Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers

Chakraborti, Avik; Datta, Nilanjan; Nandi, Mridul; Yasuda, Kan

doi:10.46586/tches.v2018.i2.218-241

Cited by 48 publications

(31 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…With the advent of public permutation based designs and the efficiencies of evaluating it in the forward direction, numerous public permutation based inverse-free hash and au- However, most of the permutation based cryptographic schemes generally provide lower security bound with respect to the permutation state size. For example, most of the spongebased modes, in general, provides c/2 bits of security (exceptions are [CDNY18,DMA17]), where c < b is the capacity part of the permutation, and b is its total state size. Nevertheless, the state size of a permutation is typically larger than the block size of a message (e.g., state size of KECCAK is 1600 bits), allowing the adequacy of the birthday bound in practice.…”

Section: Permutation Based Cryptographymentioning

confidence: 99%

Permutation Based EDM: An Inverse Free BBB Secure PRF

Dutta¹,

Nandi

Talnikar

2021

ToSC

Self Cite

View full text Add to dashboard Cite

In CRYPTO 2019, Chen et al. have initiated an interesting research direction in designing PRF based on public permutations. They have proposed two beyond the birthday bound secure n-bit to n-bit PRF constructions, i.e., SoEM22 and SoKAC21, which are built on public permutations, where n is the size of the permutation. However, both of their constructions require two independent instances of public permutations. In FSE 2020, Chakraborti et al. have proposed a single public permutation based n-bit to n-bit beyond the birthday bound secure PRF, which they refer to as PDMMAC. Although the construction is minimal in the number of permutations, it requires the inverse call of its underlying permutation in their design. Coming up with a beyond the birthday bound secure public permutation based n-bit to n-bit PRF with a single permutation and two forward calls was left as an open problem in their paper. In this work, we propose pEDM, a single permutation based n-bit to n-bit PRF with two calls that do not require invertibility of the permutation. We have shown that our construction is secured against all adaptive information-theoretic distinguishers that make roughly up to 22n/3 construction and primitive queries. Moreover, we have also shown a matching attack with similar query complexity that establishes the tightness of our security bound.

show abstract

Section: Permutation Based Cryptographymentioning

confidence: 99%

Permutation Based EDM: An Inverse Free BBB Secure PRF

Dutta¹,

Nandi

Talnikar

2021

ToSC

Self Cite

View full text Add to dashboard Cite

show abstract

“…With the rises of the smart home, IoT, and 5G/B5G networks, lightweight authenticated encryption (AE) modes are attracting more and more attentions [20][21][22]. A lightweight AE mode is a lightweight symmetric-key cipher which supports the services of privacy and authenticity of the sensitive data in the devices.…”

Section: Application To Lightweight Authenticated Encryptionmentioning

confidence: 99%

“…Combining equations ( 19) and (20), it is easy to draw the result of eorem 2. According to eorem 2, we can find that these lightweight AE modes ensure about min b/2, c, k − log μ -bit AEsecurity.…”

Section: Application To Lightweight Authenticated Encryptionmentioning

confidence: 99%

Minimizing Key Materials: The Even–Mansour Cipher Revisited and Its Application to Lightweight Authenticated Encryption

Zhang

Yuan

2020

Security and Communication Networks

View full text Add to dashboard Cite

The Even–Mansour cipher has been widely used in block ciphers and lightweight symmetric-key ciphers because of its simple structure and strict provable security. Its research has been a hot topic in cryptography. This paper focuses on the problem to minimize the key material of the Even–Mansour cipher while its security bound remains essentially the same. We introduce four structures of the Even–Mansour cipher with a short key and derive their security by Patarin’s H-coefficients technique. These four structures are proven secure up to O˜2k/μ adversarial queries, where k is the bit length of the key material and μ is the maximal multiplicity. Then, we apply them to lightweight authenticated encryption modes and prove their security up to about minb/2,c,k−log μ-bit adversarial queries, where b is the size of the permutation and c is the capacity of the permutation. Finally, we leave it as an open problem to settle the security of the t-round iterated Even–Mansour cipher with short keys.

show abstract

“…For the first-order TI, we need bits of the register size. Beetle [ 14 ], a recently proposed design, is provably security up to . To ensure s -bit security, we basically balance r and c to s bits for the second term, but slightly increases c to compensate ‘ ’ in the first term.…”

Section: Introductionmentioning

confidence: 99%

“…Without TI, permutation based schemes achieve the smallest state size by using a small rate, while with TI, TBC based schemes in particular outperform the others. base BC Permutation TBC example mode reference SAEB [ 33 ] Duplex [ 12 , 28 ] Beetle [ 14 ] PFB,Romulus [ 26 , 34 ] Ours Ours w/o TI data block 2 s s 0.5 s key s s s s s s tweak − − − s s s extra state − − − − 0.5 s total 3 s 3 s 3 s 3 s TI protect key …”

Section: Introductionmentioning

confidence: 99%

Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

Naito

Sasaki

Sugawara

2020

Advances in Cryptology – EUROCRYPT 2020

View full text Add to dashboard Cite

This paper proposes tweakable block cipher (TBC) based modes and that are efficient in threshold implementations (TI). Let t be an algebraic degree of a target function, e.g. (resp. ) for linear (resp. non-linear) function. The d -th order TI encodes the internal state into shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC based modes can be smaller than block cipher (BC) based modes in TI because TBC requires s -bit block to ensure s -bit security, e.g. PFB and Romulus, while BC requires 2 s -bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of s -bit state with and the first-order TI ( ). Our first design aims to break the barrier of the 3 s -bit state in TI. The block size of an underlying TBC is s /2 bits and the output of TBC is linearly expanded to s bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size 2.5 s bits. We also provide rigorous security proof of . Our second design further increases a parameter : a ratio of the security level s to the block size of an underlying TBC. We prove security of for any under some assumptions for an underlying TBC and for parameters used to update a state. Next, we show a concrete instantiation of for 128-bit security. It requires a TBC with 64-bit block, 128-bit key and 128-bit tweak, while no existing TBC can support it. We design a new TBC by extending SKINNY and provide basic security evaluation. Finally, we give hardware benchmarks of in the first-order TI to show that TI of is smaller than that of PFB by more than one thousand gates and is the smallest within the schemes having 128-bit security.

show abstract

Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers

Cited by 48 publications

References 8 publications

Permutation Based EDM: An Inverse Free BBB Secure PRF

Permutation Based EDM: An Inverse Free BBB Secure PRF

Minimizing Key Materials: The Even–Mansour Cipher Revisited and Its Application to Lightweight Authenticated Encryption

Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

Contact Info

Product

Resources

About