Analysis and design of authenticated ciphers

An authenticated cipher is a symmetric key cryptographic primitive that protects the confidentiality, integrity and authenticity of data. It integrates existing symmetric key primitives such as block ciphers, stream ciphers and hash functions, and has attracted considerable research interest in recent years, especially since the announcement of the CAESAR competition. In this thesis, we study the analysis and design of authenticated ciphers. We begin with an introduction to symmetric key cryptography and authenticated ciphers, followed by a discussion of the typical methods used in the cryptanalysis and design of authenticated ciphers. Then several concrete case studies in the analysis of authenticated ciphers are presented. We apply differential-linear cryptanalysis to recover the internal state of ICEPOLE. Differential IV cryptanalysis is used to attack the initialization of the 128-EEA3/128-EIA3 stream cipher ZUC. By exploiting the state leaked through the keystream, we present a forgery attack on ALE. By exploiting the parameter settings, we present distinguishing and forgery attacks against the authenticated encryption scheme COFFE. We present a collision attack that breaks the authentication claim of the authenticated encryption mode IOC. For the design of authenticated ciphers, we propose two schemes, JAMBU and MORUS, each offering a different set of features. JAMBU is a lightweight authenticated encryption mode that provides an intermediate level of nonce misuse resistance. MORUS is a nonce-based authenticated cipher designed for high performance in both software and hardware.
