Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation

  • Markku-Juhani O. Saarinen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8366)


BLINKER is a light-weight cryptographic suite and record protocol built from a single permutation. Its design is based on the Sponge construction used by the SHA-3 algorithm KECCAK. We examine the SpongeWrap authenticated encryption mode and expand its padding mechanism to offer explicit domain separation and enhanced security for our specific requirements: shared secret half-duplex keying, encryption, and a MAC-and-continue mode. We motivate these enhancements by showing that unlike legacy protocols, the resulting record protocol is secure against a two-channel synchronization attack while also having a significantly smaller implementation footprint. The design facilitates security proofs directly from a single cryptographic primitive (a single security assumption) rather than via idealization of multitude of algorithms, paddings and modes of operation. The protocol is also uniquely suitable for an autonomous or semi-autonomous hardware implementation of protocols where the secrets never leave the module, making it attractive for smart card and HSM designs.


Lightweight Security Sponge-based Protocols Sponge Construction Autonomous Hardware Encryption Half-duplex security BLINKER 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Hell, M., Johansson, T., Meier, W.: Grain - a stream cipher for constrained environments. International Journal of Wireless and Mobile Computing, Special Issue on Security of Computer Network and Mobile Systems 2(1), 86–93 (2006)Google Scholar
  3. 3.
    Gren, M.A., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. International Journal of Wireless and Mobile Computing 5(1), 48–59 (2011)CrossRefGoogle Scholar
  4. 4.
    Engels, D., Fan, X., Gong, G., Hu, H., Smith, E.M.: Ultra-lightweight cryptography for low-cost RFID tags: Hummingbird algorithm and protocol. Technical Report CACR-2009-29, University of Waterloo (2009)Google Scholar
  5. 5.
    Engels, D., Saarinen, M.-J.O., Schweitzer, P., Smith, E.M.: The hummingbird-2 lightweight authenticated encryption algorithm. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 19–31. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  6. 6.
    Bilgin, B., Bogdanov, A., Knežević, M., Mendel, F., Wang, Q.: fides: Lightweight authenticated cipher with side-channel resistance for constrained hardware. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 142–158. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  7. 7.
    Yalçın, T., Kavun, E.B.: On the implementation aspects of sponge-based authenticated encryption for pervasive devices. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 141–157. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  8. 8.
    NIST: NIST selects winner of secure hash algorithm (SHA-3) competition. NIST Tech Beat Newsletter (October 2, 2012)Google Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak reference, version 3.0. NIST SHA3 Submission Document (January 2011)Google Scholar
  10. 10.
    Kelsey, J.: SHA3: Where we’ve been, where we’re going. Talk Given at RSA Security Conference USA 2013 (February 2013)Google Scholar
  11. 11.
    Kelsey, J.: SHA3: Past, present, and future. Invited Talk Given at CHES 2013 (August 2013)Google Scholar
  12. 12.
    Freier, A., Karlton, P., Kocher, P.: The secure sockets layer (SSL) protocol version 3.0. IETF RFC 6101 (Historic) (August 2011)Google Scholar
  13. 13.
    Ylönen, T., Lonvick, C.: The secure shell (SSH) protocol architecture. IETF RFC 4251 (Standards Track) (January 2006)Google Scholar
  14. 14.
    Ylönen, T., Lonvick, C.: The secure shell (SSH) transport layer protocol. IETF RFC 4253 (Standards Track) (January 2006)Google Scholar
  15. 15.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. IETF RFC 5246 (Standards Track) (August 2008)Google Scholar
  16. 16.
    Kent, S., Seo, K.: Security architecture for the internet protocol. IETF RFC 4301 (Standards Track) (December 2005)Google Scholar
  17. 17.
    Kent, S.: IP authentication header. IETF RFC 4302 (Standards Track) (December 2005)Google Scholar
  18. 18.
    Kent, S.: IP encapsulating security payload (ESP). IETF RFC 4303 (Standards Track) (December 2005)Google Scholar
  19. 19.
    Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W., Zorn, G.: Point-to-point tunneling protocol (PPTP). IETF RFC 2637 (July 1999)Google Scholar
  20. 20.
    IEEE: IEEE standard for information technology - telecommunications and information exchange between systems - local and metropolitan area networks - specific requirements. part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. amendment 6: Medium access control (MAC) security enhancements (July 2004)Google Scholar
  21. 21.
    Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  22. 22.
    Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS.. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–546. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  23. 23.
    AlFardan, N.J., Paterson, K.G.: Lucky thirteen: Breaking the TLS and DTLS record protocols. In: IEEE Symposium on Security and Privacy 2013 (to appear, 2013)Google Scholar
  24. 24.
    Bellare, M., Canetti, R., Krawczyk, H.: Message authentication using hash functions - the HMAC construction. CryptoBytes 2(1) (1996)Google Scholar
  25. 25.
    NIST: Advanced Encryption Standard (AES). Federal Information Processing Standards 197 (2001)Google Scholar
  26. 26.
    Dworkin, M.: Recommendation for block cipher modes of operation. Special Publication 800-38A (December 2001)Google Scholar
  27. 27.
    Rivest, R.: The RC4 encryption algorithm (March 1992)Google Scholar
  28. 28.
    NIST: Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. NIST Special Publication 800-38D (2007)Google Scholar
  29. 29.
    Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). IETF RFC 3610 (September 2003)Google Scholar
  30. 30.
    NIST: Secure Hash Standard (SHS). Federal Information Processing Standards Publication 180-4 (March 2012)Google Scholar
  31. 31.
    Simon, D., Aboba, B., Hurst, R.: The EAP-TLS authentication protocol. IETF RFC 5216 (March 2008)Google Scholar
  32. 32.
    UKPA: Acquirers’ interface requirements for electronic data capture terminals. UKPA / APACS Standard 40, incorporated into Standard 70 Book 2, 4 & 5 (2007)Google Scholar
  33. 33.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) CCS 2001: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 196–205. ACM (2001)Google Scholar
  34. 34.
    Rogaway, P., Bellare, M., Black, J.: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Transactions on Information and System Security (TISSEC) 6(3), 365–403 (2003)CrossRefGoogle Scholar
  35. 35.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: Single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  36. 36.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Permutation-based encryption, authentication and authenticated encryption. In: DIAC 2012 (2012),
  37. 37.
    Saarinen, M.J.O.: Developing a grey hat C2 and RAT for APT security training and assessment. In: GreHack 2013 Hacking Conference, Grenoble, France, November 15, 2013 (to appear)Google Scholar
  38. 38.
    Bellovin, S.M.: Problem areas for the IP security protocols. In: Proc. Sixth USENIX Security Symposium, pp. 205–214 (1996)Google Scholar
  39. 39.
    Mitchell, J., Shmatikov, V., Stern, U.: Finite-state analysis of SSL 3.0. In: USENIX Security Symposium 1998, 201–216. USENIX (1998)Google Scholar
  40. 40.
    Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: The Second USENIX Workshop on Electronic Commerce Proceedings, pp. 29–40. USENIX Press (November 1996)Google Scholar
  41. 41.
    Degabriele, J.P., Paterson, K.G.: Attacking the IPsec standards in encryption-only configurations. In: IEEE Symposium on Security and Privacy, pp. 335–349. IEEE Computer Society (2007)Google Scholar
  42. 42.
    Degabriele, J.P., Paterson, K.G.: On the (in)security of IPsec in MAC-then-encrypt configurations. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM Conference on Computer and Communications Security, pp. 493–504. ACM (2010)Google Scholar
  43. 43.
    Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size does matter: Attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  44. 44.
    Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: A systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  45. 45.
    International Standardization Organization: ISO/IEC 7816-4:2013 Identification cards – Integrated circuit cards – Part 4: Organization, security and commands for interchange (2013)Google Scholar
  46. 46.
    International Standardization Organization: ISO/IEC 18000-63. Information technology – Radio frequency identification for item management – Part 6: Parameters for air interface communications at 860 MHz to 960 MHz Type C (2012)Google Scholar
  47. 47.
    MODBUS: MODBUS Application Protocol Specification V1.1B (April 2012),
  48. 48.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Sponge functions. In: Ecrypt Hash Workshop 2007 (May 2007)Google Scholar
  49. 49.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Sakura: a flexible coding for tree hashing. IACR ePrint 2013/213 (April 2013),
  50. 50.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: On the security of the keyed sponge construction. In: SKEW 2011 Symmetric Key Encryption Workshop (February 2011)Google Scholar
  51. 51.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  52. 52.
    Ferguson, N., Schneier, B.: Practical Cryptography. John Wiley & Sons (2003)Google Scholar
  53. 53.
    Saarinen, M.-J.O.: CBEAM: Efficient authenticated encryption from feebly one-way phi functions. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, Springer, Heidelberg (2014)Google Scholar
  54. 54.
    Chang, S., Perlner, R., Burr, W.E., Turan, M.S., Kelsey, J.M., Paul, S., Bassham, L.E.: Third-round report of the SHA-3 cryptographic hash algorithm competition. Technical Report NISTIR 7896, National Institute of Standards and Technology (November 2012)Google Scholar
  55. 55.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  56. 56.
    Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: quark: A lightweight hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  57. 57.
    Aumasson, J.P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A lightweight hash. Journal of Cryptology (2012), doi: 10.1007/s00145-012-9125-6Google Scholar
  58. 58.
    Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: A lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  59. 59.
    Bernstein, D.J.: Curve25519: New diffie-hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Markku-Juhani O. Saarinen
    • 1
  1. 1.Kudelski SecuritySwitzerland

Personalised recommendations