APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography

The domain of lightweight cryptography focuses on cryptographic algorithms for extremely constrained devices. It is very costly to avoid nonce reuse in such environments, because this requires either a hardware source of randomness or non-volatile memory to store a counter. At the same time, many cryptographic schemes actually require the nonce assumption for their security. In this paper, we propose APE as the first permutation-based authenticated encryption scheme that is resistant against nonce misuse. We formally prove that APE is secure, based on the security of the underlying permutation. To decrypt, APE processes the ciphertext blocks in reverse order and uses inverse permutation calls. APE therefore requires a permutation that is efficient for both forward and inverse calls. We instantiate APE with the permutations of three recent lightweight hash function designs: Quark, Photon, and Spongent. For any of these permutations, an implementation that supports both encryption and decryption requires less than 1.9 kGE and 2.8 kGE for 80-bit and 128-bit security levels, respectively.
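The following toy scheme is an added illustration of why a construction of this shape decrypts backwards with inverse permutation calls; it is not the APE specification from the paper. It assumes a constructed 2x64-bit ARX bijection as the permutation, the key in the capacity and the IV in the rate, and omits associated data and padding.

```python
# Added illustration of "decrypt in reverse order with inverse permutation
# calls". Not the APE specification: the permutation is a constructed toy
# 2x64-bit ARX bijection; associated data, padding and IV handling are simplified.
MASK = (1 << 64) - 1
ROUNDS = 8

def rotl(x, n): return ((x << n) | (x >> (64 - n))) & MASK
def rotr(x, n): return ((x >> n) | (x << (64 - n))) & MASK

def p(r, c):
    """Toy invertible permutation on a (rate, capacity) state."""
    for i in range(ROUNDS):
        r = (r + c) & MASK
        c = rotl(c, 13) ^ r ^ i
        r = rotl(r, 7)
    return r, c

def p_inv(r, c):
    """Exact inverse of p: undo each round step in reverse order."""
    for i in reversed(range(ROUNDS)):
        r = rotr(r, 7)
        c = rotr(c ^ r ^ i, 13)
        r = (r - c) & MASK
    return r, c

def encrypt(key, iv, blocks):
    """Each ciphertext block is the rate part *after* a permutation call
    (never its input); the tag is the final capacity masked with the key."""
    r, c = iv, key
    out = []
    for m in blocks:
        r, c = p(r ^ m, c)
        out.append(r)
    return out, c ^ key

def decrypt(key, iv, cblocks, tag):
    """C_i is an output of p, so start from the tag and invert p from the last
    block to the first; accept only if the recovered initial capacity is the key."""
    c = tag ^ key
    msg = []
    for i in range(len(cblocks) - 1, -1, -1):
        x, c = p_inv(cblocks[i], c)          # x = C_{i-1} XOR M_i
        msg.append(x ^ (cblocks[i - 1] if i else iv))
    return msg[::-1] if c == key else None   # None = authentication failure

# Constructed sample values (not from the paper).
KEY, IV = 0x0123456789ABCDEF, 0x1122334455667788
MSG = [int.from_bytes(b"lightwei", "big"), int.from_bytes(b"ght AEAD", "big")]
```

A flipped bit in any ciphertext block or in the tag changes the recovered initial capacity, so the final comparison against the key rejects the forgery.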
