DOCSLIB.ORG

ACE: an Authenticated Encryption and Hash Algorithm Submission to the NIST LWC Competition

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
ACE: an Authenticated Encryption and Hash Algorithm Submission to the NIST LWC Competition ACE: An Authenticated Encryption and Hash Algorithm Submission to the NIST LWC Competition Submitters/Designers: Mark Aagaard, Riham AlTawy, Guang Gong, Kalikinkar Mandal, and Raghvendra Rohit∗ ∗Corresponding submitter: Email: [email protected] Tel: +1-519-888-4567 x45650 Communication Security Lab Department of Electrical and Computer Engineering University of Waterloo 200 University Avenue West Waterloo, ON, N2L 3G1, CANADA http://comsec.uwaterloo.ca/ March 29, 2019 Contents 1 Introduction4 1.1 Notations..................................5 1.2 Outline....................................6 2 Specification7 2.1 Parameters.................................7 2.1.1 ACE AEAD algorithm.......................7 2.1.2 ACE Hash algorithm........................8 2.2 Recommended Parameter Set.......................8 2.3 The ACE Permutation...........................8 2.3.1 The nonlinear function SB-64 ...................8 2.3.2 Round and step constants.....................9 2.4 AEAD Algorithm: ACE- -128 ...................... 10 2.4.1 Rate and capacityAE part of state.................. 12 2.4.2 Padding............................... 12 2.4.3 Loading key and nonce....................... 13 2.4.4 Initialization............................. 13 2.4.5 Processing associated data..................... 13 2.4.6 Encryption............................. 13 2.4.7 Finalization............................. 14 2.4.8 Decryption............................. 14 2.5 Hash Algorithm: ACE- -256 ........................ 14 2.5.1 Message paddingH.......................... 15 2.5.2 Loading initialization vector.................... 15 2.5.3 Initialization............................. 15 2.5.4 Absorbing and squeezing...................... 15 3 Security Claims 17 4 Security Analysis 18 4.1 Diffusion................................... 18 4.2 Differential and Linear Cryptanalysis................... 18 ii ACE: Submission to the NIST LWC competition 4.2.1 Expected bounds on the maximum probabilities of differential and linear characteristics...................... 19 4.3 Algebraic Properties............................ 19 4.4 Self Symmetry-based Distinguishers.................... 21 4.5 Security of ACE- -128 and ACE- -256 ................. 22 AE H 5 Design Rationale 23 5.1 Choice of the Mode: sLiSCP Sponge Mode................ 23 5.2 ACE State Size............................... 24 5.3 ACE Step Function............................. 25 5.4 Nonlinear Layer: Simeck box (SB-64)................... 25 5.5 Linear Layer: π = (3; 2; 0; 4; 1)....................... 26 5.6 Round and Step Constants......................... 26 5.6.1 Rationale.............................. 26 5.6.2 Generation of round and step constants.............. 26 5.7 Number of Rounds and Steps....................... 28 5.8 Choice of Rate Positions.......................... 29 5.9 Statement.................................. 29 6 Hardware Design and Analysis 30 6.1 Hardware Design Principles........................ 30 6.2 Interface and Top-level Module...................... 31 6.3 The ACE module .............................. 32 6.3.1 ACE datapath............................ 32 6.3.2 ACE FSM and lfsr c........................ 34 6.4 Hardware Implementation Results..................... 34 6.4.1 Hardware tools configuration.................... 34 6.4.2 Performance results......................... 35 7 Efficiency Analysis in Software 36 7.1 Software: High-performance CPU..................... 36 7.2 Software: Microcontroller.......................... 39 A Other NIST-LWC Submissions 45 B Test Vectors 46 B.1 Simeck Sbox................................. 46 B.2 ACE Permutation.............................. 47 B.3 ACE- -128 ................................. 47 B.4 ACE-AE-256 ................................. 47 H C Constants: Sequence to Hex Conversion 48 iii Chapter 1 Introduction ACE, often known as one of the strongest cards in a deck of cards, is an 320-bit lightweight permutation. It is designed to achieve a balance between hardware cost and software efficiency for both Authenticated Encryption with Associated Data (henceforth \AEAD") and hashing functionalities, while providing sufficient security margins. To accomplish these goals, ACE components and its mode of operation are adopted from well known and analyzed cryptographic primitives. In a nutshell, the design of ACE, its security, functionalities and the features it offers are described as follows. ACE core operations. Bitwise XORs and ANDs, left cyclic shifts and 64-bit word • shuffles ACE nonlinear layer. Unkeyed round-reduced Simeck block cipher [27] with block- • size of 64-bits, which provides good cryptographic properties and low hardware cost ACE linear layer. Five 64-bit words are shuffled in an (3; 2; 0; 4; 1) order, which • offers good resistance against differential and linear cryptanalysis ACE security. Simple analysis and good bounds for security using automated tools • such as CryptoSMT solver [22] and Gurobi [1] Functionality. All-in-one primitive, provides both AEAD and hashing functionali- • ties using the same hardware circuit ACE mode of operation. Unified sponge duplex mode [4] with keyed initialization • and finalization phases forthe AEAD algorithm Security of ACE modes. 128-bit security • Hardware performance. Achieves a throughput of 476 Mbps and has an area of • 4286 GE in CMOS 65 nm ASIC Software performance. Bit-sliced implementation of ACE permutation achieves a • speed of 9.97 cycles/byte. 4 ACE: Submission to the NIST LWC competition 1.1 Notations Notation Description X Y; X Y; X Y bitwise AND, XOR and concatenation of X and Y ⊕ jj X length of X in bits j j 0; 1 n, 0; 1 ?, φ length n bitstring, variable length bitstring, empty string f g f g 1n, 0n length n bitstring with all 1's, 0's Li left cyclic shift operator, i.e., for x 0; 1 n, i 2 f g L (x) = (xi; xi+1; : : : ; xn 1; x0; x1; : : : ; xi 1) − − word a 64-bit binary string S 320 bit state of ACE Sr;Sc r-bit rate part and c-bit capacity part of S (r = 64; c = 256) A; B; C; D; E Five 64-bit words of S, i.e., S = A B C D E jj jj jj jj Si state at i-th iteration (also step) of ACE permutation A[j] j-th byte of word A starting from right i i i A1;A0 upper and lower half of word A K; N; T key, nonce and tag k; n; t length of key, nonce and tag in bits (k = n = t = 128) AD; M; C associated data, plaintext and ciphertext (in blocks ADi;Mi;Ci) IV; iv fixed initialization vector and its length in bits H; h message digest (in blocks Hi) and its length, h = 256 ` length of X in words where X AD; M; C; H X 2 f g step one round of ACE permutation (see Figure 2.1) round one round of Simeck unkeyed function (see Figure 2.2) SB-64 nonlinear operation of ACE permutation u number of rounds, u = 8 s number of steps, s = 16 i i i rc0; rc1; rc2 8-bit round constants i i i sc0; sc1; sc2 8-bit step constants ACE- -k ACE AEAD algorithm (k = 128) AE ACE- -h ACE Hash algorithm (h = 256) H 5 ACE: Submission to the NIST LWC competition 1.2 Outline The rest of the document is organized as follows. In Chapter2, we present the com- plete specification of the ACE permutation, ACE AEAD and ACE hash algrithms. We summarize the security claims of our submission in Chapter3 and provide the detailed security analyis in Chapter4. In Chapter5, we present the rationale behind our design and justify the parameter choices. The details of our hardware implementations and performance results in CMOS 65 nm ASIC and FPGA are provided in Chapter6. In Chapter7, we discuss the efficiency of ACE in software including bit-sliced and micro- controller implementations. Finally, we conclude with references and test vectors in AppendixB. 6 Chapter 2 Specification 2.1 Parameters ACE is an 320-bit permutation that operates in an unified duplex sponge mode [4] and offers both AEAD and hashing functionalities in a single hardware circuit. The AEAD algorithm (ACE- -k) and the hash algorithm (ACE- -h) are parameterized by the size k of the secretAE key and the length of the messageH digest h in bits, respectively. Both the algorithms process the same amount of data per permutation call (i.e, rate r is same) and hence r value is ignored in the individual parameters' description. 2.1.1 ACE AEAD algorithm The AEAD algorithm ACE- -k is a combination of two algorithms, an authenticated encryption algorithm ACE- AEand the verified decryption algorithm ACE- . An authenticated encryptionE algorithm ACE- takes as input a secret keyD K of length k bits, a public message number N (nonce) ofE size n bits, a block header AD (a.k.a, associated data) and a message M. The output of ACE- is an authenticated ciphertext C of same length as M, and an authentication tag T Eof size t bits. Mathematically, ACE- is defined as E k n t ACE- : 0; 1 0; 1 0; 1 ∗ 0; 1 ∗ 0; 1 ∗ 0; 1 E f g × f g × f g × f g ! f g × f g with ACE- (K; N; AD; M) = (C; T ): E The decryption and verification algorithm takes as input the secret key K, nonce N, associated data AD, ciphertext C and tag T , and outputs the plaintext M of same length as C only if the verification of tag is correct, and if the tag verification fails. More formally, ? ACE- (K; N; AD; C; T ) M; : D 2 f ?g 7 ACE: Submission to the NIST LWC competition 2.1.2 ACE Hash algorithm A hash algorithm takes as input a message M, and the standard initialization vector IV of length iv bits, and returns a fixed size output H, called hash or message digest. Formally, the hash algorithm using ACE permutation is specified by iv h ACE- -h : 0; 1 ∗ 0; 1 0; 1 H f g × f g ! f g with H = ACE- -h(M; IV ). H Note that IV and N refer to two different things. IV is for a hash function and is fixed, while N is for an AEAD algorithm and never repeated for a fixed key. 2.2 Recommended Parameter Set In Table 2.1, we list the recommended parameter set for the AEAD and hash fuction- alities using the ACE permutation.
Load more

Recommended publications
  • SHA-3 Update
    SHA+3%update% %% % Quynh%Dang% Computer%Security%Division% ITL,%NIST% IETF%86% SHA-3 Competition 11/2/2007% SHA+3%CompeDDon%Began.% 10/2/2012% Keccak&announced&as&the&SHA13&winner.& IETF%86% Secure Hash Algorithms Outlook ► SHA-2 looks strong. ► We expect Keccak (SHA-3) to co-exist with SHA-2. ► Keccak complements SHA-2 in many ways. Keccak is good in different environments. Keccak is a sponge - a different design concept from SHA-2. IETF%86% Sponge Construction Sponge capacity corresponds to a security level: s = c/2. IETF%86% SHA-3 Selection ► We chose Keccak as the winner because of many different reasons and below are some of them: ► It has a high security margin. ► It received good amount of high-quality analyses. ► It has excellent hardware performance. ► It has good overall performance. ► It is very different from SHA-2. ► It provides a lot of flexibility. IETF%86% Keccak Features ► Keccak supports the same hash-output sizes as SHA-2 (i.e., SHA-224, -256, -384, -512). ► Keccak works fine with existing applications, such as DRBGs, KDFs, HMAC and digital signatures. ► Keccak offers flexibility in performance/security tradeoffs. ► Keccak supports tree hashing. ► Keccak supports variable-length output. IETF%86% Under Consideration for SHA-3 ► Support for variable-length hashes ► Considering options: ► One capacity: c = 512, with output size encoding, ► Two capacities: c = 256 and c = 512, with output size encoding, or ► Four capacities: c = 224, c = 256, c=384, and c = 512 without output size encoding (preferred by the Keccak team). ► Input format for SHA-3 hash function(s) will contain a padding scheme to support tree hashing in the future.
    [Show full text]
  • Lecture9.Pdf
    Merkle- Suppose H is a Damgaord hash function built from a secure compression function : several to build a function ways keyed : m : = H Ilm 1 . end FCK ) (k ) Prep key , " " ↳ - Insecure due to structure of Merkle : can mount an extension attack: H (KH m) can Barnyard given , compute ' Hlkllmllm ) by extending Merkle- Danged chain = : m : 2 . FCK ) 11k) Append key , Hlm ↳ - - to : Similar to hash then MAC construction and vulnerable same offline attack adversary finds a collision in the - - > Merkle and uses that to construct a for SHA I used PDF files Barnyard prefix forgery f , they ↳ - Structure in SHA I (can matches exploited collision demonstration generate arbitrary collisions once prefix ) ' = : FCK m - H on h 3. method , ) ( K HMH K) for reasonable randomness ( both Envelope pseudo assumptions e.g , : = - = i - - : F ( m m } : h K m h m k 4. nest ( ki ) H Ck H (k m ( , and m ( ) is a PRF both Two , kz , ) (ka HH , )) F- , ) ) Falk , ) , ) key , - of these constructions are secure PRFS on a variable size domain hash- based MAC ✓ a the - nest with correlated : HMAC is PRF / MAC based on two key (though keys) : = m H H ka m HMACCK ( K H ( , )) , ) , where k ← k ④ and kz ← k to , ipad opad and and are fixed ( in the HMAC standard) ipad opad strings specified I 0×36 repeated %x5C repeated : k . a Since , and ka are correlated need to make on h remains under Sety , stronger assumption security leg , pseudorandom related attack) Instantiations : denoted HMAC- H where H is the hash function Typically , HMAC- SHAI %" - - HMAC SHA256
    [Show full text]
  • GCM) for Confidentiality And
    NIST Special Publication 800-38D Recommendation for Block DRAFT (April, 2006) Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication Morris Dworkin C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation. i Table of Contents 1 PURPOSE...........................................................................................................................................................1 2 AUTHORITY.....................................................................................................................................................1 3 INTRODUCTION..............................................................................................................................................1 4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS.................................................................................2 4.1 DEFINITIONS AND ABBREVIATIONS .............................................................................................................2 4.2 SYMBOLS ....................................................................................................................................................4 4.2.1 Variables................................................................................................................................................4
    [Show full text]
  • Speeding up OMD Instantiations in Hardware
    Speeding Up OMD Instantiations in Hardware Diana Maimuţ1[0000−0002−9541−5705] and Alexandru Ştefan Mega1,2[0000−0002−9541−1114] 1 Advanced Technologies Institute 10 Dinu Vintilă, Bucharest, Romania {diana.maimut,ati}@dcti.ro 2 Politehnica University of Bucharest Bucharest, Romania [email protected] Abstract. Particular instantiations of the Offset Merkle Damgård au- thenticated encryption scheme (OMD) represent highly secure alterna- tives for AES-GCM. It is already a fact that OMD can be efficiently implemented in software. Given this, in our paper we focus on speeding- up OMD in hardware, more precisely on FPGA platforms. Thus, we propose a new OMD instantiation based on the compression function of BLAKE2b. Moreover, to the best of our knowledge, we present the first FPGA implementation results for the SHA-512 instantiation of OMD as well as the first architecture of an online authenticated encryption system based on OMD. Keywords: Authenticated encryption, pseudorandom function, compression function, provable security, FPGA, hardware optimization, nonce respecting ad- versaries. 1 Introduction Authenticated encryption (AE) primitives ensure both message confidentiality and authenticity. Initially, AE algorithms achieved confidentiality and integrity by combining two distinct cryptographic primitives (one for each of the two goals). Around two decades ago the perspective of having a unique primitive for confidentiality and integrity started to appear. Rogaway [16] extended AE schemes by adding a new type of input for associated data (AD) and, thus, AEAD (authenticated encryption with associated data) was the next step. Such a model is helpful in real world scenario in which part of the message (e.g. a header) needs only to be authenticated.
    [Show full text]
  • Hashes, Macs & Authenticated Encryption Today's Lecture Hashes
    Today’s Lecture • Hashes and Message Authentication Codes Hashes, MACs & • Properties of Hashes and MACs Authenticated Encryption • CBC-MAC, MAC -> HASH (slow), • SHA1, SHA2, SHA3 Tom Chothia • HASH -> MAC, HMAC ICS Lecture 4 • Authenticated Encryption – CCM Hashes Signatures l A hash of any message is a short string • Using RSA Epub(Dpriv(M)) = M generated from that message. • This can be used to sign messages. l The hash of a message is always the same. l Any small change makes the hash totally • Sign a message with the private key and this can be different. verified with the public key. l It is very hard to go from the hash to the message. • Any real crypto suite will not use the same key for encryption and signing. l It is very unlikely that any two different messages have the same hash. – as this can be used to trick people into decrypting. Signatures Uses of Hashing Alice has a signing key Ks • Download/Message verification and wants to sign message M Plain Text • Tying parts of a message together (hash the whole message) Detached Signature: Dks(#(M)) RSA decrypt with key ks SHA hash • Hash message, then sign the hash. • Protect Passwords Signed: M,Dks(#(M)) – Store the hash, not the password 1 Attacks on hashes Birthday Paradox • Preimage Attack: Find a message for a • How many people do you need to ask given hash: very hard. before you find 2 that have the same birthday? • Prefix Collision Attack: a collision attack where the attacker can pick a prefix for • 23 people, gives (23*22)/2 = 253 pairs.
    [Show full text]
  • Message Authentication Codes
    MessageMessage AuthenticationAuthentication CodesCodes Was this message altered? Did he really send this? Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain 12-1 OverviewOverview 1. Message Authentication 2. MACS based on Hash Functions: HMAC 3. MACs based on Block Ciphers: DAA and CMAC 4. Authenticated Encryption: CCM and GCM 5. Pseudorandom Number Generation Using Hash Functions and MACs These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 5th Ed, 2011. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-2 MessageMessage SecuritySecurity RequirementsRequirements Disclosure Traffic analysis Masquerade Content modification Sequence modification Timing modification Source repudiation Destination repudiation Message Authentication = Integrity + Source Authentication Washington University in St. Louis CSE571S ©2011 Raj Jain 12-3 PublicPublic--KeyKey AuthenticationAuthentication andand SecrecySecrecy A B’s Public A’s PrivateMessage B A Key Key B Double public key encryption provides authentication and integrity. Double public key Very compute intensive Crypto checksum (MAC) is better. Based on a secret key and the message. Can also encrypt with the same or different key. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-4 MACMAC PropertiesProperties A MAC is a cryptographic checksum MAC = CK(M) Condenses a variable-length message M using a secret key To a fixed-sized authenticator Is a many-to-one function Potentially many messages have same MAC But finding these needs to be very difficult Properties: 1.
    [Show full text]
  • Authenticated Encryption Mode IAPM Using SHA-3'S Public Random
    Authenticated Encryption Mode IAPM using SHA-3’s Public Random Permutation Charanjit Jutla IBM T. J. Watson Research Center New York 10598 Abstract. We study instantiating the random permutation of the block- cipher mode of operation IAPM (Integrity-Aware Parallelizable Mode) with the public random permutation of Keccak, on which the draft stan- dard SHA-3 is built. IAPM and the related mode OCB are single-pass highly parallelizable authenticated-encryption modes, and while they were originally proven secure in the private random permutation model, Kurosawa has shown that they are also secure in the public random per- mutation model assuming the whitening keys are uniformly chosen with double the usual entropy. In this paper, we show a general composabil- ity result that shows that the whitening key can be obtained from the usual entropy source by a key-derivation function which is itself built on Keccak. We stress that this does not follow directly from the usual indifferentiability of key-derivation function constructions from Random Oracles. We also show that a simple and general construction, again employing Keccak, can also be used to make the IAPM scheme key- dependent-message secure. Finally, implementations on modern AMD-64 architecture supporting 128-bit SIMD instructions, and not supporting the native AES instructions, show that IAPM with Keccak runs three times faster than IAPM with AES. 1 Introduction Symmetric key encryption of bulk data is usually performed using either a stream cipher or a block cipher. A long message is divided into small fixed-size blocks and encryption is performed by either a stream-cipher mode or a block-cipher mode employing a cryptographic primitive that operates on blocks.
    [Show full text]
  • Stronger Security Variants of GCM-SIV
    Stronger Security Variants of GCM-SIV Tetsu Iwata1 and Kazuhiko Minematsu2 1 Nagoya University, Nagoya, Japan, [email protected] 2 NEC Corporation, Kawasaki, Japan, [email protected] Abstract. At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 248 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses a question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack, and it offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2 which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 285.3 query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to show GCM-SIVr by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2128r/(r+1) query complexity.
    [Show full text]
  • CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion
    cryptography Article CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion Jonathan Trostle Independent Researcher, Washington, DC 98684, USA; [email protected] or [email protected]; Tel.: +1-360-253-8417 Received: 21 September 2018; Accepted: 4 December 2018; Published: 19 December 2018 Abstract: In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not necessarily result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Synthetic Initialization Vector (SIV) mode for computational overhead but has much smaller expansion. We prove both a misuse resistant authenticated encryption (MRAE) security bound and an authenticated encryption (AE) security bound for CMCC. We also present a variation of CMCC, CWM (CMCC With MAC), which provides a further strengthening of the security bounds. Keywords: energy constrained cryptography; authenticated encryption; misuse resistance 1. Introduction The current paradigm of providing confidentiality and integrity protection for distributed applications through the use of encryption combined with MAC’s (Message Authentication Codes) is reasonably efficient for many environments.
    [Show full text]
  • LAC: a Lightweight Authenticated Encryption Cipher
    LAC: A Lightweight Authenticated Encryption Cipher Version 1 | 15 March 2014 Designers and Submitters: Lei Zhang, Wenling Wu, Yanfeng Wang, Shengbao Wu, Jian Zhang fzhanglei, wwl, wangyanfeng, wushengbao, [email protected] Trusted Computing and Information Assurance Laboratory Institute of Software, Chinese Academy of Sciences Contents 1 Introduction 1 2 Specification 2 2.1 Symbols and Notations . 2 2.2 Specification of LAC . 2 2.3 Description of LBlock-s . 4 2.4 Round-reduced LBlock-s . 5 2.5 Encryption/Authentication Procedure . 5 2.6 Decryption/Verification Procedure . 6 3 Security Goals 7 4 Security Analysis 8 4.1 Extinguishing Differentials Analysis . 8 4.2 State Recovery . 8 4.3 Key Recovery . 8 4.4 Forgery without State Recovery . 9 4.5 Distinguishing Attack . 9 4.6 Guess-and-Determine Attack . 9 4.7 Slide Attack . 9 5 Features 11 5.1 Main Features . 11 5.2 Hardware Performance Evaluation . 11 5.3 Software Performance Evaluation . 12 5.4 Potential Applications . 13 5.5 Security and Performance Comparison . 13 6 Design Rationale 14 6.1 Structure . 14 6.2 The Underlying Encryption Cipher LBlock-s . 14 6.3 Parameter Choices . 15 7 Intellectual Property 16 8 Consent 17 9 Test Vector 18 i Chapter 1 Introduction LAC is a lightweight authenticated encryption cipher based on a similar structure of ALE [2] and a simplified version of the lightweight block cipher LBlock as underlying primitive. The recommended parameter set for LAC is as follows. Recommended Parameter (in bits) Key 80 Public Message Number 64 Secret Message Number 0 Tag 64 Its encryption/authentication procedure accepts an 80-bit master key K, a 64-bit public message number (PMN ), a message m, an associated data α, and outputs the ciphertext c of exactly the same length as message and a 64-bit authentication tag τ.
    [Show full text]
  • Security Analysis of BLAKE2's Modes of Operation
    Security Analysis of BLAKE2’s Modes of Operation Atul Luykx1, Bart Mennink1 and Samuel Neves2 1 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium [email protected], [email protected] 2 CISUC, Dept. of Informatics Engineering, University of Coimbra, Portugal [email protected] Abstract. BLAKE2 is a hash function introduced at ACNS 2013, which has been adopted in many constructions and applications. It is a successor to the SHA-3 finalist BLAKE, which received a significant amount of security analysis. Nevertheless, BLAKE2 introduces sufficient changes so that not all results from BLAKE carry over, meaning new analysis is necessary. To date, all known cryptanalysis done on BLAKE2 has focused on its underlying building blocks, with little focus placed on understanding BLAKE2’s generic security. We prove that BLAKE2’s compression function is indifferentiable from a random function in a weakly ideal cipher model, which was not the case for BLAKE. This implies that there are no generic attacks against any of the modes that BLAKE2 uses. Keywords: BLAKE · BLAKE2 · hash function · indifferentiability · PRF 1 Introduction Widespread adoption of cryptographic algorithms in practice often occurs regardless of their scrutiny by the cryptographic community. Although competitions such as AES and SHA-3 popularize thoroughly analyzed algorithms, they are not the only means with which practitioners find new algorithms. Standards, textbooks, and social media are sometimes more effective than publications and competitions. Nevertheless, analysis of algorithms is important regardless of how they were pop- ularized, and can result in finding insecurities, but also new techniques. For example, the PLAID protocol avoided cryptographic scrutiny by being standardized via the Cards and personal identification subcommittee of ISO, instead of via the Cryptography and security mechanisms working group, and when properly analyzed, PLAID turned out to be significantly weaker than claimed [DFF+14].
    [Show full text]
  • Nist Sp 800-38D
    NIST Special Publication 800-38D Recommendation for Block November, 2007 Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC Morris Dworkin C O M P U T E R S E C U R I T Y NIST Special Publication 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC Morris Dworkin C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 November 2007 U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology James M. Turner, Acting Director NIST Special Publication 800-38D Reports on Information Security Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
    [Show full text]