We consider the problem of building a secure cloud storage service on top of a public cloud infrastructure where the service provider is not completely trusted by the customer We describe, at a high level, several architectures that combine recent and non-standard cryptographic primitives in order to achieve our goal We survey the benefits such an architecture would provide to both customers and service providers and give an overview of recent advances in cryptography motivated specifically by cloud storage

/pdf/cryptographic-cloud-storage-3uxa4mufav.pdf

Cryptographic cloud storage

A new version of the stream cipher Grain-128 is proposed. The new version, Grain-128a, is strengthened against all known attacks and observations on the original Grain-128, and has built-in support for optional authentication. The changes are modest, keeping the basic structure of Grain-128. This gives a high confidence in Grain-128a and allows for easy updating of existing implementations.

/pdf/grain-128a-a-new-version-of-grain-128-with-optional-32q00hifb4.pdf

Grain-128a: a new version of Grain-128 with optional authentication

https://ro.uow.edu.au/cgi/viewcontent.cgi?article=2088&context=eispapers

Public key encryption with keyword search secure against keyword guessing attacks without random oracle

We reformalize and recast the notion of public key encryption with equality test (PKEET), which was proposed in CT-RSA 2010 and supports to check whether two ciphertexts encrypted under different public keys contain the same message. PKEET has many interesting applications, for example, in constructing searchable encryption and partitioning encrypted data. However, the original PKEET scheme lacks an authorization mechanism for a user to control the comparison of its ciphertexts with others’. In this paper, we study the authorization mechanism for PKEET, and propose four types of authorization policies to enhance the privacy of users’ data. We give the definitions of the policies, propose a PKEET scheme supporting these four types of authorization at the same time, and prove its security based on the computational Diffie–Hellman assumption in the random oracle model. To the best of our knowledge, it is the only PKEET scheme supporting flexible authorization.

Efficient Public Key Encryption With Equality Test Supporting Flexible Authorization

Identity-based encryption with outsourced equality test in cloud computing

As such, public-key encryption with keyword search (a.k.a PEKS or searchable encryption) does not allow the recipient to decrypt keywords i.e. encryption is not invertible. This paper introduces searchable encryption schemes which enable decryption. An additional feature is that the decryption key and the trapdoor derivation key are totally independent, thereby complying with many contexts of application. We put forward a seemingly optimal construction for decryptable searchable encryption which makes use of one KEM, one IDKEM and a couple of hash functions. We define a proper security model for decryptable searchable encryption and show that basic security requirements on the underlying KEM and IDKEM are enough for our generic construction to be strongly secure in the random oracle model.

Decryptable searchable encryption

PRINCE is a lightweight block cipher proposed by Borghoff et al. at Asiacrypt 2012. Due to its originality, novel design and low number of rounds, it has already attracted the attention of a large number of cryptanalysts. Several results on reduced versions have been published to date; the best one is an attack on $8$ rounds out of the total number of $12$. In this paper we improve this result by two rounds: we provide an attack on $10$ rounds of the cipher with a data complexity of $2^{57.94}$ and a time complexity of $2^{60.62}$, corresponding to $118.56$ security bits, instead of $126$ for the generic attacks. Our attack uses multiple differentials and exploits some properties of PRINCE for recovering the whole key. PRINCE is defined as a member of a family of ciphers, differing by the choice of an Sbox among a distinguished set. We also show that the security offered by all the members of the family is not equivalent, by identifying an Sbox for which our attack can be extended up to $11$ rounds with a data complexity of $2^{59.81}$ and a time complexity of $2^{62.43}$.

/pdf/multiple-differential-cryptanalysis-of-round-reduced-prince-1hhalziaxq.pdf

Multiple Differential Cryptanalysis of Round-Reduced PRINCE

In this paper we study authenticated encryption algorithms inspired by the OCB mode Offset Codebook. These algorithms use secret offsets masks derived from a whitening key to turn a block cipher into a tweakable block cipher, following the XE or XEX construction.

OCB has a security proof upi¾?to $$2^{n/2}$$ queries, and a matching forgery attack was described by Ferguson, where the main step of the attack recovers the whitening key. In this work we study recent authenticated encryption algorithms inspired by OCB, such as Marble, AEZ, and COPA. While Ferguson's attack is not applicable to those algorithms, we show that it is still possible to recover the secret mask with birthday complexity. Recovering the secret mask easily leads to a forgery attack, but it also leads to more devastating attacks, with a key-recovery attack against Marble and AEZi¾?v2 andi¾?v3 with birthday complexity.

For Marble, this clearly violates the security claims of full n-bit security. For AEZ, this matches the security proof, but we believe it is nonetheless a quite undesirable property that collision attacks allow to recover the master key, and more robust designs would be desirable.

Our attack against AEZ is generic and independent of the internal permutation in particular, it still works with the full AES, but the key-recovery is specific to the key derivation used in AEZi¾?v2 andi¾?v3. Against Marble, the forgery attack is generic, but the key-recovery exploits the structure of the E permutation 4 AES rounds. In particular, we introduce a novel cryptanalytic method to attack 3 AES rounds followed by 3 inverse AES rounds, which can be of independent interest.

/pdf/collision-attacks-against-caesar-candidates-39omemptk0.pdf

Collision Attacks Against CAESAR Candidates

Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.

/pdf/indifferentiability-with-distinguishers-why-shabal-does-not-5andfc4vfj.pdf

Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers

PRINCE is a lightweight block cipher proposed by Borghoff et al. at Asiacrypt 2012. Due to its originality, novel design and low number of rounds, it has already attracted the attention of a large number of cryptanalysts. Several results on reduced versions have been published to date; the best one is an attack on 8 rounds out of the total number of 12. In this paper we improve this result by two rounds: we provide an attack on 10 rounds of the cipher with a data complexity of 2 and a time complexity of 2, corresponding to 118.56 security bits, instead of 126 for the generic attacks. Our attack uses multiple differentials and exploits some properties of PRINCE for recovering the whole key. PRINCE is defined as a member of a family of ciphers, differing by the choice of an Sbox among a distinguished set. We also show that the security offered by all the members of the family is not equivalent, by identifying an Sbox for which our attack can be extended up to 11 rounds with a data complexity of 2 and a time complexity of 2.

/pdf/multiple-di-fferential-cryptanalysis-of-round-reduced-prince-3j73rqptfb.pdf

Thomas Fuhr

Papers

Decryptable searchable encryption

Multiple Differential Cryptanalysis of Round-Reduced PRINCE

Collision Attacks Against CAESAR Candidates

Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers

Multiple Di fferential Cryptanalysis of Round-Reduced PRINCE (Full version).