Results 1 - 10
of
25
Quark: A lightweight hash
- in Mangard and Standaert [21
"... The need for lightweight (that is, compact, low-power, low-energy) cryptographic hash functions has been repeatedly expressed by professionals, notably to implement cryptographic protocols in RFID technology. At the time of writing, however, no algorithm exists that provides satisfactory security an ..."
Abstract
-
Cited by 40 (0 self)
- Add to MetaCart
(Show Context)
The need for lightweight (that is, compact, low-power, low-energy) cryptographic hash functions has been repeatedly expressed by professionals, notably to implement cryptographic protocols in RFID technology. At the time of writing, however, no algorithm exists that provides satisfactory security and performance. The ongoing SHA-3 Competition will not help, as it concerns general-purpose designs and focuses on software performance. This paper thus proposes a novel design philosophy for lightweight hash functions, based on the sponge construction in order to minimize memory requirements. Inspired by the stream cipher Grain and by the block cipher KATAN (amongst the lightest secure ciphers), we present the hash function family Quark, composed of three instances: u-Quark, d-Quark, and s-Quark. As a sponge construction, Quark can be used for message authentication, stream encryption, or authenticated encryption. Our hardware evaluation shows that Quark compares well to previous tentative lightweight hash functions. For example, our lightest instance u-Quark conjecturally provides at least 64-bit security against all attacks (collisions, multicollisions, distinguishers, etc.), fits in 1379 gate-equivalents, and consumes in average 2.44 µW at 100 kHz in 0.18 µm ASIC. For 112-bit security, we propose s-Quark, which can be implemented with 2296 gate-equivalents with a power consumption of 4.35 µW.
FIDES: Lightweight authenticated cipher with side-channel resistance for constrained hardware
- In CHES 2013, LNCS
"... Abstract. In this paper, we present a novel lightweight authenticated cipher optimized for hardware implementations called Fides. It is an online nonce-based authenticated encryption scheme with authenticated data whose area requirements are as low as 793 GE and 1001 GE for 80-bit and 96-bit securit ..."
Abstract
-
Cited by 9 (2 self)
- Add to MetaCart
(Show Context)
Abstract. In this paper, we present a novel lightweight authenticated cipher optimized for hardware implementations called Fides. It is an online nonce-based authenticated encryption scheme with authenticated data whose area requirements are as low as 793 GE and 1001 GE for 80-bit and 96-bit security, respectively. This is at least two times smaller than its closest competitors Hummingbird-2 and Grain-128a. While being extremely compact, Fides is both throughput and latency efficient, even in its most serial implementations. This is attained by our novel sponge-like design approach. Moreover, cryptographically optimal 5-bit and 6-bit S-boxes are used as basic nonlinear components while paying a special attention on the simplicity of providing first order side-channel resistance with threshold implementation.
B.: Beyond 2c/2 security in sponge-based authenticated encryption modes. Cryptology ePrint Archive, Report 2014/373
, 2014
"... Abstract. The Sponge function is known to achieve 2c/2 security, where c is its capacity. This bound was carried over to keyed variants of the function, such as SpongeWrap, to achieve a min{2c/2, 2κ} security bound, with κ the key length. Similarly, many CAESAR competition sub-missions are designed ..."
Abstract
-
Cited by 9 (0 self)
- Add to MetaCart
(Show Context)
Abstract. The Sponge function is known to achieve 2c/2 security, where c is its capacity. This bound was carried over to keyed variants of the function, such as SpongeWrap, to achieve a min{2c/2, 2κ} security bound, with κ the key length. Similarly, many CAESAR competition sub-missions are designed to comply with the classical 2c/2 security bound. We show that Sponge-based constructions for authenticated encryption can achieve the significantly higher bound of min{2b/2, 2c, 2κ}, with b> c the permutation size, by proving that the CAESAR submission NORX achieves this bound. Furthermore, we show how to apply the proof to five other Sponge-based CAESAR submissions: Ascon, CBEAM/STRIBOB, ICEPOLE, Keyak, and two out of the three PRIMATEs. A direct application of the result shows that the parameter choices of these submissions are overly conservative. Simple tweaks render the schemes considerably more efficient without sacrificing security. For instance, NORX64 can increase its rate and decrease its capacity with 128 bits and Ascon-128 can encrypt three times as fast, both without affecting the provable security level.
Power Analysis of Hardware Implementations Protected with Secret Sharing. IACR Cryptology ePrint Archive Report 2013/67
, 2013
"... Abstract—We analyze the security of three-share hardware implementations against differential power analysis and ad-vanced variants such as mutual information analysis. We present dedicated distinguishers that allow to recover secret key bits from any cryptographic primitive that is implemented as a ..."
Abstract
-
Cited by 4 (0 self)
- Add to MetaCart
(Show Context)
Abstract—We analyze the security of three-share hardware implementations against differential power analysis and ad-vanced variants such as mutual information analysis. We present dedicated distinguishers that allow to recover secret key bits from any cryptographic primitive that is implemented as a sequence of quadratic functions. Starting from the analytical treatment of such distinguishers and information-theoretic arguments, we derive the success probability and required number of traces in the presence of algorithmic noise. We show that attacks on three-share hardware implementation require a number of traces that scales in the third power of the algorithmic noise variance. Finally, we apply and test our model on KECCAK in a keyed mode. Keywords-power analysis; quadratic functions; secret sharing schemes; mutual information analysis; Keccak I.
Pipelineable On-Line Encryption
"... Abstract. Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been per-formed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secu ..."
Abstract
-
Cited by 4 (0 self)
- Add to MetaCart
(Show Context)
Abstract. Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been per-formed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure on-line ciphers as a practical alternative to AE schemes since the former provide some defense against malicious mes-sage modifications. Unfortunately, all published on-line ciphers so far are either inherently sequential, or lack a CCA-security proof. This paper introduces POE, a family of on-line ciphers that combines provable security against chosen-ciphertext attacks with pipelineability to support efficient implementations. POE combines a block cipher and an ǫ-AXU family of hash functions. Different instantiations of POE are given, based on different universal hash functions and suitable for differ-ent platforms. Moreover, this paper introduces POET, a provably secure on-line AE scheme, which inherits pipelineability and chosen-ciphertext-security from POE and provides additional resistance against nonce-misuse attacks.
Overview of the Candidates for the Password Hashing Competition And their Resistance against Garbage-Collector Attacks
"... Abstract. In this work we provide an overview of the candidates of the Password Hashing Competition (PHC) regarding to their functional-ity, e.g., client-independent update and server relief, their security, e.g., memory-hardness and side-channel resistance, and its general proper-ties, e.g., memory ..."
Abstract
-
Cited by 2 (0 self)
- Add to MetaCart
(Show Context)
Abstract. In this work we provide an overview of the candidates of the Password Hashing Competition (PHC) regarding to their functional-ity, e.g., client-independent update and server relief, their security, e.g., memory-hardness and side-channel resistance, and its general proper-ties, e.g., memory usage and flexibility of the underlying primitives. Fur-thermore, we formally introduce two kinds of attacks, called Garbage-Collector and Weak Garbage-Collector Attack, exploiting the memory management of a candidate. Note that we consider all candidates which are not yet withdrawn from the competition.
STRIBOB: Authenticated Encryption from GOST R 34.11-2012 LPS Permutation
"... Abstract. Authenticated encryption algorithms protect both the confidentiality and integrity of messages with a single processing pass. We show how to utilize the L ◦ P ◦ S transform of the Russian GOST R 34.11-2012 standard hash “Streebog ” to build an efficient, lightweight algorithm for Authentic ..."
Abstract
-
Cited by 2 (1 self)
- Add to MetaCart
(Show Context)
Abstract. Authenticated encryption algorithms protect both the confidentiality and integrity of messages with a single processing pass. We show how to utilize the L ◦ P ◦ S transform of the Russian GOST R 34.11-2012 standard hash “Streebog ” to build an efficient, lightweight algorithm for Authenticated Encryption with Associated Data (AEAD) via the Sponge con-struction. The proposed algorithm “StriBob ” has attractive security properties, is faster than the Streebog hash alone, twice as fast as the GOST 28147-89 encryption algorithm, and requires only a modest amount of running-time memory. StriBob is a Round 1 candidate in the CAESAR competition.
Cube Attacks and Cube-attack-like Cryptanalysis on the Round-reduced Keccak Sponge Function
"... Abstract. In this paper, we comprehensively study the resistance of keyed variants of SHA-3 (Keccak) against algebraic attacks. This analysis covers a wide range of key recovery, MAC forgery and other types of attacks, breaking up to 9 rounds (out of the full 24) of the Keccak internal permutation m ..."
Abstract
-
Cited by 2 (1 self)
- Add to MetaCart
(Show Context)
Abstract. In this paper, we comprehensively study the resistance of keyed variants of SHA-3 (Keccak) against algebraic attacks. This analysis covers a wide range of key recovery, MAC forgery and other types of attacks, breaking up to 9 rounds (out of the full 24) of the Keccak internal permutation much faster than exhaustive search. Moreover, some of our attacks on the 6-round Keccak are completely practical and were verified on a desktop PC. Our methods combine cube attacks (an algebraic key recovery attack) and related algebraic techniques with structural analysis of the Keccak permutation. These techniques should be useful in future cryptanalysis of Keccak and similar designs. Although our attacks break more rounds than previously published techniques, the security margin of Keccak remains large. For Keyak – a Keccak-based authenticated encryption scheme – the nominal number of rounds is 12 and therefore its security margin is smaller (although still sufficient).
COFFE: Ciphertext Output Feedback Faithful Encryption On-Line Authenticated Encryption Without a Block Cipher
"... Abstract. In this paper we introduce the first authenticated encryption scheme based on a hash function, called COFFE. This research has been motivated by the challenge to fit se-cure cryptography into constrained devices – some of these devices have to use a hash function, anyway, and the challenge ..."
Abstract
-
Cited by 1 (0 self)
- Add to MetaCart
(Show Context)
Abstract. In this paper we introduce the first authenticated encryption scheme based on a hash function, called COFFE. This research has been motivated by the challenge to fit se-cure cryptography into constrained devices – some of these devices have to use a hash function, anyway, and the challenge is to avoid the usage of an additional block cipher to provide authenti-cated encryption. COFFE satisfies the common security requirements regarding authenticated encryption, i.e., IND-CPA- and INT-CTXT-security. Beyond that, it provides the following additional security features: resistance against side-channel attacks and INT-CTXT security in the nonce-misuse scenario. It also support failure-friendly authentication under reasonable assumptions.
Tradeoff Cryptanalysis of Memory-Hard Functions
"... Abstract. We explore time-memory and other tradeoffs for memory-hard functions, which are sup-posed to impose significant computational and time penalties if less memory is used than intended. We analyze three finalists of the Password Hashing Competition: Catena, which was presented at Asiacrypt 20 ..."
Abstract
-
Cited by 1 (1 self)
- Add to MetaCart
(Show Context)
Abstract. We explore time-memory and other tradeoffs for memory-hard functions, which are sup-posed to impose significant computational and time penalties if less memory is used than intended. We analyze three finalists of the Password Hashing Competition: Catena, which was presented at Asiacrypt 2014, yescrypt and Lyra2. We demonstrate that Catena’s proof of tradeoff resilience is flawed, and attack it with a novel pre-computation tradeoff. We show that using M4/5 memory instead of M we have no time penalties and reduce the AT cost by the factor of 25. We further generalize our method for a wide class of schemes with predictable memory access. For a wide class of data-dependent schemes, which addresses memory unpredictably, we develop a novel ranking tradeoff and show how to decrease the time-memory and the time-area product by significant factors. We then apply our method to yescrypt and Lyra2 also exploiting the iterative structure of their internal compression functions. The designers confirmed our attacks and responded by adding a new mode for Catena and tweaking Lyra2.
