Improved Authenticity Bound of EAX, and Refinements
EAX is a mode of operation for blockciphers that implements authenticated encryption. The original EAX paper proved that EAX is unforgeable up to data with one verification query. However, this generally guarantees only a rather weak bound for unforgeability under multiple verification queries, i.e., only data is acceptable.
This paper improves on the previous security proof by showing that EAX is unforgeable up to data with multiple verification queries. Our security proof is based on the techniques that appeared in a paper by Minematsu et al. at FSE 2013, which studied the security of a variant of EAX called EAX-prime.
We also provide some ideas for reducing the complexity of EAX while keeping our new security bound. In particular, EAX needs three blockcipher calls as pre-processing and keeps their results in memory; our proposals can effectively reduce these three calls to one. This would be useful when computational power and memory are constrained.
On Modes of Operations of a Block Cipher for Authentication and Authenticated Encryption
This work deals with the various requirements of encryption and authentication in cryptographic applications. The approach is to construct suitable modes of operation of a block cipher to achieve the relevant goals. A variety of schemes suitable for specific applications are presented. While none of the schemes are built completely from scratch, there is a common unifying framework which connects them. All the schemes described have been implemented and the implementation details are publicly available. Performance figures are presented when the block cipher is the AES and the Intel AES-NI instructions are used. These figures suggest that the constructions presented here compare well with previous works such as the famous OCB mode of operation. In terms of features, the constructions provide several new offerings which are not present in earlier works. This work significantly widens the range of choices available to an actual designer of a cryptographic system.
Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality
We present practical attacks on OCB2. This mode of operation of a blockcipher was designed with the aim of providing particularly efficient and provably-secure authenticated encryption services, and since its proposal about 15 years ago it has been among the top performers in this realm. OCB2 was included in an ISO standard in 2009.
An internal building block of OCB2 is the tweakable blockcipher obtained by operating a regular blockcipher in XEX mode. The latter provides security only when evaluated in accordance with certain technical restrictions that, as we note, are not always respected by OCB2. This leads to devastating attacks against OCB2's security promises: we develop a range of very practical attacks that, amongst others, demonstrate universal forgeries and full plaintext recovery. We complete our report with proposals for (provably) repairing OCB2. To our understanding, as a direct consequence of our findings, OCB2 is currently in the process of removal from ISO standards. Our attacks do not apply to OCB1 and OCB3, and our privacy attacks on OCB2 require an active adversary.
Parallelizable Rate-1 Authenticated Encryption from Pseudorandom Functions
This paper proposes a new scheme for authenticated encryption (AE), which is typically realized as a blockcipher mode of operation. The proposed scheme has attractive features for fast and compact operation. When it is realized with a blockcipher, it requires one blockcipher call to process one input block (i.e. rate-1), and uses the encryption function of the blockcipher for both encryption and decryption. Moreover, the scheme enables one-pass, parallel operation under a two-block partition. The proposed scheme thus attains characteristics similar to the seminal OCB mode, without using the inverse blockcipher. The key idea of our proposal is a novel usage of a two-round Feistel permutation, where the round functions are derived from the theory of tweakable blockciphers. We also provide basic software results, and describe some ideas on using a non-invertible primitive, such as a keyed hash function.
Authenticated Encryption with Small Stretch (or, How to Accelerate AERO)
The standard form of authenticated encryption (AE) requires the ciphertext to be expanded by the nonce and the authentication tag. These expansions can be problematic when messages are relatively short and communication cost is high. To overcome the problem we propose a new form of AE scheme, MiniAE, which expands the ciphertext only by a single variable integrating nonce and tag. An important feature of MiniAE is that it requires the receiver to be stateful, not only for detecting replays but also for detecting forgeries of any type. McGrew and Foley already proposed a scheme having this feature, called AERO; however, it has no formal security guarantee based on the provable security framework. We provide a provable security analysis for MiniAE, and show several provably-secure schemes using standard symmetric crypto primitives. This covers a generalization of AERO, hence our results imply provable security of AERO. Moreover, one of our schemes has a structure similar to the OCB mode of operation and enables rate-1 operation, i.e. only one blockcipher call to process one input block. This implies that the computation cost of MiniAE can be as small as that of encryption-only schemes.
Duplexing the sponge: single-pass authenticated encryption and other applications
This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and, at no extra cost, provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against single-stage generic attacks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as reseedable pseudo-random bit sequence generators and a sponge variant that overwrites part of the state with the input block rather than XORing it in.
Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
This paper considers the construction and analysis of pseudo-random functions (PRFs) with specific reference to modes of operation of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a "small" domain to build a PRF with a "large" domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design-stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression-function-based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring fewer calls to the compression function.
The second part of the paper takes a new look at the construction and analysis of modes of operation for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication security. Previous work by Liskov, Rivest and Wagner and later Rogaway had suggested that this analysis is simplified by using a primitive called a tweakable block cipher (TBC). In contrast, we take a direct approach. We prove a general result which shows that the authentication security of an AE scheme can be proved from the privacy of the scheme and by showing a certain associated function to be a PRF. Two new AE schemes, PAE and PAE-1, are described and analysed using this approach. In particular, it is shown that the authentication security of PAE follows easily from the security of iPMAC. As a result, no separate extensive analysis of the authentication security of PAE is required.
An AEAD scheme can be obtained by combining an AE scheme and an authentication scheme, and it has been suggested earlier that a TBC-based approach simplifies the analysis. Again, in contrast to the TBC-based approach, we take a direct approach based on a simple masking strategy. Our idea uses double encryption of a fixed string and achieves the same effect of mask separation as in the TBC-based approach. Using this idea, two new AEAD schemes, PAEAD and PAEAD-1, are described. An important application of AEAD schemes is in the encryption of IP packets. The new schemes offer certain advantages over previously well-known schemes such as the offset codebook (OCB) mode. These improvements include providing a wider variety of easily reconfigurable families of schemes, a small speed-up, a smaller-size decryption algorithm for hardware implementation and uniform processing of only full-block messages.
Analysis and Design of Symmetric Cryptographic Algorithms
This doctoral thesis is dedicated to the analysis and the design of symmetric cryptographic algorithms.
In the first part of the dissertation, we deal with fault-based attacks on cryptographic circuits, which belong to the field of active implementation attacks and aim to retrieve secret keys stored on such chips. Our main focus lies on the cryptanalytic aspects of those attacks. In particular, we target block ciphers with a lightweight and (often) non-bijective key schedule where the derived subkeys are (almost) independent of each other. An attacker who is able to reconstruct one of the subkeys is thus not necessarily able to directly retrieve other subkeys or even the secret master key by simply reversing the key schedule. We introduce a framework based on differential fault analysis that allows attacking block ciphers which use an arbitrary number of independent subkeys and which rely on a substitution-permutation network. These methods are then applied to the lightweight block ciphers LED and PRINCE, and we show in both cases how to recover the secret master key requiring only a small number of fault injections. Moreover, we investigate approaches that utilize algebraic instead of differential techniques for the fault analysis and discuss their advantages and drawbacks. At the end of the first part of the dissertation, we explore fault-based attacks on the block cipher Bel-T, which also has a lightweight key schedule but is not based on a substitution-permutation network but instead on the so-called Lai-Massey scheme. The framework mentioned above is thus not usable against Bel-T. Nevertheless, we also present techniques for the case of Bel-T that enable full recovery of the secret key in a very efficient way using differential fault analysis.
In the second part of the thesis, we focus on authenticated encryption schemes. While regular ciphers only protect the privacy of processed data, authenticated encryption schemes also secure its authenticity and integrity. Many of these ciphers are additionally able to protect the authenticity and integrity of so-called associated data. This type of data is transmitted unencrypted but nevertheless must be protected from being tampered with during transmission. Authenticated encryption is nowadays the standard technique to protect in-transit data. However, most of the currently deployed schemes have deficits and there are many leverage points for improvements. With NORX we introduce a novel authenticated encryption scheme supporting associated data. This algorithm was designed with high security, efficiency in both hardware and software, simplicity, and robustness against side-channel attacks in mind. Next to its specification, we present special features, security goals, implementation details and extensive performance measurements, and discuss advantages over currently deployed standards. Finally, we describe our preliminary security analysis, where we investigate differential and rotational properties of NORX. Noteworthy in particular are the newly developed techniques for differential cryptanalysis of NORX, which exploit the power of SAT and SMT solvers and have the potential to be easily adaptable to other encryption schemes as well.
Bypassing Modern CPU Protections With Function-Oriented Programming
Over the years, code reuse attacks such as return-oriented programming (ROP) and jump-oriented programming (JOP) have been a primary means of gaining execution on a system via buffer overflow, memory corruption, and control-flow hijacking vulnerabilities. However, new CPU-level protections have introduced a variety of hurdles. ARM has designed the "Pointer Authentication" and "Branch Target Identification" mechanisms to handle the authentication of memory addresses and pointers, and Intel has followed with its Shadow Stack and Indirect Branch Tracking mechanisms, otherwise known as Control-Flow Enforcement Technology. As intended, these protections make it nearly impossible to utilize regular code reuse methods such as ROP and JOP.
The inclusion of these new protections has left gaps in the system's security where the use of function-based code reuse attacks is still possible. This research demonstrates a novel approach to utilizing Function-Oriented Programming (FOP) as a technique applicable in such environments. The design and creation of the "FOP Mythoclast" tool to identify FOP gadgets within Intel and ARM environments demonstrates not only a proof of concept (PoC) for FOP, but further cements its ability to thrive in diverse constrained environments. Additionally, the demonstration of FOP within the Linux kernel showcases the ability of FOP to excel in complex and real-world situations. This research concludes with potential solutions for mitigating FOP without adversely affecting system performance.
Ongoing Research Areas in Symmetric Cryptography
This report is a deliverable for the ECRYPT European network of excellence in cryptology. It gives a brief summary of some of the research trends in symmetric cryptography at the time of writing. The following aspects of symmetric cryptography are investigated in this report:
• the status of work with regard to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1);
• the recently proposed algebraic attacks on symmetric primitives (Section 2);
• the design criteria for symmetric ciphers (Section 3);
• the provable properties of symmetric primitives (Section 4);
• the major industrial needs in the area of symmetric cryptography (Section 5).