Full-State Keyed Duplex with Built-In Multi-user Support

  • Joan Daemen
  • Bart Mennink
  • Gilles Van Assche
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10625)

Abstract

The keyed duplex construction was introduced by Bertoni et al. (SAC 2011) and recently generalized to full-state absorption by Mennink et al. (ASIACRYPT 2015). We present a generalization of the full-state keyed duplex that natively supports multiple instances by design, and perform a security analysis that improves over that of Mennink et al. in terms of a more modular security analysis and a stronger and more adaptive security bound. Via the introduction of an additional parameter to the analysis, our bound demonstrates a significant security improvement in case of nonce-respecting adversaries. Furthermore, by supporting multiple instances by design, instead of adapting the security model to it, we manage to derive a security bound that is largely independent of the number of instances.

Keywords

Duplex construction, Full-state, Distinguishing bounds, Authenticated encryption

Notes

Acknowledgement

Bart Mennink is supported by a postdoctoral fellowship from the Netherlands Organisation for Scientific Research (NWO) under Veni grant 016.Veni.173.017.

References

  1. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar and Iwata [45], pp. 105–125
  2. Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander [36], pp. 364–384
  3. Aumasson, J., Jovanovic, P., Neves, S.: NORX v3.0 (2016). Submission to CAESAR Competition. https://competitions.cr.yp.to/round3/norxv30.pdf
  4. Bellare, M., Bernstein, D.J., Tessaro, S.: Hash-function based PRFs: AMAC and its multi-user security. In: Fischlin and Coron [28], pp. 566–595
  5. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
  6. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM (1993)
  7. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_3
  8. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop 2007, May 2007
  9. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
  10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_3
  11. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri and Vaudenay [39], pp. 320–337
  12. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference, January 2011
  13. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop, February 2011
  14. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Permutation-based encryption, authentication and authenticated encryption. In: Directions in Authenticated Ciphers, July 2012
  15. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR submission: Ketje V2, September 2016
  16. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR submission: Ketje V2, document version 2.2, September 2016
  17. Biham, E.: How to decrypt or even substitute DES-encrypted messages in \(2^{28}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002)
  18. Biryukov, A., Mukhopadhyay, S., Sarkar, P.: Improved time-memory trade-offs with multiple data. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 110–127. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_8
  19. Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: a lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_21
  20. CAESAR: Competition for authenticated encryption: security, applicability, and robustness, November 2014. http://competitions.cr.yp.to/caesar.html
  21. Chang, D., Dworkin, M., Hong, S., Kelsey, J., Nandi, M.: A keyed sponge construction with pseudorandomness in the standard model. In: NIST SHA-3 Workshop, March 2012
  22. Chatterjee, S., Menezes, A., Sarkar, P.: Another look at tightness. In: Miri and Vaudenay [39], pp. 293–319
  23. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19
  24. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2 (2016). Submission to CAESAR Competition. http://ascon.iaik.tugraz.at
  25. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57332-1_17
  26. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
  27. FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (2015)
  28. Fischlin, M., Coron, J.-S. (eds.): EUROCRYPT 2016, Part I. LNCS, vol. 9665. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3
  29. Gaži, P., Pietrzak, K., Tessaro, S.: The exact PRF security of truncation: tight bounds for keyed sponges and truncated CBC. In: Gennaro and Robshaw [31], pp. 368–387
  30. Gaži, P., Tessaro, S.: Provably robust sponge-based PRNGs and KDFs. In: Fischlin and Coron [28], pp. 87–116 (2016)
  31. Gennaro, R., Robshaw, M. (eds.): CRYPTO 2015, Part I. LNCS, vol. 9215. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6
  32. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_13
  33. Hoang, V.T., Tessaro, S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 3–32. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_1
  34. Hong, J., Sarkar, P.: New applications of time memory data tradeoffs. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 353–372. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_19
  35. Jovanovic, P., Luykx, A., Mennink, B.: Beyond 2c/2 security in sponge-based authenticated encryption modes. In: Sarkar and Iwata [45], pp. 85–104
  36. Leander, G. (ed.): FSE 2015. LNCS, vol. 9054. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5
  37. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2
  38. Mennink, B., Reyhanitabar, R., Vizár, D.: Security of full-state keyed sponge and duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 465–489. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_19
  39. Miri, A., Vaudenay, S. (eds.): SAC 2011. LNCS, vol. 7118. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0
  40. Mouha, N., Luykx, A.: Multi-key security: the Even-Mansour construction revisited. In: Gennaro and Robshaw [31], pp. 209–223
  41. Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_19
  42. Naito, Y., Yasuda, K.: New bounds for keyed sponges with extendable output: independence between capacity and message length. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 3–22. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_1
  43. Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
  44. Reyhanitabar, R., Vaudenay, S., Vizár, D.: Boosting OMD for almost free authentication of associated data. In: Leander [36], pp. 411–427
  45. Sarkar, P., Iwata, T. (eds.): ASIACRYPT 2014, Part I. LNCS, vol. 8873. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8
  46. Sasaki, Y., Yasuda, K.: How to incorporate associated data in sponge-based authenticated encryption. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 353–370. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_19

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Joan Daemen (1, 2)
  • Bart Mennink (1, 3)
  • Gilles Van Assche (2)
  1. Digital Security Group, Radboud University, Nijmegen, The Netherlands
  2. STMicroelectronics, Diegem, Belgium
  3. CWI, Amsterdam, The Netherlands