Full-State Keyed Duplex with Built-In Multi-user Support

The keyed duplex construction was introduced by Bertoni et al. (SAC 2011) and recently generalized to full-state absorption by Mennink et al. (ASIACRYPT 2015). We present a generalization of the full-state keyed duplex that natively supports multiple instances by design, and perform a security analysis that improves over that of Mennink et al. in two respects: the analysis is more modular, and the resulting security bound is stronger and more adaptive. Via the introduction of an additional parameter to the analysis, our bound demonstrates a significant security improvement in the case of nonce-respecting adversaries. Furthermore, by supporting multiple instances by design, instead of adapting the security model to them, we derive a security bound that is largely independent of the number of instances.
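As an added illustration (not code from the paper or its authors), the following Python toy models the construction the abstract describes: a keyed duplex whose key array is built in, so `init(delta, iv)` selects instance `delta`, and whose duplexing call absorbs a full b-bit block rather than only the outer part. The permutation, parameter sizes (b = 25 bytes, k = 16, r = 8) and the simplified interface without an overwrite flag are assumptions made here for the example.

```python
# Toy full-state keyed duplex over Keccak-f[200] (added example, not the paper's code).
# Assumed parameters: b = 25 bytes, key k = 16 bytes, outer rate r = 8 bytes.
RC = [0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, 0x8A,
      0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, 0x02, 0x80]  # low bytes of Keccak RCs
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # ROT[x][y], reduced mod 8 below

def rotl8(v, n):
    """Rotate an 8-bit lane left by n positions."""
    n %= 8
    return ((v << n) | (v >> (8 - n))) & 0xFF if n else v

def keccak_f200(state):
    """Keccak-f[200]: 18 rounds of theta, rho, pi, chi, iota on 25 one-byte lanes."""
    a = [[state[x + 5 * y] for y in range(5)] for x in range(5)]
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rotl8(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]        # theta
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rotl8(a[x][y], ROT[x][y])  # rho + pi
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])         # chi
              for y in range(5)] for x in range(5)]
        a[0][0] ^= rc                                                    # iota
    return bytes(a[x][y] for y in range(5) for x in range(5))

class FullStateKeyedDuplex:
    """Key array K[0..mu-1] is part of the object; init(delta, iv) picks instance delta."""
    B, R = 25, 8

    def __init__(self, keys):
        self.keys, self.state = keys, None

    def init(self, delta, iv):
        key = self.keys[delta]
        assert len(key) + len(iv) == self.B
        self.state = key + iv                      # state = K[delta] || iv

    def duplex(self, sigma):
        """Absorb a full b-byte block (outer AND inner part), permute, return outer r bytes."""
        assert len(sigma) == self.B
        self.state = keccak_f200(bytes(s ^ m for s, m in zip(self.state, sigma)))
        return self.state[:self.R]

def keystream(keys, delta, iv, nblocks):
    """Squeeze nblocks * R bytes from instance delta using all-zero absorb blocks."""
    d = FullStateKeyedDuplex(keys)
    d.init(delta, iv)
    return b"".join(d.duplex(bytes(d.B)) for _ in range(nblocks))
```

Because absorption is full-state, a block that differs only in its inner bytes still changes the output, which is the property that distinguishes this variant from the outer-part-only keyed duplex.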

[1] Andrey Bogdanov et al. How to Securely Release Unverified Plaintext in Authenticated Encryption. ASIACRYPT, 2014.

[2] Ingrid Verbauwhede et al. Chaskey: An Efficient MAC Algorithm for 32-bit Microcontrollers. Selected Areas in Cryptography, 2014.

[3] Thomas Peyrin et al. The PHOTON Family of Lightweight Hash Functions. IACR Cryptol. ePrint Arch., 2011.

[4] Stefano Tessaro et al. Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security. CRYPTO, 2016.

[5] Serge Vaudenay et al. Boosting OMD for Almost Free Authentication of Associated Data. FSE, 2015.

[6] Jacques Patarin et al. The "Coefficients H" Technique. Selected Areas in Cryptography, 2009.

[7] Atul Luykx et al. Multi-key Security: The Even-Mansour Construction Revisited. CRYPTO, 2015.

[8] Palash Sarkar et al. New Applications of Time Memory Data Tradeoffs. ASIACRYPT, 2005.

[9] G. V. Assche et al. Sponge Functions. 2007.

[10] Bart Mennink et al. Security of Full-State Keyed Sponge and Duplex: Applications to Authenticated Encryption. ASIACRYPT, 2015.

[11] John P. Steinberger et al. Tight Security Bounds for Key-Alternating Ciphers. EUROCRYPT, 2014.

[12] Stefano Tessaro et al. The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC. CRYPTO, 2015.

[13] Alex Biryukov et al. Improved Time-Memory Trade-Offs with Multiple Data. Selected Areas in Cryptography, 2005.

[14] Guido Bertoni et al. Sponge-Based Pseudo-Random Number Generators. CHES, 2010.

[15] G. V. Assche et al. Permutation-based encryption, authentication and authenticated encryption. 2012.

[16] Silvio Micali et al. Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements. EUROCRYPT, 2000.

[17] Guido Bertoni et al. Duplexing the sponge: single-pass authenticated encryption and other applications. IACR Cryptol. ePrint Arch., 2011.

[18] Yishay Mansour et al. A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 1997.

[19] Jean-Sébastien Coron et al. Advances in Cryptology – EUROCRYPT 2016. Lecture Notes in Computer Science, 2016.

[20] Mihir Bellare et al. Hash-Function Based PRFs: AMAC and Its Multi-User Security. EUROCRYPT, 2016.

[21] Bart Mennink et al. Security of Keyed Sponge Constructions Using a Modular Proof Approach. FSE, 2015.

[22] G. V. Assche et al. On the security of the keyed sponge construction. 2011.

[23] Andrey Bogdanov et al. spongent: A Lightweight Hash Function. CHES, 2011.

[24] Seokhie Hong et al. A Keyed Sponge Construction with Pseudorandomness in the Standard Model. 2012.

[25] Yu Sasaki et al. How to Incorporate Associated Data in Sponge-Based Authenticated Encryption. CT-RSA, 2015.

[26] Daniel J. Bernstein et al. The Poly1305-AES Message-Authentication Code. FSE, 2005.

[27] Yishay Mansour et al. A Construction of a Cipher From a Single Pseudorandom Permutation. ASIACRYPT, 1991.

[28] Stefano Tessaro et al. Provably Robust Sponge-Based PRNGs and KDFs. EUROCRYPT, 2016.

[29] Guido Bertoni et al. On the Indifferentiability of the Sponge Construction. EUROCRYPT, 2008.

[30] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols. CCS '93, 1993.

[31] Florian Mendel et al. Submission to the CAESAR Competition. 2014.

[32] Atul Luykx et al. Beyond 2^{c/2} Security in Sponge-Based Authenticated Encryption Modes. IACR Cryptol. ePrint Arch., 2014.

[33] Eli Biham et al. How to decrypt or even substitute DES-encrypted messages in 2^28 steps. Inf. Process. Lett., 2002.

[34] Rosario Gennaro et al. Advances in Cryptology – CRYPTO 2015. Lecture Notes in Computer Science, 2015.

[35] Morris J. Dworkin et al. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. 2015.

[36] Sanjit Chatterjee et al. Another Look at Tightness. IACR Cryptol. ePrint Arch., 2011.

[37] Gregor Leander et al. Fast Software Encryption. Lecture Notes in Computer Science, 2015.

[38] Ueli Maurer et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. TCC, 2004.

[39] Yusuke Naito et al. New Bounds for Keyed Sponges with Extendable Output: Independence Between Capacity and Message Length. FSE, 2016.