Evolution of Format Preserving Encryption on IoT Devices: FF1+

The Internet of Things (IoT) is a network of interconnected low-power sensing devices designed to interact and communicate with each other. To avoid compromising user privacy, it is necessary to encrypt these channels. We introduce Format Preserving Encryption (FPE), a modern cryptosystem that allows full customization of the ciphertext, while offering comparable security to AES. To gauge the performance of FPE, we compare the NIST-approved FF1 algorithm against several symmetric and asymmetric encryption schemes on a Raspberry Pi 3. While suitable for small plaintexts, FF1 breaks down for longer character strings. We propose a modified algorithm, FF1+, that implements dynamic round selection and key scheduling. Significant performance improvements are observed in our results, thus demonstrating FF1+ as a viable cryptosystem for IoT devices

Symmetric block ciphers with a block length of 32 bit

Subject of the thesis at hand is the analysis of symmetric block ciphers with a block length of 32 bit. It is meant to give a comprising overview over the topic of 32 bit block ciphers. The topic is divided in the examination of three questions. It contains a list of state of the art block ciphers with a block length of 32 bit. The block ciphers are being described, focussing on the encryption function. An SPN-based cipher with 32 bit block length is being proposed by rescaling the AES cipher. The 32 bit block length results in certain security issues. These so called risk factors are analysed and mitigating measures are proposed. The result of the thesis is, that 32 bit block ciphers can be implemented in a secure manner. The use of 32 bit ciphers should be limited to specific use-cases and with a profound risk analysis, to determine the protection class of the data to be encrypted

Secure ADS-B: Towards Airborne Communications Security in the Federal Aviation Administration\u27s Next Generation Air Transportation System

The U.S. Congress has mandated that all aircraft operating within the National Airspace System, military or civilian, be equipped with ADS-B transponders by the year 2020. The ADS-B aircraft tracking system, part of the Federal Aviation Administration\u27s NextGen overhaul of the Air Transportation System, replaces Radar-based surveillance with a more accurate satellite-based surveillance system. However, the unencrypted nature of ADS-B communication poses an operational security risk to military and law enforcement aircraft conducting sensitive missions. The non-standard format of its message and the legacy communication channels used by its transponders make the ADS-B system unsuitable for traditional encryption mechanisms. FPE, a recent development in cryptography, provides the ability to encrypt arbitrarily formatted data without padding or truncation. Indeed, three new algorithms recommended by the NIST, may be suitable for encryption of ADS-B messages. This research assesses the security and hardware performance characteristics of the FF1, FF2, and FF3 algorithms, in terms of entropy of ciphertext, operational latency and resource utilization when implemented on a Field-Programmable Gate Array. While all of the algorithms inherit the security characteristics of the underlying AES block cipher, they exhibit differences in their performance profiles. Findings demonstrate that a Bump-in-the-Wire FPE cryptographic engine is a suitable solution for retrofitting encryption to ADS-B communication

A new method for format preserving encryption in high-data rate communications

In some encryption systems it is necessary to preserve the format and length of the encrypted data. This kind of encryption is called FPE (Format Preserving Encryption). Currently, only two AES (Advanced Encryption Standard) modes of operation recommended by the NIST (National Institute of Standards and Technology) are able to implement FPE algorithms, FF1 and FF3. These modes work in an electronic codebook fashion and can be configured to encrypt databases with an arbitrary format and length. However, there are no stream cipher proposals able to implement FPE encryption for high data rate information flows. The main novelty of this work is a new block cipher operation mode proposal to implement an FPE algorithm in a stream cipher fashion. It has been called CTR-MOD and it is based on a standard block cipher working in CTR (Counter) mode and a modulo operation. The confidentiality of this mode is analyzed in terms of its IND- CPA (Indistinguishability under Chosen Plaintext Attack) advantage of any adversary attacking it. Moreover, the encryption scheme has been implemented on an FPGA (Field Programmable Gate Array) and has been integrated in a Gigabit Ethernet interface to test an encrypted optical link with a real high data rate traffic flow

Attacks Only Get Better: How to Break FF3 on Large Domains

We improve the attack of Durak and Vaudenay (CRYPTO\u2717) on NIST Format-Preserving Encryption standard FF3, reducing the running time from $O(N^5)$ to $O(N^{17/6})$ for domain $Z_N \times Z_N$. Concretely, DV\u27s attack needs about $2^{50}$ operations to recover encrypted 6-digit PINs, whereas ours only spends about $2^{30}$ operations. In realizing this goal, we provide a pedagogical example of how to use distinguishing attacks to speed up slide attacks. In addition, we improve the running time of DV\u27s known-plaintext attack on 4-round Feistel of domain $Z_N \times Z_N$ from $O(N^3)$ time to just $O(N^{5/3})$ time. We also generalize our attacks to a general domain $Z_M \times Z_N$, allowing one to recover encrypted SSNs using about $2^{50}$ operations. Finally, we provide some proof-of-concept implementations to empirically validate our results

Adiantum: length-preserving encryption for entry-level processors

We present HBSH, a simple construction for tweakable length-preserving encryption which supports the fastest options for hashing and stream encryption for processors without AES or other crypto instructions, with a provable quadratic advantage bound. Our composition Adiantum uses NH, Poly1305, XChaCha12, and a single AES invocation. On an ARM Cortex-A7 processor, Adiantum decrypts 4096-byte messages at 10.6 cycles per byte, over five times faster than AES-256-XTS, with a constant-time implementation. We also define HPolyC which is simpler and has excellent key agility at 13.6 cycles per byte

ZCZ - Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

Strong Pseudo-random Permutations (SPRPs) are important for various applications. In general, it is desirable to base an SPRP on a single-keyed primitive for minimizing the implementation costs. For constructions built on classical block ciphers, Nandi showed at ASIACRYPT\u2715 that at least two calls to the primitive per processed message block are required for SPRP security, assuming that all further operations are linear. The ongoing trend of using tweakable block ciphers as primitive has already led to MACs or encryption modes with high security and efficiency properties. Thus, three interesting research questions are hovering in the domain of SPRPs: (1) if and to which extent the bound of two calls per block can be reduced with a tweakable block cipher, (2) how concrete constructions could be realized, and (3) whether full $n$-bit security is achievable from primitives with $n$-bit state size. The present work addresses all three questions. Inspired by Iwata et al.\u27s ZHash proposal at CRYPTO\u2717, we propose the ZCZ (ZHash-Counter-ZHash) construction, a single-key variable-input-length SPRP based on a single tweakable block cipher whose tweak length is at least its state size. ZCZ possesses close to optimal properties with regards to both performance and security: not only does it require only asymptotically $3\ell/2$ calls to the primitive for $\ell$-block messages, but we also show that this figure is close to the minimum by an PRP distinguishing attack on any construction with tweak size of $\tau = n$ bits and fewer than $(3\ell-1)/2$ calls to the same primitive. Moreover, it provides optimal $n$-bit security for a primitive with $n$-bit state and tweak size

Hardware-Assisted Secure Computation

The theory community has worked on Secure Multiparty Computation (SMC) for more than two decades, and has produced many protocols for many settings. One common thread in these works is that the protocols cannot use a Trusted Third Party (TTP), even though this is conceptually the simplest and most general solution. Thus, current protocols involve only the direct players---we call such protocols self-reliant. They often use blinded boolean circuits, which has several sources of overhead, some due to the circuit representation and some due to the blinding. However, secure coprocessors like the IBM 4758 have actual security properties similar to ideal TTPs. They also have little RAM and a slow CPU.We call such devices Tiny TTPs. The availability of real tiny TTPs opens the door for a different approach to SMC problems. One major challenge with this approach is how to execute large programs on large inputs using the small protected memory of a tiny TTP, while preserving the trust properties that an ideal TTP provides. In this thesis we have investigated the use of real TTPs to help with the solution of SMC problems. We start with the use of such TTPs to solve the Private Information Retrieval (PIR) problem, which is one important instance of SMC. Our implementation utilizes a 4758. The rest of the thesis is targeted at general SMC. Our SMC system, Faerieplay, moves some functionality into a tiny TTP, and thus avoids the blinded circuit overhead. Faerieplay consists of a compiler from high-level code to an arithmetic circuit with special gates for efficient indirect array access, and a virtual machine to execute this circuit on a tiny TTP while maintaining the typical SMC trust properties. We report on Faerieplay\u27s security properties, the specification of its components, and our implementation and experiments. These include comparisons with the Fairplay circuit-based two-party system, and an implementation of the Dijkstra graph shortest path algorithm. We also provide an implementation of an oblivious RAM which supports similar tiny TTP-based SMC functionality but using a standard RAM program. Performance comparisons show Faerieplay\u27s circuit approach to be considerably faster, at the expense of a more constrained programming environment when targeting a circuit

Robust Authenticated-Encryption: AEZ and the Problem that it Solves

With a scheme for \textit{robust} authenticated-encryption a user can select an arbitrary value $\lambda \ge 0$ and then encrypt a plaintext of any length into a ciphertext that\u27s $\lambda$ characters longer. The scheme must provide all the privacy and authenticity possible for the requested~$\lambda$. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call \textit{prove-then-prune}: prove security and then instantiate with a \textit{scaled-down} primitive (e.g., reducing rounds for blockcipher calls)

Encriptación sobre Capa Física para Ethernet Óptico de Alta Velocidad

INTRODUCCIÓN-------------------------Hoy en día, los enlaces ópticos con tasas de transmisión de hasta 100 Gbps y superiores son ya una realidad. Gracias a los avances logrados en las comunicaciones ópticas durante las últimas décadas es posible afrontar anchos de banda cada vez mayores, lo que satisface las demandas de las aplicaciones más exigentes [CIS16], como por ejemplo las basadas en cloud computing o big data. Por otro lado, la seguridad en la información sigue siendo un asunto de gran importancia en las comunicaciones ya que el volumen de amenazas en la red se ha incrementado durante los últimos años [CIS18]. Los fallos en la seguridad podrían llevar al mal funcionamiento de un servicio o la pérdida de confidencialidad en datos críticos de los clientes. En un sistema de comunicaciones por capas, como por ejemplo en el modelo OSI (Open System Interconnection) o TCP/IP (Transmission Control Protocol/Internet Protocol), se pueden llevar a cabo tanto ataques pasivos como activos en los diferentes niveles de la comunicación. Dependiendo de las capas de comunicación utilizadas, distintos mecanismos pueden ser adoptados para lograr la seguridad de la información. Por ejemplo, protocolos estandarizados tales como MACsec [IEE06] o IPsec [KEN05] son empleados normalmente en la capa 2 (capa de enlace de datos) y capa 3 (capa de red), respectivamente. En ambos casos la encriptación es llevada a cabo en cada trama o paquete de datos de forma individual. Para el caso particular de las redes ópticas, el análisis de las amenazas en su capa 1 (capa física) también es considerado crítico para garantizar unas comunicaciones seguras [SKO16], [FUR14]. En este caso se pueden destacar tres tipos de ataques: ataques de inserción de señal, ataques por splitting y ataques a las infraestructuras físicas. Los ataques por splitting son normalmente empleados para espionaje pasivo o para producir degradación en la señal [SKO16], estos se pueden llevar a cabo fácilmente gracias a técnicas de derivación en la fibra. De hecho, hoy en día ya existen métodos de bajo coste para interceptar la señal óptica gracias a dispositivos de acoplamiento óptico y conversores electroópticos sin la necesidad de interferir perceptiblemente en las comunicaciones [ZAF11]. Con el fin de tratar estas amenazas y proteger la confidencialidad de los datos en la capa física, varios mecanismos relacionados con tecnologías fotónicas han sido propuestos [FOK11], por ejemplo OCDM (Optical Code Division Multiplexing) [JI17], SCOC (Secure Communications using Optical Chaos) [HIZ10] o QKD (Quantum Key Distribution) [ELK13]. Otras técnicas, también relacionadas con protocolos de capa física, cifran la información a nivel de bit independientemente de la tecnología fotónica empleada, como la encriptación de los datos del payload en las tramas OTN (Optical Transport Network) [GUA16]. Algunas de las ventajas reivindicadas por estas técnicas de encriptación consisten en cifrar la información “al vuelo” introduciendo un overhead nulo en los datos y una latencia muy baja (en el rango de nanosegundos) en la información transmitida [GUA16]. De hecho, hoy en día ya están disponibles en el mercado equipos de comunicaciones OTN que realizan el cifrado a la velocidad de línea sin mermar el throughput, es decir consiguiendo un rendimiento de la transmisión del 100% [MIC16]. Esto contrasta con lo que hacen ciertos protocolos en otras capas de comunicación [KOL13], [XEN06]. Por ejemplo, IPsec generalmente introduce latencias en el rango de milisegundos. Además, el overhead introducido por IPsec durante el cifrado limita el rendimiento de transmisión a valores entre el 20% y el 90% de la máxima tasa de datos posible sin encriptación [TRO05], [KOL13]. Aparte de lograr la confidencialidad, alguno de los métodos mencionados anteriormente también es capaz de conseguir privacidad contra intrusos pasivos [FOK11], entendiendo esta como la amenaza cuando dichos intrusos pueden detectar simplemente la presencia de comunicaciones, aunque sean incapaces de descifrar el contenido de la información de las mismas. Esta habilidad puede ofrecer seguridad contra ataques basados en el análisis de los patrones del tráfico, que permitirían revelar información del comportamiento de una compañía o instalación. Dentro de los estándares de comunicaciones ópticas, Ethernet es uno de los más empleados hoy día. Un claro ejemplo es el acceso a las redes de transporte ópticas donde este estándar es utilizado normalmente cuando las tasas de acceso superan el gigabit por segundo. Tal y como se muestra en la Fig.1-1, algunas tecnologías de acceso en los tramos de última milla de las CEN (Carrier Ethernet Networks) son Ethernet sobre fibra (Fibra Directa con Ethernet, Ethernet sobre SONET/SDH, Ethernet sobre PON), Ethernet sobre PDH o Ethernet inalámbrico [MET09]. Dos de los estándares ópticos Ethernet más empleados hoy en día son los denominados 1000Base-X y 10GBase-R con tasas de transmisión de 1 Gbps y 10 Gbps, respectivamente.OBJETIVOS-------------------En el caso de las comunicaciones sobre Ethernet óptico no existe ningún mecanismo que logre la mencionada privacidad al mismo tiempo que la confidencialidad, sin que además introduzca un overhead o latencias indeseadas. El objetivo de esta tesis es el de proporcionar soluciones a dos de los estándares ópticos Ethernet más empleados, tales como 1000Base-X o 10GBase-R, logrando las características citadas anteriormente. En general los principales aspectos que se pretenden desarrollar en esta tesis son los siguientes: • Realizar propuestas viables de modificación de ambos estándares, 1000Base-X y 10GBase-R, de forma que se pueda llevar a cabo la encriptación en la capa física. • Lograr la compatibilidad de las nuevas arquitecturas de encriptación con dichos estándares de forma que el hardware electrónico más dependiente del medio de transmisión, como los módulos ópticos SFP, los SERDES o los circuitos de recuperación de reloj y datos, no necesite modificaciones adicionales. • Realizar un estudio de los posibles esquemas de encriptación por streaming que sean capaces de cifrar datos a velocidades superiores a 1 Gbps y adaptarlos a las arquitecturas propuestas. • Estudiar posibles mecanismos para llevar a cabo la sincronización de los módulos de encriptación entre dos terminales remotos.• Lograr que las soluciones propuestas lleven a cabo la encriptación introduciendo la menor latencia posible, al menos en un orden de magnitud igual o inferior al de soluciones en otros estándares de comunicaciones como OTN. • Llevar a cabo un análisis de la seguridad de las soluciones propuestas, incluyendo el estudio de la capacidad de privacidad en las comunicaciones. • Proponer un esquema de chequeo de integridad, autenticación y refresco de claves a nivel de capa física. • Llevar a cabo la implementación y verificación física de las soluciones propuestas.PUBLICACIONES----------------------------[PER19a] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Chaotic Encryption Applied to Optical Ethernet in Industrial Control Systems". IEEE Transactions on Instrumentation and Measurement, 68(12):4876–4886, Dec 2019. [PER19b] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Physical Layer Encryption for Industrial Ethernet in Gigabit Optical Links". IEEE Transactions on Industrial Electronics, 66(4):3287–3295, April 2019. [PER19c] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Chaotic Encryption for 10-Gb Ethernet Optical Links". IEEE Transactions on Circuits and Systems I: Regular Papers, 66(2):859–868, Feb. 2019. [PER19d] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Self-Synchronized Encryption for Physical Layer in 10Gbps Optical Links". IEEE Transactions on Computers, 68(6):899–911, June 2019. [PER19e] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Self-Synchronized Encryption Using an FPE Block Cipher for Gigabit Ethernet". In 2019 15th Conference on Ph.D Research in Microelectronics and Electronics (PRIME), pages 81–84, Lausanne, Switzerland, July 2019. [PER20a] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "A New Method for Format Preserving Encryption in High-Data Rate Communications". IEEE Access, 8:21003–21016, 2020. [PER20b] A. Pérez-Resa, M. Garcia-Bosque, C. Sánchez-Azqueta, and S. Celma. "Self-synchronized Encryption for Physical Layer in 1Gbps Ethernet Optical Links". IEEE Access, Pending Acceptance.<br /