Abstracts for DIAC

Abstracts and slides of invited talks

Joan Daemen (STMicroelectronics, Belgium)
Permutation-based encryption, authentication and authenticated encryption
slides.
In the last few years, Guido Bertoni, Michaël Peeters, Gilles Van Assche and I have proposed modes for encryption, MAC and authenticated encryption based on fixed-width permutations by means of the sponge and duplex constructions. Our permutation-based approach is scalable and suitable for high-end CPUs as well as resource-constrained platforms. The latter is illustrated by the small Keccak instances and the sponge functions Quark, Photon and Spongent, all addressing lightweight applications.
The sponge and duplex constructions split the width b of the permutation in a capacity c and a rate r: b = r + c. They process r bits per call to the permutation and their generic security strength level in unkeyed mode is c/2. A desired security strength level of k bits limits the rate to at most b - 2k. For keyed modes and bounded data complexity, a security strength level above c/2 can be proven. For MAC computation, encryption and even authenticated encryption with a passive adversary, it comes very close to c. This allows increasing the rate to almost b - k. Moreover, for most use cases the requirements on the underlying permutation can be relaxed, allowing to increase the efficiency even further.
Clearly permutation-based constructions are not new. Concrete examples that are older than the sponge construction include the hash functions Snefru, FFT-Hash and SMASH, the Even-Mansour block cipher construction, stream ciphers Salsa and ChaCha and even Pelican-MAC. In my talk I will present our permutation-based approach in this context and will try to convince you that it is quite competitive with block cipher based modes.

David McGrew (Cisco Systems, USA)
Authenticated Encryption in Practice
slides.
Over the last decade, authenticated encryption has become accepted as the appropriate way to provide symmetric confidentiality services. It has been adopted into many standards, though in many cases it is currently an option that is not typically exercised. This talk reviews issues that have arisen in the use of authenticated encryption in practice, and considers the role of authenticated encryption in cryptographic architectures.

Phillip Rogaway (University of California, Davis, USA)
The Evolution of Authenticated Encryption
slides
Nowhere has the promise of practice-oriented provable security been more successful than in the area of authenticated encryption. In this talk I will look back and and survey how the provable-security approach has led not just to high-assurance blockcipher-based AE schemes, but, also, how it has led to a blossoming of security notions, attacks, design goals, and designs.

Palash Sarkar (Indian Statistical Institute, Kolkata, India)
On Some Constructions for Authenticated Encryption with Associated Data
slides
Two approaches to achieving authenticated encryption with associated data (AEAD) will be considered.
The first approach is to use certain block cipher modes of operations which make a single pass over the message. For this approach, both tweakable block cipher based constructions and direct constructions will be described. Both types of constructions yield families of AEAD functionalities which offer high efficiency along with other desirable features such as easy reconfigurability.
In the second approach, a stream cipher supporing an initialisation vector is used in conjunction with a hash function with provably low differential probabilities. Several possibilities will be outlined, both with and without the requirement of authenticating associated data. This approach gives efficient solutions for stream ciphers which are either very fast in software or have very low hardware footprint.
Security of the constructions are derived using the `provable security' methodology for the single-user setting. Issues related to security in the multi-user setting will be briefly mentioned.

Panel discussion: Requirements for Authenticated Encryption

Bart Preneel (moderator)
Panelists are David McGrew, Mats Näslund, Kaisa Nyberg, Phil Rogaway
The links go to their slides, if provided.

Abstracts and slides of contributed talks

Title: Stronger Security Guarantees for Authenticated Encryption Schemes
slides
Authors: Alexandra Boldyreva, Jean Paul Degabriele, Kenneth G. Paterson, and Martijn Stam
Affiliations: Georgia Institute of Technology; Royal Holloway, University of London; University of Bristol
We here refer to recent and upcoming research that is relevant to Authenticated Encryption (AE) schemes as used in practice. This research leads directly to novel design criteria for authenticated encryption schemes. The first piece of research considers the security of symmetric encryption in the presence of ciphertext fragmentation, which is a setting that commonly arises in practice. Recent attacks have shown that provably secure AE schemes may become insecure when used in this setting. We propose a theoretical framework for the analysis of AE schemes in the presence of ciphertext fragmentation. This framework enables us to study the relationship between confidentiality, the ability to hide boundaries between ciphertexts, and the resistance of schemes to Denial of Service attacks. It also leads to new designs for AE schemes. The second piece of research relates to distinguishable decryption failures. Most security proofs implicitly assume that an adversary is unable to distinguish distinct failure events that occur during the decryption of a ciphertext. Practice has shown that this assumption is not well justified: implementations often leak information that allows an adversary to distinguish among decryption failures, either through error messages or timing, thereby opening up avenues of attack. Our upcoming work analyses the security of AE schemes in the setting where failure events are distinguishable, providing new models and security relations for this setting. From this work, we can extract design criteria which protect implementations against such error-based side channel attacks.

Title: Lightweight AES-Based Authenticated Encryption
Authors: Andrey Bogdanov, Florian Mendel, Francesco Regazzoni and Vincent Rijmen
Affiliations: KU Leuven, Belgium, ALaRI - USI, Switzerland, TU Graz, Austria
In this paper, we propose an Authenticated Lightweight Encryption algorithm coined ALE. The basic operation of ALE is the AES round transformation and the AES-128 key schedule. ALE is an on-line single-pass authenticated encryption algorithm that supports optional associated data. Its security relies on using nonces.
We provide an optimized low-area implementation of ALE in ASIC hardware and demonstrate that its area is about 2.5 kGE which is almost two times smaller than that of the lightweight implementations for AES-OCB and ASC-1 using the same lightweight AES engine. At the same time, it is at least 2.5 times more performant than the alternatives by requiring only about 4 AES rounds to both encrypt and authenticate a 128-bit data block.

Title: Hash-CFB
slides
Authors: Christian Forler and David McGrew and Stefan Lucks and Jakob Wenzel
Affiliations: Bauhaus-University Weimar and Cisco Systems, USA
This paper presents a mode of operation for authenticated encryption -- with the very unusual property of employing a hash function as the underlying primitive, rather than a block cipher, used in so many authenticated encryption modes. This research has been motivated by the challenge to fit secure cryptography into constrained devices --~some of these devices have to use a hash function, anyway, and the challenge is to avoid the usage of an additional block cipher. Beyond that, our mode has some unique security features, namely some form of resistance against side-channel attacks, and a misuse-resistant and failure-friendly authentication.

Title: Suggestions for Hardware Evaluation of Cryptographic Algorithms
slides
Authors: Frank K. Gurkaynak
Affiliations: Microelectronics Design Center, ETH Zurich, Switzerland
Public competitions to determine new cryptographic standards such as the search for AES, SASC, SHA-3 have been very successful. Many researchers contribute to such competitions to evaluate different aspects of the candidates among others also the performance of hardware and software implementations. While significant effort has been put into hardware evaluations, somehow the result of these studies could not reliable be tabulated, at least not with the same efficiency as it was done for software evaluations. This paper investigates different shortcomings of current hardware evaluations and proposes changes to future calls, so that the results of hardware evaluators can be combined and compared more reliably.

Title: AEGIS: A Fast Authenticated Encryption Algorithm
slides
Authors: Hongjun Wu, Bart Preneel
Affiliations: Nanyang Technological University, Katholieke Universiteit Leuven
This paper introduces a dedicated authenticated encryption algorithm AEGIS, which is efficient for protecting internet packets. AEGIS-128 uses five AES round functions to process a 16-byte message block (one step); AES-256 uses six AES round functions. On the Intel Sandy Bridge Core i5 processor, the speeds of AEGIS-128, AEGIS-256 are around 0.64 cycles/byte (cpb) and 0.71 cpb, respectively. Our analysis shows that AEGIS offers a very high security level.

Title: Authenticated encryption in civilian space missions: context and requirements
slides
Authors: Ignacio Aguilar Sanchez, Daniel Fischer
Affiliations: European Space Agency
This white paper discusses issues, concerns, constraints and requirements for future authenticated encryption concepts in the context of space missions and spacecraft in particular. Following an introduction a brief description of the approach to securing space missions is given. The two fundamental security problems in protecting space mission operations affecting the end-to-end radio and data communications between spacecraft and ground systems are explained. Typical security function implementations in spacecraft are recalled. Finally, a brief discussion of each of the identified issues, concerns, constraints and requirements suggested to be considered for future authenticated encryption is provided.

Title: SipHash: a fast short-input PRF
slides
Authors: Jean-Philippe Aumasson and Daniel J. Bernstein
Affiliations: NAGRA, Switzerland and University of Illinois at Chicago, IL, USA
SipHash is a family of pseudorandom functions optimized for short inputs. Target applications include network traffic authentication and hash-table lookups protected against hash-flooding denial-of-service attacks. SipHash is simpler than MACs based on universal hashing, and faster on short inputs. Compared to dedicated designs for hash-table lookup, SipHash has well-defined security goals and competitive performance. For example, SipHash processes a 16-byte input with a fresh key in 140 cycles on an AMD FX-8150 processor, which is much faster than state-of-the-art MACs. We propose that hash tables switch to SipHash as a hash function.

Title: Heavy Quark for secure AEAD
slides
Authors: Jean-Philippe Aumasson and Simon Knellwolf and Willi Meier
Affiliations: NAGRA, Switzerland and FHNW, Switzerland, and FHNW, Switzerland
Lightweight primitives are generally limited to 80- or 128-bit securit y, because lightweight applications seldom need more than this. However, non-lig htweight platforms like multimedia systems-on-chip would also greatly benefit fr om a smaller hardware footprint, as it reduces development and integration costs , and leaves more circuit area to another component, or to add another functiona lity. Such systems sometimes need up to 256-bit security, for example to ensure a consistent security level across primitives. This paper thus breaks with the t radition and proposes a 256-bit authenticated encryption scheme with associated data (AEAD), based on the lightweight design Quark. We create a new Quark instan ce to use in a custom SpongeWrap mode, offering one-pass AEAD supporting arbitra ry interleaving of encrypted and associated data, as well as a range of trade-of fs between security and usage limit. More than a new primitive, this work provid es insights on the scalability of lightweight designs to higher security levels: our new design c-Quark has internal state of 384 bits, and allows the implement ation of 256-bit AEAD with in the order of 4000 GE.

Title: Cryptanalysis of EAX-Prime
slides
Authors: Kazuhiko Minematsu, Stefan Lucks, Hiraku Morita, and Tetsu Iwata
Affiliations: NEC corporation (Minematsu), Bauhaus-Universitat Weimar (Lucks), Nagoya University (Morita and Iwata)
EAX' (EAX-prime) is an authenticated encryption (AE) specified by ANSI C12.22 as a standard security function used for a smart grid. EAX' is based on EAX, a provably secure AE proposed by Bellare, Rogaway, and Wagner.
This paper presents simple and efficient forgery attacks, distinguishers, and message recovery attacks against EAX' using single-block cleartext and plaintext.

Title: How Fast Can a Two-Pass Mode Go? A Parallel Deterministic Authenticated Encryption Mode for AES-NI (Extended Abstract of Work in Progress)
slides
Authors: Kazumaro Aoki, Tetsu Iwata, Kan Yasuda
Affiliations: NTT, Nagoya University
We present a mode of operation for deterministic authenticated encryption. Our design is entirely blockcipher-based, like SIV from Eurocrypt 2006. Unlike SIV, however, our mode is fully parallelizable, both in its authentication and encryption parts. The basic idea is a combination of PMAC for authentication and the CTR mode for encryption. Our implementation yields 2.047 cpb for Intel's Sandy Bridge microarchitecture, which contrasts with 2.900 cpb of the GCM mode in OpenSSL 1.0.1c.

Title: A Do-It-All-Cipher for RFID: Design Requirements (Extended Abstract)
Authors: Markku-Juhani O. Saarinen and Daniel Engels
Affiliations: Revere Security, United States of America
Recent years have seen significant progress in the development of lightweight symmetric cryptoprimitives. The main concern of the designers of these primitives has been to minimize the number of gate equivalents (GEs) of the hardware implementation. However, there are numerous additional requirements that are present in real-life RFID systems. We give an overview of requirements emerging or already present in the widely deployed EPCGlobal Gen2 and ISO / IEC 18000-63 passive UHF RFID air interface standards. Lightweight stateful authenticated encryption algorithms seem to offer the most complete set of features for this purpose. In this work we give a Gen2-focused "lessons learned" overview of the challenges and related developments in RFID cryptography and propose what we see as appropriate design criteria for a cipher (dubbed "Do-It-All-Cipher" or DIAC) for the Internet of Things. We also comment on the applicability of NSA's new SIMON and SPECK proposals for this purpose.

Title: An Improved Hardware Implementation of the Grain-128a Stream Cipher
slides.
The software mentioned on the slides can be found at http://web.it.kth.se/~dubrova/fib2gal.html.
Authors: Shohreh Sharif Mansouri and Elena Dubrova
Affiliations: KTH
In this paper we study efficient hardware implementations of the Grain-128a family of stream ciphers. To achieve higher throughput compared to the standard design, we apply four different techniques in combination: isolation of the authentication section, Fibonacci-to-Galois transformation of the feedback shift registers, multi-frequency implementation and internal pipelining. The combined effects of all these techniques, when a two-level pipeline is used, enable an average 52% increase in throughput among all the ciphers. All techniques are standard cell techniques and are therefore easy to apply. They introduce an average 9% area penalty and an average 5% power overhead.