Scispace (Formerly Typeset)
Showing papers on "Authenticated encryption" published in 2013
Book Chapter•10.1007/978-3-642-36362-7_11•
Attribute-Based Encryption with Fast Decryption

[...]

Susan Hohenberger1, Brent Waters2•
Johns Hopkins University1, University of Texas at Austin2
26 Feb 2013
TL;DR: This paper presents an implementation of Attribute-based encryption (ABE) that allows users to encrypt and decrypt messages based on user attributes at a cost that is proportional to the number of attributes associated with the ciphertext.
Abstract: Attribute-based encryption (ABE) is a vision of public key encryption that allows users to encrypt and decrypt messages based on user attributes. This functionality comes at a cost. In a typical implementation, the size of the ciphertext is proportional to the number of attributes associated with it and the decryption time is proportional to the number of attributes used during decryption. Specifically, many practical ABE implementations require one pairing operation per attribute used during decryption.

254 citations

Proceedings Article•
On the security of RC4 in TLS

[...]

Nadhem J. AlFardan1, Daniel J. Bernstein2, Kenneth G. Paterson1, Bertram Poettering1, Jacob C. N. Schuldt1 •
Royal Holloway, University of London1, University of Illinois at Chicago2
14 Aug 2013
TL;DR: Ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption are presented, building on recent advances in the statistical analysis of RC4 and on new findings announced in this paper.
Abstract: The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto protocol standard for secured Internet and mobile applications. TLS supports several symmetric encryption options, including a scheme based on the RC4 stream cipher. In this paper, we present ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption. Our attacks build on recent advances in the statistical analysis of RC4, and on new findings announced in this paper. Our results are supported by an experimental evaluation of the feasibility of the attacks. We also discuss countermeasures.

200 citations

Book Chapter•10.1007/978-3-662-43414-7_10•
AEGIS: A Fast Authenticated Encryption Algorithm

[...]

Hongjun Wu1, Bart Preneel2•
Nanyang Technological University1, Katholieke Universiteit Leuven2
14 Aug 2013
TL;DR: AEGIS as discussed by the authors uses five AES round functions to process a 16-byte message block in one step for AEGIS-128; AEGIS-256 uses six AES round functions.
Abstract: This paper introduces a dedicated authenticated encryption algorithm AEGIS; AEGIS allows for the protection of associated data which makes it very suitable for protecting network packets. AEGIS-128 uses five AES round functions to process a 16-byte message block (one step); AEGIS-256 uses six AES round functions. The security analysis shows that both algorithms offer a high level of security. On the Intel Sandy Bridge Core i5 processor, the speed of AEGIS is around 0.7 clock cycles/byte (cpb) for 4096-byte messages. This is comparable in speed to the CTR mode that offers only encryption and substantially faster than the CCM, GCM and OCB modes.

176 citations

Book Chapter•10.1007/978-3-662-43933-3_23•
ALE: AES-Based Lightweight Authenticated Encryption

[...]

Andrey Bogdanov1, Florian Mendel2, Francesco Regazzoni3, Vincent Rijmen4, Elmar Tischhauser4 •
Technical University of Denmark1, Graz University of Technology2, Delft University of Technology3, Katholieke Universiteit Leuven4
11 Mar 2013
TL;DR: This paper proposes a new Authenticated Lightweight Encryption algorithm coined ALE, an online single-pass authenticated encryption algorithm that supports optional associated data and its security relies on using nonces.
Abstract: In this paper, we propose a new Authenticated Lightweight Encryption algorithm coined ALE. The basic operation of ALE is the AES round transformation and the AES-128 key schedule. ALE is an online single-pass authenticated encryption algorithm that supports optional associated data. Its security relies on using nonces.

131 citations

Book Chapter•10.1007/978-3-642-40349-1_9•
FIDES: lightweight authenticated cipher with side-channel resistance for constrained hardware

[...]

Begül Bilgin1, Andrey Bogdanov2, Miroslav Knežević3, Florian Mendel4, Qingju Wang5 •
University of Twente1, Technical University of Denmark2, NXP Semiconductors3, Graz University of Technology4, Shanghai Jiao Tong University5
20 Aug 2013
TL;DR: Fides is an online nonce-based authenticated encryption scheme with authenticated data whose area requirements are as low as 793 GE and 1001 GE for 80-bit and 96-bit security, respectively, which is at least two times smaller than its closest competitors Hummingbird-2 and Grain-128a.
Abstract: In this paper, we present a novel lightweight authenticated cipher optimized for hardware implementations called Fides. It is an online nonce-based authenticated encryption scheme with authenticated data whose area requirements are as low as 793 GE and 1001 GE for 80-bit and 96-bit security, respectively. This is at least two times smaller than its closest competitors Hummingbird-2 and Grain-128a. While being extremely compact, Fides is both throughput and latency efficient, even in its most serial implementations. This is attained by our novel sponge-like design approach. Moreover, cryptographically optimal 5-bit and 6-bit S-boxes are used as basic nonlinear components while paying a special attention on the simplicity of providing first order side-channel resistance with threshold implementation.

115 citations

On the Security of RC4 in TLS and WPA

[...]

Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering
1 Jan 2013
TL;DR: These attacks build on recent advances in the statistical analysis of RC4, and on new findings announced in this paper, and are supported by an experimental evaluation of the feasibility of the attacks.
Abstract: The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto protocol standard for secured Internet and mobile applications. TLS supports several symmetric encryption options, including a scheme based on the RC4 stream cipher. In this paper, we present ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption. Variants of these attacks also apply to WPA, a prominent IEEE standard for wireless network encryption. Our attacks build on recent advances in the statistical analysis of RC4, and on new findings announced in this paper. Our results are supported by an experimental evaluation of the feasibility of the attacks. We also discuss countermeasures.

75 citations

Journal Article•10.1007/S00034-013-9568-5•
A Security Framework for NoC Using Authenticated Encryption and Session Keys

[...]

Hemangee K. Kapoor1, G. Bhoopal Rao1, Sharique Arshi1, Gaurav Trivedi1•
Indian Institute of Technology Guwahati1
28 Feb 2013-Circuits Systems and Signal Processing
TL;DR: This paper presents an Authenticated Encryption (AE)-based security framework for NoC based systems that resides in Network Interface of every IP core allowing secure communication among such IP cores.
Abstract: Network on Chip (NoC) is an emerging solution to the existing scalability problems with System on Chip (SoC). However, it is exposed to security threats like extraction of secret information from IP cores. In this paper we present an Authenticated Encryption (AE)-based security framework for NoC based systems. The security framework resides in Network Interface (NI) of every IP core allowing secure communication among such IP cores. The secure cores can communicate using permanent keys whereas temporary session keys are used for communication between secure and non-secure cores. A traffic limiting counter is used to prevent bandwidth denial and access rights table avoids unauthorized memory accesses. We simulated and implemented our framework using Verilog/VHDL modules on top of NoCem emulator. The results showed tolerable area overhead and did not affect the network performance apart from some initial latency.

53 citations

Book Chapter•10.1007/978-3-642-42033-7_21•
A Modular Framework for Building Variable-Input-Length Tweakable Ciphers

[...]

Thomas Shrimpton1, R. Seth Terashima1•
Portland State University1
1 Dec 2013
TL;DR: The Protected-IV construction PIV as discussed by the authors is a simple modular method for building variable-input-length tweakable ciphers with performance competitive with existing birthday-bound-limited constructions.
Abstract: We present the Protected-IV construction (PIV), a simple, modular method for building variable-input-length tweakable ciphers. At our level of abstraction, many interesting design opportunities surface. For example, an obvious pathway to building beyond birthday-bound secure tweakable ciphers with performance competitive with existing birthday-bound-limited constructions. As part of our design space exploration, we give two fully instantiated PIV constructions, TCT1 and TCT2; the latter is fast and has beyond birthday-bound security, the former is faster and has birthday-bound security. Finally, we consider a generic method for turning a VIL tweakable cipher (like PIV) into an authenticated encryption scheme that admits associated data, can withstand nonce-misuse, and allows for multiple decryption error messages. Thus, the method offers robustness even in the face of certain side-channels, and common implementation mistakes.

53 citations

Journal Article•10.1016/J.ADHOC.2012.08.011•
Survey and comparison of message authentication solutions on wireless sensor networks

[...]

Marcos A. Simplicio1, Bruno Trevizan de Oliveira1, Cintia Borges Margi1, Paulo S. L. M. Barreto1, Tereza Cristina Melo de Brito Carvalho1, Mats Näslund2 •
University of São Paulo1, Ericsson2
1 May 2013
TL;DR: Cipher-based Message Authentication Codes (MACs) and Authenticated Encryption with Associated Data (AEAD) schemes suitable for WSNs are identified, and their features and performance are evaluated on a real platform (TelosB).
Abstract: Security is an important concern in any modern network. This also applies to Wireless Sensor Networks (WSNs), especially those used in applications that monitor sensitive information (e.g., health care applications). However, the highly constrained nature of sensors imposes a difficult challenge: their reduced availability of memory, processing power and energy hinders the deployment of many modern cryptographic algorithms considered secure. For this reason, the choice of the most memory-, processing- and energy-efficient security solutions is of vital importance in WSNs. To date, a number of extensive analyses comparing different encryption algorithms and key management schemes have been developed, while very little attention has been given to message authentication solutions. In this paper, aiming to close this gap, we identify cipher-based Message Authentication Codes (MACs) and Authenticated Encryption with Associated Data (AEAD) schemes suitable for WSNs and then evaluate their features and performance on a real platform (TelosB). As a result of this analysis, we identify the recommended choices depending on the characteristics of the target network and available hardware.

46 citations

Book Chapter•10.1007/978-3-662-43933-3_15•
On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes

[...]

Gordon Procter1, Carlos Cid1•
University of London1
11 Mar 2013
TL;DR: This paper identifies some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure and describes a general forgery attack, of which Saarinen’s cycling attack from FSE 2012 is a special case.
Abstract: Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega's Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen's cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. Finally, we greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class.

40 citations

Book Chapter•10.1007/978-3-642-42033-7_20•
Leaked-State-Forgery Attack against the Authenticated Encryption Algorithm ALE

[...]

Shengbao Wu1, Hongjun Wu2, Tao Huang2, Mingsheng Wang1, Wenling Wu1 •
Chinese Academy of Sciences1, Nanyang Technological University2
1 Dec 2013
TL;DR: The leaked-state-forgery attack against ALE by exploiting the state information leaked from the encryption of ALE was proposed in this article, which showed that the authentication security of ALE is only 97-bit and the results may be further improved to around 93-bit if the whitening key layer is removed.
Abstract: ALE is a new authenticated encryption algorithm published at FSE 2013. The authentication component of ALE is based on the strong Pelican MAC, and the authentication security of ALE is claimed to be 128-bit. In this paper, we propose the leaked-state-forgery attack LSFA against ALE by exploiting the state information leaked from the encryption of ALE. The LSFA is a new type of differential cryptanalysis in which part of the state information is known and exploited to improve the differential probability. Our attack shows that the authentication security of ALE is only 97-bit. And the results may be further improved to around 93-bit if the whitening key layer is removed. We implemented our attacks against a small version of ALE using 64-bit block size instead of 128-bit block size. The experimental results match well with the theoretical results.
Posted Content•
On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes.

[...]

Gordon Procter1, Carlos Cid1•
Royal Holloway, University of London1
01 Jan 2013-IACR Cryptology ePrint Archive
TL;DR: A general forgery attack is described, of which Saarinen's cycling attack from FSE 2012 is a special case, and these algebraic properties and the corresponding attacks are highly relevant to GCM/2+, a variant of GCM designed to increase the efficiency in software.
Abstract: Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega's Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen's cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. We also greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class. Finally, we demonstrate that these algebraic properties and corresponding attacks are highly relevant to GCM/2+, a variant of GCM designed to increase the efficiency in software.
Posted Content•
Homomorphic Authenticated Encryption Secure Against Chosen-Ciphertext Attack.

[...]

Chihong Joo1, Aaram Yun1•
Ulsan National Institute of Science and Technology1
01 Jan 2013-IACR Cryptology ePrint Archive
TL;DR: It is shown that it is possible to give a natural definition of IND-CCA for homomorphic authenticated encryption, unlike the case of homomorphic encryption, and a simple homomorphic authentication scheme supporting arithmetic circuits, which is chosen-ciphertext secure both for privacy and authenticity.
Abstract: We study homomorphic authenticated encryption, where privacy and authenticity of data are protected simultaneously. We define homomorphic versions of various security notions for privacy and authenticity, and investigate relations between them. In particular, we show that it is possible to give a natural definition of IND-CCA for homomorphic authenticated encryption, unlike the case of homomorphic encryption. Also, we construct a homomorphic authenticated encryption scheme supporting arithmetic circuits, which is chosen-ciphertext secure both for privacy and authenticity. Our scheme is based on the error-free approximate GCD assumption.
Posted Content•
A Modular Framework for Building Variable-Input Length Tweakable Ciphers.

[...]

Thomas Shrimpton1, R. Seth Terashima1•
Portland State University1
01 Jan 2013-IACR Cryptology ePrint Archive
TL;DR: The Protected-IV construction PIV is presented, and a generic method for turning a VIL tweakable cipher like PIV into an authenticated encryption scheme that admits associated data, can withstand nonce-misuse, and allows for multiple decryption error messages is considered.
Abstract: We present the Protected-IV construction (PIV) a simple, modular method for building variable-input-length tweakable ciphers. At our level of abstraction, many interesting design opportunities surface. For example, an obvious pathway to building beyond birthday-bound secure tweakable ciphers with performance competitive with existing birthday-bound-limited constructions. As part of our design space exploration, we give two fully instantiated PIV constructions, TCT1 and TCT2; the latter is fast and has beyond birthday-bound security, the former is faster and has birthday-bound security. Finally, we consider a generic method for turning a VIL tweakable cipher (like PIV) into an authenticated encryption scheme that admits associated data, can withstand nonce-misuse, and allows for multiple decryption error messages. Thus, the method offers robustness even in the face of certain sidechannels, and common implementation mistakes.
Book Chapter•10.1007/978-3-662-43414-7_9•
The LOCAL Attack: Cryptanalysis of the Authenticated Encryption Scheme ALE

[...]

Dmitry Khovratovich1, Christian Rechberger•
University of Luxembourg1
14 Aug 2013
TL;DR: In this paper, a differential attack based on a local collision was proposed to exploit the availability of extracted state bytes to the adversary, which allows for a time-data complexity tradeoff.
Abstract: We show how to produce a forged (ciphertext, tag) pair for the scheme ALE with data and time complexity of $$2^{102}$$ ALE encryptions of short messages and the same number of authentication attempts. We use a differential attack based on a local collision, which exploits the availability of extracted state bytes to the adversary. Our approach allows for a time-data complexity tradeoff, with an extreme case of a forgery produced after $$2^{119}$$ attempts and based on a single authenticated message. Our attack is further turned into a state recovery and a universal forgery attack with a time complexity of $$2^{120}$$ verification attempts using only a single authenticated 48-byte message.
Patent•
Authenticated Encryption Support in ISO/IEC 23009-4

[...]

Alexander Giladi
9 Oct 2013
TL;DR: In this article, the authors propose a server apparatus supporting authenticated encryption in a network, comprising a receiver configured to receive an unencrypted segment, a processor configured to select an encryption key, an initialization vector, and an additional authentication data (AAD), encrypt the segment, configure the segment for transfer in a Dynamic Adaptive Streaming over Hypertext Transfer Protocol (HTTP) (DASH) media, assign a segment number to the encrypted segment, append an authentication tag to the encrypted segment, store the encrypted segment with the appended authentication tag, and update a Media Present
Abstract: A server apparatus supporting authenticated encryption in a network, comprising a receiver configured to receive an unencrypted segment, a processor configured to select an encryption key, an initialization vector, and an additional authentication data (AAD), encrypt the segment, configure the segment for transfer in a Dynamic Adaptive Streaming over Hypertext Transfer Protocol (HTTP) (DASH) media, assign a segment number to the encrypted segment, append an authentication tag to the encrypted segment, store the encrypted segment with the appended authentication tag, and update a Media Presentation Description (MPD) associated with the encrypted segment with the appended authentication tag, wherein the MPD comprises an @aadBase attribute with an AAD base value, wherein the AAD value is the sum of the segment number and the @aadBase attribute value, and a transmitter configured to transmit the encrypted segment with the appended authentication tag to a destination.
Book Chapter•10.1007/978-3-642-41227-1_12•
The Security of the OCB Mode of Operation without the SPRP Assumption

[...]

Kazumaro Aoki, Kan Yasuda
23 Oct 2013
TL;DR: This work shows that, for the security of OCB, one only needs to assume that the cipher is (a) as secure as a plain PRP (under chosen-plaintext attacks), and (b) unpredictable, which is a notion strictly weaker than being pseudo-random, under chosen-ciphertext attacks.
Abstract: OCB is an efficient, rate-1, single-key block-cipher mode of operation for nonce-based authenticated encryption. The OCB mode uses the block-cipher inverse for decryption, and existing security proofs of OCB are all based on the assumption that the underlying cipher is a strong pseudo-random permutation (SPRP). In this work, this assumption is substantially weakened. Namely, we show that, for the security of OCB, we only need to assume that the cipher is (a) as secure as a plain PRP (under chosen-plaintext attacks), and (b) unpredictable, which is a notion strictly weaker than being pseudo-random, under chosen-ciphertext attacks. We also point out that, in the case of tag truncation, our security reduction would become "better" (in the sense of assumptions we have to make) if OCB were equipped with two independent block-cipher keys. To our knowledge, in the area of authenticated encryption, our result is the first example to show that the number of keys makes a fundamental difference in the essential requirements of the underlying cipher.
Posted Content•
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

[...]

Ewan Fleischmann, Christian Forler, Stefan Lucks, Jakob Wenzel1•
Bauhaus University, Weimar1
1 Jan 2013
TL;DR: McOE-X and McOE-G as discussed by the authors are two block-cipher-based OAE schemes that are provably secure against nonce-respecting and general adversaries.
Abstract: On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block-cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers developed misuse-resistant schemes for Authenticated Encryption. These guarantee excellent security even against general adversaries which are allowed to reuse nonces. But they cannot perform on-line encryption. This work introduces a new family of OAE schemes – called McOE – dealing both with nonce-respecting and with general adversaries. Furthermore, we present two block-cipher-based family members, i.e., McOE-X and McOE-G. In contrast to other published OAE, they provably guarantee reasonable security against general adversaries as well as standard security against nonce-respecting adversaries.
Journal Article•10.1587/TRANSINF.E96.D.2333•
Bitstream Protection in Dynamic Partial Reconfiguration Systems Using Authenticated Encryption

[...]

Yohei Hori1, Toshihiro Katashita1, Hirofumi Sakane1, Kenji Toda1, Akashi Satoh2 •
National Institute of Advanced Industrial Science and Technology1, University of Electro-Communications2
01 Nov 2013-IEICE Transactions on Information and Systems
TL;DR: This paper presents a high-speed and area-efficient bitstream protection scheme for DPR systems using the Advanced Encryption Standard with Galois/Counter Mode (AES-GCM), which is an authenticated encryption algorithm.
Abstract: Protecting the confidentiality and integrity of a configuration bitstream is essential for the dynamic partial reconfiguration (DPR) of field-programmable gate arrays (FPGAs). This is because erroneous or falsified bitstreams can cause fatal damage to FPGAs. In this paper, we present a high-speed and area-efficient bitstream protection scheme for DPR systems using the Advanced Encryption Standard with Galois/Counter Mode (AES-GCM), which is an authenticated encryption algorithm. Unlike many previous studies, our bitstream protection scheme also provides a mechanism for error recovery and tamper resistance against configuration block deletion, insertion, and disorder. The implementation and evaluation results show that our DPR scheme achieves a higher performance, in terms of speed and area, than previous methods. Key words: dynamic partial reconfiguration (DPR), field-programmable gate array (FPGA), Advanced Encryption Standard (AES), Galois/Counter Mode (GCM), authenticated encryption
Proceedings Article•10.1109/DSD.2013.117•
A Novel Authenticated Encryption Algorithm for RFID Systems

[...]

Zahra Jeddi1, Esmaeil Amini1, Magdy Bayoumi1•
University of Louisiana at Lafayette1
4 Sep 2013
TL;DR: A light symmetric encryption algorithm is presented for resource constrained applications like RFID systems that provides confidentiality, authentication, and integrity services, and experimental results confirm that its area overhead and power overhead are less than those of other known symmetric algorithms proposed for RFIDs.
Abstract: In this paper a light symmetric encryption algorithm is presented for resource constrained applications like RFID systems. In this algorithm some extra bits are distributed among plaintext bits where the location of these bits inside the cipher text is the secret key. The algorithm provides confidentiality, authentication, and integrity services. Experimental results confirm that its area overhead and power overhead are less than those of other known symmetric algorithms proposed for RFID systems.
Book Chapter•10.1007/978-3-642-39059-3_1•
Analysing the IOBC Authenticated Encryption Mode

[...]

Chris J. Mitchell1•
University of London1
1 Jul 2013
TL;DR: This paper cryptanalyse a block cipher mode of operation called IOBC, possibly the only remaining encryption mode designed for such use that has not previously been analyzed and shows that IOBC is subject to known-plaintext-based forgery attacks.
Abstract: The idea of combining a very simple form of added plaintext redundancy with a special mode of data encryption to provide data integrity is an old one; however, despite its wide deployment in protocols such as Kerberos, it has largely been superseded by provably secure authenticated encryption techniques. In this paper we cryptanalyse a block cipher mode of operation called IOBC, possibly the only remaining encryption mode designed for such use that has not previously been analyzed. We show that IOBC is subject to known-plaintext-based forgery attacks with a complexity of around 2^(n/3), where n is the block cipher block length.
Posted Content•
Parallel authenticated encryption with the duplex construction.

[...]

Pawel Morawiecki, Josef Pieprzyk
01 Jan 2013-IACR Cryptology ePrint Archive
TL;DR: This note shows how parallel AE can be realized within the framework provided by the duplex construction, replacing the final node by the bitwise xor operation and showing that such a scheme has the same security level.
Abstract: The authenticated encryption (AE) scheme based on the duplex construction cannot be parallelized at the algorithmic level. To be competitive with some block cipher based modes like OCB (Offset CodeBook) or GCM (Galois Counter Mode), a scheme should allow parallel processing. In this note we show how parallel AE can be realized within the framework provided by the duplex construction. The first variant, pointed out by the duplex designers, is a tree-like structure. Then we simplify the scheme, replacing the final node by the bitwise xor operation, and show that such a scheme has the same security level.
1 Duplex construction
In 2010 Bertoni et al. introduced the duplex construction which provides the framework for an authenticated encryption scheme [3]. In this section we briefly discuss the construction with focus on the authenticated encryption. The duplex construction can be seen as a particular way to use the sponge construction [2], hence it inherits its security properties. The construction is based on a fixed permutation (or transformation) and allows the alternation of input and output blocks at the same rate as the sponge construction. Figure 1 shows the duplex construction. Similarly as in the sponge construction, there are two parameters: r (bitrate) and c (capacity). The sum of those two parameters makes the state size. Different values for bitrate and capacity give trade-offs between speed and security. A higher bitrate gives a faster construction at the expense of a lower security. Upon initialization all the bits of the state are set to zero. The duplex construction accepts input calls (denoted by in in Figure 1) to the underlying permutation f. The padded input strings have the size of r bits. After a call to the permutation f, an output r-bit string is returned (denoted by zn in Figure 1). Please note that the capacity part of the state is never directly manipulated by an input string in, nor is it included in output strings zn.
The authenticated encryption scheme with associated data (AEAD) can be realized with the duplex construction. A secret key K, and message blocks Bi (optionally with associated data Ai) are processed as follows.
Fig. 1. Duplex construction (figure not reproduced here)
Proceedings Article•10.1109/MWSCAS.2013.6674921•
Efficient AES-GCM for VPNs using FPGAs

[...]

Karim M. Abdellatif1, Roselyne Chotin-Avot1, Habib Mehrez1•
Pierre-and-Marie-Curie University1
2 Dec 2013
TL;DR: The benefits of adding key-synthesized property to AES-GCM using FPGAs and it is shown that the performance of the presented AES- GCM architecture outperforms the previously reported ones.
Abstract: Since its acceptance as the adopted authenticated encryption algorithm, AES-GCM has been utilized in various security-constrained applications. This paper describes the benefits of adding key-synthesized property to AES-GCM using FPGAs. Presented architectures can be used for applications which require encryption and authentication with slow changing keys like Virtual Private Networks (VPNs). Our architectures were evaluated using Virtex4 and Virtex5 FPGAs. It is shown that the performance of the presented AES-GCM architecture outperforms the previously reported ones.
Book Chapter•10.1007/978-3-642-41227-1_11•
Improved Authenticity Bound of EAX, and Refinements

[...]

Kazuhiko Minematsu1, Stefan Lucks2, Tetsu Iwata3•
NEC1, Bauhaus University, Weimar2, Nagoya University3
23 Oct 2013
TL;DR: This paper provides an improvement over the previous security proof, by showing that EAX is unforgeable up to O(2^{n/2}) data with multiple verification queries, and provides some ideas to reduce the complexity of EAX while keeping the new security bound.
Abstract: EAX is a mode of operation for blockciphers to implement an authenticated encryption. The original paper of EAX proved that EAX is unforgeable up to O(2^{n/2}) data with one verification query. However, this generally guarantees a rather weak bound for the unforgeability under multiple verification queries, i.e., only O(2^{n/3}) data is acceptable. This paper provides an improvement over the previous security proof, by showing that EAX is unforgeable up to O(2^{n/2}) data with multiple verification queries. Our security proof is based on the techniques that appeared in a paper of FSE 2013 by Minematsu et al. which studied the security of a variant of EAX called EAX-prime. We also provide some ideas to reduce the complexity of EAX while keeping our new security bound. In particular, EAX needs three blockcipher calls and keeps them in memory as a pre-processing, and our proposals can effectively reduce three calls to one call. This would be useful when computational power and memory are constrained.
Journal Article•10.1504/IJSN.2013.058112•
On the security of two improved authenticated encryption schemes

[...]

Mohamed Rasslan, Heba K. Aslan
01 Dec 2013-International Journal of Security and Networks
TL;DR: This paper shows that the new authenticated encryption scheme proposed by Zhang et al. does not satisfy its claimed non-repudiation and authentication properties and presents an attack against Hwang et al.'s scheme that allows a dishonest referee to decrypt all the future and past authenticated ciphertext between the contending parties.
Abstract: Authenticated encryption schemes are cryptographic primitives that are used to simultaneously protect the confidentiality and authenticity of communications. In 2003, Tseng et al. proposed two efficient authenticated encryption schemes with message linkages for message flows. Two years later, Zhang et al. pointed out that these two schemes lack the non-repudiation property and presented a new authenticated encryption scheme to surmount these weaknesses. Besides, in 2006, Hwang et al. presented another forgery attack against the original schemes and proposed some modified schemes to repair these flaws. In this paper, we show that the new authenticated encryption scheme proposed by Zhang et al. does not satisfy its claimed non-repudiation and authentication properties. We also present an attack against Hwang et al.'s scheme that allows a dishonest referee to decrypt all the future and past authenticated ciphertext between the contending parties. Furthermore, we present a simple fix to prevent these attacks.
Patent•
Authenticated encryption equipment and method with wireless communication function

[...]

Zhou Wei, Wei Wei, Xu Yaodong, Zhang Ronghua, Jiang Yaoliang 
12 Jun 2013
TL;DR: In this paper, the authors proposed authenticated encryption equipment with a wireless communication function, which not only can ensure the security of an electronic bank transaction, but also is adaptive to various terminals simultaneously, so that the safe authentication of electronic bank transactions is unrelated to the terminal type.
Abstract: The invention relates to the technical field of identity authentication, and particularly relates to authenticated encryption equipment and method with a wireless communication function. According to the authenticated encryption equipment with the wireless communication function provided by the invention, various terminal users are connected with a bank server by using special safe authenticated encryption equipment. The authenticated encryption equipment with the wireless communication function provided by the invention has a direct working mode and an indirect working mode. The direct working mode refers to a mode that the equipment provided by the invention and terminal equipment are respectively connected with the bank server to form two different SSL (Secure Sockets Layer) communication links. The indirect working mode refers to a mode that the equipment provided by the invention is provided with a USB (Universal Serial Bus) interface, and is connected with the terminal equipment through a USB data wire, so as to form an SSL communication link. The equipment provided by the invention not only can ensure the security of an electronic bank transaction, but also is adaptive to various terminals simultaneously, so that the safe authentication of the electronic bank transaction is unrelated to the terminal type. The authenticated encryption equipment with the wireless communication function provided by the invention has the advantages that not only can the long-distance audit be realized by using the direct working mode, but also the near-distance audit can be realized by using the indirect working mode. The problem that the conventional safe authenticated encryption equipment is inconvenient to use can be solved. 
The authenticated encryption equipment with the wireless communication function provided by the invention has the beneficial effects that the problem that an E-bank transaction is unrelated to the terminal type can be solved on the premise of the safe transaction; and the strong applicability is realized.
Proceedings Article•10.1109/WD.2013.6686460•
High speed authenticated encryption for slow changing key applications using reconfigurable devices

[...]

Karim M. Abdellatif1, Roselyne Chotin-Avot1, Habib Mehrez1•
Pierre-and-Marie-Curie University1
13 Nov 2013
TL;DR: The benefits of adding key-synthesized property to AES-GCM using FPGAs using three methods and a protocol to protect the bitstream of the proposed architectures are described.
Abstract: Since its acceptance as the adopted authenticated encryption algorithm, AES-GCM has been utilized in various security-constrained applications. This paper describes the benefits of adding key-synthesized property to AES-GCM using FPGAs. Presented architectures can be used for applications which require encryption and authentication with slow changing keys like Virtual Private Networks (VPNs). Three methods are selected to implement the SubBytes of AES to increase the flexibility of the presented work. Furthermore, we propose a protocol to protect the bitstream of the proposed architectures. Our architectures were evaluated using Virtex5 and Virtex4 FPGAs. It is shown that the performance of the presented AES-GCM architectures outperforms the previously reported ones.
Patent•
Authenticated encryption device with wireless communication function

[...]

Zhou Wei, Wei Wei, Xu Yaorong, Zhang Ronghua, Jiang Yaoliang 
6 Nov 2013
TL;DR: In this paper, the authors proposed an authenticated encryption device with a wireless communication function to ensure the security of an electronic bank transaction, and also is adaptive to various terminals simultaneously, so that the safety authentication of the E-bank transaction is unrelated to the terminal type.
Abstract: The utility model relates to the technical field of identity authentication, and particularly relates to an authenticated encryption device with a wireless communication function. According to the authenticated encryption device, various terminal users are connected with a bank server by using a special safety encryption authenticated device. The authenticated encryption device has a direct working mode and an indirect working mode. The direct working mode refers to a mode that the device provided by the utility model and a terminal device are respectively connected with the bank server to form two different SSL (Secure Sockets Layer) communication links. The indirect working mode refers to a mode that the device provided by the utility model is provided with a USB (Universal Serial Bus) interface, and is connected with the terminal device through a USB data wire, so as to form an SSL communication link. The device provided by the utility model not only can ensure the security of an electronic bank transaction, but also is adaptive to various terminals simultaneously, so that the safety authentication of the electronic bank transaction is unrelated to the terminal type. The authenticated encryption device with the wireless communication function has the advantages that not only can the long-distance audit be realized by using the direct working mode, but also the near-distance audit can be realized by using the indirect working mode. The problem that a conventional safe authenticated encryption device is inconvenient to use can be solved. The authenticated encryption device with the wireless communication function has the beneficial effects that the problem that an E-bank transaction is unrelated to the terminal type can be solved on the premise of the safe transaction; and the strong applicability is realized.
Posted Content•
CBEAM: Efficient Authenticated Encryption from Feebly One-Way φ Functions.

[...]

Markku-Juhani O. Saarinen
01 Jan 2013-IACR Cryptology ePrint Archive
TL;DR: It is shown how efficient and secure cryptographic mixing functions can be constructed from low-degree rotation-invariant φ functions rather than conventional S-Boxes, and that efficient implementation strategies exist for software platforms ranging from low-end microcontrollers to the very latest x86-64 AVX2 instruction set.
Posted Content•
Key Wrapping with a Fixed Permutation.

[...]

Dmitry Khovratovich1•
University of Luxembourg1
01 Jan 2013-IACR Cryptology ePrint Archive
TL;DR: In this paper, the authors present an efficient key wrapping scheme that uses a single wide permutation and does not rely on block ciphers, which is capable of wrapping keys up to 1400 bits and processing arbitrarily long headers.
Abstract: We present an efficient key wrapping scheme that uses a single wide permutation and does not rely on block ciphers. The scheme is capable of wrapping keys up to 1400 bits long and processing arbitrarily long headers. Our scheme easily delivers the security level of 128 bits or higher with the master key of the same length. The permutation can be taken from the sponge hash functions such as SHA-3 (Keccak), Quark, Photon, Spongent. We also present a simple proof of security within the concept of Deterministic Authenticated Encryption (DAE) introduced by Rogaway and Shrimpton. We extend the setting by allowing the adversary to query the permutation and following the indifferentiability setting in the security proof of the sponge construction.