Cryptanalysis of the MEM Mode of Operation

The MEM mode is a nonce-based enciphering mode of operation proposed by Chakraborty and Sarkar, which was claimed to be secure against symmetric nonce respecting adversaries. We show that this is not correct by using two very simple attcks. One attack need one decryption and one decryption queries, and the other only need one encryption query

Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption

A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors

Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption

A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors

Multi-key Analysis of Tweakable Even-Mansour with Applications to Minalpher and OPP

The tweakable Even-Mansour construction generalizes the conventional Even-Mansour scheme through replacing round keys by strings derived from a master key and a tweak. Besides providing plenty of inherent variability, such a design builds a tweakable block cipher from some lower level primitive. In the present paper, we evaluate the multi-key security of TEM-1, one of the most commonly used one-round tweakable Even-Mansour schemes (formally introduced at CRYPTO 2015), which is constructed from a single n-bit permutation P and a function f(k, t) linear in k from some tweak space to {0, 1} n. Based on giant component theorem in random graph theory, we propose a collision-based multi-key attack on TEM-1 in the known-plaintext setting. Furthermore, inspired by the methodology of Fouque et al. presented at ASIACRYPT 2014, we devise a novel way of detecting collisions and eventually obtain a memory-efficient multi-key attack in the adaptive chosen-plaintext setting. As important applications, we utilize our techniques to analyze the authenticated encryption algorithms Minalpher (a second-round candidate of CAESAR) and OPP (proposed at EUROCRYPT 2016) in the multi-key setting. We describe knownplaintext attacks on Minalpher and OPP without nonce misuse, which enable us to recover almost all O(2n/3) independent masks by making O(2n/3) queries per key and costing O(22n/3) memory overall. After defining appropriate iterated functions and accordingly changing the mode of creating chains, we improve the basic blockwiseadaptive chosen-plaintext attack to make it also applicable for the nonce-respecting setting. While our attacks do not contradict the security proofs of Minalpher and OPP in the classical setting, nor pose an immediate threat to their uses, our results demonstrate their security margins in the multi-user setting should be carefully considered. We emphasize this is the very first third-party analysis on Minalpher and OPP

Design and Analysis of Cryptographic Algorithms for Authentication

During the previous decades, the upcoming demand for security in the digital world, e.g., the Internet, lead to numerous groundbreaking research topics in the field of cryptography. This thesis focuses on the design and analysis of cryptographic primitives and schemes to be used for authentication of data and communication endpoints, i.e., users. It is structured into three parts, where we present the first freely scalable multi-block-length block-cipher-based compression function (Counter-bDM) in the first part. The presented design is accompanied by a thorough security analysis regarding its preimage and collision security. The second and major part is devoted to password hashing. It is motivated by the large amount of leaked password during the last years and our discovery of side-channel attacks on scrypt – the first modern password scrambler that allowed to parameterize the amount of memory required to compute a password hash. After summarizing which properties we expect from a modern password scrambler, we (1) describe a cache-timing attack on scrypt based on its password-dependent memory-access pattern and (2) outline an additional attack vector – garbage-collector attacks – that exploits optimization which may disregard to overwrite the internally used memory. Based on our observations, we introduce Catena – the first memory-demanding password-scrambling framework that allows a password-independent memory-access pattern for resistance to the aforementioned attacks. Catena was submitted to the Password Hashing Competition (PHC) and, after two years of rigorous analysis, ended up as a finalist gaining special recognition for its agile framework approach and side-channel resistance. We provide six instances of Catena suitable for a variety of applications. We close the second part of this thesis with an overview of modern password scramblers regarding their functional, security, and general properties; supported by a brief analysis of their resistance to garbage-collector attacks. The third part of this thesis is dedicated to the integrity (authenticity of data) of nonce-based authenticated encryption schemes (NAE). We introduce the so-called j-IV-Collision Attack, allowing to obtain an upper bound for an adversary that is provided with a first successful forgery and tries to efficiently compute j additional forgeries for a particular NAE scheme (in short: reforgeability). Additionally, we introduce the corresponding security notion j-INT-CTXT and provide a comparative analysis (regarding j-INT-CTXT security) of the third-round submission to the CAESAR competition and the four classical and widely used NAE schemes CWC, CCM, EAX, and GCM.Die fortschreitende Digitalisierung in den letzten Jahrzehnten hat dazu geführt, dass sich das Forschungsfeld der Kryptographie bedeutsam weiterentwickelt hat. Diese, im Wesentlichen aus drei Teilen bestehende Dissertation, widmet sich dem Design und der Analyse von kryptographischen Primitiven und Modi zur Authentifizierung von Daten und Kommunikationspartnern. Der erste Teil beschäftigt sich dabei mit blockchiffrenbasierten Kompressionsfunktionen, die in ressourcenbeschränkten Anwendungsbereichen eine wichtige Rolle spielen. Im Rahmen dieser Arbeit präsentieren wir die erste frei skalierbare und sichere blockchiffrenbasierte Kompressionsfunktion Counter-bDM und erweitern somit flexibel die erreichbare Sicherheit solcher Konstruktionen. Der zweite Teil und wichtigste Teil dieser Dissertation widmet sich Passwort-Hashing-Verfahren. Zum einen ist dieser motiviert durch die große Anzahl von Angriffen auf Passwortdatenbanken großer Internet-Unternehmen. Zum anderen bot die Password Hashing Competition (PHC) die Möglichkeit, unter Aufmerksamkeit der Expertengemeinschaft die Sicherheit bestehender Verfahren zu hinterfragen, sowie neue sichere Verfahren zu entwerfen. Im Rahmen des zweiten Teils entwarfen wir Anforderungen an moderne Passwort-Hashing-Verfahren und beschreiben drei Arten von Seitenkanal-Angriffen (Cache-Timing-, Weak Garbage-Collector- und Garbage-Collector-Angriffe) auf scrypt – das erste moderne Password-Hashing-Verfahren welches erlaubte, den benötigten Speicheraufwand zur Berechnung eines Passworthashes frei zu wählen. Basierend auf unseren Beobachtungen und Angriffen, stellen wir das erste moderne PasswordHashing-Framework Catena vor, welches für gewählte Instanzen passwortunabhängige Speicherzugriffe und somit Sicherheit gegen oben genannte Angriffe garantiert. Catena erlangte im Rahmen des PHC-Wettbewerbs besondere Anerkennung für seine Agilität und Resistenz gegen SeitenkanalAngriffe. Wir präsentieren sechs Instanzen des Frameworks, welche für eine Vielzahl von Anwendungen geeignet sind. Abgerundet wird der zweite Teil dieser Arbeit mit einem vergleichenden Überblick von modernen Passwort-Hashing-Verfahren hinsichtlich ihrer funktionalen, sicherheitstechnischen und allgemeinen Eigenschaften. Dieser Vergleich wird unterstützt durch eine kurze Analyse bezüglich ihrer Resistenz gegen (Weak) Garbage-Collector-Angriffe. Der dritte teil dieser Arbeit widmet sich der Integrität von Daten, genauer, der Sicherheit sogenannter Nonce-basierten authentisierten Verschlüsselungsverfahren (NAE-Verfahren), welche ebenso wie Passwort-Hashing-Verfahren in der heutigen Sicherheitsinfrastruktur des Internets eine wichtige Rolle spielen. Während Standard-Definitionen keine Sicherheit nach dem Fund einer ersten erfolgreich gefälschten Nachricht betrachten, erweitern wir die Sicherheitsanforderungen dahingehend wie schwer es ist, weitere Fälschungen zu ermitteln. Wir abstrahieren die Funktionsweise von NAEVerfahren in Klassen, analysieren diese systematisch und klassifizieren die Dritt-Runden-Kandidaten des CAESAR-Wettbewerbs, sowie vier weit verbreitete NAE-Verfahren CWC, CCM, EAX und GCM

Design and Analysis of Cryptographic Algorithms for Authentication

During the previous decades, the upcoming demand for security in the digital world, e.g., the Internet, lead to numerous groundbreaking research topics in the field of cryptography. This thesis focuses on the design and analysis of cryptographic primitives and schemes to be used for authentication of data and communication endpoints, i.e., users. It is structured into three parts, where we present the first freely scalable multi-block-length block-cipher-based compression function (Counter-bDM) in the first part. The presented design is accompanied by a thorough security analysis regarding its preimage and collision security. The second and major part is devoted to password hashing. It is motivated by the large amount of leaked password during the last years and our discovery of side-channel attacks on scrypt – the first modern password scrambler that allowed to parameterize the amount of memory required to compute a password hash. After summarizing which properties we expect from a modern password scrambler, we (1) describe a cache-timing attack on scrypt based on its password-dependent memory-access pattern and (2) outline an additional attack vector – garbage-collector attacks – that exploits optimization which may disregard to overwrite the internally used memory. Based on our observations, we introduce Catena – the first memory-demanding password-scrambling framework that allows a password-independent memory-access pattern for resistance to the aforementioned attacks. Catena was submitted to the Password Hashing Competition (PHC) and, after two years of rigorous analysis, ended up as a finalist gaining special recognition for its agile framework approach and side-channel resistance. We provide six instances of Catena suitable for a variety of applications. We close the second part of this thesis with an overview of modern password scramblers regarding their functional, security, and general properties; supported by a brief analysis of their resistance to garbage-collector attacks. The third part of this thesis is dedicated to the integrity (authenticity of data) of nonce-based authenticated encryption schemes (NAE). We introduce the so-called j-IV-Collision Attack, allowing to obtain an upper bound for an adversary that is provided with a first successful forgery and tries to efficiently compute j additional forgeries for a particular NAE scheme (in short: reforgeability). Additionally, we introduce the corresponding security notion j-INT-CTXT and provide a comparative analysis (regarding j-INT-CTXT security) of the third-round submission to the CAESAR competition and the four classical and widely used NAE schemes CWC, CCM, EAX, and GCM.Die fortschreitende Digitalisierung in den letzten Jahrzehnten hat dazu geführt, dass sich das Forschungsfeld der Kryptographie bedeutsam weiterentwickelt hat. Diese, im Wesentlichen aus drei Teilen bestehende Dissertation, widmet sich dem Design und der Analyse von kryptographischen Primitiven und Modi zur Authentifizierung von Daten und Kommunikationspartnern. Der erste Teil beschäftigt sich dabei mit blockchiffrenbasierten Kompressionsfunktionen, die in ressourcenbeschränkten Anwendungsbereichen eine wichtige Rolle spielen. Im Rahmen dieser Arbeit präsentieren wir die erste frei skalierbare und sichere blockchiffrenbasierte Kompressionsfunktion Counter-bDM und erweitern somit flexibel die erreichbare Sicherheit solcher Konstruktionen. Der zweite Teil und wichtigste Teil dieser Dissertation widmet sich Passwort-Hashing-Verfahren. Zum einen ist dieser motiviert durch die große Anzahl von Angriffen auf Passwortdatenbanken großer Internet-Unternehmen. Zum anderen bot die Password Hashing Competition (PHC) die Möglichkeit, unter Aufmerksamkeit der Expertengemeinschaft die Sicherheit bestehender Verfahren zu hinterfragen, sowie neue sichere Verfahren zu entwerfen. Im Rahmen des zweiten Teils entwarfen wir Anforderungen an moderne Passwort-Hashing-Verfahren und beschreiben drei Arten von Seitenkanal-Angriffen (Cache-Timing-, Weak Garbage-Collector- und Garbage-Collector-Angriffe) auf scrypt – das erste moderne Password-Hashing-Verfahren welches erlaubte, den benötigten Speicheraufwand zur Berechnung eines Passworthashes frei zu wählen. Basierend auf unseren Beobachtungen und Angriffen, stellen wir das erste moderne PasswordHashing-Framework Catena vor, welches für gewählte Instanzen passwortunabhängige Speicherzugriffe und somit Sicherheit gegen oben genannte Angriffe garantiert. Catena erlangte im Rahmen des PHC-Wettbewerbs besondere Anerkennung für seine Agilität und Resistenz gegen SeitenkanalAngriffe. Wir präsentieren sechs Instanzen des Frameworks, welche für eine Vielzahl von Anwendungen geeignet sind. Abgerundet wird der zweite Teil dieser Arbeit mit einem vergleichenden Überblick von modernen Passwort-Hashing-Verfahren hinsichtlich ihrer funktionalen, sicherheitstechnischen und allgemeinen Eigenschaften. Dieser Vergleich wird unterstützt durch eine kurze Analyse bezüglich ihrer Resistenz gegen (Weak) Garbage-Collector-Angriffe. Der dritte teil dieser Arbeit widmet sich der Integrität von Daten, genauer, der Sicherheit sogenannter Nonce-basierten authentisierten Verschlüsselungsverfahren (NAE-Verfahren), welche ebenso wie Passwort-Hashing-Verfahren in der heutigen Sicherheitsinfrastruktur des Internets eine wichtige Rolle spielen. Während Standard-Definitionen keine Sicherheit nach dem Fund einer ersten erfolgreich gefälschten Nachricht betrachten, erweitern wir die Sicherheitsanforderungen dahingehend wie schwer es ist, weitere Fälschungen zu ermitteln. Wir abstrahieren die Funktionsweise von NAEVerfahren in Klassen, analysieren diese systematisch und klassifizieren die Dritt-Runden-Kandidaten des CAESAR-Wettbewerbs, sowie vier weit verbreitete NAE-Verfahren CWC, CCM, EAX und GCM

Misuse Resistant Parallel Authenticated Encryptions

The authenticated encryptions which resist misuse of initial value (or nonce) at some desired level of privacy are two-pass or Mac-then-Encrypt constructions (inherently inefficient but provide full privacy) and online constructions, e.g., McOE, sponge-type authenticated encryptions (such as duplex, AEGIS) and COPA. Only the last one is almost parallelizable with some bottleneck in processing associated data. In this paper, {\em we design a new online secure authenticated encryption, called \tx{ELmE} or Encrypt-Linear mix-Encrypt, which is completely (two-stage) {\bf parallel} (even in associated data) and {\bf pipeline implementable}}. It also provides full privacy when associated data (which includes initial value) is not repeated. The basic idea of our construction and COPA are based on \tx{EME}, an Encrypt-Mix-Encrypt type SPRP constructions (secure against chosen plaintext and ciphertext). Unlike \tx{EME}, we consider (so does COPA) online computable {\bf linear mixing}. In addition with getting rid of bottleneck, our construction optionally supports {\bf intermediate tags} which can be verified faster with less buffer size. Intermediate tag provides security against block-wise adversaries which is meaningful in low-end device implementation

Speeding Up OMD Instantiations in Hardware

Particular instantiations of the Offset Merkle Damgaard authenticated encryption scheme (OMD) represent highly secure alternatives for AES-GCM. It is already a fact that OMD can be efficiently implemented in software. Given this, in our paper we focus on speeding-up OMD in hardware, more precisely on FPGA platforms. Thus, we propose a new OMD instantiation based on the compression function of BLAKE2b. Moreover, to the best of our knowledge, we present the first FPGA implementation results for the SHA-512 instantiation of OMD as well as the first architecture of an online authenticated encryption system based on OMD

Analysis Design & Applications of Cryptographic Building Blocks

This thesis deals with the basic design and rigorous analysis of cryptographic schemes and primitives, especially of authenticated encryption schemes, hash functions, and password-hashing schemes. In the last decade, security issues such as the PS3 jailbreak demonstrate that common security notions are rather restrictive, and it seems that they do not model the real world adequately. As a result, in the first part of this work, we introduce a less restrictive security model that is closer to reality. In this model it turned out that existing (on-line) authenticated encryption schemes cannot longer beconsidered secure, i.e. they can guarantee neither data privacy nor data integrity. Therefore, we present two novel authenticated encryption scheme, namely COFFE and McOE, which are not only secure in the standard model but also reasonably secure in our generalized security model, i.e. both preserve full data inegrity. In addition, McOE preserves a resonable level of data privacy. The second part of this thesis starts with proposing the hash function Twister-Pi, a revised version of the accepted SHA-3 candidate Twister. We not only fixed all known security issues of Twister, but also increased the overall soundness of our hash-function design. Furthermore, we present some fundamental groundwork in the area of password-hashing schemes. This research was mainly inspired by the medial omnipresence of password-leakage incidences. We show that the password-hashing scheme scrypt is vulnerable against cache-timing attacks due to the existence of a password-dependent memory-access pattern. Finally, we introduce Catena the first password-hashing scheme that is both memory-consuming and resistant against cache-timing attacks

Forking Sums of Permutations for Optimally Secure and Highly Efficient PRFs

The desirable encryption scheme possesses high PRF security, high efficiency, and the ability to produce variable-length outputs. Since designing dedicated secure PRFs is difficult, a series of works was devoted to building optimally secure PRFs from the sum of independent permutations (SoP), Encrypted Davies-Meyer (EDM), its Dual (EDMD), and the Summation-Truncation Hybrid (STH) for variable output lengths, which can be easily instantiated from existing permutations. For increased efficiency, reducing the number of operations in established primitives has been gaining traction: Mennink and Neves pruned EDMD to FastPRF, and Andreeva et al. introduced ForkCiphers, which take an n-bit input, process it through a reduced-round permutation, fork it into two states, and feed each of them into another reduced-round permutation to produce a 2n-bit output. The constructions above can be used in secure variable-length modes or generalizations such as MultiForkCiphers. In this paper, we suggest a framework of those constructions in terms of the three desiderata: we span the spectrum of (1) output length vs. PRF security, (2) full vs. round-reduced primitives, and (3) fixed- vs. variable-length outputs. From this point of view, we identify remaining gaps in the spectrum and fill them with the proposal of several highly secure and efficient fixed- and variable-output-length PRFs. We fork SoP and STH to ForkPRF and ForkSTH, extend STH to the variable-output-length construction STHCENC, which bridges the gap between CTR mode and CENC,and propose ForkCENC, ForkSTHCENC, ForkEDMD, as well as ForkEDM-CTR as the variable-output-length and round-reduced versions of CENC, STH, FastPRF, and FastPRF\u27s dual, respectively. Using recent results on Patarin\u27s general Mirror Theory, we have proven that almost all our proposed PRFs are optimally secure under the assumption that the permutations are pairwise independent and random and STH achieves the optimal security depending on the output length. Our constructions can be highly efficient in practice. We propose efficient instantiations from round-reduced AES and back it with the cryptanalysis lessons learned from existing earlier analysis of AES-based primitives