Authenticated Encryption Research Articles

Enhanced Message Authentication Encryption Scheme Based on Physical-Layer Key Generation in Resource-Limited Internet of Things

Enhanced Message Authentication Encryption Scheme Based on Physical-Layer Key Generation in Resource-Limited Internet of Things

FEDT: Forkcipher-based Leakage-resilient Beyond-birthday-secure AE

There has been a notable surge of research on leakage-resilient authenticated encryption (AE) schemes, in the bounded as well as the unbounded leakage model. The latter has garnered significant attention due to its detailed and practical orientation. Designers have commonly utilized (tweakable) block ciphers, exemplified by the TEDT scheme, achieving 𝒪 ( n − log ( n 2 ) ) -bit integrity under leakage and comparable AE security in the black-box setting. However, the privacy of TEDT was limited by n / 2 -bits under leakage; TEDT2 sought to overcome these limitations by achieving improved security with 𝒪 ( n − log n ) -bit integrity and privacy under leakage. This work introduces FEDT, an efficient leakage-resilient authenticated encryption (AE) scheme based on fork-cipher. Compared to the state-of-the-art schemes TEDT and TEDT2, which process messages with a rate of 1 / 2 block per primitive call for encryption and one for authentication, FEDT doubles their rates at the price of a different primitive. FEDT employs a more parallelizable tree-based encryption compared to its predecessors while maintaining 𝒪 ( n − log n ) -bit security for both privacy and integrity under leakage. FEDT prioritizes high throughput at the cost of increased latency. For settings where latency is important, we propose FEDT*, which combines the authentication part of FEDT with a CTR-based encryption. FEDT* offers security equivalent to FEDT while increasing the encryption rate of 4 / 3 and reducing the latency.

A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers

We analyze the multi-user (mu) security of a family of nonce-based authentication encryption (nAE) schemes based on a tweakable block cipher (TBC). The starting point of our work is an analysis of the mu security of the SCT-II mode which underlies the nAE scheme Deoxys-II, winner of the CAESAR competition for the defense-in-depth category. We extend this analysis in two directions, as we detail now. First, we investigate the mu security of several TBC-based variants of the counter encryption mode (including CTRT, the encryption mode used within SCT-II) that differ by the way a nonce, a random value, and a counter are combined as tweak and plaintext inputs to the TBC to produce the keystream blocks that will mask the plaintext blocks. Then, we consider the authentication part of SCT-II and study the mu security of the nonce-based MAC Nonce-as-Tweak (NaT) built from a TBC and an almost universal (AU) hash function. We also observe that the standard construction of an AU hash function from a (T)BC can be proven secure under the assumption that the underlying TBC is unpredictable rather than pseudorandom, allowing much better conjectures on the concrete AU advantage. This allows us to derive the mu security of the family of nAE modes obtained by combining these encryption/MAC building blocks through the NSIV composition method. Some of these modes require an underlying TBC with a larger tweak length than what is usually available for existing ones. We then show the practicality of our modes by instantiating them with two new TBC constructions, Deoxys-TBC-512 and Deoxys-TBC-640, which can be seen as natural extensions of the Deoxys-TBC family to larger tweak input sizes. Designing such TBCs with unusually large tweaks is prone to pitfalls: Indeed, we show that a large-tweak proposal for SKINNY published at EUROCRYPT 2020 presents an inherent construction flaw. We therefore provide a sound design strategy to construct large-tweak TBCs within the Superposition Tweakey (STK) framework, leading to new Deoxys-TBC and SKINNY variants. We provide software benchmarks indicating that while ensuring a very high security level, the performances of our proposals remain very competitive.

Multiplex: TBC-Based Authenticated Encryption with Sponge-Like Rate

Authenticated Encryption (AE) modes of operation based on Tweakable Block Ciphers (TBC) usually measure efficiency in the number of calls to the underlying primitive per message block. On the one hand, many existing solutions reach a primitive-rate of 1, meaning that each n-bit block of message asymptotically needs a single call to the TBC with output length n. On the other hand, while these modes look optimal in a blackbox setting, they become less attractive when leakage comes into play, since all these calls must then be equally well protected to maintain security. Leakage-resistant modes improve this situation, by generating ephemeral keys every constant number of calls. However, rekeying is inherently suboptimal in primitive-rate, since a TBC call can only be used either to refresh a key or to encrypt a block. Even worse, existing solutions achieving almost n bits of security for n-bit secret keys have at most a primitive-rate 2/3. Hence the question: Can we design a highly-secure TBC-based rekeying mode with “nearly optimal” primitive-rate? We answer this question positively with Multiplex, a new mode that has primitive-rate d/(d + 1) given a TBC with a dn-bit tweak. Multiplex achieves n − log2(dn) bits of security for both (i) misuse-resilience CCA confidentiality security in the blackbox setting and (ii) Ciphertext Integrity with Misuse-resistant and unbounded Leakage in encryption and decryption (CIML2). It also provides (iii) confidentiality with leakage up to the birthday bound. Furthermore, Multiplex can run d + 1 calls in parallel in each iteration. The combination of these features gives a mode of operation that inherits most of the good implementation features and flexibility of a sponge construction – therefore paving the way towards sound comparisons between TBC-based and permutation-based AE.

Differential fault attack on SPN-based sponge and SIV-like AE schemes

Differential fault attack on SPN-based sponge and SIV-like AE schemes

EFFICIENT MULTI-AUTHORITY ACCESS CONTROL USING CIPHERTEXT POLICY -HIERARCHICAL ATTRIBUTE BASED ENCRYPTION IN CLOUD STORAGE

The goal of this research is to improve the security of cloud-based data storage systems by presenting the Cloud Secure Storage Mechanism based on Data Dispersion and Encryption (CPHABE). The User Frame, Authority Login, Cloud Server Login, and Data Owner Login are the four separate components that make up the system. By providing file names and requesting transformation keys from the authority for decryption, users start downloads. Requests for transformation keys, upload information, and key creation are handled by the authority. Owner identities, file names, encrypted content, gate types, and storage size graphs are all managed by cloud servers. Partially decrypted data, such as user identities, file names, transformation keys, data owner IDs, and partially decrypted content, is sent in response to user requests. Data owners may use the system to explore files, obtain keys, and apply hybrid encryption methods including Authenticated Encryption (AE) and Key Encapsulation Mechanism (KEM). This all-encompassing strategy guarantees strong encryption, data dispersion, and security measures, offering a stable foundation for cloud storage systems. Keywords: Cloud Storage, Security Mechanism, Encryption

Lynx: Family of Lightweight Authenticated Encryption Schemes Based on Tweakable Blockcipher

Lynx: Family of Lightweight Authenticated Encryption Schemes Based on Tweakable Blockcipher

Security Analysis of the Symmetric Cryptosystem TinyJambu

Symmetric cryptography provides the best examples of cryptosystems to be applied in lightweight environments (e.g., IoT). A representative example is the cryptosystem TinyJambu, one of the ten finalists in the NIST Lightweight Cryptography Standardization Project. It is an authentication encryption with associated data scheme that is extremely lightweight and fast. In this work, we analyze the security of TinyJambu from two distinct and non-symmetric points of view: (1) the improvement of the best cryptanalytical attack found in the literature and (2) a randomness analysis of the generated sequences. Concerning item (1), we launched a differential forgery attack with probability 2−65.9487, which was improved considerably compared with previous numerical results. Concerning item (2), we analyzed the degree of randomness of the TinyJambu keystream sequences with a complete and powerful battery of statistical tests. This non-symmetric study shows the weakness of TinyJambu against cryptanalytic attacks as well as the strength of TinyJambu against statistical analysis.

Secured Framework with a Hash Function-Enabled Keyword Search in Cloud Storage Services

As with IoT devices, cloud computation increases its applicability to other areas that use the information and puts it in a commonplace that is necessary for computing and analysis. These devices need the cloud to store and retrieve data since they are unable to store and process data on their own. Cloud computing offers a variety of services to consumers, including IaaS, PaaS, and SaaS. The usage of cloud resources for data storage that may be accessible by all users associated with cloud computing is a key disadvantage of cloud computing. Without disclosing the data’s contents, the usage of Public Key Encryptions with Keyword Search (PEKS) secures publicly encrypted keys against third-party search capabilities that are not trustworthy. PEKs provide a security risk every time Interior Keywords Guessing Attacks (IKGA) are discovered in the system since an unauthorized service estimates the keywords in the trapdoor. This issue can be resolved using various methodologies such as the Certificateless Fleshed Public Key Authenticated Encryption of Keyword Search (CL-HPAEKS), which also uses Altered Elliptic Curve Cryptography (MECC), and the Mutation Centred Flower Pollinations Algorithm (CM-FPA), which uses optimization in keys to be improving the algorithm’s performance. The system’s security is achieved by adding a Message Fragments 5 (MD5) scramble mechanism. The proposed system achieves system security of 96%, and it takes less time to implement than earlier encryption methods.

Constructing Committing and Leakage-Resilient Authenticated Encryption

The main goal of this work is to construct authenticated encryption (AE) hat is both committing and leakage-resilient. As a first approach for this we consider generic composition as a well-known method for constructing AE schemes. While the leakage resilience of generic composition schemes has already been analyzed by Barwell et al. (Asiacrypt’17), for committing security this is not the case. We fill this gap by providing a separate analysis of the generic composition paradigms with respect to committing security, giving both positive and negative results: By means of a concrete attack, we show that Encrypt-then-MAC is not committing. Furthermore, we prove that Encrypt-and-MAC is committing, given that the underlying schemes satisfy security notions we introduce for this purpose. We later prove these new notions achievable by providing schemes that satisfy them. MAC-then-Encrypt turns out to be more difficult due to the fact that the tag is not outputted alongside the ciphertext as it is done for the other two composition methods. Nevertheless, we give a detailed heuristic analysis of MAC-then-Encrypt with respect to committing security, leaving a definite result as an open task for future work. Our results, in combination with the fact that only Encrypt-then-MAC yields leakage-resilient AE schemes, show that one cannot obtain AE schemes that are both committing and leakage-resilient via generic composition. As a second approach for constructing committing and leakage-resilient AE, we develop a generic transformation that turns an arbitrary AE scheme into one that fulfills both properties. The transformation relies on a keyed function that is both binding, i.e., it is hard to find key-input pairs that result in the same output, and leakage-resilient pseudorandom.

A circuit area optimization of MK-3 S-box

In MILCOM 2015, Kelly et al. proposed the authentication encryption algorithm MK-3, which applied the 16-bit S-box. This paper aims to implement the 16-bit S-box with less circuit area. First, we classified the irreducible polynomials over F2n\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\mathbb {F}_{2^n}$$\\end{document} into three kinds. Then we compared the logic gates required for multiplication over the finite field constructed by the three types of irreducible polynomials. According to the comparison result, we constructed the composite fields, F(24)2\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\mathbb {F}_{(2^4)^2}$$\\end{document} and F(28)2\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\mathbb {F}_{(2^8)^2}$$\\end{document}. Based on the isomorphism of finite fields, the operations over F216\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\mathbb {F}_{2^{16}}$$\\end{document} can be conducted over F(28)2\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\mathbb {F}_{(2^8)^2}$$\\end{document}. Similarly, elements over F28\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\mathbb {F}_{2^8}$$\\end{document} can be mapped to the corresponding elements over F(24)2\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\mathbb {F}_{(2^4)^2}$$\\end{document}. Next, the SAT solver was used to optimize the operations over smaller field F24\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\mathbb {F}_{2^4}$$\\end{document}. At last, the architecture of the optimized MK-3 S-box was worked out. Compared with the implementation proposed by the original designer, the circuit area of the MK-3 S-box in this paper is reduced by at least 55.9%.

Efficient Crypto Engine for Authenticated Encryption, Data Traceability, and Replay Attack Detection Over CAN Bus Network

Efficient Crypto Engine for Authenticated Encryption, Data Traceability, and Replay Attack Detection Over CAN Bus Network

PAESS: Public-Key Authentication Encryption With Similar Data Search for Pay-Per-Query

PAESS: Public-Key Authentication Encryption With Similar Data Search for Pay-Per-Query

Retracted: A Comprehensive Review of Lightweight Authenticated Encryption for IoT Devices

Retracted: A Comprehensive Review of Lightweight Authenticated Encryption for IoT Devices

Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode

Context-committing security of authenticated encryption (AE) that prevents ciphertexts from being decrypted with distinct decryption contexts, (K,N,A) comprising a key K, a nonce N, and associate data A is an active research field motivated by several real-world attacks. In this paper, we study the context-committing security of Ascon, the lightweight permutation-based AE selected by the NIST LWC in 2023, for cryptanalysis on primitive and proof on mode. The attacker’s goal is to find a collision of a ciphertext and a tag with distinct decryption contexts in which an attacker can control all the parameters including the key. First, we propose new attacks with primitives that inject differences in N and A. The new attack on Ascon-128 improves the number of rounds from 2 to 3 and practically generates distinct decryption contexts. The new attack also works in a practical complexity on 3 rounds of Ascon-128a. Second, we prove the context-committing security of Ascon with zero padding, namely Ascon-zp, in the random permutation model. Ascon-zp achieves min {t+z/2 , n+t−k−ν/2 , c/2}-bit security with a t-bit tag, a z-bit padding, an n-bit state, a ν-bit nonce, and a c-bit inner part. This bound corresponds to min {64 + z/2 , 96} with Ascon-128 and Ascon-128a, and min {64 + z/2 , 80} with Ascon-80pq. The original Ascon (z = 0) achieves 64-bit security bounded by a generic birthday attack. By appending zeroes to the plaintext, the security can be enhanced up to 96 bits for Ascon-128 and Ascon-128a and 80 bits for Ascon-80pq.

DMCLAEKS: Pairing-free designated-tester multi-recipient certificateless authenticated encryption with keyword search for concealing search patterns

Modern Industrial Internet of Things (IIoT) technologies, such as smart grids, 5G-enabled unmanned aerial vehicles (UAV), and supply chain 4.0, can be leveraged to promote intelligent management. Yet, IIoT systems create enormous volumes of data that must be outsourced to the cloud for storage and to provide end-users with search capabilities. The outsourcing of IIoT data to a third-party cloud service provider (CSP) creates a number of data leakage issues. Recently, Certificateless Authenticated Encryption with Keyword Search (CLAEKS) was proposed to address the issue of encrypted data querying in cloud-assisted IIoT. But so far, the majority of existing techniques depend on expensive bilinear pairing, and they are all single-receiver. In addition, these methods are extremely vulnerable to keyword guessing attacks and do not hide the search pattern, making it simple for an attacker to deduce the search content. In this paper, we present a rapid and trustworthy designed-tester multi-recipient CLAEKS (dMCLAEKS) protocol with the numerous advantages: (1) no expensive bilinear pairing procedures; (2) supporting for ciphertexts with multiple recipients; (3) defending against Inside Keyword Guess Attacks (IKGA); (4) incapability to determine search pattern. A comparative between our suggested scheme and other similar schemes is also offered to demonstrate that the proposed method is stronger overall.

IoT-Applicable Generalized Frameproof Combinatorial Designs

Secret sharing schemes are widely used to protect data by breaking the secret into pieces and sharing them amongst various members of a party. In this paper, our objective is to produce a repairable ramp scheme that allows for the retrieval of a share through a collection of members in the event of its loss. Repairable Threshold Schemes (RTSs) can be used in cloud storage and General Data Protection Regulation (GDPR) protocols. Secure and energy-efficient data transfer in sensor-based IoTs is built using ramp-type schemes. Protecting personal privacy and reinforcing the security of electronic identification (eID) cards can be achieved using similar schemes. Desmedt et al. introduced the concept of frameproofness in 2021, which motivated us to further improve our construction with respect to this framework. We introduce a graph theoretic approach to the design for a well-rounded and easy presentation of the idea and clarity of our results. We also highlight the importance of secret sharing schemes for IoT applications, as they distribute the secret amongst several devices. Secret sharing schemes offer superior security in lightweight IoT compared to symmetric key encryption or AE schemes because they do not disclose the entire secret to a single device, but rather distribute it among several devices.

MMM: Authenticated Encryption with Minimum Secret State for Masking

We propose a new authenticated encryption (AE) mode MMM that achieves the minimum memory size with masking. Minimizing the secret state is the crucial challenge in the low-memory AE suitable for masking. Here, the minimum secret state is s + b bits, composed of s bits for a secret key and b bits for a plaintext block. HOMA appeared in CRYPTO 2022 achieved this goal with b = 64, but choosing a smaller b was difficult because b = s/2 is bound to the block size of the underlying primitive, meaning that a block cipher with an unrealistically small block size (e.g., 8 bits) is necessary for further improvement. MMM addresses the issue by making b independent of the underlying primitive while achieving the minimum (s + b)-bit secret state. Moreover, MMM provides additional advantages over HOMA, including (i) a better rate, (ii) the security under the multi-user model, (iii) and a smaller transmission cost. We instantiate two variants, MMM-8 (with b = 8) and MMM-64 (with b = 64), using the standard tweakable block cipher SKINNY-64/192. With a (d + 1)-masking scheme, MMM-8 (resp. MMM-64) is smaller by 56d + 184 (resp. 128) bits compared with HOMA. As a result of hardware performance evaluation, MMM-8 and MMM-64 achieved smaller circuit areas than HOMA with all the examined protection orders d ∈ [0, 5]. MMM-8’s circuit area is only 81% of HOMA with d = 5, and MMM-64 achieves more than x3 speed-up with a smaller circuit area.

LMCLAEKS: LWE-assisted multi-recipient certificateless authenticated encryption with keyword search

In Industrial Internet of Things (IIoT) environments, interconnected gadgets and sensors produce large-scale, dynamic, and private data by the arrival of the fourth industrial revolution. Such data must be stored by cloud service providers (CSP) and is capable of accessed by consumers. To guarantee data privacy, Public-key Encryption with Keyword Search (PEKS) is a cryptographic primitive designed to resolve this challenge, which is troubled by costly certificate management and key escrow problem. The majority of current PEKS schemes rely on expensive bilinear paring and single-receiver, which are highly vulnerable to keyword guessing attacks (KGA) and have low computational efficiency. Consequently, we propose an Multi-recipient Certificateless Authenticated Encryption with Keyword Search (MCLAEKS) scheme, which has the following advantages: 1) hiding search pattern; 2) data allows multiple consumers; 3) involving no costly bilinear pairing operations; 4) resisting Inside Keyword Guessing Attacks (IKGA). The comparison and analysis of performance indicate that the proposed scheme is more efficient than existing PEKS schemes and is suitable for the IIoT environment.

CMAF-IIoT: Chaotic map-based authentication framework for Industrial Internet of Things

The Industrial Internet of Things (IIoT) revolutionizes industrial production using smart devices (SMDs) deployed in IIoT environments. These SMDs collect and transmit information from target fields for analysis and can be controlled remotely. In emergency situations, real-time access to specific SMD information is crucial for prompt actions. However, ensuring secure and reliable communication between users and SMDs in untrusted channels is a significant challenge. Privacy concerns and the limitations of existing authentication frameworks further exacerbate this challenge, necessitating a lightweight cryptography-based authentication framework. This framework is essential to enable secure and reliable communication in the diverse IIoT environment while addressing privacy leakage threats and the computational constraints of IoT devices. Recently, various lightweight cryptography-based authenticated encryption (AE) schemes have been proposed to enable encryption and decryption services for resource-constrained IIoT devices. ASCON, an efficient AE scheme, offers confidentiality, integrity, and authenticity in a single encryption and decryption operation, reducing the number of cryptographic operations required for authentication framework design. This paper presents CMAF-IIoT, a chaotic map and resource-efficient AE scheme (ASCON)-based authentication framework for IIoT, addressing the aforementioned challenges. CMAF-IIoT ensures reliable communication between SMDs and users. The framework begins with user-performed local authentication on their smart devices, followed by the establishment of a session key with the SMD after mutual authentication with the gateway. Using the session key, users securely access real-time information from SMDs deployed in the IIoT environment. The security of CMAF-IIoT is validated through formal and informal security analyses. Additionally, the efficiency of CMAF-IIoT is evaluated in terms of communication, computational, and storage costs. The results indicate that CMAF-IIoT requires [6.67% to 53.33%] low storage cost, [45.13% to 65.87%] low computational cost, and [16.46% to 83.29%] low communication cost compared to contrasted authentication frameworks. These findings highlight the viability of CMAF-IIoT for the IIoT environment, as it provides resource efficiency and enhanced security features.