ELmE: A Misuse Resistant Parallel Authenticated Encryption

Datta, Nilanjan; Nandi, Mridul

doi:10.1007/978-3-319-08344-5_20

Cited by 22 publications

(14 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…5.4, establishing a 2 rn/(r +1) bound for any r , as long as the universal hash function is replaced by a uniform random function, and the adversaries use a limited number of tweaks. In applications where the number of tweaks can be limited to a small number, as might, for example, be the case in certain authenticated encryption schemes [2,26,68], our newly obtained bound on TEM[r ] improves over the state of the art, and even solves the conjecture by Cogliati et al in 2015 [21] for the specific case of uniformly random masking. The replacement of the universal hash function by a uniform random function may in certain settings by a burden, but this condition allows us to make a first step towards solving this conjecture for general masking.…”

Section: Application To Even-mansour and Tweakable Even-mansoursupporting

confidence: 54%

See 1 more Smart Citation

Connecting tweakable and multi-key blockcipher security

Lee

Luykx

Mennink

et al. 2017

Des. Codes Cryptogr.

View full text Add to dashboard Cite

The significance of understanding blockcipher security in the multi-key setting is highlighted by the extensive literature on attacks, and how effective key size can be significantly reduced. Nevertheless, little attention has been paid in formally understanding the design of multi-key secure blockciphers. In this work, we formalize the multi-key security of tweakable blockciphers in case of general key derivation functions. We show an equivalence between blockcipher multi-key security and tweakable blockcipher security. Our equivalence connects two objects of study, the iterated Even-Mansour (EUROCRYPT 2012) and the iterated Tweakable Even-Mansour (CRYPTO 2015), which establishes that results in both areas are, to a certain extent, transferable. Using our novel equivalence relation, we derive new bounds for both constructions, pave the path towards the solution of two wellstudied conjectures, and show that, contrary to common knowledge, key derivation functions need not necessarily be pseudorandom functions in order to provide security: for the iterated Even-Mansour universal hash functions suffice.

show abstract

Section: Application To Even-mansour and Tweakable Even-mansoursupporting

confidence: 54%

“…On the one hand, the parameter often plays a significant role in the security bounds, while on the other hand, the values and are often close to each other, and differ at most by a multiplicative constant. For example, for COPA [2], ELmE [26], and SCT [68], we have ≈ 2 .…”

Section: Blockciphers and Tweakable Blockciphersmentioning

confidence: 99%

Connecting tweakable and multi-key blockcipher security

Lee

Luykx

Mennink

et al. 2017

Des. Codes Cryptogr.

View full text Add to dashboard Cite

show abstract

“…This step usually costs Adv srkprp Φ,E (D), where D is some strong related-key PRP distinguisher with a certain amount of resources, usually q queries to the keyed oracle E φ(k) and τ time, and Φ is the set of related-key deriving functions φ that D is allowed to choose. This reduction is in fact also broadly used beyond the area of tweakable blockciphers, such as in authenticated encryption schemes [1,3,11,21,28,33,37,44,50,51] and message authentication codes [4,13,16,24,29,30,41,47,[57][58][59], and in fact, we are not aware of any security result of a construction based on a standard-model blockcipher that uses a structurally different approach. Inspired by this, we investigate what level of tweakable blockcipher security can be achieved if this proof technique is employed.…”

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

Abstract. Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key input to the underlying blockcipher. In the former direction, the best possible security is conjectured to be 2 σn/(σ+1) , where n is the size of the blockcipher and σ is the number of blockcipher calls. In the latter direction, Mennink and Wang et al. presented optimally secure schemes, but only in the ideal cipher model. We investigate the possibility to construct a tweak-rekeyable cipher that achieves optimal security in the standard cipher model. As a first step, we note that all standard-model security results in literature implicitly rely on a generic standard-to-ideal transformation, that replaces all keyed blockcipher calls by random secret permutations, at the cost of the security of the blockcipher. Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if 2 σn/(σ+1) is the best one can get without tweak-rekeying, optimal 2 n provable security with tweak-rekeying is impossible.

show abstract

“…Such constructions are very efficient as it doesn't use any non-linear functions and the mode is parallelizable. Infact some of the existing constructions like ELmE [2] and COPA [1] uses this kind of structure (EME with Olmix) as the underlying structure to make the construction online, fully pipelined implementable.…”

Section: Application Of Our Resultmentioning

confidence: 99%

Characterization of EME with Linear Mixing

Datta

Nandi

2014

Advances in Information and Computer Security

Self Cite

View full text Add to dashboard Cite

Abstract. Encrypt-Mix-Encrypt is a type of SPRP based construction, where a masked plaintext is encrypted in ECB mode of, then a non-linear mixing is performed and then again an encryption is performed in ECB mode which is masked to produce the ciphertext. Using the property of the binary field, the authors proved that the construction is not SPRP secure if the mixing used is linear. In this paper, we observe that relaxing the mixing operation to some specific efficient linear mixing provides the PRP property of the construction. Moreover choosing a linear mixing that gives the online property is not a difficult task. We can use this fact to construct an efficient Online PRP using Encrypt-Mix-Encrypt type of construction with the mix operation being a linear online mixing, making the construction efficient and online. We also show that the construction with linear mixing doesn't provide SPRP security even if we perform all the operations in a prime field instead of binary field. Thus, we fully characterize EME with linear mixing.

show abstract

ELmE: A Misuse Resistant Parallel Authenticated Encryption

Cited by 22 publications

References 33 publications

Connecting tweakable and multi-key blockcipher security

Connecting tweakable and multi-key blockcipher security

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Characterization of EME with Linear Mixing

Contact Info

Product

Resources

About