Nonce Misuse Research Articles

A Comprehensive Review of Lightweight Authenticated Encryption for IoT Devices

Internet of Things (IoT) is a promising technology for creating smart environments, smart systems, and smart services. Since security is a fundamental requirement of IoT platforms, solutions that can provide both encryption and authenticity simultaneously have recently attracted much attention from academia and industry. This article analyses in detail state-of-the-art lightweight authenticated encryption (LAE) targeted to IoT systems. This work provides a thorough description of the algorithms, and the study systematically classifies them to facilitate understanding of relevant intricacies of the schemes. Among reviewed algorithms, there is a trade-off to retain design security, resources cost, and efficient performance. ACORN is the effective scheme on various platforms in terms of utilization of resources and power consumption, while MORUS and AES-CLOC are the fastest in hardware platforms. However, they are susceptible to misuse despite their resistance to side channel attacks. In contrast, JOLTICK, PRIMATESs, COLM, DeoxysII, OCB, and AES-JAMBU are provably resistant to nonce misuse. The challenges for possible future research are summarized. Overall, the article provides researchers and developers with practical guidance on various design aspects and limitations as well as open research challenges in the current lightweight authenticated encryption for IoT.

Improved Security Bound of (E/D)WCDM

In CRYPTO’16, Cogliati and Seurin proposed a block cipher based nonce based MAC, called Encrypted Wegman-Carter with Davies-Meyer (EWCDM), that gives 2n/3 bit MAC security in the nonce respecting setting and n/2 bit security in the nonce misuse setting, where n is the block size of the underlying block cipher. However, this construction requires two independent block cipher keys. In CRYPTO’18, Datta et al. came up with a single-keyed block cipher based nonce based MAC, called Decrypted Wegman-Carter with Davies-Meyer (DWCDM), that also provides 2n/3 bit MAC security in the nonce respecting setting and n/2 bit security in the nonce misuse setting. However, the drawback of DWCDM is that it takes only 2n/3 bit nonce. In fact, authors have shown that DWCDM cannot achieve beyond the birthday bound security with n bit nonces. In this paper, we prove that DWCDM with 3n/4 bit nonces provides MAC security up to O(23n/4) MAC queries against all nonce respecting adversaries. We also improve the MAC bound of EWCDM from 2n/3 bit to 3n/4 bit. The backbone of these two results is a refined treatment of extended mirror theory that systematically estimates the number of solutions to a system of bivariate affine equations and non-equations, which we apply on the security proofs of the constructions to achieve 3n/4 bit security.

1, 2, 3, Fork: Counter Mode Variants based on a Generalized Forkcipher

A multi-forkcipher (MFC) is a generalization of the forkcipher (FC) primitive introduced by Andreeva et al. at ASIACRYPT’19. An MFC is a tweakable cipher that computes s output blocks for a single input block, with s arbitrary but fixed. We define the MFC security in the ind-prtmfp notion as indistinguishability from s tweaked permutations. Generalizing tweakable block ciphers (TBCs, s = 1), as well as forkciphers (s = 2), MFC lends itself well to building simple-to-analyze modes of operation that support any number of cipher output blocks.Our main contribution is the generic CTR encryption mode GCTR that makes parallel calls to an MFC to encrypt a message M. We analyze the set of all 36 “simple and natural” GCTR variants under the nivE security notion by Peyrin and Seurin rom CRYPTO’16. Our proof method makes use of an intermediate abstraction called tweakable CTR (TCTR) that captures the core security properties of GCTR common to all variants, making their analyses easier. Our results show that many of the schemes achieve from well beyond birthday bound (BBB) to full n-bit security under nonce respecting adversaries and some even BBB and close to full n-bit security in the face of realistic nonce misuse conditions.We finally present an efficiency comparison of GCTR using ForkSkinny (an MFC with s = 2) with the traditional CTR and the more recent CTRT modes, both are instantiated with the SKINNY TBC. Our estimations show that any GCTR variant with ForkSkinny can achieve an efficiency advantage of over 20% for moderately long messages, illustrating that the use of an efficient MFC with s ≥ 2 brings a clear speed-up.

Towards Low-Energy Leakage-Resistant Authenticated Encryption from the Duplex Sponge Construction

The ongoing NIST lightweight cryptography standardization process highlights the importance of resistance to side-channel attacks, which has renewed the interest for Authenticated Encryption schemes (AEs) with light(er)-weight sidechannel secure implementations. To address this challenge, our first contribution is to investigate the leakage-resistance of a generic duplex-based stream cipher. When the capacity of the duplex is of c bits, we prove the classical bound, i.e., ≈ 2c/2, under an assumption of non-invertible leakage. Based on this, we propose a new 1-pass AE mode TETSponge, which carefully combines a tweakable block cipher that must have strong protections against side-channel attacks and is scarcely used, and a duplex-style permutation that only needs weak side-channel protections and is used to frugally process the message and associated data. It offers: (i) provable integrity (resp. confidentiality) guarantees in the presence of leakage during both encryption and decryption (resp. encryption only), (ii) some level of nonce misuse robustness. We conclude that TETSponge is an appealing option for the implementation of low-energy AE in settings where side-channel attacks are a concern. We also provides the first rigorous methodology for the leakage-resistance of sponge/duplex-based AEs based on a minimal non-invertibility assumption on leakages, which leads to various insights on designs and implementations.

Architectural Optimization of Parallel Authenticated Encryption Algorithm for Satellite Application

High-speed data communication is becoming essential for many applications, including satellite communication. The security algorithms associated with the communication of information are also required to have high-speed for coping up with the communication speed. Moreover, the Authenticated Encryption (AE) algorithms provide high-speed communication and security services include data encryption, authentication, and integrity. The AE algorithms are available with serial and parallel architectures; among them, the Galois Counter Mode (GCM) algorithm has a parallel architecture. The Synthetic Initialization Vector (SIV) mode in the AES-GCM-SIV algorithm provides the nonce misuse protection using the GCM algorithm. Besides, reduced data throughput is provided using the AES-GCM-SIV algorithm as compared to the AES-GCM algorithm. This work introduced a parallel algorithm with re-keying and randomization of the initialization vector for high data throughput, nonce misuse protection, and side-channel attack protection. The implementation of the proposed algorithm is performed on Field Programmable Gate Array (FPGA) and it’s compared with the FPGA implementations of AES-GCM, AES-GCM-SIV, and recently introduced algorithms. The optimization of the proposed algorithm and security analysis is presented for space application using different optimizations and a combination of optimizations.

Optimizing Online Permutation-Based AE Schemes for Lightweight Applications

We explore ways to optimize online, permutation-based authenticated encryption (AE) schemes for lightweight applications. The lightweight applications demand that AE schemes operate in resource-constrained environments, which raise two issues: 1) implementation costs must be low, and 2) ensuring proper use of a nonce is difficult due to its small size and lack of randomness. Regarding the implementation costs, recently it has been recognized that permutation-based (rather than block-cipher-based) schemes frequently show advantages. However, regarding the security under nonce misuse, the standard permutation-based duplex construction cannot ensure confidentiality. There exists one permutation-based scheme named APE which offers certain robustness against nonce misuse. Unfortunately, the APE construction has several drawbacks such as ciphertext expansion and bidirectional permutation circuits. The ciphertext expansion would require more bandwidth, and the bidirectional circuits would require a larger hardware footprint. In this paper, we propose new constructions of online permutation-based AE that require less bandwidth, a smaller hardware footprint and lower computational costs. We provide security proofs for the new constructions, demonstrating that they are as secure as the APE construction.

<inline-formula><tex-math id="M1">\begin{document}$\textsf{DWCDM+}$\end{document}</tex-math></inline-formula>: A BBB secure nonce based MAC

In CRYPTO 2016, Cogliati and Seurin have proposed a nonce-based MAC called Encrypted Wegman-Carter with Davies-Meyer ($\textsf{EWCDM}$), from an $n$-bit block cipher $\textsf{E}$ and an $n$-bit almost xor universal hash function$\textsf{H}$ as \begin{document}$\textsf{E}_{K_2}\bigl(\textsf{E}_{K_1}(N)\oplus N\oplus \textsf{H}_{K_h}(M)\bigr),$ \end{document} for a nonce $N$ and a message $M$ that provides roughly $2n/3$-bit MAC security. However, obtaining the similar security using a single block cipher key was posed as an open research problem. In this paper, we present Decrypted Wegman-Carter with Davies-Meyer ($\textsf{DWCDM+}$) construction based on a single block cipher key that provides $2n/3$-bit MAC security from an $n$-bit block cipher $\textsf{E}$ and an $n$-bit $k$-regular ($\forall k \leq n$), almost xor universal hash function $\textsf{H}$ as \begin{document} $ \textsf{E}^{-1}_{K}\bigl(\textsf{E}_{K}(N)\oplus N \oplus \textsf{H}_{K_h}(M)\bigr). $ \end{document} $\textsf{DWCDM+}$ is structurally very similar to its predecessor $\textsf{EWCDM}$ except that the facts that (i) the number of block cipher keys reduced from $2$ to $1$ and (ⅱ) the outer encryption call is replaced by a decryption one. To make the construction truely single-keyed, here we derive the hash key $K_h$ as the block cipher output of a fixed string $0^{n-2} \| 10$ as long as the hash key is of $n$ bits. We show that if the nonce space is restricted to $(n-1)$ bits, $\textsf{DWCDM+}$ is secured roughly up to $2^{2n/3}$ MAC queries ($2^{n/2}$ MAC queries) and $2^n$ verification queries against nonce respecting (nonce misuse resp.) adversaries.

CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not necessarily result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Synthetic Initialization Vector (SIV) mode for computational overhead but has much smaller expansion. We prove both a misuse resistant authenticated encryption (MRAE) security bound and an authenticated encryption (AE) security bound for CMCC. We also present a variation of CMCC, CWM (CMCC With MAC), which provides a further strengthening of the security bounds.

Multi-key Analysis of Tweakable Even-Mansour with Applications to Minalpher and OPP

The tweakable Even-Mansour construction generalizes the conventional Even-Mansour scheme through replacing round keys by strings derived from a master key and a tweak. Besides providing plenty of inherent variability, such a design builds a tweakable block cipher from some lower level primitive. In the present paper, we evaluate the multi-key security of TEM-1, one of the most commonly used one-round tweakable Even-Mansour schemes (formally introduced at CRYPTO 2015), which is constructed from a single n-bit permutation P and a function f(k, t) linear in k from some tweak space to {0, 1} n. Based on giant component theorem in random graph theory, we propose a collision-based multi-key attack on TEM-1 in the known-plaintext setting. Furthermore, inspired by the methodology of Fouque et al. presented at ASIACRYPT 2014, we devise a novel way of detecting collisions and eventually obtain a memory-efficient multi-key attack in the adaptive chosen-plaintext setting. As important applications, we utilize our techniques to analyze the authenticated encryption algorithms Minalpher (a second-round candidate of CAESAR) and OPP (proposed at EUROCRYPT 2016) in the multi-key setting. We describe knownplaintext attacks on Minalpher and OPP without nonce misuse, which enable us to recover almost all O(2n/3) independent masks by making O(2n/3) queries per key and costing O(22n/3) memory overall. After defining appropriate iterated functions and accordingly changing the mode of creating chains, we improve the basic blockwiseadaptive chosen-plaintext attack to make it also applicable for the nonce-respecting setting. While our attacks do not contradict the security proofs of Minalpher and OPP in the classical setting, nor pose an immediate threat to their uses, our results demonstrate their security margins in the multi-user setting should be carefully considered. We emphasize this is the very first third-party analysis on Minalpher and OPP.