Authenticated encryption

About: Authenticated encryption is a research topic. Over the lifetime, 1328 publications have been published within this topic receiving 25968 citations. The topic is also known as: AEAD & Authenticated Encryption with Associated Data.

A low-area ASIC implementation of AEGIS128 — A fast authenticated encryption algorithm

Abstract: Due to the lack of proper dedicated authenticated encryption algorithms, the CAESAR cryptographic competition aims to find new such algorithms. The goal of authenticated encryption is to provide both confidentiality and authenticity within a single algorithm. This paper introduces the first application-specific integrated circuit of AEGIS128, which is one promising submission to the CAESAR competition. The dedicated hardware design is optimized towards yielding the smallest area for AEGIS128. Using a 013 μm low-leakage process from Faraday Technology, the design requires merely 13,558 gate equivalents or 0.06942 mm2. Simulations of this design at a clock frequency of 100MHz result in 65 Mbps data throughput.

Provably Secure Searchable Attribute-Based Authenticated Encryption Scheme.

Abstract: In cloud storage system, attribute-based encryption can support fine-gained access control over encrypted data. Furthermore, searchable attribute-based encryption can allow data users to retrieve encrypted data from a cloud storage system. However, these encryption algorithms cannot provide authenticity. In this paper, we propose a new concept—–searchable attribute-based authenticated encryption and establish its security model framework. Then, we embed ingeniously search mechanism into keypolicy attribute-based signcryption, and present a concrete searchable attribute-based authenticated encryption scheme. Finally, according to the proposed framework, our scheme is proven to achieve (1) Ciphertext indistinguishability under the Decisional Bilinear Diffie-Hellman Exponent hardness assumption; (2) Existential unforgeability based on the hardness assumption of Computational Diffie-Hellman Exponent problem; (3) Selective security against chosen-keyword attack under the Decisional Linear hardness assumption; (4) Keyword secrecy based on the one-way hardness of hash function.

Scheme Optimization in Key Management with Cryptograph Methods

Abstract: System optimization for key management is an essential method to facilitate the wide application of key management in cryptography protocols. In the paper, we presented a threshold recovering algorithm for key distribution protocols. In the algorithm, the private keys from KGC (Key Generating Center) is encrypted and then shared among the applier members. The attack on the encrypted private keys and the threshold scheme proves computationally infeasible with exponent complexity. Besides, the threshold recovering algorithm is independent of the KGC without leakage of private information of the subgroup; therefore the threshold recovering of private keys renders effective protection for the secrecy of private parameters and applier identity. As to the efficiency of key management algorithms, we presented improved authenticated encryption scheme for key management. In the scheme, the secret transmission of essential parameters is reinforced with integrity and authenticity verification algorithms in an integrated mode; thus greatly improves the efficiency of key management.

Collision Attacks against CAESAR Candidates - Forgery and Key-Recovery against AEZ and Marble.

Abstract: In this paper we study authenticated encryption algorithms inspired by the OCB mode (Offset Codebook). These algorithms use secret offsets (masks derived from a whitening key) to turn a block cipher into a tweakable block cipher, following the XE or XEX construction. OCB has a security proof up to 2 queries, and a matching forgery attack was described by Ferguson, where the main step of the attack recovers the whitening key. In this work we study recent authenticated encryption algorithms inspired by OCB, such as Marble, AEZ, and COPA. While Ferguson’s attack is not applicable to those algorithms, we show that it is still possible to recover the secret mask with birthday complexity. Recovering the secret mask easily leads to a forgery attack, but it also leads to more devastating attacks, with a key-recovery attack against Marble and AEZ v2 and v3 with birthday complexity. For Marble, this clearly violates the security claims of full n-bit security. For AEZ, this matches the security proof, but we believe it is nonetheless a quite undesirable property that collision attacks allow to recover the master key, and more robust designs would be desirable. Our attack against AEZ is generic and independent of the internal permutation (in particular, it still works with the full AES), but the keyrecovery is specific to the key derivation used in AEZ v2 and v3. Against Marble, the forgery attack is generic, but the key-recovery exploits the structure of the E permutation (4 AES rounds). In particular, we introduce a novel cryptanalytic method to attack 3 AES rounds followed by 3 inverse AES rounds, which can be of independent interest.