APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography
The domain of lightweight cryptography focuses on cryptographic algorithms for extremely constrained devices. It is very costly to avoid nonce reuse in such environments, because this requires either a hardware source of randomness, or non-volatile memory to store a counter. At the same time, a lot of cryptographic schemes actually require the nonce assumption for their security. In this paper, we propose APE as the first permutation-based authenticated encryption scheme that is resistant against nonce misuse. We formally prove that APE is secure, based on the security of the underlying permutation. To decrypt, APE processes the ciphertext blocks in reverse order, and uses inverse permutation calls. APE therefore requires a permutation that is both efficient for forward and inverse calls. We instantiate APE with the permutations of three recent lightweight hash function designs: Quark, Photon, and Spongent. For any of these permutations, an implementation that supports both encryption and decryption requires less than 1.9 kGE and 2.8 kGE for 80-bit and 128-bit security levels, respectively
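The backward decryption the abstract describes is easiest to see in code. The following is an added, simplified APE-style sponge mode written for this page; it is not the authors' reference code and it does not use Quark, Photon or Spongent. Assumptions: a toy 64-bit ARX permutation `perm`/`perm_inv` with a 32-bit rate and a 32-bit capacity (far too small for real security), a 32-bit key, nonce, associated data and message given as whole 32-bit blocks with no padding or domain separation, and the function names `ape_encrypt`/`ape_decrypt`. The key sits in the capacity, the nonce and AD are absorbed first, each ciphertext block is the rate part of the state after the forward permutation, and the tag is the final capacity XORed with the key. Decryption rebuilds the last state from the last ciphertext block and the tag, walks back with `perm_inv`, and accepts only if the chain lands on the capacity left after absorbing the nonce and AD.

```python
import struct
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
ROUNDS = 8  # rounds of the toy permutation (assumption: demo only, no security claim)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def perm(state: Tuple[int, int]) -> Tuple[int, int]:
    """Toy 64-bit permutation: Speck-like ARX rounds with a round constant (hypothetical)."""
    x, y = state
    for i in range(ROUNDS):
        x = ((_rotr(x, 8) + y) & MASK32) ^ i
        y = _rotl(y, 3) ^ x
    return x, y


def perm_inv(state: Tuple[int, int]) -> Tuple[int, int]:
    """Inverse of perm: undo the rounds in reverse order, recovering y first, then x."""
    x, y = state
    for i in reversed(range(ROUNDS)):
        y = _rotr(y ^ x, 3)
        x = _rotl(((x ^ i) - y) & MASK32, 8)
    return x, y


def _words(data: bytes) -> List[int]:
    if len(data) % 4:
        raise ValueError("toy mode: inputs must be whole 32-bit blocks (no padding implemented)")
    return [struct.unpack(">I", data[i:i + 4])[0] for i in range(0, len(data), 4)]


def _bytes(words: List[int]) -> bytes:
    return b"".join(struct.pack(">I", w) for w in words)


def _absorb(state: Tuple[int, int], words: List[int]) -> Tuple[int, int]:
    x, y = state
    for w in words:
        x, y = perm((x ^ w, y))  # XOR the block into the rate, then permute
    return x, y


def ape_encrypt(key: int, nonce: bytes, ad: bytes, msg: bytes) -> Tuple[bytes, int]:
    state = (0, key & MASK32)                            # key occupies the capacity
    state = _absorb(state, _words(nonce) + _words(ad))   # nonce and AD absorbed as plain blocks
    ct = []
    for m in _words(msg):
        state = perm((state[0] ^ m, state[1]))
        ct.append(state[0])                              # rate of the new state is the ciphertext block
    return _bytes(ct), state[1] ^ (key & MASK32)         # tag = final capacity XOR key


def ape_decrypt(key: int, nonce: bytes, ad: bytes, ct: bytes, tag: int) -> Optional[bytes]:
    key &= MASK32
    state0 = _absorb((0, key), _words(nonce) + _words(ad))
    c = _words(ct)
    if not c:
        return b"" if (state0[1] ^ key) == tag else None
    x, y = c[-1], tag ^ key                              # final state from C_last and the tag
    msg = []
    for i in range(len(c) - 1, -1, -1):                  # process ciphertext blocks in reverse
        px, py = perm_inv((x, y))                        # = (rate(S_{i-1}) XOR M_i, cap(S_{i-1}))
        prev_rate = c[i - 1] if i > 0 else state0[0]
        msg.append(px ^ prev_rate)
        x, y = prev_rate, py
    if y != state0[1]:                                   # chain must land on the post-AD capacity
        return None
    msg.reverse()
    return _bytes(msg)
```

Two practical consequences are visible here: verification happens only after the whole message has been walked backwards, so a receiver must buffer the plaintext until the check passes; and because encryption is online, two messages encrypted under the same nonce share a ciphertext prefix exactly as long as their common plaintext prefix, which is the leakage any online nonce-misuse-resistant scheme accepts.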
09031 Abstracts Collection -- Symmetric Cryptography
From 11.01.09 to 16.01.09, the Seminar 09031 in "Symmetric Cryptography" was held in Schloss Dagstuhl, Leibniz Center for Informatics. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available.
The Moral Character of Cryptographic Work
Cryptography rearranges power: it configures who can do what, from what. This makes cryptography an inherently \textit{political} tool, and it confers on the field an intrinsically \textit{moral} dimension. The Snowden revelations motivate a reassessment of the political and moral positioning of cryptography. They lead one to ask if our inability to effectively address mass surveillance constitutes a failure of our field. I believe that it does. I call for a community-wide effort to develop more effective means to resist mass surveillance. I plead for a reinvention of our disciplinary culture to attend not only to puzzles and math, but, also, to the societal implications of our work
The universality of iterated hashing over variable-length strings
Iterated hash functions process strings recursively, one character at a time. At each iteration, they compute a new hash value from the preceding hash value and the next character. We prove that iterated hashing can be pairwise independent, but never 3-wise independent. We show that it can be almost universal over strings much longer than the number of hash values; we bound the maximal string length given the collision probability
Code-Based Game-Playing Proofs and the Security of Triple Encryption
The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage is small until it asks about queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security of the basic CBC~MAC, and the chosen-plaintext-attack security of OAEP
On Committing Authenticated Encryption
We provide a strong definition for committing authenticated-encryption (cAE), as well as a framework that encompasses earlier and weaker definitions. The framework attends not only to what is committed but also the extent to which the adversary knows or controls keys. We slot into our framework strengthened cAE-attacks on GCM and OCB. Our main result is a simple and efficient construction, CTX, that makes a nonce-based AE (nAE) scheme committing. The transformed scheme achieves the strongest security notion in our framework. Just the same, the added computational cost (on top of the nAE scheme's cost) is a single hash over a short string, a cost independent of the plaintext's length. And there is no increase in ciphertext length compared to the base nAE scheme. That such a thing is possible, let alone easy, upends the (incorrect) intuition that you can't commit to a plaintext or ciphertext without hashing one or the other. And it motivates a simple and practical tweak to AE-schemes to make them committing
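The CTX idea is that the receiver already has to compute the base scheme's tag T, so one can replace T by a hash of the key, nonce, associated data and T, truncated to the original tag length. The block below is an added illustration written for this page, not the paper's code. Assumptions: a toy nonce-based AE built from HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag (`nae_encrypt`, `nae_tag`, `nae_decrypt`, all hypothetical names), a 16-byte tag, SHA-256 as the committing hash, and length-prefixed encoding of the hash input. What the transform needs from the base scheme is a way to recompute T from (K, N, A, C), which the toy scheme exposes as `nae_tag`.

```python
import hashlib
import hmac
from typing import Optional, Tuple

TAG_LEN = 16  # bytes; the base nAE scheme's tag length, which CTX preserves


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter mode over a PRF (HMAC-SHA256) as the toy cipher core."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _encode(nonce: bytes, ad: bytes, tail: bytes) -> bytes:
    """Unambiguous length-prefixed encoding so (N, A, tail) cannot be re-split."""
    return len(nonce).to_bytes(2, "big") + nonce + len(ad).to_bytes(8, "big") + ad + tail


def nae_tag(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """Base scheme's tag T, a MAC over (N, A, C); decryption recomputes it from the ciphertext."""
    return hmac.new(_subkey(key, b"mac"), _encode(nonce, ad, ct), hashlib.sha256).digest()[:TAG_LEN]


def nae_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(_subkey(key, b"enc"), nonce, len(msg))))
    return ct, nae_tag(key, nonce, ad, ct)


def nae_decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    if not hmac.compare_digest(nae_tag(key, nonce, ad, ct), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


# CTX transform: ship T* = H(K, N, A, T), truncated to the tag length, instead of T.

def ctx_tag(key: bytes, nonce: bytes, ad: bytes, tag: bytes) -> bytes:
    data = len(key).to_bytes(2, "big") + key + _encode(nonce, ad, tag)
    return hashlib.sha256(data).digest()[:TAG_LEN]


def ctx_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    ct, tag = nae_encrypt(key, nonce, ad, msg)
    # The extra work is one hash over key, nonce, AD and a 16-byte tag: independent of len(msg).
    return ct, ctx_tag(key, nonce, ad, tag)


def ctx_decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tstar: bytes) -> Optional[bytes]:
    tag = nae_tag(key, nonce, ad, ct)           # recompute the base tag first
    if not hmac.compare_digest(ctx_tag(key, nonce, ad, tag), tstar):
        return None                             # wrong key, nonce, AD, ciphertext or T*
    return nae_decrypt(key, nonce, ad, ct, tag)
```

Because T* is a hash of (K, N, A, T), a ciphertext that verifies under two different keys, nonces or AD strings would require a collision in the hash on distinct inputs, which is the commitment the base tag alone does not give; the ciphertext length is unchanged since T* is truncated to the length of T.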
On generalized Feistel networks
We prove beyond-birthday-bound security for the well-known types of generalized Feistel networks, including: (1) unbalanced Feistel networks, where the -bit to -bit round functions may have ; (2) alternating Feistel networks, where the round functions alternate between contracting and expanding; (3) type-1, type-2, and type-3 Feistel networks, where -bit to -bit round functions are used to encipher -bit strings for some ; and (4) numeric variants of any of the above, where one enciphers numbers in some given range rather than strings of some given size. Using a unified analytic framework we show that, in any of these settings, for any , with enough rounds, the subject scheme can tolerate CCA attacks of up to adversarial queries, where is the size of the round functions' domain (the size of the larger domain for alternating Feistel). This is asymptotically optimal. Prior analyses for generalized Feistel networks established security to only adversarial queries
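To make the families concrete, here is an added example (written for this page, not from the paper) of two of them with their inverses: an alternating Feistel network in its numeric variant, enciphering pairs in Z_a x Z_b with modular addition, and a type-2 Feistel network on an even number of w-bit blocks. Assumptions: round functions are HMAC-SHA256 keyed by a per-round index and reduced modulo the target domain (a PRF standing in for the paper's random round functions), 8 rounds by default, and the hypothetical function names `alt_encrypt`, `alt_decrypt`, `type2_encrypt`, `type2_decrypt`. The round count is a demo choice and carries no security claim; the paper's bounds apply only with enough rounds.

```python
import hashlib
import hmac
from typing import List, Tuple


def round_fn(key: bytes, rnd: int, x: int, out_mod: int) -> int:
    """Round function F_rnd: HMAC-SHA256 of the input reduced to Z_out_mod.
    Assumption: out_mod is far below 2^256, so the modular bias is negligible."""
    data = rnd.to_bytes(2, "big") + x.to_bytes(16, "big")
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big") % out_mod


# (2)+(4): alternating Feistel on numbers in Z_a x Z_b. Round functions alternate
# between Z_b -> Z_a and Z_a -> Z_b; with a == b this is the balanced network.

def alt_encrypt(key: bytes, a: int, b: int, x: int, y: int, rounds: int = 8) -> Tuple[int, int]:
    for r in range(rounds):
        if r % 2 == 0:
            x = (x + round_fn(key, r, y, a)) % a   # F_r: Z_b -> Z_a
        else:
            y = (y + round_fn(key, r, x, b)) % b   # F_r: Z_a -> Z_b
    return x, y


def alt_decrypt(key: bytes, a: int, b: int, x: int, y: int, rounds: int = 8) -> Tuple[int, int]:
    for r in reversed(range(rounds)):              # same functions, reverse order, subtract
        if r % 2 == 0:
            x = (x - round_fn(key, r, y, a)) % a
        else:
            y = (y - round_fn(key, r, x, b)) % b
    return x, y


# (3): type-2 Feistel on k (even) w-bit blocks. Each round applies a w-bit to w-bit
# round function to every even-indexed block, XORs it into the right neighbour, then rotates.

def type2_encrypt(key: bytes, blocks: List[int], w: int, rounds: int = 8) -> List[int]:
    s = list(blocks)
    k, mod = len(s), 1 << w
    if k % 2:
        raise ValueError("type-2 Feistel needs an even number of blocks")
    for r in range(rounds):
        for j in range(0, k, 2):
            s[j + 1] ^= round_fn(key, r * k + j, s[j], mod)
        s = s[1:] + s[:1]                          # rotate left by one block
    return s


def type2_decrypt(key: bytes, blocks: List[int], w: int, rounds: int = 8) -> List[int]:
    s = list(blocks)
    k, mod = len(s), 1 << w
    for r in reversed(range(rounds)):
        s = s[-1:] + s[:-1]                        # undo the rotation
        for j in range(0, k, 2):                   # XOR is its own inverse
            s[j + 1] ^= round_fn(key, r * k + j, s[j], mod)
    return s
```

The numeric variant is what format-preserving encryption builds on: `alt_encrypt(key, 10, 10, x, y)` permutes two-digit decimal numbers without leaving the domain, and the test below checks that the map on all 100 inputs is a bijection.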
Anonymous AE
The customary formulation of authenticated encryption (AE) requires the decrypting party to supply the correct nonce with each ciphertext it decrypts. To enable this, the nonce is often sent in the clear alongside the ciphertext. But doing this can forfeit anonymity and degrade usability. Anonymity can also be lost by transmitting associated data (AD) or a session-ID (used to identify the operative key). To address these issues, we introduce anonymous AE, wherein ciphertexts must conceal their origin even when they are understood to encompass everything needed to decrypt (apart from the receiver's secret state). We formalize a type of anonymous AE we call anAE, anonymous nonce-based AE, which generalizes and strengthens conventional nonce-based AE, nAE. We provide an efficient construction for anAE, NonceWrap, from an nAE scheme and a blockcipher. We prove NonceWrap secure. While anAE does not address privacy loss through traffic-flow analysis, it does ensure that ciphertexts, now more expansively construed, do not by themselves compromise privacy
Simplifying Game-Based Definitions: Indistinguishability up to Correctness and Its Application to Stateful AE
Often the simplest way of specifying game-based cryptographic definitions is apparently barred because the adversary would have some trivial win. Disallowing or invalidating these wins can lead to complex or unconvincing definitions. We suggest a generic way around this difficulty. We call it indistinguishability up to correctness, or IND|C. Given games G and H and a correctness condition C we define an advantage measure Adv_{G,H,C}^indc wherein G/H distinguishing attacks are effaced to the extent that they are inevitable due to C. We formalize this in the language of oracle silencing, an alternative to exclusion-style and penalty-style definitions. We apply our ideas to a domain where game-based definitions have been cumbersome: stateful authenticated-encryption (sAE). We rework existing sAE notions and encompass new ones, like replay-free AE permitting a specified degree of out-of-order message delivery
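The last notion, replay-free AE that tolerates a specified degree of out-of-order delivery, corresponds to a familiar piece of receiver state: a sliding anti-replay window over sequence numbers, as used by IPsec and DTLS. The block below is an added example written for this page (not the paper's formalism), implementing that receiver state with a bitmap. Assumptions: sequence numbers are non-negative integers, the allowed reordering degree is the window `size`, and the hypothetical `receive` helper is given the result of the AE tag check so that a forged message can never advance the window. Anything older than the window is rejected even if never seen, since the receiver can no longer tell a late first delivery from a replay.

```python
from typing import Tuple


class ReplayWindow:
    """Receiver state for replay-free, bounded out-of-order delivery.

    `highest` is the largest sequence number accepted so far and bit i of
    `bitmap` records whether sequence number (highest - i) was accepted.
    """

    def __init__(self, size: int) -> None:
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.highest = -1       # nothing accepted yet
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh and within the window."""
        if seq < 0:
            return False
        if seq > self.highest:
            # Advance the window; bits for the skipped positions become zero (not yet seen).
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False        # older than the window: cannot distinguish from a replay
        if (self.bitmap >> offset) & 1:
            return False        # already accepted: replay
        self.bitmap |= 1 << offset
        return True

    def state(self) -> Tuple[int, int]:
        return self.highest, self.bitmap


def receive(window: ReplayWindow, seq: int, tag_valid: bool) -> bool:
    """Order matters: verify the AE tag first, then touch the window.

    Updating the window before verification would let a forger with a large
    forged sequence number push genuine in-flight messages out of the window.
    """
    if not tag_valid:
        return False
    return window.check_and_update(seq)
```

The window size is exactly the "specified degree" of the abstract: with `size = 4`, message 7 may still arrive after message 10, but message 6 may not, and no sequence number is ever accepted twice.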
- …