
Showing papers on "Authenticated encryption published in 2020"


Journal ArticleDOI
TL;DR: The analysis shows that the proposed scheme outperforms Transport Layer Security (TLS) in resource usage while it maintains equivalent authenticated end-to-end communication between communicating IoT nodes and incurs less overhead as compared to existing TLS-based security schemes.
Abstract: The resource-constrained nature and large-scale adoption of the Internet of Things (IoT) pose a significant challenge for securing IoT applications. This necessitates a robust and lightweight security architecture and schemes, as the existing traditional Internet security architecture and protocols require huge resources and lack an end-to-end security mechanism. In this research, a resource-efficient end-to-end security scheme has been proposed by offloading computations and storage of security parameters to fog nodes in the vicinity. In addition, symmetric-key payload encryption has been used to minimize the overhead of message communication in the resource-constrained IoT environment. The analysis shows that the proposed scheme outperforms Transport Layer Security (TLS) in resource usage while it maintains equivalent authenticated end-to-end communication between communicating IoT nodes. The proposed end-to-end security scheme saves more communication bandwidth and incurs less overhead as compared to existing TLS-based security schemes. In particular, the proposed system uses fewer handshakes and achieves a decrease in the transmitted message size (approximately 184 bytes as compared to the TLS message size of 332 bytes) for every handshake. Further, it has been demonstrated through experiments that the proposed security method incurs less overhead than TLS in bandwidth consumption, considering a single connection session during message subscription.

84 citations


Journal ArticleDOI
TL;DR: A new PAEKS security model is proposed that captures both (outside) chosen multi-ciphertext attacks and (inside) keyword guessing attacks and a method to simplify data sender’s key management using identity-based key exchange protocol is proposed.

71 citations


Journal ArticleDOI
TL;DR: A novel Lightweight AKE Protocol for the IoD Environment (LAKE-IoD) is presented, which first ensures the authenticity of the MU and then provides a session key establishment mechanism between the MU and the drone with the help of a server, and is protected against different well-known active and passive security attacks.
Abstract: A drone is an unmanned aerial vehicle, which is deployed in a particular Fly Zone (FZ) and used to collect crucial information from its surrounding environment to be transmitted to the server for further processing. Generally, a Mobile User (MU) is required to access the real-time information collected by the drone stationed in a specific FZ securely. Therefore, to ensure secure and reliable communications, an Authenticated Key Exchange (AKE) protocol is imperative in the Internet of Drones (IoD) environment. An AKE scheme ensures that only an authentic MU can access IoD network resources. Upon successful authentication, the MU and the drone can set up a secret session key for subsequent secure communication. This paper presents a novel Lightweight AKE Protocol for the IoD Environment (LAKE-IoD), which first ensures the authenticity of the MU and then provides a session key establishment mechanism between the MU and the drone with the help of a server. LAKE-IoD is an AKE protocol based on the authenticated encryption scheme AEGIS, a hash function, and the bit-wise XOR operation. Meticulous formal security verification using the Scyther tool, together with informal security analysis, demonstrates that LAKE-IoD is protected against different well-known active and passive security attacks. Additionally, Burrows-Abadi-Needham logic is applied to verify the logical completeness of LAKE-IoD. Furthermore, a comparison of LAKE-IoD with related schemes shows that LAKE-IoD incurs less communication, computational and storage overhead.

53 citations


ReportDOI
25 Mar 2020
TL;DR: This memo specifies Network Time Security (NTS), a mechanism for using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) to provide cryptographic security for the client-server mode of the Network Time Protocol (NTP).
Abstract: This memo specifies Network Time Security (NTS), a mechanism for using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) to provide cryptographic security for the client-server mode of the Network Time Protocol (NTP). NTS is structured as a suite of two loosely coupled sub-protocols. The first (NTS-KE) handles initial authentication and key establishment over TLS. The second handles encryption and authentication during NTP time synchronization via extension fields in the NTP packets, and holds all required state only on the client via opaque cookies.
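The structure the memo describes (session keys established once over TLS, server state carried only in client-held cookies, and an AEAD over each NTP packet whose cleartext header is bound as associated data) can be exercised end to end in a few lines. The following is an added example, not the memo's text or any NTS implementation: Go's standard-library AES-GCM stands in for the AES-SIV-CMAC-256 AEAD that NTS mandates, and the cookie layout (key ID, nonce, sealed C2S||S2C keys), the 48-byte header and the 32-byte key sizes are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout (simplified from RFC 8915): 48-byte NTP header, 32-byte C2S/S2C
// keys, 12-byte nonces, AES-GCM standing in for the AES-SIV AEAD NTS mandates.
const (
	headerLen = 48
	keyLen    = 32
	nonceLen  = 12
)

type ntsKeys struct{ c2s, s2c []byte }

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a wrong key length is a programming error
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// MakeCookie (server, end of NTS-KE) returns keyID(4) || nonce || seal(c2s||s2c, AD=keyID).
// Sealing the session keys under the server's master key is what keeps the server stateless.
func MakeCookie(masterKey []byte, keyID uint32, k ntsKeys) []byte {
	aead := newGCM(masterKey)
	id := make([]byte, 4)
	binary.BigEndian.PutUint32(id, keyID)
	nonce := randomBytes(nonceLen)
	payload := append(append([]byte{}, k.c2s...), k.s2c...)
	return aead.Seal(append(id, nonce...), nonce, payload, id)
}

// OpenCookie (server, every request): a forged, modified or foreign cookie fails to open.
func OpenCookie(masterKey, cookie []byte) (uint32, ntsKeys, error) {
	if len(cookie) < 4+nonceLen {
		return 0, ntsKeys{}, errors.New("cookie too short")
	}
	id, nonce, sealed := cookie[:4], cookie[4:4+nonceLen], cookie[4+nonceLen:]
	pt, err := newGCM(masterKey).Open(nil, nonce, sealed, id)
	if err != nil {
		return 0, ntsKeys{}, err
	}
	if len(pt) != 2*keyLen {
		return 0, ntsKeys{}, errors.New("unexpected cookie payload length")
	}
	return binary.BigEndian.Uint32(id), ntsKeys{c2s: pt[:keyLen], s2c: pt[keyLen:]}, nil
}

// ProtectPacket returns header || nonce || seal(body, AD=header): the header stays
// readable, as NTP needs, but any change to it invalidates the tag.
// header must be exactly headerLen bytes.
func ProtectPacket(key, header, body []byte) []byte {
	nonce := randomBytes(nonceLen)
	out := append(append([]byte{}, header...), nonce...)
	return newGCM(key).Seal(out, nonce, body, header)
}

// VerifyPacket returns the decrypted body, or an error if header or body changed.
func VerifyPacket(key, pkt []byte) ([]byte, error) {
	if len(pkt) < headerLen+nonceLen {
		return nil, errors.New("packet too short")
	}
	header, nonce, sealed := pkt[:headerLen], pkt[headerLen:headerLen+nonceLen], pkt[headerLen+nonceLen:]
	return newGCM(key).Open(nil, nonce, sealed, header)
}

func main() {
	master, keys := randomBytes(32), ntsKeys{c2s: randomBytes(keyLen), s2c: randomBytes(keyLen)}
	cookie := MakeCookie(master, 1, keys) // delivered to the client inside the NTS-KE TLS session
	header := make([]byte, headerLen)      // constructed NTP header; the cookie would ride in an extension field
	pkt := ProtectPacket(keys.c2s, header, []byte("constructed request body"))
	_, sk, err := OpenCookie(master, cookie) // the server recovers the keys from the cookie alone
	if err != nil {
		panic(err)
	}
	body, err := VerifyPacket(sk.c2s, pkt)
	fmt.Printf("body=%q err=%v\n", body, err)
	pkt[0] ^= 0x80 // one bit of the cleartext header flipped in transit
	_, err = VerifyPacket(sk.c2s, pkt)
	fmt.Println("tampered header rejected:", err != nil)
}
```

Two properties worth checking in any such design are visible here: the server needs only its master key (indexed by the cleartext key ID) to recover per-client keys, so master-key rotation is what bounds the lifetime of old cookies, and the packet header is authenticated but not encrypted, which is exactly what a time protocol needs since the receiver must parse it before it can verify anything.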

36 citations


Journal ArticleDOI
22 Jun 2020
TL;DR: First software and hardware implementation results of (unprotected) Spook are provided, which confirm the limited overhead that the use of two primitives sharing internal components implies, and show that the integrity of Spook with leakage can be proven with a much weaker unpredictability assumption for the TBC.
Abstract: This paper defines Spook: a sponge-based authenticated encryption with associated data algorithm. It is primarily designed to provide security against side-channel attacks at a low energy cost. For this purpose, Spook mixes a leakage-resistant mode of operation with bitslice ciphers enabling efficient and low-latency implementations. The leakage-resistant mode of operation leverages a re-keying function to prevent differential side-channel analysis, a duplex sponge construction to efficiently process the data, and a tag verification based on a Tweakable Block Cipher (TBC) providing strong data integrity guarantees in the presence of leakage. The underlying bitslice ciphers are optimized for masking countermeasures against side-channel attacks. Spook is an efficient single-pass algorithm. It ensures state-of-the-art black-box security with several prominent features: (i) nonce misuse-resilience, (ii) beyond-birthday security with respect to the TBC block size, and (iii) multi-user security at minimum cost with a public tweak. Besides the specifications and design rationale, we provide first software and hardware implementation results of (unprotected) Spook which confirm the limited overhead that the use of two primitives sharing internal components implies. We also show that the integrity of Spook with leakage, so far analyzed with unbounded leakages for the duplex sponge and a strongly protected TBC modeled as leak-free, can be proven with a much weaker unpredictability assumption for the TBC. We finally discuss external cryptanalysis results and tweaks to improve both the security margins and efficiency of Spook.

35 citations


Journal ArticleDOI
01 Aug 2020
TL;DR: The comparison results show that the proposed CLAEKS scheme is the only existing searchable encryption scheme in the certificateless setting that is secure in the enhanced security model.
Abstract: The Industrial Internet of Things (IIoT) represents a variety of IoT applications in the industrial sector of economy and is heavily underpinned by computational capabilities of cloud computing to reduce the cost of on-demand services. However, cloud computing does not protect the privacy of the outsourced data unless some form of encryption is applied. Recently, some Certificateless Authenticated Encryption with Keyword Search (CLAEKS) schemes have been proposed. However, it is known in the literature that the security of these schemes is proved based on a weak security model. In this paper, we first provide a more powerful and realistic security model for CLAEKS schemes. Then, we propose a new CLAEKS scheme and prove its security in the enhanced security model. The comparison results show that the proposed CLAEKS scheme is the only existing searchable encryption scheme in the certificateless setting that is secure in the enhanced security model.

34 citations


Journal ArticleDOI
TL;DR: This paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, and briefly discusses the advantages and weaknesses of various stream ciphers in terms of security and implementation.
Abstract: Stream ciphers are an important branch of symmetric cryptosystems, with obvious advantages in speed and in the scale of hardware implementation. They are suitable for cases of massive data transfer or resource constraints, and have always been a hot and central research topic in cryptography. With the rapid development of network and communication technology, cipher algorithms play an increasingly crucial role in information security. Simultaneously, the application environment of cipher algorithms is increasingly complex, which challenges the existing cipher algorithms and calls for novel suitable designs. To accommodate new strict requirements and provide a systematic scientific basis for future designs, this paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, and briefly discusses the advantages and weaknesses of various stream ciphers in terms of security and implementation. Finally, it tries to foresee the prospective design directions of stream ciphers.

33 citations


Journal ArticleDOI
TL;DR: A novel method employing Authenticated Encryption with Associated Data (AEAD) algorithms is proposed to achieve both confidentiality and integrity of GOOSE messages.
Abstract: The IEC 62351-6 standard stipulates the use of digital signatures for ensuring integrity and authenticity in IEC 61850 Generic Object-Oriented Substation Events (GOOSE) message exchanges. Yet, it does not specify any method for ensuring confidentiality in GOOSE messages. With the rapid growth of IEC 61850 from substation automation to the power management domain, sensitive data that requires privacy is carried over GOOSE messages. In this letter, a novel method employing Authenticated Encryption with Associated Data (AEAD) algorithms is proposed to achieve both confidentiality and integrity of GOOSE messages. Further, lab tests are run to observe the timing performance and applicability of these algorithms to GOOSE messages with strict timing requirements.

32 citations


DOI
22 Jun 2020
TL;DR: The Sparkle family of permutations operating on 256, 384 and 512 bits are introduced and combined with the Beetle mode to construct a family of authenticated ciphers, Schwaemm, with security levels ranging from 120 to 250 bits.
Abstract: We introduce the Sparkle family of permutations operating on 256, 384 and 512 bits. These are combined with the Beetle mode to construct a family of authenticated ciphers, Schwaemm, with security levels ranging from 120 to 250 bits. We also use them to build new sponge-based hash functions, Esch256 and Esch384. Our permutations are among those with the lowest footprint in software, without sacrificing throughput. These properties are allowed by our use of an ARX component (the Alzette S-box) as well as a carefully chosen number of rounds. The corresponding analysis is enabled by the long trail strategy which gives us the tools we need to efficiently bound the probability of all the differential and linear trails for an arbitrary number of rounds. We also present a new application of this approach where the only trails considered are those mapping the rate to the outer part of the internal state, such trails being the only relevant trails for instance in a differential collision attack. To further decrease the number of rounds without compromising security, we modify the message injection in the classical sponge construction to break the alignment between the rate and our S-box layer.

32 citations


Journal ArticleDOI
09 May 2020-Sensors
TL;DR: The proposed scheme ensures header verification during the AKE process without using IP security protocol and, thus, has low communication and computational overheads and is resistant to various malicious attacks in 6LoWPANs.
Abstract: IPv6 over Low Power Wireless Personal Area Networks (6LoWPAN) has an ample share in the Internet of Things. Sensor nodes in 6LoWPAN collect vital information from the environment and transmit it to a central server through the public Internet. Therefore, it is essential to secure communications and allow only legitimate sensor nodes to access network resources. This paper presents a lightweight Authentication and Key Exchange (AKE) scheme for 6LoWPAN using an authenticated encryption algorithm and a hash function. Upon successful authentication, sensor nodes and the central server can establish a secret key for secure communications. The proposed scheme ensures header verification during the AKE process without using the IP security protocol and, thus, has low communication and computational overheads. The logical correctness of the proposed scheme is validated through Burrows–Abadi–Needham logic. Furthermore, automated security analysis using AVISPA shows that the proposed scheme is resistant to various malicious attacks in 6LoWPANs.

31 citations


DOI
22 Jun 2020
TL;DR: Saturnin-CTR-Cascade as discussed by the authors is an authenticated cipher using the counter mode and a separate MAC, which requires two passes over the data but its implementation does not require the inverse block cipher.
Abstract: The cryptographic algorithms needed to ensure the security of our communications have a cost. For devices with little computing power, whose number is expected to grow significantly with the spread of the Internet of Things (IoT), this cost can be a problem. A simple answer to this problem is a compromise on the security level: through a weaker round function or a smaller number of rounds, the security level can be decreased in order to cheapen the implementation of the cipher. At the same time, quantum computers are expected to disrupt the state of the art in cryptography in the near future. For public key cryptography, the NIST has organized a dedicated process to standardize new algorithms. The impact of quantum computing is harder to assess in the symmetric case but its study is an active research area. In this document, we specify a new block cipher, Saturnin, and its usage in different modes to provide hashing and authenticated encryption in such a way that we can rigorously argue its security in the post-quantum setting. Its security analysis follows naturally from that of the AES, while our use of components that are easily implemented in a bitsliced fashion ensures a low cost for our primitives. Our aim is to provide a new lightweight suite of algorithms that performs well on small devices, in particular micro-controllers, while providing a high security level even in the presence of quantum computers. Saturnin is a 256-bit block cipher with a 256-bit key and an additional 9-bit parameter for domain separation. Using it, we built two authenticated ciphers and a hash function.
• Saturnin-CTR-Cascade is an authenticated cipher using the counter mode and a separate MAC. It requires two passes over the data but its implementation does not require the inverse block cipher.
• Saturnin-Short is an authenticated cipher intended for messages with a length strictly smaller than 128 bits which uses only one call to Saturnin to provide confidentiality and integrity.
• Saturnin-Hash is a 256-bit hash function.
In this document, we specify this suite of algorithms and argue about their security in both the classical and the post-quantum setting.
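The two properties the Saturnin designers highlight for Saturnin-CTR-Cascade, two passes over the data and no need for the inverse block cipher, follow from the generic CTR-then-MAC structure, which the following added example spells out. This is not the designers' code: AES-256 in counter mode and HMAC-SHA256 stand in for Saturnin and its Cascade MAC, and splitting the key into encryption and MAC keys with labelled HMAC calls is an assumed stand-in for Saturnin's 9-bit domain-separation parameter. The block cipher is wrapped in a type whose Decrypt method panics, so the program itself demonstrates that decryption only ever runs the forward direction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const tagLen = sha256.Size

// forwardOnly wraps a block cipher and refuses to run its inverse: if decryption
// below ever needed it, the program would panic.
type forwardOnly struct{ cipher.Block }

func (forwardOnly) Decrypt(dst, src []byte) { panic("inverse block cipher called") }

// deriveKeys turns one key into separate encryption and MAC keys with labelled
// HMAC calls (an assumed stand-in for Saturnin's domain-separation parameter).
func deriveKeys(key []byte) (encKey, macKey []byte) {
	return prf(key, "enc"), prf(key, "mac")
}

func prf(key []byte, label string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(label))
	return h.Sum(nil)
}

// ctr runs AES-256 in counter mode: the 12-byte nonce fills the top of the IV and
// the low 32 bits count blocks from zero. Only Block.Encrypt is ever called.
func ctr(encKey, nonce, in []byte) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, errors.New("nonce must be 12 bytes")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce)
	out := make([]byte, len(in))
	cipher.NewCTR(forwardOnly{block}, iv).XORKeyStream(out, in)
	return out, nil
}

// tag authenticates nonce, associated data and ciphertext; the AD length is
// encoded first so that bytes cannot migrate between AD and ciphertext.
func tag(macKey, nonce, ad, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(ad)))
	h.Write(n[:])
	h.Write(ad)
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

// Encrypt is the two-pass cascade: CTR over the plaintext, then a MAC over the
// result. Output is ct || tag.
func Encrypt(key, nonce, ad, pt []byte) ([]byte, error) {
	encKey, macKey := deriveKeys(key)
	ct, err := ctr(encKey, nonce, pt)
	if err != nil {
		return nil, err
	}
	return append(ct, tag(macKey, nonce, ad, ct)...), nil
}

// Decrypt verifies the tag in constant time before touching the ciphertext, so
// no plaintext, not even a wrong one, is released on a forgery.
func Decrypt(key, nonce, ad, in []byte) ([]byte, error) {
	if len(in) < tagLen {
		return nil, errors.New("ciphertext too short")
	}
	encKey, macKey := deriveKeys(key)
	ct, got := in[:len(in)-tagLen], in[len(in)-tagLen:]
	if !hmac.Equal(got, tag(macKey, nonce, ad, ct)) {
		return nil, errors.New("authentication failed")
	}
	return ctr(encKey, nonce, ct) // the same forward-direction keystream as encryption
}

func main() {
	key := []byte("constructed 32-byte example key!") // constructed
	nonce := []byte("unique-nonce")                   // 12 bytes; must never repeat under one key
	ad := []byte("packet header")
	out, _ := Encrypt(key, nonce, ad, []byte("hello, saturnin"))
	pt, err := Decrypt(key, nonce, ad, out)
	fmt.Printf("%q %v\n", pt, err)
	out[0] ^= 1
	_, err = Decrypt(key, nonce, ad, out)
	fmt.Println("tampered:", err)
}
```

The order of operations in Decrypt is the point of the cascade: the MAC is checked over the ciphertext first, so a forgery is rejected before any keystream is generated, and because CTR is its own inverse the decryptor ships only the encryption direction of the block cipher, which is where Saturnin's hardware-size argument comes from.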

Book ChapterDOI
10 May 2020
TL;DR: A duplex-based authenticated encryption scheme based on a new permutation called Friet-P, designed with a novel approach for cryptographic permutations and block ciphers that takes fault-attack resistance into account, is presented.
Abstract: In this work we present a duplex-based authenticated encryption scheme Friet based on a new permutation called Friet-P. We designed Friet-P with a novel approach for cryptographic permutations and block ciphers that takes fault-attack resistance into account and that we introduce in this paper.

DOI
22 Jun 2020
TL;DR: At its core it has a duplex object with a 257-bit state and a lightweight single-round permutation that makes Subterranean 2.0 very well suited for low-area and low-energy implementations in dedicated hardware.
Abstract: This paper presents the Subterranean 2.0 cipher suite that can be used for hashing, MAC computation, stream encryption and several types of authenticated encryption schemes. At its core it has a duplex object with a 257-bit state and a lightweight single-round permutation. This makes Subterranean 2.0 very well suited for low-area and low-energy implementations in dedicated hardware.

Journal ArticleDOI
TL;DR: A lightweight improved protocol based on Authenticated Encryption (AE) cryptosystems is presented, which demonstrates that weaknesses of previous efforts have all been adequately addressed and has a robust security posture in terms of confidentiality and integrity.

Book ChapterDOI
17 Aug 2020
TL;DR: In this paper, the authors translate the physical assumptions of leakage-resistance proofs into minimum security requirements for implementers, and observe that security against physical attacks can be viewed as a tradeoff between mode-level and implementation-level protection mechanisms, and security requirements to guarantee confidentiality and integrity in front of leakage can be concretely different for different parts of an implementation.
Abstract: Triggered by the increasing deployment of embedded cryptographic devices (e.g., for the IoT), the design of authentication, encryption and authenticated encryption schemes enabling improved security against side-channel attacks has become an important research direction. Over the last decade, a number of modes of operation have been proposed and analyzed under different abstractions. In this paper, we investigate the practical consequences of these findings. For this purpose, we first translate the physical assumptions of leakage-resistance proofs into minimum security requirements for implementers. Thanks to this (heuristic) translation, we observe that (i) security against physical attacks can be viewed as a tradeoff between mode-level and implementation-level protection mechanisms, and (ii) security requirements to guarantee confidentiality and integrity in front of leakage can be concretely different for the different parts of an implementation. We illustrate the first point by analyzing several modes of operation with gradually increased leakage-resistance. We illustrate the second point by exhibiting leveled implementations, where different parts of the investigated schemes have different security requirements against leakage, leading to performance improvements when high physical security is needed. We finally initiate a comparative discussion of the different solutions to instantiate the components of a leakage-resistant authenticated encryption scheme.

Journal ArticleDOI
TL;DR: In this paper, the authors proposed a zero round trip time (0-RTT) resumption authentication protocol combining PUF and SKG processes, and a novel authenticated encryption (AE) using SKG, and pipelining of the AE SKG and the encrypted data transfer in order to reduce latency.
Abstract: With the emergence of 5G low-latency applications, such as haptics and V2X, low-complexity and low-latency security mechanisms are needed. Promising lightweight mechanisms include physical unclonable functions (PUF) and secret key generation (SKG) at the physical layer, as considered in this paper. In this framework, we propose (i) a zero round trip time (0-RTT) resumption authentication protocol combining PUF and SKG processes, (ii) a novel authenticated encryption (AE) using SKG, and (iii) pipelining of the AE SKG and the encrypted data transfer in order to reduce latency. Implementing the pipelining at PHY, we investigate a parallel SKG approach for multi-carrier systems, where a subset of the subcarriers are used for SKG and the rest for data transmission. The optimal solution to this PHY resource allocation problem is identified under security, power, and delay constraints, by formulating the subcarrier scheduling as a subset-sum 0−1 knapsack optimization. A heuristic algorithm of linear complexity is proposed and shown to incur negligible loss with respect to the optimal dynamic programming solution. All of the proposed mechanisms have the potential to pave the way for a new breed of latency aware security protocols.

Journal ArticleDOI
TL;DR: A lightweight authentication protocol that provides forward secrecy for edge-based applications that reduces latency for critical applications, lowers cloud dependency, and employs cryptographic primitives, which are efficiently implemented on resource-constrained low-end devices.
Abstract: In this article, we propose a lightweight authentication protocol that provides forward secrecy for edge-based applications. Motivated by the general consensus that centralized authentication solutions are not suitable for an expanding Internet of Things (IoT), our edge-based authentication reduces latency for critical applications, lowers cloud dependency, and employs cryptographic primitives which are efficiently implemented on resource-constrained low-end devices. Moreover, the edge entity broadcasts messages using session keys that are derived securely from a hash function. The protocol utilizes hash chains and authenticated encryption, which makes it resilient to quantum attacks. Moreover, entities are not required to hold a permanent master key, and all session keys are derived securely from a hash function. As a use case, we present a smart emergency system where an edge application broadcasts alert messages for individual responder groups when specific events occur. We formally define and prove the main security properties of our protocol, and compare it to other lightweight protocols in terms of security and performance. The computational complexity of our protocol comprises three decryption operations, two HMAC computations, and five hash computations. The required storage for each node is 96 B and the communication overhead is only 56 B per session.

Journal ArticleDOI
Xiaodong Yang, Guilan Chen, Meiding Wang, Ting Li, Caifen Wang
TL;DR: This work proposes a multi-keyword certificateless searchable public key authenticated encryption scheme based on blockchain that avoids the problems of certificate management in traditional cryptosystem and key escrow in identity-based cryptosSystem, and proves that the proposed scheme is secure against inside keyword guessing attacks in the random oracle model.
Abstract: As a quite attractive secure search mechanism in cloud environments, searchable encryption allows encrypted files to be searched by keyword and does not reveal any information about the original data files. However, most existing searchable encryption schemes only support single-keyword ciphertext retrieval, and they cannot resist inside keyword guessing attacks. Besides, the previous schemes rarely focus on integrity verification and fair transactions without any third party. Focusing on these problems, we propose a multi-keyword certificateless searchable public key authenticated encryption scheme based on blockchain. We use a certificateless cryptosystem to encrypt keywords, which avoids the problems of certificate management in traditional cryptosystems and key escrow in identity-based cryptosystems. Our scheme also supports multi-keyword search, which locates encrypted files precisely and returns the desired files. Moreover, we upload the real encrypted files to the cloud server, while the encrypted indexes are put in the blockchain, which ensures the anti-tampering, integrity and traceability of the encrypted indexes. The anti-tampering of the blockchain also ensures that users can receive accurate search results without any third-party verification. Furthermore, we utilize smart contracts to track monetary rewards, which enables fair transactions between data owners and users without any trusted third party. We prove that the proposed scheme is secure against inside keyword guessing attacks in the random oracle model. Finally, our performance evaluation shows that the proposed scheme has higher computational performance than other related schemes.

Journal ArticleDOI
Felix Günther
TL;DR: This thesis introduces a new model for multi-stage key exchange to capture that recent designs for secure connections establish several cryptographic keys for various purposes and with differing levels of security, and introduces a formalism for key confirmation.
Abstract: Secure communication has become an essential ingredient of our daily life. Mostly unnoticed, cryptography is protecting our interactions today when we read emails or do banking over the Internet, withdraw cash at an ATM, or chat with friends on our smartphone. Security in such communication is enabled through two components. First, two parties that wish to communicate securely engage in a key exchange protocol in order to establish a shared secret key known only to them. The established key is then used in a follow-up secure channel protocol in order to protect the actual data communicated against eavesdropping or malicious modification on the way. In modern cryptography, security is formalized through abstract mathematical security models which describe the considered class of attacks a cryptographic system is supposed to withstand. Such models enable formal reasoning that no attacker can, in reasonable time, break the security of a system assuming the security of its underlying building blocks or that certain mathematical problems are hard to solve. Given that the assumptions made are valid, security proofs in that sense hence rule out a certain class of attackers with well-defined capabilities. In order for such results to be meaningful for the actually deployed cryptographic systems, it is of utmost importance that security models capture the system's behavior and threats faced in that 'real world' as accurately as possible, yet not be overly demanding in order to still allow for efficient constructions. If a security model fails to capture a realistic attack in practice, such an attack remains viable on a cryptographic system despite a proof of security in that model, at worst voiding the system's overall practical security. In this thesis, we reconsider the established security models for key exchange and secure channel protocols. 
To this end, we study novel and advanced security aspects that have been introduced in recent designs of some of the most important security protocols deployed, or that escaped a formal treatment so far. We introduce enhanced security models in order to capture these advanced aspects and apply them to analyze the security of major practical key exchange and secure channel protocols, either directly or through comparatively close generic protocol designs. Key exchange protocols have so far always been understood as establishing a single secret key, and then terminating their operation. This changed in recent practical designs, specifically of Google's QUIC ("Quick UDP Internet Connections") protocol and the upcoming version 1.3 of the Transport Layer Security (TLS) protocol, the latter being the de-facto standard for security protocols. Both protocols derive multiple keys in what we formalize in this thesis as a multi-stage key exchange (MSKE) protocol, with the derived keys potentially depending on each other and differing in cryptographic strength. Our MSKE security model allows us to capture such dependencies and differences between all keys established in a single framework. In this thesis, we apply our model to assess the security of both the QUIC and the TLS 1.3 key exchange design. For QUIC, we are able to confirm the intended overall security but at the same time highlight an undesirable dependency between the two keys QUIC derives. For TLS 1.3, we begin by analyzing the main key exchange mode as well as a reduced resumption mode. Our analysis attests that TLS 1.3 achieves strong security for all keys derived without undesired dependencies, in particular confirming several of this new TLS version's design goals. 
We then also compare the QUIC and TLS 1.3 designs with respect to a novel 'zero round-trip time' key exchange mode establishing an initial key with minimal latency, studying how differences in these designs affect the achievable key exchange security. As this thesis' last contribution in the realm of key exchange, we formalize the notion of key confirmation which ensures one party in a key exchange execution that the other party indeed holds the same key. Despite being frequently mentioned in practical protocol specifications, key confirmation had not been comprehensively treated before. In particular, our formalization exposes an inherent, slight difference in the confirmation guarantees both communication partners can obtain and enables us to analyze the key confirmation properties of TLS 1.3. Secure channels have so far been modeled as protecting a sequence of distinct messages using a single secret key. Our first contribution in the realm of channels originates from the observation that, in practice, secure channel protocols like TLS actually do not allow an application to transmit distinct, or atomic, messages. Instead, they provide applications with a streaming interface to transmit a stream of bits without any inherent demarcation of individual messages. Necessarily, the security guarantees of such an interface differ significantly from those considered in cryptographic models so far. In particular, messages may be fragmented in transport, and the recipient may obtain the sent stream in a different fragmentation, which has in the past led to confusion and practical attacks on major application protocol implementations. In this thesis, we formalize such stream-based channels and introduce corresponding security notions of confidentiality and integrity capturing the inherently increased complexity.
We then present a generic construction of a stream-based channel based on authenticated encryption with associated data (AEAD) that achieves the strongest security notions in our model and serves as validation of the similar TLS channel design. We also study the security of such applications whose messages are inherently atomic and which need to safely transport these messages over a streaming, i.e., possibly fragmenting, channel. Formalizing the desired security properties in terms of confidentiality and integrity in such a setting, we investigate and confirm the security of the widely adopted approach to encode the application's messages into the continuous data stream. Finally, we study a novel paradigm employed in the TLS 1.3 channel design, namely to update the keys used to secure a channel during that channel's lifetime in order to strengthen its security. We propose and formalize the notion of multi-key channels deploying such sequences of keys and capture their advanced security properties in a hierarchical framework of confidentiality and integrity notions. We show that our hierarchy of notions naturally connects to the established notions for single-key channels and instantiate its strongest security notions with a generic AEAD-based construction. Being comparatively close to the TLS 1.3 channel protocol, our construction furthermore enables a comparative design discussion.
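The two channel constructions the thesis describes, a stream-based channel built from AEAD and a multi-key channel that updates its key during the channel's lifetime, share one skeleton, shown in the following added example. It is not the thesis's construction nor TLS 1.3's record layer: the record layout (type byte, 64-bit sequence number, AES-GCM body with the header as associated data), the counter-derived nonce, and the HMAC-based key ratchet (where TLS 1.3 uses HKDF-Expand-Label) are assumptions chosen to keep the example self-contained. The sender fragments the stream arbitrarily; the receiver reconstructs one byte stream, rejects replayed, reordered or modified records, and after a key update no longer accepts records sealed under the retired key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Record = type(1) || seq(8) || AEAD(body); an assumed layout, not TLS 1.3's.
const recData, recKeyUpdate, hdrLen = byte(0), byte(1), 9

// endpoint is one direction of the channel: current key, AEAD and record counter.
type endpoint struct {
	aead cipher.AEAD
	key  []byte
	seq  uint64
}

func newEndpoint(key []byte) (*endpoint, error) {
	e := &endpoint{}
	return e, e.setKey(key)
}

func (e *endpoint) setKey(key []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	e.key = append([]byte{}, key...)
	e.aead, err = cipher.NewGCM(block)
	return err
}

// ratchet derives the next key one-way (HMAC here; HKDF-Expand-Label in TLS 1.3),
// restarts the counter and forgets the old key, so earlier records stay sealed.
func (e *endpoint) ratchet() error {
	mac := hmac.New(sha256.New, e.key)
	mac.Write([]byte("traffic upd"))
	e.seq = 0
	return e.setKey(mac.Sum(nil)[:len(e.key)])
}

// nonce is the record counter, so it cannot repeat under one key.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Send seals one record; the header goes in clear but is bound as associated data.
func (e *endpoint) Send(typ byte, payload []byte) []byte {
	h := make([]byte, hdrLen)
	h[0] = typ
	binary.BigEndian.PutUint64(h[1:], e.seq)
	rec := append(h, e.aead.Seal(nil, nonce(e.seq), payload, h)...)
	e.seq++
	return rec
}

// SendKeyUpdate announces the switch under the old key, then ratchets.
func (e *endpoint) SendKeyUpdate() ([]byte, error) {
	rec := e.Send(recKeyUpdate, nil)
	return rec, e.ratchet()
}

// Receive checks one record and appends its plaintext to the stream. Replayed,
// reordered or modified records, and records under a retired key, are rejected.
func (e *endpoint) Receive(rec []byte, stream *bytes.Buffer) error {
	if len(rec) < hdrLen {
		return fmt.Errorf("record too short")
	}
	h := rec[:hdrLen]
	if seq := binary.BigEndian.Uint64(h[1:]); h[0] > recKeyUpdate || seq != e.seq {
		return fmt.Errorf("bad header: type %d, seq %d (expected %d)", h[0], seq, e.seq)
	}
	pt, err := e.aead.Open(nil, nonce(e.seq), rec[hdrLen:], h)
	if err != nil {
		return err
	}
	e.seq++
	if h[0] == recKeyUpdate {
		return e.ratchet()
	}
	stream.Write(pt)
	return nil
}

func main() {
	key := []byte("constructed key!") // 16 bytes (constructed): AES-128
	snd, _ := newEndpoint(key)
	rcv, _ := newEndpoint(key)
	records := [][]byte{snd.Send(recData, []byte("GET /ind")), snd.Send(recData, []byte("ex.html HTTP/1.1\r\n"))}
	upd, _ := snd.SendKeyUpdate()
	var stream bytes.Buffer
	for _, r := range append(records, upd, snd.Send(recData, []byte("Host: example\r\n"))) {
		if err := rcv.Receive(r, &stream); err != nil {
			panic(err)
		}
	}
	fmt.Printf("%q\n", stream.String()) // one stream, whatever the sender's fragmentation
}
```

The receiver's sequence check is what turns a per-record AEAD into a channel: without it, the AEAD would still reject modified records but would happily accept a replayed or reordered one. The key update shows the second point of the thesis in miniature, since the update record itself is authenticated under the old key, so an attacker cannot force a ratchet, while a receiver that missed the update cannot read anything sent after it.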

Journal ArticleDOI
29 Oct 2020-Sensors
TL;DR: This study’s objective was to propose a tested and trusted scheme that offers authenticated encryption (AE) via enhancing the mapping phase of a plain text to an elliptic curve to resist several encryption attacks such as Chosen Plaintext Attack (CPA) and Chosen Ciphertext attack (CCA).
Abstract: Recent growth in the Internet of Things (IoT) has raised security concerns over the confidentiality of data exchanged between IoT devices and the edge. Many IoT systems adopt asymmetric cryptography to secure their data and communications. A drawback of asymmetric cryptography is the sizeable computation and space requirements. However, elliptic curve cryptography (ECC) is widely used in constrained environments for asymmetric cryptography due to its superiority in generating a powerful encryption mechanism with small key sizes. ECC increases device performance and lowers power consumption, meaning it is suitable for diverse applications ranging from the IoT to wireless sensor network (WSN) devices. To ensure the confidentiality and security of data and communications, it is necessary to implement ECC robustly. A special area of focus in this regard is the mapping phase. This study’s objective was to propose a tested and trusted scheme that offers authenticated encryption (AE) via enhancing the mapping phase of a plain text to an elliptic curve to resist several encryption attacks such as Chosen Plaintext Attack (CPA) and Chosen Ciphertext Attack (CCA). The proposed scheme also undertakes evaluation and analysis related to security requirements for specific encryption attributes. Finally, results from a comparison of the proposed scheme and other schemes are presented, evaluating each one’s security characteristics and performance measurements. Our scheme is efficient in a way that makes it suitable for the IoT, and in particular for the Industrial IoT and the new Urbanization, where the demands for services are huge.

Journal ArticleDOI
TL;DR: This paper proposes a new and efficient PAEKS scheme, which uses the idea of Diffie-Hellman key agreement to generate a shared secret key between each sender and receiver, and proves that the scheme is semantically secure against inside keyword guessing attacks in a multiuser setting, under the oracle Diffie -Hellman assumption.
Abstract: In recent years, it has become popular to upload patients’ medical data to a third-party cloud server (TCS) for storage through the medical Internet of Things. It can reduce the local maintenance burden of the medical data and, importantly, improve accuracy in medical treatment. As a remote TCS cannot be fully trusted, medical data should be encrypted before uploading to protect patients’ privacy. However, encryption makes search capabilities difficult for patients and doctors. To address this issue, Huang et al. recently put forward the notion of Public-key Authenticated Encryption with Keyword Search (PAEKS) against inside keyword guessing attacks. However, the existing PAEKS schemes rely on time-consuming computation of pairings. Moreover, some PAEKS schemes still have security issues in a multiuser setting. In this paper, we propose a new and efficient PAEKS scheme, which uses the idea of Diffie-Hellman key agreement to generate a shared secret key between each sender and receiver. The shared key will be used to encrypt keywords by the sender and to generate search trapdoors by the receiver. We prove that our scheme is semantically secure against inside keyword guessing attacks in a multiuser setting, under the oracle Diffie-Hellman assumption. Experimental results demonstrate that our PAEKS scheme is more efficient than previous ones, especially in terms of keyword searching time.

Book ChapterDOI
07 Dec 2020
TL;DR: In this paper, the authors presented generalized solutions to parallel block cipher rekeying that, for the first time, achieve security beyond the birthday bound in the block size n, which is an efficient way to achieve side-channel protection.
Abstract: Fresh rekeying is a well-established method to protect a primitive or mode against side-channel attacks: an easy to protect but cryptographically not so involved function generates a subkey from the master key, and this subkey is then used for the block encryption of a single or a few messages. It is an efficient way to achieve side-channel protection, but current solutions only achieve birthday bound security in the block size of the cipher and thus halve its security (except if more involved primitives are employed). We present generalized solutions to parallel block cipher rekeying that, for the first time, achieve security beyond the birthday bound in the block size n. The first solution involves, next to the subkey generation, one multiplication and the core block cipher call and achieves \(2^{2n/3}\) security. The second solution makes two block cipher calls, and achieves optimal \(2^n\) security. Our third solution uses a slightly larger subkey generation function but requires no adaptations to the core encryption and also achieves optimal security. The construction seamlessly generalizes to permutation based fresh rekeying. Central to our schemes is the observation that fresh rekeying and generic tweakable block cipher design are two very related topics, and we can take lessons from the advanced results in the latter to improve our understanding and development of the former. We subsequently use these rekeying schemes in a constructive manner to deliver three authenticated encryption modes that achieve beyond birthday bound security and are easy to protect against side-channel attacks.

Journal ArticleDOI
10 Sep 2020-Entropy
TL;DR: The proposed study is a new methodology of combining chaotic neural networks and Sponge construction that is proved secure against known attacks and shows the suitability of the proposed hash functions for the application such as Message Authentication, Data Integrity, Digital Signature, and Authenticated Encryption with Associated Data.
Abstract: In this paper, we propose, implement, and analyze the structures of two keyed hash functions using the Chaotic Neural Network (CNN). These structures are based on Sponge construction, and they produce two variants of hash value lengths, i.e., 256 and 512 bits. The first structure is composed of a two-layered CNN, while the second one is formed by a one-layered CNN and a combination of nonlinear functions. Indeed, the proposed structures employ two strong nonlinear systems, precisely a chaotic system and a neural network system. In addition, the proposed study is a new methodology of combining chaotic neural networks and Sponge construction that is proved secure against known attacks. The performance of the two proposed structures is analyzed in terms of security and speed. For the security measures, the number of hits of the two proposed structures does not exceed 2 for 256-bit hash values and does not exceed 3 for 512-bit hash values. In terms of speed, the average number of cycles to hash one data byte (NCpB) is equal to 50.30 for Structure 1, and 21.21 and 24.56 for Structure 2 with 8 and 24 rounds, respectively. In addition, the performance of the two proposed structures is compared with that of the standard hash functions SHA-3 and SHA-2, and with other classical chaos-based hash functions in the literature. The results of cryptanalytic analysis and the statistical tests highlight the robustness of the proposed keyed hash functions. They also show the suitability of the proposed hash functions for applications such as Message Authentication, Data Integrity, Digital Signature, and Authenticated Encryption with Associated Data.

Journal ArticleDOI
TL;DR: It is concluded that TETSponge is an appealing option for the implementation of low-energy AE in settings where side-channel attacks are a concern and provides the first rigorous methodology for the leakage-resistance of sponge/duplex-based AEs based on a minimal non-invertibility assumption on leakages.
Abstract: The ongoing NIST lightweight cryptography standardization process highlights the importance of resistance to side-channel attacks, which has renewed the interest for Authenticated Encryption schemes (AEs) with light(er)-weight side-channel secure implementations. To address this challenge, our first contribution is to investigate the leakage-resistance of a generic duplex-based stream cipher. When the capacity of the duplex is of c bits, we prove the classical bound, i.e., \(\approx 2^{c/2}\), under an assumption of non-invertible leakage. Based on this, we propose a new 1-pass AE mode TETSponge, which carefully combines a tweakable block cipher that must have strong protections against side-channel attacks and is scarcely used, and a duplex-style permutation that only needs weak side-channel protections and is used to frugally process the message and associated data. It offers: (i) provable integrity (resp. confidentiality) guarantees in the presence of leakage during both encryption and decryption (resp. encryption only), (ii) some level of nonce misuse robustness. We conclude that TETSponge is an appealing option for the implementation of low-energy AE in settings where side-channel attacks are a concern. We also provide the first rigorous methodology for the leakage-resistance of sponge/duplex-based AEs based on a minimal non-invertibility assumption on leakages, which leads to various insights on designs and implementations.

Book ChapterDOI
14 Dec 2020
TL;DR: This paper investigates the simplest possible protected circuit: the one in which only the state path of the underlying block cipher is shared, and explores how design choices like number of shares, implementation of the masked s-box and the circuit structure of the AEAD scheme affect the energy consumption.
Abstract: The selection criteria for NIST’s Lightweight Crypto Standardization (LWC) have been slowly shifting towards the lightweight efficiency of designs, given that a large number of candidates already establish their security claims on conservative, well-studied paradigms. The research community has accumulated a decent level of experience on authenticated encryption primitives, thanks mostly to the recently completed CAESAR competition. With the advent of the NIST LWC, the de facto focus is now on evaluating the efficiency of the designs with respect to hardware metrics like area, throughput, power and energy.

Journal ArticleDOI
TL;DR: The DASES takes advantage of blockchain technology to ensure the tamper-resistance, unforgeability and traceability of the image data, and it also avoids the limitation of the blockchain’s own storage and computing power.
Abstract: In cloud applications of medical data based on blockchain, doctors and managers usually want to obtain image data shared by other healthcare institutions. To ensure the privacy and workability of the image data, it is necessary to encrypt plain image data, retrieve the ciphertext data and verify the authenticity of the data. Public key authenticated searchable encryption (PAEKS) is an effective mechanism to realize the privacy and workability properties of data. However, the existing PAEKS schemes are unable to realize the identity privacy protection of the data owner, and the traditional blockchain system (such as Bitcoin) cannot achieve these goals directly. To overcome the above drawback, we first present a deniably authenticated searchable encryption scheme for medical image data sharing (DASES) that is based on blockchain and deniably authenticated encryption technology. The DASES takes advantage of blockchain technology to ensure the tamper-resistance, unforgeability and traceability of the image data, and it also avoids the limitation of the blockchain’s own storage and computing power. The DASES can not only withstand inside keyword guessing attacks (IKGA) but also provide effective privacy protection and verify the authenticity of medical image data. Hence, it can better protect the privacy of data senders and provide stronger security. Next, we prove that the DASES satisfies the indistinguishability of the ciphertext and trapdoor. It is regrettable that the DASES is less efficient than related schemes in the literature, but its greatest strength is its ability to provide better identity privacy protection and stronger security.

Book ChapterDOI
01 Oct 2020
TL;DR: Practical attacks on OCB2, a mode of operation of a blockcipher designed with the aim to provide particularly efficient and provably-secure authenticated encryption services, are presented.
Abstract: We present practical attacks on OCB2. This mode of operation of a blockcipher was designed with the aim to provide particularly efficient and provably-secure authenticated encryption services, and since its proposal about 15 years ago it belongs to the top performers in this realm. OCB2 was included in an ISO standard in 2009.

Posted Content
TL;DR: This paper proposes a new rate-one parallelizable mode named QCB inspired by TAE and OCB and proves its security against quantum superposition queries and discusses the quantum security notions for authenticated encryption modes.
Abstract: It was long thought that symmetric cryptography was only mildly affected by quantum attacks, and that doubling the key length was sufficient to restore security. However, recent works have shown that Simon’s quantum period finding algorithm breaks a large number of MAC and authenticated encryption algorithms when the adversary can query the MAC/encryption oracle with a quantum superposition of messages. In particular, the OCB authenticated encryption mode is broken in this setting, and no quantum-secure mode is known with the same efficiency (rate-one and parallelizable). In this paper we generalize the previous attacks, show that a large class of OCB-like schemes is unsafe against superposition queries, and discuss the quantum security notions for authenticated encryption modes. We propose a new rate-one parallelizable mode named QCB inspired by TAE and OCB and prove its security against quantum superposition queries.

Journal ArticleDOI
22 Jun 2020
TL;DR: This paper proposes a new lightweight and low energy authenticated encryption family, called ESTATE, that significantly improves the design of SUNDAE in terms of implementation costs (both hardware area and energy) and efficient processing of short messages.
Abstract: NIST has recently initiated a standardization project for efficient lightweight authenticated encryption schemes. SUNDAE, a candidate in this project, achieves optimal state size, which results in low circuit overhead on top of the underlying block cipher. In addition, SUNDAE provides security in the nonce-misuse scenario as well. However, in addition to the block cipher circuit, SUNDAE also requires some additional circuitry for multiplication by a primitive element. Further, it requires an additional block cipher invocation to create the starting state. In this paper, we propose a new lightweight and low energy authenticated encryption family, called ESTATE, that significantly improves the design of SUNDAE in terms of implementation costs (both hardware area and energy) and efficient processing of short messages. In particular, ESTATE does not require an additional multiplication circuit, and it reduces the number of block cipher calls by one. Moreover, it provides integrity security even under the release of unverified plaintext (or RUP) model. ESTATE is based on short-tweak tweakable block ciphers (or tBC, where the small ’t’ denotes short tweaks) and we instantiate it with two recently designed tBCs: TweAES and TweGIFT. We also propose a low latency variant of ESTATE, called sESTATE, that uses a round-reduced (6 rounds) variant of TweAES called TweAES-6. We provide comprehensive FPGA based hardware implementations for all three instances. The implementation results show that ESTATE_TweGIFT-128 (681 LUTs, 263 slices) consumes much less area than SUNDAE_GIFT-128 (931 LUTs, 310 slices). For the AES variants, along with the area-efficiency (ESTATE_TweAES consumes 1901 LUTs, 602 slices while SUNDAE_AES-128 needs 1922 LUTs, 614 slices), we also achieve higher throughput for short messages (for a 16-byte message, a throughput of 1251.10 and 945.36 Mbps for ESTATE_TweAES and SUNDAE_AES-128, respectively).

Journal ArticleDOI
TL;DR: WAGE is designed with a twist where its underlying permutation can be efficiently turned into a pseudorandom bit generator based on the WG transformation (WG-PRBG) whose output bits have theoretically proved randomness properties.
Abstract: This paper presents WAGE, a new lightweight sponge-based authenticated cipher whose underlying permutation is based on a 37-stage Galois NLFSR over \(\mathbb{F}_{2^7}\). At its core, the round function of the permutation consists of the well-analyzed Welch-Gong permutation (WGP), a primitive feedback polynomial, a newly designed 7-bit sbox SB, and partial word-wise XORs. The construction of the permutation is carried out such that the design of individual components is highly coupled with cryptanalysis and hardware efficiency. As such, we analyze the security of WAGE against differential, linear, algebraic and meet/miss-in-the-middle attacks. For 128-bit authenticated encryption security, WAGE achieves a throughput of 535 Mbps with a hardware area of 2540 GE in the ASIC ST Micro 90 nm standard cell library. Additionally, WAGE is designed with a twist where its underlying permutation can be efficiently turned into a pseudorandom bit generator based on the WG transformation (WG-PRBG) whose output bits have theoretically proved randomness properties.