
Showing papers on "Sponge function published in 2014"


Book ChapterDOI
07 Dec 2014
TL;DR: The Sponge function is known to achieve 2^(c/2) security, where c is its capacity, and keyed variants such as SpongeWrap inherit a min{2^(c/2), 2^κ} bound, with κ the key length. This paper shows that Sponge-based authenticated encryption can achieve the significantly higher bound of min{2^(b/2), 2^c, 2^κ} asymptotically, with b > c the permutation size.
Abstract: The Sponge function is known to achieve 2^(c/2) security, where c is its capacity. This bound was carried over to keyed variants of the function, such as SpongeWrap, to achieve a min{2^(c/2), 2^κ} security bound, with κ the key length. Similarly, many CAESAR competition submissions are designed to comply with the classical 2^(c/2) security bound. We show that Sponge-based constructions for authenticated encryption can achieve the significantly higher bound of min{2^(b/2), 2^c, 2^κ} asymptotically, with b > c the permutation size, by proving that the CAESAR submission NORX achieves this bound. Furthermore, we show how to apply the proof to five other Sponge-based CAESAR submissions: Ascon, CBEAM/STRIBOB, ICEPOLE, Keyak, and two out of the three PRIMATEs. A direct application of the result shows that the parameter choices of these submissions are overly conservative. Simple tweaks render the schemes considerably more efficient without sacrificing security. For instance, NORX64 can increase its rate and decrease its capacity by 128 bits and Ascon-128 can encrypt three times as fast, both without affecting the security level of their underlying modes in the ideal permutation model.

69 citations


Journal ArticleDOI
TL;DR: KECCAK is the endpoint of a long learning process involving many intermediate designs, mostly gradual changes, but also some drastic changes of direction, and some of its building blocks can be traced back to its predecessor, RADIOGATÚN, and even earlier.
Abstract: The sponge function KECCAK is the versatile successor of SHA-1 and the SHA-2 series of hash functions. Its structure and components are quite different from its predecessors, and at first sight it seems like a complete break with the past. In this article, researchers show that KECCAK is the endpoint of a long learning process involving many intermediate designs, mostly gradual changes, but also some drastic changes of direction. Researchers take off from their attempts at fixing PANAMA [26], resulting in RADIOGATUN [4], and their insights on trail backtracking applied to generalizations of PANAMA and RADIOGATUN, known as alternating-input and belt-and-mill structures. They explain how they originally proposed the sponge construction to compactly express security claims for their designs and how they finally decided to use it in an actual design which would become KECCAK. Then, they explain the design choices made in KECCAK and how some of its building blocks can be traced back to its predecessor, RADIOGATUN, and even earlier.

56 citations


Book ChapterDOI
03 Mar 2014
TL;DR: This paper proposes APE as the first permutation-based authenticated encryption scheme that is resistant against nonce misuse, and formally proves that APE is secure, based on the security of the underlying permutation.
Abstract: The domain of lightweight cryptography focuses on cryptographic algorithms for extremely constrained devices. It is very costly to avoid nonce reuse in such environments, because this requires either a hardware source of randomness, or non-volatile memory to store a counter. At the same time, a lot of cryptographic schemes actually require the nonce assumption for their security. In this paper, we propose APE as the first permutation-based authenticated encryption scheme that is resistant against nonce misuse. We formally prove that APE is secure, based on the security of the underlying permutation. To decrypt, APE processes the ciphertext blocks in reverse order, and uses inverse permutation calls. APE therefore requires a permutation that is both efficient for forward and inverse calls. We instantiate APE with the permutations of three recent lightweight hash function designs: Quark, Photon, and Spongent. For any of these permutations, an implementation that supports both encryption and decryption requires less than 1.9 kGE and 2.8 kGE for 80-bit and 128-bit security levels, respectively.

52 citations


Book ChapterDOI
12 Oct 2014
TL;DR: This work proposes a new authenticated encryption scheme PAEQ, which employs a fixed public permutation, and is one of the few which achieves 128-bit security for both confidentiality and data authenticity with the same key length.
Abstract: We propose a new authenticated encryption scheme PAEQ, which employs a fixed public permutation. In contrast to the recent sponge-based proposals, our scheme is fully parallelizable. It also allows flexible key and nonce length, and is one of the few which achieves 128-bit security for both confidentiality and data authenticity with the same key length.

27 citations


Journal ArticleDOI
TL;DR: This work describes a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption, including message authentication codes (MAC), AE, AEAD and DAE(AD). An important practical aspect of this work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE
Abstract: We describe a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption. These include message authentication code (MAC), authenticated encryption (AE), authenticated encryption with associated data (AEAD) and deterministic authenticated encryption (DAE) with associated data. Several schemes are presented and rigorously analysed. A major component of the constructions is a keyed hash function having provably low collision and differential probabilities. Methods are described to efficiently extend such hash functions to take multiple inputs. In particular, double-input hash functions are required for the construction of AEAD schemes. An important practical aspect of our work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE, AEAD and DAE(AD).

24 citations


Journal ArticleDOI
15 Apr 2014
TL;DR: This article discusses standard AE algorithms, the shortcomings of classic security models for AE algorithms, and related attacks.
Abstract: Wondering whether researchers have a cryptographic tool able to provide both confidentiality (privacy) and integrity (authenticity) of a message? They do: authenticated encryption (AE), a symmetric-key mechanism that transforms a message into a ciphertext. This article discusses standard AE algorithms, classic security models' shortcomings for AE algorithms, and related attacks. Motivated by these attacks, the crypto community started CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) to promote the development of next-generation AE algorithms.

20 citations


Posted Content
TL;DR: Processing multiple messages in parallel on Intel Haswell increases the performance of AES-CBC encryption on a single core by a factor of 6.8; among the nonce-misuse resistant AE modes considered, COPA performs best at 1.45 cpb.
Abstract: Authenticated encryption (AE) has recently gained renewed interest due to the ongoing CAESAR competition. This paper deals with the performance of block cipher modes of operation for AE in parallel software. We consider the example of the AES on Intel's new Haswell microarchitecture that has improved instructions for AES and finite field multiplication. As opposed to most previous high-performance software implementations of operation modes, which have considered the encryption of single messages, we propose to process multiple messages in parallel. We demonstrate that this message scheduling is of significant advantage for most modes. As a baseline for longer messages, the performance of AES-CBC encryption on a single core increases by a factor of 6.8 when adopting this approach. For the first time, we report optimized AES-NI implementations of the novel AE modes OTR, CLOC, COBRA, SILC, McOE-G, POET and Julius, both with single and multiple messages. For almost all AE modes considered, we obtain a consistent speed-up when processing multiple messages in parallel. Notably, among the nonce-based modes, CCM, CLOC and SILC get faster by a factor of 3.7, achieving a performance comparable to GCM (the latter, however, possessing classes of weak keys), with OCB3 still performing at only 0.77 cpb. Among the nonce-misuse resistant modes, McOE-G receives a speed-up by more than a factor of 4 with a performance of about 1.62 cpb, with COPA consistently performing best at 1.45 cpb.

17 citations


Posted Content
TL;DR: The results show that the 5- and 6-round Keccak sponge function is vulnerable to the cube attack, an algebraic technique applicable to cryptographic primitives whose output can be described as a low-degree polynomial in the input.
Abstract: In this paper we mount the cube attack on the Keccak sponge function. The cube attack, formally introduced in 2008, is an algebraic technique applicable to cryptographic primitives whose output can be described as a low-degree polynomial in the input. Our results show that the 5- and 6-round Keccak sponge function is vulnerable to this technique. All the presented attacks have practical complexities and were verified on a desktop PC.

12 citations


Proceedings ArticleDOI
11 Dec 2014
TL;DR: This paper presents a lightweight cryptographic system integrated onto a multi-function implantable biosensor prototype that provides a unique and fundamental capability by immediately encrypting and signing the sensor data upon its creation within the body.
Abstract: This paper presents a lightweight cryptographic system integrated onto a multi-function implantable biosensor prototype. The resulting heterogeneous system provides a unique and fundamental capability by immediately encrypting and signing the sensor data upon its creation within the body. By providing these security services directly on the implantable sensor, a number of low-level attacks can be prevented. This design uses the recently standardized SHA-3 Keccak secure hash function implemented in an authenticated encryption mode. The security module consists of the DuplexSponge security core and the interface wrapper. The security core occupies only 1550 gate equivalents, which is the smallest authenticated encryption core reported to date. The circuit is fabricated using 0.18 μm CMOS technology and uses a supply voltage of 1.8 V. The simulated power consumption of the complete cryptosystem with a 500 kHz clock is below 7 μW.

11 citations


Book ChapterDOI
18 Oct 2014 - SPACE
TL;DR: The primitive function of CASH family is proved to be secure against the state-of-the-art attacks and outperforms the SHA-3 finalists with respect to throughput and throughput/area.
Abstract: In this paper, we propose a new Cellular Automata (CA) based scalable parameterized hash function family named CASH. The construction of CASH is inspired by the sponge function and the internal round transformation employs linear CA. For the first time, we have managed to merge the classical add-round-constant and subsequent diffusion layers. The primitive function of the CASH family is proved to be secure against the state-of-the-art attacks. All the designs are implemented on Xilinx Virtex-6 FPGAs and compared with the best reported results in the literature. The results show that CASH outperforms the SHA-3 finalists with respect to throughput and throughput/area.

8 citations


Posted Content
TL;DR: This analysis covers a wide range of key recovery, MAC forgery and other types of attacks, breaking up to 9 rounds (out of the full 24) of the Keccak internal permutation much faster than exhaustive search.
Abstract: In this paper, we comprehensively study the resistance of keyed variants of SHA-3 (Keccak) against algebraic attacks. This analysis covers a wide range of key recovery, MAC forgery and other types of attacks, breaking up to 9 rounds (out of the full 24) of the Keccak internal permutation much faster than exhaustive search. Moreover, some of our attacks on the 6-round Keccak are completely practical and were verified on a desktop PC. Our methods combine cube attacks (an algebraic key recovery attack) and related algebraic techniques with structural analysis of the Keccak permutation. These techniques should be useful in future cryptanalysis of Keccak and similar designs. Although our attacks break more rounds than previously published techniques, the security margin of Keccak remains large. For Keyak – a Keccak-based authenticated encryption scheme – the nominal number of rounds is 12 and therefore its security margin is smaller (although still sufficient).

Proceedings ArticleDOI
07 Jul 2014
TL;DR: A comparison between two HDL-based fault-injection methods, FT-UNSHADES and NETFI, shows similar results and highlights a problem that affects fault-injection systems related to how the synthesis and the simulation are performed.
Abstract: In this paper, a comparison between two HDL-based fault-injection methods, FT-UNSHADES and NETFI, is presented. Fault-injection campaigns were performed on a third party example, named KECCAK sponge function family circuit dedicated for cryptography, which is available as an open core. The comparison of both methodologies shows a similarity in the results and highlights a problem that affects fault-injection systems related to how the synthesis and the simulation are made.

Book
01 Jan 2014
TL;DR: A book whose chapters cover block ciphers, lightweight and tweakable block ciphers, stream ciphers, hash functions, message authentication codes, provable security, implementation aspects, lightweight authenticated encryption, and Boolean functions.
Abstract: Block Ciphers.- Lightweight Block Ciphers.- Tweakable Block Ciphers.- Stream Ciphers.- Hash Functions.- Message Authentication Codes.- Provable Security.- Implementation Aspects.- Lightweight Authenticated Encryption.- Boolean Functions.

Proceedings ArticleDOI
06 Nov 2014
TL;DR: This paper introduces the first application-specific integrated circuit of AEGIS128, which is one promising submission to the CAESAR competition; the dedicated hardware design is optimized towards yielding the smallest area for AEGIS128.
Abstract: Due to the lack of proper dedicated authenticated encryption algorithms, the CAESAR cryptographic competition aims to find new such algorithms. The goal of authenticated encryption is to provide both confidentiality and authenticity within a single algorithm. This paper introduces the first application-specific integrated circuit of AEGIS128, which is one promising submission to the CAESAR competition. The dedicated hardware design is optimized towards yielding the smallest area for AEGIS128. Using a 0.13 μm low-leakage process from Faraday Technology, the design requires merely 13,558 gate equivalents or 0.06942 mm². Simulations of this design at a clock frequency of 100 MHz result in 65 Mbps data throughput.