309 research outputs found
One-Key Compression Function Based MAC with Security beyond Birthday Bound
Gaži et al. [CRYPTO 2014] analyzed the NI-MAC construction proposed by An and Bellare [CRYPTO 1999] and gave a tight birthday-bound of , as an improvement over the previous bound of . In this paper, we design a simple extension of NI-MAC, called NI-MAC, and prove that it has a security bound beyond birthday (BBB) of order provided . Our construction not only lifts the security of NI-MAC beyond birthday, it also reduces the number of keys from 2 (NI uses 2 independent keys) to 1. Before this work, Yasuda had proposed [FSE 2008] a single fixed-keyed compression function based BBB-secure MAC with security bound that uses an extra mask and requires storage space to store the mask. However, our proposed construction NI does not require any extra mask and thereby has a reduced state size compared to Yasuda's proposal [FSE 2008] while providing the same order of security bound for lightweight applications.
A Pseudorandom-Function Mode Based on Lesamnta-LW and the MDP Domain Extension and Its Applications
This paper discusses a mode for pseudorandom functions (PRFs) based on the hashing mode of Lesamnta-LW and the domain extension called Merkle-Damgård with permutation (MDP). The hashing mode of Lesamnta-LW is a plain Merkle-Damgård iteration of a block cipher with its key size half of its block size. First, a PRF mode is presented which produces multiple independent PRFs with multiple permutations and initialization vectors if the underlying block cipher is a PRP. Then, two applications of the PRF mode are presented. One is a PRF with minimum padding. Here, padding is said to be minimum if the produced message blocks do not include message blocks only with the padded sequence for any non-empty input message. The other is a vector-input PRF using the PRFs with minimum padding.
This work was supported in part by JSPS KAKENHI Grant Number JP16H02828.
IEICE Transactions Online TOP (https://search.ieice.org/
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers
We propose the Synthetic Counter-in-Tweak (SCT) mode, which turns a tweakable block cipher into a nonce-based authenticated encryption scheme (with associated data). The SCT mode combines in a SIV-like manner a Wegman-Carter MAC inspired by PMAC for the authentication part and a new counter-like mode for the encryption part, with the unusual property that the counter is applied on the tweak input of the underlying tweakable block cipher rather than on the plaintext input. Unlike many previous authenticated encryption modes, SCT enjoys provable security beyond the birthday bound (and even up to roughly tweakable block cipher calls, where is the block length, when the tweak length is sufficiently large) in the nonce-respecting scenario where nonces are never repeated. In addition, SCT ensures security up to the birthday bound even when nonces are reused, in the strong nonce-misuse resistance sense (MRAE) of Rogaway and Shrimpton (EUROCRYPT 2006). To the best of our knowledge, this is the first authenticated encryption mode that provides at the same time close-to-optimal security in the nonce-respecting scenario and birthday-bound security in the nonce-misuse scenario. While two passes are necessary to achieve MRAE security, our mode enjoys a number of desirable features: it is simple and parallelizable, it requires the encryption direction only, it is particularly efficient for small messages compared to other nonce-misuse resistant schemes (no precomputation is required), and it allows incremental update of associated data.
A Tweak for a PRF Mode of a Compression Function and Its Applications
We discuss a tweak for the domain extension called Merkle-Damgård with Permutation (MDP), which was presented at ASIACRYPT 2007. We first show that MDP may produce multiple independent pseudorandom functions (PRFs) using a single secret key and multiple permutations if the underlying compression function is a PRF against related-key attacks with respect to the permutations. Using this result, we then construct a hash-function-based MAC function, which we call FMAC, using a compression function as its underlying primitive. We also present a scheme to extend FMAC so as to take as input a vector of strings.
Double-block Hash-then-Sum: A Paradigm for Constructing BBB Secure PRF
SUM-ECBC (Yasuda, CT-RSA 2010) is the first beyond birthday bound (BBB) secure block cipher based deterministic MAC. After this work, some more BBB secure deterministic MACs have been proposed, namely PMAC_Plus (Yasuda, CRYPTO 2011), 3kf9 (Zhang et al., ASIACRYPT 2012) and LightMAC_Plus (Naito, ASIACRYPT 2017). In this paper, we abstract out the inherent design principle of all these BBB secure MACs and present a generic design paradigm to construct a BBB secure pseudorandom function, namely Double-block Hash-then-Sum, or in short DbHtS. A DbHtS construction, as the name implies, computes a double-block hash on the message and then sums the encrypted outputs of the two hash blocks. Our result shows that if the underlying hash function meets certain security requirements (namely, its cover-free and block-wise universal advantages are low), the DbHtS construction provides 2n/3-bit security. We demonstrate the applicability of our result by instantiating all the existing beyond birthday secure deterministic MACs (e.g., SUM-ECBC, PMAC_Plus, 3kf9, LightMAC_Plus) as well as a simple two-keyed variant of each of them and some algebraic hash based constructions.
Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption
A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors.
Critical Perspectives on Provable Security: Fifteen Years of Another Look Papers
We give an overview of our critiques of "proofs" of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata.
Channel Based Relay Attack Detection Protocol
A relay attack is a potentially devastating form of man-in-the-middle attack that can circumvent any challenge-response authentication protocol. A relay attack also has no known cryptographic solution. This thesis proposes the use of reciprocal channel state information in a wireless system to detect the presence of a relay attack. Using an open source channel state information tool, a challenge-response authentication Channel Based Relay Attack Detection Protocol is designed and implemented in detail using IEEE 802.11n (WiFi). The proposed protocol adapts ideas from solutions to other problems to create a novel solution to the relay attack problem. Preliminary results are given to show the practicality of using channel state information for randomness extraction. In addition, two novel attacks are proposed that could be used to defeat the protocol and other similar protocols. To handle these attacks, two modifications are given that only work with the Channel Based Relay Attack Detection Protocol.
Physical one-way functions
Thesis (Ph. D.)--Massachusetts Institute of Technology, School of Architecture and Planning, Program in Media Arts and Sciences, 2001. Includes bibliographical references (p. 149-154).
Modern cryptography relies on algorithmic one-way functions - numerical functions which are easy to compute but very difficult to invert. This dissertation introduces physical one-way functions and physical one-way hash functions as primitives for physical analogs of cryptosystems. Physical one-way functions are defined with respect to a physical probe and a physical system in some unknown state. A function is called a physical one-way function if (a) there exists a deterministic physical interaction between the probe and the system which produces an output in constant time, (b) inverting the function using either computational or physical means is difficult, (c) simulating the physical interaction is computationally demanding, and (d) the physical system is easy to make but difficult to clone. Physical one-way hash functions produce fixed-length output regardless of the size of the input. These hash functions can be obtained by sampling the output of physical one-way functions. For the system described below, it is shown that there is a strong correspondence between the properties of physical one-way hash functions and their algorithmic counterparts. In particular, it is demonstrated that they are collision-resistant and that they exhibit the avalanche effect, i.e., a small change in the physical system causes a large change in the hash value. An inexpensive prototype authentication system based on physical one-way hash functions is designed, implemented, and analyzed. The prototype uses a disordered three-dimensional microstructure as the underlying physical system and coherent radiation as the probe. It is shown that the output of the interaction between the physical system and the probe can be used to robustly derive a unique tamper-resistant identifier at a very low cost per bit. The explicit use of three-dimensional structures marks a departure from prior efforts. Two protocols, including a one-time pad protocol, that illustrate the utility of these hash functions are presented, and potential attacks on the authentication system are considered. Finally, the concept of fabrication complexity is introduced as a way of quantifying the difficulty of materially cloning physical systems with arbitrary internal states. Fabrication complexity is discussed in the context of an idealized machine - a Universal Turing Machine augmented with a fabrication head - which transforms algorithmically minimal descriptions of physical systems into the systems themselves.
by Pappu Srinivasa Ravikanth. Ph.D.