
Authenticated encryption

About: Authenticated encryption is a research topic. Over the lifetime, 1328 publications have been published within this topic receiving 25968 citations. The topic is also known as: AEAD & Authenticated Encryption with Associated Data.


Papers
Journal Article
TL;DR: This paper shows a 9-round impossible differential of Simpira-4, the first 9-round impossible differential for it, and uses shrunken 6/7-round impossible differentials to mount key-recovery attacks on its Even-Mansour block cipher mode; the 8-round attacks recover the full 512-bit key with a data complexity of $2^{170}$ chosen plaintexts and a time complexity of $2^{170}$ 8-round encryptions.
Abstract: Simpira v2 is a family of cryptographic permutations proposed at ASIACRYPT 2016, and can be used to construct high throughput block ciphers by using the Even-Mansour construction, permutation-based hashing, and wide-block authenticated encryption. This paper shows a 9-round impossible differential of Simpira-4. To the best of our knowledge, this is the first 9-round impossible differential. To determine some efficient key recovery attacks on its block cipher mode (Even-Mansour construction with Simpira-4), we use some 6/7-round shrunken impossible differentials. Based on eight 6-round impossible differentials, we propose a series of 7-round key recovery attacks on the block cipher mode; each 6-round impossible differential helps recover 32 bits of the master key (512 bits), and in total, half of the master key bits are recovered. The attacks require $2^{57}$ chosen plaintexts and $2^{57}$ 7-round encryptions. Furthermore, based on ten 7-round impossible differentials, we add one round on the top or at the bottom to mount ten 8-round key recovery attacks on the block cipher mode. This helps recover the full key space (512 bits) with a data complexity of $2^{170}$ chosen plaintexts and time complexity of $2^{170}$ 8-round encryptions. Those are the first attacks on the round-reduced Simpira v2 and do not threaten the Even-Mansour mode with the full 15-round Simpira-4.

2 citations

Book Chapter
09 Jul 2012
TL;DR: A new cryptographic notion called accountable decryption is proposed by which, given a ciphertext, a decryptor proves both the correctness of his decryption and the plaintext authenticity to a public verifier.
Abstract: We propose a new cryptographic notion called accountable decryption by which, given a ciphertext, a decryptor proves both the correctness of his decryption and the plaintext authenticity to a public verifier. We define its security from three aspects: message confidentiality, soundness of verifiability and plaintext authenticity. Given any asymmetric or symmetric key encryption scheme, we propose a method to construct the corresponding accountable decryption scheme with provable security. To demonstrate its applications, we also present the constructions for predicate encryption and for public-key encryption with keyword search.

2 citations

01 Jan 2002
TL;DR: This dissertation studies a construct called authenticated encryption scheme, a set of algorithms whose collective purpose is to simultaneously guarantee both privacy and authenticity of the data being transmitted between two parties, and investigates the effectiveness of one of the most popular design methodologies for authenticated encryption schemes, namely the generic composition paradigm.
Abstract: Practice-oriented provable security is a modern approach in cryptography to concretely reduce security of a cryptographic construct to the computational hardness of an underlying problem. This dissertation studies a construct called authenticated encryption scheme, a set of algorithms whose collective purpose is to simultaneously guarantee both privacy and authenticity of the data being transmitted between two parties. First, we focus on the symmetric settings. We define precise security notions for authenticated encryption schemes, show relative strengths among our notions and existing standard notions, and investigate the effectiveness of one of the most popular design methodologies for authenticated encryption schemes, namely the generic composition paradigm. In this paradigm, one combines a standard encryption scheme—a construct whose goal is privacy—and a MAC scheme—a construct whose goal is authenticity—in a modular fashion to obtain an authenticated encryption scheme. The methods we study are Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC. As a case study, we analyze the popular SSH Internet protocol suite, find that its current design yields insecure authenticated encryption schemes, then suggest provably secure fixes. Our proofs model SSH's authenticated encryption mechanism as a case of what we call the Encode-then-Encrypt-and-MAC composition method. Our proofs can thus be generically applied to other schemes employing this composition method. In real applications, symmetric-key cryptography is often used in combination with public-key cryptography. We focus on the most common way to combine public-key cryptography with authenticated encryption schemes. First, two parties run an authenticated key-exchange protocol to obtain a shared session key. Then, they secure successive data transmissions via an authenticated encryption scheme based on the session key.
We show that such a communication session meets the notion of a secure channel proposed by Canetti and Krawczyk if and only if the underlying authenticated encryption scheme meets two new, simple definitions of security that we introduce, and the key-exchange protocol is secure. This reduces the secure channel requirements of Canetti and Krawczyk to easier to use, stand-alone security requirements on the underlying authenticated encryption scheme.

2 citations
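The generic-composition methods the dissertation above compares, shown as an added example that is not part of the dissertation or of this page: Encrypt-then-MAC with an unambiguous encoding of (nonce, associated data, ciphertext) under the tag, verification before any decryption, and, beside it, Encrypt-and-MAC, whose deterministic tag over the plaintext leaks whether two messages are equal. Assumptions: the "block cipher" is a toy counter mode built from HMAC-SHA256 as a PRF so the code needs only the standard library (a real deployment uses AES-CTR or, better, a standard AEAD such as AES-GCM or ChaCha20-Poly1305), and the keys, nonces and messages are constructed for illustration.

```python
import hashlib
import hmac
import struct

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


def ctr_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: HMAC-SHA256 as the PRF over (nonce || counter).

    Stands in for AES-CTR so the example runs with the standard library only.
    A (key, nonce) pair must never be reused: CTR security depends on it.
    """
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = hmac.new(enc_key, nonce + struct.pack(">Q", i // BLOCK),
                             hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def encode(*fields: bytes) -> bytes:
    """Length-prefixed encoding of the MAC input (the 'Encode' step).

    Without it, (ad=b'ab', ct=b'c') and (ad=b'a', ct=b'bc') would share a tag.
    """
    return b"".join(struct.pack(">Q", len(f)) + f for f in fields)


def mac(mac_key: bytes, msg: bytes) -> bytes:
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


# --- Encrypt-then-MAC: the generically secure composition -------------------

def etm_encrypt(enc_key, mac_key, nonce, ad, plaintext):
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = mac(mac_key, encode(nonce, ad, ct))  # tag binds nonce, AD and ciphertext
    return ct, tag


def etm_decrypt(enc_key, mac_key, nonce, ad, ct, tag):
    # Verify first, in constant time; a forged ciphertext is never decrypted.
    if not hmac.compare_digest(mac(mac_key, encode(nonce, ad, ct)), tag):
        return None
    return ctr_xor(enc_key, nonce, ct)


# --- Encrypt-and-MAC: MAC over the plaintext, sent beside the ciphertext ----

def eam_encrypt(enc_key, mac_key, nonce, plaintext):
    ct = ctr_xor(enc_key, nonce, plaintext)
    return ct, mac(mac_key, plaintext)  # tag depends only on the plaintext


def eam_leaks_plaintext_equality(enc_key, mac_key, plaintext):
    """Re-sending one message under fresh nonces gives fresh ciphertexts but
    identical tags, so the composition is not even IND-CPA private."""
    _, tag1 = eam_encrypt(enc_key, mac_key, b"nonce-1", plaintext)
    _, tag2 = eam_encrypt(enc_key, mac_key, b"nonce-2", plaintext)
    return tag1 == tag2


def demo():
    # Constructed keys and inputs for illustration only; use os.urandom in practice.
    enc_key, mac_key = b"K" * 32, b"M" * 32
    ad, pt, nonce = b"hdr: seq=7", b"attack at dawn", b"nonce-1"
    ct, tag = etm_encrypt(enc_key, mac_key, nonce, ad, pt)
    forged = bytes([ct[0] ^ 0x01]) + ct[1:]  # flip one ciphertext bit
    return {
        "roundtrip": etm_decrypt(enc_key, mac_key, nonce, ad, ct, tag) == pt,
        "tamper_rejected": etm_decrypt(enc_key, mac_key, nonce, ad, forged, tag) is None,
        "ad_bound": etm_decrypt(enc_key, mac_key, nonce, b"hdr: seq=8", ct, tag) is None,
        "eam_leaks": eam_leaks_plaintext_equality(enc_key, mac_key, pt),
    }


if __name__ == "__main__":
    print(demo())
```

The tag in the Encrypt-then-MAC branch is computed over the ciphertext together with the nonce and associated data, which is what lets the receiver reject before touching the plaintext; the Encrypt-and-MAC branch shows why a composition that is "secure" for each primitive in isolation can still fail as an authenticated encryption scheme.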

Posted Content
01 Jan 2015
TL;DR: This report presents results from a security analysis covering all 57 first-round candidates of the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) and over 210 implementations, identifies security issues in three candidates, and introduces the BRUTUS testing framework for automated detection of simple security lapses and susceptible statistical structures.
Abstract: This report summarizes our results from security analysis covering all 57 Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) first-round candidates and over 210 implementations. We have manually identified security issues with three candidates, two of which are more serious, and these ciphers have been withdrawn from the competition. We have developed a testing framework, BRUTUS, to facilitate automatic detection of simple security lapses and susceptible statistical structures across all ciphers. From this testing, we have security usage notes on four submissions and statistical notes on a further four. We highlight that some of the CAESAR algorithms pose an elevated risk if employed in real-life protocols due to a class of adaptive-chosen-plaintext attacks. Although authenticated encryption with associated data are often defined (and are best used) as discrete primitives that authenticate and transmit only complete messages, in practice, these algorithms are easily implemented in a fashion that outputs observable ciphertext data when the algorithm has not received all of the (attacker-controlled) plaintext. For an implementor, this strategy appears to offer seemingly harmless and compliant storage and latency advantages. If the algorithm uses the same state for secret keying information, encryption, and integrity protection, and the internal mixing permutation is not cryptographically strong, an attacker can exploit the ciphertext–plaintext feedback loop to reveal secret state information or even keying material.
We conclude that the main advantages of exhaustive, automated cryptanalysis are that it acts as a very necessary sanity check for implementations and gives the cryptanalyst insights that can be used to focus more specific attack methods on given candidates.
Author note: Much of this research was carried out during the tenure of an ERCIM “Alain Bensoussan” Fellowship Programme, hosted at Department of Telematics, NTNU, Norway. Corresponding author: Markku-Juhani O. Saarinen (m.saarinen@qub.ac.uk; mjos@iki.fi), ECIT, Queen’s University of Belfast, Northern Ireland Science Park, Queen’s Road, Queen’s Island, Belfast BT3 9DT, UK.

2 citations

Book
01 Jan 2014
TL;DR: New Results for Rank-Based Cryptography, Proxy Re-Encryption Scheme Supporting a Selection of Delegatees, and Universal Hash-Function Families: From Hashing to Authentication.
Abstract (table of contents):
New Results for Rank-Based Cryptography.
Public-Key Cryptography: Proxy Re-Encryption Scheme Supporting a Selection of Delegatees; Trapdoor Privacy in Asymmetric Searchable Encryption Schemes; Kurosawa-Desmedt Key Encapsulation Mechanism, Revisited.
Hash Functions: Differential Biases in Reduced-Round Keccak; Practical Distinguishers against 6-Round Keccak-f Exploiting Self-Symmetry; Preimage Attacks on Reduced-Round Stribog.
Secret-Key Cryptanalysis: Breaking the IOC Authenticated Encryption Mode; New Treatment of the BSW Sampling and Its Applications to Stream Ciphers; Multidimensional Zero-Correlation Linear Cryptanalysis of E2.
Public-Key Cryptanalysis and Number Theory: Further Improvement of Factoring RSA Moduli with Implicit Hint; New Attacks on the RSA Cryptosystem; Formulae for Computation of Tate Pairing on Hyperelliptic Curve Using Hyperelliptic Nets.
Hardware Implementation: New Speed Records for Montgomery Modular Multiplication on 8-bit AVR Microcontrollers; Minimizing S-Boxes in Hardware by Utilizing Linear Transformations; Efficient Masked S-Boxes Processing - A Step Forward; A More Efficient AES Threshold Implementation.
Protocols: Constant Rounds Almost Linear Complexity Multi-party Computation for Prefix Sum; Position-Based Cryptography from Noisy Channels.
Lattice-Based Cryptography: A Comparison of the Homomorphic Encryption Schemes FV and YASHE; Towards Lattice Based Aggregate Signatures.
Public-Key Cryptography: A Second Look at Fischlin's Transformation; Anonymous IBE from Quadratic Residuosity with Improved Performance; Expressive Attribute Based Signcryption with Constant-Size Ciphertext.
Secret-Key Cryptography: DRECON: DPA Resistant Encryption by Construction; Counter-bDM: A Provably Secure Family of Multi-Block-Length Compression Functions; Universal Hash-Function Families: From Hashing to Authentication.

2 citations


Network Information
Related Topics (5)
Public-key cryptography: 27.2K papers, 547.7K citations, 90% related
Cryptography: 37.3K papers, 854.5K citations, 89% related
Encryption: 98.3K papers, 1.4M citations, 86% related
Hash function: 31.5K papers, 538.5K citations, 84% related
Authentication: 74.7K papers, 867.1K citations, 83% related
Performance Metrics
No. of papers in the topic in previous years
Year  Papers
2023  19
2022  52
2021  67
2020  109
2019  111
2018  97