Abstract
One of the finalists in the NIST Lightweight Cryptography competition is \(\mathsf {Elephant}\) v2, a parallelizable, permutation-based authenticated encryption scheme. The original first/second-round submission \(\mathsf {Elephant}\) v1/v1.1 was proven secure against nonce-respecting adversaries in the single-user setting. For the final round, the mode has undergone certain subtle modifications, the most important one being a change in the authentication portion of the mode. These changes require a new dedicated security proof.
In this work, we prove the security of the \(\mathsf {Elephant}\) v2 mode. First of all, our proof shows that \(\mathsf {Elephant}\) v2 is indeed a secure authenticated encryption scheme and that its security against nonce-respecting adversaries is on par with that of \(\mathsf {Elephant}\) v1/v1.1. In addition, our security analysis is in the multi-user setting and demonstrates that \(\mathsf {Elephant}\) v2 fares well if multiple devices use \(\mathsf {Elephant}\) v2 with independent keys. Moreover, our proof shows that \(\mathsf {Elephant}\) v2 even ensures authenticity under nonce misuse.
Notes
1. In our application, the tweak space is of a specific form and cannot be conveniently expressed as a set of binary strings.
2. As a matter of fact, in \(\mathsf {Elephant}\) v2, the nonce is smaller than the state size of the permutation and is appended with associated data bits. This does not change the overall argument.
3. In the original analysis of \(\mathsf {MEM} \) [20] (that was about single-user security only), the mask involves a computation \(\mathsf {P}(K\Vert N)\) for nonce N. This not only complicates the values that have to be revealed; it also results in a larger view and hence a higher collision probability among tuples in the view.
References
Banik, S., et al.: GIFT-COFB v1.1. Submission to NIST Lightweight Cryptography (2021)
Beierle, C., et al.: Schwaemm and Esch: lightweight authenticated encryption and hashing using the sparkle permutation family. Submission to NIST Lightweight Cryptography (2021)
Beierle, C., et al.: Lightweight AEAD and hashing using the sparkle permutation family. IACR Trans. Symmetric Cryptol. 2020(S1), 208–261 (2020)
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10
Bernstein, D.J.: How to stretch random functions: the security of protected counter sums. J. Cryptol. 12(3), 185–192 (1999)
Bernstein, D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_10
Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B.: Elephant v1.1. Submission to NIST Lightweight Cryptography (2019)
Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B.: Dumbo, Jumbo, and Delirium: parallel authenticated encryption for the lightweight circus. IACR Trans. Symmetric Cryptol. 2020(S1), 5–30 (2020)
Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B.: Status update on Elephant. Note at NIST Lightweight Cryptography (2020)
Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B.: Elephant v2. Submission to NIST Lightweight Cryptography (2021)
Biham, E.: How to decrypt or even substitute DES-encrypted messages in \(2^{28}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002)
Chen, S., Steinberger, J.P.: Tight security bounds for key-alternating ciphers. In: Nguyen and Oswald [25], pp. 327–350 (2014)
Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodyak, a lightweight cryptographic scheme. IACR Trans. Symmetric Cryptol. 2020(S1), 60–87 (2020)
Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R., Mella, S.: Xoodyak, a lightweight cryptographic scheme. Submission to NIST Lightweight Cryptography (2021)
Daemen, J., Mennink, B., Van Assche, G.: Full-state keyed duplex with built-in multi-user support. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 606–637. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_21
Dobraunig, C., et al.: ISAP v2.0. IACR Trans. Symmetric Cryptol. 2020(S1), 390–416 (2020)
Dobraunig, C., et al.: ISAP v2. Submission to NIST Lightweight Cryptography (2021)
Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2. Submission to NIST Lightweight Cryptography (2021)
Granger, R., Jovanovic, P., Mennink, B., Neves, S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 263–293. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_11
Khairallah, M.: Weak keys in the rekeying paradigm: application to COMET and mixFeed. IACR Trans. Symmetric Cryptol. 2019(4), 272–289 (2019)
Luykx, A., Mennink, B., Paterson, K.G.: Analyzing multi-key security degradation. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 575–605. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_20
Luykx, A., Preneel, B., Tischhauser, E., Yasuda, K.: A MAC mode for lightweight block ciphers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 43–59. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_3
Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen and Oswald [25], pp. 257–274 (2014). https://doi.org/10.1007/978-3-642-55220-5_15
Nguyen, P.Q., Oswald, E. (eds.): EUROCRYPT 2014. LNCS, vol. 8441. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5
NIST: Lightweight Cryptography, February 2019. https://csrc.nist.gov/Projects/Lightweight-Cryptography
Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_24
Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
Acknowledgments
This work was supported in part by the Research Council KU Leuven: GOA TENSE (C16/15/058). Tim Beyne and Yu Long Chen are supported by a Ph.D. Fellowship from the Research Foundation - Flanders (FWO). Christoph Dobraunig is supported by the Austrian Science Fund (FWF): J 4277-N38. Bart Mennink is supported by the Netherlands Organisation for Scientific Research (NWO) under grant VI.Vidi.203.099.
A Proof of Theorem 1 (on SiM)
The proof closely follows Granger et al. [20], as did that of Beyne et al. [9], and uses the H-coefficient technique [13, 27]. The main difference is that we consider multi-user security, where the adversary can query \(\mu \ge 1\) construction oracles.
Let \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\), \(\mathsf {P}\xleftarrow {{\scriptscriptstyle \$}}\mathrm {perm}(n)\), and \(\widetilde{\pi }_1,\ldots ,\widetilde{\pi }_\mu \xleftarrow {{\scriptscriptstyle \$}}\mathrm {perm}(\mathcal {T},n)\), where \(\mathcal {T}\) is \(2^{-\alpha }\)-proper with respect to LFSRs \((\varphi _1,\ldots ,\varphi _z)\). Consider a computationally unbounded adversary \(\mathcal {A}\) that tries to distinguish \(\mathcal {O} := ((\widetilde{\mathsf {E}}_{K_j}^{\mathsf {P}})_{j=1}^\mu ,\mathsf {P}^{\pm })\) from \(\mathcal {P} := ((\widetilde{\pi }_j)_{j=1}^\mu ,\mathsf {P}^{\pm })\). Without loss of generality, we can consider it to be deterministic: for any probabilistic adversary there exists a deterministic one that has at least the same success probability. The interaction of \(\mathcal {A}\) with its oracle (\(\mathcal {O}\) or \(\mathcal {P}\)) is gathered in a view \(\nu \). Denote by \(D_{\mathcal {O}}\) (resp., \(D_{\mathcal {P}}\)) the probability distribution of views in interaction with \(\mathcal {O}\) (resp., \(\mathcal {P}\)). Denote by \(\mathcal {V}\) the set of “attainable views”, i.e., views \(\nu \) such that \(\mathbf {Pr}\left( D_{\mathcal {P}}=\nu \right) >0\).
Lemma 1 (H-coefficient technique)
Consider a partition \(\mathcal {V}=\mathcal {V}_{\mathrm {good}}\cup \mathcal {V}_{\mathrm {bad}}\) of the set of views into “good” and “bad” views. Let \(\varepsilon \in [0,1]\) be such that \(\frac{\mathbf {Pr}\left( D_{\mathcal {O}}=\nu \right) }{\mathbf {Pr}\left( D_{\mathcal {P}}=\nu \right) } \ge 1-\varepsilon \) for all \(\nu \in \mathcal {V}_{\mathrm {good}}\). Then,
For a view \(\nu = \{(x_1,y_1),\ldots ,(x_q,y_q)\}\) consisting of q input/output tuples, we denote by \(\mathcal {O}\vdash \nu \) the event that oracle \(\mathcal {O}\) satisfies \(\mathcal {O}(x_i)=y_i\) for all \(i\in \{1,\ldots ,q\}\).
The remainder of the proof is structured as follows. We specify the views of an adversary in Sect. A.1 and define the bad views in Sect. A.2. The probability of bad views is analyzed in Sect. A.3 and the probability ratio for good views is considered in Sect. A.4. Section A.5 concludes the proof.
A.1 Views
The adversary can make q construction queries to \((\widetilde{\mathsf {E}}_{K_j}^{\mathsf {P}})_{j=1}^\mu \) or \((\widetilde{\pi }_j)_{j=1}^\mu \), all in the forward direction only. Each such query is made for a user index \(j_i\in \{1,\ldots ,\mu \}\), some tweak \(\bar{a}_i=(a_1,\ldots ,a_z)_i\), and a message input \(M_i\), and results in an output \(C_i\). The q queries are summarized in a view
The adversary can make p primitive queries to \(\mathsf {P}^{\pm }\), and these are likewise summarized in a view
After the conversation of \(\mathcal {A}\) with its oracle, but before it makes its final decision, we reveal the key material used in the interaction. This can be done without loss of generality; it only improves the adversarial success probability. The first values that are revealed are the values \(K_1,\ldots ,K_\mu \). In the real world, these are the keys \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) that are actually used by the construction oracle; in the ideal world, these are dummy keys \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\). The second values that are revealed are the values \(L_1,\ldots ,L_\mu \in \{0,1\}^{n}\). In the real world, these are the values \(L_j=\mathsf {P}(K_j\Vert 0^{n-k})\) for \(j=1,\ldots ,\mu \); in the ideal world, these are dummy keys \(L_1,\ldots ,L_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) (see Note 3). The revealed data is summarized in a view
(Note that in the single-user setting, where \(\mu =1\), \(\nu _k\) is a singleton.) The complete view is defined as \(\nu =(\nu _c,\nu _p,\nu _k)\). We assume that the adversary never makes any duplicate query, hence \(\nu _c\) and \(\nu _p\) contain no duplicate elements.
A.2 Definition of Good and Bad Views
In the real world, all tuples in \(\nu _p\) define exactly one input-output pair for \(\mathsf {P}\). Likewise, the tuples in \(\nu _k\) are input-output pairs for \(\mathsf {P}\). Using these tuples, one can observe that any tuple \((j_i,\bar{a}_i,M_i,C_i)\in \nu _c\) also defines an input-output pair for \(\mathsf {P}\), namely
see (7), where we define \(\bar{\varphi }^{\bar{a}_i}:=\varphi _z^{{a_z}_i}\circ \cdots \circ \varphi _1^{{a_1}_i}\) for brevity. If among all these \(q+p+\mu \) input-output pairs defined by \(\nu \), there are two that have colliding input or output values, we consider \(\nu \) to be a bad view. Formally, \(\nu \) is called “bad” if one of the following conditions is satisfied, where we recall that the user index j in a tuple in \(\nu _c\) determines which key tuple from \(\nu _k\) has to be used:
We write \(\mathrm {bad}=\mathrm {bad}_{c,c}\vee \mathrm {bad}_{c,p}\vee \mathrm {bad}_{c,k}\vee \mathrm {bad}_{p,k}\vee \mathrm {bad}_{k,k}\).
The definition of bad events differs from the single-user analysis of Beyne et al. [9] in the adjustment of the bad events \(\mathrm {bad}_{c,k}\) and \(\mathrm {bad}_{p,k}\) and in the addition of the bad event \(\mathrm {bad}_{k,k}\). The events \(\mathrm {bad}_{c,k}\) and \(\mathrm {bad}_{p,k}\) have been adjusted because construction or permutation queries may now collide with any of the \(\mu \) key tuples. The new bad event \(\mathrm {bad}_{k,k}\) comes from the fact that different key tuples might collide with each other.
A.3 Probability of Bad View in Ideal World
Our goal is to bound \(\mathbf {Pr}\left( D_{\mathcal {P}}\in \mathcal {V}_{\mathrm {bad}}\right) \), the probability of a bad view in the ideal world \(\mathcal {P}=((\widetilde{\pi }_j)_{j=1}^\mu ,\mathsf {P}^{\pm })\). For brevity, denote by \(D_{\mathcal {P}}\propto \mathrm {bad}\) the event that \(D_{\mathcal {P}}\) satisfies \(\mathrm {bad}\). By the union bound,
We will analyze the five probabilities separately, noting that (i) \(K_1,\) \(\smash {\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}}\) and \(\smash {L_1,\ldots ,L_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}}\) are random variables in the ideal world, and (ii) as the adversary only makes forward construction queries, each tuple \((j,\bar{a},M,C)\in \nu _c\) satisfies that C is randomly drawn from a set of size at least \(2^n-q\).
Event \(\mathrm {bad}_{c,c}\). For \(\mathrm {bad}_{c,c}\), let \((j,\bar{a},M,C),(j',\bar{a}',M',C')\in \nu _c\) be any two distinct tuples. If \(j=j'\) and \(\bar{a}=\bar{a}'\), then necessarily \(M\ne M'\) and \(C\ne C'\), and \(\mathrm {bad}_{c,c}\) holds with probability 0. Otherwise, if \(j=j'\) but \(\bar{a}\ne \bar{a}'\), we can deduce from \(2^{-\alpha }\)-properness of \(\mathcal {T}\), namely property 2 of Definition 1, that event \(\mathrm {bad}_{c,c}\) holds with probability at most \(2/2^{\alpha }\). Finally, if \(j\ne j'\), the subkeys \(L_j,L_{j'}\) are independent and we can likewise deduce from \(2^{-\alpha }\)-properness of \(\mathcal {T}\), namely property 1 of Definition 1, that event \(\mathrm {bad}_{c,c}\) holds with probability at most \(2/2^{\alpha }\). Thus, summing over all \(\binom{q}{2}\) possible choices of queries,
Event \(\mathrm {bad}_{c,p}\). For \(\mathrm {bad}_{c,p}\), let \((j,\bar{a},M,C)\in \nu _c\) and \((X,Y)\in \nu _p\) be any two tuples. We can deduce from \(2^{-\alpha }\)-properness of \(\mathcal {T}\), namely property 1 of Definition 1, that event \(\mathrm {bad}_{c,p}\) holds with probability at most \(2/2^{\alpha }\). Thus, summing over all qp possible choices of queries,
Event \(\mathrm {bad}_{c,k}\). For \(\mathrm {bad}_{c,k}\), let \((j,\bar{a},M,C)\in \nu _c\) and \((K,L)\in \nu _k\) be any two tuples. We consider the two equations of \(\mathrm {bad}_{c,k}\) separately. For the first equation,
we will use that \(L_j\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) is a randomly generated value independent of K. We can deduce from \(2^{-\alpha }\)-properness of \(\mathcal {T}\), namely property 1 of Definition 1, that this equation holds with probability at most \(1/2^{\alpha }\).
For the second equation,
it might be that \(L=L_j\), and we cannot rely on Definition 1. Instead, we will use that all construction queries are made in the forward direction, and that C is randomly drawn from a set of at least \(2^n-q\) elements. The above equation thus holds with probability at most \(1/(2^n-q)\).
Thus, summing over all \(\mu q\) possible choices of queries,
Event \(\mathrm {bad}_{p,k}\). For \(\mathrm {bad}_{p,k}\), let \((X,Y)\in \nu _p\) and \((K,L)\in \nu _k\) be any two tuples. As \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) and \(L\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\), the two tuples satisfy \(\mathrm {bad}_{p,k}\) with probability at most \(1/2^k + 1/2^n\). Thus, summing over all \(\mu p\) possible choices of queries,
Event \(\mathrm {bad}_{k,k}\). For \(\mathrm {bad}_{k,k}\), let \((K,L),(K',L')\in \nu _k\) be any two distinct tuples. As \(K,K'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) and \(L,L'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\), the two tuples satisfy \(\mathrm {bad}_{k,k}\) with probability at most \(1/2^k + 1/2^n\). Thus, summing over all \(\binom{\mu }{2}\) possible choices of queries,
Conclusion. Summing the five bounds above, we obtain for (20):
using that \(2^n-q\ge 2^{n-1}\).
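The five per-event bounds stated above can be carried through to a single closed-form bound in the paper's own symbols. The following derivation is an added worked example, not the paper's displayed equation (21); it assumes only the bounds stated in the text for each event and the simplification \(2^n-q\ge 2^{n-1}\):

$$
\begin{aligned}
\mathbf {Pr}\left( D_{\mathcal {P}}\in \mathcal {V}_{\mathrm {bad}}\right)
&\le \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,c}\right) + \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,p}\right) + \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,k}\right) \\
&\quad + \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{p,k}\right) + \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{k,k}\right) \\
&\le \binom{q}{2}\frac{2}{2^{\alpha }} + qp\,\frac{2}{2^{\alpha }} + \mu q\left( \frac{1}{2^{\alpha }} + \frac{1}{2^n-q}\right) + \mu p\left( \frac{1}{2^k} + \frac{1}{2^n}\right) + \binom{\mu }{2}\left( \frac{1}{2^k} + \frac{1}{2^n}\right) \\
&\le \frac{q(q-1) + 2qp + \mu q}{2^{\alpha }} + \frac{2\mu q}{2^n} + \left( \mu p + \binom{\mu }{2}\right) \left( \frac{1}{2^k} + \frac{1}{2^n}\right) ,
\end{aligned}
$$

where the last step uses \(1/(2^n-q)\le 2/2^n\). The \(\mu q/2^{\alpha }\) and \(2\mu q/2^n\) terms are exactly the multi-user cost of the adjusted event \(\mathrm {bad}_{c,k}\), and the \(\binom{\mu }{2}\) term is the cost of the new event \(\mathrm {bad}_{k,k}\); with \(\mu =1\) both the \(\binom{\mu }{2}\) term and the key-collision terms vanish, recovering the shape of the single-user bound. Since Sect. A.4 shows that the probability ratio for good views is at least 1, the H-coefficient technique applies with \(\varepsilon =0\), so the distinguishing advantage is bounded by this bad-view probability alone.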
A.4 Probability Ratio for Good Views
Consider any good view \(\nu \in \mathcal {V}_{\mathrm {good}}\). We will prove the inequality \(\mathbf {Pr}\left( D_{\mathcal {O}}=\nu \right) \ge \mathbf {Pr}\left( D_{\mathcal {P}}=\nu \right) \). The proof is a direct generalization of that of Granger et al. [20], noting that in our case, we consider multi-user security. The proof is included for completeness.
Real World. In the real world \(\mathcal {O} = ((\widetilde{\mathsf {E}}_{K_j}^{\mathsf {P}})_{j=1}^\mu ,\mathsf {P}^{\pm })\), goodness of the view means that \(\nu =(\nu _c,\nu _p,\nu _k)\) defines exactly \(q+p+\mu \) input-output pairs for \(\mathsf {P}\), and no two of them collide on the input or output, and \(\nu _k\) consists of random values \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\). Therefore, we obtain:
Ideal World. In the ideal world \(\mathcal {P} = ((\widetilde{\pi }_j)_{j=1}^\mu ,\mathsf {P}^{\pm })\), the view \(\nu =(\nu _c,\nu _p,\nu _k)\) consists of three lists of independent tuples: \(\nu _c\) defines exactly q input-output pairs for \(\widetilde{\pi }_j\), \(\nu _p\) defines exactly p input-output pairs for \(\mathsf {P}\), and \(\nu _k\) consists of \(\mu \) random tuples \((K_1,L_1),\ldots ,(K_\mu ,L_\mu )\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\times \{0,1\}^{n}\). For counting, it is convenient to group the tuples in \(\nu _c\) depending on the user index j and tweak value \(\bar{a}\). For \(J\in \{1,\ldots ,\mu \}\) and \(T\in \mathcal {T}\), define
where \(\sum _{(J,T)\in \{1,\ldots ,\mu \}\times \mathcal {T}} q_{J,T} = q\). We obtain:
using that for any \(\sigma +\tau \le 2^n\) we have \(\frac{(2^n-\sigma )!}{(2^n)!}\cdot \frac{(2^n-\tau )!}{(2^n)!}\le \frac{(2^n-(\sigma +\tau ))!}{(2^n)!}\).
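The factorial inequality invoked above is the step that lets the per-\((J,T)\) and per-primitive factors of the ideal-world probability be merged into the single factor that appears in the real-world probability. As an added justification (not part of the paper's text), write \(N:=2^n\) and expand both sides as falling factorials, using \(\sigma +\tau \le N\) so that every factor is positive:

$$
\begin{aligned}
\frac{N!}{(N-(\sigma +\tau ))!}
&= \prod _{i=0}^{\sigma +\tau -1}(N-i)
 = \prod _{i=0}^{\sigma -1}(N-i)\cdot \prod _{i=0}^{\tau -1}(N-\sigma -i) \\
&\le \prod _{i=0}^{\sigma -1}(N-i)\cdot \prod _{i=0}^{\tau -1}(N-i)
 = \frac{N!}{(N-\sigma )!}\cdot \frac{N!}{(N-\tau )!},
\end{aligned}
$$

since \(N-\sigma -i\le N-i\) for every \(i\). Taking reciprocals reverses the inequality and gives \(\frac{(N-\sigma )!}{N!}\cdot \frac{(N-\tau )!}{N!}\le \frac{(N-(\sigma +\tau ))!}{N!}\). Applying this repeatedly to the product over all \((J,T)\) with \(\sum _{(J,T)} q_{J,T}=q\), and once more to absorb the p primitive pairs, bounds the ideal-world probability by a single factor of the form \((N-(q+p))!/N!\) times the key-tuple probability, which is the form compared against the real world in the conclusion.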
Conclusion. Combining (22) and (23), we obtain that for any good view \(\nu \in \mathcal {V}_{\mathrm {good}}\):
A.5 Conclusion
By the H-coefficient technique (Lemma 1), we directly obtain from (21) and (24):
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B. (2022). Multi-user Security of the Elephant v2 Authenticated Encryption Mode. In: AlTawy, R., Hülsing, A. (eds) Selected Areas in Cryptography. SAC 2021. Lecture Notes in Computer Science, vol 13203. Springer, Cham. https://doi.org/10.1007/978-3-030-99277-4_8
DOI: https://doi.org/10.1007/978-3-030-99277-4_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-99276-7
Online ISBN: 978-3-030-99277-4