Abstract

Permutation-based modes have been established for lightweight authenticated encryption, as can be seen from the high interest in the ongoing NIST lightweight competition. However, their security is upper bounded by $O(\sigma^2/2^c)$, where $\sigma$ is the number of permutation calls and $c$ is the hidden capacity of the state. The development of more schemes that provide higher security bounds led to the CHES'18 proposal Beetle, which raised the bound to $O(r\sigma/2^c)$, where $r$ is the public rate of the state. While authenticated encryption can be performed in an on-line manner, authenticated decryption assumes that the resulting plaintext is buffered and never released if the corresponding tag is incorrect. Since lightweight devices may lack the resources for buffering, additional robustness guarantees, such as integrity under release of unverified plaintexts (Int-RUP), are desirable. In this stronger setting, the security of the established schemes, including Beetle, is limited by $O(q_p q_d/2^c)$, where $q_d$ is the maximal number of decryption queries and $q_p$ that of off-line primitive queries, which motivates novel approaches. This work proposes Oribatida, a permutation-based AE scheme that derives $s$-bit masks from previous permutation outputs to mask ciphertext blocks. Oribatida can provide a security bound of $O(r\sigma^2/2^{c+s})$, which allows smaller permutations for the same level of security. Under Int-RUP adversaries it provides a security level dominated by $O(\sigma_d^2/2^c)$, which eliminates the dependency on primitive queries. We prove its security under nonce-respecting and Int-RUP adversaries. We show that our Int-RUP bound is tight and show general attacks on previous constructions.
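Worked instance of the nonce-respecting bounds quoted in the abstract (added here for illustration, not taken from the paper; the constants hidden by the $O(\cdot)$ notation are ignored). Solving each bound for the capacity needed to keep the distinguishing advantage below $2^{-t}$ gives

$$\begin{aligned}
\text{duplex:}    && \sigma^2/2^{c} \le 2^{-t} &\;\Leftrightarrow\; c \ge t + 2\log_2\sigma,\\
\text{Beetle:}    && r\sigma/2^{c} \le 2^{-t} &\;\Leftrightarrow\; c \ge t + \log_2 r + \log_2\sigma,\\
\text{Oribatida:} && r\sigma^2/2^{c+s} \le 2^{-t} &\;\Leftrightarrow\; c \ge t + \log_2 r + 2\log_2\sigma - s.
\end{aligned}$$

With the illustrative values $t = 64$, $\sigma = 2^{50}$, $r = 64$ and $s = 64$ this yields $c \ge 164$, $c \ge 120$ and $c \ge 106$ bits respectively, which is what "smaller permutations for the same level of security" means in practice. Note the caveat: the Int-RUP bound $O(\sigma_d^2/2^c)$ contains no $s$, so the capacity saving applies to the nonce-respecting setting only.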

Highlights

  • 1.1 Permutation-based Modes: Permutation-based modes have been established for various applications of symmetric-key cryptography during the previous decade

  • We briefly recall Ψr before we describe the details of Simon, provide an overview of existing cryptanalysis, and close with a discussion of the implications on SimP

  • For Simon-96-96, the authors found iterative key differentials for up to 20 rounds. It remains unclear if this yields an impossible differential; in the best case, a key-iterated 20-round distinguisher could be extended by 2 + 2 + 2 wrapping rounds: two more blank rounds where one key word is not used, plus two rounds where the key difference can be canceled by the state differences, plus two outermost rounds since the result of the non-linear function is independent of the key and predictable in Simon


Summary

Permutation-based Modes

Permutation-based modes have been established for various applications of symmetric-key cryptography during the previous decade. The sponge [17] and duplex [15] modes transform an internal n-bit state iteratively with a public permutation. Both modes absorb an input stream block-wise to generate a pseudo-random output stream. While sponges separate the input (absorption) and output (squeezing) phases, the duplex mode generates the i-th output block directly after the i-th input block has been absorbed. In both modes, an n-bit permutation absorbs the data in r-bit chunks, where the r-bit outer part of the state (r < n) is called the rate and the remaining c = n − r bits form the hidden capacity. Security guarantees such as Int-RUP represent valuable additional levels of robustness.
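The duplex mode described above and the ciphertext masking from the abstract, as an added worked example that is not code from the Oribatida paper or its reference implementation. It assumes toy parameters (a 192-bit state with r = 64 and c = 128), a deliberately non-cryptographic public permutation, no associated data, no padding, a toy tag, and an assumed mask placement (s = 64 bits taken from the capacity part of the previous permutation output, with the first mask taken from the initialisation call). It shows the point that makes release of unverified plaintext dangerous: in the plain duplex, C_i ⊕ P_i equals the outer part of the state, so a single unverified decryption of a chosen ciphertext hands the adversary the rate part of every intermediate state; with the mask, the same computation yields outer(S_i) ⊕ V_{i−1} and the state stays hidden. The paper's actual Int-RUP attacks are not reproduced here.

```python
import hashlib

# Toy parameters (assumed for this example; they are not Oribatida's).
N_BYTES = 24                 # n = 192-bit state
R_BYTES = 8                  # r = 64-bit rate: the outer, public part
C_BYTES = N_BYTES - R_BYTES  # c = 128-bit capacity: the inner, hidden part
S_BYTES = 8                  # s-bit mask, s = r here
TAG_BYTES = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_permutation(state: bytes) -> bytes:
    """Public, invertible toy permutation: a 4-round Feistel network with
    SHA-256 as the round function. Not a cryptographic design; the example
    only needs a public bijection on n-bit states."""
    assert len(state) == N_BYTES
    half = N_BYTES // 2
    left, right = state[:half], state[half:]
    for rnd in range(4):
        f = hashlib.sha256(bytes([rnd]) + right).digest()[:half]
        left, right = right, xor(left, f)
    return left + right


def duplex_ae(key: bytes, nonce: bytes, data: bytes, decrypt: bool, masked: bool):
    """Nonce-based duplex encryption/decryption without associated data, for
    messages that are a multiple of r bits (padding omitted for brevity).

    masked=False: plain duplex, C_i = M_i xor outer(S_i).
    masked=True : C_i = M_i xor outer(S_i) xor V_{i-1}, where the s-bit mask
                  V_{i-1} is taken from the capacity part of the previous
                  permutation output (assumed placement, in the spirit of the
                  abstract's masking; V_0 comes from the initialisation call).

    The state update is the same in both variants; only the released
    ciphertext differs. Returns (output, tag, outer_parts). The tag is
    computed but never checked here, which is exactly the release-of-
    unverified-plaintext setting. outer_parts records outer(S_i) for every
    block so a caller can compare it with an adversary's view."""
    assert len(key) + len(nonce) == N_BYTES
    assert len(data) % R_BYTES == 0
    state = toy_permutation(key + nonce)   # S_1 = P(K || N), assumed format
    mask = state[-S_BYTES:]                # V_0
    out, outer_parts = [], []
    for i in range(0, len(data), R_BYTES):
        block = data[i:i + R_BYTES]
        outer, inner = state[:R_BYTES], state[R_BYTES:]
        outer_parts.append(outer)
        if decrypt:
            c_state = xor(block, mask) if masked else block  # C_i with the mask removed
            out.append(xor(c_state, outer))                  # M_i
        else:
            c_state = xor(block, outer)                      # M_i xor outer(S_i)
            out.append(xor(c_state, mask) if masked else c_state)  # C_i
        # Duplex step: the unmasked ciphertext block becomes the new outer part.
        state = toy_permutation(c_state + inner)
        mask = state[-S_BYTES:]                              # V_i for the next block
    return b"".join(out), state[:TAG_BYTES], outer_parts


def rup_view(key: bytes, nonce: bytes, ciphertext: bytes, masked: bool):
    """What an Int-RUP adversary learns from one unverified decryption query.
    It does not know the key, but the device releases the plaintext before
    (or instead of) checking the tag, so it can form C_i xor P_i per block.
    Returns (observed, true_outer_parts); the key is used here only to
    produce the ground truth for the comparison."""
    plaintext, _tag, outer_parts = duplex_ae(key, nonce, ciphertext,
                                             decrypt=True, masked=masked)
    observed = [xor(ciphertext[i:i + R_BYTES], plaintext[i:i + R_BYTES])
                for i in range(0, len(ciphertext), R_BYTES)]
    return observed, outer_parts


if __name__ == "__main__":
    key, nonce = bytes(range(16)), bytes(range(8))   # constructed sample values
    forged = bytes(2 * R_BYTES)                       # adversary's chosen ciphertext, no valid tag
    for masked in (False, True):
        observed, truth = rup_view(key, nonce, forged, masked)
        leaked = sum(o == t for o, t in zip(observed, truth))
        print(f"masked={masked}: {leaked}/{len(truth)} outer state parts recovered")
```

Because the mask only touches the released ciphertext and not the state update, both variants of the toy produce the same tag for the same key, nonce and message, and no extra permutation call is spent on the mask; what changes is only what C_i ⊕ P_i reveals to someone who obtains P_i without a valid tag.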

Research Gap
Contribution
Outline
General Notations
Nonce-based Authenticated Encryption
H-coefficient Technique
Int-RUP Attacks on Existing AE Schemes
Int-RUP Attack on The Duplex Mode
Int-RUP Attack on Beetle
Int-RUP Attack on SPoC
Int-RUP Attack on A Hybrid of Beetle and SPoC
Discussion
Specification of Oribatida
Initialization
Processing Associated Data
Encryption
Decryption
Domain Separation
Int-RUP Attacks on Schemes with Masked Ciphertexts
Int-RUP Attack on The Masked Beetle
Int-RUP Attack on The Masked SPoC
AE Security Analysis
Int-RUP Analysis
Dec-then-Enc
Enc-then-Dec
Efficiency
Security
10 Instantiation of Oribatida
10.1 The Ψr Domain Extender
10.2 Φr: A Variant of Ψr That Includes The Key Schedule
10.4 The SimP-n-θ Family of Permutations
10.4.3 State-update Function
10.4.4 Step Function
10.4.5 Round Constants
10.4.7 Number of Rounds
10.4.8 The Byte Order in Oribatida
11.1 Requirements
11.2.1 Differential Cryptanalysis
11.2.2 Linear Cryptanalysis
11.2.4 Related-key Distinguishers
11.2.5 Algebraic Cryptanalysis
11.2.6 Meet-in-the-Middle Attacks
11.2.7 Correlated Sequences
11.3 Implications to SimP
11.3.1 Related-key Differential Cryptanalysis
11.3.2 Differential Distinguishers
11.3.3 Integral and impossible-differential Distinguishers
11.3.4 Cube-like Distinguishers
11.3.5 Number of Steps and Rounds of SimP
12 FPGA Implementations
12.2 Oribatida
13 Conclusion