18 research outputs found
PA1 Security on Release of Unverified Plaintext in Encrypt-then-MAC AE Schemes
At ASIACRYPT 2014, Andreeva et al. put forward a definition for security of authenticated encryption under release of unverified plaintext. They introduced two notions of plaintext awareness (PA1 and its stronger sibling PA2), suggested to be used in conjunction with confidentiality in case of release of unverified plaintext, as well as the notion of integrity under release of unverified plaintext (INT-RUP). Various efforts have been made to develop a unified model (e.g., Ashur et al., CRYPTO 2017, Chang et al., ToSC 2019(4)). With respect to the analysis of existing and new modes under release of unverified plaintext, most research however has focused on INT-RUP security only. Plaintext awareness is less studied and understood.
In this work, we take a detailed look at the original definitions of PA1 and PA2 security. We observe that the definitions leave too much room for interpretation, and claimed results such as PA1 security of Encrypt-then-MAC are unjustified. The core of the issue lies in the fact that PA1 security is necessarily tied to the implementation of the scheme. To resolve this, we present refined definitions of PA1 and PA2 security. We argue that even for these refined definitions, there is no implementation of Encrypt-and-MAC that is PA1 (nor PA2) secure. For MAC-then-Encrypt, results depend on the actual scheme, as we demonstrate using a negative result and a positive result (from literature, on Romulus-M). Furthermore, we formally prove for Encrypt-then-MAC that (i) there exist implementations that are PA1 insecure and (ii) there exist implementations that are PA1 secure. In other words, Encrypt-then-MAC is insecure under the old definition but secure under the new definition, provided a proper implementation is used. We apply this observation to Isap v2, finalist in the NIST Lightweight Cryptography competition, where we additionally deal with the complication that the same key is used for encryption and authentication
Tight security analysis of the public Permutation-based {{\textsf{PMAC_Plus}}}
In CRYPTO 2011, Yasuda proposed a variable input-length PRF based on an n-bit block cipher, called PMAC Plus. PMAC Plus is a rate-1 construction and inherits the well-known PMAC parallel network with a low additional cost. However, unlike PMAC, PMAC Plus is secure roughly up to 22n/3 queries. Later in CRYPTO 2018, Leurent et al., and then Lee et al. in EUROCRYPT 2020 established a tight security bound of 23n/4 on PMAC Plus. In this paper, we propose a public permutation-based variable input-length PRF called pPMAC Plus. We show that pPMAC Plus is secure against all adversaries that make at most 22n/3 queries. We also show that the bound is essentially tight. It is of note here that instantiation of each block cipher of PMAC Plus with the two-round iterated Even-Mansour cipher can yield a beyond-birthday-secure PRF based on public permutations. Altogether, the solution incurs (2ℓ + 4) permutation calls, whereas our proposal requires only (ℓ + 2) permutation calls, ℓ being the maximum number of message blocks
Permutation Based EDM: An Inverse Free BBB Secure PRF
In CRYPTO 2019, Chen et al. have initiated an interesting research direction in designing PRF based on public permutations. They have proposed two beyond the birthday bound secure n-bit to n-bit PRF constructions, i.e., SoEM22 and SoKAC21, which are built on public permutations, where n is the size of the permutation. However, both of their constructions require two independent instances of public permutations. In FSE 2020, Chakraborti et al. have proposed a single public permutation based n-bit to n-bit beyond the birthday bound secure PRF, which they refer to as PDMMAC. Although the construction is minimal in the number of permutations, it requires the inverse call of its underlying permutation in their design. Coming up with a beyond the birthday bound secure public permutation based n-bit to n-bit PRF with a single permutation and two forward calls was left as an open problem in their paper. In this work, we propose pEDM, a single permutation based n-bit to n-bit PRF with two calls that do not require invertibility of the permutation. We have shown that our construction is secured against all adaptive information-theoretic distinguishers that make roughly up to 22n/3 construction and primitive queries. Moreover, we have also shown a matching attack with similar query complexity that establishes the tightness of our security bound
Beyond Birthday Bound Secure MAC in Faulty Nonce Model
Encrypt-then-MAC (EtM) is a popular mode for authenticated encryption (AE). Unfortunately, almost all designs following the EtM paradigm, including the AE suites for TLS, are vulnerable against nonce misuse. A single repetition of the nonce value reveals the hash key, leading to a universal forgery attack. There are only two authenticated encryption schemes following the EtM paradigm which can resist nonce misuse attacks, the GCM-RUP (CRYPTO-17) and the GCM/2+ (INSCRYPT-12). However, they are secure only up to the birthday bound in the nonce respecting setting, resulting in a restriction on the data limit for a single key. In this paper we show that nEHtM, a nonce-based variant of EHtM (FSE-10) constructed using a block cipher, has a beyond birthday bound (BBB) unforgeable security that gracefully degrades under nonce misuse. We combine nEHtM with the CENC (FSE-06) mode of encryption using the EtM paradigm to realize a nonce-based AE, CWC+. CWC+ is very close (requiring only a few more xor operations) to the CWC AE scheme (FSE-04) and it not only provides BBB security but also gracefully degrading security on nonce misuse
Tight Security Analysis of the Public Permutation-Based PMAC_Plus
Yasuda proposed a variable input-length PRF in CRYPTO 2011, called \textsf{PMAC_Plus}, based on an -bit block cipher. \textsf{PMAC_Plus} is a rate- construction and inherits the well-known parallel network with a low additional cost. However, unlike , \textsf{PMAC_Plus} is secure roughly up to queries. Zhang et al. proposed \textsf{3kf9} in ASIACRYPT 2012, Naito proposed \textsf{LightMAC_Plus} in ASIACRYPT 2017, and Iwata et al. proposed \textsf{GCM-SIV2} in FSE 2017 -- all of them secure up to around queries. Their structural designs and corresponding security proofs were unified by Datta et al. in their framework {\em Double-block Hash-then-Sum} (\textsf{DbHtS}). Leurent et al. in CRYPTO 2018 and then Lee et al. in EUROCRYPT 2020 established a tight security bound of on \textsf{DbHtS}. That \textsf{PMAC_Plus} provides security for roughly up to queries is a consequence of this result. In this paper, we propose a public permutation-based variable input-length PRF called {\textsf{pPMAC_Plus}}. We show that {\textsf{pPMAC_Plus}} is secure against all adversaries that make at most queries. We also show that the bound is essentially tight. It is of note here that instantiation of each block cipher of {\textsf{pPMAC_Plus}} with the two-round iterated Even-Mansour cipher can yield a beyond the birthday bound secure PRF based on public permutations. Altogether, the solution incurs permutation calls, whereas our proposal requires only permutation calls, being the maximum number of message blocks
Tight Multi-User Security Bound of DbHtS
In CRYPTO’21, Shen et al. proved that Two-Keyed-DbHtS construction is secure up to 22n/3 queries in the multi-user setting independent of the number of users. Here the underlying double-block hash function H of the construction realized as the concatenation of two independent n-bit keyed hash functions (HKh,1,HKh,2), and the security holds under the assumption that each of the n-bit keyed hash function is universal and regular. The authors have also demonstrated the applicability of their result to the key-reduced variants of DbHtS MACs, including 2K-SUM-ECBC, 2K-PMAC_Plus and 2K-LightMAC_Plus without requiring domain separation technique and proved 2n/3-bit multi-user security of these constructions in the ideal cipher model. Recently, Guo and Wang have invalidated the security claim of Shen et al.’s result by exhibiting three constructions, which are instantiations of the Two-Keyed-DbHtS framework, such that each of their n-bit keyed hash functions are O(2−n) universal and regular, while the constructions themselves are secure only up to the birthday bound. In this work, we show a sufficient condition on the underlying Double-block Hash (DbH) function, under which we prove an improved 3n/4-bit multi-user security of the Two-Keyed-DbHtS construction in the ideal-cipher model. To be more precise, we show that if each of the n-bit keyed hash function is universal, regular, and cross-collision resistant then it achieves the desired security. As an instantiation, we show that two-keyed Polyhash-based DbHtS construction is multi-user secure up to 23n/4 queries in the ideal-cipher model. Furthermore, due to the generic attack on DbHtS constructions by Leurent et al. in CRYPTO’18, our derived bound for the construction is tight
A Combinatorial Approach to IoT Data Security
This article explores the potential of Secret Sharing-Based Internet of Things (SBIoT) as a promising cryptographic element across diverse applications, including secure data storage in commercial cloud systems (Datachest), smart home environments (encompassing sensors, cameras, smart locks, and smart assistants), and e-health applications (protecting patient data and medical records). Beyond these applications, the paper makes two key contributions: the introduction of a novel cheater identification algorithm designed to verify the correct submission of shares during secret reconstruction, and empirical validation through experimental studies to support the theoretical advancements. This multifaceted approach not only demonstrates the versatility of SBIoT but also proposes innovative mechanisms to enhance security and integrity, contributing to the development of a more robust cryptographic framework.
This article expands upon the work presented in the poster A Combinatorial Approach to IoT Data Security at IWSEC 2023, Yokohama, Japan
Tight Multi-User Security Bound of
In CRYPTO\u2721, Shen et al. have proved in the ideal cipher model that construction is secure up to queries in the multi-user setting independent of the number of users, where the underlying double-block hash function of the \textsf{Two-Keyed-DbHtS} construction is realized as the concatenation of two independent -bit keyed hash functions such that each of the -bit keyed hash function is universal and regular. They have also demonstrated the applicability of their result to the key-reduced variants of \textsf{DbHtS} MACs, including \textsf{2K-SUM-ECBC}, \textsf{2K-PMAC_Plus} and \textsf{2K-LightMAC_Plus} without requiring domain separation technique and proved -bit multi-user security of these constructions in the ideal cipher model. Recently, Guo and Wang have invalidated the security claim of Shen et al.\u27s result by exhibiting three constructions, which are the instantiations of the framework, such that each of their -bit keyed hash functions being universal and regular, while the constructions themselves are secure only up to the birthday bound. In this work, we show a sufficient condition on the underlying Double-block Hash () function, under which we prove -bit multi-user security of the construction in the ideal-cipher model. As an instantiation, we show that two-keyed Polyhash-based construction is multi-user secure up to queries in the ideal-cipher model. Furthermore, due to the generic attack on constructions by Ga\ etan et al. in CRYPTO\u2718, our derived bound for the construction is tight
Access Structure Hiding Verifiable Tensor Designs
The field of verifiable secret sharing schemes was introduced by Verheul et al. and has evolved over time, including well-known examples by Feldman and Pedersen. Stinson made advancements in combinatorial design-based secret sharing schemes in 2004. Desmedt et al. introduced the concept of frameproofness in 2021, while recent research by Sehrawat et al. in 2021 focuses on LWE-based access structure hiding verifiable secret sharing with malicious-majority settings. Furthermore, Roy et al. combined the concepts of reparable threshold schemes by Stinson et al. and frameproofness by Desmedt et al. in 2023, to develop extendable tensor designs built from balanced incomplete block designs, and also presented a frameproof version of their design.
This paper explores ramp-type verifiable secret sharing schemes, and the application of hidden access structures in such cryptographic protocols. Inspired by Sehrawat et al.\u27s access structure hiding scheme, we develop an -almost access structure hiding scheme, which is verifiable as well as frameproof. We detail how the concept -almost hiding is important for incorporating ramp schemes, thus making a fundamental generalisation of this concept
