Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications

  • Guido Bertoni
  • Joan Daemen
  • Michaël Peeters
  • Gilles Van Assche
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7118)

Abstract

This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and, at no extra cost, provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against single-stage generic attacks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as a reseedable pseudo-random bit sequence generator and a sponge variant that overwrites part of the state with the input block rather than XORing it in.
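The abstract describes three things a practitioner may want to see concretely: a duplex object that absorbs a block and immediately returns output, the equivalence of each duplexing output to one sponge call over the individually padded inputs so far, and a single-pass authenticated encryption mode with intermediate tags. The following is an added example written for this page, not the authors' code and not the exact SpongeWrap algorithm of the paper: it runs on a constructed toy ARX permutation (not Keccak-f), uses illustrative byte-oriented rate, capacity, block and tag sizes, and uses a frame byte per block for domain separation where the paper uses a frame bit.

```python
# Added example (not the paper's code): a byte-oriented duplex construction on a
# constructed toy permutation, a check of the duplexing-sponge equivalence stated in
# the abstract, and a simplified SpongeWrap-style single-pass authenticated
# encryption with intermediate tags. The permutation is a toy ARX mixer, NOT Keccak-f;
# rate, capacity, block and tag sizes are illustrative choices, not the paper's.
import hmac

M64 = (1 << 64) - 1
RATE, CAPACITY = 32, 32          # r and c in bytes (assumed); WIDTH = b = r + c
WIDTH = RATE + CAPACITY
BLOCK = 24                       # payload per duplexing call; leaves room for frame byte + pad
TAG_LEN = 8                      # BLOCK + TAG_LEN <= RATE: keystream and tag come from one call
FRAME_KEY, FRAME_HEADER, FRAME_BODY = b"\x00", b"\x01", b"\x02"   # domain separation per block type

def _rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & M64

def _qr(w, a, b, c, d):          # ChaCha-like quarter round: add-rotate-xor, bijective
    w[a] = (w[a] + w[b]) & M64; w[d] = _rotl(w[d] ^ w[a], 32)
    w[c] = (w[c] + w[d]) & M64; w[b] = _rotl(w[b] ^ w[c], 24)
    w[a] = (w[a] + w[b]) & M64; w[d] = _rotl(w[d] ^ w[a], 16)
    w[c] = (w[c] + w[d]) & M64; w[b] = _rotl(w[b] ^ w[c], 63)

def toy_permutation(state):
    """Constructed 512-bit permutation f (eight 64-bit words, 10 rounds). No security claim."""
    w = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(8)]
    for rnd in range(10):
        _qr(w, 0, 1, 2, 3); _qr(w, 4, 5, 6, 7)
        _qr(w, 0, 5, 2, 7); _qr(w, 4, 1, 6, 3)
        w[0] ^= rnd              # round constant breaks slide-style symmetry
    return b"".join(x.to_bytes(8, "little") for x in w)

def pad(block):
    """Byte-level pad10*1 to one rate block: 0x01, zeros, 0x80 ORed into the last byte."""
    assert len(block) < RATE     # a duplexing input must leave room for the padding
    out = bytearray(block) + b"\x01" + bytes(RATE - len(block) - 1)
    out[-1] |= 0x80
    return bytes(out)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _chunks(data, n):
    return [data[i:i + n] for i in range(0, len(data), n)] or [b""]

def sponge_padded(padded_input, out_len):
    """Plain sponge over an input already padded to a multiple of RATE: absorb, then squeeze."""
    s = bytes(WIDTH)
    for i in range(0, len(padded_input), RATE):
        s = toy_permutation(_xor(s[:RATE], padded_input[i:i + RATE]) + s[RATE:])
    z = s[:RATE]
    while len(z) < out_len:
        s = toy_permutation(s)
        z += s[:RATE]
    return z[:out_len]

class Duplex:
    """Duplex object: every call absorbs one padded block and returns up to r bytes of output."""
    def __init__(self):
        self.state = bytes(WIDTH)
    def duplexing(self, sigma, out_len):
        assert out_len <= RATE
        self.state = toy_permutation(_xor(self.state[:RATE], pad(sigma)) + self.state[RATE:])
        return self.state[:out_len]

def duplex_matches_sponge_cascade(blocks, out_len=RATE):
    """Duplexing-sponge lemma: the latest duplexing output equals one sponge call over
    the concatenation of all inputs so far, each padded individually to a rate block."""
    d, z = Duplex(), b""
    for b in blocks:
        z = d.duplexing(b, out_len)
    return z == sponge_padded(b"".join(pad(b) for b in blocks), out_len)

def wrap(key, header, body, decrypt=False):
    """Simplified SpongeWrap-style mode. One permutation call per block: its output is
    keystream for the next block plus an intermediate tag over everything so far.
    Returns (output, intermediate_tags, final_tag); set decrypt=True to unwrap."""
    assert len(key) <= BLOCK
    d = Duplex()
    d.duplexing(FRAME_KEY + key, 0)                       # key block, no output needed
    hdr = _chunks(header, BLOCK)                          # associated data, authenticated only
    for h in hdr[:-1]:
        d.duplexing(FRAME_HEADER + h, 0)
    blocks = _chunks(body, BLOCK)
    z = d.duplexing(FRAME_HEADER + hdr[-1], len(blocks[0]))  # keystream for body block 0
    out, tags = [], []
    for i, blk in enumerate(blocks):
        plain = _xor(blk, z) if decrypt else blk          # both directions absorb plaintext
        out.append(plain if decrypt else _xor(plain, z))
        nxt = len(blocks[i + 1]) if i + 1 < len(blocks) else 0
        z = d.duplexing(FRAME_BODY + plain, nxt + TAG_LEN)
        tags.append(z[nxt:])                              # tag covers key, header, blocks 0..i
        z = z[:nxt]
    return b"".join(out), tags[:-1], tags[-1]

def unwrap(key, header, ciphertext, tag):
    """Decrypt and verify; returns None (no plaintext) on a tag mismatch."""
    plain, _, computed = wrap(key, header, ciphertext, decrypt=True)
    return plain if hmac.compare_digest(computed, tag) else None
```

The design point worth noticing is that both encryption and decryption absorb the plaintext block, so the receiver must first derive the block from the keystream and only then feed it back in; the tag returned with each call is a digest over the key, the header and every block absorbed so far, which is what makes intermediate tags free of extra permutation calls. A reseedable generator follows the same pattern: feeding seed material is a duplexing call with no output requested, and fetching bits is a duplexing call with an empty input. The unwrap function returns nothing on a tag mismatch rather than a partially decrypted buffer.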

Keywords

sponge functions, duplex construction, authenticated encryption, key wrapping, provable security, pseudo-random bit sequence generator, Keccak

References

  1. Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A lightweight hash. In: Mangard and Standaert [20], pp. 1–15
  2. Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
  3. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM (ed.) ACM Conference on Computer and Communications Security 1993, pp. 62–73 (1993)
  4. Bellare, M., Yee, B.: Forward-security in private-key cryptography. Cryptology ePrint Archive, Report 2001/035 (2001), http://eprint.iacr.org/
  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop (May 2007), public comment to NIST, from http://www.csrc.nist.gov/pki/HashWorkshop/Public_Comments/2007_May.html
  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the Indifferentiability of the Sponge Construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008), http://sponge.noekeon.org/
  7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard and Standaert [20], pp. 33–47
  8. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. Cryptology ePrint Archive, Report 2011/499 (2011), http://eprint.iacr.org/
  9. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop (SKEW) (February 2011)
  10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference (January 2011), http://keccak.noekeon.org/
  11. Biryukov, A. (ed.): FSE 2007. LNCS, vol. 4593. Springer, Heidelberg (2007)
  12. Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: A Lightweight Hash Function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011)
  13. Desai, A., Hevia, A., Yin, Y.L.: A Practice-Oriented Treatment of Pseudorandom Number Generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 368–383. Springer, Heidelberg (2002)
  14. Dworkin, M.: Request for review of key wrap algorithms. Cryptology ePrint Archive, Report 2004/340 (2004), http://eprint.iacr.org/
  15. ECRYPT Network of Excellence: The SHA-3 Zoo (2011), http://ehash.iaik.tugraz.at/index.php/The_SHA-3_Zoo
  16. Ferguson, N., Whiting, D., Schneier, B., Kelsey, J., Lucks, S., Kohno, T.: Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 330–346. Springer, Heidelberg (2003)
  17. Gorski, M., Lucks, S., Peyrin, T.: Slide Attacks on a Class of Hash Functions. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 143–160. Springer, Heidelberg (2008)
  18. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)
  19. Knudsen, L., Rechberger, C., Thomsen, S.: The Grindahl hash functions. In: Biryukov [11], pp. 39–57
  20. Mangard, S., Standaert, F.-X. (eds.): CHES 2010. LNCS, vol. 6225. Springer, Heidelberg (2010)
  21. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
  22. Muller, F.: Differential attacks against the Helix stream cipher. In: Roy and Meier [30], pp. 94–108
  23. NIST: AES key wrap specification (November 2001)
  24. Paul, S., Preneel, B.: Solving Systems of Differential Equations of Addition. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 75–88. Springer, Heidelberg (2005)
  25. Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with Composition: Limitations of the Indifferentiability Framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011)
  26. Rogaway, P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security 2002 (CCS 2002), pp. 98–107. ACM Press (2002)
  27. Rogaway, P., Bellare, M., Black, J.: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 6(3), 365–403 (2003)
  28. Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption. In: CCS 2001: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 196–205. ACM, New York (2001)
  29. Rogaway, P., Shrimpton, T.: A Provable-Security Treatment of the Key-Wrap Problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)
  30. Roy, B., Meier, W. (eds.): FSE 2004. LNCS, vol. 3017. Springer, Heidelberg (2004)
  31. Whiting, D., Schneier, B., Lucks, S., Muller, F.: Fast encryption and authentication in a single cryptographic primitive. ECRYPT Stream Cipher Project Report 2005/027 (2005), http://www.ecrypt.eu.org/stream/phelixp2.html
  32. Wu, H., Preneel, B.: Differential-linear attacks against the stream cipher Phelix. In: Biryukov [11], pp. 87–100
  33. Ågren, M., Hell, M., Johansson, T., Meier, W.: A new version of Grain-128 with authentication. In: Symmetric Key Encryption Workshop (SKEW) (February 2011)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Guido Bertoni (1)
  • Joan Daemen (1)
  • Michaël Peeters (2)
  • Gilles Van Assche (1)
  1. STMicroelectronics, Belgium
  2. NXP Semiconductors, Belgium