×

Duplexing the sponge: Single-pass authenticated encryption and other applications. (English) Zbl 1292.94030

Miri, Ali (ed.) et al., Selected areas in cryptography. 18th international workshop, SAC 2011, Toronto, ON, Canada, August 11–12, 2011. Revised selected papers. Berlin: Springer (ISBN 978-3-642-28495-3/pbk). Lecture Notes in Computer Science 7118, 320-337 (2012).
Summary: This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and-at no extra cost-provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against single-stage generic attacks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as a reseedable pseudo-random bit sequence generators and a sponge variant that overwrites part of the state with the input block rather than to XOR it in.
For the entire collection see [Zbl 1234.94005].

MSC:

94A60 Cryptography

Software:

Grain; Quark; Keccak; spongent
PDFBibTeX XMLCite
Full Text: DOI

References:

[1] Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A lightweight hash. In: Mangard and Standaert [20], pp. 1–15 · Zbl 1297.94043 · doi:10.1007/978-3-642-15031-9_1
[2] Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000) · Zbl 0973.68059 · doi:10.1007/3-540-44448-3_41
[3] Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM (ed.) ACM Conference on Computer and Communications Security 1993, pp. 62–73 (1993) · doi:10.1145/168588.168596
[4] Bellare, M., Yee, B.: Forward-security in private-key cryptography. Cryptology ePrint Archive, Report 2001/035 (2001), http://eprint.iacr.org/
[5] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop (May 2007), public comment to NIST, from http://www.csrc.nist.gov/pki/HashWorkshop/Public_Comments/2007_May.html · Zbl 1149.94304
[6] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the Indifferentiability of the Sponge Construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008), http://sponge.noekeon.org/ · Zbl 1149.94304 · doi:10.1007/978-3-540-78967-3_11
[7] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard and Standaert [20], pp. 33–47 · Zbl 1297.94050 · doi:10.1007/978-3-642-15031-9_3
[8] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. Cryptology ePrint Archive, Report 2011/499 (2011), http://eprint.iacr.org/ · Zbl 1292.94030
[9] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop (SKEW) (February 2011) · Zbl 1149.94304
[10] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The keccak reference (January 2011), http://keccak.noekeon.org/ · Zbl 1306.94028
[11] Biryukov, A. (ed.): FSE 2007. LNCS, vol. 4593. Springer, Heidelberg (2007) · Zbl 1143.68002
[12] Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: A Lightweight Hash Function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011) · Zbl 05954906 · doi:10.1007/978-3-642-23951-9_21
[13] Desai, A., Hevia, A., Yin, Y.L.: A Practice-Oriented Treatment of Pseudorandom Number Generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 368–383. Springer, Heidelberg (2002) · Zbl 1056.94513 · doi:10.1007/3-540-46035-7_24
[14] Dworkin, M.: Request for review of key wrap algorithms. Cryptology ePrint Archive, Report 2004/340 (2004), http://eprint.iacr.org/
[15] ECRYPT Network of excellence, The SHA-3 Zoo (2011), http://ehash.iaik.tugraz.at/index.php/The_SHA-3_Zoo
[16] Ferguson, N., Whiting, D., Schneier, B., Kelsey, J., Lucks, S., Kohno, T.: Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 330–346. Springer, Heidelberg (2003) · Zbl 1254.68115 · doi:10.1007/978-3-540-39887-5_24
[17] Gorski, M., Lucks, S., Peyrin, T.: Slide Attacks on a Class of Hash Functions. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 143–160. Springer, Heidelberg (2008) · Zbl 1206.94067 · doi:10.1007/978-3-540-89255-7_10
[18] Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011) · Zbl 1287.94069 · doi:10.1007/978-3-642-22792-9_13
[19] Knudsen, L., Rechberger, C., Thomsen, S.: The Grindahl hash functions. In: Biryukov [11], pp. 39–57 · Zbl 1186.94456 · doi:10.1007/978-3-540-74619-5_3
[20] Mangard, S., Standaert, F.-X. (eds.): CHES 2010. LNCS, vol. 6225. Springer, Heidelberg (2010) · Zbl 1193.68012
[21] Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004) · Zbl 1197.94196 · doi:10.1007/978-3-540-24638-1_2
[22] Muller, F.: Differential attacks against the Helix stream cipher. In: Roy and Meier [30], pp. 94–108 · Zbl 1079.68557 · doi:10.1007/978-3-540-25937-4_7
[23] NIST, AES key wrap specification (November 2001)
[24] Paul, S., Preneel, B.: Solving Systems of Differential Equations of Addition. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 75–88. Springer, Heidelberg (2005) · Zbl 1127.94354 · doi:10.1007/11506157_7
[25] Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with Composition: Limitations of the Indifferentiability Framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011) · Zbl 1290.94155 · doi:10.1007/978-3-642-20465-4_27
[26] Rogaway, P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security 2002 (CCS 2002), pp. 98–107. ACM Press (2002) · doi:10.1145/586110.586125
[27] Rogaway, P., Bellare, M., Black, J.: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 6(3), 365–403 (2003) · Zbl 05453902 · doi:10.1145/937527.937529
[28] Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption. In: CCS 2001: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 196–205. ACM, New York (2001)
[29] Rogaway, P., Shrimpton, T.: A Provable-Security Treatment of the Key-Wrap Problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006) · Zbl 1140.94369 · doi:10.1007/11761679_23
[30] Roy, B., Meier, W. (eds.): FSE 2004. LNCS, vol. 3017. Springer, Heidelberg (2004) · Zbl 1051.68023
[31] Whiting, D., Schneier, B., Lucks, S., Muller, F.: Fast encryption and authentication in a single cryptographic primitive, ECRYPT Stream Cipher Project Report 2005/027 (2005), http://www.ecrypt.eu.org/stream/phelixp2.html
[32] Wu, H., Preneel, B.: Differential-linear attacks against the stream cipher Phelix. In: Biryukov [11], pp. 87–100 · Zbl 1186.94475 · doi:10.1007/978-3-540-74619-5_6
[33] Ågren, M., Hell, M., Johansson, T., Meier, W.: A new version of Grain-128 with authentication. In: Symmetric Key Encryption Workshop, SKEW (February 2011)
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.