
Analyzing Multi-key Security Degradation [chapter]

Atul Luykx, Bart Mennink, Kenneth G. Paterson
2017 Lecture Notes in Computer Science  
Atul Luykx is supported by a Fellowship from the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen).  ...  Following the analysis of Luykx and Paterson, one would infer that the safety margin decreases proportionately with µ in the multi-key case.  ...  [1], Mouha and Luykx [41], Tessaro [50], and Fouque et al. [25]. However, there is no systematic treatment of the problem like that provided in our work.  ... 
doi:10.1007/978-3-319-70697-9_20 fatcat:hfuouu2axjdz3ghiz25bppr7qy

Two-permutation-based hashing with binary mixing

Atul Luykx, Bart Mennink, Bart Preneel, Laura Winnen
2015 Journal of Mathematical Cryptology  
Abstract: We consider the generic design of compression functions based on two  ... 
doi:10.1515/jmc-2015-0015 fatcat:mim5mbep4fauhbeu6iufyy74vu

Boosting Authenticated Encryption Robustness with Minimal Modifications [chapter]

Tomer Ashur, Orr Dunkelman, Atul Luykx
2017 Lecture Notes in Computer Science  
Secure and highly efficient authenticated encryption (AE) algorithms which achieve data confidentiality and authenticity in the symmetric-key setting have existed for well over a decade. By all conventional measures, AES-OCB seems to be the AE algorithm of choice on any platform with AES-NI: it has a proof showing it is secure assuming AES is, and it is one of the fastest out of all such algorithms. However, algorithms such as AES-GCM and ChaCha20+Poly1305 have seen more widespread adoption, even though they will likely never outperform AES-OCB on platforms with AES-NI. Given the fact that changing algorithms is a long and costly process, some have set out to maximize the security that can be achieved with the already deployed algorithms, without sacrificing efficiency: ChaCha20+Poly1305 already improves over GCM in how it authenticates, GCM-SIV uses GCM's underlying components to provide nonce misuse resistance, and TLS 1.3 introduces a randomized nonce in order to improve GCM's multi-user security. We continue this line of work by looking more closely at GCM and ChaCha20+Poly1305 to see what robustness they already provide over algorithms such as OCB, and whether minor variants of the algorithms can be used for applications where defense in depth is critical. We formalize and illustrate how GCM and ChaCha20+Poly1305 offer varying degrees of resilience to nonce misuse, as they can recover quickly from repeated nonces, as opposed to OCB, which loses all security. More surprisingly, by introducing minor tweaks such as an additional XOR, we can create a GCM variant which provides security even when unverified plaintext is released.
doi:10.1007/978-3-319-63697-9_1 fatcat:qaix7jnghzhjdd3ljnwjkst7ze

Optimal Forgeries Against Polynomial-Based MACs and GCM [chapter]

Atul Luykx, Bart Preneel
2018 Lecture Notes in Computer Science  
As shown by Luykx, Mennink, and Paterson [LMP17], the attacks' success probability will not improve in the multi-key setting.  ... 
doi:10.1007/978-3-319-78381-9_17 fatcat:o3lwy47tqbaepkw74tdhezl65e

A MAC Mode for Lightweight Block Ciphers [chapter]

Atul Luykx, Bart Preneel, Elmar Tischhauser, Kan Yasuda
2016 Lecture Notes in Computer Science  
Atul Luykx is supported by a Ph.D. Fellowship from the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen).  ... 
doi:10.1007/978-3-662-52993-5_3 fatcat:tvtoldxhovfkdnprmy25du3m3m

Multi-key Security: The Even-Mansour Construction Revisited [chapter]

Nicky Mouha, Atul Luykx
2015 Lecture Notes in Computer Science  
At ASIACRYPT 1991, Even and Mansour introduced a block cipher construction based on a single permutation. Their construction has since been lauded for its simplicity, yet also criticized for not providing the same security as other block ciphers against generic attacks. In this paper, we prove that if a small number of plaintexts are encrypted under multiple independent keys, the Even-Mansour construction surprisingly offers similar security as an ideal block cipher with the same block and key size. Note that this multi-key setting is of high practical relevance, as real-world implementations often allow frequent rekeying. We hope that the results in this paper will further encourage the use of the Even-Mansour construction, especially when the secure and efficient implementation of a key schedule would result in a significant overhead.
doi:10.1007/978-3-662-47989-6_10 fatcat:o3izd5smcrcvloiybvbbfvfcje
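The generic-attack criticism mentioned in this abstract is easiest to see on a toy instance. The following is an added example, not code from the paper or from any other entry on this page: a two-key Even-Mansour cipher E(x) = P(x XOR K1) XOR K2 built on a 16-bit public permutation, together with the classic chosen-plaintext key-recovery attack whose data/time trade-off (roughly D pairs of plaintexts against 2^n / (2D) offline evaluations of P) is what "generic attacks" refers to. The block size, permutation seed, keys, difference value and query count are arbitrary assumptions made for the demonstration.

```python
"""Added example (not from any of the listed papers): toy two-key
Even-Mansour over a 16-bit public permutation, plus the generic
chosen-plaintext key-recovery attack with its D*T ~ 2^n trade-off.
Block size, seed, keys and query choices are arbitrary assumptions."""
import random

N_BITS = 16                  # toy block size so a full sweep of P is instant
SIZE = 1 << N_BITS


def make_permutation(seed=2015):
    """Public random permutation P on N_BITS bits, as a lookup table."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    return table


def invert(perm):
    """Inverse table P^{-1}, needed for decryption."""
    inv = [0] * SIZE
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def em_encrypt(perm, k1, k2, x):
    """Two-key Even-Mansour: E_{K1,K2}(x) = P(x ^ K1) ^ K2."""
    return perm[x ^ k1] ^ k2


def em_decrypt(perm_inv, k1, k2, y):
    """Inverse: D_{K1,K2}(y) = P^{-1}(y ^ K2) ^ K1."""
    return perm_inv[y ^ k2] ^ k1


def recover_key(perm, oracle, d=1, delta=0x0001, seed=7):
    """Generic key recovery with d chosen-plaintext pairs.

    If x and x ^ delta are encrypted, the inputs to P also differ by delta,
    so E(x) ^ E(x ^ delta) == P(v) ^ P(v ^ delta) for v = x ^ K1.  The
    attacker collects d such ciphertext differences online, then evaluates
    the *public* P offline until some v reproduces one of them; then
    (K1, K2) = (x ^ v, E(x) ^ P(v)) is a candidate.  Expected offline work
    is about 2^n / (2 d) steps: doubling the data halves the time.

    Edge case: the twin v ^ delta always fits the same pair, and with many
    pairs random matches occur, so every candidate is checked against one
    extra encryption before it is accepted.
    Returns ((K1, K2), steps) on success, or (None, SIZE) after a full sweep.
    """
    rng = random.Random(seed)
    check = rng.randrange(SIZE)              # third plaintext used only to verify
    y_check = oracle(check)
    targets = {}                             # ciphertext difference -> (x, E(x))
    for _ in range(d):
        x = rng.randrange(SIZE)
        y0 = oracle(x)
        targets[y0 ^ oracle(x ^ delta)] = (x, y0)
    order = list(range(SIZE))
    rng.shuffle(order)                       # sweep P in a random order
    for steps, v in enumerate(order, start=1):
        hit = targets.get(perm[v] ^ perm[v ^ delta])
        if hit is None:
            continue
        x, y0 = hit
        k1, k2 = x ^ v, y0 ^ perm[v]
        if em_encrypt(perm, k1, k2, check) == y_check:
            return (k1, k2), steps
    return None, SIZE


if __name__ == "__main__":
    P = make_permutation()
    K1, K2 = 0xBEEF, 0x1337                  # secrets known only to the oracle
    oracle = lambda x: em_encrypt(P, K1, K2, x)
    for d in (1, 16, 256):
        key, steps = recover_key(P, oracle, d=d)
        print(f"d={d:4d} pairs -> correct={key == (K1, K2)} after {steps} steps of P")
```

Each "step" examines one position v of the public permutation (and its partner v XOR delta); in the single-key setting the attacker can keep buying data to shrink the offline work, which is the degradation the Mouha-Luykx paper revisits for the case where each key encrypts only a handful of blocks.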

Understanding RUP Integrity of COLM

Nilanjan Datta, Atul Luykx, Bart Mennink, Mridul Nandi
2017 IACR Transactions on Symmetric Cryptology  
The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA's XOR mixing. Then we present a nonce-misusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we can extend the previous forgery to be nonce-respecting.
doi:10.46586/tosc.v2017.i2.143-161 fatcat:an4sxv7v5nby5ckmkzy6docv7a

Parallelizable and Authenticated Online Ciphers [chapter]

Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Elmar Tischhauser, Kan Yasuda
2013 Lecture Notes in Computer Science  
Online ciphers encrypt an arbitrary number of plaintext blocks and output ciphertext blocks which only depend on the preceding plaintext blocks. All online ciphers proposed so far are essentially serial, which significantly limits their performance on parallel architectures such as modern general-purpose CPUs or dedicated hardware. We propose the first parallelizable online cipher, COPE. It performs two calls to the underlying block cipher per plaintext block and is fully parallelizable in both encryption and decryption. COPE is proven secure against chosen-plaintext attacks assuming the underlying block cipher is a strong PRP. We then extend COPE to create COPA, the first parallelizable, online authenticated cipher with nonce-misuse resistance. COPA only requires two extra block cipher calls to provide integrity. The privacy and integrity of the scheme is proven secure assuming the underlying block cipher is a strong PRP. Our implementation with Intel AES-NI on a Sandy Bridge CPU architecture shows that both COPE and COPA are about 5 times faster than their closest competition: TC1, TC3, and McOE-G. This high factor of advantage emphasizes the paramount role of parallelizability on up-to-date computing platforms.
doi:10.1007/978-3-642-42033-7_22 fatcat:gebtjfht55fxti3yqflwhoafnu

Security Analysis of BLAKE2's Modes of Operation

Atul Luykx, Bart Mennink, Samuel Neves
2016 IACR Transactions on Symmetric Cryptology  
We adopt the model of Mouha and Luykx [ML15] to PRF-security. We refer to Bellare et al. [BBT16] for a more general discussion on multi-key security of PRFs.  ... 
doi:10.46586/tosc.v2016.i1.158-176 fatcat:nvk3lsi3ifenrbjhrhjbycctju

Provable Security of BLAKE with Non-ideal Compression Function [chapter]

Elena Andreeva, Atul Luykx, Bart Mennink
2013 Lecture Notes in Computer Science  
We analyze the security of the SHA-3 finalist BLAKE. The BLAKE hash function follows the HAIFA design methodology, and as such it achieves optimal preimage, second preimage and collision resistance, and is indifferentiable from a random oracle up to approximately 2^{n/2} queries assuming the underlying compression function is ideal. In our work we show, however, that the compression function employed by BLAKE exhibits non-random behavior and is in fact differentiable in only 2^{n/4} queries. Our attack on the indifferentiability of the BLAKE compression function undermines the provable security strength of BLAKE not only with respect to its overall indifferentiability, but also its collision and (second) preimage security in the ideal model. Our next contribution is the restoration of the security results for BLAKE in the ideal model by refining the level of modularity and assuming that BLAKE's underlying block cipher is an ideal cipher. We prove that BLAKE is optimally collision, second preimage, and preimage secure (up to a constant). We go on to show that BLAKE is still indifferentiable from a random oracle up to the old bound of 2^{n/2} queries, albeit under a weaker assumption: the ideality of its block cipher.
doi:10.1007/978-3-642-35999-6_21 fatcat:utn5dn5atvhdvdgbuq4ag6hbky

Beyond Conventional Security in Sponge-Based Authenticated Encryption Modes

Philipp Jovanovic, Atul Luykx, Bart Mennink, Yu Sasaki, Kan Yasuda
2018 Journal of Cryptology  
The Sponge function is known to achieve 2^{c/2} security, where c is its capacity. This bound was carried over to its keyed variants, such as SpongeWrap, to achieve a min{2^{c/2}, 2^κ} security bound, with κ the key length. Similarly, many CAESAR competition submissions were designed to comply with the classical 2^{c/2} security bound. We show that Sponge-based constructions for authenticated encryption can achieve the significantly higher bound of min{2^{b/2}, 2^c, 2^κ}, with b > c the permutation size, by proving that the CAESAR submission NORX achieves this bound. The proof relies on rigorous computation of multi-collision probabilities, which may be of independent interest. We additionally derive a generic attack based on multi-collisions that matches the bound. We show how to apply the proof to five other Sponge-based CAESAR submissions: Ascon, CBEAM/STRIBOB, ICEPOLE, Keyak, and two out of the three PRIMATEs. A direct application of the result shows that the parameter choices of some of these submissions are overly conservative. Simple tweaks render the schemes considerably more efficient without sacrificing security. We finally consider the remaining one of the three PRIMATEs, APE, and derive a blockwise adaptive attack in the nonce-respecting setting with complexity 2^{c/2}, therewith demonstrating that the techniques cannot be applied to APE.
doi:10.1007/s00145-018-9299-7 fatcat:jqdqmvr2wnec3ip5qy5gmy3hl4

Connecting tweakable and multi-key blockcipher security

Jooyoung Lee, Atul Luykx, Bart Mennink, Kazuhiko Minematsu
2017 Designs, Codes and Cryptography  
Multi-Key Security. Mouha and Luykx [ML15] formalized the notion of multi-key security of blockciphers, and applied it to one round of Even-Mansour (cf. Section 5.1).  ...  While earlier definitions, including Mouha and Luykx [ML15], only considered independent, uniformly generated keys, we introduce KDFs in the definition of multi-key security, and say that the combination  ... 
doi:10.1007/s10623-017-0347-3 fatcat:slpezhutubfhllxafjxo7pwsvm

Efficient Length Doubling From Tweakable Block Ciphers

Yu Long Chen, Atul Luykx, Bart Mennink, Bart Preneel
2017 IACR Transactions on Symmetric Cryptology  
Atul Luykx is supported by a Fellowship from the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen) and in part by NSF grants CNS-1314885 and CNS-1717542  ... 
doi:10.46586/tosc.v2017.i3.253-270 fatcat:ccaqbjztgzex5fsasx2qwvtw6u