Quantum forgery attacks on COPA,AES-COPA and marble authenticated encryption algorithms

The classic forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms need to query about 2^(n/2) times, and their success probability is not high. To solve this problem, the corresponding quantum forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms are presented. In the quantum forgery attacks on COPA and AES-COPA, we use Simon's algorithm to find the period of the tag generation function in COPA and AES-COPA by querying in superposition, and then generate a forged tag for a new message. In the quantum forgery attack on Marble, Simon's algorithm is used to recover the secret parameter L, and the forged tag can be computed with L. Compared with classic forgery attacks on COPA, AES-COPA and Marble, our attack can reduce the number of queries from O(2^(n/2)) to O(n) and improve success probability close to 100%.Comment: 21 pages, 11 figure

General Classification of the Authenticated Encryption Schemes for the CAESAR Competition

An Authenticated encryption scheme is a scheme which provides privacy and integrity by using a secret key. In 2013, CAESAR (the ``Competition for Authenticated Encryption: Security, Applicability, and Robustness\u27\u27) was co-founded by NIST and Dan Bernstein with the aim of finding authenticated encryption schemes that offer advantages over AES-GCM and are suitable for widespread adoption. The first round started with 57 candidates in March 2014; and nine of these first-round candidates where broken and withdrawn from the competition. The remaining 48 candidates went through an intense process of review, analysis and comparison. While the cryptographic community benefits greatly from the manifold different submission designs, their sheer number implies a challenging amount of study. This paper provides an easy-to-grasp overview over functional aspects, security parameters, and robustness offerings by the CAESAR candidates, clustered by their underlying designs (block-cipher-, stream-cipher-, permutation-/sponge-, compression-function-based, dedicated). After intensive review and analysis of all 48 candidates by the community, the CAESAR committee selected only 30 candidates for the second round. The announcement for the third round candidates was made on 15th August 2016 and 15 candidates were chosen for the third round

Universal Forgery with Birthday Paradox: Application to Blockcipher-based Message Authentication Codes and Authenticated Encryptions

An universal forgery attack means that for any given message $M$, an adversary without the key can forge the corresponding Message Authentication Code (MAC) tag $\tau$, and the pair $(M,\tau)$ can be verified with probability 1. For a idea MAC, the universal forgery attack should be infeasible to be implemented, whose complexity is believed to be min{$(2^n, 2^k)$} queries in the classic setting, where $n$ is the tag length and $k$ is the key length of the MAC, respectively. In this paper, we launch a general universal forgery attack to some blockcipher-based MACs and authenticated encryptions (AEs) using birthday attack, whose complexity is about $O(2^{n/2})$ queries in the classic setting. The attack shows that such MACs and AEs are totally insecure. However, this attack is not applicable in the quantum model, since no inclusion of period in the input messages is guaranteed. We also propose other generic universal forgery attacks using collision finding with structural input messages with complexity of $O(2^{n/2})$, by birthday paradox in the classic setting. Since our attacks are based on the collision finding with fixed but unknown differences (or period), such attacks can also be implemented with only $O(n)$ queries using \textit{Simon\u27s} algorithm in the quantum model, which shows that such MACs and AEs are completely broken in the quantum model. Our attacks can be applied to CBC-MAC, XCBC, EMAC, OMAC, CMAC, PC-MAC, MT-MAC, PMAC, PMAC with parity, LightMAC and some of their variants. Moreover, such attacks are also applicable to the authenticated encryptions of the third round of the CAESAR candidates: CLOC, SILC, AEZ, COLM (including COPA and ELmD) and Deoxys

Can Caesar Beat Galois?

The Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR) has as its official goal to “identify a portfolio of authenticated ciphers that offer advantages over [the Galois-Counter Mode with AES]” and are suitable for widespread adoption.” Each of the 15 candidate schemes competing in the currently ongoing 3rd round of CAESAR must clearly declare its security claims, i.e. whether it can tolerate nonce misuse, and what is the maximal data complexity for which security is guaranteed. These claims appear to be valid for all 15 candidates. Interpreting “Robustness” in CAESAR as the ability to mitigate damage when security guarantees are void, we describe attacks with 64-bit complexity or above, and/or with nonce reuse for each of the 15 candidates. We then classify the candidates depending on how powerful does an attacker need to be to mount (semi-)universal forgeries, decryption attacks, or key recoveries. Rather than invalidating the security claims of any of the candidates, our results provide an additional criterion for evaluating the security that candidates deliver, which can be useful for e.g. breaking ties in the final CAESAR discussions

Under Pressure: Security of Caesar Candidates beyond their Guarantees

The Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR) has as its official goal to ``identify a portfolio of authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption.\u27\u27 Each of the 15 candidate schemes competing in the currently ongoing 3rd round of CAESAR must clearly declare its security claims, i.a. whether or not it can tolerate nonce misuse, and what is the maximal data complexity for which security is guaranteed. These claims appear to be valid for all 15 candidates. Interpreting Robustness in CAESAR as the ability to mitigate damage even if security guarantees are void, we describe attacks with birthday complexity or beyond, and/or with nonce reuse for each of the 15 candidates. We then sort the candidates into classes depending on how powerful does an attacker need to be to mount (semi-)universal forgeries, decryption attacks, or key recoveries. Rather than invalidating the security claims of any of the candidates, our results provide an additional criterion for evaluating the security that candidates deliver, which can be useful for e.g. breaking ties in the final CAESAR discussions

Provably Secure Authenticated Encryption

Authenticated Encryption (AE) is a symmetric key cryptographic primitive that ensures confidentiality and authenticity of processed messages at the same time. The research of AE as a primitive in its own right started in 2000. The security goals of AE were captured in formal definitions in the tradition in the tradition of provable security (such as NAE, MRAE, OAE, RAE or the RUP), where the security of a scheme is formally proven assuming the security of an underlying building block. The prevailing syntax moved to nonce-based AE with associated data (which is an additional input that gets authenticated, but not encrypted). Other types of AE schemes appeared as well, e.g. ones that supported stateful sessions. Numerous AE schemes were designed; in the early years, these were almost exclusively blockcipher modes of operation, most notably OCB in 2001, CCM in 2003 and GCM in 2004. At the same time, issues were discovered both with the security and applicability of the most popular AE schemes, and other applications of symmetric key cryptography. As a response, the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) was started in 2013. Its goals were to identify a portfolio of new, secure and reliable AE schemes that would satisfy the needs of practical applications, and also to boost the research in the area of AE. Prompted by CAESAR, 57 new schemes were designed, new types of constructions that gained popularity appeared (such as the Sponge-based AE schemes), and new notions of security were proposed (such as RAE). The final portfolio of the CAESAR competition should be announced in 2018. In this thesis, we push the state of the art in the field of AE in several directions. All of them are related to provable security, in one way, or another. We propose OMD, the first provably secure dedicated AE scheme that is based on a compression function. We further modify OMD to achieve nonce misuse-resistant security (MRAE). We also propose another provably secure variant of OMD called pure OMD, which enjoys a great improvement of performance over OMD. Inspired by the modifications that gave rise to pure OMD, we turn to the popular Sponge-based AE schemes and prove that similar measures can also be applied to the keyed Sponge and keyed Duplex (a variant of the Sponge), allowing a substantial increase of performance without an impact on security. We then address definitional aspects of AE. We critically evaluate the security notion of OAE, whose authors claimed that it provides the best possible security for online schemes under nonce reuse. We challenge these claims, and discuss what are the meaningful requirements for online AE schemes. Based on our findings, we formulate a new definition of online AE security under nonce-reuse, and demonstrate its feasibility. We next turn our attention to the security of nonce-based AE schemes under stretch misuse; i.e. when a scheme is used with varying ciphertext expansion under the same key, even though it should not be. We argue that varying the stretch is plausible, and formulate several notions that capture security in presence of variable stretch. We establish their relations to previous notions, and demonstrate the feasibility of security in this setting. We finally depart from provable security, with the intention to complement it. We compose a survey of universal forgeries, decryption attacks and key recovery attacks on 3rd round CAESAR candidates

Design and Analysis of Cryptographic Algorithms for Authentication

During the previous decades, the upcoming demand for security in the digital world, e.g., the Internet, lead to numerous groundbreaking research topics in the field of cryptography. This thesis focuses on the design and analysis of cryptographic primitives and schemes to be used for authentication of data and communication endpoints, i.e., users. It is structured into three parts, where we present the first freely scalable multi-block-length block-cipher-based compression function (Counter-bDM) in the first part. The presented design is accompanied by a thorough security analysis regarding its preimage and collision security. The second and major part is devoted to password hashing. It is motivated by the large amount of leaked password during the last years and our discovery of side-channel attacks on scrypt – the first modern password scrambler that allowed to parameterize the amount of memory required to compute a password hash. After summarizing which properties we expect from a modern password scrambler, we (1) describe a cache-timing attack on scrypt based on its password-dependent memory-access pattern and (2) outline an additional attack vector – garbage-collector attacks – that exploits optimization which may disregard to overwrite the internally used memory. Based on our observations, we introduce Catena – the first memory-demanding password-scrambling framework that allows a password-independent memory-access pattern for resistance to the aforementioned attacks. Catena was submitted to the Password Hashing Competition (PHC) and, after two years of rigorous analysis, ended up as a finalist gaining special recognition for its agile framework approach and side-channel resistance. We provide six instances of Catena suitable for a variety of applications. We close the second part of this thesis with an overview of modern password scramblers regarding their functional, security, and general properties; supported by a brief analysis of their resistance to garbage-collector attacks. The third part of this thesis is dedicated to the integrity (authenticity of data) of nonce-based authenticated encryption schemes (NAE). We introduce the so-called j-IV-Collision Attack, allowing to obtain an upper bound for an adversary that is provided with a first successful forgery and tries to efficiently compute j additional forgeries for a particular NAE scheme (in short: reforgeability). Additionally, we introduce the corresponding security notion j-INT-CTXT and provide a comparative analysis (regarding j-INT-CTXT security) of the third-round submission to the CAESAR competition and the four classical and widely used NAE schemes CWC, CCM, EAX, and GCM.Die fortschreitende Digitalisierung in den letzten Jahrzehnten hat dazu geführt, dass sich das Forschungsfeld der Kryptographie bedeutsam weiterentwickelt hat. Diese, im Wesentlichen aus drei Teilen bestehende Dissertation, widmet sich dem Design und der Analyse von kryptographischen Primitiven und Modi zur Authentifizierung von Daten und Kommunikationspartnern. Der erste Teil beschäftigt sich dabei mit blockchiffrenbasierten Kompressionsfunktionen, die in ressourcenbeschränkten Anwendungsbereichen eine wichtige Rolle spielen. Im Rahmen dieser Arbeit präsentieren wir die erste frei skalierbare und sichere blockchiffrenbasierte Kompressionsfunktion Counter-bDM und erweitern somit flexibel die erreichbare Sicherheit solcher Konstruktionen. Der zweite Teil und wichtigste Teil dieser Dissertation widmet sich Passwort-Hashing-Verfahren. Zum einen ist dieser motiviert durch die große Anzahl von Angriffen auf Passwortdatenbanken großer Internet-Unternehmen. Zum anderen bot die Password Hashing Competition (PHC) die Möglichkeit, unter Aufmerksamkeit der Expertengemeinschaft die Sicherheit bestehender Verfahren zu hinterfragen, sowie neue sichere Verfahren zu entwerfen. Im Rahmen des zweiten Teils entwarfen wir Anforderungen an moderne Passwort-Hashing-Verfahren und beschreiben drei Arten von Seitenkanal-Angriffen (Cache-Timing-, Weak Garbage-Collector- und Garbage-Collector-Angriffe) auf scrypt – das erste moderne Password-Hashing-Verfahren welches erlaubte, den benötigten Speicheraufwand zur Berechnung eines Passworthashes frei zu wählen. Basierend auf unseren Beobachtungen und Angriffen, stellen wir das erste moderne PasswordHashing-Framework Catena vor, welches für gewählte Instanzen passwortunabhängige Speicherzugriffe und somit Sicherheit gegen oben genannte Angriffe garantiert. Catena erlangte im Rahmen des PHC-Wettbewerbs besondere Anerkennung für seine Agilität und Resistenz gegen SeitenkanalAngriffe. Wir präsentieren sechs Instanzen des Frameworks, welche für eine Vielzahl von Anwendungen geeignet sind. Abgerundet wird der zweite Teil dieser Arbeit mit einem vergleichenden Überblick von modernen Passwort-Hashing-Verfahren hinsichtlich ihrer funktionalen, sicherheitstechnischen und allgemeinen Eigenschaften. Dieser Vergleich wird unterstützt durch eine kurze Analyse bezüglich ihrer Resistenz gegen (Weak) Garbage-Collector-Angriffe. Der dritte teil dieser Arbeit widmet sich der Integrität von Daten, genauer, der Sicherheit sogenannter Nonce-basierten authentisierten Verschlüsselungsverfahren (NAE-Verfahren), welche ebenso wie Passwort-Hashing-Verfahren in der heutigen Sicherheitsinfrastruktur des Internets eine wichtige Rolle spielen. Während Standard-Definitionen keine Sicherheit nach dem Fund einer ersten erfolgreich gefälschten Nachricht betrachten, erweitern wir die Sicherheitsanforderungen dahingehend wie schwer es ist, weitere Fälschungen zu ermitteln. Wir abstrahieren die Funktionsweise von NAEVerfahren in Klassen, analysieren diese systematisch und klassifizieren die Dritt-Runden-Kandidaten des CAESAR-Wettbewerbs, sowie vier weit verbreitete NAE-Verfahren CWC, CCM, EAX und GCM

Design and Analysis of Cryptographic Algorithms for Authentication

During the previous decades, the upcoming demand for security in the digital world, e.g., the Internet, lead to numerous groundbreaking research topics in the field of cryptography. This thesis focuses on the design and analysis of cryptographic primitives and schemes to be used for authentication of data and communication endpoints, i.e., users. It is structured into three parts, where we present the first freely scalable multi-block-length block-cipher-based compression function (Counter-bDM) in the first part. The presented design is accompanied by a thorough security analysis regarding its preimage and collision security. The second and major part is devoted to password hashing. It is motivated by the large amount of leaked password during the last years and our discovery of side-channel attacks on scrypt – the first modern password scrambler that allowed to parameterize the amount of memory required to compute a password hash. After summarizing which properties we expect from a modern password scrambler, we (1) describe a cache-timing attack on scrypt based on its password-dependent memory-access pattern and (2) outline an additional attack vector – garbage-collector attacks – that exploits optimization which may disregard to overwrite the internally used memory. Based on our observations, we introduce Catena – the first memory-demanding password-scrambling framework that allows a password-independent memory-access pattern for resistance to the aforementioned attacks. Catena was submitted to the Password Hashing Competition (PHC) and, after two years of rigorous analysis, ended up as a finalist gaining special recognition for its agile framework approach and side-channel resistance. We provide six instances of Catena suitable for a variety of applications. We close the second part of this thesis with an overview of modern password scramblers regarding their functional, security, and general properties; supported by a brief analysis of their resistance to garbage-collector attacks. The third part of this thesis is dedicated to the integrity (authenticity of data) of nonce-based authenticated encryption schemes (NAE). We introduce the so-called j-IV-Collision Attack, allowing to obtain an upper bound for an adversary that is provided with a first successful forgery and tries to efficiently compute j additional forgeries for a particular NAE scheme (in short: reforgeability). Additionally, we introduce the corresponding security notion j-INT-CTXT and provide a comparative analysis (regarding j-INT-CTXT security) of the third-round submission to the CAESAR competition and the four classical and widely used NAE schemes CWC, CCM, EAX, and GCM.Die fortschreitende Digitalisierung in den letzten Jahrzehnten hat dazu geführt, dass sich das Forschungsfeld der Kryptographie bedeutsam weiterentwickelt hat. Diese, im Wesentlichen aus drei Teilen bestehende Dissertation, widmet sich dem Design und der Analyse von kryptographischen Primitiven und Modi zur Authentifizierung von Daten und Kommunikationspartnern. Der erste Teil beschäftigt sich dabei mit blockchiffrenbasierten Kompressionsfunktionen, die in ressourcenbeschränkten Anwendungsbereichen eine wichtige Rolle spielen. Im Rahmen dieser Arbeit präsentieren wir die erste frei skalierbare und sichere blockchiffrenbasierte Kompressionsfunktion Counter-bDM und erweitern somit flexibel die erreichbare Sicherheit solcher Konstruktionen. Der zweite Teil und wichtigste Teil dieser Dissertation widmet sich Passwort-Hashing-Verfahren. Zum einen ist dieser motiviert durch die große Anzahl von Angriffen auf Passwortdatenbanken großer Internet-Unternehmen. Zum anderen bot die Password Hashing Competition (PHC) die Möglichkeit, unter Aufmerksamkeit der Expertengemeinschaft die Sicherheit bestehender Verfahren zu hinterfragen, sowie neue sichere Verfahren zu entwerfen. Im Rahmen des zweiten Teils entwarfen wir Anforderungen an moderne Passwort-Hashing-Verfahren und beschreiben drei Arten von Seitenkanal-Angriffen (Cache-Timing-, Weak Garbage-Collector- und Garbage-Collector-Angriffe) auf scrypt – das erste moderne Password-Hashing-Verfahren welches erlaubte, den benötigten Speicheraufwand zur Berechnung eines Passworthashes frei zu wählen. Basierend auf unseren Beobachtungen und Angriffen, stellen wir das erste moderne PasswordHashing-Framework Catena vor, welches für gewählte Instanzen passwortunabhängige Speicherzugriffe und somit Sicherheit gegen oben genannte Angriffe garantiert. Catena erlangte im Rahmen des PHC-Wettbewerbs besondere Anerkennung für seine Agilität und Resistenz gegen SeitenkanalAngriffe. Wir präsentieren sechs Instanzen des Frameworks, welche für eine Vielzahl von Anwendungen geeignet sind. Abgerundet wird der zweite Teil dieser Arbeit mit einem vergleichenden Überblick von modernen Passwort-Hashing-Verfahren hinsichtlich ihrer funktionalen, sicherheitstechnischen und allgemeinen Eigenschaften. Dieser Vergleich wird unterstützt durch eine kurze Analyse bezüglich ihrer Resistenz gegen (Weak) Garbage-Collector-Angriffe. Der dritte teil dieser Arbeit widmet sich der Integrität von Daten, genauer, der Sicherheit sogenannter Nonce-basierten authentisierten Verschlüsselungsverfahren (NAE-Verfahren), welche ebenso wie Passwort-Hashing-Verfahren in der heutigen Sicherheitsinfrastruktur des Internets eine wichtige Rolle spielen. Während Standard-Definitionen keine Sicherheit nach dem Fund einer ersten erfolgreich gefälschten Nachricht betrachten, erweitern wir die Sicherheitsanforderungen dahingehend wie schwer es ist, weitere Fälschungen zu ermitteln. Wir abstrahieren die Funktionsweise von NAEVerfahren in Klassen, analysieren diese systematisch und klassifizieren die Dritt-Runden-Kandidaten des CAESAR-Wettbewerbs, sowie vier weit verbreitete NAE-Verfahren CWC, CCM, EAX und GCM