
Showing papers on "Authenticated encryption published in 2016"


Journal ArticleDOI
TL;DR: Improved authenticated encryption and e-payment schemes to overcome weaknesses of Yang et al.
Abstract: The use of e-payment systems for electronic trade is on its way to making daily life easier and more convenient. On the other hand, there are a number of security issues to be addressed: user anonymity and fair exchange have become important concerns along with authentication, confidentiality, integrity and non-repudiation. In a number of existing e-payment schemes, the customer pays for the product before acquiring it. Furthermore, many such schemes require very high computation and communication costs. To address such issues, Yang et al. recently proposed an authenticated encryption scheme and an e-payment scheme based on their authenticated encryption. They excluded the need for digital signatures for authentication. Further, they claimed their schemes to resist replay, man-in-the-middle, impersonation and identity theft attacks while providing confidentiality, authenticity, integrity and privacy protection. However, our analysis exposed that both Yang et al.'s authenticated encryption scheme and e-payment system are vulnerable to an impersonation attack. An adversary having only knowledge of public parameters can easily masquerade as a legal user. Furthermore, we propose improved authenticated encryption and e-payment schemes to overcome the weaknesses of Yang et al.'s schemes. We prove the security of our schemes using the automated tool ProVerif. The improved schemes are more robust and more lightweight than Yang et al.'s schemes, which is evident from the security and performance analysis.

97 citations


Book ChapterDOI
14 Aug 2016
TL;DR: In this article, the authors study the multi-user security of authenticated encryption (AE) schemes and provide definitions of indistinguishability and recovery security for AE, and compare the mu security of both GCM and RGCM in the model where the underlying block cipher is ideal, showing that the latter is indeed superior in many practical contexts to the former.
Abstract: We initiate the study of multi-user (mu) security of authenticated encryption (AE) schemes as a way to rigorously formulate, and answer, questions about the "randomized nonce" mechanism proposed for the use of the AE scheme GCM in TLS 1.3. We (1) give definitions of mu-ind (indistinguishability) and mu-kr (key recovery) security for AE; (2) characterize the intent of nonce randomization as being improved mu security as a defense against mass surveillance; (3) cast the method as a new AE scheme RGCM; (4) analyze and compare the mu security of both GCM and RGCM in the model where the underlying block cipher is ideal, showing that the mu security of the latter is indeed superior in many practical contexts to that of the former; and (5) propose an alternative AE scheme XGCM having the same efficiency as RGCM but better mu security and a simpler, more modular design.

96 citations


Book ChapterDOI
14 Aug 2016
TL;DR: The Synthetic Counter-in-Tweak (SCT) as mentioned in this paper scheme combines a Wegman-Carter MAC with a new counter-like mode for the encryption, with the unusual property that the counter is applied on the tweak input of the underlying tweakable block cipher.
Abstract: We propose the Synthetic Counter-in-Tweak ($\mathsf{SCT}$) mode, which turns a tweakable block cipher into a nonce-based authenticated encryption scheme with associated data. The $\mathsf{SCT}$ mode combines in a SIV-like manner a Wegman-Carter MAC inspired by $\mathsf{PMAC}$ for the authentication part and a new counter-like mode for the encryption part, with the unusual property that the counter is applied on the tweak input of the underlying tweakable block cipher rather than on the plaintext input. Unlike many previous authenticated encryption modes, $\mathsf{SCT}$ enjoys provable security beyond the birthday bound and even up to roughly $2^n$ tweakable block cipher calls, where n is the block length, when the tweak length is sufficiently large, in the nonce-respecting scenario where nonces are never repeated. In addition, $\mathsf{SCT}$ ensures security up to the birthday bound even when nonces are reused, in the strong nonce-misuse resistance sense (MRAE) of Rogaway and Shrimpton (EUROCRYPT 2006). To the best of our knowledge, this is the first authenticated encryption mode that provides at the same time close-to-optimal security in the nonce-respecting scenario and birthday-bound security for the nonce-misuse scenario. While two passes are necessary to achieve MRAE security, our mode enjoys a number of desirable features: it is simple and parallelizable, it requires the encryption direction only, it is particularly efficient for small messages compared to other nonce-misuse resistant schemes (no precomputation is required), and it allows incremental update of associated data.

92 citations


Journal ArticleDOI
TL;DR: This paper provides the latest survey of stream ciphers for embedded systems, with a focus on lightweight implementations in embedded hardware and software as well as relevant authenticated encryption schemes.
Abstract: Pervasive computing constitutes a growing trend, aiming to embed smart devices into everyday objects. The limited resources of these devices and the ever-present need for lower production costs lead to the research and development of lightweight cryptographic mechanisms. Block ciphers, the main symmetric key cryptosystems, perform well in this field. Nevertheless, stream ciphers are also relevant in ubiquitous computing applications, as they can be used to secure the communication in applications where the plaintext length is either unknown or continuous, like network streams. This paper provides the latest survey of stream ciphers for embedded systems. Lightweight implementations of stream ciphers in embedded hardware and software are examined, as well as relevant authenticated encryption schemes. Their speed and simplicity enable compact and low-power implementations, allowing them to excel in applications pertaining to resource-constrained devices. The outcomes of the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 29192-3 standard and the cryptographic competitions eSTREAM and Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) are summarized along with the latest results in the field. However, cryptanalysis has proven that many of these schemes are actually insecure. Of the 31 designs that are examined, only six have been found to be secure by independent cryptanalysis. A constrained benchmark analysis is performed on low-cost embedded hardware and software platforms. The most appropriate and secure solutions are then mapped to different types of applications. Copyright © 2015 John Wiley & Sons, Ltd.

80 citations


Proceedings ArticleDOI
21 Mar 2016
TL;DR: It is formally proven that, if key registration is assumed to be secure, TextSecure's push messaging can indeed achieve most of the claimed security goals.
Abstract: Instant messaging has gained popularity with users for both private and business communication as a low-cost short message replacement on mobile devices. However, before the revelations about mass surveillance performed by intelligence services such as the NSA and GCHQ, and Facebook's acquisition of WhatsApp, most mobile messaging apps did not protect the confidentiality or integrity of messages. A messaging app that claims to provide secure instant messaging and has attracted a lot of attention is TextSecure. Besides numerous direct installations, its protocol is part of Android's most popular aftermarket firmware, CyanogenMod. TextSecure's successor, Signal, continues to use the underlying protocol for text messaging. In this paper, we present the first complete description of TextSecure's complex cryptographic protocol, provide a security analysis of its three main components (key exchange, key derivation and authenticated encryption), and discuss the main security claims of TextSecure. Furthermore, we formally prove that, if key registration is assumed to be secure, TextSecure's push messaging can indeed achieve most of the claimed security goals.

57 citations


Book ChapterDOI
04 Dec 2016
TL;DR: This work states that when targeting authenticated encryption schemes, this is in practice usually precluded by the unique nonce required by most of these schemes.
Abstract: Since the first demonstration of fault attacks by Boneh et al. on RSA, a multitude of fault attack techniques on various cryptosystems have been proposed. Most of these techniques, like Differential Fault Analysis, Safe Error Attacks, and Collision Fault Analysis, have the requirement to process two inputs that are either identical or related, in order to generate pairs of correct/faulty ciphertexts. However, when targeting authenticated encryption schemes, this is in practice usually precluded by the unique nonce required by most of these schemes.

56 citations


Posted Content
TL;DR: In this paper, Simon's algorithm can be used to speed up a classical symmetric cryptanalysis technique in the quantum model, leading to an exponential speed-up of a classical encryption technique.
Abstract: Due to Shor's algorithm, quantum computers are a severe threat to public key cryptography. This motivated the cryptographic community to search for quantum-safe solutions. On the other hand, the impact of quantum computing on secret key cryptography is much less understood. In this paper, we consider attacks where an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states. This model gives a lot of power to the adversary, but recent results show that it is nonetheless possible to build secure cryptosystems in it. We study applications of a quantum procedure called Simon's algorithm (the simplest quantum period finding algorithm) in order to attack symmetric cryptosystems in this model. Following previous works in this direction, we show that several classical attacks based on finding collisions can be dramatically sped up using Simon's algorithm: finding a collision requires $\Omega(2^{n/2})$ queries in the classical setting, but when collisions happen with some hidden periodicity, they can be found with only $O(n)$ queries in the quantum model. We obtain attacks with very strong implications. First, we show that the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher. This is quite surprising compared to the situation with encryption modes: Anand et al. show that standard modes are secure with a quantum-secure PRF. Second, we show that Simon's algorithm can also be applied to slide attacks, leading to an exponential speed-up of a classical symmetric cryptanalysis technique in the quantum model.

50 citations


Journal ArticleDOI
TL;DR: This paper provides an easy-to-grasp overview over functional aspects, security parameters, and robustness offerings by the CAESAR candidates, clustered by their underlying designs (block-cipher-, stream- cipher-, permutation-/sponge-, compression-function-based, dedicated).

30 citations


Journal ArticleDOI
TL;DR: This paper designs a new online secure authenticated encryption, called ELmD or Encrypt-Linear mix-Decrypt, which is completely (two-stage) parallel (even in associated data) and fully pipeline implementable and provides full privacy when associated data is not repeated.
Abstract: Authenticated encryption schemes which resist misuse of the nonce at some desired level of privacy are either two-pass or MAC-then-Encrypt constructions (inherently inefficient, but providing full privacy) or online constructions like McOE, sponge-type authenticated encryptions (such as duplex) and COPA. Only the last one is almost parallelizable, except that for associated data processing the final block-cipher call is sequential (it needs to wait for the encryption of all the previous ones). In this paper, we design a new online secure authenticated encryption, called ELmD or Encrypt-Linear mix-Decrypt, which is completely (two-stage) parallel (even in associated data) and fully pipeline implementable. It also provides full privacy when associated data is not repeated. Like COPA, our construction is based on EME, an Encrypt-Mix-Encrypt type SPRP construction (secure against chosen plaintext and ciphertext attacks). But unlike EME, we use an online-computable, efficient linear mixing instead of a non-linear mixing. We also provide a hardware implementation of the construction and compare its performance with similar constructions like COPA and EME2.

30 citations


Journal ArticleDOI
TL;DR: This work introduces a new concept called deniably authenticated encryption that can achieve confidentiality, integrity, and deniable authentication in a logical single step, and designs a secure e-mail protocol using the proposed deniable authenticated encryption scheme.
Abstract: Confidentiality and authentication are two main security goals in secure electronic mail (e-mail). Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) are two famous secure e-mail solutions. Both PGP and S/MIME use a digital envelope to provide message confidentiality and a digital signature to provide message authentication. However, these methods have the following two weaknesses: 1) the digital signature provides non-repudiation evidence of the sender, which is not desired in some e-mail applications, and 2) efficiency is low, since these methods use two kinds of public key cryptographic primitives: public key encryption and digital signature. To overcome the above two weaknesses, we introduce a new concept called deniably authenticated encryption that can achieve confidentiality, integrity, and deniable authentication in a logical single step. We first propose a deniably authenticated encryption scheme and prove its security in the random oracle model. Then, we design a secure e-mail protocol using the proposed deniably authenticated encryption scheme. The deniable authentication property protects senders' privacy.

29 citations


Journal ArticleDOI
TL;DR: The main contribution of the paper explores a scheme with a stronger security bound, and discusses that GCM-SIV1 resists the attack and offers a security trade-off compared to GCM-SIV, a provably secure authenticated encryption scheme.
Abstract: At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about $2^{48}$ queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses the question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack and offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2, which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to $2^{85.3}$ query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to GCM-SIVr by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to $2^{128r/(r+1)}$ query complexity. The provable security results are obtained under the standard assumption that the blockcipher is a pseudorandom permutation.

Book ChapterDOI
29 Feb 2016
TL;DR: This work shows generically how to construct higher level schemes from a basic scheme and appropriate use of sequence numbers, and applies that to close the gap in the analysis of TLS record layer encryption.
Abstract: Authentication and authenticated encryption with associated data (AEAD) are applied in cryptographic protocols to provide message integrity. The definitions in the literature and the constructions used in practice all protect against forgeries, but offer varying levels of protection against replays, reordering, and drops. As a result of the lack of a systematic hierarchy of authentication and AEAD security notions, gaps have arisen in the literature, specifically in the provable security analysis of the Transport Layer Security (TLS) protocol. We present a hierarchy of authentication and AEAD security notions, interpolating between the lowest level of protection against forgeries and the highest level against forgeries, replays, reordering, and drops. We show generically how to construct higher level schemes from a basic scheme and appropriate use of sequence numbers, and apply that to close the gap in the analysis of TLS record layer encryption.

Journal ArticleDOI
01 Aug 2016
TL;DR: A hard fault attack is proposed on both the versions of ACORN in a nonce-respecting scenario whereby a random bit of the fifth LFSR is permanently stuck at the value '1' before the driving procedure of the encryption device.
Abstract: The ongoing CAESAR competition, launched in 2013 and aimed at designing authenticated encryption schemes for different applications and environments, attracted 57 submissions as candidates. Out of the 57 round 1 submissions, only 29 candidates were selected for round 2. Each of these candidates is to be analyzed carefully. Among these 29 candidates, ACORN is a family of lightweight authenticated ciphers with associated data (AEAD). In this paper we propose a hard fault attack on both versions of ACORN in a nonce-respecting scenario, whereby a random bit of the fifth LFSR is permanently stuck at the value '1' before the driving procedure of the encryption device. Without repetition of the same key-IV pair, this is the first work that we are aware of where the secret key can be recovered fully with a computational complexity well below the limit of brute force search. With a hard fault at a certain position, the attack complexity reduces to $2^{55.85}$.

Journal ArticleDOI
TL;DR: An authentication scheme applying authenticated identity-based cryptography without key-escrow mechanism has been proposed and only partial secrets instead of full secrets are stored in the MSP, which could prevent the compromised MSP from endangering the whole system.
Abstract: The Internet has made the world smaller, while there is still a gap between the cyber world and our physical world. In the future cyber-physical system (CPS), all objects in the cyber world and physical world would be connected, and the concepts of cyber world and physical world will no longer exist. The speed of information transmission and processing will be faster, the abilities of controlling facilities and handling events will be more powerful, and our lives will be better. In the CPS, machine to machine (M2M) communication is in charge of data collection and transmission, which utilizes both wireless and wired systems to monitor physical or environmental conditions and exchange information among different systems without direct human intervention. As a part of CPS, M2M communication is considerably important while being fragile at the same time, because M2M communication still faces many security threats that come not only from outside but also from inside. In traditional M2M communication, the M2M service provider (MSP) is always assumed to be trusted. However, the MSP could be compromised in the real world. In that case, the previous security solutions would fail, because the most confidential materials are kept in the MSP by the conventional solutions. How to protect the entire system from a compromised MSP is one important problem the paper intends to solve. In addition, the communication bandwidth and energy resources of the M2M devices are precious. Another issue the paper addresses is the design of efficient security schemes able to save both energy and communication bandwidth. In this paper, an authentication scheme applying authenticated identity-based cryptography without a key-escrow mechanism is proposed. In the proposed scheme, only partial secrets instead of full secrets are stored in the MSP, which could prevent a compromised MSP from endangering the whole system. The authenticated encryption property of the proposed scheme could leave out the work of signature generation, transmission, and verification so as to save the computation and communication resources of the whole system. The security analysis with Burrows–Abadi–Needham logic (BAN Logic) and the Simple Promela Interpreter (SPIN) shows that the proposed scheme is well designed and could withstand man-in-the-middle attacks, impersonation attacks, replay attacks, DoS attacks, and compromise attacks. Copyright © 2016 John Wiley & Sons, Ltd.

Posted Content
TL;DR: In this paper, the authors investigate six authenticated encryption schemes (ACORN, ASCON-128a, ICEPOLE-128a, Ketje Jr, MORUS, and NORX-32) from the CAESAR competition and reveal that these schemes provide strong resistance against SAT-based state recoveries.
Abstract: We investigate six authenticated encryption schemes (ACORN, ASCON-128a, ICEPOLE-128a, Ketje Jr, MORUS, and NORX-32) from the CAESAR competition. We aim at state recovery attacks using a SAT solver as the main tool. Our analysis reveals that these schemes, as submitted to CAESAR, provide strong resistance against SAT-based state recoveries. To shed light on their security margins, we also analyse modified versions of these algorithms, including round-reduced variants and versions with higher security claims. Our attacks on such variants require only a few known plaintext-ciphertext pairs and small memory (to run the SAT solver), whereas time complexity varies from very practical (a few seconds on a desktop PC) to 'theoretical' attacks.

Book ChapterDOI
04 Dec 2016
TL;DR: In this article, a nonlinear invariant attack on the tweakable block ciphers Scream, iScream and Midori64 was presented, which requires only a handful of plaintext-ciphertext pairs and has minimal computational costs.
Abstract: In this paper we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the tweakable block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying tweakable block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.

Proceedings ArticleDOI
25 Apr 2016
TL;DR: This paper proposes a novel method for improving the quality of the secure sessions in a centralized way based on the SDN architecture that exploits the fact that many of today's security protocols negotiate the security parameters such as the protocol version, encryption algorithms or certificates in plaintext in a protocol handshake before establishing a secure session.
Abstract: End-to-end encryption is becoming the norm for many applications and services. While this improves the privacy of individuals and organizations, the phenomenon also raises new kinds of challenges. For instance, with the increase of devices using encryption, the volume of outdated, exploitable encryption software also increases. This may create some distrust among users toward security unless its quality is enforced in some way. Unfortunately, deploying new mechanisms at the end-points of the communication is challenging due to the sheer volume of devices, and modifying the existing services may not be feasible either. Hence, we propose a novel method for improving the quality of secure sessions in a centralized way based on the SDN architecture. Instead of inspecting the encrypted traffic, our approach enhances the quality of secure sessions by analyzing the plaintext handshake messages exchanged between a client and server. We exploit the fact that many of today's security protocols negotiate security parameters such as the protocol version, encryption algorithms or certificates in plaintext in a protocol handshake before establishing a secure session. By verifying the negotiated information in the handshake, our solution can improve the security level of SSL/TLS sessions. While the approach can be extended to many other protocols, we focus on the SSL/TLS protocol in this paper because of its widespread use. We present our implementation for the OpenDaylight controller and evaluate its overhead on SSL/TLS session establishment in terms of latency.

Proceedings ArticleDOI
Yunlei Zhao
24 Oct 2016
TL;DR: In this paper, a new primitive for identity-concealed authenticated encryption in the public-key setting, referred to as higncryption, is introduced, which can be viewed as a novel monolithic integration of public key encryption, digital signature, and identity concealment.
Abstract: Identity concealment and zero round-trip time (0-RTT) connection are two current research focuses in the design and analysis of secure transport protocols, like TLS1.3 and Google's QUIC, in the client-server setting. In this work, we introduce a new primitive for identity-concealed authenticated encryption in the public-key setting, referred to as higncryption, which can be viewed as a novel monolithic integration of public-key encryption, digital signature, and identity concealment. We then present the security definitional framework for higncryption, and a conceptually simple (yet carefully designed) protocol construction. As a new primitive, higncryption can have many applications. In this work, we focus on its applications to 0-RTT authentication, showing that higncryption is well suited to and compatible with QUIC and OPTLS, and on its applications to identity-concealed authenticated key exchange (CAKE) and unilateral CAKE (UCAKE). Of independent interest is a new concise security definitional framework for CAKE and UCAKE proposed in this work, which unifies the traditional BR and (post-ID) frameworks, enjoys composability, and ensures a very strong security guarantee. Along the way, we make a systematic comparative study with related protocols and mechanisms including Zheng's signcryption, one-pass HMQV, QUIC, TLS1.3 and OPTLS, most of which are widely standardized or in use.

Book ChapterDOI
17 Aug 2016
TL;DR: The concept of internal differential fault analysis, which requires only one faulty ciphertext, is introduced; it is applicable to parallelizable ciphers that use counter mode, and the work also presents the first analysis of PAEQ.
Abstract: This work exploits internal differentials within a cipher in the context of Differential Fault Analysis (DFA). This in turn overcomes the nonce barrier, which acts as a natural countermeasure against DFA. We introduce the concept of internal differential fault analysis, which requires only one faulty ciphertext. In particular, the analysis is applicable to parallelizable ciphers that use counter mode. As a proof of concept, we develop an internal differential fault attack on PAEQ, an AES-based parallelizable authenticated cipher presently in the second round of the ongoing CAESAR competition. The attack is able to uniquely retrieve the key of three versions of full-round PAEQ with key sizes of 64, 80 and 128 bits with complexities of about \(2^{16}\), \(2^{16}\) and \(2^{50}\) respectively. Finally, this work addresses in detail the instance of fault analysis with varying amounts of partial state information and also presents the first analysis of PAEQ.

Book ChapterDOI
04 Dec 2016
TL;DR: A formal definition for the notion of nonce-based variable-stretch AE (nvAE) as a natural extension to the traditional nAE model and a second modular approach to formalizing the goal by combining the nAE notion and a new property the authors call key-equivalent separation by stretch (kess).
Abstract: In conventional authenticated-encryption (AE) schemes, the ciphertext expansion, a.k.a. stretch or tag length, is a constant or a parameter of the scheme that must be fixed per key. However, using variable-length tags per key can be desirable in practice or may occur as a result of a misuse. The RAE definition by Hoang, Krovetz, and Rogaway (Eurocrypt 2015), aiming at the best-possible AE security, supports variable stretch among other strong features, but achieving the RAE goal incurs a particular inefficiency: neither encryption nor decryption can be online. The problem of enhancing the well-established nonce-based AE (nAE) model and the standard schemes thereof to support variable tag lengths per key, without sacrificing any desirable functional and efficiency properties such as online encryption, has recently regained interest as evidenced by extensive discussion threads on the CFRG forum and the CAESAR competition. Yet there is a lack of formal definition for this goal. First, we show that several recently proposed heuristic measures trying to augment the known schemes by inserting the tag length into the nonce and/or associated data fail to deliver any meaningful security in this setting. Second, we provide a formal definition for the notion of nonce-based variable-stretch AE (nvAE) as a natural extension to the traditional nAE model. Then, we proceed by showing a second modular approach to formalizing the goal by combining the nAE notion and a new property we call key-equivalent separation by stretch (kess). It is proved that (after a mild adjustment to the syntax) any nAE scheme which additionally fulfills the kess property will achieve the nvAE goal. Finally, we show that the nvAE goal is efficiently and provably achievable; for instance, by simple tweaks to off-the-shelf schemes such as OCB.

Journal ArticleDOI
TL;DR: This article presents a lightweight authenticated encryption scheme based on the integrated hardware implementation of the lightweight block cipher PRESENT and the lightweight hash function SPONGENT and exploits their inner structure to discover hardware elements usable by both primitives, thus reducing the circuit’s size.
Abstract: Embedded systems are routinely deployed in critical infrastructures nowadays, therefore their security is increasingly important. This, combined with the pressing requirement of deploying massive numbers of low-cost and low-energy embedded devices, stimulates the evolution of lightweight cryptography and other green-computing security mechanisms. New crypto-primitives are being proposed that offer moderate security and produce compact implementations. In this article, we present a lightweight authenticated encryption scheme based on the integrated hardware implementation of the lightweight block cipher PRESENT and the lightweight hash function SPONGENT. The presented combination of a cipher and a hash function is appropriate for implementing authenticated encryption schemes that are commonly utilized in one-way and mutual authentication protocols. We exploit their inner structure to discover hardware elements usable by both primitives, thus reducing the circuit's size. The integrated versions demonstrate a 27% reduction in hardware area compared to the simple combination of the two primitives. The resulting solution is ported to a field-programmable gate array (FPGA), and a complete security application with input/output through a universal asynchronous receiver/transmitter (UART) is created. In comparison with similar implementations in hardware and software, the proposed scheme represents a better overall status.

Book ChapterDOI
20 Mar 2016
TL;DR: This paper proposes RIV ("Robust Initialization Vector"), which extends the generic SIV construction by an additional call to the internal PRF, and is provably secure under the single assumption of the AES being secure.
Abstract: Typical AE schemes are supposed to be secure when used as specified. However, they can, and often do, fail miserably when used improperly. As a partial remedy, Rogaway and Shrimpton proposed nonce-misuse-resistant AE (MRAE) and the first MRAE scheme SIV ("Synthetic Initialization Vector"). This paper proposes RIV ("Robust Initialization Vector"), which extends the generic SIV construction by an additional call to the internal PRF. RIV inherits the full security assurance from SIV, but unlike SIV and other MRAE schemes, RIV is also provably secure when releasing unverified plaintexts. This follows a recent line of research on "Robust Authenticated Encryption", similar to the CAESAR candidate AEZ. An AES-based instantiation of RIV runs at less than 1.5 cpb on current x64 processors. Unlike the proposed instantiation of AEZ, which gains speed by relying on reduced-round AES, our instantiation of RIV is provably secure under the single assumption of the AES being secure.

Book ChapterDOI
24 Feb 2016
TL;DR: A generic construction based on the Bellare-Namprempre model for producing an authenticated encryption protocol from any quantum-resistant symmetric-key encryption scheme together with any authentication scheme (digital signature scheme or MAC) admitting a classical security reduction to a quantum-computationally hard problem.
Abstract: We propose a security model for evaluating the security of authenticated encryption schemes in the post-quantum setting. Our security model is based on a combination of the classical Bellare-Namprempre security model for authenticated encryption together with modifications from Boneh and Zhandry to handle message authentication against quantum adversaries. We give a generic construction based on the Bellare-Namprempre model for producing an authenticated encryption protocol from any quantum-resistant symmetric-key encryption scheme together with any authentication scheme (digital signature scheme or MAC) admitting a classical security reduction to a quantum-computationally hard problem. We give examples of suitable authentication schemes under the quantum random oracle model using the Boneh-Zhandry transformation. We also provide tables of communication overhead calculations and comparisons for various choices of component primitives in our construction.

Book ChapterDOI
26 Sep 2016
TL;DR: In this paper, the authors analyze the security of Android KeyStore, a system service whose purpose is to shield users' credentials and cryptographic keys, and show that the encryption scheme used does not provide integrity, which means that an attacker is able to undetectably modify the stored keys.
Abstract: We analyze the security of Android KeyStore, a system service whose purpose is to shield users' credentials and cryptographic keys. The KeyStore protects the integrity and the confidentiality of keys by using a particular encryption scheme. Our main results are twofold. First, we formally prove that the encryption scheme used does not provide integrity, which means that an attacker is able to undetectably modify the stored keys. Second, we exploit this flaw to define a forgery attack breaching the security guaranteed by the KeyStore. In particular, our attack allows a malicious application to make mobile apps unwittingly perform secure protocols using weak keys. The threat is concrete: the attacker goes undetected while compromising the security of users. Our findings highlight an important fact: intuition often goes wrong where security is concerned. Unfortunately, system designers still tend to choose cryptographic schemes not for their proved security but for their apparent simplicity. We show, once again, that this is not a good choice, since it usually results in severe consequences for the whole underlying system.

Journal ArticleDOI
TL;DR: In this paper, the authors deal with the various requirements of encryption and authentication in cryptographic applications and construct suitable modes of operation of a block cipher to achieve the relevant goals; while none of the schemes are built completely from scratch, there is a common unifying framework which connects them.
Abstract: This work deals with the various requirements of encryption and authentication in cryptographic applications. The approach is to construct suitable modes of operation of a block cipher to achieve the relevant goals. A variety of schemes suitable for specific applications are presented. While none of the schemes are built completely from scratch, there is a common unifying framework which connects them. All the schemes described have been implemented and the implementation details are publicly available. Performance figures are presented when the block cipher is the AES and the Intel AES-NI instructions are used. These figures suggest that the constructions presented here compare well with previous works such as the famous OCB mode of operation. In terms of features, the constructions provide several new offerings which are not present in earlier works. This work significantly widens the range of choices of an actual designer of a cryptographic system.

Book ChapterDOI
20 Mar 2016
TL;DR: Several constructions based on the AES round function that can be used as building blocks for MACs and authenticated encryption schemes, found using an efficient design strategy that has been shown to be one of the most optimal among all those considered.
Abstract: We show several constructions based on the AES round function that can be used as building blocks for MACs and authenticated encryption schemes. They are found by a search of the space of all secure constructions based on an efficient design strategy that has been shown to be one of the most optimal among all those considered. We implement the constructions on the latest Intel processors. Our benchmarks show that on Intel Skylake the smallest construction runs at 0.188 c/B, while the fastest at only 0.125 c/B, i.e. five times faster than AES-128.

Proceedings ArticleDOI
01 Oct 2016
TL;DR: The paper gives a detailed chronological account of attacks of the past 22 years on the SSL/TLS protocol, which is used for securing communication on the network by ensuring data confidentiality, data integrity and authenticity between the communicating parties.
Abstract: The Secure Socket Layer (SSL) protocol was introduced in 1994 and was later renamed Transport Layer Security (TLS) protocol for securing the transport layer. The SSL/TLS protocol is used for securing communication on the network by ensuring data confidentiality, data integrity and authenticity between the communicating parties. Authentication of the communicating parties and securing the transfer of data is done through certificates, key exchange and cipher suites. Security issues were found during the evolutionary development of the SSL/TLS protocol. The paper gives a detailed chronological account of attacks of the past 22 years on the SSL/TLS protocol.

Proceedings ArticleDOI
01 Sep 2016
TL;DR: The implementation results show that the proposed AES-CCM IP core achieves a very high resource efficiency and ultra-low power consumption while meeting the requirement of operation speed in WBANs.
Abstract: This paper presents a compact, ultra-low power AES-CCM authenticated encryption IP core for WBANs by combining a low-area 8-bit AES encryption core, an iterative structure and other optimized circuits. The proposed AES-CCM IP core can be used for message security at the MAC level, e.g. message encryption and authentication, based on the AES forward cipher function with a 128-bit key for the counter and cipher block chaining modes of operation. The implementation results show that the proposed AES-CCM IP core achieves a very high resource efficiency and ultra-low power consumption while meeting the requirement of operation speed in WBANs.

Journal ArticleDOI
TL;DR: This paper constructs an identity-based deniable authenticated encryption (IBDAE) scheme that can achieve both the functions of deniable authentication and public key encryption simultaneously, at a cost significantly lower than that required by the “deniable authentication followed by encryption” method.
Abstract: An authenticated encryption (AE) scheme simultaneously achieves two security goals: confidentiality and authenticity. AE can be divided into symmetric AE and asymmetric (public key) AE. In a symmetric AE scheme, deniability is gained automatically. However, a public key AE scheme cannot gain deniability automatically; on the contrary, it provides non-repudiation. In this paper, we address a question on the deniability of public key AE. Of course, we can achieve this goal by the "deniable authentication followed by encryption" method. However, such a method has the following two weaknesses: (1) the computational cost and communication overhead are the sum of two cryptographic primitives; (2) it is complex to design cryptographic protocols with deniable authentication and confidentiality using two cryptographic primitives. To overcome the two weaknesses, we propose a new concept called deniable authenticated encryption (DAE) that can achieve both the functions of deniable authentication and public key encryption simultaneously, at a cost significantly lower than that required by the "deniable authentication followed by encryption" method. This single cryptographic primitive can simplify the design of cryptographic protocols with deniable authentication and confidentiality. In particular, we construct an identity-based deniable authenticated encryption (IBDAE) scheme. Our construction uses tag-key encapsulation mechanism (KEM) and data encapsulation mechanism (DEM) hybrid techniques, which is more practical for true applications. We show how to construct an IBDAE scheme using an identity-based deniable authenticated tag-KEM (IBDATK) and a DEM. We also propose an IBDATK scheme and prove its security in the random oracle model. For a typical security level, our scheme is at least 50.7% and 22.7% faster than two straightforward "deniable authentication followed by encryption" schemes, respectively. The communication overhead is respectively reduced by at least 21.3% and 31.1%. An application of IBDAE to an e-mail system is described.

Book ChapterDOI
21 Sep 2016
TL;DR: In this article, the authors propose differential fault analyses of the Tiaoxin and AEGIS families of ciphers in a nonce reuse setting and show that the secret key can be recovered with 384 single-bit faults.
Abstract: Tiaoxin and AEGIS are two second round candidates of the ongoing CAESAR competition for authenticated encryption. In 2014, Brice Minaud proposed a distinguisher for AEGIS-256 that can be used to recover bits of a partially known message, encrypted \(2^{188}\) times, regardless of the keys used. He also reported a correlation between AEGIS-128 ciphertexts at rounds i and \(i + 2\), although the biases would require \(2^{140}\) data to be detected. Apart from that, to the best of our knowledge, there is no known cryptanalysis of AEGIS or Tiaoxin. In this paper we propose differential fault analyses of the Tiaoxin and AEGIS families of ciphers in a nonce reuse setting. Analysis shows that the secret key of Tiaoxin can be recovered with 384 single-bit faults and the states of AEGIS-128, AEGIS-256 and AEGIS-128L can be recovered respectively with 384, 512 and 512 single-bit faults. Considering multi-byte faults, the number of required faults and re-keyings is reduced 128 times.