60 research outputs found
RMAC -- A Lightweight Authentication Protocol for Highly Constrained IoT Devices
Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These devices mainly comprise RFID (Radio-Frequency IDentification) or WSN (Wireless Sensor Network) components. Their adoption is growing in areas where data security, privacy, or both must be guaranteed. Therefore, it is necessary to develop appropriate security solutions for these systems. Many papers have proposed solutions for encryption or authentication, but it turns out that sometimes the proposal has a security flaw or is ill-suited for constrained IoT devices (which have very limited processing and storage capacities). In this paper we introduce a new authentication protocol inspired by Mirror-Mac (MM), a generic construction of authentication protocols proposed by Mol et al. Our proposal, named RMAC, is well suited for highly constrained IoT devices since its implementation uses simple and lightweight algorithms. We also prove that RMAC is at least as secure as the MM protocol and thus secure against man-in-the-middle attacks.
Generic Attack on Iterated Tweakable FX Constructions
Tweakable block ciphers are increasingly becoming a common primitive to build new resilient modes as well as a concept for multiple dedicated designs. While regular block ciphers define a family of permutations indexed by a secret key, tweakable ones define a family of permutations indexed by both a secret key and a public tweak. In this work we formalize and study a generic framework for building such a tweakable block cipher based on regular block ciphers, the iterated tweakable FX construction, which includes many such previous constructions of tweakable block ciphers. Then we describe a cryptanalysis from which we can derive a provable security upper-bound for all constructions following this tweakable iterated FX strategy. Concretely, the cryptanalysis of r rounds of our generic construction based on n-bit block ciphers with κ-bit keys requires O(2^{(r/(r+1))(n+κ)}) online and offline queries. For r = 2 rounds this interestingly matches the proof of the particular case of XHX2 by Lee and Lee (ASIACRYPT 2018), thus proving for the first time its tightness. In turn, the XHX and XHX2 proofs show that our generic cryptanalysis is information-theoretically optimal for 1 and 2 rounds.
Tight Security Bounds for Triple Encryption
In this paper, we revisit the old problem asking the exact provable security of triple encryption in the ideal cipher model. For a blockcipher with key length k and block size n, triple encryption is known to be secure up to 2^{k+min{k/2,n/2}} queries, while the best attack requires 2^{k+min{k,n/2}} query complexity. So there is a gap between the upper and lower bounds for the security of triple encryption. We close this gap by proving the security up to 2^{k+min{k,n/2}} query complexity. With the DES parameters, triple encryption is secure up to 2^{82.5} queries, greater than the current bound of 2^{78.3} and comparable to 2^{83.5} for 2-XOR-cascade.
We also analyze the security of two-key triple encryption, where the first and the third keys are identical. We prove that two-key triple encryption is secure up to 2^{k+min{k,n/2}} queries to the underlying blockcipher and 2^{min{k,n/2}} queries to the outer permutation. For the DES parameters, this result is interpreted as the security of two-key triple encryption up to 2^{32} plaintext-ciphertext pairs and 2^{81.7} blockcipher encryptions.
Tight security bounds for multiple encryption
Multiple encryption---the practice of composing a blockcipher several times with itself under independent keys---has received considerable attention of late from the standpoint of provable security. Despite these efforts, proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving both the best known attacks and the best known provable security, so that both bounds match. Our results apply for an arbitrary number of rounds and show that the security of -round multiple encryption is precisely where and where is the even integer closest to and greater than or equal to , for all . Our technique is based on Patarin's H-coefficient method and reuses a combinatorial result of Chen and Steinberger originally required in the context of key-alternating ciphers.
The Multi-User Security of Double Encryption
It is widely known that double encryption does not substantially increase the security of a block cipher. Indeed, the classical meet-in-the-middle attack recovers the -bit secret key at the cost of roughly off-line enciphering operations, in addition to very few known plaintext-ciphertext pairs. Thus, it is essentially as efficient as for the underlying cipher with a -bit key.
This paper revisits double encryption under the lens of multi-user security. We prove that its security degrades only very mildly with an increasing number of users, as opposed to single encryption, where security drops linearly. More concretely, we give a tight bound for the multi-user security of double encryption as a pseudorandom permutation in the ideal-cipher model, and describe matching attacks.
Our contribution is also conceptual: to prove our result, we enhance and generalize the generic technique recently proposed by Hoang and Tessaro for lifting single-user to multi-user security. We believe this technique to be broadly applicable.
New Key Recovery Attacks on Minimal Two-Round Even-Mansour Ciphers
Chen et al. proved that two variants of the two-round n-bit Even-Mansour ciphers are secure up to 2^{2n/3} queries against distinguishing attacks. These constructions can be regarded as minimal two-round Even-Mansour ciphers delivering security beyond the birthday bound, since removing any component from the ciphers causes security to drop back to 2^{n/2} queries. On the other hand, for the minimal two-round constructions, the proved lower bound on the product of data and time complexities (DT) against the other attacks, including key recovery attacks, is 2^n. However, an attack requiring DT close to the lower bound has not been known yet, and thus its tightness is not clear. In this paper, we propose new key recovery attacks on the two minimal two-round Even-Mansour ciphers by using the advanced meet-in-the-middle technique. In particular, we introduce novel matching techniques called partial invariable pair and matching with input-restricted public permutation, which enable us to compute one of the permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces data complexity and the other reduces time complexity by dynamically finding partial invariant pairs. Compared with the previously known attacks, when the block size is 64 bits, our attacks drastically reduce the required data from 2^{45} to 2^{26} while keeping the time complexity required by the previous attacks, though our attack requires chosen plaintexts. Importantly, the previous attacks never break the birthday barrier of data complexity due to the usage of multicollisions in the internal state. Furthermore, by increasing time complexity up to 2^{62}, the required data is further reduced to 2^8, and DT = 2^{70}, which is close to the proved lower bound 2^{64}. We show that our data-optimized attack on the minimal two-round Even-Mansour ciphers requires DT = 2^{n+6} in general cases. This implies that adding one round does not sufficiently improve the security of the Even-Mansour ciphers against key recovery attacks.
Minimizing the Two-Round Even-Mansour Cipher
The -round (iterated) \emph{Even-Mansour cipher} (also known as \emph{key-alternating cipher}) defines a block cipher from fixed public -bit permutations as follows: given a sequence of -bit round keys , an -bit plaintext is encrypted by xoring round key , applying permutation , xoring round key , etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutations are public random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EUROCRYPT~2014), who proved that the -round Even-Mansour cipher is indistinguishable from a truly random permutation up to queries of any adaptive adversary (which is an optimal security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption that \emph{the round keys and the permutations are independent}. In particular, for two rounds, the current state of knowledge is that the block cipher is provably secure up to queries of the adversary, when , , and are three independent -bit keys, and and are two independent random -bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even-Mansour cipher \emph{from just one -bit key and one -bit permutation}. Our answer is positive: when the three -bit round keys , , and are adequately derived from an -bit master key , and the same permutation is used in place of and , we prove a qualitatively similar security bound (in the random permutation model). To the best of our knowledge, this is the first ``beyond the birthday bound'' security result for AES-like ciphers that does not assume independent round keys.
Key-alternating Ciphers and Key-length Extension: Exact Bounds and Multi-user Security
The best existing bounds on the concrete security of key-alternating ciphers (Chen and Steinberger, EUROCRYPT '14) are only asymptotically tight, and the quantitative gap with the best existing attacks remains numerically substantial for concrete parameters. Here, we prove exact bounds on the security of key-alternating ciphers and extend them to XOR cascades, the most efficient construction for key-length extension. Our bounds essentially match, for any possible query regime, the advantage achieved by the best existing attack.
Our treatment also extends to the multi-user regime. We show that the multi-user security of key-alternating ciphers and XOR cascades is very close to the single-user case, i.e., given enough rounds, it does not substantially decrease as the number of users increases. On the way, we also provide the first explicit treatment of multi-user security for key-length extension, which is particularly relevant given the significant security loss of block ciphers (even if ideal) in the multi-user setting.
The common denominator behind our results is a set of new techniques for information-theoretic indistinguishability proofs that both extend and refine existing proof techniques like the H-coefficient method.
Super-Linear Time-Memory Trade-Offs for Symmetric Encryption
We build symmetric encryption schemes from a pseudorandom function/permutation with domain size which have very high security -- in terms of the amount of messages they can securely encrypt -- assuming the adversary has bits of memory. We aim to minimize the number of calls we make to the underlying primitive to achieve a certain , or equivalently, to maximize the achievable for a given . We target in particular , in contrast to recent works (Jaeger and Tessaro, EUROCRYPT '19; Dinur, EUROCRYPT '20) which aim to beat the birthday barrier with one call when .
Our first result gives new and explicit bounds for the Sample-then-Extract paradigm by Tessaro and Thiruvengadam (TCC '18). We show instantiations for which . If , Thiruvengadam and Tessaro's weaker bounds only guarantee when . In contrast, here, we show this is true already for .
We also consider a scheme by Bellare, Goldreich and Krawczyk (CRYPTO '99) which evaluates the primitive on independent random strings, and masks the message with the XOR of the outputs. Here, we show , using new combinatorial bounds on the list-decodability of XOR codes which are of independent interest. We also study best-possible attacks against this construction.
- …