We propose Chaskey: a very efficient Message Authentication Code (MAC) algorithm for 32-bit microcontrollers. It is intended for applications that require 128-bit security, yet cannot implement standard MAC algorithms because of stringent requirements on speed, energy consumption, or code size. Chaskey is a permutation-based MAC algorithm that uses the Addition-Rotation-XOR (ARX) design methodology. We prove that Chaskey is secure in the standard model, based on the security of an underlying Even-Mansour block cipher. Chaskey is designed to perform well on a wide range of 32-bit microcontrollers. Our benchmarks show that on the ARM Cortex-M3/M4, our Chaskey implementation reaches a speed of 7.0 cycles/byte, compared to 89.4 cycles/byte for AES-128-CMAC. For the ARM Cortex-M0, our benchmark results give 16.9 cycles/byte and 136.5 cycles/byte for Chaskey and AES-128-CMAC respectively.

https://lirias.kuleuven.be/bitstream/123456789/463157/2/article-2441.pdf

Chaskey: An Efficient MAC Algorithm for 32-bit Microcontrollers

/pdf/chaskey-an-efficient-mac-algorithm-for-32-bit-3qjfjri8e9.pdf

Unequivocally, a single man in possession of a strong password is not enough to solve the issue of security. Studies indicate that passwords have been subjected to various attacks, regardless of the applied protection mechanisms due to the human factor. The keystone for the adoption of more efficient authentication methods by the different markets is the trade-off between security and usability. To bridge the gap between user-friendly interfaces and advanced security features, the Fast Identity Online (FIDO) alliance defined several authentication protocols. Although FIDO's biometric-based authentication is not a novel concept, still daunts end users and developers, which may be a contributor factor obstructing FIDO's complete dominance of the digital authentication market. This paper traces the evolution of FIDO protocols, by identifying the technical characteristics and security requirements of the FIDO protocols throughout the different versions while providing a comprehensive study on the different markets (e.g., digital banking, social networks, e-government, etc.), applicability, ease of use, extensibility and future security considerations. From the analysis, we conclude that there is currently no dominant version of a FIDO protocol and more importantly, earlier FIDO protocols are still applicable to emerging vertical services.

How many FIDO protocols are needed? Surveying the design, security and market perspectives.

The best existing bounds on the concrete security of key-alternating ciphers Chen and Steinberger, EUROCRYPT '14 are only asymptotically tight, and the quantitative gap with the best existing attacks remains numerically substantial for concrete parameters. Here, we prove exact bounds on the security of key-alternating ciphers and extend them to XOR cascades, the most efficient construction for key-length extension. Our bounds essentially match, for any possible query regime, the advantage achieved by the best existing attack.

Our treatment also extends to the multi-user regime. We show that the multi-user security of key-alternating ciphers and XOR cascades is very close to the single-user case, i.e., given enough rounds, it does not substantially decrease as the number of users increases. On the way, we also provide the first explicit treatment of multi-user security for key-length extension, which is particularly relevant given the significant security loss of block ciphers even if ideal in the multi-user setting.

The common denominator behind our results are new techniques for information-theoretic indistinguishability proofs that both extend and refine existing proof techniques like the H-coefficient method.

/pdf/key-alternating-ciphers-and-key-length-extension-exact-1cn4ck4rfl.pdf

Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security

We propose the Synthetic Counter-in-Tweak $$\mathsf {SCT}$$ mode, which turns a tweakable block cipher into a nonce-based authenticated encryption scheme with associated data. The $$\mathsf {SCT}$$ mode combines in a SIV-like manner a Wegman-Carter MAC inspired from $$\mathsf {PMAC}$$ for the authentication part and a new counter-like mode for the encryption part, with the unusual property that the counter is applied on the tweak input of the underlying tweakable block cipher rather than on the plaintext input. Unlike many previous authenticated encryption modes, $$\mathsf {SCT}$$ enjoys provable security beyond the birthday bound and even upi¾?to roughly $$2^n$$ tweakable block cipher calls, where n is the block length, when the tweak length is sufficiently large in the nonce-respecting scenario where nonces are never repeated. In addition, $$\mathsf {SCT}$$ ensures security upi¾?to the birthday bound even when nonces are reused, in the strong nonce-misuse resistance sense MRAE of Rogaway and Shrimpton EUROCRYPTi¾?2006. To the best of our knowledge, this is the first authenticated encryption mode that provides at the same time close-to-optimal security in the nonce-respecting scenario and birthday-bound security for the nonce-misuse scenario. While two passes are necessary to achieve MRAE-security, our mode enjoys a number of desirable features: it is simple, parallelizable, it requires the encryption direction only, it is particularly efficient for small messages compared to other nonce-misuse resistant schemes no precomputation is required and it allows incremental update of associated data.

/pdf/counter-in-tweak-authenticated-encryption-modes-for-4ch19hia5n.pdf

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers

A t-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher E from t fixed public permutations P 1,..., P t : {0,1} n → {0,1} n and a key k = k 0 ∥ ... ∥ k t ∈ {0,1} n(t + 1) by setting E k (x) = k t ⊕ P t (k t − 1 ⊕ P t − 1( ⋯ k 1 ⊕ P 1(k 0 ⊕ x) ⋯ )). The indistinguishability of E k from a truly random permutation by an adversary who also has oracle access to the (public) random permutations P 1, …, P t was investigated in 1997 by Even and Mansour for t = 1 and for higher values of t in a series of recent papers. For t = 1, Even and Mansour proved indistinguishability security up to 2 n/2 queries, which is tight. Much later Bogdanov et al. (2011) conjectured that security should be $2^{\frac{t}{t+1}n}$ queries for general t, which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour’s original result for t = 1: Bogdanov et al. proved security of $2^{\frac{2}{3}n}$ for t ≥ 2, Steinberger (2012) proved security of $2^{\frac{3}{4}n}$ for t ≥ 3, and Lampe, Patarin and Seurin (2012) proved security of $2^{\frac{t}{t+2}n}$ for all even values of t, thus “barely” falling short of the desired $2^{\frac{t}{t+1}n}$.

/pdf/tight-security-bounds-for-key-alternating-ciphers-vbe69o9tn7.pdf

Tight Security Bounds for Key-Alternating Ciphers

The r-round (iterated) Even-Mansour cipher (also known as key-alternating cipher) defines a block cipher from r fixed public n-bit permutations P1,…,P r as follows: given a sequence of n-bit round keys k0,…,k r , an n-bit plaintext x is encrypted by xoring round key k0, applying permutation P1, xoring round key k1, etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutations P1,…,P r are public random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EUROCRYPT 2014), who proved that the r-round Even-Mansour cipher is indistinguishable from a truly random permutation up to $ \mathcal{O} (2^{\frac{rn}{r+1}})$ queries of any adaptive adversary (which is an optimal security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption that the round keys k0,…,k r and the permutations P1,…,P r are independent. In particular, for two rounds, the current state of knowledge is that the block cipher E(x) = k2 ⊕ P2(k1 ⊕ P1(k0 ⊕ x)) is provably secure up to $ \mathcal{O} (2^{2n/3})$ queries of the adversary, when k0, k1, and k2 are three independent n-bit keys, and P1 and P2 are two independent random n-bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even-Mansour cipher from just one n-bit key and one n-bit permutation. Our answer is positive: when the three n-bit round keys k0, k1, and k2 are adequately derived from an n-bit master key k, and the same permutation P is used in place of P1 and P2, we prove a qualitatively similar $ \widetilde{ \mathcal{O} } (2^{2n/3})$ security bound (in the random permutation model). To the best of our knowledge, this is the first “beyond the birthday bound” security result for AES-like ciphers that does not assume independent round keys.

/pdf/minimizing-the-two-round-even-mansour-cipher-1ftwha9s5f.pdf

Minimizing the Two-Round Even-Mansour Cipher

A t-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher E from t fixed public permutations P1, . . . , Pt : {0, 1} n → {0, 1} and a key k = k0‖ · · · ‖kt ∈ {0, 1} n(t+1) by setting Ek(x) = kt ⊕Pt(kt−1 ⊕Pt−1(· · · k1 ⊕P1(k0 ⊕x) · · · )). The indistinguishability of Ek from a truly random permutation by an adversary who also has oracle access to the (public) random permutations P1, . . . , Pt was investigated in 1997 by Even and Mansour for t = 1 and for higher values of t in a series of recent papers. For t = 1, Even and Mansour proved indistinguishability security up to 2 queries, which is tight. Much later Bogdanov et al. (2011) conjectured that security should be 2 t t+1 n queries for general t, which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour’s original result for t = 1: Bogdanov et al. proved security of 2 2 3 n for t ≥ 2, Steinberger (2012) proved security of 2 3 4 n for t ≥ 3, and Lampe, Patarin and Seurin (2012) proved security of 2 t t+2 n for all even values of t, thus “barely” falling short of the desired 2 t t+1 . Our contribution in this work is to prove the long-sought-for security bound of 2 t t+1 , up to a constant multiplicative factor depending on t. Our method is essentially an application of Patarin’s H-coefficient technique.

/pdf/tight-security-bounds-for-key-alternating-ciphers-4t3dq4t10e.pdf

Tight security bounds for key-alternating ciphers.

/pdf/minimizing-the-two-round-even-mansour-cipher-7ycmk0k0d6.pdf

We carry out the first provable security analysis of the new FIDO2 protocols, the promising FIDO Alliance’s proposal for a standard for passwordless user authentication Our analysis covers the core components of FIDO2: the W3C’s Web Authentication (WebAuthn) specification and the new Client-to-Authenticator Protocol (CTAP2)

Shan Chen

Papers

Tight Security Bounds for Key-Alternating Ciphers

Minimizing the Two-Round Even-Mansour Cipher

Tight security bounds for key-alternating ciphers.

Minimizing the Two-Round Even-Mansour Cipher

Provable Security Analysis of FIDO2