
    Key Encapsulation from Noisy Key Agreement in the Quantum Random Oracle Model

    A multitude of post-quantum key encapsulation mechanisms (KEMs) and public key encryption (PKE) schemes implicitly rely on a protocol by which Alice and Bob exchange public messages and converge on secret values that are identical up to some small noise. By our count, 24 out of 49 KEM or PKE submissions to the NIST Post-Quantum Cryptography Standardization project follow this strategy. Yet the notion of a noisy key agreement (NKA) protocol lacks a formal definition as a primitive in its own right. We provide such a formalization by defining the syntax and security for an NKA protocol. This formalization brings out four generic problems, called A and B State Recovery, Noisy Key Search (NKS) and Noisy Key Distinguishing (NKD), whose solutions must be hard in the quantum computing model. Informally speaking, these can be viewed as noisy, quantum-resistant counterparts of the problems arising from the classical Diffie-Hellman type protocols. We show that many existing proposals contain an NKA component that fits our formalization and we reveal the induced concrete hardness assumptions. The question arises whether considering NKA as an independent primitive can help provide modular designs with improved efficiency and/or proofs. As the second contribution of this paper, we answer this question positively by presenting a generic transform from a secure NKA protocol to an IND-CCA secure KEM in the quantum random oracle model, with a security bound tightly related to the NKD problem. This transformation is essentially the same as that of the NIST candidate Ramstake. While establishing the security of Ramstake was our initial objective, the collection of tools that came about as a result of this journey is of independent interest.
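
    An added illustration, not from the paper (which describes no concrete protocol in this abstract): a toy LWE-style noisy key agreement in Python. Alice publishes p_A = A s_A + e_A and Bob publishes p_B = A^T s_B + e_B, each multiplies the other's message by its own short secret, and the two results differ only by the small term <e_B, s_A> - <e_A, s_B>. The dimension N, modulus Q and coefficient bound ETA are assumptions chosen so the noise is visible, far too small for security. Mapping the page's four problems onto this toy (recovering (s_A, e_A) from p_A is A State Recovery, recovering the shared value from (p_A, p_B) is Noisy Key Search, telling it from random is Noisy Key Distinguishing) is done here for orientation and is not taken from the paper.

```python
# Added example (not from the paper): toy LWE-style noisy key agreement.
# Parameters are assumptions for illustration only; they are far too small
# for security.
import random

N = 256        # lattice dimension
Q = 1 << 16    # modulus
ETA = 2        # secrets and errors have coefficients in [-ETA, ETA]


def small_vector(rng, n=N):
    """Short vector with coefficients uniform in [-ETA, ETA]."""
    return [rng.randint(-ETA, ETA) for _ in range(n)]


def public_matrix(rng, n=N):
    """Public matrix A over Z_Q, expanded from a seed both parties share."""
    return [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]


def mat_vec(A, v):
    """A . v mod Q."""
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]


def mat_t_vec(A, v):
    """A^T . v mod Q, without materialising the transpose."""
    n = len(A)
    return [sum(A[i][j] * v[i] for i in range(n)) % Q for j in range(n)]


def dot(u, v):
    """<u, v> mod Q."""
    return sum(x * y for x, y in zip(u, v)) % Q


def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def key_bit(k):
    """Round k to the nearest multiple of Q/2 and take its parity. Both
    sides get the same bit unless k lies within the noise of a decision
    boundary; real schemes add reconciliation or error correction for that."""
    return ((2 * k + Q // 2) // Q) % 2


def noisy_key_agreement(seed):
    """Run the protocol; return (k_A, k_B, exact noise term k_A - k_B)."""
    rng = random.Random(seed)
    A = public_matrix(rng)   # public; in practice derived from a public seed

    # Alice's state (s_A, e_A); her public message p_A = A s_A + e_A.
    s_a, e_a = small_vector(rng), small_vector(rng)
    p_a = [(x + e) % Q for x, e in zip(mat_vec(A, s_a), e_a)]

    # Bob's state (s_B, e_B); his public message p_B = A^T s_B + e_B.
    s_b, e_b = small_vector(rng), small_vector(rng)
    p_b = [(x + e) % Q for x, e in zip(mat_t_vec(A, s_b), e_b)]

    # Each side multiplies the other's message by its own secret.
    k_a = dot(p_b, s_a)   # = s_B^T A s_A + <e_B, s_A>
    k_b = dot(p_a, s_b)   # = s_B^T A s_A + <e_A, s_B>

    # The shared part cancels; what remains is small because s and e are.
    noise = centered(dot(e_b, s_a) - dot(e_a, s_b))
    return k_a, k_b, noise
```

    The noise term is bounded by 2*N*ETA*ETA = 2048 in absolute value, against a modulus of 65536, which is why rounding k to a bit agrees on both sides except near a rounding boundary; this residual disagreement is exactly what the error-correction step of a transform like the one the paper describes for Ramstake has to remove before hashing to a key.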

    Power Yoga: Variable-Stretch Security of CCM for Energy-Efficient Lightweight IoT

    The currently ongoing NIST LWC project aims at identifying new standardization targets for lightweight authenticated encryption with associated data (AEAD) and (optionally) lightweight cryptographic hashing. NIST has deemed it important for performance and cost to be optimized on relevant platforms, especially for short messages. Reyhanitabar, Vaudenay and Vizár (Asiacrypt 2016) gave a formal treatment for security of nonce-based AEAD with variable stretch, i.e., when the length of the authentication tag is changed between encryptions without changing the key. They argued that AEAD supporting variable stretch is of practical interest for constrained applications, especially battery-operated low-power devices, due to the ability to flexibly trade communication overhead against level of integrity. In this work, we investigate this hypothesis with affirmative results. We present vCCM, a variable-stretch variant of the standard CCM, and prove it is secure when used with variable stretch. We then experimentally measure the energy consumption of a real-world wireless sensor node when encrypting and sending messages with vCCM and CCM, respectively. Our projections show that the flexible trade of integrity level against ciphertext expansion can lead to up to 21% overall energy consumption reduction in certain scenarios. As vCCM is obtained from the widely-used CCM by a black-box transformation, allowing any existing CCM implementation to be reused as-is, our results can be immediately put to use in practice. vCCM is all the more relevant because neither the NIST LWC project nor any of the candidates gives consideration to the support of variable stretch and the related integrity-overhead trade-off.

    Misuse-Resistant Variants of the OMD Authenticated Encryption Mode

    We present two variants of OMD which are robust against nonce misuse. The security of OMD, a CAESAR candidate, relies on the assumption that implementations always ensure correct use of the nonce (a.k.a. message number); namely, that the nonce never gets repeated. However, in some application environments this non-repetition requirement on the nonce might be compromised or ignored, leading to a full collapse of the security guarantee. We aim to reach the maximal possible level of robustness against repeated nonces, as defined by Rogaway and Shrimpton (FSE 2006) under the name misuse-resistant AE (MRAE). Our first scheme, called misuse-resistant OMD (MR-OMD), is designed to be substantially similar to OMD while achieving stronger security goals, and is hence able to reuse any existing common code/hardware. Our second scheme, called parallelizable misuse-resistant OMD (PMR-OMD), deviates further from the original OMD design in its encryption process, providing a parallelizable algorithm, in contrast with OMD and MR-OMD which have serial encryption/decryption processes. Both MR-OMD and PMR-OMD are single-key modes of operation. It is known that maximally robust MRAE schemes are necessarily two-pass, a price paid compared to a one-pass scheme such as OMD. Nevertheless, in MR-OMD and PMR-OMD we combine the two passes in a way that minimizes the incurred additional cost: the overhead incurred by the second pass in our two-pass variants is about 50% of the encryption time for OMD.
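
    An added example, not from the paper and not OMD itself: a toy in Python (standard library only) showing what nonce repetition costs a one-pass nonce-based AE and how the two-pass SIV-style construction in the sense of Rogaway and Shrimpton's MRAE avoids it. HMAC-SHA-256 is the assumed PRF, the keystream is counter mode over that PRF, and the 16-byte tag/IV length is arbitrary; all of this is a stand-in for illustration, not a scheme to deploy.

```python
# Added example (not from the paper, not OMD): nonce misuse in a one-pass
# nonce-based AE versus a two-pass SIV-style MRAE scheme. HMAC-SHA-256 is
# the assumed PRF; the construction is a toy for illustration, not for use.
import hashlib
import hmac

TAG_LEN = 16


def _prf(key, *parts):
    """PRF over a length-prefixed encoding of the parts (unambiguous)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def _keystream(key, iv, n):
    """Counter mode over the PRF: the stream depends only on (key, iv)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += _prf(key, b"stream", iv, ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(out[:n])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_ae_encrypt(key, nonce, ad, msg):
    """One-pass nonce-based AE: keystream from the nonce, tag over the
    ciphertext. Secure only while the nonce never repeats under a key."""
    ct = _xor(msg, _keystream(key, nonce, len(msg)))
    tag = _prf(key, b"tag", nonce, ad, ct)[:TAG_LEN]
    return ct + tag


def siv_encrypt(key, nonce, ad, msg):
    """Two-pass SIV-style MRAE: pass 1 derives the IV from everything
    (nonce, AD, message); pass 2 encrypts under that IV. The IV doubles
    as the tag."""
    iv = _prf(key, b"siv", nonce, ad, msg)[:TAG_LEN]
    ct = _xor(msg, _keystream(key, iv, len(msg)))
    return iv + ct


def siv_decrypt(key, nonce, ad, blob):
    """Decrypt, then recompute the IV and reject on mismatch."""
    if len(blob) < TAG_LEN:
        return None
    iv, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    msg = _xor(ct, _keystream(key, iv, len(ct)))
    if not hmac.compare_digest(iv, _prf(key, b"siv", nonce, ad, msg)[:TAG_LEN]):
        return None
    return msg


def nonce_reuse_leak(key, nonce, m1, m2):
    """True if encrypting m1 and m2 under one nonce reveals m1 XOR m2."""
    c1 = nonce_ae_encrypt(key, nonce, b"", m1)[:len(m1)]
    c2 = nonce_ae_encrypt(key, nonce, b"", m2)[:len(m2)]
    return _xor(c1, c2) == _xor(m1, m2)   # keystreams are identical


def siv_reuse_leak(key, nonce, m1, m2):
    """Same test against the SIV-style scheme: distinct messages get
    distinct IVs, hence distinct keystreams, so the XOR does not leak."""
    c1 = siv_encrypt(key, nonce, b"", m1)[TAG_LEN:]
    c2 = siv_encrypt(key, nonce, b"", m2)[TAG_LEN:]
    return _xor(c1, c2) == _xor(m1, m2)
```

    The price of the robustness is visible in siv_encrypt: the message is read twice, once by the PRF and once by the encryption pass, which is the two-pass cost the abstract refers to. What survives nonce misuse in the SIV-style scheme is only that an identical (nonce, AD, message) triple yields an identical ciphertext, the leak MRAE permits.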

    Contributions to the theory and application of cryptographic hash functions

    Cryptographic hash functions have been used to a great extent in many applications; most importantly, as building blocks for digital signature schemes and message authentication codes (MACs), as well as in commitment schemes, password protection, key derivation, and almost every practical cryptographic protocol. Unlike many other cryptographic primitives which are usually intended to fulfill specific security notions, hash functions, as workhorses of cryptography, are often expected to satisfy a wide and application-dependent spectrum of security notions, ranging from merely being a one-way function to acting as a truly random function or random oracle (ideal hash). In this Thesis, we revisit the theory and application of cryptographic hash functions. We provide new contributions to this field, which has been explored for over three decades, yet remains a highly active and interesting area of research. We pursue, in particular, a line of research considering essential theoretical questions in regard to the security features of hash functions, including formal definitions of security notions, the relationships among different security notions, and the possibility of designing property-preserving domain extension transforms for hash functions. First, we study notions of security for cryptographic hash functions. Our main goal in this part is to consider the two essential theoretical questions in regard to security notions for hash functions; namely, formal definitions of security notions and the relationships among different security notions. Our contribution in this part includes: a clear categorization of security notions, the introduction of a new set of enhanced security notions and, most importantly, a full picture of the relationships among the security notions. We then investigate the property preservation capabilities of domain extension transforms for hash functions.
    Almost all cryptographic hash functions are designed based on the following two-step approach: first, a compression function is designed which is only capable of hashing fixed-length messages; then, a domain extension transform is applied to obtain a full-fledged hash function. The possibility of designing a property-preserving domain extension transform, which is also known as a property-preserving mode of operation, is an important problem to be considered with regard to the construction of secure hash functions. We make the following two contributions. Firstly, we analyse the most powerful multi-property-preserving (MPP) domain extension transforms for hash functions in the literature, and provide a full picture of their MPP capabilities with regard to a large collection of known security notions. Secondly, we investigate the capabilities of several different domain extension transforms in regard to preserving an interesting recently proposed security notion, called enhanced target collision resistance (eTCR). Finally, as an interesting application of hash functions, we consider manual channel message authentication protocols using hash functions. In the manual channel model for message authentication, also known as the two-channel or SAS-based model, the sender and the receiver are assumed to have access to a low-bandwidth auxiliary channel, ensuring authentication, in addition to a typical insecure channel; however, they neither share any secret information nor have access to a trusted public key infrastructure (PKI). We investigate the problem of random oracle instantiation for a three-round interactive message authentication protocol (IMAP). We also provide an efficient non-interactive message authentication protocol (NIMAP) in the manual channel model that is based on an eTCR hash function.

    On capabilities of hash domain extenders to preserve enhanced security properties

    In this paper, we study property preservation capabilities of several domain extension transforms for hash functions with respect to multiple enhanced security notions. The transforms investigated include MD with strengthening padding (sMD), HAIFA, Enveloped Shoup (ESh) and Nested Linear Hash (nLH). While the first two transforms and their straightforward variants are among the most popular ones in practical hash designs, including several SHA-3 candidates, the last two transforms (i.e. ESh and nLH) are mainly of theoretical interest in the analysis of multi-property-preservation (MPP) capabilities of hash domain extenders. The security notions considered are the enhanced (or strengthened) variants of the traditional properties (collision resistance, second-preimage resistance, and preimage resistance) for the setting of dedicated-key hash functions. The results show that most of these enhanced security notions are not preserved by the investigated domain extenders. This might seem a bit disappointing from the provable-security viewpoint that advocates the MPP paradigm (i.e. the more properties a transform preserves simultaneously, the more desirable it is from a theoretical viewpoint); however, it is worth stressing that the mere fact that a domain extender fails to preserve a property P does not imply that a hash function built upon it is insecure. Rather, it just implies that security of the hash function in the sense of the property P cannot be deduced based on the assumption that the underlying compression function possesses P. © 2012 Springer-Verlag

    Security of Full-State Keyed Sponge and Duplex: Applications to Authenticated Encryption

    © International Association for Cryptologic Research 2015. We provide a security analysis for full-state keyed Sponge and full-state Duplex constructions. Our results can be used for making a large class of Sponge-based authenticated encryption schemes more efficient by concurrent absorption of associated data and message blocks. In particular, we introduce and analyze a new variant of Sponge Wrap with almost free authentication of associated data. The idea of using full-state message absorption for higher efficiency was first made explicit in the Donkey Sponge MAC construction, but without any formal security proof. Recently, Gaži, Pietrzak and Tessaro (CRYPTO 2015) have provided a proof for the fixed-output-length variant of Donkey Sponge. Yasuda and Sasaki (CT-RSA 2015) have considered partially full-state Sponge-based authenticated encryption schemes for efficient incorporation of associated data. In this work, we unify, simplify, and generalize these results about the security and applicability of full-state keyed Sponge and Duplex constructions; in particular, for designing more efficient authenticated encryption schemes. Compared to the proof of Gaži et al., our analysis directly targets the original Donkey Sponge construction as an arbitrary-output-length function. Our treatment is also more general than that of Yasuda and Sasaki, while yielding a more efficient authenticated encryption mode for the case that associated data might be longer than messages.
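
    An added example, not the authors' construction: a toy full-state duplex AE in Python that shows the data flow the abstract describes, where each permutation call absorbs a message block into the outer (rate) part and an associated-data block into the inner (capacity) part at the same time. The permutation is a 4-round SHA-256 Feistel network standing in for Keccak-f, and the widths B, R and C, the padding and the domain separation are assumptions chosen for illustration; none of it is a secure or standardised scheme. The permutation_calls helper, also added here, compares the number of permutation calls against an assumed conventional duplex that pushes AD through the rate before the message.

```python
# Added example (not the authors' construction): toy full-state duplex AE.
# The permutation, widths, padding and domain separation are assumptions
# chosen for illustration; this is not a secure or standardised scheme.
import hashlib
import hmac

B = 64        # permutation width in bytes
R = 32        # rate: outer part, used for keystream and message absorption
C = B - R     # capacity: inner part; in full-state mode AD is absorbed here
TAG_LEN = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def permute(state):
    """Toy 512-bit permutation: 4-round Feistel with SHA-256 as the round
    function. Invertible, so a genuine permutation; stands in for Keccak-f."""
    left, right = state[:B // 2], state[B // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, hashlib.sha256(bytes([rnd]) + right).digest())
    return left + right


def _pad_block(chunk, i, n, size):
    """Block i of an input that spans n blocks: full blocks pass through,
    the last block (index n-1) gets 10* padding, blocks past the input
    are all-zero so they do not disturb the state."""
    if i < n - 1:
        return chunk
    if i == n - 1:
        return chunk + b"\x80" + bytes(size - len(chunk) - 1)
    return bytes(size)


def _duplex(key, nonce, ad, data, decrypt):
    """Core shared by both directions. Per step: the outer R bytes are the
    keystream for the message block, the (padded) plaintext block is
    absorbed into the outer part and the next AD block into the inner part
    in the same call, then the state is permuted."""
    assert len(key) == 32 and len(nonce) == 16
    state = permute(key + nonce + len(ad).to_bytes(8, "big")
                    + len(data).to_bytes(8, "big"))
    n_msg, n_ad = len(data) // R + 1, len(ad) // C + 1
    out = bytearray()
    for i in range(max(n_msg, n_ad)):
        chunk = data[i * R:(i + 1) * R]
        keyed = _xor(chunk, state)          # chunk XOR outer keystream
        out += keyed
        plain = keyed if decrypt else chunk
        outer = _xor(state[:R], _pad_block(plain, i, n_msg, R))
        inner = _xor(state[R:], _pad_block(ad[i * C:(i + 1) * C], i, n_ad, C))
        state = permute(outer + inner)
    # Domain separation, then squeeze the tag from the outer part.
    state = permute(_xor(state, bytes(B - 1) + b"\x01"))
    return bytes(out), state[:TAG_LEN]


def fs_encrypt(key, nonce, ad, msg):
    ct, tag = _duplex(key, nonce, ad, msg, decrypt=False)
    return ct + tag


def fs_decrypt(key, nonce, ad, blob):
    if len(blob) < TAG_LEN:
        return None
    msg, tag = _duplex(key, nonce, ad, blob[:-TAG_LEN], decrypt=True)
    return msg if hmac.compare_digest(tag, blob[-TAG_LEN:]) else None


def permutation_calls(ad_len, msg_len, full_state=True):
    """Permutation calls for the scheme above (full_state=True) versus an
    assumed conventional duplex that absorbs AD through the rate, one
    R-byte block per call, before the message (full_state=False). Both
    counts include the initial call and the final tag call."""
    n_msg = msg_len // R + 1
    if full_state:
        return 2 + max(n_msg, ad_len // C + 1)
    return 2 + (ad_len // R + 1) + n_msg
```

    With 1000 bytes of AD and 1000 bytes of message the full-state variant makes 34 permutation calls against 66 for rate-only absorption, which is the "almost free" authentication of associated data in the abstract: AD costs extra calls only once it outlasts the message, the case the authors single out.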

    Authenticated Encryption: Toward Next-Generation Algorithms


    Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles

    We revisit the problem of building dual-model secure (DMS) hash functions that are simultaneously provably collision resistant (CR) in the standard model and provably pseudorandom oracle (PRO) in an idealized model. Designing a DMS hash function was first investigated by Ristenpart and Shrimpton (ASIACRYPT 2007); they put forth a generic approach, called Mix-Compress-Mix (MCM), and showed the feasibility of the MCM approach with a secure (but inefficient) construction. An improved construction was later presented by Lehmann and Tessaro (ASIACRYPT 2009). The construction proposed by Ristenpart and Shrimpton requires a non-invertible (pseudo-)random injection oracle (PRIO) and the Lehmann-Tessaro construction requires a non-invertible random permutation oracle (NIRP). Despite showing the feasibility of realizing PRIO and NIRP objects in theory, using ideal ciphers and (trapdoor) one-way permutations, these constructions suffer from several efficiency and implementation issues as pointed out by their designers and briefly reviewed in this paper. In contrast to the previous constructions, we show that constructing a DMS hash function does not require any PRIO or NIRP, and hence there is no need for additional (trapdoor) one-way permutations. In fact, Ristenpart and Shrimpton posed the question of whether MCM is secure under easy-to-invert mixing steps as an open problem in their paper. We resolve this question in the affirmative in the fixed-input-length (FIL) hash setting. More precisely, we show that one can sandwich a provably CR function, which is sufficiently compressing, between two rando