APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography

Andreeva, Elena; Bilgin, Begül; Bogdanov, Andrey; Luykx, Atul; Mennink, Bart; Mouha, Nicky; Yasuda, Kan

doi:10.1007/978-3-662-46706-0_9

Cited by 49 publications

(75 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We show that McOE-G [23] achieves PA1 if the plaintext is padded so that the ciphertext becomes twice as long. We also prove that APE [2], an online deterministic AE scheme with offline decryption, achieves PA1.…”

Section: Analysis Of Authenticated Encryption Schemesmentioning

confidence: 86%

“…E for integral associated data and message blocks is given in Fig. 4; we refer to [2] for a formal specification.…”

Section: Discussionmentioning

confidence: 99%

“…, M 1 R ← R. We focus on information-theoretic adversaries D with additional forward and inverse access to the underlying primitives p, p −1 . The proof borrows ideas from APE's original privacy and authenticity proof [2]. Particularly, we again perform a PRP-PRF switch to replace the permutation by random functions (f, f −1 ), which provide a random answer from R × C to every new query, and abort if this leads to a collision.…”

Section: Discussionmentioning

confidence: 99%

“…Online Scheme PA1 PA2 Remark random CTR, CBC [35] nonce OCB [39] GCM [33], SpongeWrap [16] CCM [47] not online [41] arbitrary COPA [3] privacy up to prefix McOE-G [23] ′′ APE [2] ′′, backwards decryption SIV [40], BTM [27], HBS [28] privacy up to repetition Encode-then-Encipher [12] ′′, VIL SPRP, padding…”

Section: Typementioning

confidence: 99%

“…If we do not require the decryption to be online, then we can achieve PA1 without significant ciphertext expansion. An example of a scheme that falls into this category is the recently-introduced APE mode [2], whose decryption is backward (and hence not online). See App.…”

Section: ⊓ ⊔mentioning

confidence: 99%

See 4 more Smart Citations

How to Securely Release Unverified Plaintext in Authenticated Encryption

Andreeva

Bogdanov

Luykx

et al. 2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle without the secret key. Releasing unverified plaintext then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity of ciphertexts, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes.

show abstract

Section: Analysis Of Authenticated Encryption Schemesmentioning

confidence: 86%

“…E for integral associated data and message blocks is given in Fig. 4; we refer to [2] for a formal specification.…”

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Typementioning

confidence: 99%

Section: ⊓ ⊔mentioning

confidence: 99%

See 3 more Smart Citations

How to Securely Release Unverified Plaintext in Authenticated Encryption

Andreeva

Bogdanov

Luykx

et al. 2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

A simple authentication encryption scheme

Mazumder

Miyaji

2017

Concurrency and Computation

View full text Add to dashboard Cite

An authentication encryption (AE) scheme satisfies to transfer an authenticated data between 2 parties or more. There are vast applications of the AE such as access control, encryption, enhancing trust between multiple parties, and assure the originality of a message. However, the main challenge of the AE is to maintain low-cost features for its construction. Furthermore, there is another emerging issue of Internet of Things (IoT) in the field of data and network communication.The numbers of application of the IoT are increasing expeditiously, where various kinds of device have been used such as IoT-end device, constrained device, and RfID. Moreover, the main challenge of the IoT-end devices and resource constrained devices is to keep a certain level of security bound including minimum cost. However, the IoT-end devices, resource constrained devices, and RfID have lack of resources such as memory, power, and processors. Interestingly, the AE can play a vital role between data acquisition (sensors, actuators) and data aggregation of usual platform of the IoT. Thus, the construction of the AE should satisfy the properties of low-cost, least resources, and less operating-time. Though, there are many familiar constructions of AE such as OTR, McOE, POE, OAE, APE, COPE, CLOC, and SILK but most of the schemes depend on the features of nonce and associate data. In the aspect of security, the usage of nonce and associated data are adequate.However, these 2 features increase the overhead cost. Therefore, we propose a simple construction of IV-based AE where blockcipher compression function is used as encryption function. Our proposed scheme's efficiency-rate is 1 with reasonable privacy-security bound. In addition, it can encrypt arbitrary length of message in each iteration without padding.

show abstract

Quantum Key Recovery Attacks On Prøst‐COPA and Prøst‐OTR Using Simon's Algorithm

Liu,

Zhang

2024

Adv Quantum Tech

View full text Add to dashboard Cite

Due to its innovative and performance advantages, Prøst‐COPA and Prøst‐OTR have attracted widespread attention. For the Prøst‐COPA without associated data and with associated data, the corresponding quantum key recovery attacks are proposed using Simon's algorithm, respectively. In the first scenario, the messages are used to calculate the Message Authentication Code (MAC) and construct a period function to recover the secret parameter . Then, utilizing ciphertext, a periodic function is constructed with a periodic value equal to the key value. MAC is calculated from messages and the associated data in the second scenario. Considering the impact of the associated data on the periodicity of the function, the messages are treated as a constant and further construct two periodic functions to recover the secret parameter and the key. For Prøst‐OTR, by constructing two periodic functions using two tags with different numbers of message blocks, the secret parameter can be recovered, and then the key can be recovered using Simon's algorithm. Compared to the classical attacks, the quantum‐based methods only require quantum queries (where is the message block size), resulting in an exponential speed acceleration and the success probability of the method is close to 1. These methods also show a lower query complexity than the state‐of‐the‐art quantum methods.

show abstract

APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography

Cited by 49 publications

References 25 publications

How to Securely Release Unverified Plaintext in Authenticated Encryption

How to Securely Release Unverified Plaintext in Authenticated Encryption

A simple authentication encryption scheme

Quantum Key Recovery Attacks On Prøst‐COPA and Prøst‐OTR Using Simon's Algorithm

Contact Info

Product

Resources

About