SimpleENC and SimpleENCsmall -- an Authenticated Encryption Mode for the Lightweight Setting

Block cipher modes of operation provide a way to securely encrypt using a block cipher, and different modes of operation achieve different tradeoffs of security, performance and simplicity. In this paper, we present a new authenticated encryption scheme that is designed for the lightweight cryptography setting, but can be used in standard settings as well. Our mode of encryption is extremely simple, requiring only a single block cipher primitive (in forward direction) and minimal padding, and supports streaming (online encryption). In addition, our mode achieves very strong security bounds, and can even provide good security when the block size is just 64 bits. As such, it is highly suitable for lightweight settings, where the lifetime of the key and/or overall amount encrypted may be high. Our new scheme can be seen as an improved version of CCM that supports streaming, and provides much better bounds

GLEVIAN and VIGORNIAN: Robust beyond-birthday AEAD modes

The National Cyber Security Centre (NCSC) is the government organisation responsible for mitigating cyber security risks to the UK. Our work securing UK public- and private-sector networks involves (amongst many other security measures) research into cryptographic design, primarily to protect data requiring long-term security or data for which we have a particularly low tolerance of risk to its transmission and storage. Our algorithms prioritise robustness over other important considerations, such as performance, more highly than other designs. We present GLEVIAN and VIGORNIAN: two AEAD modes with proofs of beyond-birthday security, security against nonce misuse, and against the release of unverified plaintext – both of the latter in strong notions of these security properties. We discuss our hierarchy of requirements for AEAD modes, and the rationale for the design choices made. GLEVIAN and VIGORNIAN demonstrate we can achieve significantly improved robustness over GCM for use cases where some performance degradation is acceptable. We are not aware of other designs offering exactly the security properties of GLEVIAN and VIGORNIAN, and are publishing our designs to support the research that will inform the recently announced effort by NIST to standardise new modes of operation. We believe our work could be of interest to those with use cases similar to ours, and we offer suggestions for future research that might build on the work in this paper

Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation

Abstract. BLINKER is a light-weight cryptographic suite and record protocol built from a single permutation. Its design is based on the Sponge construction used by the SHA-3 algorithm KECCAK. We examine the SpongeWrap authen-ticated encryption mode and expand its padding mechanism to offer explicit do-main separation and enhanced security for our specific requirements: shared se-cret half-duplex keying, encryption, and a MAC-and-continue mode. We motivate these enhancements by showing that unlike legacy protocols, the resulting record protocol is secure against a two-channel synchronization attack while also having a significantly smaller implementation footprint. The design facilitates security proofs directly from a single cryptographic primitive (a single security assump-tion) rather than via idealization of multitude of algorithms, paddings and modes of operation. The protocol is also uniquely suitable for an autonomous or semi-autonomous hardware implementation of protocols where the secrets never leave the module, making it attractive for smart card and HSM designs

AES-GCM-SIV: Specification and Analysis

In this paper, we describe and analyze the security of the AES-GCM-SIV mode of operation, as defined in the CFRG specification \cite{CFRG}. This mode differs from the original GCM-SIV mode that was designed in \cite{GL2015} in two main aspects. First, the CTR encryption uses a 127-bit pseudo-random counter instead of a 95-bit pseudo-random value concatenated with a 32-bit counter. This construction leads to improved security bounds when encrypting short messages. In addition, a new key derivation function is used for deriving a fresh set of keys for each nonce. This addition allows for encrypting up to $2^{50}$ messages with the same key, compared to the significant limitation of only $2^{32}$ messages that were allowed with GCM-SIV (which inherited this same limit from AES-GCM). As a result, the new construction is well suited for real world applications that need a nonce-misuse resistant Authenticated Encryption scheme. We explain the limitations of GCM-SIV, which motivate the new construction, prove the security properties of AES-GCM-SIV, and show how these properties support real usages. Implementations are publicly available in \cite{ShayGit}. We remark that AES-GCM-SIV is already integrated into Google\u27s BoringSSL library \cite{BoringSSL}, and its deployment for ticket encryption in QUIC \cite{QUIC} is underway

Duel of the Titans: The Romulus and Remus Families of Lightweight AEAD Algorithms

In this article, we propose two new families of very lightweight and efficient authenticated encryption with associated data (AEAD) modes, Romulus and Remus, that provide security beyond the birthday bound with respect to the block-length $n$. The former uses a tweakable block cipher (TBC) as internal primitive and can be proven secure in the standard model. The later uses a block cipher (BC) as internal primitive and can be proven secure in the ideal cipher model. Both our modes allow to switch very easily from nonce-respecting to nonce-misuse scenario. Previous constructions, such as ThetaCB, are quite computationally efficient, yet needing a large memory for implementation, which makes them unsuitable for platforms where lightweight cryptography should play a key role. Romulus and Remus break this barrier by introducing a new architecture evolved from a BC mode COFB. They achieve the best of what can be possible with TBC -- the optimal computational efficiency (rate-1 operation) and the minimum state size of a TBC mode (i.e., $(n+t)$-bit for $n$-bit block, $t$-bit tweak TBC), with almost equivalent provable security as ThetaCB. Actually, our comparisons show that both our designs present superior performances when compared to all other recent lightweight AEAD modes, being BC-based, TBC-based or sponge-based, in the nonce-respecting or nonce-misuse scenario. We eventually describe how to instantiate Romulus and Remus modes using the Skinny lightweight tweakable block cipher proposed at CRYPTO 2016, including the hardware implementation results

TEDT, a Leakage-Resilient AEAD mode for High (Physical) Security Applications

We propose TEDT, a new Authenticated Encryption with Associated Data (AEAD) mode leveraging Tweakable Block Ciphers (TBCs). TEDT provides the following features: (i) It offers asymptotically optimal security in the multi-user setting. (ii) It offers nonce misuse-resilience, that is, the repetition of nonces does not impact the security of ciphertexts produced with fresh nonces. (iii) It offers KDM security in the multi-user setting, that is, its security is maintained even if key-dependent messages are encrypted. (iv) It offers full leakage-resilience, that is, it limits the exploitability of physical leakages via side-channel attacks, even if these leakages happen during every message encryption and decryption operation. (v) It can be implemented with a remarkably low energy cost when strong resistance to side-channel attacks is needed, supports online encryption and handles static & incremental associated data efficiently. Concretely, TEDT encourages leveled implementations, in which two TBCs are implemented: one needs strong and energy demanding protections against side-channel attacks but is used in a limited way, while the other only requires weak and energy efficient protections and performs the bulk of the computation. As a result, TEDT leads to considerably more energy efficient implementations compared to traditional AEAD schemes, whose side-channel security requires to uniformly protect every (T)BC execution

Efficient Implementation of IEEE 802.11i Wi-Fi Security (WPA2-PSK) Standard Using FPGA

The rationale behind the thesis was to design efficient implementations of cryptography algorithms used for Wi-Fi Security as per IEEE 802.11i Wi-Fi Security (WPA2-PSK) standard. The focus was on software implementation of Password-Based Key Derivation Function 2 (PBKDF2) using Keyed-Hash Message Authentication Code (HMAC)-SHA1, which is used for authentication, and, hardware implementation of AES-256 cipher, which is used for data confidentiality. In this thesis, PBKDF2 based on HMAC-SHA1 was implemented on software using C programming language, and, AES-256 was implemented on hardware using Verilog HDL. The overall implementation was designed and tested on Nexys4 FPGA board. The performance of the implementation was compared with other existing designs. Latency (us) was used as the performance metric for PBKDF2, whereas, throughput (Gb/s), resource utilization (Number of Slices), efficiency (Kb/s per slice) and latency (ns) were used as performance metrics for AES-256. MRF24WG0MA PMOD Wi-Fi module was the 2.4 GHz Wi-Fi module which was interfaced with Nexys4 FPGA board for wireless communication. When the correct security credentials were entered in the implemented system interfaced to the Wi-Fi module, it was successfully authenticated by a 2.4 GHz wireless router (or mobile hotspot) configured to work in WPA2-PSK security mode. Once this system was authenticated, the implemented AES-256 cipher within the system was used to provide a layer of encryption over the data being communicated in the network

On the Post-Quantum Security of Classical Authenticated Encryption Schemes

We study the post-quantum security of authenticated encryption (AE) schemes, designed with classical security in mind. Under superposition attacks, many CBC-MAC variants have been broken, and AE modes employing those variants, such as EAX and GCM, thus fail at authenticity. As we show, the same modes are IND-qCPA insecure, i.e., they fail to provide privacy under superposition attacks. However, a constrained version of GCM is IND-qCPA secure, and a nonce-based variant of the CBC-MAC is secure under superposition queries. Further, the combination of classical authenticity and classical chosen-plaintext privacy thwarts attacks with superposition chosen-ciphertext and classical chosen-plaintext queries -a security notion that we refer to as IND-qdCCA. And nonce-based key derivation allows generically turning an IND-qdCCA secure scheme into an IND-qCCA secure scheme

Analysis and Design of Authentication and Encryption Algorithms for Secure Cloud Systems

Along with the fast growth of networks and mobile devices, cloud computing has become one of the most attractive and effective technologies and business solutions nowadays. Increasing numbers of organizations and customers are migrating their businesses and data to the cloud due to the flexibility and cost-efficiency of cloud systems. Preventing unauthorized access of sensitive data in the cloud has been one of the biggest challenges when designing a secure cloud system, and it strongly relies on the chosen authentication and encryption algorithms for providing authenticity and confidentiality, respectively. This thesis investigates various aspects of authentication and encryption algorithms for securing cloud systems, including authenticated encryption modes of operation, block ciphers, password hashing algorithms, and password-less/two-factor authentication mechanisms. Improving Authenticated Encryption Modes. The Galois/Counter Mode (GCM) is an authenticated encryption mode of operation for block ciphers. It has been widely adopted by many network standards and protocols that protect the security of cloud communications, such as TLS v1.2, IEEE 802.1AE and IPsec. Iwata et al. recently found a flaw in GCM's original proofs for non-96-bit nonce cases, and then presented new security bounds for GCM. The new bounds imply that the success probabilities of adversaries for attacking GCM are much larger than the originally expected ones. We propose a simple change to repair GCM. When applied, it will improve the security bounds by a factor of about $2^{20}$ while maintaining most of the original proofs. Analyzing Polynomial-Based Message Authentication Codes. We investigate attacks on polynomial-based message authentication code (MAC) schemes including the one adopted in GCM. We demonstrate that constructing successful forgeries of these MAC schemes does not necessarily require hash collisions. This discovery removes certain restrictions in the attacks previously proposed by Procter and Cid. Moreover, utilizing a special design of GCM for processing non-96-bit nonces, we turn these forgery attacks into birthday attacks, which will significantly increase their success probabilities. Therefore, by considering the birthday attacks and the security proof flaw found by Iwata et al., cloud system designers should avoid using GCM with non-96-bit nonces if they do not revise the design of GCM. Analyzing Block Ciphers. We propose a new framework for analyzing symmetric-key ciphers by guessing intermediate states to divide ciphers into small components. This framework is suitable for lightweight ciphers with simple key schedules and block sizes smaller than key lengths. Using this framework, we design new attacks on the block cipher family KATAN. These attacks can recover the master keys of 175-round KATAN32, 130-round KATAN48 and 112-round KATAN64 faster than exhaustive search, and thus reach many more rounds than the existing attacks. We also provide new attacks on 115-round KATAN32 and 100-round KATAN48 in order to demonstrate that this new kind of attack can be more time-efficient and memory-efficient than the existing ones. Designing Password Hashing Algorithms. Securely storing passwords and deriving cryptographic keys from passwords are also crucial for most secure cloud system designs. However, choices of well-studied password hashing algorithms are extremely limited, as their security requirements and design principles are different from common cryptographic primitives. We propose two practical password hashing algorithms, Pleco and Plectron. They are built upon well-understood cryptographic algorithms, and combine the advantages of symmetric-key and asymmetric-key primitives. By employing the Rabin cryptosystem, we prove that the one-wayness of Pleco is at least as strong as the hard problem of integer factorization. In addition, both password hashing algorithms are designed to be sequential memory-hard, in order to thwart large-scale password searching using parallel hardware, such as GPUs, FPGAs, and ASICs. Designing Password-less/Two-Factor Authentication Mechanisms. Motivated by a number of recent industry initiatives, we propose Loxin, an innovative solution for password-less authentication for cloud systems and web applications. Loxin aims to improve on passwords with respect to both usability and security. It utilizes push message services for mobile devices to initiate authentication transactions based on asymmetric-key cryptography, and enables users to access multiple services by using pre-owned identities, such as email addresses. In particular, the Loxin server cannot generate users' authentication credentials, thereby eliminating the potential risk of credential leakage if the Loxin server gets compromised. Furthermore, Loxin is fully compatible with existing password-based authentication systems, and thus can serve as a two-factor authentication mechanism

Authenticated Encryption for Very Short Inputs

We study authenticated encryption (AE) modes dedicated to very short messages, which are crucial for Internet-of-things applications. Since the existing general-purpose AE modes need at least three block cipher calls for non-empty messages, we explore the design space for AE modes that use at most two calls. We proposed a family of AE modes, dubbed Manx, that work when the total input length is less than $2n$ bits, using an $n$-bit block cipher. Notably, the second construction of Manx can encrypt almost n-bit plaintext and saves one or two block cipher calls from the standard modes, such as GCM or OCB, keeping the comparable provable security. We also present benchmarks on popular 8/32-bit microprocessors using AES. Our results show the clear advantage of Manx over the previous modes for such short messages