity ◽  
Side Channel ◽  
Message Authentication ◽  
Security Threat ◽  
Cryptographic Primitives ◽  
Key Recovery ◽  
Leakage Resilience ◽  
Authentication Schemes ◽  
Key Recovery Attacks ◽  
Provably Secure

We investigate constructing message authentication schemes from symmetric cryptographic primitives, with the goal of achieving security when most intermediate values during tag computation and verification are leaked (i.e., mode-level leakage-resilience). Existing efficient proposals typically follow the plain Hash-then-MAC paradigm T = TGenK(H(M)). When the domain of the MAC function TGenK is {0, 1}128, e.g., when instantiated with the AES, forgery is possible within time 264 and data complexity 1. To dismiss such cheap attacks, we propose two modes: LRW1-based Hash-then-MAC (LRWHM) that is built upon the LRW1 tweakable blockcipher of Liskov, Rivest, and Wagner, and Rekeying Hash-then-MAC (RHM) that employs internal rekeying. Built upon secure AES implementations, LRWHM is provably secure up to (beyond-birthday) 278.3 time complexity, while RHM is provably secure up to 2121 time. Thus in practice, their main security threat is expected to be side-channel key recovery attacks against the AES implementations. Finally, we benchmark the performance of instances of our modes based on the AES and SHA3 and confirm their efficiency.

scholarly journals Generic Side-channel attacks on CCA-secure lattice-based PKE and KEMs

2020 ◽  
pp. 307-335 ◽  
Author(s):  
Prasanna Ravi ◽  
Sujoy Sinha Roy ◽  
Anupam Chattopadhyay ◽  
Shivam Bhasin
Keyword(s):  
Experimental Validation ◽  
Error Correcting Codes ◽  
Public Key ◽  
Side Channel ◽  
Public Key Encryption ◽  
Side Channel Attacks ◽  
Key Recovery ◽  
Binary Information ◽  
Channel Information ◽  
Standardization Process

In this work, we demonstrate generic and practical EM side-channel assisted chosen ciphertext attacks over multiple LWE/LWR-based Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEM) secure in the chosen ciphertext model (IND-CCA security). We show that the EM side-channel information can be efficiently utilized to instantiate a plaintext checking oracle, which provides binary information about the output of decryption, typically concealed within IND-CCA secure PKE/KEMs, thereby enabling our attacks. Firstly, we identified EM-based side-channel vulnerabilities in the error correcting codes (ECC) enabling us to distinguish based on the value/validity of decrypted codewords. We also identified similar vulnerabilities in the Fujisaki-Okamoto transform which leaks information about decrypted messages applicable to schemes that do not use ECC. We subsequently exploit these vulnerabilities to demonstrate practical attacks applicable to six CCA-secure lattice-based PKE/KEMs competing in the second round of the NIST standardization process. We perform experimental validation of our attacks on implementations taken from the open-source pqm4 library, running on the ARM Cortex-M4 microcontroller. Our attacks lead to complete key-recovery in a matter of minutes on all the targeted schemes, thus showing the effectiveness of our attack.

scholarly journals CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

Cryptography ◽  
2018 ◽  
Vol 2 (4) ◽  
pp. 42
Author(s):  
Jonathan Trostle
Keyword(s):  
Block Cipher ◽  
Energy Savings ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Computational Overhead ◽  
Initialization Vector ◽  
Wireless Environments ◽  
Security Bound ◽  
Associated Data ◽  
Short Messages

In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not necessarily result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Synthetic Initialization Vector (SIV) mode for computational overhead but has much smaller expansion. We prove both a misuse resistant authenticated encryption (MRAE) security bound and an authenticated encryption (AE) security bound for CMCC. We also present a variation of CMCC, CWM (CMCC With MAC), which provides a further strengthening of the security bounds.

scholarly journals Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

2016 ◽  
pp. 114-133 ◽  
Author(s):  
Colin Chaigneau ◽  
Henri Gilbert
Keyword(s):  
Block Cipher ◽  
Encryption Algorithm ◽  
Instruction Set ◽  
Authenticated Encryption ◽  
Key Recovery ◽  
Security Properties ◽  
Software Implementations ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it can be interpreted as an indication that AEZ does not fully meet the objective of being an extremely conservative and misuse-resilient algorithm.

scholarly journals Reconsidering the Security Bound of AES-GCM-SIV

2017 ◽  
pp. 240-267 ◽  
Author(s):  
Tetsu Iwata ◽  
Yannick Seurin
Keyword(s):  
Research Group ◽  
Security Analysis ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Simple Modification ◽  
Security Guarantees ◽  
Security Bound ◽  
Key Derivation

We make a number of remarks about the AES-GCM-SIV nonce-misuse resistant authenticated encryption scheme currently considered for standardization by the Crypto Forum Research Group (CFRG). First, we point out that the security analysis proposed in the ePrint report 2017/168 is incorrect, leading to overly optimistic security claims. We correct the bound and re-assess the security guarantees offered by the scheme for various parameters. Second, we suggest a simple modification to the key derivation function which would improve the security of the scheme with virtually no efficiency penalty.

Sign in / Sign up

Export Citation Format

Share Document