Book Chapter (DOI)

sp-AELM: Sponge Based Authenticated Encryption Scheme for Memory Constrained Devices

TL;DR: This paper proposes another way to handle a long ciphertext with a low buffer size by storing and releasing only one intermediate state, without releasing or storing any part of an unverified plaintext and without need of generating any intermediate tag.
Abstract: In authenticated encryption schemes, there are two techniques for handling long ciphertexts while working within the constraints of a low buffer size: releasing unverified plaintext (RUP) or producing intermediate tags (PIT). In this paper, in addition to these two techniques, we propose another way to handle a long ciphertext with a low buffer size: storing and releasing only one (or, in general, only a few) intermediate state, without releasing or storing any part of an unverified plaintext and without needing to generate any intermediate tag. We explain this generalized technique using our new construction sp-AELM, a sponge based authenticated encryption scheme that provides support for limited memory devices. We also provide its security proof for privacy and authenticity in an ideal permutation model, using a code based game playing framework. Furthermore, we present two more variants of sp-AELM that serve the same purpose and are more efficient than sp-AELM.
Citations
Journal ArticleDOI
TL;DR: This paper provides the specification of Ascon-128 and Ascon-128a, specifies the hash function Ascon-Hash and the extendable output function Ascon-Xof, and complements the specification by providing a detailed overview of existing cryptanalysis and implementation results.
Abstract: Authenticated encryption satisfies the basic need for authenticity and confidentiality in our information infrastructure. In this paper, we provide the specification of Ascon-128 and Ascon-128a. Both authenticated encryption algorithms provide efficient authenticated encryption on resource-constrained devices and on high-end CPUs. Furthermore, they have been selected as the “primary choice” for lightweight authenticated encryption in the final portfolio of the CAESAR competition. In addition, we specify the hash function Ascon-Hash, and the extendable output function Ascon-Xof. Moreover, we complement the specification by providing a detailed overview of existing cryptanalysis and implementation results.

68 citations

01 Jan 2016
Selected Areas in Cryptography (proceedings volume; no abstract available)

58 citations

Book ChapterDOI
08 May 2016
TL;DR: This work revisits the principle of masking and introduces the tweakable Even-Mansour construction MEM, whose masking function combines the advantages of word-oriented LFSR- and powering-up-based methods to realize highly efficient, constant-time masking functions.
Abstract: A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors.

46 citations


Cites methods from "sp-AELM: Sponge Based Authenticated..."

  • "...Using the masking techniques described later in this paper, OPP has excellent performance when compared to contemporary permutation-based schemes, such as first-round CAESAR [17] submissions Artemia, Ascon, CBEAM, ICEPOLE, Keyak, NORX, π-Cipher, PRIMATEs, and STRIBOB, SpongeWrap schemes in general [11,66], and sp-AELM [1]..."

Journal Article
TL;DR: CWC as mentioned in this paper is a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data, and is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns.
Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the first appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the first such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

9 citations

Journal ArticleDOI
04 Dec 2018
TL;DR: A new AE scheme called dAELM, a deterministic authenticated encryption (DAE) scheme for low memory devices, is proposed; its idea is to use a session key to encrypt a message and to share the session key with the user depending upon the verification of a tag.
Abstract: A technique of authenticated encryption for memory constrained devices called sp-AELM was proposed by Agrawal et al. at ACISP 2015. The sp-AELM construction utilizes a sponge-based primitive to support online encryption and decryption functionalities. Online encryption in the construction is achieved in the standard manner by processing plaintext blocks as they arrive to produce ciphertext blocks. However, decryption is achieved by storing only one intermediate state and releasing it to the user upon correct verification. This intermediate state allows a legitimate user to generate the plaintext herself. However, the scheme is nonce-respecting, i.e., the scheme is insecure if the nonce is repeated. Implementation of a nonce is non-trivial in practice, and reuse of a nonce in an AE scheme is often devastating. In this paper, we propose a new AE scheme called dAELM, which stands for deterministic authenticated encryption (DAE) scheme for low memory devices. DAE is used in domains such as the key wrap, where the available message entropy omits the overhead of a nonce. For limiting memory usage, our idea is to use a session key to encrypt a message and share the session key with the user depending upon the verification of a tag. We provide the security proof of the proposed construction in the ideal cipher model.

3 citations

References
Book ChapterDOI
14 Aug 2013
TL;DR: AEGIS as discussed by the authors is a dedicated authenticated encryption algorithm; AEGIS-128 uses five AES round functions to process a 16-byte message block in one step, and AEGIS-256 uses six AES round functions.
Abstract: This paper introduces a dedicated authenticated encryption algorithm AEGIS; AEGIS allows for the protection of associated data which makes it very suitable for protecting network packets. AEGIS-128 uses five AES round functions to process a 16-byte message block in one step; AEGIS-256 uses six AES round functions. The security analysis shows that both algorithms offer a high level of security. On the Intel Sandy Bridge Core i5 processor, the speed of AEGIS is around 0.7 clock cycles/byte (cpb) for 4096-byte messages. This is comparable in speed to the CTR mode that offers only encryption and substantially faster than the CCM, GCM and OCB modes.

133 citations

Book ChapterDOI
05 Feb 2004
TL;DR: CWC as discussed by the authors is a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data, and is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns.
Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the first appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the first such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

123 citations

Posted Content
TL;DR: CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data, is introduced; it is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns.
Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is currently the only such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the only appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the only such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

96 citations

Book ChapterDOI
Matt Blaze
21 Feb 1996
TL;DR: RKEP works with any conventional block cipher and requires only standard ECB mode block cipher operations on the smartcard, permitting its implementation with off-the-shelf components, and there is no storage overhead.
Abstract: This paper describes a simple protocol, the Remotely Keyed Encryption Protocol (RKEP), that enables a secure, but bandwidth-limited, cryptographic smartcard to function as a high-bandwidth secret-key encryption and decryption engine for an insecure, but fast, host processor. The host processor assumes most of the computational and bandwidth burden of each cryptographic operation without ever learning the secret key stored on the card. By varying the parameters of the protocol, arbitrary size blocks can be processed by the host with only a single small message exchange with the card and minimal card computation. RKEP works with any conventional block cipher and requires only standard ECB mode block cipher operations on the smartcard, permitting its implementation with off-the-shelf components. There is no storage overhead. Computational overhead is minimal, and includes the calculation of a cryptographic hash function as well as a conventional cipher function on the host processor.

76 citations

Book ChapterDOI
07 Dec 2014
TL;DR: The first formalization of the releasing unverified plaintext (RUP) setting was proposed in this paper, where a plaintext extractor mimicking the decryption oracle is used to fool adversaries without the secret key.
Abstract: Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle, without the secret key. Releasing unverified plaintext to the attacker then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are compared with conventional definitions, and are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes.

69 citations