Authenticated Encryption Scheme Research Articles

Enhanced Message Authentication Encryption Scheme Based on Physical-Layer Key Generation in Resource-Limited Internet of Things

Enhanced Message Authentication Encryption Scheme Based on Physical-Layer Key Generation in Resource-Limited Internet of Things

Single-Query Quantum Hidden Shift Attacks

Quantum attacks using superposition queries are known to break many classically secure modes of operation. While these attacks do not necessarily threaten the security of the modes themselves, since they rely on a strong adversary model, they help us to draw limits on their provable security.Typically these attacks use the structure of the mode (stream cipher, MAC or authenticated encryption scheme) to embed a period-finding problem, which can be solved with a dedicated quantum algorithm. The hidden period can be recovered with a few superposition queries (e.g., O(n) for Simon’s algorithm), leading to state or key-recovery attacks. However, this strategy breaks down if the period changes at each query, e.g., if it depends on a nonce.In this paper, we focus on this case and give dedicated state-recovery attacks on the authenticated encryption schemes Rocca, Rocca-S, Tiaoxin-346 and AEGIS- 128L. These attacks rely on a procedure to find a Boolean hidden shift with a single superposition query, which overcomes the change of nonce at each query. This approach has the drawback of a lower success probability, meaning multiple independent (and parallelizable) runs are needed.We stress that these attacks do not break any security claim of the authors, and do not threaten the schemes if the adversary only makes classical queries.

Twinkle: A family of Low-latency Schemes for Authenticated Encryption and Pointer Authentication

In this paper, we aim to explore the design of low-latency authenticated encryption schemes particularly for memory encryption, with a focus on the temporal uniqueness property. To achieve this, we present the low-latency Pseudo-Random Function (PRF) called Twinkle with an output up to 1152 bits. Leveraging only one block of Twinkle, we developed Twinkle-AE, a specialized authenticated encryption scheme with six variants covering different cache line sizes and security requirements. We also propose Twinkle-PA, a pointer authentication algorithm, which takes a 64-bit pointer and 64-bit context as input and outputs a tag of 1 to 32 bits. We conducted thorough security evaluations of both the PRFs and these schemes, examining their robustness against various common attacks. The results of our cryptanalysis indicate that these designs successfully achieve their targeted security objectives. Hardware implementations using the FreePDK45nm library show that Twinkle-AE achieves an encryption and authentication latency of 3.83 ns for a cache line. In comparison, AES-CTR with WC-MAC scheme and Ascon-128a achieve latencies of 9.78 ns and 27.30 ns, respectively. Moreover, Twinkle-AE is also most area-effective for the 1024-bit cache line. For the pointer authentication scheme Twinkle-PA, the latency is 2.04 ns, while QARMA-64-sigma0 has a latency of 5.57 ns.

Enhancing the Security of Classical Communication with Post-Quantum Authenticated-Encryption Schemes for the Quantum Key Distribution

This research aims to establish a secure system for key exchange by using post-quantum cryptography (PQC) schemes in the classic channel of quantum key distribution (QKD). Modern cryptography faces significant threats from quantum computers, which can solve classical problems rapidly. PQC schemes address critical security challenges in QKD, particularly in authentication and encryption, to ensure the reliable communication across quantum and classical channels. The other objective of this study is to balance security and communication speed among various PQC algorithms in different security levels, specifically CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon, which are finalists in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization project. The quantum channel of QKD is simulated with Qiskit, which is a comprehensive and well-supported tool in the field of quantum computing. By providing a detailed analysis of the performance of these three algorithms with Rivest–Shamir–Adleman (RSA), the results will guide companies and organizations in selecting an optimal combination for their QKD systems to achieve a reliable balance between efficiency and security. Our findings demonstrate that the implemented PQC schemes effectively address security challenges posed by quantum computers, while keeping the the performance similar to RSA.

ZLR: a fast online authenticated encryption scheme achieving full security

AbstractOnline authenticated encryption has been considered of practical relevance in light-weight environments due to low latency and constant memory usage. In this paper, we propose a new tweakable block cipher-based online authenticated encryption scheme, dubbed , and its domain separation variant, dubbed . and follow the Encrypt-Mix-Encrypt paradigm. However, in contrast to existing schemes using the same paradigm such as and , and enjoy n-bit security by using larger internal states with an efficient -like hashing algorithm. In this way, 2n-bit blocks are processed with only a single primitive call for hashing and two primitive calls for encryption and decryption, when they are based on an n-bit tweakable block cipher using n-bit (resp. 2n-bit) tweaks for (resp. ). Furthermore, they support pipelined computation as well as online nonce-misuse resistance. To the best of our knowledge, and are the first pipelineable tweakable block cipher-based online authenticated encryption schemes of rate-2/3 that provide n-bit security with online nonce-misuse resistance.

High throughput acceleration of NIST lightweight authenticated encryption schemes on GPU platform

High throughput acceleration of NIST lightweight authenticated encryption schemes on GPU platform

Lynx: Family of Lightweight Authenticated Encryption Schemes Based on Tweakable Blockcipher

Lynx: Family of Lightweight Authenticated Encryption Schemes Based on Tweakable Blockcipher

Differential-Linear Cryptanalysis of GIFT family and GIFT-based Ciphers

At CHES 2017, Banik et al. proposed a lightweight block cipher GIFT consisting of two versions GIFT-64 and GIFT-128. Recently, there are lots of authenticated encryption schemes that adopt GIFT-128 as their underlying primitive, such as GIFT-COFB and HyENA. To promote a comprehensive perception of the soundness of the designs, we evaluate their security against differential-linear cryptanalysis. For this, automatic tools have been developed to search differential-linear approximation for the ciphers based on S-boxes. With the assistance of the automatic tools, we find 13-round differential-linear approximations for GIFT-COFB and HyENA. Based on the distinguishers, 18-round key-recovery attacks are given for the message processing phase and initialization phase of both ciphers. Moreover, the resistance of GIFT-64/128 against differential-linear cryptanalysis is also evaluated. The 12-round and 17-round differential-linear approximations are found for GIFT-64 and GIFT-128 respectively, which lead to 18-round and 19-round key-recovery attacks respectively. Here, we stress that our attacks do not threaten the security of these ciphers.

The COLM Authenticated Encryption Scheme

The COLM Authenticated Encryption Scheme

Constructing Committing and Leakage-Resilient Authenticated Encryption

The main goal of this work is to construct authenticated encryption (AE) hat is both committing and leakage-resilient. As a first approach for this we consider generic composition as a well-known method for constructing AE schemes. While the leakage resilience of generic composition schemes has already been analyzed by Barwell et al. (Asiacrypt’17), for committing security this is not the case. We fill this gap by providing a separate analysis of the generic composition paradigms with respect to committing security, giving both positive and negative results: By means of a concrete attack, we show that Encrypt-then-MAC is not committing. Furthermore, we prove that Encrypt-and-MAC is committing, given that the underlying schemes satisfy security notions we introduce for this purpose. We later prove these new notions achievable by providing schemes that satisfy them. MAC-then-Encrypt turns out to be more difficult due to the fact that the tag is not outputted alongside the ciphertext as it is done for the other two composition methods. Nevertheless, we give a detailed heuristic analysis of MAC-then-Encrypt with respect to committing security, leaving a definite result as an open task for future work. Our results, in combination with the fact that only Encrypt-then-MAC yields leakage-resilient AE schemes, show that one cannot obtain AE schemes that are both committing and leakage-resilient via generic composition. As a second approach for constructing committing and leakage-resilient AE, we develop a generic transformation that turns an arbitrary AE scheme into one that fulfills both properties. The transformation relies on a keyed function that is both binding, i.e., it is hard to find key-input pairs that result in the same output, and leakage-resilient pseudorandom.

Tightening Leakage Resilience of the Suffix Keyed Sponge

Lightweight cryptographic constructions are often optimized on multiple aspects that put the security bounds to the limit. In this respect, it is important to obtain security bounds that are tight and give an accurate and exact indication of the generic security. However, whereas for black-box security bounds it has become common practice to argue tightness of security bounds, for leakage resilience security bounds this is not the case. This is unfortunate, as for leakage resilience results, tightness is even more important as there is already a lossiness incurred in capturing the actual leakage by a theoretical model in the first place.In this work, we consider the SuKS (Suffix Keyed Sponge) PRF construction and investigate tightness of the leakage resilience bound of Dobraunig and Mennink (ToSC 2019). We observe that, although their black-box security result is tight, their leakage resilience bound is not tight in their bounded leakage term λ. We observe that this is caused by the fact that parts of the security bound contain a term covering multicollisions and a term covering leakage, but an adversary is unable to combine both. We next consider improved security of the SuKS for two types of leakage: fixed position leakage, where the adversary directly learns the value of λ bits of a secret state, and Hamming weight leakage, where the Hamming weight of a fixed part of the state is leaked. For fixed position leakage, a very generous form of bounded leakage, we improve the original bound by making wise use of the multicollision limit function of Daemen et al. (ASIACRYPT 2017). For the more realistic setting of Hamming weight leakage, we structurally revisit the multicollision limit function analysis by including Hamming weight in the computation, a problem that is difficult on its own due to the non-uniform character of this type of leakage. In both cases, we improve and tighten the leakage resilience bound of Dobraunig and Mennink. The improved bound for the SuKS has immediate consequences for the leakage resilience of the NIST lightweight cryptography competition finalist ISAP v2, an authenticated encryption scheme that uses the SuKS internally.

Old School, New Primitive: Toward Scalable PUF-Based Authenticated Encryption Scheme in IoT

The Internet of Things (IoT) facilitates the information exchange between people and smart devices. It needs cryptographic measures to secure its communications and interconnected objects. However, cyber-physical attacks pose a great challenge to the protection of secret keys inside. Physically Unclonable Function (PUF) is a promising hardware primitive with unclonable structures providing tamper evidence for a device. Moreover, a PUF instance has a unique set of randomized challenge-response pairs. Although it can be integrated into a security scheme to replace long-term keys, designing a dedicated PUF-based cryptographic algorithm that supports peer-to-peer communication remains a challenging field to explore. In this paper, we propose SPEAR, a scalable PUF-based authenticated encryption scheme that uses no cryptographic primitives other than PUF and hash functions. SPEAR can be deployed on peer IoT devices that have performed a handshake protocol to obtain shared credentials. Its security under the chosen ciphertext attack is formally proved using the game-playing technique, and it is still secure when attackers physically extract the credentials. In addition, we give a variant, xSPEAR, to involve associated data and avoid the nonce reuse problem. Compared to other PUF-based ciphers, it performs better in terms of storage overhead and PUF evaluation times. SPEAR first realizes scalable authenticated encryption based on PUF and can be a practical solution for IoT.

IoT Edge Device Security: An Efficient Lightweight Authenticated Encryption Scheme Based on LED and PHOTON

IoT devices and embedded systems are deployed in critical environments, emphasizing attributes like power efficiency and computational capabilities. However, these constraints stress the paramount importance of device security, stimulating the exploration of lightweight cryptographic mechanisms. This study introduces a lightweight architecture for authenticated encryption tailored to these requirements. The architecture combines the lightweight encryption of the LED block cipher with the authentication of the PHOTON hash function. Leveraging shared internal operations, the integration of these bases optimizes area–performance tradeoffs, resulting in reduced power consumption and a reduced logic footprint. The architecture is synthesized and simulated using Verilog HDL, Quartus II, and ModelSim, and implemented on Cyclone FPGA devices. The results demonstrate a substantial 14% reduction in the logic area and up to a 46.04% decrease in power consumption in contrast to the individual designs of LED and PHOTON. This work highlights the potential for using efficient cryptographic solutions in resource-constrained environments.

ESCI-AKA: Enabling Secure Communication in an IoT-Enabled Smart Home Environment Using Authenticated Key Agreement Framework

Smart home environments are a vital component of the larger ecosystem within smart cities, aiming to revolutionize residential living through the integration of Internet of Things (IoT) devices and advanced technologies. However, ensuring robust security and preserving privacy in these interconnected ecosystems present significant challenges. During the monitoring and controlling tasks in the smart home environment, diverse commands are exchanged between the IoT device and the user over the public Internet. The public Internet is open and vulnerable to various security attacks, which can corrode the monitoring and controlling operation of the smart home. In addition, conventional security algorithms are inappropriate for IoT devices deployed in the smart home. However, various pernicious security attacks are equally efficacious in the resource-limited smart home environment. Thus, various authenticated encryption schemes are proposed to enable security services in resource-constricted smart home environments. This paper presents a lightweight and efficient authentication framework for a smart home environment by leveraging the features of an authenticated encryption scheme and the hash function called “ESCI-AKA”. ESCI-AKA checks the authenticity of the user at the local device and exchanges three messages among the user, gateway, and smart embedded device for establishing a secure channel for indecipherable communication by setting a session key. In addition, we corroborate the security of the established session key through the random oracle model and informal security analysis. Moreover, the Scyther tool is employed for the security validation of ESCI-AKA. Finally, the performance comparison of ESCI-AKA and other eminent security frameworks explicates that ESCI-AKA requires low computational and communication costs while providing robust security features.

CMAF-IIoT: Chaotic map-based authentication framework for Industrial Internet of Things

The Industrial Internet of Things (IIoT) revolutionizes industrial production using smart devices (SMDs) deployed in IIoT environments. These SMDs collect and transmit information from target fields for analysis and can be controlled remotely. In emergency situations, real-time access to specific SMD information is crucial for prompt actions. However, ensuring secure and reliable communication between users and SMDs in untrusted channels is a significant challenge. Privacy concerns and the limitations of existing authentication frameworks further exacerbate this challenge, necessitating a lightweight cryptography-based authentication framework. This framework is essential to enable secure and reliable communication in the diverse IIoT environment while addressing privacy leakage threats and the computational constraints of IoT devices. Recently, various lightweight cryptography-based authenticated encryption (AE) schemes have been proposed to enable encryption and decryption services for resource-constrained IIoT devices. ASCON, an efficient AE scheme, offers confidentiality, integrity, and authenticity in a single encryption and decryption operation, reducing the number of cryptographic operations required for authentication framework design. This paper presents CMAF-IIoT, a chaotic map and resource-efficient AE scheme (ASCON)-based authentication framework for IIoT, addressing the aforementioned challenges. CMAF-IIoT ensures reliable communication between SMDs and users. The framework begins with user-performed local authentication on their smart devices, followed by the establishment of a session key with the SMD after mutual authentication with the gateway. Using the session key, users securely access real-time information from SMDs deployed in the IIoT environment. The security of CMAF-IIoT is validated through formal and informal security analyses. Additionally, the efficiency of CMAF-IIoT is evaluated in terms of communication, computational, and storage costs. The results indicate that CMAF-IIoT requires [6.67% to 53.33%] low storage cost, [45.13% to 65.87%] low computational cost, and [16.46% to 83.29%] low communication cost compared to contrasted authentication frameworks. These findings highlight the viability of CMAF-IIoT for the IIoT environment, as it provides resource efficiency and enhanced security features.

Understanding the Duplex and Its Security

At SAC 2011, Bertoni et al. introduced the keyed duplex construction as a tool to build permutation based authenticated encryption schemes. The construction was generalized to full-state absorption by Mennink et al. (ASIACRYPT 2015). Daemen et al. (ASIACRYPT 2017) generalized it further to cover much more use cases, and proved security of this general construction, and Dobraunig and Mennink (ASIACRYPT 2019) derived a leakage resilience security bound for this construction. Due to its generality, the full-state keyed duplex construction that we know today has plethora applications, but the flip side of the coin is that the general construction is hard to grasp and the corresponding security bounds are very complex. Consequently, the state-of-the-art results on the full-state keyed duplex construction are not used to the fullest. In this work, we revisit the history of the duplex construction, give a comprehensive discussion of its possibilities and limitations, and demonstrate how the two security bounds (of Daemen et al. and Dobraunig and Mennink) can be interpreted in particular applications of the duplex.

CADF-CSE: Chaotic map-based authenticated data access/sharing framework for IoT-enabled cloud storage environment

Data is an essential asset of an organization or individual in this information age. Secure and resource-efficient data communication has become paramount in the IoT-enabled cloud storage environment. The users must communicate with the cloud storage servers to access, store, and share the data utilizing the public communication channel, which is exposed to various security threats. Moreover, various security frameworks have been presented to render secure data access, storage, and sharing functionalities for the cloud storage environment. Most of them are complicated and incapacitated of resisting various security attacks. Thus, it is imperative to design a secure and resource-efficient data access, storage, and sharing framework for the cloud storage environment. This paper presents a chaotic map-based authenticated data access/sharing framework for the IoT-enabled cloud storage environment (CADF-CSE). CADF-CSE is designed using the chaotic map, authenticated encryption scheme (AEGIS), and one-way hash function (Esch256). The proposed CADF-CSE comprises three significant phases user access control, data storage, and data sharing. The user access control phase enables the user and cloud server to attain mutual authentication followed by the secret session key establishment. Using the established SK during the access control phase user and cloud server exchange information securely across the public Internet. The data storage phase facilitates the data owner to store the data on a cloud server in encrypted form, where encryption is performed with a secret key derived from the user’s biometric. The data-sharing phase enables users to access the data from the cloud server after acquiring mutual permission from the cloud server and the data owner. In addition, an explication of the CADF-CSE through formal and informal analysis shows its resilience to various security attacks. Finally, the performance comparison explicates that CADF-CSE renders better security features while requiring lower computational and communication costs than the related security frameworks.

Subverting Telegram’s End-to-End Encryption

Telegram is a popular secure messaging service with third biggest user base as of 2021. In this paper, we analyze the security of Telegram’s end-to-end encryption (E2EE) protocol in presence of mass-surveillance. Specifically, we show >that Telegram’s E2EE protocol is susceptible to fairly efficient algorithm substitution attacks. While official Telegram clients should be protected against this type of attack due their open-source nature and reproducible builds, this could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either on individuals through a targeted attack or massively through some compromised third-party clients. We provide an efficient algorithm substitution attack against MTProto2.0 — the underlying authenticated encryption scheme — that recovers significant amount of encryption key material with a very high probability with few queries and fairly low latency. This could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either through a targeted attack or a compromised third-party app. Our attack exploits MTProto2.0’s degree of freedom in choosing the random padding length and padding value. Accordingly, we strongly recommend that Telegram should revise MTProto2.0’s padding methodology. In particular, we show that a minor change in the padding description of MTProto2.0 makes it subversion-resistant in most of the practical scenarios. As a side-effect, we generalize the underlying mode of operation in MTProto2.0, as MTProto-G, and show that this generalization is a multi-user secure deterministic authenticated encryption scheme.

A more efficient public-key authenticated encryption scheme with keyword search

To realize ciphertext retrieval without decryption in the public key settings, Boneh et al. in 2004 proposed a cryptographic primitive named Public-key Encryption with Keyword Search (PEKS) and proposed the first PEKS scheme. Following Boneh et al.’s work, various PEKS schemes were proposed; however, most schemes are vulnerable to inside keyword guessing attacks (IKGA). Huang and Li proposed a new primitive named Public-key Authenticated Encryption with Keyword Search (PAEKS) in 2017, which resists the IKGA in the setting of only one test server. Their main idea to resist IKGA is to require the data sender to authenticate the ciphertext while encrypting a keyword. However, in the era of big data, as the number of encrypted files increases, huge storage overhead and heavy retrieval costs become problems in PAEKS. In this paper, we proposed a new PAEKS scheme that costs low storage space and supports fast search. We introduced the ciphertext deduplication into PAEKS to reduce storage space and leveraged the inverted index to accelerate the retrieval process. We simulated the proposed scheme and several related schemes with a desktop computer. The experiment results show that our proposed scheme is of lower storage overhead and higher retrieval efficiency compared with related schemes.

MILP‐based security evaluation for AEGIS/Tiaoxin‐346/Rocca

AbstractIn this paper, the security of Advanced Encryption Standard‐based authenticated encryption schemes, including AEGIS family, Tiaoxin‐346, and Rocca by mixed integer linear programming tools is examined. Specifically, for the initialisation phase of AEGIS, Tiaoxin‐346, and Rocca, the security against differential attacks and integral attacks is evaluated by estimating the lower bounds for the number of active S‐boxes and utilising division property, respectively. In addition to the estimations of initialisation phases, the security of the encryption phases of AEGIS, Tiaoxin‐346, and Rocca against distinguishing attacks on keystream is evaluated by exploiting integral properties. As a result, the authors show that the initialisation phases of AEGIS‐128/128L/256, Tiaoxin‐346, and Rocca are secure against differential attacks after 4/3/6, 5, and 6 rounds, respectively. Regarding integral attacks, the distinguisher is found on 6/6/7, 15, and 7 rounds in the initialisation phases of AEGIS‐128/128L/256, Tiaoxin‐346, and Rocca, respectively. Additionally, the integral distinguisher is presented on 2/2/4, 4, and 4 rounds in the encryption phases of AEGIS‐128/128L/256, Tiaoxin‐346, and Rocca, respectively. As far as it is known, this study’s results are the first distinguishing attacks on the keystream on AEGIS, Tiaoxin‐346, and Rocca without relying on weak keys.