
    Security analysis of NIST-LWC contest finalists

    Integrated master's dissertation in Informatics Engineering. Traditional cryptographic standards are designed with a desktop and server environment in mind, so, with the relatively recent proliferation of small, resource-constrained devices in the Internet of Things, sensor networks, embedded systems, and more, there has been a call for lightweight cryptographic standards with security, performance and resource requirements tailored to the highly constrained environments these devices find themselves in. In 2015 the National Institute of Standards and Technology began a standardization process in order to select one or more lightweight cryptographic algorithms. Out of the original 57 submissions, ten finalists remain, with ASCON and Romulus being among the most scrutinized of them. In this dissertation I will introduce some concepts required for easy understanding of the body of work, give an up-to-date review of the current state of the standardization process from a security and performance standpoint, a description of ASCON and Romulus together with the new best known analysis, and a comparison of the two, with their advantages, drawbacks, and unique traits.
    Traditional cryptographic standards were designed with a desktop and server environment in mind. With the proliferation of small devices in the Internet of Things, sensor networks and embedded systems, a need arose to define standards for lightweight cryptographic algorithms, with security, performance and resource-usage priorities balanced for the highly constrained environments in which these devices operate. In 2015 the National Institute of Standards and Technology launched a standardization process with the aim of choosing one or more lightweight cryptographic algorithms. Of the fifty-seven original submissions only ten finalists remain, ASCON and Romulus being two of the most closely examined of them. In this dissertation I will introduce some concepts necessary for an easy understanding of the body of this work, as well as an up-to-date review of the current state of the standardization process from both a security and a performance point of view, a description of ASCON and Romulus together with the best recent analyses of them, and a comparison between the two, highlighting their advantages, disadvantages and unique aspects.

    INT-RUP Security of SAEB and TinyJAMBU

    The INT-RUP security of an authenticated encryption (AE) scheme is a well-studied problem which deals with the integrity security of an AE scheme in the setting of the releasing unverified plaintext model. Popular INT-RUP secure constructions either require a large state (e.g. GCM-RUP, LOCUS, Oribatida) or employ a two-pass mode (e.g. MONDAE) that does not allow on-the-fly data processing. This motivates us to turn our attention to feedback-type AE constructions that allow small state implementation as well as on-the-fly computation capability. In CT-RSA 2016, Chakraborti et al. demonstrated a generic INT-RUP attack on rate-1 block cipher based feedback-type AE schemes. Their results inspire us to study feedback-type AE constructions at a reduced rate. In this paper, we consider two such recent designs, SAEB and TinyJAMBU, and we analyze their integrity security in the setting of the releasing unverified plaintext model. We found an INT-RUP attack on SAEB with roughly 2^32 decryption queries. However, the concrete analysis shows that if we reduce its rate to 32 bits, SAEB achieves the desired INT-RUP security bound without any additional overhead. Moreover, we have also analyzed TinyJAMBU, one of the finalists of the NIST LwC, and found it to be INT-RUP secure. To the best of our knowledge, this is the first work reporting the INT-RUP security analysis of block cipher based single state, single pass, on-the-fly, inverse-free authenticated ciphers.

    RUP Security of the SAEF Authenticated Encryption mode

    ForkAE is a family of authenticated encryption (AE) schemes using a forkcipher as a building block. ForkAE was published at Asiacrypt '19 and is a second-round candidate in the NIST lightweight cryptography process. ForkAE comes in several modes of operation: SAEF, PAEF, and rPAEF. SAEF is optimized for authenticated encryption of short messages and processes the message blocks in a sequential and online manner. SAEF requires a smaller internal state than its parallel sibling PAEF and is better fitted for devices with a smaller footprint. At SAC 2020 it was shown that SAEF is also an online nonce-misuse-resistant AE (OAE) and hence offers enhanced security against adversaries that make blockwise adaptive encryption queries. It has remained an open question whether SAEF resists attacks by blockwise adaptive decryption adversaries, or more generally when the decrypted plaintext is released before verification (RUP). RUP security is a particularly relevant security target for lightweight (LW) implementations of AE schemes on memory-constrained devices or devices with stringent real-time requirements. Surprisingly, very few NIST lightweight AEAD candidates come with any provable guarantees against RUP. In this work, we show that the SAEF mode of operation of the ForkAE family comes with integrity guarantees in the RUP setting. The RUP integrity (INT-RUP) property was defined by Andreeva et al. at Asiacrypt '14. Our INT-RUP proof is conducted using the coefficient H technique and shows that, without any modifications, SAEF is INT-RUP secure up to the birthday bound, i.e., up to 2^{n/2} processed data blocks, where n is the block size of the forkcipher. The implication of our work is that SAEF is indeed RUP secure in the sense that the release of unverified plaintexts will not impact its ciphertext integrity.

    Grain boundary oxidation and fatigue crack growth at elevated temperatures

    Fatigue crack growth rate at elevated temperatures can be accelerated by grain boundary oxidation. Grain boundary oxidation kinetics and the statistical distribution of grain boundary oxide penetration depth were studied. At a constant delta-K level and at a constant test temperature, the fatigue crack growth rate, da/dN, is a function of the cyclic frequency, nu. A fatigue crack growth model of intermittent micro-ruptures of grain boundary oxide is constructed. The model is consistent with the experimental observations that, in the low-frequency region, da/dN is inversely proportional to nu, and fatigue crack growth is intergranular.

    Hybrid User Pairing for Spectral and Energy Efficiencies in Multiuser MISO-NOMA Networks with SWIPT

    In this paper, we propose a novel hybrid user pairing (HUP) scheme in multiuser multiple-input single-output non-orthogonal multiple access networks with simultaneous wireless information and power transfer. In this system, two information users with distinct channel conditions are optimally paired while energy users perform energy harvesting (EH) under non-linearity of the EH circuits. We consider the problem of jointly optimizing user pairing and power allocation to maximize the overall spectral efficiency (SE) and energy efficiency (EE) subject to user-specific quality-of-service and harvested power requirements. A new paradigm for the EE-EH trade-off is then proposed to achieve a good balance of network power consumption. Such design problems are formulated as the maximization of nonconcave functions subject to the class of mixed-integer non-convex constraints, which are very challenging to solve optimally. To address these challenges, we first relax the binary pairing variables to be continuous and transform the design problems into equivalent non-convex ones, but with more tractable forms. We then develop low-complexity iterative algorithms to improve the objectives and converge to a local optimum by means of the inner approximation framework. Simulation results show the convergence of the proposed algorithms and the SE and EE improvements of the proposed HUP scheme over state-of-the-art designs. In addition, the effects of key parameters such as the number of antennas and dynamic power at the base station (BS), target data rates, and energy threshold on the system performance are evaluated to show the effectiveness of the proposed schemes in balancing resource utilization.

    The INT-RUP Security of OCB with Intermediate (Parity) Checksum

    OCB is neither integrity-secure under release of unverified plaintext (INT-RUP) nor nonce-misuse resistant. The tag of OCB is generated by encrypting the plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new notion, called plaintext or ciphertext checksum (PCC), which is a generalization of plaintext checksum, and prove that all authenticated encryption schemes with PCC are insecure in the INT-RUP security model. Then we fix the weakness of PCC, and describe a new approach called intermediate (parity) checksum (I(P)C for short). Based on the I(P)C approach, we provide two modified schemes, OCB-IC and OCB-IPC, to settle the INT-RUP security of OCB in the nonce-misuse setting. OCB-IC and OCB-IPC are proven INT-RUP up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). The security bound of OCB-IPC is tighter than that of OCB-IC. To improve their speed, we utilize a "prove-then-prune" approach: prove security and instantiate with a scaled-down primitive (e.g., reducing rounds for the underlying primitive invocations).
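    The plaintext-checksum weakness described above, and the separated decryption/verification access that the INT-RUP abstracts on this page refer to, worked through as an added example (not code from this paper, from OCB's designers, or from any other work listed here): a toy OCB-style mode in which every block is enciphered independently under a tweak derived from (nonce, index) and the tag is the encipherment of the XOR of the plaintext blocks. In the RUP model the adversary holds a decryption oracle that releases plaintext without checking the tag, so a single decryption query on m random ciphertext blocks under the same nonce yields a second candidate plaintext for every position; a nonzero GF(2) kernel vector of the n x m matrix of plaintext differences then selects a mix of original and substituted ciphertext blocks whose checksum, and therefore tag, is unchanged. The tweakable block cipher is a constructed SHA-256 Feistel toy with 64-bit blocks (so the linear algebra stays small), m = n + 8, and the key, nonce and message are constructed inputs; none of these choices come from the paper.

```python
"""Generic INT-RUP forgery against a plaintext-checksum AE mode (OCB-style toy).
Added example, not code from any paper on this page. The tweakable block cipher
is a constructed SHA-256 Feistel with 64-bit blocks so the GF(2) algebra stays
small; the forgery only uses blockwise decryption and an XOR-based checksum."""
import hashlib
import hmac
import secrets

N_BITS = 64             # block size n of the toy tweakable block cipher
BLOCK = N_BITS // 8
ROUNDS = 6
TAG_INDEX = 0xFFFFFFFF  # tweak index reserved for the tag block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, tweak: bytes, r: int, half: bytes) -> int:
    return int.from_bytes(hashlib.sha256(key + tweak + bytes([r]) + half).digest()[:4], "big")


def tbc_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in range(ROUNDS):  # balanced Feistel; the tweak enters every round function
        l, r = r, l ^ _round(key, tweak, i, r.to_bytes(4, "big"))
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")


def tbc_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round(key, tweak, i, l.to_bytes(4, "big")), l
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "toy mode handles full blocks only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _tag(key: bytes, nonce: bytes, pt_blocks: list) -> bytes:
    checksum = bytes(BLOCK)
    for p in pt_blocks:  # the plaintext checksum (PCC) that the abstract above calls vulnerable
        checksum = _xor(checksum, p)
    tweak = nonce + TAG_INDEX.to_bytes(4, "big") + len(pt_blocks).to_bytes(4, "big")
    return tbc_encrypt(key, tweak, checksum)


def make_oracles(key: bytes):
    """Encryption, RUP decryption (no tag check) and verification, as the adversary sees them."""
    def encrypt(nonce: bytes, plaintext: bytes):
        pts = _blocks(plaintext)
        ct = b"".join(tbc_encrypt(key, nonce + i.to_bytes(4, "big"), p) for i, p in enumerate(pts))
        return ct, _tag(key, nonce, pts)

    def decrypt_rup(nonce: bytes, ciphertext: bytes) -> bytes:
        # RUP model: plaintext is released before, and regardless of, verification
        return b"".join(tbc_decrypt(key, nonce + i.to_bytes(4, "big"), c)
                        for i, c in enumerate(_blocks(ciphertext)))

    def verify(nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(_tag(key, nonce, _blocks(decrypt_rup(nonce, ciphertext))), tag)

    return encrypt, decrypt_rup, verify


def gf2_dependency(vectors: list):
    """Nonzero index mask whose selected vectors XOR to zero (a GF(2) kernel element), or None."""
    basis = {}  # leading bit -> (reduced vector, mask of the original indices it combines)
    for i, v in enumerate(vectors):
        mask = 1 << i
        while v:
            hb = v.bit_length() - 1
            if hb not in basis:
                basis[hb] = (v, mask)
                break
            bv, bm = basis[hb]
            v, mask = v ^ bv, mask ^ bm
        else:
            return mask  # v reduced to zero: mask names a linearly dependent set
    return None


def int_rup_forgery(encrypt, decrypt_rup, nonce: bytes, m: int = N_BITS + 8):
    """One encryption query and one RUP decryption query give a fresh valid (nonce, C*, T)."""
    msg = secrets.token_bytes(m * BLOCK)  # constructed random message of m > n blocks
    ct, tag = encrypt(nonce, msg)
    c_blocks, p_blocks = _blocks(ct), _blocks(msg)
    # Same nonce, fresh random blocks: the RUP oracle returns D_K(N, i, C'_i) for every position.
    alt_c = [secrets.token_bytes(BLOCK) for _ in range(m)]
    alt_p = _blocks(decrypt_rup(nonce, b"".join(alt_c)))
    # Pick b != 0 with XOR over {i : b_i = 1} of (P_i ^ P'_i) = 0; the checksum, hence T, is unchanged.
    diffs = [int.from_bytes(_xor(p, q), "big") for p, q in zip(p_blocks, alt_p)]
    mask = gf2_dependency(diffs)  # m > n columns in n dimensions: a dependency always exists
    forged = b"".join(alt_c[i] if mask >> i & 1 else c_blocks[i] for i in range(m))
    assert forged != ct  # fails only if a random C'_i collided with C_i (probability ~ m * 2**-n)
    return ct, tag, forged
```

    Nothing here depends on the block cipher: the forgery uses only that decryption is blockwise and that the tag depends on the plaintext through an XOR, which is exactly what the PCC result above captures. Note that the decryption query reuses the nonce of the encryption query; INT-RUP permits this, since only the encryption oracle is nonce-respecting. A decryptor that verifies the tag before releasing any plaintext never hands the adversary the P'_i values the linear algebra needs, which is why the distinction between INT-CTXT and INT-RUP matters for implementations that stream plaintext out early.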

    Heat transfer characteristics of an emergent strand

    A mathematical model was developed to describe the heat transfer characteristics of a hot strand emerging into a surrounding coolant. A stable strand of constant efflux velocity is analyzed, with a constant (average) heat transfer coefficient on the sides and leading surface of the strand. After developing a suitable governing equation to provide an adequate description of the physical system, the dimensionless governing equation is solved with Laplace transform methods. The solution yields the temperature within the strand as a function of axial distance and time. Generalized results for a wide range of parameters are presented, and the relationship between the results and experimental observations is discussed.

    Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE

    Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separate access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security and RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE in terms of efficiency and optimality.

    Fixed-range optimum trajectories for short-haul aircraft

    An algorithm, based on the energy-state method, is derived for calculating optimum trajectories with a range constraint. The basis of the algorithm is the assumption that optimum trajectories consist of, at most, three segments: an increasing energy segment (climb); a constant energy segment (cruise); and a decreasing energy segment (descent). This assumption allows energy to be used as the independent variable in the increasing and decreasing energy segments, thereby eliminating the integration of a separate adjoint differential equation and simplifying the calculus of variations problem to one requiring only pointwise extremization of algebraic functions. The algorithm is used to compute minimum-fuel, minimum-time, and minimum-direct-operating-cost trajectories, with range as a parameter, for an in-service CTOL aircraft and for an advanced STOL aircraft. For the CTOL aircraft and the minimum-fuel performance function, the optimum controls, consisting of airspeed and engine power setting, are continuous functions of the energy in both climb and descent as well as near the maximum or cruise energy. This is also true for the STOL aircraft except in the descent, where at one energy level a nearly constant energy dive segment occurs, yielding a discontinuity in the airspeed at that energy. The reason for this segment appears to be the relatively high fuel flow at idle power of the engines used by this STOL aircraft. Use of a simplified trajectory which eliminates the dive increases the fuel consumption of the total descent trajectory by about 10 percent and the time to fly the descent by about 19 percent compared to the optimum.