Provably Secure Authenticated Encryption

Authenticated Encryption (AE) is a symmetric key cryptographic primitive that ensures confidentiality and authenticity of processed messages at the same time. The research of AE as a primitive in its own right started in 2000. The security goals of AE were captured in formal definitions in the tradition in the tradition of provable security (such as NAE, MRAE, OAE, RAE or the RUP), where the security of a scheme is formally proven assuming the security of an underlying building block. The prevailing syntax moved to nonce-based AE with associated data (which is an additional input that gets authenticated, but not encrypted). Other types of AE schemes appeared as well, e.g. ones that supported stateful sessions. Numerous AE schemes were designed; in the early years, these were almost exclusively blockcipher modes of operation, most notably OCB in 2001, CCM in 2003 and GCM in 2004. At the same time, issues were discovered both with the security and applicability of the most popular AE schemes, and other applications of symmetric key cryptography. As a response, the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) was started in 2013. Its goals were to identify a portfolio of new, secure and reliable AE schemes that would satisfy the needs of practical applications, and also to boost the research in the area of AE. Prompted by CAESAR, 57 new schemes were designed, new types of constructions that gained popularity appeared (such as the Sponge-based AE schemes), and new notions of security were proposed (such as RAE). The final portfolio of the CAESAR competition should be announced in 2018. In this thesis, we push the state of the art in the field of AE in several directions. All of them are related to provable security, in one way, or another. We propose OMD, the first provably secure dedicated AE scheme that is based on a compression function. We further modify OMD to achieve nonce misuse-resistant security (MRAE). We also propose another provably secure variant of OMD called pure OMD, which enjoys a great improvement of performance over OMD. Inspired by the modifications that gave rise to pure OMD, we turn to the popular Sponge-based AE schemes and prove that similar measures can also be applied to the keyed Sponge and keyed Duplex (a variant of the Sponge), allowing a substantial increase of performance without an impact on security. We then address definitional aspects of AE. We critically evaluate the security notion of OAE, whose authors claimed that it provides the best possible security for online schemes under nonce reuse. We challenge these claims, and discuss what are the meaningful requirements for online AE schemes. Based on our findings, we formulate a new definition of online AE security under nonce-reuse, and demonstrate its feasibility. We next turn our attention to the security of nonce-based AE schemes under stretch misuse; i.e. when a scheme is used with varying ciphertext expansion under the same key, even though it should not be. We argue that varying the stretch is plausible, and formulate several notions that capture security in presence of variable stretch. We establish their relations to previous notions, and demonstrate the feasibility of security in this setting. We finally depart from provable security, with the intention to complement it. We compose a survey of universal forgeries, decryption attacks and key recovery attacks on 3rd round CAESAR candidates

Ciphertext Forgery on HANUMAN

HANUMAN is a mode of operation of a keyless cryptographic permutation for nonce-based authenticated encryption with associated data, included among the modes bundled in the PRIMATEs candidate in the currently ongoing CAESAR competition. HANUMAN is a sponge-like mode whose design and security argument are inspired by the SpongeWrap construction. We identify a flaw in the domain separation of HANUMAN, and show how to exploit it to efficiently produce ciphertext forgeries

Under Pressure: Security of Caesar Candidates beyond their Guarantees

The Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR) has as its official goal to ``identify a portfolio of authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption.\u27\u27 Each of the 15 candidate schemes competing in the currently ongoing 3rd round of CAESAR must clearly declare its security claims, i.a. whether or not it can tolerate nonce misuse, and what is the maximal data complexity for which security is guaranteed. These claims appear to be valid for all 15 candidates. Interpreting Robustness in CAESAR as the ability to mitigate damage even if security guarantees are void, we describe attacks with birthday complexity or beyond, and/or with nonce reuse for each of the 15 candidates. We then sort the candidates into classes depending on how powerful does an attacker need to be to mount (semi-)universal forgeries, decryption attacks, or key recoveries. Rather than invalidating the security claims of any of the candidates, our results provide an additional criterion for evaluating the security that candidates deliver, which can be useful for e.g. breaking ties in the final CAESAR discussions

Cryptanalysis of Chosen Symmetric Homomorphic Schemes

Since Gentry’s breakthrough result was introduced in the year 2009, the homomorphic encryption has become a very popular topic. The main contribution of Gentry’s thesis was, that it has proven, that it actually is possible to design a fully homomorphic encryption scheme. However ground-breaking Gentry’s result was, the designs, that employ the bootstrapping technique suffer from terrible performance both in key generation and homomorphic evaluation of circuits. Some authors tried to design schemes, that could evaluate homomorphic circuits of arbitrarily many inputs without need of bootstrapping. This paper introduces notion of symmetric homomorphic encryption, analyses the security of four such proposals, published in three different papers. Our result is a known plaintext key-recovery attack on every one of these schemes

Cryptanalysis of Enhanced MORE

Fully homomorphic encryption (FHE) has been among the most popular research topics of the last decade. While the bootstrapping-based, public key cryptosystems that follow Gentry's original design are getting more and more efficient, their performance is still far from being practical. This lead to several attempts to construct symmetric FHE schemes that would not be as inefficient as their public key counterparts. Unfortunately, most such schemes were also based on (randomized) linear transformations, and shown completely insecure. One such broken scheme was the Matrix Operation for Randomization and Encryption (MORE). In a recent paper, Hariss, Noura and Samhat propose Enhanced MORE, which is supposed to improve over MORE's weaknesses. We analyze Enhanced MORE, discuss why it does not improve over MORE, and show that it is even less secure by presenting a highly efficient ciphertext-only decryption attack. We implement the attack and confirm its correctness

DiAE: Re-rolling the DiSE

The notion of distributed authenticated encryption was formally introduced by Agrawal et al. in ACM CCS 2018. In their work, they propose the DiSE construction building upon a distributed PRF (DPRF), a commitment scheme and a PRG. We show that most of their constructions do not meet some of the claimed security guarantees. In fact, all the concrete instantiations of DiSE, as well as multiple follow-up papers (one accepted at ACM CCS 2021), fail to satisfy their strongly-secure definitions. We give simple fixes for these constructions and prove their security. We also propose a new construction DiAE using an encryptment instead of a commitment. This modification dispenses with the need to buffer the entire message throughout the encryption protocol, which in turn enables implementations with constant RAM footprint and online message encryption. This is particularly interesting for constrained IoT devices. Finally, we implement and benchmark DiAE and show that it performs similarly to the original DiSE construction

Misuse-Resistant Variants of the OMD Authenticated Encryption Mode

We present two variants of OMD which are robust against nonce misuse. Security of OMD---a CAESAR candidate---relies on the assumption that implementations always ensure correct use of nonce (a.k.a. message number); namely that, the nonce never gets repeated. However, in some application environments, this non-repetitiveness requirement on nonce might be compromised or ignored, yielding to full collapse of the security guaranty. We aim to reach maximal possible level of robustness against repeated nonces, as defined by Rogaway and Shrimpton (FSE 2006) under the name misuse-resistant AE (MRAE). Our first scheme, called misuse-resistant OMD (MR-OMD), is designed to be substantially similar to OMD while achieving stronger security goals; hence, being able to reuse any existing common code/hardware. Our second scheme, called parallelizable misuse-resistant OMD (PMR-OMD), further deviates from the original OMD design in its encryption process, providing a parallelizable algorithm, in contrast with OMD and MR-OMD which have serial encryption/decryption processes. Both MR-OMD and PMR-OMD are single-key mode of operation. It is known that maximally robust MRAE schemes are necessarily two-pass, a price paid compared to a one-pass scheme such as OMD. Nevertheless, in MR-OMD and PMR-OMD, we combine the two passes in a way that minimizes the incurred additional cost: the overhead incurred by the second pass in our two-pass variants is about 50 % of the encryption time for OMD

CENC is Optimally Secure

At FSE 2006, Iwata introduced the CENC encryption mode and proved its security up to 2^{2n/3} plaintext blocks processed in total. He conjectured optimal security up to a constant. In this brief note, we confirm this conjecture. Rather than proving it ourselves, we point out that the conjecture\u27s proof follows as a corollary of Patarin\u27s ``Theorem P_i xor P_j for any xi_max\u27\u27 from 2010. This connection appears to have remained unnoticed, and the sole purpose of this brief note is to make the connection explicit

Power Yoga: Variable-Stretch Security of CCM for Energy-Efficient Lightweight IoT

The currently ongoing NIST LWC project aims at identifying new standardization targets for lightweight authenticated encryption with associated data (AEAD) and (optionally) lightweight cryptographic hashing. NIST has deemed it important for performance and cost to be optimized on relevant platforms, especially for short messages. Reyhanitabar, Vaudenay and Vizár (Asiacrypt 2016) gave a formal treatment for security of nonce-based AEAD with variable stretch, i.e., when the length of the authentication tag is changed between encryptions without changing the key. They argued that AEAD supporting variable stretch is of practical interest for constrained applications, especially low-power devices operated by battery, due to the ability to flexibly trade communication overhead and level of integrity. In this work, we investigate this hypothesis with affirmative results. We present vCCM, a variable-stretch variant of the standard CCM and prove it is secure when used with variable stretch. We then experimentally measure the energy consumption of a real-world wireless sensor node when encrypting and sending messages with vCCM and CCM, respectively. Our projections show that the flexible trade of integrity level and ciphertext expansion can lead up to 21% overall energy consumption reduction in certain scenarios. As vCCM is obtained from the widely-used CCM by a black-box transformation, allowing any existing CCM implementations to be reused as-is, our results can be immediately put to use in practice. vCCM is all the more relevant because neither the NIST LWC project, nor any of the candidates give a consideration for the support of variable stretch and the related integrity-overhead trade-off