TL;DR: This work introduces the notion of designated-server identity-based authenticated encryption with keyword search (dIBAEKS), in which the email sender authenticates the message while encrypting so that no adversary including the server can launch offline KGA.
TL;DR: The proposed secure D2D communication was designed based on elliptic curve cryptography (ECC) and lightweight authenticated encryption with associated data (AEAD) ciphers to cover resource-constrained IoT devices.
Abstract: Device-to-device (D2D) communication is a direct means of communication between devices without an intermediate node, and it helps to expand cell coverage and to increase radio frequency reuse in a 5G network. Moreover, D2D communication is a core technology of 5G vehicle-to-everything (V2X) communication, which is an essential technology for autonomous driving. However, typical D2D communication in a 4G network, which is a typical telecommunication network, has various security challenges including impersonation, eavesdropping, privacy sniffing, free-riding attacks, etc. Moreover, when IoT technology emerges with 5G networks in massive machine type communication (mMTC) and ultra-reliable low latency communication (URLLC) application scenarios, these security challenges are more crucial and harder to mitigate because of the resource-constrained nature of IoT devices. To solve the security challenges in a 5G IoT environment, we need a lightweight and secure D2D communication system that can provide secure authentication, data confidentiality/integrity and anonymity. In this paper, we survey and analyze existing results about secure D2D communication systems in terms of their security considerations and limitations. Then, we propose a secure D2D communication system to address the aforementioned security challenges and the limitations of the existing results. The proposed secure D2D communication was designed based on elliptic curve cryptography (ECC) and lightweight authenticated encryption with associated data (AEAD) ciphers to cover resource-constrained IoT devices.
TL;DR: The evaluation criteria and selection process based on public feedback and internal review of the first-round candidates is described and the list of 32 candidate algorithms selected for the second round of the evaluation process is provided.
Abstract: The National Institute of Standards and Technology (NIST) is in the process of selecting one or more authenticated encryption and hashing schemes suitable for constrained environments through a public, competition-like process. In February 2019, 57 candidate algorithms were submitted to NIST for consideration. Among these, 56 were accepted as first-round candidates in April 2019, marking the beginning of the first round of the NIST Lightweight Cryptography Standardization Process. Due to the large number of submissions and the short timeline of the process, NIST has decided to eliminate some of the algorithms from consideration early in the first evaluation phase in order to focus analysis on the more promising submissions. This report describes the evaluation criteria and selection process based on public feedback and internal review of the first-round candidates and provides the list of 32 candidate algorithms selected for the second round of the evaluation process.
TL;DR: This study considers Huang and Li's PAEKS scheme and proves that it is not secure against inside keyword guessing attacks, and proposes a modified scheme to fix the problem without any additional communication or computation costs.
Abstract: In 2017, the notion of public key authenticated encryption with keyword search (PAEKS) and its security model was defined by Huang and Li. Their main motivation was providing security against inside keyword guessing attacks (KGA). They also proposed a concrete PAEKS scheme secure in their proposed model. In this study, the authors first show that their security model has an important drawback and therefore cannot handle multi-user settings. As such settings are a necessity in the public-key environment, it is vital to improve the model to capture multiple users. This is what they do in the first part of this study. Then, they consider Huang and Li's PAEKS scheme and prove that it is not secure against inside (and even outside) KGA. Finally, they propose a modified scheme to fix the problem without any additional communication or computation costs. They further prove that the new scheme is secure in the improved model.
TL;DR: Results indicate that the proposed ChaCha20-Poly1305 AEAD as a solution to secure constrained node communication over MQTT/MQTT-SN requires a small amount of memory and presents low processing time.
Abstract: In the coming years, sensors will likely have permeated every aspect of our life. Several works explain how the Internet of Things (IoT) will have an impact on almost all aspects of our life and why security is at the top of the list of IoT challenges. Constrained nodes constitute a significant portion of devices in IoT. These nodes are characterized by severe constraints on power, memory, and processing resources, and therefore do not support conventional security protocols such as Transport Layer Security (TLS). Message Queue Telemetry Transport (MQTT) is a lightweight communication protocol particularly adapted for constrained nodes. Security solutions in the MQTT protocol can be achieved at multiple layers. To ensure end-to-end encryption, Authenticated Encryption with Associated Data (AEAD) is one of the most recommended solutions. Actually, the Advanced Encryption Standard (AES) is one of the most widely used standard encryption methods. However, constrained node processors do not have hardware support for AES, and the physical-layer packet size of these nodes is limited. This paper proposes ChaCha20-Poly1305 AEAD as a solution to secure constrained node communication over MQTT/MQTT-SN. ChaCha20 and Poly1305 are, respectively, a lightweight stream cipher and a one-time authenticator which continue to gain popularity in the crypto community. A prototype of the proposed solution is implemented on constrained nodes like the Arduino UNO. The paper mainly provides results related to memory footprint and execution time. These results indicate that the proposed scheme requires a small amount of memory and presents low processing time.
TL;DR: A forkcipher, as discussed by the authors, is a primitive in symmetric cryptography that expands a fixed-length input to a fixed-length output, and its security is defined as indistinguishability under chosen ciphertext attack.
Abstract: Highly efficient encryption and authentication of short messages is an essential requirement for enabling security in constrained scenarios such as the CAN FD in automotive systems (max. message size 64 bytes), massive IoT, critical communication domains of 5G, and Narrowband IoT, to mention a few. In addition, one of the NIST lightweight cryptography project requirements is that AEAD schemes shall be “optimized to be efficient for short messages (e.g., as short as 8 bytes)”. In this work we introduce and formalize a novel primitive in symmetric cryptography called a forkcipher. A forkcipher is a keyed function expanding a fixed-length input to a fixed-length output. We define its security as indistinguishability under chosen ciphertext attack. We give a generic construction validation via the new iterate-fork-iterate design paradigm. We then propose ForkSkinny as a concrete forkcipher instance with a public tweak and based on SKINNY: a tweakable lightweight block cipher constructed using the TWEAKEY framework. We conduct extensive cryptanalysis of ForkSkinny against classical and structure-specific attacks. We demonstrate the applicability of forkciphers by designing three new provably-secure, nonce-based AEAD modes which offer performance and security tradeoffs and are optimized for efficiency of very short messages. Considering a reference block size of 16 bytes, and ignoring possible hardware optimizations, our new AEAD schemes beat the best SKINNY-based AEAD modes. More generally, we show forkciphers are suited for lightweight applications dealing with predominantly short messages, while at the same time allowing handling of arbitrary message sizes. Furthermore, our hardware implementation results show that when we exploit the inherent parallelism of ForkSkinny we achieve the best performance when directly compared with the most efficient mode instantiated with the SKINNY block cipher.
TL;DR: The proposed scheme not only achieves multi-party authentication in the access authentication process but also provides identity anonymity and non-repudiation, and the processes of access authentication and data transmission are combined into one process in the scheme.
Abstract: With the integration of Narrowband Internet of Things (NB-IoT) technology coming into our lives, more and more NB-IoT terminals are connected to the network to meet various requirements of users. However, the traditional authentication process between the NB-IoT devices and the 5G core network brings heavy communication and storage overheads. Besides, large-scale connected NB-IoT devices are vulnerable to attacks from adversaries, especially for devices that are used to collect and transmit sensitive data and information. Therefore, it is extremely important to simplify the authentication process and ensure the security and privacy of the data transmission process. In this paper, we propose a certificateless multi-party authenticated encryption scheme for NB-IoT terminals in 5G networks. The proposed scheme not only achieves multi-party authentication in the access authentication process but also provides identity anonymity and non-repudiation. The processes of access authentication and data transmission are combined into one process in our scheme. When multiple NB-IoT terminals simultaneously perform access authentication, the information of terminals and encrypted private data are sent to the Access and Mobility Management (AMF), and the AMF verifies the validity and security of the data by verifying the generated certificateless aggregated authenticated ciphertexts. Security analysis and experimental results show that our scheme is secure and efficient.
TL;DR: This memo specifies two authenticated encryption algorithms that are nonce misuse-resistant - that is that they do not fail catastrophically if a nonce is repeated.
Abstract: This memo specifies two authenticated encryption algorithms that are nonce misuse-resistant - that is that they do not fail catastrophically if a nonce is repeated.
TL;DR: This paper proposes a cross-layer approach towards exploiting the CCM for OSCoAP using the MAC-layer security suite in IoT devices with 802.15.4 radio chips and shows that the implementation of CCM is memory efficient, saves up to 10 times more energy, improves battery life by 30% and is 37% faster than the state-of-the-art software implementation.
Abstract: CoAP is an application layer protocol designed for resource-constrained devices in the Internet of Things (IoT). Object Security of CoAP (OSCoAP) is an IETF draft for addressing security issues with CoAP messages that can arise with the use of intermediate proxies. These proxies are employed for better performance, scalability and offloading expensive operations. OSCoAP adopts the counter with cipher block chaining message authentication code (CCM) mode of authenticated encryption with associated data (AEAD) that simultaneously ensures confidentiality, integrity, and authentication of the messages. The current implementation of CCM for OSCoAP is carried out in software. In this paper, we propose a cross-layer approach towards exploiting the CCM for OSCoAP using the MAC-layer security suite in IoT devices. The motivation is based on the fact that most of these devices are equipped with 802.15.4 radio chips. The IEEE 802.15.4 standard mandates the availability of some security features for MAC-layer encryption in these radio chips, including the CCM. We propose an algorithm that takes advantage of these on-board features by efficiently implementing the CCM operations for OSCoAP. The results show that our implementation of CCM is memory efficient, saves up to 10 times more energy, improves battery life by 30% and is 37% faster than the state-of-the-art software implementation of CCM for OSCoAP.
TL;DR: The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting, the first result breaking a security claim of SCREAM.
Abstract: In this paper, we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext–ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.
TL;DR: The notion of Dual-server Public-key Authenticated Encryption with Keyword Search (DPAEKS) is defined, which protects against IKGA by leveraging two servers that do not cooperate, and supports the authentication property.
Abstract: In cloud storage, how to search sensitive data efficiently and securely is a challenging problem. The searchable encryption technique provides a secure storage method without loss of data confidentiality and utilization. As an important branch of searchable encryption, public-key encryption with keyword search (PEKS) is widely studied by scholars. However, most of the traditional PEKS schemes are vulnerable to the inside keyword guessing attack (IKGA) or some other weaknesses. Resisting the inside keyword guessing attack is likely to become a must-have property of all new PEKS schemes. For a long time, mitigating IKGA has been inefficient and difficult, and thus most existing PEKS schemes fail in achieving their security goals. To improve the security and efficiency of PEKS, we define the notion of Dual-server Public-key Authenticated Encryption with Keyword Search (DPAEKS), which protects against IKGA with high computation efficiency, and supports the authentication property. Then, we provide a construction of DPAEKS without bilinear pairings, which is secure against IKGA by leveraging two servers that do not cooperate. Experimental results obtained using a real-world dataset show that our scheme is highly efficient and provides strong security, making it suitable for deployment in practical applications.
TL;DR: nEHtM, a nonce-based variant of EHtM (FSE-10) constructed using a block cipher, has a beyond birthday bound (BBB) unforgeable security that gracefully degrades under nonce misuse, and is combined with the CENC mode of encryption using the EtM paradigm to realize a nonce-based AE, CWC+.
Abstract: Encrypt-then-MAC (EtM) is a popular mode for authenticated encryption (AE). Unfortunately, almost all designs following the EtM paradigm, including the AE suites for TLS, are vulnerable against nonce misuse. A single repetition of the nonce value reveals the hash key, leading to a universal forgery attack. There are only two authenticated encryption schemes following the EtM paradigm which can resist nonce misuse attacks, the GCM-RUP (CRYPTO-17) and the $\mathsf{GCM/2}^{+}$ (INSCRYPT-12). However, they are secure only up to the birthday bound in the nonce respecting setting, resulting in a restriction on the data limit for a single key. In this paper we show that nEHtM, a nonce-based variant of EHtM (FSE-10) constructed using a block cipher, has a beyond birthday bound (BBB) unforgeable security that gracefully degrades under nonce misuse. We combine nEHtM with the CENC (FSE-06) mode of encryption using the EtM paradigm to realize a nonce-based AE, CWC+. CWC+ is very close (requiring only a few more xor operations) to the CWC AE scheme (FSE-04) and it not only provides BBB security but also gracefully degrading security on nonce misuse.
TL;DR: TEDT leads to more energy-efficient implementations compared to traditional AEAD schemes, whose side-channel security requires uniformly protecting every (T)BC execution.
Abstract: We propose TEDT, a new Authenticated Encryption with Associated Data (AEAD) mode leveraging Tweakable Block Ciphers (TBCs). TEDT provides the following features: (i) It offers full leakage-resistance, that is, it limits the exploitability of physical leakages via side-channel attacks, even if these leakages happen during every message encryption and decryption operation. Moreover, the leakage integrity bound is asymptotically optimal in the multi-user setting. (ii) It offers nonce misuse-resilience, that is, the repetition of nonces does not impact the security of ciphertexts produced with fresh nonces. (iii) It can be implemented with a remarkably low energy cost when strong resistance to side-channel attacks is needed, supports online encryption and handles static and incremental associated data efficiently. Concretely, TEDT encourages so-called leveled implementations, in which two TBCs are implemented: the first one needs strong and energy demanding protections against side-channel attacks but is used in a limited way, while the other only requires weak and energy-efficient protections and performs the bulk of the computation. As a result, TEDT leads to more energy-efficient implementations compared to traditional AEAD schemes, whose side-channel security requires uniformly protecting every (T)BC execution.
TL;DR: A new design is proposed that adds a new dimension of security by using the concept of frequency hopping to generate a pseudo-random pattern for switching between 5 lightweight cryptographic ciphers that are participating in the Competition for Authenticated Encryption, Security, Applicability, and Robustness (CAESAR).
Abstract: Certificateless Public-key Authenticated Encryption with Keyword Search (CLPAEKS) is derived from the Public-key Authenticated Encryption with Keyword Search (PAEKS) and simultaneously combines the features of the Public Key Cryptography (CLPKC). In a CLPAEKS scheme, the ciphertext is designed to meet the need for both confidentiality and authentication, i.e., on one hand, the ciphertext is the encryption of the keyword; on the other hand, adversaries are incapable of generating a valid ciphertext without the owner’s private key. He et al. formalized security models for CLPAEKS and proposed a CLPAEKS scheme. However, we find their models are incomplete to capture the security requirements for CLPAEKS and re-formalize the security requirements for CLPAEKS in terms of trapdoor privacy and ciphertext indistinguishability. Besides, we point out that their scheme is vulnerable to the Keyword Guessing Attack (KGA) by a malicious receiver, which is not considered in their security model. Then we modify He et al.’s scheme and prove that the new scheme meets the new security requirements.
TL;DR: A new Grain stream cipher, denoted Grain-128AEAD, is presented, with support for authenticated encryption with associated data. It is based on Grain-128a but introduces a few changes in order to increase the security and protect against recent cryptanalysis results.
TL;DR: Robustly reusable Fuzzy Extractor (rrFE) considers reusability and robustness simultaneously and presents two approaches to the generic construction of rrFE, which employs a secure sketch and universal hash functions.
Abstract: Robustly reusable Fuzzy Extractor (rrFE) considers reusability and robustness simultaneously. We present two approaches to the generic construction of rrFE. Both approaches make use of a secure sketch and universal hash functions. The first approach also employs a special pseudo-random function (PRF), namely a unique-input key-shift (ui-ks) secure PRF, and the second uses a key-shift secure auxiliary-input authenticated encryption (AIAE). The ui-ks security of the PRF (resp. key-shift security of the AIAE), together with the homomorphic properties of the secure sketch and universal hash function, guarantees the reusability and robustness of rrFE. Meanwhile, we show two instantiations of the two approaches respectively. The first instantiation results in the first rrFE from the LWE assumption, while the second instantiation results in the first rrFE from the DDH assumption over non-pairing groups.
TL;DR: In this paper, a six-round related-tweakey impossible distinguisher of Deoxys-BC-256, which is transformed from a 3.5-round single-key impossible distinguisher of AES by application of the mixed integer linear programming (MILP) method, is presented.
Abstract: Deoxys-BC is the internal tweakable block cipher of Deoxys, a third-round authenticated encryption candidate at the CAESAR competition. In this study, by adequately studying the tweakey schedule, we seek a six-round related-tweakey impossible distinguisher of Deoxys-BC-256, which is transformed from a 3.5-round single-key impossible distinguisher of AES, by application of the mixed integer linear programming (MILP) method. We present a detailed description of this interesting transformation method and the MILP-modeling process. Based on this distinguisher, we mount a key-recovery attack on 10 (out of 14) rounds of Deoxys-BC-256. Compared to previous results that are valid only when the key size $>204$ and the tweak size $<52$, our method can attack 10-round Deoxys-BC-256 as long as the key size $\geq 174$ and the tweak size $\leq 82$. For the popular setting in which the key size is 192 bits, we can attack one round more than previous studies. Note that this paper only gives a more accurate security evaluation and does not threaten the security of full-round Deoxys-BC-256.
TL;DR: This paper proposes a low-cost deniably authenticated encryption scheme (DA-ENS), where all the cryptographic primitives are performed in a single logical step to achieve these goals, and proves that the scheme is provably secure in the random oracle model.
Abstract: The most important security requirements to secure electronic mail (e-mail) systems are: confidentiality, authentication, non-repudiation and data integrity. In conventional e-mail systems, Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) digital envelopes are used to satisfy these security requirements. However, confidentiality and authentication are performed in two different phases, which increases computations and leads to more energy consumption. Moreover, the receiver can easily reveal the source of the message, violating the sender's privacy. In this paper, we propose a low-cost deniably authenticated encryption scheme (DA-ENS), where all the cryptographic primitives are performed in a single logical step to achieve these goals. Experimental results show that our scheme, DA-ENS, achieves low computational cost and communication overhead at 80-bit, 112-bit, 128-bit, 192-bit and 256-bit security levels. Energy consumption is shown to be reduced to 80%, 67%, 42%, 62% and 48% compared to the similar schemes SL+BF, LXJ+BF, Fagen Li et al. (FL), AJL and CZJZJSZ respectively. Also, we have proven that our scheme DA-ENS is provably secure in the random oracle model.
TL;DR: This work proposes a certificateless deniably authenticated encryption (CLDAE) scheme that concurrently accomplishes the requirements of public key encryption and deniable authentication at a relatively lower cost and applies it to a real-world application such as an e-voting system.
Abstract: The concept of deniably authenticated encryption (DAE) is presently significant in cryptography due to its security properties and wide range of application. It achieves deniable authentication and confidentiality in a simultaneous manner. It has merited application in e-voting systems, e-mail systems and confidential online negotiation. Although several DAE schemes have been proposed recently, we point out that those constructions are either weak against masquerading attacks or inherit the key escrow problem. As a remedy, we propose a certificateless deniably authenticated encryption (CLDAE) scheme that is provably secure. Typically, we can obtain this goal using the “deniable authentication followed by certificateless encryption” approach. However, this approach is computationally expensive and complex to design since it is a combination of two cryptographic constructions. In contrast, our CLDAE scheme is a single cryptographic construction but it concurrently accomplishes the requirements of public key encryption and deniable authentication at a relatively lower cost. For instance, our simulation results at 80 bits of security level show it to be approximately 43.3 and $30.4\%$ faster, respectively, than two “deniable authentication followed by certificateless encryption” schemes. Moreover, the communication overhead of our CLDAE scheme is 12.9 and $34.9\%$ less than that of those two schemes respectively. Finally, to demonstrate the significance of our CLDAE scheme, we apply it to a real-world application such as an e-voting system.
TL;DR: This work proposes an efficient deniable authentication encryption scheme that can achieve the four secure features in a single logical step, and compared with the latest scheme, reduces the computational cost of encryption by about 30%, reduces the computational cost of decryption by about 50%, and reduces the length of ciphertext by about 33%.
Abstract: In the field of social surveys of misconduct and legal consultation, the features of confidentiality, integrity, deniable authentication, and non-repudiation are needed for the sake of preserving privacy. For this special kind of application scenario, we propose an efficient deniable authentication encryption scheme. Our scheme can achieve the four secure features in a single logical step. Compared with the latest scheme, our scheme reduces the computational cost of encryption by about 30%, reduces the computational cost of decryption by about 50%, and reduces the length of ciphertext by about 33%. Its security is shown in the random oracle model.
TL;DR: In this paper, the authors present an attacker model that makes use of network reconnaissance afforded by this leaked context in conjunction with formal verification and model checking to arbitrarily reason about the underlying topology and reachability of information flow.
Abstract: Data Distribution Service (DDS) is a real-time peer-to-peer protocol that serves as a scalable middleware between distributed networked systems found in many Industrial IoT domains such as automotive, medical, energy, and defense. Since the initial ratification of the standard, specifications have introduced a Security Model and Service Plugin Interface (SPI) architecture, facilitating authenticated encryption and data-centric access control while preserving interoperable data exchange. However, as of Secure DDS v1.1, the default plugin specifications presently exchange digitally signed capability lists of both participants in the clear during the crypto handshake for permission attestation, thus breaching confidentiality of the context of the connection. In this work, we present an attacker model that makes use of network reconnaissance afforded by this leaked context in conjunction with formal verification and model checking to arbitrarily reason about the underlying topology and reachability of information flow, enabling targeted attacks such as selective denial of service, adversarial partitioning of the data bus, or vulnerability excavation of vendor implementations.
TL;DR: An open-source benchmarking tool suite for a fair and consistent evaluation of Authenticated Encryption with Associated Data (AEAD) algorithms written in C or assembly language for 8-bit AVR, 16-bit MSP430, and 32-bit ARM Cortex-M3 platforms is introduced.
Abstract: Cryptographic algorithms that can simultaneously provide both encryption and authentication play an increasingly important role in modern security architectures and protocols (e.g. TLS v1.3). Dozens of authenticated encryption systems have been designed in the past five years, which has initiated a large body of research in cryptanalysis. The interest in authenticated encryption has further risen after the National Institute of Standards and Technology (NIST) announced an initiative to standardize “lightweight” authenticated ciphers and hash functions that are suitable for resource-constrained devices. However, while there already exist some cryptanalytic results on these recent designs, little is known about their performance, especially when they are executed on small 8, 16, and 32-bit microcontrollers. In this paper, we introduce an open-source benchmarking tool suite for a fair and consistent evaluation of Authenticated Encryption with Associated Data (AEAD) algorithms written in C or assembly language for 8-bit AVR, 16-bit MSP430, and 32-bit ARM Cortex-M3 platforms. The tool suite is an extension of the FELICS benchmarking framework and provides a new AEAD-specific low-level API that allows users to collect very fine-grained and detailed results for execution time, RAM consumption, and binary code size in a highly automated fashion. FELICS-AEAD comes with two pre-defined evaluation scenarios, which were developed to resemble security-critical operations commonly carried out by real IoT applications to ensure the benchmarks are meaningful in practice. We tested the AEAD tool suite using five authenticated encryption algorithms, namely AES-GCM and the CAESAR candidates ACORN, ASCON, Ketje-Jr, and NORX, and present some preliminary results.
TL;DR: Wang et al. as discussed by the authors proposed a related-tweakey boomerang distinguisher of Deoxys-BC-384 with probability $2^{-118.4}$, a data complexity of $2^{125.2}$ and a time complexity of $2^{186.7}$.
Abstract: Deoxys-BC is the core internal tweakable block cipher of the authenticated encryption schemes Deoxys-I and Deoxys-II. Deoxys-II is one of the six schemes in the final portfolio of the CAESAR competition, while Deoxys-I is a 3rd round candidate. By well studying the new method proposed by Cid et al. at ToSC 2017 and BDT technique proposed by Wang and Peyrin at ToSC 2019, we find a new 11-round related-tweakey boomerang distinguisher of Deoxys-BC-384 with probability of \(2^{-118.4}\), and give a related-tweakey rectangle attack on 13-round Deoxys-BC-384 with a data complexity of \(2^{125.2}\) and time complexity of \(2^{186.7}\), and then apply it to analyze 13-round Deoxys-I-256-128 in this paper. This is the first time that an attack on 13-round Deoxys-I-256-128 is given, while the previous attack on this version only reaches 12 rounds.
TL;DR: This paper proposes a new PKEET notion, called public-key authenticated encryption with designated equality test (PKAE-DET), which could resist this kind of attacks launched by an inside adversary, known as offline message recovery attacks (OMRA).
Abstract: Due to the massive growth of data and security concerns, data of patients would be encrypted and outsourced to the cloud server for feature matching in various medical scenarios, such as personal health record systems, actuarial judgments and diagnostic related groups. Public key encryption with equality test (PKEET) is a useful utility for encrypted feature matching. An authorized tester can perform data matching on encrypted data without decrypting. Unfortunately, due to the limited terminology in medicine, people within institutions may illegally use data, trying to obtain information through traversal methods. In this paper we propose a new PKEET notion, called public-key authenticated encryption with designated equality test (PKAE-DET), which can resist this kind of attack launched by an inside adversary, known as offline message recovery attacks (OMRA). We propose a concrete construction of PKAE-DET, which only requires one single server to perform the feature matching job securely, and does not require any group mechanism. We prove its security based on some simple mathematical assumptions. Experimental results show that our scheme has efficiency comparable with those PKEET schemes which do not resist OMRA attacks or require a group mechanism. We further show how our scheme could be effectively used in diagnostic related groups in medicine, demonstrating its practicability.
TL;DR: This work proposes CAESAR-MPSoC, an enhanced MPSoC able to ensure the protected configuration of the firewalls through encrypted and authenticated reconfiguration packets, and develops a light-weight interface that allows plugging the different CAESAR cores into an MPSoC environment.
Abstract: Dynamic security zones in Multiprocessor System-on-Chip (MP-SoC) have been used to isolate sensitive applications from possible attackers. These physical wrappers are usually configured through programmable hardware firewalls. Previous works have shown the efficiency of this security mechanism against a wide variety of attacks. However, the security zone configuration is performed in an unprotected way, exposing the system to attacks caused by a rogue firewall update. In this work we propose CAESAR-MPSoC, an enhanced MPSoC able to ensure the protected configuration of the firewalls through encrypted and authenticated reconfiguration packets. To this end, we present two contributions. First, we integrate two CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) hardware IP cores, ASCON and AEGIS, into MPSoCs. Second, we developed a light-weight interface that allows plugging the different CAESAR cores into an MPSoC environment. Third, we show the protected configuration of security zones. Fourth, we evaluate the security, area and cost of CAESAR-MPSoC. The results show that our solution is feasible and effective to allow the protected and efficient security zone configuration.
TL;DR: In this article, the authors conduct an empirical analysis of over 10 million TLS servers from three different datasets using a novel heuristic approach and show that 5.37% of top domains, 7.51% of random domains, and 26.16% of the random IPs do not select FS key exchange algorithms.
Abstract: Forward Secrecy (FS) is a security property in key-exchange algorithms which guarantees that a compromise in the secrecy of a long-term private key does not compromise the secrecy of past session keys. With a growing awareness of long-term mass surveillance programs by governments and others, FS has become widely regarded as a highly desirable property. This is particularly true in the TLS protocol, which is used to secure Internet communication. In this paper, we investigate FS in pre-TLS 1.3 protocols, which do not mandate FS, but are still widely used today. We conduct an empirical analysis of over 10 million TLS servers from three different datasets using a novel heuristic approach. Using modern TLS client handshake algorithms, our results show 5.37% of top domains, 7.51% of random domains, and 26.16% of random IPs do not select FS key-exchange algorithms. Surprisingly, 39.20% of the top domains, 24.40% of the random domains, and 14.46% of the random IPs that do not select FS, do support FS. In light of this analysis, we discuss possible paths toward forward-secure Internet traffic. As an improvement of the current state, we propose a new client-side mechanism that we call “Best Effort Forward Secrecy” (BEFS), and an extension of it that we call “Best Effort Forward Secrecy and Authenticated Encryption” (BESAFE), which aims to guide (force) misconfigured servers to FS using a best effort approach. Finally, within our analysis, we introduce a novel adversarial model that we call the “discriminatory” adversary, which is applicable to the TLS protocol.
TL;DR: ZOCB and ZOTR as discussed by the authors improve the efficiency of OCB3 and OTR by using the tweak input of the TBC to process a plaintext and associated data.
Abstract: We define ZOCB and ZOTR for nonce-based authenticated encryption with associated data, and analyze their provable security. These schemes use a tweakable blockcipher (TBC) as the underlying primitive, and fully utilize its input to process a plaintext and associated data (AD). This property is commonly referred to as full absorption, and this has been explored for schemes based on a permutation or a pseudorandom function (PRF). Our schemes improve the efficiency of TBC-based counterparts of OCB and OTR called ΘCB3 (Krovetz and Rogaway, FSE 2011) and OTR (Minematsu, EUROCRYPT 2014). Specifically, ΘCB3 and OTR have an independent part to process AD, and our schemes integrate this process into the encryption part of a plaintext by using the tweak input of the TBC. Up to a certain length of AD, ZOCB and ZOTR completely eliminate the independent process for it. Even for longer AD, our schemes process it efficiently by fully using the tweak input of the TBC. For this purpose, based on previous tweak extension schemes for TBCs, we introduce a scheme called XTX*. To our knowledge, ZOCB and ZOTR are the first efficiency improvement of ΘCB3 and OTR in terms of the number of TBC calls. Compared to Sponge-based and PRF-based schemes, ZOCB and ZOTR allow fully parallel computation of the underlying primitive, and have a unique design feature that an authentication tag is independent of a part of AD. We present experimental results illustrating the practical efficiency gain and clarifying the efficiency cost for it with a concrete instantiation. The results show that for long input data, our schemes have gains, while we have efficiency loss for short input data.
TL;DR: A performance comparison is presented of new authenticated encryption algorithms that aim at providing better security and resource efficiency compared to existing standards, and that improve the security of existing AE standards by providing a critical property termed nonce-misuse resistance.
Abstract: This paper presents a performance comparison of new authenticated encryption (AE) algorithms which are aimed at providing better security and resource efficiency compared to existing standards. Specifically, these algorithms improve the security of existing AE standards by providing a critical property termed nonce-misuse resistance. This paper addresses algorithm-to-architecture mappings of several candidates from the ongoing Competition for AE: Security, Applicability, and Robustness as well as a submission from the Crypto Forum Research Group. Implementations of the architectures on both field-programmable gate array and application-specific integrated circuit platforms are provided and compared with the architecture of a popular standard: Advanced Encryption Standard in Galois Counter mode (AES-GCM). Optimizations that are applicable to AE, in general, and nonce-misuse-resistant architectures, in particular, are presented. A hardware–software codesign approach to optimization is also discussed. The implementations via proposed optimizations demonstrate that new AE algorithms can provide performance comparable to standard AES-GCM while enhancing security and resource utilization for specific use-case scenarios.
TL;DR: This paper explains how the principles of SIFA can be applied to GIMLI, an authenticated encryption scheme participating in the NIST-LWC competition, and investigates the influence of the fault model on the rate of ineffective faults in GIMLI.
Abstract: Statistical Ineffective Fault Analysis (SIFA) was introduced as a new approach to attack block ciphers at CHES 2018. Since then, it has been proven to be a powerful class of attacks, with an easy to achieve fault model. One of the main benefits of SIFA is to overcome detection-based and infection-based countermeasures. In this paper we explain how the principles of SIFA can be applied to GIMLI, an authenticated encryption cipher participating in the NIST-LWC competition. We identified two possible rounds during the initialization phase of GIMLI to mount our attack. If we attack the first location we are able to recover 3 bits of the key uniquely and the parity of 8 key-bits organized in 3 sums using 180 ineffective faults per biased single intermediate bit. If we attack the second location we are able to recover 15 bits of the key uniquely and the parity of 22 key-bits organized in 7 sums using 340 ineffective faults per biased intermediate bit. Furthermore, we investigated the influence of the fault model on the rate of ineffective faults in GIMLI. Finally, we verify the efficiency of our attacks by means of simulation.