Misuse Resistant Parallel Authenticated Encryptions

The authenticated encryptions which resist misuse of initial value (or nonce) at some desired level of privacy are two-pass or Mac-then-Encrypt constructions (inherently inefficient but provide full privacy) and online constructions, e.g., McOE, sponge-type authenticated encryptions (such as duplex, AEGIS) and COPA. Only the last one is almost parallelizable with some bottleneck in processing associated data. In this paper, {\em we design a new online secure authenticated encryption, called \tx{ELmE} or Encrypt-Linear mix-Encrypt, which is completely (two-stage) {\bf parallel} (even in associated data) and {\bf pipeline implementable}}. It also provides full privacy when associated data (which includes initial value) is not repeated. The basic idea of our construction and COPA are based on \tx{EME}, an Encrypt-Mix-Encrypt type SPRP constructions (secure against chosen plaintext and ciphertext). Unlike \tx{EME}, we consider (so does COPA) online computable {\bf linear mixing}. In addition with getting rid of bottleneck, our construction optionally supports {\bf intermediate tags} which can be verified faster with less buffer size. Intermediate tag provides security against block-wise adversaries which is meaningful in low-end device implementation

Designing Full-Rate Sponge based AEAD modes

Sponge based constructions have gained significant popularity for designing lightweight authenticated encryption modes. Most of the authenticated ciphers following the Sponge paradigm can be viewed as variations of the Transform-then-permute construction. It is known that a construction following the Transform-then-permute paradigm provides security against any adversary having data complexity $D$ and time complexity $T$ as long as $DT \ll 2^{b-r}$. Here, $b$ represents the size of the underlying permutation, while $r$ pertains to the rate at which the message is injected. The above result demonstrates that an increase in the rate leads to a degradation in the security of the constructions, with no security guaranteed to constructions operating at the full rate, where $r=b$. This present study delves into the exploration of whether adding some auxiliary states could potentially improve the security of the Transform-then-permute construction. Our investigation yields an affirmative response, demonstrating that a special class of full rate Transform-then-permute with additional states, dubbed frTtP+, can indeed attain security when operated under a suitable feedback function and properly initialized additional state. To be precise, we prove that frTtP+ provides security as long as $D \ll 2^{s/2}$ and $T \ll 2^{s}$, where $s$ denotes the size of the auxiliary state in terms of bits. To demonstrate the applicability of this result, we show that the construction $Orange-Zest_{mod}$ belongs to this class, thereby obtaining the desired security. In addition, we propose a family of full-rate Transform-then-permute construction with a Beetle-like feedback function, dubbed \textsf{fr-Beetle}, which also achieves the same level of security

Impact of tomato juice on radiation side effects and select inflammatory mediators in prostate cancer patients undergoing intensity modulated radiation therapy

This pilot study assessed tolerance of different volumes of processed tomato juice consumed daily and its impact on serum lycopene, selected serum inflammatory mediator levels and radiation-induced side effects in men with localized prostate cancer undergoing radiation therapy. Participants (n = 17) were randomized into control group or one of three intervention groups (4 oz, 8 oz or 12 oz of processed tomato juice daily). Non-Hispanic Whites comprised 71% of study participants. Tumor staging ranged from T1c-2cN0M0, with 71% of participant tumors in the T1cN0M0 stage. Participants tolerated daily tomato juice supplementation without any adverse gastrointestinal (GI) effects. Serum lycopene decreased in control group participants, while increasing from 0.33±0.11 ìg/mL (baseline) to 0.41± 0.12 ìg/mL (endpoint) in the intervention group. No correlation between serum and dietary lycopene was detected. Control group participants lost weight, while participants in the intervention groups did not. Not surprisingly, participants exhibited systemic inflammation at baseline. Overtime, increased c-reactive protein (CRP) and interleukin-6 (IL-6) was observed in control group, while decreases in serum CRP, IL-6 and prostaglandin E2 (PGE2) levels were observed in intervention groups (p>0.05). No statistically significant within group differences were detected for CRP. Within group differences were statistically significant for 12 oz group only, when comparing baseline and endpoint with midpoint levels (p = 0.014) for IL-6, and when comparing PGE2 baseline levels with midpoint and endpoint (p = 0.003). We observed no statistical correlation between inflammatory markers, cancer characteristics and dietary or serum lycopene, or acute side effects of treatment. Lower performance score was observed in intervention group participants. Daily tomato juice intake appeared to offer a GI protective effect during the first three weeks of treatment. Based on the results of this study, daily consumption of processed tomato juice (at least 8-12 oz) may decrease serum levels of CRP, IL-6 and PGE2; lower performance status score; and offer a protective GI effect during radiotherapy for prostate cancer. This information may assist in improving patient tolerance and minimize acute side-effects of radiation therapy in men with localized prostate cancer undergoing intensity modulated radiation therapy

Double-block Hash-then-Sum: A Paradigm for Constructing BBB Secure PRF

SUM-ECBC (Yasuda, CT-RSA 2010) is the first beyond birthday bound (BBB) secure block cipher based deterministic MAC. After this work, some more BBB secure deterministic MACs have been proposed, namely PMAC_Plus (Yasuda, CRYPTO 2011), 3kf9 (Zhang et al., ASIACRYPT 2012) and LightMAC_Plus (Naito, ASIACRYPT 2017). In this paper, we have abstracted out the inherent design principle of all these BBB secure MACs and present a generic design paradigm to construct a BBB secure pseudo random function, namely Double-block Hash-then- Sum or in short (DbHtS). A DbHtS construction, as the name implies, computes a double block hash on the message and then sum the encrypted output of the two hash blocks. Our result renders that if the underlying hash function meets certain security requirements (namely cover-free and block-wise universal advantage is low), DbHtS construction provides 2n/3-bit security. We demonstrate the applicability of our result by instantiating all the existing beyond birthday secure deterministic MACs (e.g., SUM-ECBC, PMAC_Plus, 3kf9, LightMAC_Plus) as well as a simple two-keyed variant for each of them and some algebraic hash based constructions

The Iterated Random Function Problem

At CRYPTO 2015, Minaud and Seurin introduced and studied the iterated random permutation problem, which is to distinguish the $r$-th iterate of a random permutation from a random permutation. In this paper, we study the closely related iterated random function problem, and prove the first almost-tight bound in the adaptive setting. More specifically, we prove that the advantage to distinguish the $r$-th iterate of a random function from a random function using $q$ queries is bounded by $O(q^2r(\log r)^3/N)$, where $N$ is the size of the domain. In previous work, the best known bound was $O(q^2r^2/N)$, obtained as a direct result of interpreting the iterated random function problem as a special case of CBC-MAC based on a random function. For the iterated random function problem, the best known attack has an advantage of $\Omega(q^2r/N)$, showing that our security bound is tight up to a factor of $(\log r)^3$

Single Key Variant of PMAC_Plus

At CRYPTO 2011, Yasuda proposed the PMAC_Plus message authentication code based on an n-bit block cipher. Its design principle inherits the well known PMAC parallel network with a low additional cost. PMAC_Plus is a rate-1 construction like PMAC (i.e., one block cipher call per n-bit message block) but provides security against all adversaries (under black-box model) making queries altogether consisting of roughly upto 22n/3 blocks (strings of n-bits). Even though PMAC_Plus gives higher security than the standard birthday bound security, with currently available best bound, it provides weaker security than PMAC for certain choices of adversaries. Moreover, unlike PMAC, PMAC_Plus operates with three independent block cipher keys. In this paper, we propose 1k-PMAC_Plus, the first rate-1 single keyed block cipher based BBB (Beyond Birthday Bound) secure (in standard model) deterministic MAC construction without arbitrary field multiplications. 1k-PMAC_Plus, as the name implies, is a simple one-key variant of PMAC_Plus. In addition to the key reduction, we obtain a higher security guarantee than what was proved originally for PMAC_Plus, thus an improvement in two directions

ISAP+: ISAP with Fast Authentication

This paper analyses the lightweight, sponge-based NAEAD mode $\textsf{ISAP}$, one of the finalists of the NIST Lightweight Cryptography (LWC) standardisation project, that achieves high-throughput with inherent protection against differential power analysis (DPA). We observe that $\textsf{ISAP}$ requires $256$-bit capacity in the authentication module to satisfy the NIST LWC security criteria. In this paper, we study the analysis carefully and observe that this is primarily due to the collision in the associated data part of the hash function which can be used in the forgery of the mode. However, the same is not applicable to the ciphertext part of the hash function because a collision in the ciphertext part does not always lead to a forgery. In this context, we define a new security notion, named $\textsf{2PI+}$ security, which is a strictly stronger notion than the collision security, and show that the security of a class of encrypt-then-hash based MAC type of authenticated encryptions, that includes $\textsf{ISAP}$, reduces to the $\textsf{2PI+}$ security of the underlying hash function used in the authentication module. Next we investigate and observe that a feed-forward variant of the generic sponge hash achieves better $\textsf{2PI+}$ security as compared to the generic sponge hash. We use this fact to present a close variant of $\textsf{ISAP}$, named $\textsf{ISAP+}$, which is structurally similar to $\textsf{ISAP}$, except that it uses the feed-forward variant of the generic sponge hash in the authentication module. This improves the overall security of the mode, and hence we can set the capacity of the ciphertext part to $192$ bits (to achieve a higher throughput) and yet satisfy the NIST LWC security criteria

tHyENA: Making HyENA Even Smaller

This paper proposes a lightweight short-tweak tweakable blockcipher (tBC) based authenticated encryption (AE) scheme tHyENA, a tweakable variant of the high profile NIST LWC competition submission HyENA. tHyENA is structurally similar to HyENA, however, proper usage of short-tweaks for the purpose of domain separation, makes the design much simpler compact. We know that HyENA already achieves a very small hardware footprint, and tHyENA further optimizes it. To realize our claim, we provide NIST API compliant hardware implementation details and benchmark for tHyENA against HyENA and several other well-known sequential feedback-based designs. The implementation results depict that when instantiated with the tBC TweGIFT, tHyENA achieves an extremely low hardware footprint - consuming only around 680 LUTs and 260 slices while maintaining the full rate and the almost birthday bound security. To the best of our knowledge, this figure is significantly better than all the known implementation results of other lightweight ciphers with sequential structures

Light-OCB: Parallel Lightweight Authenticated Cipher with Full Security

This paper proposes a lightweight authenticated encryption (AE) scheme, called Light-OCB, which can be viewed as a lighter variant of the CAESAR winner OCB as well as a faster variant of the high profile NIST LWC competition submission LOCUS-AEAD. Light-OCB is structurally similar to LOCUS-AEAD and uses a nonce-based derived key that provides optimal security, and short-tweak tweakable blockcipher (tBC) for efficient domain separation. Light-OCB improves over LOCUS-AEAD by reducing the number of primitive calls, and thereby significantly optimizing the throughput. To establish our claim, we provide FPGA hardware implementation details and benchmark for Light-OCB against LOCUS-AEAD and several other well-known AEs. The implementation results depict that, when instantiated with the tBC TweGIFT64, Light-OCB achieves an extremely low hardware footprint - consuming only around 1128 LUTs and 307 slices (significantly lower than that for LOCUS-AEAD) while maintaining a throughput of 880 Mbps, which is almost twice that of LOCUS-AEAD. To the best of our knowledge, this figure is significantly better than all the known implementation results of other lightweight ciphers with parallel structures

Elastic-Tweak: A Framework for Short Tweak Tweakable Block Cipher

Tweakable block cipher (TBC), a stronger notion than standard block ciphers, has wide-scale applications in symmetric-key schemes. At a high level, it provides flexibility in design and (possibly) better security bounds. In multi-keyed applications, a TBC with short tweak values can be used to replace multiple keys. However, the existing TBC construction frameworks, including TWEAKEY and XEX, are designed for general purpose tweak sizes. Specifically, they are not optimized for short tweaks, which might render them inefficient for certain resource constrained applications. So a dedicated paradigm to construct short-tweak TBCs (tBC) is highly desirable. In this paper, as a first contribution, we present a dedicated framework, called the Elastic-Tweak framework (ET in short), to convert any reasonably secure SPN block cipher into a secure tBC. We apply the ET framework on GIFT and AES to construct efficient tBCs, named TweGIFT and TweAES. These short-tweak TBCs have already been employed in recent NIST lightweight competition candidates, LOTUS-LOCUS and ESTATE. As our second contribution, we show some concrete applications of ET-based tBCs, which are better than their block cipher counterparts in terms of key size, state size, number of block cipher calls, and short message processing. Some notable applications include, Twe-FCBC (reduces the key size of FCBC and gives better security than CMAC), Twe-LightMAC Plus (better rate than LightMAC Plus), Twe-CLOC, and Twe-SILC (reduces the number of block cipher calls and simplifies the design of CLOC and SILC)