Minimizing Key Materials: The Even–Mansour Cipher Revisited and Its Application to Lightweight Authenticated Encryption

2020 ◽  
Vol 2020 ◽  
pp. 1-6
Author(s):  
Ping Zhang ◽  
Qian Yuan

The Even–Mansour cipher has been widely used in block ciphers and lightweight symmetric-key ciphers because of its simple structure and strict provable security. Its research has been a hot topic in cryptography. This paper focuses on the problem of minimizing the key material of the Even–Mansour cipher while keeping its security bound essentially the same. We introduce four structures of the Even–Mansour cipher with a short key and derive their security by Patarin's H-coefficients technique. These four structures are proven secure up to Õ(2^k/μ) adversarial queries, where k is the bit length of the key material and μ is the maximal multiplicity. Then, we apply them to lightweight authenticated encryption modes and prove their security up to about min(b/2, c, k − log μ)-bit adversarial queries, where b is the size of the permutation and c is the capacity of the permutation. Finally, we leave it as an open problem to settle the security of the t-round iterated Even–Mansour cipher with short keys.

Author(s):  
Akinori Hosoyamada ◽  
Tetsu Iwata

Recent results on quantum cryptanalysis show that some symmetric key schemes can be broken in polynomial time even if they are proven to be secure in the classical setting. Liskov, Rivest, and Wagner showed that secure tweakable block ciphers can be constructed from secure block ciphers in the classical setting. However, Kaplan et al. showed that their scheme can be broken by polynomial time quantum superposition attacks, even if underlying block ciphers are quantum-secure. Since then, it remains open whether there exists a mode of block ciphers to build quantum-secure tweakable block ciphers. This paper settles the problem in the reduction-based provable security paradigm. We show the first design of quantum-secure tweakable block ciphers based on quantum-secure block ciphers, and present a provable security bound. Our construction is simple, and when instantiated with a quantum-secure n-bit block cipher, it is secure against attacks that query arbitrary quantum superpositions of plaintexts and tweaks up to O(2^(n/6)) quantum queries. Our security proofs use the compressed oracle technique introduced by Zhandry. More precisely, we use an alternative formalization of the technique introduced by Hosoyamada and Iwata.


Author(s):  
Tetsu Iwata ◽  
Kazuhiko Minematsu

At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 2^48 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses a question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack, and it offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2 which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 2^85.3 query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to show GCM-SIVr by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2^(128r/(r+1)) query complexity. The provable security results are obtained under the standard assumption that the blockcipher is a pseudorandom permutation.


Author(s):  
K V Srinivasa Rao ◽  
M M Naidu ◽  
R. Satya Prasad

Cryptanalysis comes in different forms in order to support the rigorous analysis of the structure of a cryptographic primitive, to evaluate and verify its claimed security margins. This analysis follows the attack models presented previously in order to exploit possible weaknesses in the primitive, thus achieving the associated attack goals, which vary from a distinguishing attack to a total break that is defined based on the security margins or claims of the primitive under study. For example, for a hash function, a total break constitutes finding a collision or obtaining the message from the hash value, while in block ciphers it revolves around recovering the secret key. When it comes to the claimed security margins, the design approaches follow certain security models, such as provable security, practical security, or a mixture of both. The role of the cryptanalyst is to subject these primitives to the different existing categories of cryptanalysis approaches and to tailor new ones that push the design's security margins, if possible, to new limits where these attacks are no longer applicable. This chapter introduces the prominent methods of cryptanalysis that utilize certain behavior in the cipher structure. Such behavior disturbs the assumed randomness of the output or the ciphertext. This paper explores the basic definitions of prominent cryptanalysis methods that target the specific structure of a cipher, namely differential and linear cryptanalysis and their different variants. It also discusses other potential cryptanalytic methods that are usually used in the analysis of symmetric-key ciphers, especially block ciphers.


Author(s):  
Eik List ◽  
Mridul Nandi

There is an ongoing trend in the symmetric-key cryptographic community to construct highly secure modes and message authentication codes based on tweakable block ciphers (TBCs). Recent constructions, such as Cogliati et al.'s HaT or Iwata et al.'s ZMAC, employ both the n-bit plaintext and the t-bit tweak simultaneously for higher performance. This work revisits ZMAC, and proposes a simpler alternative finalization based on HaT. As a result, we propose HtTBC, and call its instantiation with ZHash as a hash function ZMAC+. Compared to HaT, ZMAC+ (1) requires only a single key and a single primitive. Compared to ZMAC, our construction (2) allows variable, per-query parametrizable output lengths. Moreover, ZMAC+ (3) avoids the complex finalization of ZMAC and (4) improves the security bound from O(σ^2/2^(n+min(n,t))) to O(q/2^n + q(q + σ)/2^(n+min(n,t))) while retaining a practical tweak space.


Author(s):  
Yusuke Naito ◽  
Takeshi Sugawara

The use of a small block length is a common strategy when designing lightweight (tweakable) block ciphers (TBCs), and several 64-bit primitives have been proposed. However, when such a 64-bit primitive is used for an authenticated encryption with birthday-bound security, it has only 32-bit data complexity, which is subject to practical attacks. To employ a short block length without compromising security, we propose PFB, a lightweight TBC-based authenticated encryption with associated data mode, which achieves beyond-birthday-bound security. For this purpose, we extend iCOFB, which is originally defined with a tweakable random function. Unlike iCOFB, the proposed method can be instantiated with a TBC using a fixed tweak length and can handle variable-length data. Moreover, its security bound is improved and independent of the data length; this improves the key lifetime, particularly in lightweight blocks with a small size. The proposed method also covers a broader class of feedback functions because of the generalization presented in our proof. We evaluate the concrete hardware performances of PFB, which benefits from the small block length and shows particularly good performances in threshold implementation.


Author(s):  
Sergio Roldán Lombardía ◽  
Fatih Balli ◽  
Subhadeep Banik

Recently, cryptographic literature has seen new block cipher designs such as , or that aim to be more lightweight than the current standard, i.e., . Even though family of block ciphers were designed two decades ago, they still remain as the de facto encryption standard, with being the most widely deployed variant. In this work, we revisit the combined one-in-all implementation of the family, namely both encryption and decryption of each as a single ASIC circuit. A preliminary version appeared in Africacrypt 2019 by Balli and Banik, where the authors design a byte-serial circuit with such functionality. We improve on their work by reducing the size of the compact circuit to 2268 GE through 1-bit-serial implementation, which achieves 38% reduction in area. We also report stand-alone bit-serial versions of the circuit, targeting only a subset of modes and versions, e.g., and . Our results imply that, in terms of area, and can easily compete with the larger members of recently designed family, e.g., , . Thus, our implementations can be used interchangeably inside authenticated encryption candidates such as , or in place of .


2021 ◽  
Vol 11 (11) ◽  
pp. 4776
Author(s):  
Kyungbae Jang ◽  
Gyeongju Song ◽  
Hyunjun Kim ◽  
Hyeokdong Kwon ◽  
Hyunji Kim ◽  
...  

Grover's search algorithm is the most representative quantum attack method that threatens the security of symmetric key cryptography. If Grover's search algorithm is applied to symmetric key cryptography, the security level of the target symmetric key cryptography can be lowered from n-bit to n/2-bit. When applying Grover's search algorithm to the block cipher that is the target of potential quantum attacks, the target block cipher must be implemented as quantum circuits. Starting with the AES block cipher, a number of works have been conducted to optimize and implement target block ciphers into quantum circuits. Recently, many studies have been published to implement lightweight block ciphers as quantum circuits. In this paper, we present optimal quantum circuit designs of symmetric key cryptography, including the PRESENT and GIFT block ciphers. The proposed method optimizes the PRESENT and GIFT block ciphers by minimizing qubits, quantum gates, and circuit depth. We compare the proposed PRESENT and GIFT quantum circuits with other results of lightweight block cipher implementations in quantum circuits. Finally, the quantum resources of the PRESENT and GIFT block ciphers required for the oracle of Grover's search algorithm are estimated.


Author(s):  
Kazuhiko Minematsu ◽  
Tetsu Iwata

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2^n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2^(n/2)), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

