Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                



Dates are inconsistent

Dates are inconsistent

64 results sorted by ID

2024/1969 (PDF) Last updated: 2024-12-05
SoK: Security of the Ascon Modes
Charlotte Lefevre, Bart Mennink
Secret-key cryptography

The Ascon authenticated encryption scheme and hash function of Dobraunig et al (Journal of Cryptology 2021) were recently selected as winner of the NIST lightweight cryptography competition. The mode underlying Ascon authenticated encryption (Ascon-AE) resembles ideas of SpongeWrap, but not quite, and various works have investigated the generic security of Ascon-AE, all covering different attack scenarios and with different bounds. This work systemizes knowledge on the mode security of...

2024/1382 (PDF) Last updated: 2024-09-03
Universal Context Commitment without Ciphertext Expansion
Arghya Bhattacharjee, Ritam Bhaumik, Chandranan Dhar
Secret-key cryptography

An ongoing research challenge in symmetric cryptography is to design an authenticated encryption (AE) with a commitment to the secret key or preferably to the entire context. One way to achieve this is to use a transform on an existing AE scheme, if possible with no output length expansion. At EUROCRYPT'22, Bellare and Hoang proposed the HtE transform, which lifts key-commitment to context-commitment. In the same year at ESORICS'22, Chan and Rogaway proposed the CTX transform, which works on...

2024/743 (PDF) Last updated: 2024-05-15
Improved Conditional Cube Attacks on Ascon AEADs in Nonce-Respecting Settings -- with a Break-Fix Strategy
Kai Hu
Secret-key cryptography

The best-known distinguisher on 7-round Ascon-128 and Ascon-128a AEAD uses a 60-dimensional cube where the nonce bits are set to be equal in the third and fourth rows of the Ascon state during initialization (Rohit et al. ToSC 2021/1). It was not known how to use this distinguisher to mount key-recovery attacks. In this paper, we investigate this problem using a new strategy called \textit{break-fix} for the conditional cube attack. The idea is to introduce slightly-modified cubes which...

2024/731 (PDF) Last updated: 2024-09-09
Toward Full $n$-bit Security and Nonce Misuse Resistance of Block Cipher-based MACs
Wonseok Choi, Jooyoung Lee, Yeongmin Lee
Secret-key cryptography

In this paper, we study the security of MAC constructions among those classified by Chen et al. in ASIACRYPT '21. Precisely, $F^{\text{EDM}}_{B_2}$ (or $\mathsf{EWCDM}$ as named by Cogliati and Seurin in CRYPTO '16), $F^{\text{EDM}}_{B_3}$, $F^{\text{SoP}}_{B_2}$, $F^{\text{SoP}}_{B_3}$ (all as named by Chen et al.) are proved to be fully secure up to $2^n$ MAC queries in the nonce-respecting setting, improving the previous bound of $\frac{3n}{4}$-bit security. In particular,...

2024/579 (PDF) Last updated: 2024-04-15
Tight Multi-user Security of Ascon and Its Large Key Extension
Bishwajit Chakraborty, Chandranan Dhar, Mridul Nandi
Secret-key cryptography

The Ascon cipher suite has recently become the preferred standard in the NIST Lightweight Cryptography standardization process. Despite its prominence, the initial dedicated security analysis for the Ascon mode was conducted quite recently. This analysis demonstrated that the Ascon AEAD mode offers superior security compared to the generic Duplex mode, but it was limited to a specific scenario: single-user nonce-respecting, with a capacity strictly larger than the key size. In this paper, we...

2024/343 Last updated: 2024-04-08
Partial Differential Fault Analysis on Ascon
Yang Gao
Attacks and cryptanalysis

Authenticated Encryption with Associated Data (AEAD) is a trend in applied cryptography because it combine confidentiality, integrity, and authentication into one algorithm and is more efficient than using block ciphers and hash functions separately. The Ascon algorithm, as the winner in both the CAESAR competition and the NIST LwC competition, will soon become the AEAD standard for protecting the Internet of Things and micro devices with limited computing resources. We propose a partial...

2024/084 (PDF) Last updated: 2024-05-24
Efficient Instances of Docked Double Decker With AES, and Application to Authenticated Encryption
Christoph Dobraunig, Krystian Matusiewicz, Bart Mennink, Alexander Tereschenko
Secret-key cryptography

A tweakable wide blockcipher is a construction which behaves in the same way as a tweakable blockcipher, with the difference that the actual block size is flexible. Due to this feature, a tweakable wide blockcipher can be directly used as a strong encryption scheme that provides full diffusion when encrypting plaintexts to ciphertexts and vice versa. Furthermore, it can be the basis of authenticated encryption schemes fulfilling the strongest security notions. In this paper, we present three...

2023/1704 (PDF) Last updated: 2024-03-02
On Overidealizing Ideal Worlds: Xor of Two Permutations and its Applications
Wonseok Choi, Minki Hhan, Yu Wei, Vassilis Zikas
Secret-key cryptography

Security proofs of symmetric-key primitives typically consider an idealized world with access to a (uniformly) random function. The starting point of our work is the observation that such an ideal world can lead to underestimating the actual security of certain primitives. As a demonstrating example, $\mathsf{XoP2}$, which relies on two independent random permutations, has been proven to exhibit superior concrete security compared to $\mathsf{XoP}$, which employs a single permutation with...

2023/1431 (PDF) Last updated: 2023-09-21
Forgery Attacks on Several Beyond-Birthday-Bound Secure MACs
Yaobin Shen, François-Xavier Standaert, Lei Wang
Secret-key cryptography

At CRYPTO'18, Datta et al. proposed nPolyMAC and proved the security up to 2^{2n/3} authentication queries and 2^{n} verification queries. At EUROCRYPT'19, Dutta et al. proposed CWC+ and showed the security up to 2^{2n/3} queries. At FSE'19, Datta et al. proposed PolyMAC and its key-reduced variant 2k-PolyMAC, and showed the security up to 2^{2n/3} queries. This security bound was then improved by Kim et al. (EUROCRYPT'20) and Datta et al (FSE'23) respectively to 2^{3n/4} and in the...

2023/1361 (PDF) Last updated: 2023-09-11
Let's Go Eevee! A Friendly and Suitable Family of AEAD Modes for IoT-to-Cloud Secure Computation
Amit Singh Bhati, Erik Pohle, Aysajan Abidin, Elena Andreeva, Bart Preneel
Secret-key cryptography

IoT devices collect privacy-sensitive data, e.g., in smart grids or in medical devices, and send this data to cloud servers for further processing. In order to ensure confidentiality as well as authenticity of the sensor data in the untrusted cloud environment, we consider a transciphering scenario between embedded IoT devices and multiple cloud servers that perform secure multi-party computation (MPC). Concretely, the IoT devices encrypt their data with a lightweight symmetric cipher and...

2023/326 (PDF) Last updated: 2023-03-06
A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality
Jean Liénardy, Frédéric Lafitte
Attacks and cryptanalysis

OCB3 is a mature and provably secure authenticated encryption mode of operation which allows for associated data (AEAD). This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module. The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce-repetition as confidentiality and authenticity are lost until the key...

2023/241 (PDF) Last updated: 2023-02-21
Lynx: Family of Lightweight Authenticated Encryption Schemes based on Tweakable Blockcipher
Munawar Hasan, Donghoon Chang
Secret-key cryptography

The widespread deployment of low-power and handheld devices opens an opportunity to design lightweight authenticated encryption schemes. The schemes so proposed must also prove their resilience under various security notions. Romulus-N1 is an authenticated encryption scheme with associated data based on a tweakable blockcipher, a primary variant of Romulus-N family which is NIST (National Institute of Standards and Technology) lightweight cryptography competition finalist; provides beyond...

2022/1776 (PDF) Last updated: 2022-12-29
Offset-Based BBB-Secure Tweakable Block-ciphers with Updatable Caches
Arghya Bhattacharjee, Ritam Bhaumik, Mridul Nandi
Secret-key cryptography

A nonce-respecting tweakable blockcipher is the building-block for the OCB authenticated encryption mode. An XEX-based TBC is used to process each block in OCB. However, XEX can provide at most birthday bound privacy security, whereas in Asiacrypt 2017, beyond-birthday-bound (BBB) forging security of OCB3 was shown by Bhaumik and Nandi. In this paper we study how at a small cost we can construct a nonce-respecting BBB-secure tweakable blockcipher. We propose the OTBC-3 construction, which...

2022/1122 (PDF) Last updated: 2022-08-29
Practical Related-Key Forgery Attacks on the Full TinyJAMBU-192/256
Orr Dunkelman, Eran Lambooij, Shibam Ghosh
Attacks and cryptanalysis

TinyJambu is one of the finalists in the NIST lightweight cryptography competition. It has undergone extensive analysis in the recent years as both the keyed permutation as well as the mode are new designs. In this paper we present a related-key forgery attackon the updated TinyJambu scheme with 256- and 192-bit keys. We introduce a high probability related-key differential attack were the differences are only introduced into the key state. Therefore, the characteristic is applicable to the...

2022/1012 (PDF) Last updated: 2023-02-15
Nonce-Misuse Resilience of Romulus-N and GIFT-COFB
Akiko Inoue, Chun Guo, Kazuhiko Minematsu
Secret-key cryptography

We analyze nonce-misuse resilience (NMRL) security of Romulus-N and GIFT-COFB, the two finalists of NIST Lightweight Cryptography project for standardizing lightweight authenticated encryption. NMRL, introduced by Ashur et al. at CRYPTO 2017, is a relaxed security notion from a stronger, nonce-misuse resistance notion. We proved that Romulus-N and GIFT-COFB have nonce-misuse resilience. For Romulus-N, we showed the perfect privacy (NMRL-PRIV) and n/2-bit authenticity (NMRL-AUTH) with...

2022/304 (PDF) Last updated: 2022-03-07
Multi-User BBB Security of Public Permutations Based MAC
Yu Long Chen, Avijit Dutta, Mridul Nandi
Secret-key cryptography

At CRYPTO 2019, Chen et al. have shown a beyond the birthday bound secure $n$-bit to $n$-bit PRF based on public random permutations. Followed by the work, Dutta and Nandi have proposed a beyond the birthday bound secure nonce based MAC $\textsf{nEHtM}_p$ based on public random permutation. In particular, the authors have shown that $\textsf{nEHtM}_p$ achieves tight $2n/3$-bit security ({\em with respect to the state size of the permutation}) in the single-user setting, and their proven...

2022/299 (PDF) Last updated: 2022-03-07
Related-Tweakey Impossible Differential Attack on Reduced-Round SKINNY-AEAD M1/M3
Yanhong Fan,Muzhou Li,Chao Niu,Zhenyu Lu,Meiqin Wang
Secret-key cryptography

SKINNY-AEAD is one of the second-round candidates of the Lightweight Cryptography Standardization project held by NIST. SKINNY-AEAD M1 is the primary member of six SKINNY-AEAD schemes, while SKINNY-AEAD M3 is another member with a small tag. In the design document, only security analyses of their underlying primitive SKINNY-128-384 are provided. Besides, there are no valid third-party analyses on SKINNY-AEAD M1/M3 according to our knowledge. Therefore, this paper focuses on constructing the...

2022/140 (PDF) Last updated: 2022-02-09
On the Related-Key Attack Security of Authenticated Encryption Schemes
Sebastian Faust, Juliane Krämer, Maximilian Orlt, Patrick Struck
Secret-key cryptography

Related-key attacks (RKA) are powerful cryptanalytic attacks, where the adversary can tamper with the secret key of a cryptographic scheme. Since their invention, RKA security has been an important design goal in cryptography, and various works aim at designing cryptographic primitives that offer protection against related-key attacks. At EUROCRYPT'03, Bellare and Kohno introduced the first formal treatment of related-key attacks focusing on pseudorandom functions and permutations. This was...

2021/1696 (PDF) Last updated: 2024-05-12
Categorization of Faulty Nonce Misuse Resistant Message Authentication
Yu Long Chen, Bart Mennink, Bart Preneel
Secret-key cryptography

A growing number of lightweight block ciphers are proposed for environments such as the Internet of Things. An important contribution to the reduced implementation cost is a block length n of 64 or 96 bits rather than 128 bits. As a consequence, encryption modes and message authentication code (MAC) algorithms require security beyond the 2^{n/2} birthday bound. This paper provides an extensive treatment of MAC algorithms that offer beyond birthday bound PRF security for both nonce-respecting...

2021/1573 (PDF) Last updated: 2021-12-03
Improved Security Bound of \textsf{(E/D)WCDM}
Nilanjan Datta, Avijit Dutta, Kushankur Dutta
Secret-key cryptography

In CRYPTO'16, Cogliati and Seurin proposed a block cipher based nonce based MAC, called {\em Encrypted Wegman-Carter with Davies-Meyer} (\textsf{EWCDM}), that gives $2n/3$ bit MAC security in the nonce respecting setting and $n/2$ bit security in the nonce misuse setting, where $n$ is the block size of the underlying block cipher. However, this construction requires two independent block cipher keys. In CRYPTO'18, Datta et al. came up with a single-keyed block cipher based nonce based MAC,...

2021/1556 (PDF) Last updated: 2021-11-29
Diving Deep into the Weak Keys of Round Reduced Ascon
Raghvendra Rohit, Santanu Sarkar
Secret-key cryptography

At ToSC 2021, Rohit \textit{et al.} presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designer's security claims of nonce-respecting setting and data limit of $2^{64}$ blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishers require (impractical) $2^{60}$ data while the data complexity of key recovery attacks exactly equals $2^{64}$. Whether there are any practical distinguishers and key recovery...

2021/1168 (PDF) Last updated: 2021-09-17
Toward a Fully Secure Authenticated Encryption Scheme From a Pseudorandom Permutation (Full Version)
Wonseok Choi, Byeonghak Lee, Jooyoung Lee, Yeongmin Lee
Secret-key cryptography

In this paper, we propose a new block cipher-based authenticated encryption scheme, dubbed the Synthetic Counter with Masking~(SCM) mode. SCM follows the NSIV paradigm proposed by Peyrin and Seurin~(CRYPTO 2016), where a keyed hash function accepts a nonce N with associated data and a message, yielding an authentication tag T, and then the message is encrypted by a counter-like mode using both T and N. Here we move one step further by encrypting nonces; in the encryption part, the inputs to...

2021/1154 (PDF) Last updated: 2021-09-14
1, 2, 3, Fork: Counter Mode Variants based on a Generalized Forkcipher
Elena Andreeva, Amit Singh Bhati, Bart Preneel, Damian Vizar
Secret-key cryptography

A multi-forkcipher (MFC) is a generalization of the forkcipher (FC) primitive introduced by Andreeva et al. at ASIACRYPT'19. An MFC is a tweakable cipher that computes $s$ output blocks for a single input block, with $s$ arbitrary but fixed. We define the MFC security in the ind-prtmfp notion as indistinguishability from $s$ tweaked permutations. Generalizing tweakable block ciphers (TBCs, $s = 1$), as well as forkciphers ($s=2$), MFC lends itself well to building simple-to-analyze modes of...

2021/648 (PDF) Last updated: 2022-02-22
Security of COFB against Chosen Ciphertext Attacks
Mustafa Khairallah
Secret-key cryptography

COFB is a lightweight Authenticated Encryption with Associated Data (AEAD) mode based on block ciphers. It was proposed in CHES 2017 and is the basis for GIFT-COFB, a finalist in the NIST lightweight standardization project. It comes with provable security results that guarantee its security up to the birthday bound in the nonce-respecting model. However, the designers offer multiple versions of the analysis with different details and the implications of attacks against the scheme are not...

2021/194 (PDF) Last updated: 2021-02-24
Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon
Raghvendra Rohit, Kai Hu, Sumanta Sarkar, Siwei Sun
Secret-key cryptography

Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schl{ä}ffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to $7$ (out of $12$) rounds due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of $2^{64}$...

2020/1524 (PDF) Last updated: 2021-04-07
Nonce-Misuse Security of the SAEF Authenticated Encryption mode
Elena Andreeva, Amit Singh Bhati, Damian Vizar
Secret-key cryptography

ForkAE is a NIST lightweight cryptography candidate that uses the forkcipher primitive in two modes of operation -- SAEF and PAEF -- optimized for authenticated encryption of the shortest messages. SAEF is a sequential and online AEAD that minimizes the memory footprint compared to its alternative parallel mode PAEF, catering to the most constrained devices. SAEF was proven AE secure against nonce-respecting adversaries. Due to their more acute and direct exposure to device misuse and...

2020/1161 (PDF) Last updated: 2020-10-05
KVaC: Key-Value Commitments for Blockchains and Beyond
Shashank Agrawal, Srinivasan Raghuraman
Cryptographic protocols

As blockchains grow in size, validating new transactions becomes more and more resource intensive. To deal with this, there is a need to discover compact encodings of the (effective) state of a blockchain -- an encoding that allows for efficient proofs of membership and updates. In the case of account-based cryptocurrencies, the state can be represented by a key-value map, where keys are the account addresses and values consist of account balance, nonce, etc. We propose a new commitment...

2020/1145 (PDF) Last updated: 2020-09-21
Improved Security Analysis for Nonce-based Enhanced Hash-then-Mask MACs
Wonseok Choi, Byeonghak Lee, Yeongmin Lee, Jooyoung Lee
Secret-key cryptography

In this paper, we prove that the nonce-based enhanced hash-then-mask MAC ($\mathsf{nEHtM}$) is secure up to $2^{\frac{3n}{4}}$ MAC queries and $2^n$ verification queries (ignoring logarithmic factors) as long as the number of faulty queries $\mu$ is below $2^\frac{3n}{8}$, significantly improving the previous bound by Dutta et al. Even when $\mu$ goes beyond $2^{\frac{3n}{8}}$, $\mathsf{nEHtM}$ enjoys graceful degradation of security. The second result is to prove the security of PRF-based...

2020/509 (PDF) Last updated: 2020-05-05
BBB Secure Nonce Based MAC Using Public Permutations
Avijit Dutta, Mridul Nandi
Secret-key cryptography

In the recent trend of CAESAR competition and NIST light-weight competition, cryptographic community have witnessed the submissions of several cryptographic schemes that are build on public random permutations. Recently, in CRYPTO 2019, Chen et al. have initiated an interesting research direction in designing beyond birthday bound PRFs from public random permutations and they proposed two instances of such PRFs. In this work, we extend this research direction by proposing a nonce-based MAC...

2020/114 (PDF) Last updated: 2020-10-01
A Security Model and Fully Verified Implementation for the IETF QUIC Record Layer
Antoine Delignat-Lavaud, Cédric Fournet, Bryan Parno, Jonathan Protzenko, Tahina Ramananandro, Jay Bosamiya, Joseph Lallemand, Itsaka Rakotonirina, Yi Zhou
Implementation

We investigate the security of the QUIC record layer, as standardized by the IETF in draft version 30. This version features major differences compared to Google's original protocol and prior IETF drafts. We model packet and header encryption, which uses a custom construction for privacy. To capture its goals, we propose a security definition for authenticated encryption with semi-implicit nonces. We show that QUIC uses an instance of a generic construction parameterized by a standard...

2019/1359 (PDF) Last updated: 2020-01-13
Universal Forgery Attack against GCM-RUP
Yanbin Li, Gaëtan Leurent, Meiqin Wang, Wei Wang, Guoyan Zhang, Yu Liu
Secret-key cryptography

Authenticated encryption (AE) schemes are widely used to secure communications because they can guarantee both confidentiality and authenticity of a message. In addition to the standard AE security notion, some recent schemes offer extra robustness, i.e. they maintain security in some misuse scenarios. In particular, Ashur, Dunkelman and Luykx proposed a generic AE construction at CRYPTO'17 that is secure even when releasing unverified plaintext (the RUP setting), and a concrete...

2019/1351 (PDF) Last updated: 2019-11-27
Speeding Up OMD Instantiations in Hardware
Diana Maimut, Alexandru Stefan Mega
Implementation

Particular instantiations of the Offset Merkle Damgaard authenticated encryption scheme (OMD) represent highly secure alternatives for AES-GCM. It is already a fact that OMD can be efficiently implemented in software. Given this, in our paper we focus on speeding-up OMD in hardware, more precisely on FPGA platforms. Thus, we propose a new OMD instantiation based on the compression function of BLAKE2b. Moreover, to the best of our knowledge, we present the first FPGA implementation results...

2019/992 (PDF) Last updated: 2020-07-10
Duel of the Titans: The Romulus and Remus Families of Lightweight AEAD Algorithms
Tetsu Iwata, Mustafa Khairallah, Kazuhiko Minematsu, Thomas Peyrin
Secret-key cryptography

In this article, we propose two new families of very lightweight and efficient authenticated encryption with associated data (AEAD) modes, Romulus and Remus, that provide security beyond the birthday bound with respect to the block-length $n$. The former uses a tweakable block cipher (TBC) as internal primitive and can be proven secure in the standard model. The later uses a block cipher (BC) as internal primitive and can be proven secure in the ideal cipher model. Both our modes allow to...

2019/879 (PDF) Last updated: 2019-11-22
Cube-Based Cryptanalysis of Subterranean-SAE
Fukang Liu, Takanori Isobe, Willi Meier
Secret-key cryptography

Subterranean 2.0 designed by Daemen, Massolino and Rotella is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the official document of Subterranean 2.0, the designers have analyzed the state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE is made. For Subterranean-SAE, the designers introduce 8 blank rounds to separate...

2019/127 (PDF) Last updated: 2019-02-13
Beyond Birthday Bound Secure MAC in Faulty Nonce Model
Avijit Dutta, Mridul Nandi, Suprita Talnikar
Secret-key cryptography

Encrypt-then-MAC (EtM) is a popular mode for authenticated encryption (AE). Unfortunately, almost all designs following the EtM paradigm, including the AE suites for TLS, are vulnerable against nonce misuse. A single repetition of the nonce value reveals the hash key, leading to a universal forgery attack. There are only two authenticated encryption schemes following the EtM paradigm which can resist nonce misuse attacks, the GCM-RUP (CRYPTO-17) and the GCM/2+ (INSCRYPT-12). However, they...

2018/1012 (PDF) Last updated: 2018-10-24
The authenticated encryption schemes Kravatte-SANE and Kravatte-SANSE
Guido Bertoni, Joan Daemen, Seth Hoffert, Michaël Peeters, Gilles Van Assche, Ronny Van Keer
Secret-key cryptography

This note defines Kravatte-SANE and Kravatte-SANSE. Both are session authenticated encryption schemes and differ in their robustness with respect to nonce misuse. They are defined as instances of modes on top of the deck function Kravatte, where a deck function is a keyed function with variable-length input strings, an arbitrary-length output and certain incrementality properties.

2018/767 (PDF) Last updated: 2019-03-14
Xoodoo cookbook
Joan Daemen, Seth Hoffert, Michaël Peeters, Gilles Van Assche, Ronny Van Keer

This document presents Xoodoo, a 48-byte cryptographic permutation that allows very efficient symmetric crypto on a wide range of platforms and a suite of cryptographic functions built on top of it. The central function in this suite is Xoofff, obtained by instantiating Farfalle with Xoodoo. Xoofff is what we call a deck function and can readily be used for MAC computation, stream encryption and key derivation. The suite includes two session authenticated encryption (SAE) modes: Xoofff-SANE...

2018/500 (PDF) Last updated: 2018-06-08
Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC
Nilanjan Datta, Avijit Dutta, Mridul Nandi, Kan Yasuda

In CRYPTO 2016, Cogliati and Seurin have proposed a highly secure nonce-based MAC called Encrypted Wegman-Carter with Davies-Meyer ($\textsf{EWCDM}$) construction, as $\textsf{E}_{K_2}\bigl(\textsf{E}_{K_1}(N)\oplus N\oplus \textsf{H}_{K_h}(M)\bigr)$ for a nonce $N$ and a message $M$. This construction achieves roughly $2^{2n/3}$ bit MAC security with the assumption that $\textsf{E}$ is a PRP secure $n$-bit block cipher and $\textsf{H}$ is an almost xor universal $n$-bit hash function. In...

2018/464 (PDF) Last updated: 2024-06-07
Cryptanalysis of MORUS
Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Gaëtan Leurent, Brice Minaud, Yann Rotella, Yu Sasaki, Benoît Viguier
Secret-key cryptography

MORUS is a high-performance authenticated encryption algorithm submitted to the CAESAR competition, and recently selected as a finalist.There are three versions of MORUS: MORUS-640 with a 128-bit key, and MORUS-1280 with 128-bit or 256-bit keys. For all versions the security claim for confidentiality matches the key size.In this paper, we analyze the components of this algorithm (initialization, state update and tag generation), and report several results. As our main result, we present a...

2018/075 (PDF) Last updated: 2018-07-27
MILP-aided Cube-attack-like Cryptanalysis on Keccak Keyed Modes
Wenquan Bi, Xiaoyang Dong, Zheng Li, Rui Zong, Xiaoyun Wang

Cube-attack-like cryptanalysis was proposed by Dinur et al. at EUROCRYPT 2015, which recovers the key of Keccak keyed modes in a divide-and-conquer manner. In their attack, one selects cube variables manually, which leads to more key bits involved in the key-recovery attack, so the complexity is too high unnecessarily. In this paper, we introduce a new MILP model and make the cube attacks better on the Keccak keyed modes. Using this new MILP tool, we find the optimal cube variables for...

2018/025 (PDF) Last updated: 2018-01-07
Hedged Nonce-Based Public-Key Encryption: Adaptive Security under Randomness Failures
Zhengan Huang, Junzuo Lai, Wenbin Chen, Man Ho Au, Zhen Peng, Jin Li

Nowadays it is well known that randomness may fail due to bugs or deliberate randomness subversion. As a result, the security of traditional public-key encryption (PKE) cannot be guaranteed any more. Currently there are mainly three approaches dealing with the problem of randomness failures: deterministic PKE, hedged PKE, and nonce-based PKE. However, these three approaches only apply to different application scenarios respectively. Since the situations in practice are dynamic and very...

2017/1030 (PDF) Last updated: 2018-09-14
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-based Constructions
Ling Song, Jian Guo, Danping Shi, San Ling

In this paper, we propose a new MILP modeling to find better or even optimal choices of conditional cubes, under the general framework of conditional cube attacks. These choices generally find new or improved attacks against the keyed constructions based on Keccak permutation and its variants, including Keccak-MAC, KMAC, Keyak, and Ketje, in terms of attack complexities or the number of attacked rounds. Interestingly, conditional cube attacks were applied to round-reduced Keccak-MAC, but not...

2017/831 (PDF) Last updated: 2018-03-22
Security Proof of JAMBU under Nonce Respecting and Nonce Misuse Cases
Geng Wang, Haiyang Zhang, Fengmei Liu
Secret-key cryptography

JAMBU is an AEAD mode of operation which entered the third round of CAESAR competition. However, it does not have a security proof like other modes of operation do, and there was a cryptanalysis result that has overthrown the security claim under nonce misuse case by the designers. In this paper, we complement the shortage of the scheme by giving security proofs of JAMBU both under nonce respecting case and nonce misuse case. We prove that JAMBU under nonce respecting case has a slightly...

2017/804 (PDF) Last updated: 2017-08-29
Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method
Zheng Li, Wenquan Bi, Xiaoyang Dong, Xiaoyun Wang
Secret-key cryptography

Conditional cube attack is an efficient key-recovery attack on Keccak keyed modes proposed by Huang et al. at EUROCRYPT 2017. By assigning bit conditions, the diffusion of a conditional cube variable is reduced. Then, using a greedy algorithm (Algorithm 4 in Huang et al.'s paper), Huang et al. find some ordinary cube variables, that do not multiply together in the 1st round and do not multiply with the conditional cube variable in the 2nd round. Then the key-recovery attack is launched. The...

2017/498 (PDF) Last updated: 2017-09-01
Full-State Keyed Duplex With Built-In Multi-User Support
Joan Daemen, Bart Mennink, Gilles Van Assche
Secret-key cryptography

The keyed duplex construction was introduced by Bertoni et al.(SAC 2011) and recently generalized to full-state absorption by Mennink et al.(ASIACRYPT 2015). We present a generalization of the full-state keyed duplex that natively supports multiple instances by design, and perform a security analysis that improves over that of Mennink et al. in terms of a more modular security analysis and a stronger and more adaptive security bound. Via the introduction of an additional parameter to the...

2017/431 (PDF) Last updated: 2017-05-22
Understanding RUP Integrity of COLM
Nilanjan Datta, Atul Luykx, Bart Mennink, Mridul Nandi

The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on...

2017/332 (PDF) Last updated: 2017-04-18
Reforgeability of Authenticated Encryption Schemes
Christian Forler, Eik List, Stefan Lucks, Jakob Wenzel
Secret-key cryptography

This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: j-Int-CTXT, which is derived from the notion INT-CTXT. Second, we define an attack scenario called j-IV-Collision Attack (j-IV-CA), wherein an adversary tries to construct j...

2016/1098 (PDF) Last updated: 2016-11-22
Multi-key Analysis of Tweakable Even-Mansour with Applications to Minalpher and OPP
Zhiyuan Guo, Wenling Wu, Renzhang Liu, Liting Zhang

The tweakable Even-Mansour construction generalizes the conventional Even-Mansour scheme through replacing round keys by strings derived from a master key and a tweak. Besides providing plenty of inherent variability, such a design builds a tweakable block cipher from some lower level primitive. In the present paper, we evaluate the multi-key security of TEM-1, one of the most commonly used one-round tweakable Even-Mansour schemes (introduced at CRYPTO 2015), which is constructed from a...

2016/832 (PDF) Last updated: 2016-08-30
Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?
Colin Chaigneau, Henri Gilbert

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we...

2016/732 (PDF) Last updated: 2016-09-26
Nonlinear Invariant Attack --Practical Attack on Full SCREAM, iSCREAM, and Midori64
Yosuke Todo, Gregor Leander, Yu Sasaki
Secret-key cryptography

In this paper we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack...

2016/623 (PDF) Last updated: 2016-06-17
EnCounter: On Breaking the Nonce Barrier in Differential Fault Analysis with a Case-Study on PAEQ
Dhiman Saha, Dipanwita Roy Chowdhury

This work exploits internal differentials within a cipher in the context of Differential Fault Analysis (DFA). This in turn overcomes the nonce barrier which acts as a natural counter-measure against DFA. We introduce the concept of internal differential fault analysis which requires only one faulty ciphertext. In particular, the analysis is applicable to parallelizable ciphers that use the counter-mode. As a proof of concept we develop an internal differential fault attack called EnCounter...

2016/436 (PDF) Last updated: 2016-05-04
Cryptanalysis of Reduced NORX
Nasour Bagheri, Tao Huang, Keting Jia, Florian Mendel, Yu Sasaki

NORX is a second round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce based authenticated encryption scheme based on the sponge construction. Its two variants denoted by NORX32 and NORX64 provide a security level of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 (out of 4) rounds. The time complexity of the attack for NORX32 and...

2016/047 (PDF) Last updated: 2016-01-19
Comb to Pipeline: Fast Software Encryption Revisited
Andrey Bogdanov, Martin M. Lauridsen, Elmar Tischhauser
Implementation

AES-NI, or Advanced Encryption Standard New Instructions, is an extension of the x86 architecture proposed by Intel in 2008. With a pipelined implementation utilizing AES-NI, parallelizable modes such as AES-CTR become extremely efficient. However, out of the four non-trivial NIST-recommended encryption modes, three are inherently sequential: CBC, CFB, and OFB. This inhibits the advantage of using AES-NI significantly. Similar observations apply to CMAC, CCM and a great deal of other modes....

2015/1049 (PDF) Last updated: 2017-05-22
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers
Thomas Peyrin, Yannick Seurin
Secret-key cryptography

We propose the Synthetic Counter-in-Tweak (SCT) mode, which turns a tweakable block cipher into a nonce-based authenticated encryption scheme (with associated data). The SCT mode combines in a SIV-like manner a Wegman-Carter MAC inspired from PMAC for the authentication part and a new counter-like mode for the encryption part, with the unusual property that the counter is applied on the tweak input of the underlying tweakable block cipher rather than on the plaintext input. Unlike many...

2015/999 (PDF) Last updated: 2022-03-16
Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption
Robert Granger, Philipp Jovanovic, Bart Mennink, Samuel Neves

A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete...

2015/424 (PDF) Last updated: 2015-05-05
FIDES: Lightweight Authenticated Cipher with Side-Channel Resistance for Constrained Hardware
Begül Bilgin, Andrey Bogdanov, Miroslav Knežević, Florian Mendel, Qingju Wang
Secret-key cryptography

In this paper, we present a novel lightweight authenticated cipher optimized for hardware implementations called FIDES. It is an online nonce-based authenticated encryption scheme with authenticated data whose area requirements are as low as 793 GE and 1001 GE for 80-bit and 96-bit security, respectively. This is at least two times smaller than its closest competitors Hummingbird-2 and Grain-128a. While being extremely compact, Fides is both throughput and latency efficient, even in its most...

2015/392 (PDF) Last updated: 2016-04-11
Forgery Attacks on round-reduced ICEPOLE-128
Christoph Dobraunig, Maria Eichlseder, Florian Mendel
Secret-key cryptography

ICEPOLE is a family of authenticated encryptions schemes submitted to the ongoing CAESAR competition and in addition presented at CHES 2014. To justify the use of ICEPOLE, or to point out potential weaknesses, third-party cryptanalysis is needed. In this work, we evaluate the resistance of ICEPOLE-128 against forgery attacks. By using differential cryptanalysis, we are able to create forgeries from a known ciphertext-tag pair with a probability of $2^{-60.3}$ for a round-reduced version of...

2014/931 (PDF) Last updated: 2020-06-24
Cryptanalysis of JAMBU
Thomas Peyrin, Siang Meng Sim, Lei Wang, Guoyan Zhang
Secret-key cryptography

In this article, we analyse the security of the authenticated encryption mode JAMBU, a submission to the CAESAR competition that remains currently unbroken. We show that the security claims of this candidate regarding its nonce-misuse resistance can be broken. More precisely, we explain a technique to guess in advance a ciphertext block corresponding to a plaintext that has never been queried before (nor its prefix), thus breaking the confidentiality of the scheme when the attacker can make...

2014/613 (PDF) Last updated: 2014-08-13
A Security Analysis of the Composition of ChaCha20 and Poly1305
Gordon Procter
Secret-key cryptography

This note contains a security reduction to demonstrate that Langley's composition of Bernstein's ChaCha20 and Poly1305, as proposed for use in IETF protocols, is a secure authenticated encryption scheme. The reduction assumes that ChaCha20 is a PRF, that Poly1305 is epsilon-almost-Delta-universal, and that the adversary is nonce respecting.

2014/317 (PDF) Last updated: 2014-10-02
Analysis of NORX: Investigating Differential and Rotational Properties
Jean-Philippe Aumasson, Philipp Jovanovic, Samuel Neves

This paper presents a thorough analysis of the AEAD scheme NORX, focussing on differential and rotational properties. We first introduce mathematical models that describe differential propagation with respect to the non-linear operation of NORX. Afterwards, we adapt a framework previously proposed for ARX designs allowing us to automatise the search for differentials and characteristics. We give upper bounds on the differential probability for a small number of steps of the NORX core...

2013/791 (PDF) Last updated: 2014-05-14
APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography
Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, Kan Yasuda
Secret-key cryptography

The domain of lightweight cryptography focuses on cryptographic algorithms for extremely constrained devices. It is very costly to avoid nonce reuse in such environments, because this requires either a secure pseudorandom number generator (PRNG), or non-volatile memory to store a counter. At the same time, a lot of cryptographic schemes actually require the nonce assumption for their security. In this paper, we propose APE as the first permutation-based authenticated encryption scheme that...

2011/644 (PDF) Last updated: 2013-12-13
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
Ewan Fleischmann, Christian Forler, Stefan Lucks, Jakob Wenzel
Secret-key cryptography

On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only --~in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers developed misuse resistant schemes for Authenticated Encryption....

2006/094 (PDF) (PS) Last updated: 2006-03-09
Cryptanalysis of the MEM Mode of Operation
Peng Wang, Dengguo Feng, Wenling Wu
Secret-key cryptography

The MEM mode is a nonce-based enciphering mode of operation proposed by Chakraborty and Sarkar, which was claimed to be secure against symmetric nonce respecting adversaries. We show that this is not correct by using two very simple attcks. One attack need one decryption and one decryption queries, and the other only need one encryption query.

2006/062 Last updated: 2006-07-30
A New Mode of Encryption Secure Against Symmetric Nonce Respecting Adversaries
Debrup Chakraborty, Palash Sarkar
Secret-key cryptography

We present MEM, which is a new mode of encryption using a block cipher. MEM is proved to be a strong pseudo-random permutation (SPRP) against {\em symmetric} nonce respecting adversaries, where a symmetric nonce respecting adversary is one which does not repeat nonces to either the encryption or the decryption oracle. Against such adversaries, MEM provides a secure, length preserving, tagless mode of encryption. In our construction, the number of block cipher calls is approximately half that...

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.