Beyond Conventional Security in Sponge-Based Authenticated Encryption Modes
Beyond Conventional Security in Sponge-Based Authenticated Encryption Modes
Philipp Jovanovic Decentralized 0
Distributed Systems Lab 0
École polytechnique fédérale de Lausanne 0
Lausanne 0
Switzerland 0
Atul Luykx Visa Research 0
Palo Alto 0
USA 0
Yu Sasaki 0
Kan Yasuda NTT Secure Platform Laboratories 0
Tokyo 0
0 Bart Mennink Digital Security Group, Radboud University , Nijmegen , The Netherlands
The Sponge function is known to achieve 2c/2 security, where c is its capacity. This bound was carried over to its keyed variants, such as SpongeWrap, to achieve a min{2c/2, 2κ } security bound, with κ the key length. Similarly, many CAESAR competition submissions were designed to comply with the classical 2c/2 security bound. We show that Sponge-based constructions for authenticated encryption can achieve the significantly higher bound of min{2b/2, 2c, 2κ }, with b > c the permutation size, by proving that the CAESAR submission NORX achieves this bound. The proof relies on rigorous computation of multi-collision probabilities, which may be of independent interest. We additionally derive a generic attack based on multi-collisions that matches the bound. We show how to apply the proof to five other Sponge-based CAESAR submissions: Ascon, CBEAM/STRIBOB, ICEPOLE, Keyak, and two out of the three PRIMATEs. A direct application of the result shows that the parameter choices of some of these submissions are overly conservative. Simple tweaks render the schemes considerably more efficient without sacrificing security. We finally consider the remaining one of the three PRIMATEs, APE, and derive a blockwise adaptive attack in the noncerespecting setting with complexity 2c/2, therewith demonstrating that the techniques cannot be applied to APE.
Authenticated encryption; CAESAR; Ascon; CBEAM; ICEPOLE; Keyak; NORX; PRIMATEs; STRIBOB; Multi-collisions
1. Introduction
Authenticated encryption schemes, cryptographic functions that aim to simultaneously
provide data privacy and integrity, have gained renewed attention in light of the CAESAR
competition [
25
]. A common approach to building such schemes is to design a block
cipher mode of operation, as in CCM [95], OCB1-3 [
55,78,79
], EAX [
14
], GCM [
57
],
COPA [
5
], OTR [
63
], AEZ [
48
], and SCT [
72
]. Nevertheless a significant fraction of the
CAESAR competition submissions use modes of operation for permutations.
Most of the permutation-based modes follow the basic Sponge design [
16
]: a state
is maintained and regularly updated using a permutation. The state is divided into an
outer part of r bits, through which the user enters or extracts data, and an inner part of c
bits, which is out of the user’s control. The rate r determines how much plaintext can be
processed per permutation call, which gives an estimate of the algorithm’s performance.
Keccak, the eventual winner of the competition and now standardized as SHA-3 [
35
],
internally uses the Sponge construction. The Sponge design also found adoption in the
field of lightweight hash functions [
24,45
].
Security of the Sponge construction as a hash function follows from the fact that
the user can only affect the outer state, hence adversaries only succeed with significant
probability if they make on the order of 2c/2 permutation queries, as this many are
needed to produce an inner state collision [
16
]. Bertoni et al. [
17
] proved tightness of
this bound in the indifferentiability framework of Maurer et al. [
56
]. Keyed versions of
the Sponge construction, such as KeyedSponge [
20
] and SpongeWrap [
19
], are proven
up to a similar bound of 2c−a (pseudorandom function security for the former and
privacy and authenticity for the latter), assuming a limit of 2a on online complexity,
but are additionally restricted by the key size κ to 2κ . The permutation-based CAESAR
candidates are no exception and recommend parameters based on either the 2c/2 or 2c−a
bound, as shown in Table 1.
1.1. Beyond Conventional Security
Contrary to intuition, a wide range of permutation-based authenticated
encryption schemes actually achieve significantly higher mode security: the privacy and
authenticity bound on the total complexity can be improved from min{2c/2, 2κ } to
min{2(r+c)/2, 2c, 2κ }. Intuitively, the improvement demonstrates that, in the
noncerespecting setting, inner collisions are not relevant to the adversary; only full state
collisions are. We remark that in the nonce-reuse scenario [
37,80
] the privacy of the
scheme can be broken [19], and for authenticity the old bounds hold at best.
The main proof in this work concerns NORX mode v1 and v2 [
7,8
], but we demonstrate
its applicability to the CAESAR submissions Ascon v1 and v1.1 [
33,34
], CBEAM v1
[
83,84
],1 ICEPOLE v1 and v2 [
65,66
], Keyak v1 [
22
],2 two out of three PRIMATEs v1
and v1.02 [
2,3
], and STRIBOB v1 and v2 [
81,85,86
].3 Additionally, we note that it
1CBEAM was withdrawn after an attack by Minaud [62], but we focus on modes of operation.
2Keyak v2 follows a different design approach.
3Both CBEAM and STRIBOB use the BLNK Sponge mode [
82
].
We remark that ICEPOLE v1,v2 consists of three configurations (two with security level 128 and one with
security level 256) and Keyak v1 of four configurations (one with an 800-bit state and three with a 1600-bit
state)
directly applies to SpongeWrap [
19
] and DuplexWrap [
22
], upon which Keyak v1 is
built.
Our results imply that the initial submissions of these CAESAR candidates were
overly conservative in choosing their parameters, since reducing c would have lead to
the same bound. For instance, Ascon-128 could take (c, r ) = (128, 192) instead of
(256, 64), NORX64 (the proposed mode with 256-bit security) could increase its rate
by 128 bits, and GIBBON-120 and HANUMAN-120 could increase their rate by a factor
of 4, without affecting their mode security levels.
These observations only concern the mode security, where characteristics of the
underlying permutation are set aside. Specifically, the concrete security of the
underlying permutations plays a fundamental role in the choice of parameters. For instance,
the authors of Ascon [
33,34
], NORX [
7,8
], and PRIMATEs [
2,3
] acknowledge that
non-random properties of some of the underlying primitives exist. Furthermore, the
authenticity bound degrades as a function of the number of forgery attempts f :
min{2(r+c)/2, 2c/ f, 2κ }. In practical applications, the amount of forgery attempts may be
limited, but if this is not possible, caution must be taken. We refer to [75] for a discussion.
1.2. Tightness of the Result
The earlier version of this article by Jovanovic et al. [
53
] had a security bound of the
form min{2(r+c)/2, 2c/r, 2κ }, showing a security loss logarithmic relative to the rate.
This loss was, however, not justified by any existing attack; it arose as an artifact of
naively bounding the probability of a multi-collision occurring in the outer state, where
multiple evaluations of the underlying primitive map to the same outer value.
In this article, we thoroughly analyze multi-collisions and derive bounds on the size
of multi-collisions for various possible choices of r and c. Most importantly, we can
conclude that if r c or r c, multi-collisions have no effect on the security. If r ≈ c,
the security loss approaches log12.4cc−2 , as opposed to the factor r loss from [
53
]. We refer
to Table 2 for a comprehensive description of the bound. Note that for all schemes in
Table 1, r c or r c.
The rigorous analysis of multi-collisions relies on an application of Stirling’s
approximation and the Lambert W function. It is not only applicable to Sponge-based modes.
For example, there are quite a few cryptographic schemes that have been attacked
using multi-collisions, such as block-cipher-based hashing schemes [
73
], identification
schemes [
41
], JH hash function [
58
], MDC-2 hash function [
54
], HMAC and ChopMD
MAC [
68
], the LED block cipher [
70
], iterated Even-Mansour [
32
], and strengthened
HMAC [
88
]. Multi-collisions have also influenced various security upper bounds.
Typical examples are the indifferentiability proof for the ChopMD construction [
27
], the
collision resistance proof for the Lesamnta-LW hash function [
46
], and the
indistinguishability proof for RMAC [
52
], where the bound is O(2n/n) due to the existence
of n-collisions. The compression function proposed by Hirose et al. [
47
] has a similar
type of bound. Finally, the recent line of research on the keyed Sponge and Duplex
constructions [
6,18,20,26,31,38,60,69
] strongly relies on “multiplicities.” Some of these
security analyses can be improved using our rigorous analysis of multi-collisions.
For r < c, the old bound of [
53
] is dominated by 2(r+c)/2 and is in fact tight. The new
bound improves over the one of [
53
] for r ≥ c, and in this work we additionally show
that the new bound is tight for all possible choices of (r, c). To this end, we present a
multi-collision-based adversary that meets the bound proven in our analysis. The attack
is described for a generalized Sponge construction that covers CBEAM, ICEPOLE,
Keyak v1, NORX, and STRIBOB. Even for variants with the additional XOR of the
secret key at the end, (Ascon, GIBBON, and HANUMAN, see Fig. 4), a similar adversary
with slightly higher complexity can meet the bound. A comparison of the earlier bound
of [
53
], the new bound, and the attack complexity for the case of c = 256 and r ≥ c is
given in Fig. 1.
1.3. APE
One of the interesting questions triggered by the publication of [
53
] was regarding APE,
the third of the PRIMATEs. In more detail, the schemes listed in Table 1 are proven
to achieve a beyond 2c/2 security level against nonce-respecting adversaries, but the
schemes are insecure against nonce-misusing adversaries. In contrast, APE is proven to
achieve 2c/2 security in the nonce-reuse scenario [
4
], and it is of interest to investigate
what security guarantees APE offers against nonce-respecting adversaries. In this work,
we include an analysis of APE in this setting and show that there exists a nonce-respecting
blockwise adaptive adversary that can break the privacy with a total complexity of about
2c/2. In other words, while APE is more robust against nonce-misusing adversaries up
to common prefix, in the nonce-respecting setting the schemes listed in Table 1 achieve
higher security. (We remark that the analysis in this work can be easily extended to the
case of blockwise adaptive adversaries.)
3
5
2
1
5
2
t
i
b
(
e
t
a
R
>
=
m
o
c
m
m
i
1.4. Publication History and Subsequent Work
An extended abstract of this article has appeared in the proceedings of ASIACRYPT
2014 [
53
]. This article is the full version of [
53
], and additionally includes the proofs
that were absent in the proceedings version. New with respect to the full version of [
53
]
are
(i) a more rigorous analysis of multi-collisions and the therewith induced improved
security bound (Sect. 3),
(ii) the generic attack on Sponge-based authenticated encryption schemes
demonstrating tightness of the bound (Sect. 5),
(iii) a proof that, unlike the schemes of Table 1, APE does not achieve beyond 2c/2
security in the nonce-respecting setting (Sect. 7).
Parts (i) and (ii) are due to Sasaki and Yasuda [90], with whom we have collaborated to
combine their ideas for a complete analysis of the Sponge-based modes.
In response to the observations made in [
53
], the designers of Ascon and NORX have
reconsidered their parameter choices. The new parameter choices are also listed in Table 1
and testify of a significant security gain for Ascon v1.1 [
34
] without sacrificing efficiency,
and a significant efficiency gain for NORX v2 [
8
] without sacrificing security. The
adjustments will make the schemes faster and more competitive. Mihajloska et al. [
61
] recently
generalized the analysis of [
53
] to CAESAR submission π -Cipher [
42,43
], which is
structurally different from NORX in the way it maintains state: a so-called “common
internal state” is used throughout the evaluation.
From a more general perspective, the work has triggered analysis in the direction of
high-efficiency full-state keyed Duplexes [
31,60,89
]. The result of Mennink et al. [
60
]
on the full-state keyed Duplex has triggered the designers of Keyak to perform a major
revision to their scheme. In more detail, Keyak v2 [
23
] is built on top of the “Motorist”
mode, an alternative to the full-state keyed Duplex that was analyzed by Daemen et
al. [
31
]. We remark that the results on the full-state keyed Sponges and Duplexes are
more general than the target design in this work. The most important difference between
[
31,60
] and our work is that we explicitly target nonce-based designs, and this allows
for beyond 2c/2 security. The work has, to certain extent, furthermore triggered the use
of permutations for nonce-reuse secure authenticated encryption schemes [
29,44,59
]
beyond APE.
Parallel to the research on keyed Duplexes is the research on the keyed Sponges,
i.e., keyed versions of the Sponge that only aim for authenticity. Bertoni et al. [
18
]
introduced the original keyed Sponge. Chang et al. [
26
] suggested to put the key in the
inner part of the Sponge. Andreeva et al. [
6
] formalized and improved the analysis of the
outer- and inner-keyed sponges. The analysis was generalized to the full-state Sponge in
[
31,38,60,69
], following upon ideas that date back to the donkeySponge [21]. Beyond
authentication (and encryption), keyed versions of the Sponge have found applications
in reseedable pseudorandom sequence generation [
18,39
].
1.5. Outline
We present our security model in Sect. 2. In Sect. 3, we perform an in-depth analysis
of multi-collisions with respect to Sponges. A security proof for NORX is derived in
Sect. 4. Tightness of the bound is proven in Sect. 5. In Sect. 6, we show that the proof
of NORX generalizes to other CAESAR submissions, as well as to SpongeWrap and
DuplexWrap. We consider the security of APE against nonce-respecting adversaries in
Sect. 7. The work is concluded in Sect. 8, where we also discuss possible generalizations
to Artemia [
1
].
2. Security Model
For n ∈ N, let Perm(n) denote the set of all permutations on n bits. When writing
$
x ←− X for some finite set X , we mean that x gets sampled uniformly at random from
X . For x ∈ {0, 1}n, and a, b ≤ n, we denote by [x ]a and [x ]b the a leftmost and b
rightmost bits of x , respectively. For tuples ( j, k), ( j , k ) we use lexicographical order:
( j, k) > ( j , k ) means that j > j , or j = j and k > k .
Let Π be an authenticated encryption scheme, with an encryption function E and a
decryption function D, where
(C, A) ←− EK (N ; H, M, T )
and
M/⊥ ←− DK (N ; H, C, T ; A).
Here, N denotes a nonce value, H a header, M a message, C a ciphertext, T a trailer,
and A an authentication tag. The values (H, T ) will be referred to as associated data. If
verification is successful, then the decryption function DK outputs M , and ⊥ otherwise.
The scheme Π is also determined by a set of parameters such as the key size, state size,
and block size, but these are left implicit. In addition, we define $ to be an ideal version
of EK , where $ returns (C, A) ←−$ {0, 1}|M|+τ for every query (N ; H, M, T ).
We follow the convention in analyzing modes of operation for permutations by
modeling the underlying permutations as being drawn uniformly at random from Perm(b),
where b is a parameter determined by the scheme.
An adversary A is a probabilistic algorithm that has access to one or more oracles
O, denoted AO. By AO = 1 we denote the event that A, after interacting with O,
outputs 1. We consider adversaries A that have unbounded computational power and
whose complexity is solely measured by the number of queries made to their oracles.
These adversaries have query access to (i) the underlying idealized permutations, (ii)
EK or its counterpart $, and possibly (iii) DK . The key K is randomly drawn from
{0, 1}κ at the beginning of the security experiment. The security definitions below follow
[
11,37,51,77,80
].
Privacy
Let p denote a list of idealized permutations, which Π may depend on. We define the
advantage of an adversary A in breaking the privacy of Π as follows:
AdvpΠriv(A) = Prp,K
Ap±,EK = 1
− Prp,$ A
p±,$ = 1 ,
where the probabilities are taken over the random choices of p, $, K , and A, if any. The
fact that the adversary has access to both the forward and inverse permutations in p is
denoted by p±. We assume that adversary A is nonce-respecting, which means that it
never makes two queries to EK or $ with the same nonce. By AdvpΠriv(q p, qE , λE ) we
denote the maximum advantage taken over all adversaries that query p± at most q p times,
and that make at most qE queries of total length (over all queries) at most λE blocks to EK
or $. We remark that this privacy notion is also known as the indistinguishability under
chosen plaintext attack (IND-CPA) security of an (authenticated) encryption scheme.
Integrity
As above, let p denote the list of underlying idealized permutations of Π . We define the
advantage of an adversary A in breaking the integrity of Π as follows:
AdvaΠuth(A) = Prp,K
Ap±,EK ,DK forges ,
where the probability is taken over the random choices of p, K , and A, if any. We say
that “A forges” if DK ever returns a message other than ⊥ on input of (N ; H, C, T ; A)
where (C, A) has never been output by EK on input of a query (N ; H, M, T ) for some
M . We assume that adversary A is nonce-respecting, which means that it never makes
two queries to EK with the same nonce. Nevertheless, A is allowed to repeat nonces in
decryption queries. By AdvaΠuth(q p, qE , λE , qD, λD) we denote the maximum advantage
taken over all adversaries that query p± at most q p times, make at most qE queries of
total length (over all queries) at most λE blocks to EK , and at most qD queries of total
length at most λD blocks to DK .
3. Multi-Collisions
Consider the following game of balls and bins. Let R ≥ 1 be the number of bins and
σ the number of balls. The σ balls are thrown uniformly at random into the R bins. By
multcol(R, σ, ρ) we denote a ρ-collision, namely the event that there exists a bin that
contains ρ or more balls after all σ balls are thrown.
A folklore result [67, Theorem 3.1], [64, Lemma 5.1] states the following upper bound
on the probability of a ρ-collision for ρ ≥ 2:
1 σ
Pr (multcol(R, σ, ρ)) ≤ Rρ−1 ρ ,
(1)
where R ≥ 1 and σ ≥ ρ. Note that σ can be smaller or larger than R.
The bound of (1) involves a binomial coefficient and hence factorials. To evaluate
these factorials we rely on Stirling’s approximation. Formally, Stirling’s approximation
can be written as an inequality as [
71
]
x ! ≥
√2π x
x x
e
≥
√x
x x
e
,
where π = 3.14 . . . and e = 2.71 . . ., which holds for all x ≥ 1.
For the purpose of the paper we combine inequalities (1) and (2) in the following way.
Let S be some positive number limiting the maximum value of σ , i.e., σ ≤ S. From (1)
and (2), we get
1 σ ρ
Pr (multcol(R, σ, ρ)) ≤ Rρ−1 ρ
≤
S
R
This derivation is identical to that in [67, Theorem 3.1], [64, Lemma 5.1], be it with a
slightly more accurate bound for x !. In the remainder of the section, we will introduce the
Lambert W function in Sect. 3.1, and derive simplified bounds on Pr (multcol(R, σ, ρ))
in Sect. 3.2.
Remark 1. The probability that multcol(R, σ, ρ) occurs can also be bounded using the
Chernoff bound [
28
]. Consider any fixed bin, and for i = 1, . . . , σ , denote
Xi =
1 with probability 1/R ,
0 with probability 1 − 1/R.
Defining X = iσ=1 Xi as the number of balls in that specific bin, the Chernoff bound
states that for any t > 0 [64, Section 4.2],
As in our case the events Xi are mutually independent,
One therefore finds, for any t > 0,
Pr (X ≥ ρ) ≤ Pr et X ≥ etρ
≤
σ
i=1
Ex et X
=
Ex et Xi
=
1 +
Pr (multcol(R, σ, ρ)) ≤ R ·
Ex et X
etρ
.
et − 1 σ
R
Looking ahead, in our applications we will need an upper bound of this term of the form
σ/S, where ρ is a function of R and S. The bound of (4) is more suited for that.
(2)
(3)
(4)
(5)
Likewise, specific variants of (5) such as
Pr (multcol(R, σ, (1 + δ)σ/R)) ≤ R ·
eδ
(1 + δ)1+δ
σ/R
,
obtained from (5) by setting ρ = (1 + δ)σ/R and t = ln(1 + δ) [67, Theorem 4.1], [64,
Theorem 4.4], do not directly seem to give an improved result for our specific parameter
setting.
An alternative approach to bound the probability that multcol(R, σ, ρ) occurs, is via
the first and second moments, as done by Raab and Steger [
74
]. In detail, Raab and Steger
demonstrate that Pr (multcol(R, σ, ρ(R, σ ))) = o(1) for various parameter settings and
choices of ρ as a function of R and σ [74, Theorem 1]. This approach, as well as the
related approaches in the field of cryptography [
10,49
], again does not fit our targeted
upper bound.
3.1. Lambert W Function
Stirling’s approximation contains a “self-exponential” function x x , and we will need to
solve equations of the form
(6)
(7)
(8)
ξ ξ = d
ξ = eW (D) ,
for variable ξ . For this purpose we utilize the Lambert W function [
71
]. Consider the
function f (w) = wew defined for complex numbers w. Then, the Lambert W function
is the inverse relation of f . More precisely, Z = W (Z )eW (Z) is the defining equation
for W , and Eq. (6) can be solved, using W , as
where D := ln d [
30
].
In this work, we can restrict the domain of W to real numbers X ≥ −1/e and the
range to real numbers W (X ) ≥ −1, and we focus on the principal branch Wp, which is
a single-valued function. Hoornar and Hassani [
50
] derived the following inequality on
Wp(X ) for any X ≥ e:
Wp(X ) ≤ ln X − ln ln X + ln(1 + e−1).
Back to (6), when ξ is restricted to real numbers, the solution (7) becomes
ξ = eWp(D) ≤ eln D−ln ln D+ln(1+e−1)
=
(1 + e−1)D
ln D
.
It should be emphasized that this bound is valid only under the condition D ≥ e, or
equivalently, d ≥ ee.
⎧
⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨⎪
⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩⎪ 2
3.2. Bounding Multi-Collision Probability
We will derive Sponge-oriented bounds for ρ. In more detail, consider parameters b, r, c
such that b = r + c, write R = 2r , and S = min{2b/2, 2c}. We will derive choices for ρ
(depending on r and c), such that the probability of a multi-collision of (1) is bounded
by σ/S.
Write b = r + c, R = 2r , and S = min{2b/2, 2c}. Assume that c ≥ 13.
σ
Pr (multcol( R, σ, ρ (r, c))) ≤ S ,
e2(c−r )/2
where β := log2 e + log2 log2 e.
The proof of Lemma 1 is constructive, and the bounds for ρ are derived constructively
rather than simply proven to hold. However, the reasoning is structurally different for
the cases where r < c (cases (i-iv)) and for the cases where r ≥ c (cases (v-vii)).
Proof of Lemma 1(i-iv). For the case r < c, our basic strategy is to bound
Pr (multcol( R, σ, ρ)) by σ/S, where S = 2b/2, by means of setting
ρ :=
θ 2(c−r )/2
for sufficiently large parameter θ . Note that, by the generalized pigeonhole principle,
2(c−r )/2 is the minimum value of ρ when σ reaches S = 2b/2.
Assume that ρ ≥ eS/ R = e2b/2/2r = e2(c−r )/2, i.e., θ ≥ e. Then, (4) becomes
and we start from this equation for the cases (i-iv).
Case (i): r ≤ c/5. Since r ≤ c/5, we have 2(5r−c)/4 ≤ 1. Therefore, the bound of
(9) satisfies
2r
σ
√θ 2(c−r)/2 S
(9)
(10)
.
We can choose the minimum θ := e = 2.71 . . . so that (e/θ )θ2(c−r)/2 = 1,
which implies that (10) is upper bounded by σ/S, as desired. The size of a
multi-collision is bounded by
ρ =
e2(c−r)/2 .
Case (ii): c/5 < r ≤ c − 2log2c. If r > c/5, then the factor 2(5r−c)/4 in the bound
(9) becomes larger than 1, and we need to somehow cancel this factor by
increasing the value of θ . The factor √θ is too small for this purpose,
and hence we aim at the factor (e/θ )θ2(c−r)/2 . The following observation
suggests that we need to increase the value of θ by only a small amount, as
long as r ≤ c − 2 log2 c:
Claim. If r ≤ c − 2 log2 c, then we have 2(c−r)/2 ≥ (5r − c)/4.
Proof of claim. Direct computation yields 2(c−r)/2 ≥ 2log2 c = c ≥ (5r − c)/4.
Hence, it remains to ensure that (e/θ )θ ≤ 1/2. For this we set θ := 3.4, so that
(e/θ )θ = (2.71 . . . /3.4)3.4 = 0.46 . . . ≤ 1/2. Then, the bound of (9) satisfies
by the above claim. The size of a multi-collision is bounded by
ρ =
3.4 · 2(c−r)/2 .
Case (iii): c − 2log2c < r ≤ c − 2log2c + 7.2. This is a technical case to bridge a
gap between case (ii) and case (iv). The reason behind the constant 7.2 will
become clear in the analysis of case (iv).
Set δ := r − c + 2 log2 c, so that δ ∈ (0, 7.2]. Then we have 2(c−r)/2 = 2log2 c−δ/2 =
2−δ/2c ≥ 2−δ/2(5r − c)/4. Hence, the bound of (9) satisfies
and we want to ensure that (e/θ )θ2−δ/2 ≤ 1/2. Given the previous constant 3.4 and
the new factor 2−δ/2, let us put θ := 3.4 · 20.17δ and define ϕ(ζ ) := e/(3.4 ·
20.17ζ ) 3.4·20.17ζ 2−ζ/2
e/(3.4 · 20.17ζ ) 3.4·2−0.33ζ that is defined for real numbers
Claim.
We have ϕ(ζ ) ≤ 0.495 ≤ 1/2.
Proof of claim. The derivative of ϕ is computed as
ϕ (ζ ) = 3.4 · 2−0.33ζ ln 2
and equation ϕ (ζ ) = 0 has a unique solution ζ0 := log2(e0.5/0.33/3.4)/0.17 =
2.47 . . .. Direct computation shows that the second-order derivative ϕ (ζ ) is
positive for ζ ∈ [0, 7.2], implying that ϕ(ζ ) is minimum at ζ0. We already know that
ϕ(0) = (e/3.4)3.4 = 0.46 · · · ≤ 1/2, and so we end the proof by computing
ϕ(7.2) = e/(3.4 · 20.17·7.2) 3.4·2−0.33·7.2 = 0.495 . . . ≤ 1/2.
The value of θ grows as δ increases, from 3.4 to 3.4 · 20.17·7.2 = 7.94 . . . ≤ 8.0.
Case (iv): c−2log2c+7.2 < r < c. The value of θ needs to increase as r approaches to
c, and in general θ cannot be bounded by a constant but is rather a function
of r and c. The Lambert W function can handle such a case, yielding a
fairly sharp bound.
Put ϕ(ζ ) := (e/ζ )ζ 2(c−r)/2 2(5r−c)/4, defined for real numbers ζ ≥ e. Then ϕ(ζ ) is
strictly decreasing. This leads us to solve equation ϕ(ζ ) = 1 to determine the value
of θ , as a function of r and c. Let ζ0 be a solution of this equation. Then the equality
ϕ(ζ0) = 1 becomes (ζ0/e)ζ02(c−r)/2 = 2(5r−c)/4, which is equivalent to
ζ0
e
ζ0/e
= 2(5r−c)/ 4e2(c−r)/2 .
(11)
We can solve Eq. (11) for ζ0 using formula (7) by the Lambert W function, via setting
ξ = ζ0/e and d = 2(5r−c)/4e2(c−r)/2 , as
ζ0
e = eW (E) ,
(12)
where E := ln 2(5r−c)/4e2(c−r)/2 = (5r − c)/ 4e2(c−r)/2 log2 e . Now we want to use
inequality (8) for the function Wp to upper bound ζ0, but for that purpose we need to
make sure that E ≥ e. It is exactly for this reason that we have chosen the constant 7.2,
as shown by the following claim.
Claim. Let c ≥ 13. The inequality
holds for all r ∈ [c − 2 log2 c + 7.2, c ]. (The condition c ≥ 13 is to make the range of
r non-empty.)
,
which leads us to study the function ψ (ω) := 22.6(2ω − 5 log2 ω + 18)/eω log2 e
defined for real numbers ω ≥ 13. We compute the derivative of ψ (ω) as ψ (ω) =
22.6(5 log2 ω + 18 − 5 log2 e)/eω2 log2 e, and equation ψ (ω) = 0 has a unique solution
ω0 = 218/5e = 32.9 . . ., at which ψ (ω0) = 2.75 . . .. Since the second-order derivative
ψ (ω) = 22.6(−10 log2 ω + 36 + 15 log2 e)/eω3 log2 e is positive for 13 ≤ ω <
218/5e3/2 = 54.3 . . ., we conclude that ψ (ω) ≥ 2.75 for all ω ≥ 13, and hence E ≥
2.75 ≥ e for all c ≥ 13 and r ∈ [c − log2 c + 7.2, c ], as desired.
Now we can apply inequality (8) to our case (12) to get
ζ0
e ≤
(1 + e−1)E
ln E
(1 + e−1)(5r − c)/ 2e2(c−r)/2
= 2 log2(5r − c) + r − c − 4 − 2β
.
We compute (1 + e−1)/2 = 0.68 . . . and −4 − 2β = −7.94 . . .. Set
θ := 0.7(5r − c)/2(c−r)/2/ 2 log2(5r − c) + r − c − 8
so that θ ≥ ζ0 and ϕ(θ ) ≤ 1 (recall that ϕ(ζ ) is strictly decreasing). In addition,
since E ≥ e from condition (13), we have θ /e ≥ ζ0/e = eWp(E) ≥ e, meaning
θ ≥ e2 = 7.38 . . .. Therefore, the bound of (9) satisfies
e θ2(c−r)/2 2(5r−c)/4 σ
θ √θ
ϕ(θ ) σ 1 σ σ
S = √θ S ≤ √e2 S ≤ S .
We thus obtain
ρ = θ 2(c−r)/2
=
Proof of Lemma 1(v-vii). The analysis is different from the cases (i-iv) in the sense that
we do not need to rely on the factor √ρ in Stirling’s approximation, and the Lambert W
function is more easily applicable.
Case (v): c ≤ r ≤ c + elog2c − eβ. Consider bound (4). We have R = 2r and S = 2c,
and hence,
Put ϕ(ζ ) := (e/ζ 2r−c)ζ 2r that is defined for real numbers ζ ≥ 2. We see
that ϕ(ζ ) is strictly decreasing, and at ζ = 2 we have ϕ(2) = (e/2)222c−r
which is greater than 1 because 2c ≥ r . So we would like to solve
equation ϕ(ζ ) = 1. Let ζ0 be a solution of this equation. This means that
(ζ02r−c/e)ζ0 = 2r , which is equivalent to
To apply (7) to solve (14), set ξ = ζ02r−c/e and d = 2r2r−c/e. We obtain
ζ02r−c ζ02r−c/e
e
= 2r2r−c/e.
ζ02r−c
e
= eW (G),
(14)
(15)
where G := ln 2r2r−c/e = r 2r−c(ln 2)/e. As r ≥ c ≥ 13 ≥ 11, we have
G ≥ 11 · (ln 2)/e = 2.80 . . . ≥ e. Using (8),
ζ02r−c
e
= eWp(G) ≤
(1 + e−1)G
ln G
(1 + e−1)r 2r−c/e
= log2 r + r − c − β
,
where β = log2 e + log2 log2 e = 1.97 . . .. Since (1 + e−1) = 1.36 . . ., we
can set
ζ0 ≤ ρ :=
.
Case (vi): c + elog2c − eβ < r < 2c. Technically, the bound of case (v) is valid only
for r ≤ 2c. To obtain bounds for r ≥ 2c we perform a different kind of
analysis. We do not start with (4) but go back further to (3), and consider a
simplified bound
ρ :=
r
r − c
(16)
The intuition behind (16) is as follows. The “folklore” approach to
obtaining a ρ-collision on r -bit values takes about 2(ρ−1)r/ρ trials. Suzuki et
al. showed that even under this amount of trials, the probability of finding
a ρ-collision is actually quite low, about 1/ρ! [91,92]. Inspired by this,
we consider equation 2c = 2(ρ−1)r/ρ . Solving this equation for variable ρ
yields ρ = r/(r − c), as desired.
As we will show, the bound (16) “works” not only for r ≥ 2c but for all r > c.
Moreover, it turns out that (16) is actually better than (15) for a large part of r ∈ (c, 2c ],
except where r ≈ c.
Claim. Let r > c. For ρ of (16), we have Pr (multcol(R, σ, ρ)) ≤ σ/S.
Claim. Let r > c ≥ 11. Then, (16) is better (smaller) than (15) if r > c + e log2 r − eβ.
Proof of claim. Define the function
(1 + e−1)u u
Δc(u) := u − c + log2 u − β − u − c
whose domain is the real numbers u ∈ (c, 2c ] with c ≥ 11 and β = log2 e +
log2 log2 e = 1.97 . . .. Then equation Δc(u) = 0 becomes u = c + e log2 u − eβ,
whose solution we denote by u0. We differentiate Δc with respect to u as
∂Δc
∂u =
(1 + e−1)(−c + log2 u − β − log2 e)
(u − c + log2 u − β)2
and at u = u0 we have
∂Δc
using u0 = c + e log2 u0 − eβ. We see that u0 ≥ e log2 e = 3.92 . . . because
r > c ≥ 11.
Note that c + e log2 r − eβ > c + e log2 c − eβ, making the distinction between this
case (vi) and the previous case (v) clear.
Case (vii): 2c ≤ r. In this case, we can use the reasoning of case (vi), with ρ = 2 by
(16).
4. NORX
We introduce NORX at a level required for the understanding of the security proof and
refer to Aumasson et al. [
7,8
] for the formal specification. Let p be a permutation on
b bits. All b-bit state values are split into an outer part of r bits and an inner part of c
bits. We denote the key size of NORX by κ bits, the nonce size by ν bits, and the tag
size by τ bits. The header, message, and trailer can be of arbitrary length and are padded
using 10∗1-padding to a length of a multiple of r bits. Throughout, we denote the r -bit
header blocks by H1, . . . , Hu , message blocks by M1, . . . , Mv, ciphertext blocks by
C1, . . . , Cv, and trailer blocks by T1, . . . , Tw.
Unlike other permutation-based schemes, NORX allows for parallelism in the
encryption part, which is described using a parameter D ∈ {0, . . . , 255} corresponding to the
number of parallel chains. Specifically, if D ∈ {1, . . . , 255} NORX has D parallel
chains, and if D = 0 it has v parallel chains, where v is the block length of M or C .
NORX consists of five proposed parameter configurations: NORX W -R-D for
(W, R, D) ∈ {(64, 4, 1), (32, 4, 1), (64, 6, 1), (32, 6, 1), (64, 4, 4)}. The parameter R
denotes the number of rounds of the underlying permutation p, and W denotes the word
size which we use to set r = 10W and c = 6W . The default key and tag size are
κ = ν = 4W . The corresponding parameters for the two different choices of W , 64 and
32, are given in Table 1.
Although NORX starts with an initialization function init which requires the
parameters (D, R, τ ) as input, as soon as our security experiment starts, we consider (D, R, τ )
fixed and constant. Hence, we can view init as a function that maps (K , N ) to
(K N 0b−κ−ν ) ⊕ const, where const is irrelevant to the mode security analysis of
NORX, and will be ignored in the remaining analysis.
After init is called, the header H is compressed into the rate, then the state is branched
into D states (if necessary), the message blocks are encrypted in a streaming way, the
D states are merged into one state (if necessary), the trailer is compressed, and finally
the tag A is computed. All rounds are preceded with a domain separation constant
XORed into the capacity: 01 for header compression, 02 for message encryption, 04
for trailer compression, and 08 for tag generation. If D = 1, domain separators 10 and
20 are used for branching and merging, along with pairwise distinct lane indices i dk for
k = 1, . . . , D (if D = 1 we write i d1 = 0). In Fig. 2 we depict NORX for D = 1 and
D = 2.
The privacy of NORX is proven in Sect. 4.1 and the integrity in Sect. 4.2. In both proofs
we consider an adversary that makes q p permutation queries and qE encryption queries
of total length λE . In the proof of integrity, the adversary can additionally make qD
decryption queries of total length λD. To aid the analysis, we compute the number of
permutation calls made via the qE encryption queries. The exact same computation holds
for decryption queries with the parameters defined analogously.
Consider a query to EK , consisting of u header blocks, v message blocks, and w trailer
blocks. We denote its corresponding state values by
⎛
⎜ sinit; s0H , . . . , suH ; ⎢
⎝ ⎣
s1M,0, . . . , s1M,v1 ⎤
... ...
sDM,0, . . . , sDM,vD
⎞
⎥ ; s0T , . . . , swT ; stag⎟ ,
⎦ ⎠
(17)
as outlined in Fig. 2. Here, kD=1 vk = v. If there are no branching and merging
phases, i.e., D = 1, then the state values corresponding to the branching and
merging, {s1M,0, . . . , sDM,0} and s0T , are left out of the tuple. Note that the length of this tuple
equals the number of primitive calls made in this encryption query, as every state value
corresponds to the input of exactly one primitive call. A simple calculation shows that
if the j thEK query is of length u + v + w blocks, it results in u + v + w + 3 state values
if D = 1, in u + v + w + D + 4 state values if D > 1, and in u + 2v + w + 4 state
values if D = 0.4 We denote the number of state values by σE, j , where the dependence
on D is suppressed as D does not change during the security game. In other words, σE, j
denotes the number of primitive calls in the j th query to EK . Furthermore, we define σE
to be the total number of primitive evaluations via the encryption queries, and find that
σE :=
"qE σE, j ≤ ⎧⎪⎨ 2λλEE++3q4EqE, i,fifDD==10, ,
j=1 ⎪⎩ λE + ( D + 4)qE , if D > 1.
(18)
This bound is rather tight. Particularly, for D = 0 an adversary can meet this bound by
only making queries without header and trailer. For queries to DK we define σD, j and
σD analogously.
4For D = 0, the original specification dictates an additional 10b−21-padding for every complete message
block. This means that lanes 1, . . . , v − 1 consist of two rounds. We do not take this padding into account,
noting that it is unnecessary for the security analysis.
0
0
d
i
d
i
1
v
,
M1
s v1
,
1
.
.
.
,
M1
s 0,
C
1
v
,
1
1
0
,
1
0
,
M1
s
.
.
.
T
v
C
v
M
C
K
(
t
i
n
i
A
p
p
p
p
p
p
p
p
p
0
0
r
c
8
0
4
0
4
0
2
0
0
1
0
1
0
Mv
s
2
v
,
2
2
v
,
2
0
,
2
0
,
2
A
p
p
p
p
p
p
p
p
0
0
r
c
8
0
4
0
4
0
0
1
1
0
1
0
Hu
s
H0
s
it
n
i
s
2
v
,
M2
s
.
.
.
,
M2
s
0
,
M2
s
=
=
m
.
)
o
t
t
o
b
(
2
D
d
n
a
)
p
o
t
1
4.1. Privacy of NORX
Theorem 1. Let Π = (E , D) be NORX based on an ideal underlying primitive p.
Then,
AdvpΠriv(q p, qE , λE ) ≤
where σE is defined in (18), and where ρ = ρ(r, c) is the function defined in Lemma 1.
Theorem 1 can be interpreted as implying that NORX provides privacy security as long
as the total complexity q p + σE does not exceed min{2b/2, 2κ } and the total number
of primitive queries q p, also known as the offline complexity, does not exceed 2c/ρ.
The presence of the term ρ makes the bound a bit unclear; in Table 2 we give the
main implication of this bound for the various possible values of r and c as outlined in
Lemma 1. See Table 1 for the security level of the various parameter choices of NORX:
for NORX v1 [
7
], we are concerned with case (vi), where ρ = 2.5 = 3 for both
b ∈ {512, 1024}; for NORX v2 [
8
], we are in case (vii), where ρ = 2.
The proof is based on the observation that NORX is indistinguishable from a random
scheme as long as there are no collisions among the (direct and indirect) evaluations
of p. Due to uniqueness of the nonce, state values from evaluations of EK collide with
probability approximately 1/2b. Regarding collisions between direct calls to p and
calls via EK : while these may happen with probability about 1/2c, they turn out not to
significantly influence the bound. The latter is demonstrated in part using the principle
of multiplicities [
18
]: roughly stated, the maximum number of state values with the same
outer part. We use Lemma 1 to bound multiplicities. The formal security proof is more
detailed. Furthermore, we remark that, at the cost of readability and simplicity of the
proof, the bound could be improved by a constant factor.
Proof. Consider any adversary A with access to either ( p±, EK ) or ( p±, $) and whose
goal is to distinguish these two worlds. For brevity, we write
AdvpΠriv(A) = ΔA( p±, EK ; p±, $).
(19)
We start by replacing p± by a random function to simplify analysis. This is done with
a “URP-URF” switch [
13
], in which we make a transition from p± to a primitive f ±
defined as follows (as done by Andreeva et al. [
4
]).
The primitive f ± maintains an initially empty list F of query/response tuples (x , y)
where the set of domain and range values are denoted by dom(F ) and rng(F ),
respectively. For a forward query f (x ) with x ∈ dom(F ), the value in {y | (x , y) ∈ F } which
occurs lexicographically first is returned. For a new forward query f (x ), the response y
is randomly drawn from {0, 1}b, then the tuple (x , y) is added to F . The description for
f −1 is similar. We let abort denote the event that a new query f (x ) results in a value
y where y is already in rng(F ), or a new query f −1(y) results in a value x where x is
already in dom(F ).
set key ∨ multi and also that guess ∨ hit ∨ key ∨ multi has not been set before. For the
analysis of Pr (key ∨ multi) a similar technique is employed.
Event guess. This event can be set in the i th primitive query (for i = 1, . . . , q p) or
in any state evaluation of the j th construction query (for j = 1, . . . , qE ). Denote the
state values of the j th construction query as in (22). Consider any evaluation, assume
this query does not set key ∨ multi and assume that guess ∨ hit ∨ key ∨ multi has
not been set before. Firstly, note that xi = sijnit for some i, j would imply key(i ) and
hence invalidate our assumption. Therefore, we can exclude sijnit from further analysis on
guess. For i = 1, . . . , q p, let ji ∈ {1, . . . , qE } be the number of encryption queries made
before the i th primitive query. Similarly, for j = 1, . . . , qE , denote by i j ∈ {1, . . . , q p}
the number of primitive queries made before the j th encryption query.
– Consider a primitive query (xi , yi ) for i ∈ {1, . . . , q p}, which may be a forward
or an inverse query, and assume it has not been queried to f ± before. If it is a
forward query xi , by ¬multi there are at most ρ state values s with [xi ]r = [s]r ,
and thus xi = s with probability at most ρ/2c. Here, we remark that the inner part
of s is unknown to the adversary and it guesses it with probability at most 1/2c,
as established by Corollary 1. A slightly more complicated reasoning applies for
inverse queries. Denote the query by yi . By ¬multi there are at most ρ state values
s with [yi ]r = [ f (s)]r , hence, using Corollary 1 again, yi = f (s) with probability
at most ρ/2c. If yi equals f (s) for any of these states, then xi = s, otherwise xi = s
with probability at most jji=1 σE, j /2b. Therefore, the probability that guess is
set via a direct query is at most q2pcρ + iq=p 1 jji=1 σ2Eb, j ;
– Next, consider the probability that the j th construction query sets guess, for j ∈
{1, . . . , qE }. For simplicity, first consider D = 1, hence the message is processed
in one lane and we can use state labeling (s j,1, . . . , s j,σE, j ). We range from s j,2 to
s j,σE, j (recall that s j,1 = sijnit can be excluded) and consider the probability that this
state sets guess assuming it has not been set before. Let k ∈ {2, . . . , σE, j }. The state
value s j,k equals f (s j,k−1)⊕v, where v is some value determined by the adversarial
input prior to the evaluation of f (s j,k−1), including input from (H j , M j , T j ) and
constants serving as domain separators. By assumption, guess ∨ hit has not been
set before, and f (s j,k−1) is thus randomly drawn from {0, 1}b. It hits any xi (i ∈
{1, . . . , i j }) with probability at most i j /2b. Next, consider the general case D > 1.
We return to the labeling of (22). A complication occurs for the branching states
s Mj,1,0, . . . , s Mj,D,0 and the merging state s Tj,0. Starting with the branching states, these
are computed from s Hj,u as
s Mj,D,0
⎛ s Mj,1,0 ⎞
.
⎜ .. ⎟ = f (s Hj,u ) ⊕ ⎜
⎝ ⎠ ⎝
where v1, . . . , vD are some distinct values determined by the adversarial input prior
to the evaluation of the j th construction query. These are distinct by the XOR of the
lane numbers i d1, . . . , i dD. Any of these nodes equals xi for i ∈ {1, . . . , q p} with
probability at most i j D/2b. Finally, for the merging node s Tj,0 we can apply the same
analysis, noting that it is derived from a sum of D new f -evaluations. Concluding,
the j th construction query sets guess with probability at most i j σE, j /2b (we always
have in total at most σE, j new state values). Summing over all qE construction
queries, we get qjE=1 i j σE, j /2b.
Concluding,
Pr (guess | ¬(key ∨ multi)) ≤
q pρ
2c +
"qp "ji σE, j
2b +
i=1 j=1
q
E i j σE, j
"
2b
q pρ
= 2c +
q p2σbE .
Here we use that qp jji=1 σE, j + qjE=1 kσ=E,1j i j σE, j = q pσE , which follows from
a simple counting arig=u1ment.
Event hit. We again employ ideas of guess, and particularly that as long as guess ∨ hit
is not set, we can consider all new state values (except for the initial states) to be randomly
drawn from a set of size 2b. Particularly, we can refrain from explicitly discussing the
branching and merging nodes (the detailed analysis of guess applies) and label the states
as (s j,1, . . . , s j,σE, j ). Clearly, s j,1 = s j ,1 for all j, j by uniqueness of the nonce. Any
[sstaj,tke]vκa=lueKs,j,wkhfoicrhkh>ap1pe(nats mwoitsht pσrEo−baqbEiliitny taottmal)oshtitσsEa/n2iκn,iatisaslusmtaitnegvsalju,keiss jg,e1noenralyteidf
randomly. Finally, any two other states s j,k , s j ,k for k, k > 1 collide with probability
at most σE −2qE /2b. Concluding, Pr (hit | ¬(key ∨ multi)) ≤ σ2E /2b + σE /2κ .
Event key. For i ∈ {1, . . . , q p}, the query sets key(i ) if [xi ]κ = K , which happens with
probability 1/2κ (assuming it did not happen in queries 1, . . . , i − 1). The adversary
makes q p attempts, and hence Pr (key) ≤ q p/2κ .
Event multi. Event multi can be related to multcol of Sect. 3, in the following way.
Consider any new state value s j,k−1; then it contributes to the bin α if [ f (s j,k−1)]r = α
or [s j,k ]r = [ f (s j,k−1) ⊕ v]r = α. If a threshold ρ needs to be exceeded for some α,
at least ρ/2 of them are either of the first kind or of the second kind. The event multi
can henceforth be seen as a balls and bins game with 2r bins, σE balls, and threshold
ρ = ρ/2:
Pr (multi) ≤ Pr multcol(2r , σE , ρ ) .
By Lemma 1, we know that Pr multcol(2r , σE , ρ ) ≤ min{2σbE/2,2c} , where ρ is the
function described in Lemma 1 (parameters r, c are implicit). Note that we put ρ = 2ρ .
Addition of the four bounds via (25) gives
Pr (guess ∨ hit) ≤
+
q p + σE .
2κ
4.2. Authenticity of NORX
Theorem 2. Let Π = (E , D) be NORX based on an ideal underlying primitive p.
Then,
AdvaΠuth(q p, qE , λE , qD, λD) ≤
where σE , σD are defined in (18), and where ρ = ρ(r, c) is the function defined in
Lemma 1.
The bound is more complex than the one of Theorem 1, but intuitively implies that
NORX offers integrity as long as it offers privacy and the number of forgery attempts
σD is limited, where the total complexity q p + σE + σD should not exceed 2c/σD. See
Table 1 for the security level for the various parameter choices of NORX. Needless to
say, the exact bound is more fine-grained.
Proof. We consider any adversary A that has access to ( p±, EK , DK ) and attempts to
make DK output a non-⊥ value. As in the proof of Theorem 1, we apply a URP-URF
switch to find
AdvaΠuth(A) = Pr A p±,EK ,DK forges
≤ Pr A f ±,EK ,DK forges
+
(q p + 2σbE++1 σD)2 .
(26)
Then we focus on A having oracle access to ( f ±, EK , DK ). As before, we assume
without loss of generality that the adversary only makes full-block queries.
We inherit terminology from Theorem 1. The state values corresponding to encryption
and decryption queries will both be labeled ( j, k), where j indicates the query and k the
state value within the j th query. If needed we will add another parameter δ ∈ {D, E }
to indicate that a state value sδ, j,k is in the j th query to oracle δ, for δ ∈ {D, E } and
j ∈ {1, . . . , qδ}. Particularly, this means we will either label the state values as in (22)
with a δ appended to the subscript, or simply as (sδ, j,1, . . . , sδ, j,σδ, j ).
As before, we employ the collision events guess and hit, but expanded to the new
notation with δ = E . Next, we define two D-related collision events Dguess and
Dhit. Let i ∈ {1, . . . , q p}, (D, j, k) be a decryption query index, and (δ , j , k ) be an
encryption or decryption query index:
Dguess(i ; j, k)
Dhit( j, k; δ , j , k )
≡
≡
xi = sD, j,k ,
parent(sD, j,k ) = parent(sδ , j ,k ) ∧ sD, j,k = sδ , j ,k ,
We write Dguess = ∨i; j,k Dguess(i ; j, k) and Dhit = ∨ j,k;δ , j ,k Dhit( j, k; δ , j , k ),
and define event = guess ∨ hit ∨ Dguess ∨ Dhit.
Observe that from (26) we get
Pr A f ±,EK ,DK forges ≤ Pr A f ±,EK ,DK forges | ¬event
+ Pr A f ±,EK ,DK sets event .
(27)
A bound on the probability that A sets event is derived in Lemma 4.
The remainder of this proof centers on the probability that A forges given that event
does not happen. Such a forgery requires that [ f (sDtag, j )]τ = A j for some decryption
query j . By ¬event, we know that sDtag, j is a new state value for all j ∈ {1, . . . , qD},
fhoernaclel fj .’sAosuatpruestuulnt,dwereskDtang,oj wistihnadtetpheenjdtehnftoorfgaelrlyoatthteermvpatluisessuacncdesusnfiuflowrmitlhypdriostbraibbuiltietdy
at most 1/2τ . Summing over all qD queries, we get
q
Pr A f ±,EK ,DK forges | ¬event ≤ 2Dτ ,
and the proof is completed via (26, 27) and the bound of Lemma 4, where we again use
that q pσE 2+b σE2/2 ≤ (q p + 2σbE++1 σD)2 .
Lemma 4. Pr A f ±,EK ,DK sets event ≤
, where ρ = ρ(r, c) is the function defined in
Proof. Recall that event = guess ∨ hit ∨ Dguess ∨ Dhit. Employing events key and
multi from Lemma 3, we find:
Pr (guess ∨ hit ∨ Dguess ∨ Dhit)
≤ Pr (guess ∨ hit ∨ Dguess ∨ Dhit | ¬(key ∨ multi))
+ Pr (key ∨ multi) .
(28)
The proof builds upon Lemma 3, and in particular we will use the same proof technique of
running over all queries and computing the probability that a query sets event, assuming
event has not been set before. The bounds on Pr (guess ∨ hit | ¬(key ∨ multi)) and
Pr (key ∨ multi) carry over from Lemma 3 verbatim, where we additionally note that
for a given query, the previous decryption queries are of no influence as by hypothesis
Dguess ∨ Dhit was not set before the query in question. We continue with the analysis
of Dguess and Dhit.
Event Dguess. Note that the adversary may freely choose the outer part in decryption
queries and primitive queries. Indeed, the ciphertext values that A chooses in decryption
queries define the outer parts of the state values. Consequently, Dguess gets set as
soon as there is a primitive state and a decryption state whose capacities are equal. This
happens with probability at most Pr (Dguess | ¬(key ∨ multi)) ≤ q pσD/2c.
Event Dhit. A technicality occurs in that the adversary can reuse nonces in decryption.
To increase readability, we first state that any decryption state s satisfies [s]κ = K only
with probability at most σD/2κ , and in the remainder we can exclude this case. Next, we
define an event innerhit. Let (δ, j, k) and (δ , j , k ) be two decryption query indices,
and let const ∈ {0, 01 ⊕ 02, 01 ⊕ 04, 01 ⊕ 08, 01 ⊕ 10, 02 ⊕ 04, 02 ⊕ 08, 02 ⊕
20, 02 ⊕ 20 ⊕ i di , 04 ⊕ 08}:
innerhit(δ, j, k; δ , j , k ; const) ≡ parent(sδ, j,k ) = parent(sδ , j ,k ) ∧
[sδ, j,k ]c = [sδ , j ,k ]c ⊕ const.
Note that for any choice of indices and const, we have Pr(innerhit(δ, j, k; δ , j , k ;
const)) ≤ 1/2c.
We consider the general case D = 1. Consider the j¯th decryption query
(N ; H, C, T ; A). Say it consists of u header blocks H1 . . . Hu , v ciphertext blocks
C1 . . . Cv, and w trailer blocks T1 . . . Tw, and write its state values as in (17). Let
(Nδ, j ; Hδ, j , Cδ, j , Tδ, j ; Aδ, j ) be an older ciphertext tuple that shares the longest
common blockwise prefix with (N ; H, C, T ; A). Note that this tuple may not be unique (for
instance if N is new), and that it may come from an encryption or decryption query. Say
that this query consists of uδ, j header blocks, vδ, j ciphertext blocks, and wδ, j trailer
blocks, and write its state values as in (22). We proceed with a case distinction.
(1) (N; H, C, T) = (Nδ,j; Hδ,j, Cδ,j, Tδ,j) but A = Aδ,j. In this case the query renders
no new states and Dhit cannot be set by definition;
(2) (N; H, C) = (Nδ,j; Hδ,j, Cδ,j) but T = Tδ,j. Let ∈ {1, . . . , min{w, wδ, j }, ∞}
be minimal such that T = Tδ, j, , where = ∞ means that T is a substring of Tδ, j
(if w < wδ, j ) or vice versa (if w > wδ, j ). We make a further distinction between
= ∞ and < ∞.
= ∞. Note that smTin{w,wδ, j } = sδ, j,min{w,wδ, j } ⊕ 04 ⊕ 08. If this input to
T
f is old, it implies innerhit(δ, j, min{w, wδ, j }; δ , j , k ; 04 ⊕ 08) for some
(δ , j , k ) older than the current query (D, j¯, min{w, wδ, j }), which is the case
with probability at most 1/2c (for all possible index tuples). Otherwise, f
generates a new value and new state value s (swT+1 if w > wδ, j or stag if
w < wδ, j ), which sets Dhit if it sets innerhit with an older state sδ , j ,k under
const = 0. This also happens with probability at most 1/2c for any (δ , j , k ).
This procedure propagates to stag. In total, the j¯th decryption query sets Dhit
wi<th ∞pr.oIbnabthiliistycaastemsTo−s1t = kσs=DδT,1,jj¯, σ−E1+aσnDd,1+sT···+=2σcDsδ,Tj¯,−j,1+⊕(k −(T1) ; 0c) ⊕ (Tδ, j, 0c) =
sδ, j, .5 As before, sT is a new input to f , except if innerhit(δ, j, ; δ , j , k ; 0)
T
for some (δ , j , k ) older than the current query (D, j¯, ). This is the case
5Note that if (δ, j) were not unique, then we similarly have sT−1 = sδT , j , −1 and sT = sδT , j , ⊕
(T 0c) ⊕ (Tδ , j , 0c) = sδT , j , for all other queries (δ , j ) with the same prefix (possibly XORed with
04 ⊕ 08).
with probability at most 1/2c for all possible older queries. The procedure
propagates to stag as before, and the same bound holds;
(3) (N; H) = (Nδ,j; Hδ,j) but C = Cδ,j. The analysis is similar but a special treatment
is required to deal with the merging phase. Consider the ciphertext C to be divided
into blocks Ck, for k = 1, . . . , D and = 1, . . . , vk . Similarly for Cδ, j . For
k = 1, . . . , D, let k ∈ {1, . . . , min{vk , vδ, j,k }, ∞} be minimal such that Ck, k =
Cδ, j,k, k . Again, k = ∞ means that Ck is a substring of Cδ, j,k (if vk ≤ vδ, j,k ) or
vice versa (if vk ≥ vδ, j,k ). We make a further distinction between whether or not
( 1, . . . , D) = (∞, . . . , ∞).
(4) N = Nδ,j but H = Hδ,j. The analysis follows fairly the same principles, albeit
using const ∈ {0, 01 ⊕ 02, 01 ⊕ 04, 01 ⊕ 08, 01 ⊕ 10};
(5) N = Nδ,j. The nonce N is new (hence the query shares no prefix with any older
query). There has not been an earlier state s that satisfies [s]κ = K (by virtue of
the analysis in hit and key, and the first step of this event Dhit). Therefore, sinit is
new by construction and a simplification of above analysis applies.
Summing over all queries:
qD σD, j¯ σ
Pr (Dhit | ¬(key ∨ multi)) ≤ " "
E + σD,1 + · · · + σD, j¯−1 + (k − 1)
2c
σD
+ 2κ
≤
j¯=1 k=1
σ σ
E D +
2c
σD
2
+ σ2Dκ ,
where the last term comes from the exclusion of the event that any decryption state
satisfies [s]κ = K .
Together with the bound of Lemma 3 we find via (28),
(q p + σE )σD + σ 2 /2
D
2c
,
M1 C1
M2 C2
A1
A2
r
c
K N
0
0
. . . . . .
p
p
where ρ = ρ(r, c) is the function defined in Lemma 1.
5. Tightness of the Bound
We derive a generic attack on Sponge-based authenticated encryption schemes. The
attack exploits multi-collisions on the outer part of the internal state. Using the
multicollision bounds of Suzuki et al. [91,92], we demonstrate that the attack actually matches
the proven security bound, meaning that the bounds of Sect. 4 are tight. Therefore, we first
describe our simplified target structure in Sect. 5.1. The attack is described in Sect. 5.2
and evaluated in Sect. 5.3.
5.1. Target Structure
We consider the simplified structure of Fig. 3. Without loss of generality, we consider
a key K ∈ {0, 1}κ , nonce N ∈ {0, 1}b−κ (hence ν = b − κ), and we assume that init
initializes the state as (K , N ) → K N . (The attack can be generalized to the setting
where the key is absorbed in multiple evaluations of p, or where the key is XORed into
the state before outputting A. See also Sect. 5.4.) We consider no associated data, or
in terminology of Sect. 2, we put H, T ← Null. The message size must be at least
one complete block. Note that, in many schemes, the message of one complete block
will expand to two blocks by a padding procedure. We consider a general setting where
the τ -bit authentication tag A may be generated in multiple extraction rounds (two in
Fig. 3), and we assume that τ ≥ c. We ignore minor issues irrelevant to our attack, such
as padding, frame bits, domain separation for message processing and tag generation
parts, and truncation of the tag.
As shown in Fig. 3, the b-bit state after the first permutation call is denoted s1. Its
outer and inner part are denoted [s1]r and [s1]c, respectively. Then, an r -bit message
block M1 is XORed into [s1]r and the first ciphertext block C1 = [s1]r ⊕ M1 is output.
The state is evaluated using the permutation, and the resulting state is s2. Note that the
values Mi and Ci reveal the outer part of state si as [si ]r = Mi ⊕ Ci .
5.2. Distinguishing Attacks via Key Recovery
Let ρ ≥ 2. If 2κ ≤ 2c/ρ a naive key recovery attack can be performed in complexity
2κ , and we assume that 2κ > 2c/ρ.
We first give an overview of the attack. Once a b-bit state in the structure of Fig. 3 is
recovered, the secret key K can be recovered immediately by computing the inverse of
the permutation. Our attack aims to recover the internal state s1 after the first permutation
call. It consists of an online phase followed by an offline phase.
In the online phase, the adversary searches for a ρ-collision on the r -bit value C1.
It makes a certain amount of encryption oracle queries for different N and possibly
different M1. Let q denote the total number of encryption queries needed. The online
phase results in ρ pairs of (N , M1) which produce the same C1 but different [s1]c. The
adversary also stores the tag A for each pair.
In the offline phase, the adversary recovers an inner part [s1]c. Using the value C1,
the same for all tuples, the value [s1]c is exhaustively guessed. In a bit more detail, the
adversary computes the authentication tag A from C1 [s1]c offline, and checks if there
is a match with any stored tag. Because ρ tags are stored, the attack cost is about 2c/ρ.
Once [s1]c is recovered, the adversary can compute p−1((M1 ⊕ C1) [s1]c) and recover
K .
The formal description of the attack is given below. Here, we denote the data D for
the kth block in the j th query by D j,k . We omit the second subscript for the data where
the block length is always 1, e.g., nonce N j .
Online Phase
1. Choose q different pairs (Nq , Mq,1) for i = 1, 2, . . . , q;
2. Query (Ni , Mi,1) for i = 1, 2, . . . , q and receive (Ci,1, Ai,1 Ai,2 . . .);
3. Find a ρ-collision on C·,1;
4. Store ρ triplets of (Ni , Mi,1, Ai,1 Ai,2 . . .) contributing to the ρ-collision. We
denote the colliding value of C·,1 by C , which is also stored.
Offline Phase
1. Re-define the outer part of the state after the computation of [s·,1]r ⊕ M·,1 by C ;
2. Make 2c/ρ guesses for [s·,1]c, denoted by [s j,1]c for j = 1, 2, . . . , 2c/ρ;
3. For each j , generate the tag A j,1 A j,2 . . . with the state C [s j,1]c;
4. Check if A j,1 A j,2 . . . matches one of the ρ values Ai,1 Ai,2 . . . stored in the
online phase. If so, assume that [s j,1]c is the right value. Let i and j be matching
indices;
5. Compute p−1 (Mi ,1 ⊕ C ) [s j ,1]c . If the resulting value matches nonce Ni ,
output the first κ bits of the state as the recovered key K .
5.3. Attack Evaluation
In the online phase, the adversary does not strictly need to choose N and M1, a given list of
q different tuples suffices. Thus, the attack is a known plaintext attack. The data
complexity is q one-block messages and the memory to store q triples (Ni , Mi,1, Ai,1 Ai,2 . . .)
for i = 1, . . . , q is required. The time complexity of at least q memory access is also
required. Intuitively, all the complexities in the online phase are q.
In the offline phase, because ρ candidates are stored in the online phase and 2c/ρ
guesses are examined, one match is expected. If the internal state values match, the
corresponding tag values also match. Thus, the right guess is identified. Due to the
Parameters
c = r = 128
c = r = 256
c = r = 512
assumption that the tag size is at least c bits, the match likely only suggests the right
guess. In addition, we can further filter out the false positive by r bits with the match of N
in the last step. Thus, with a very high probability the key is successfully recovered. For
the complexity, the only important factor is the time complexity of 2c/ρ tag generation
functions.
What remains is to appropriately choose parameters for q and ρ so that the total
complexity max{q, 2c/ρ} is minimized. Suzuki et al. [91, 92] showed that, when c ≤ r ,
the complexity q to find a ρ-collision with probability about 0.5 is given by
(29)
c = r. We demonstrate tightness of the bound for the cases c = r = 128, c = r = 256,
and c = r = 512. Note that, provided κ is large enough, the bound of Theorem 1 is
1.4r
dominated by 2c/α with α = log2 r +r −c−2 (cf., Table 2). In Table 3 we evaluate the
attack complexity so that max{q, 2r /ρ} is minimized. This complexity is always bigger
but very close to the proven bound, which shows tightness of security bound.
c < r. It is common practice to enlarge the rate of Sponge-based authenticated encryption
so that more data can be processed per permutation call. We demonstrate tightness of
our attack for the case of c = 256 and r ∈ [257, 768]. Figure 1 depicts the evaluated
attack complexity and our security bound for c = 256. For the sake of completeness,
it also includes the 2c/r bound of the original ASIACRYPT 2014 article [
53
], which
decreases by approximately a logarithmic factor log2 r .
Note that the adversary needs to find a multi-collision on r bits with only 2c trials.
When the rate increases, and particularly when r > 2c, the adversary cannot even
find an ordinary collision within 2c trials. In this case, the multi-collision-based attack
will not be influential. Due to this, our bound is getting close to 2c when r becomes
large. The advantage of the attack comes from the number of generated multi-collisions.
Considering that the number of multi-collisions can only take discrete values while our
bound can take sequential values, our bound is strictly tight.
c > r. Note that, for c > r , the security bound of Theorem 1 is not dominated by 2c/α
but rather by 2b/2, omitting constants (cf., Table 2). Tightness of the bound follows by
a naive attack that aims to find collisions on the b-bit state.
5.4. Distinguishing Attacks Without Key Recovery
As later explained in Fig. 4, several practical designs use key K for the initialization as
well as for the tag generation. Those schemes cannot be distinguished with a
straightforward application of the above generic procedure, yet it is still possible to distinguish
them by increasing the attack complexity only by 1 bit or so.
We focus on Ascon, GIBBON and HANUMAN, in which K in the tag computation
prevents the adversary from computing tag A offline. This can be solved by extending
the number of message blocks in each query. Instead of the tag Ai,1 Ai,2 . . ., outer parts
of the subsequent blocks [si,2]r [si,3]r . . . take a role of filter to identify the correct
guess. If the number of filtered bits is much bigger than c, a match suggests the correct
guess with very high probability. Owing to the additional message blocks, the attack
complexity increases by 1 bit or so, depending how many message blocks are added.
In HANUMAN, K can be recovered from the internal state by inverting the
permutation to the initial value. Meanwhile in Ascon and GIBBON, K cannot be recovered and
the adversary only can mount distinguishing attacks.
6. Other CAESAR Submissions
In this section we discuss how the mode security proof of NORX generalizes to the
CAESAR submissions Ascon, the BLNK mode underlying CBEAM/STRIBOB,
ICEPOLE, Keyak (v1 only), and two out of the three PRIMATEs. Before doing so, we
make a number of observations and note how the proof can accommodate small design
differences.
– NORX uses domain separation constants at all rounds, but this is not strictly
necessary and other solutions exist. In the privacy and integrity proofs of NORX, and
more specifically at the analysis of state collisions caused by a decryption query
in Lemma 4, the domain separations are only needed at the transitions between
variable-length inputs, such as header to message data or message to trailer data.
This means that the proofs would equally hold if there were simpler transitions at
these positions, such as in Ascon. Alternatively, the domain separation can be done
by using a different primitive, as in GIBBON and HANUMAN, or a slightly more
elaborated padding, as in BLNK, ICEPOLE, and Keyak;
– The extra permutation evaluations at the initialization and finalization of NORX
are not strictly necessary: in the proof we consider the monotone event that no state
collides assuming no earlier state collision occurred. For instance, in the analysis of
Dhit in the proof of Lemma 4, we necessarily have a new input to p at some point,
and consequently all next inputs to p are new (except with some probability);
– NORX starts by initializing the state with init(K , N ) = (K N 0b−κ−ν ) ⊕ const
for some constant const and then permuting this value. Placing the key and nonce
at different positions of the state does not influence the security analysis. The proof
would also work if, for instance, the header is preceded with K N or a properly
padded version thereof and the starting state is 0b;
– In a similar fashion, there is no problem in defining the tag to be a different τ bits
of the final state; for instance, the rightmost τ bits;
– Key additions into the inner part after the first permutation are harmless for the
mode security proof. Particularly, as long as these are done at fixed positions, these
have the same effect as XORing a domain separation constant.
These five modifications allow one to generalize the proof of NORX to Ascon,
CBEAM and STRIBOB, ICEPOLE, Keyak, and two PRIMATEs, GIBBON and
HANUMAN. The only major difference lies in the fact none of these designs accommodates a
trailer, hence all are functions of the form
(C, A) ←− EK (N ; H, M )
and
M/⊥ ←− DK (N ; H, C ; A),
except for one instance of ICEPOLE which accommodates a secret message number.
Additionally, these designs have σδ ≤ λδ + qδ for δ ∈ {D, E } (or σδ ≤ λδ + 2qδ for
CBEAM/STRIBOB). We always write H = (H1, . . . , Hu ) and M = (M1, . . . , Mv)
whenever notation permits. In below sections we elaborate on these designs separately,
where we slightly deviate from the alphabetical order to suit the presentation. Diagrams
of all modes are given in Fig. 4. The parameters and achieved provable security levels
of the schemes are given in Table 1.
We remark that the attack of Sect. 5 carries over to CBEAM and STRIBOB,
ICEPOLE and a simplified version of Keyak v1 (with only one round of key absorption). It
does not apply to Ascon, GIBBON, and HANUMAN due to the additional XOR of the
secret key at the end.
6.1. Ascon
Ascon is a submission by Dobraunig et al. [
33,34
] and is depicted in Fig. 4a. It is
originally defined based on two permutations p1, p2 that differ in the number of underlying
rounds. We discard this difference, considering Ascon with one permutation p.
Ascon initializes its state using init that maps (K , N ) to (0b−κ−ν K N ) ⊕ const,
where const is determined by some design-specific parameters set prior to the security
experiment. The header and message can be of arbitrary length and are padded to length
a multiple of r bits using 10∗-padding. An XOR with 1 separates header processing from
message processing. From the above observations, it is clear that the proofs of NORX
directly carry over to Ascon.
6.2. ICEPOLE
ICEPOLE is a submission by Morawiecki et al. [
65,66
] and is depicted in Fig. 4c. It
is originally defined based on two permutations, p1 and p2, that differ in the
number of underlying rounds. We discard this difference, considering ICEPOLE with one
permutation p.
ICEPOLE initializes its state as NORX does, be it with a different constant. The
header and message can be of arbitrary length and are padded as follows. Every block is
first appended with a frame bit: 0 for header blocks H1, . . . , Hu−1 and message block
Mv, and 1 for header block Hu and message blocks M1, . . . , Mv−1. Then, the blocks are
padded to length a multiple of r bits using 10∗-padding. In other words, every padded
block of r bits contains at most r − 2 data bits. This form of domain separation using
(a) init(K,N)
H1
H...
Hu
M1 C1
M... C...
Mv Cv
K 0c−κ
C1 M1
C... M...
Cv Mv
50
50
K
p
A
K
A
0c−κ K
C1 M1
C... M...
Cv Mv
(Hpad(K,N,H))1 (Hpad(K,N,H))... (Hpad(K,N,H))u C1 M1
C... M...
Cv Mv
00
00
01
11
11
10
M1 C1
M... C...
Mv Cv
p2
p1
p
A
A
A
p
p
N
H1
H1
p2
H1
40
p2
p4
p
H...
0
p
H...
K 0c+1−κ
K 0c+1−κ
K
H1
H...
Hu
M1 C1
M... C...
Mv Cv
Fig. 4. CAESAR submission modes discussed in Sect. 6, a Ascon, b BLNK (used in CBEAM and STRIBOB),
c ICEPOLE, d Keyak v1, e GIBBON (PRIMATEs) and f HANUMAN (PRIMATEs).
frame bits suffices for the proof to go through. One variant of ICEPOLE also allows for
a secret message number Msecret, which consists of one block and is encrypted prior to
the processing of the header, similar to the message. As this secret message number is
of fixed length, no domain separation is required and the proof can easily be adapted.
From above observations, it is clear that the proofs of NORX directly carry over to
ICEPOLE. Without going into detail, we note that the same analysis can be generalized
to the parallelized mode of ICEPOLE [
65,66
].
6.3. Keyak
Keyak v1 is a submission by Bertoni et al. [
22
]. The basic mode for the serial case is
depicted in Fig. 4d, yet due to its hybrid character it is slightly more general in nature.
It is built on top of SpongeWrap [
19
]. We remark that the discussion does not apply to
Keyak v2, which is built on top of the full-state keyed Duplex [
31,60
].
Keyak initializes its state by 0b, and concatenates K , N , and H using a special padding
rule:
Hpad(K , N , H ) = keypack(K , 240)
N
H,
where enc8(x ) is an encoding of x as a byte and keypack(K , ) = enc8( /8) K
10−κ−1 mod ( −8). The key-nonce-header combination Hpad(K , N , H ) and message M
can be of arbitrary length, and are padded as follows: first, every block is appended with
two frame bits, being 00 for header blocks (Hpad(K , N , H ))1, . . . , (Hpad(K , N , H ))u−1
and 01 for (Hpad(K , N , H ))u , and 11 for message blocks M1, . . . , Mv−1 and 10 for
Mv. Then, the blocks are padded to length a multiple of r bits using 10∗1-padding. In
other words, every padded block of r bits contains at most r − 2 data bits. This form of
domain separation using frame bits suffices for the proof to go through. Due to above
observations, our proof readily generalizes to SpongeWrap [
19
] and DuplexWrap [
22
],
and thus to Keyak. Without going into detail, we note that the same analysis can be
generalized to the parallelized mode of Keyak [
22
]. Additionally, Keyak also supports
sessions, where the state is re-used for a next evaluation. Our proof generalizes to this
case, simply with a more extended description of (17).
6.4. BLNK (CBEAM and STRIBOB)
CBEAM and STRIBOB are submissions by Saarinen [
81,83–86
]. Minaud identified an
attack on CBEAM [
62
], but we focus on the modes of operation. Both modes are based
on the BLNK Sponge mode [
82
], which is depicted in Fig. 4b.
The BLNK mode initializes its state by 0b, compresses K into the state (using one
or two permutation calls, depending on κ), and does the same with N . Then, the mode
is similar to SpongeWrap [
19
], though using a slightly more involved domain
separation system similar to the one of NORX. Due to above observations, our proof readily
generalizes to BLNK [
82
], and thus to CBEAM and STRIBOB.
6.5. PRIMATEs: GIBBON and HANUMAN
PRIMATEs is a submission by Andreeva et al. [
2,3
], and consists of three algorithms:
APE, GIBBON, and HANUMAN. The APE mode is the more robust one, and
significantly differs from the other two, and from the other CAESAR submissions discussed
K
A
c K
(N H)1
(N H)...
(N H)u
M1
C1 M...
C... Mv
Cv
p
p
p
p
p
p
0c−1 1
Fig. 5. APE (PRIMATEs) discussed in Sect. 7.
in this work, in the way that ciphertexts are derived and because the mode is secure
against nonce-misusing adversaries up to common prefix [
4
]. (See Sect. 7 for a
discussion on APE.) We now focus on GIBBON and HANUMAN, which are depicted in
Fig. 4e, f. GIBBON is based on three related permutations p = ( p1, p2, p3), where
the difference in p2, p3 is used as domain separation of the header compression and
message encryption phases (the difference of p1 from ( p2, p3) is irrelevant for the mode
security analysis). Similarly, HANUMAN uses two related permutations p = ( p1, p2)
for domain separation.6
GIBBON and HANUMAN initialize their state using init that maps (K , N ) to
0b−κ−ν K N . The header and message can be of arbitrary length, and are padded
to length a multiple of r bits using 10∗-padding. In case the true header (or message)
happens to be a multiple of r bits long, the 10∗-padding is considered to spill over into
the capacity. From above observations, it is clear that the proofs of NORX directly
carry over to GIBBON and HANUMAN. A small difference appears due to the usage
of two different permutations: we need to make two RP-RF switches for each world.
2
Concretely this means that the first term in Theorem 1 becomes 5(qp+σE ) and the first
2b+1
2
term in Theorem 2 becomes 3(qp+2σbE++1σD) .
7. PRIMATEs: APE
Unlike GIBBON and HANUMAN, the APE authenticated encryption scheme follows
a different design strategy. It is depicted in Fig. 5. APE is based on one permutation p,
and characteristic to the design is the way the ciphertexts are derived and verified.
APE uses a key of size c bits, and the initialization init places K into the inner part of
the state. In case of a present nonce N , in APE it is prepended to the header H , denoted
N H . The nonce is of fixed length, and of suggested size 2r bits [
2,3
]. The header and
message can be of arbitrary length and are padded to length a multiple of r bits using
10∗-padding. In case the true header (or message) happens to be a multiple of r bits
long, the 10∗-padding is considered to spill over into the capacity. In case the message
6Vizár [94] pointed out an oversight in the domain separation of an earlier version of HANUMAN. In this
work, we consider the latest version of HANUMAN, with fixed domain separation.
is not a multiple of r bits long, the last ciphertext is derived slightly differently, and we
refer to [
2,3
].
The scheme is designed and proven to be 2c/2 secure against nonce-misusing
adversaries up to common prefix [
4
]. We now consider the security of APE in the
noncerespecting setting, and present an adversary that breaks the privacy with a complexity
of about 2c/2. We assume that the adversary can make blockwise queries to the scheme.
In more detail, upon an authenticated encryption of M1, . . . , Mv, it only needs to input
the j th message block after it receives the j − 1 ciphertext block, for j = 2, . . . , v.
Proposition 1. Let Π = (E , D) be APE based on an ideal underlying primitive p.
Then,
AdvpΠriv(0, qE , λE ) ≥ 1 − 2/2r ,
where all qE queries are of length (2(c+1)/2 + 1)/qE + ρ + 1.
Proof. We first consider a simplified setting, where qE = 1 and λE ≈ 2c/2, and will
generalize the attack to arbitrary qE afterward. Denote ρ = c/r . The adversary makes
one query of length λE = 2(c+1)/2 + ρ + 2 as follows. Let N be some nonce, the header
H is absent. A puts M1 = 0, and Mi = Ci−1 for k ∈ {2, . . . , λE }. If there exist distinct
k, k ∈ {2, . . . , λE − ρ} such that
(Ck , . . . , Ck+ρ ) = (Ck , . . . , Ck +ρ ) ,
(30)
(31)
then it outputs 1; otherwise it outputs 0. Note that if A converses with EK , then (31)
holds if the permutation calls for Mk and Mk are the same. As the outer parts are 0 for
both, this holds with probability at least 1/2c. Therefore, any such k = k exist with
probability at least λE −2ρ−1 /2c. On the other hand, if A converses with $, then this
would only hold with probability λE −2ρ−1 /2(ρ+1)r . Thus,
AdvpΠriv(0, 1, λE ) ≥
λE −2ρ−1
Putting λE = 2(c+1)/2 + ρ + 2 gives 2c ≤ ≤ 2c+1, and subsequently
AdvpΠriv(0, 1, 2(c+1)/2 + ρ + 2) ≥ 1 − 2/2r .
The analysis straightforwardly generalizes to qE queries of total length λE . Denote
μE = λE /qE , without loss of generality assuming that λE is a multiple of qE . For
the j th query for j ∈ {1, . . . , qE }, the adversary proceeds as follows. Let N j be the
unique nonce, the adversary does not query a header, as before. It takes M j,1 = 0,
and sets M j,k = C j,k−1 for k ∈ {2, . . . , μE }. If there exist j, j ∈ {1, . . . , qE } and
k, k ∈ {2, . . . , μE − ρ} with ( j, k) = ( j , k ) such that
(C j,k , . . . , C j,k+ρ ) = (C j ,k , . . . , C j ,k +ρ ) ,
(32)
then it outputs 1; otherwise it outputs 0. The same analysis as before gives
AdvpΠriv(0, qE , qE μE ) ≥
Consequently, for qE μ + (ρ + 1)qE + 1, we have AdvpΠriv(0, qE , 2(c+1)/2 +
(ρ + 1)qE + 1) ≥ 1 − 2/E2=r. E2a(cc+h1o)/f2the qE queries is of length approximately (2(c+1)/2 +
8. Conclusions
In this work we analyzed one of the Sponge-based authenticated encryption designs in
detail, NORX, and proved that it achieves security of approximately min{2b/2, 2c, 2κ },
significantly improving upon the traditional bound of min{2c/2, 2κ }. Additionally, we
showed that this proof straightforwardly generalizes to five other CAESAR modes,
Ascon, BLNK (of CBEAM/STRIBOB), ICEPOLE, Keyak v1, and PRIMATEs. Our
findings indicate an overly conservative parameter choice made by the designers,
implying that some designs can improve speed by a factor of 4 at barely any security loss. It is
expected that the security proofs also generalize to the modes of Artemia [
1
]. However,
this mode is based on the JH hash function [96] and XORs data blocks in both the rate
and inner part. It does not use domain separations, rather it encodes the lengths of the
inputs into the padding at the end [
9
]. Therefore, a generalization of the proof of NORX
to Artemia is not entirely straightforward.
The results in this work are derived in the ideal permutation model, where the
underlying primitive is assumed to be ideal. We acknowledge that this model does not perfectly
reflect the properties of the primitives. For instance, it is stated by the designers of Ascon,
NORX, and PRIMATEs that non-random (but harmless) properties of the underlying
permutation exist. Furthermore, it is important to realize that the proofs of security for
the modes of operation in the ideal model do not have a direct connection with
security analysis performed on the permutations, as is the case with block ciphers modes of
operation. Nevertheless, we can use these proofs as heuristics to guide cryptanalysts to
focus on the underlying permutations, rather than the modes themselves.
Acknowledgements
The authors would like to thank their co-designers of NORX and PRIMATEs and the
designers of Ascon and Keyak for the discussions. In particular, we thank Samuel Neves
for his useful comments. The authors furthermore thank the reviewers for their insightful
comments. Bart Mennink is supported by a postdoctoral fellowship from the Netherlands
Organisation for Scientific Research (NWO) under Veni grant 016.Veni.173.017.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0
International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution,
and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source,
provide a link to the Creative Commons license, and indicate if changes were made.
Appendix: Proof Technique Used in Lemma 3
Formally, the proof technique used in Lemma 3 relies on the following paradigm. Note
that there is an ordering of the q p + σE primitive queries, and we can reformulate
guess( ), hit( ), key( ), and multi( ) for = 1, . . . , q p + σE analogously. Likewise
define event( ) = guess( ) ∨ hit( ) and help( ) = key( ) ∨ multi( ), and define
event(1 . . . ) = event(1) ∨ · · · ∨ event( ) and help(1 . . . ) = help(1) ∨ · · · ∨ help( )
for brevity. Then, we have
≤ Pr event(q p + σE ) | ¬event(1 . . . q p + σE − 1) ∧ ¬help(1 . . . q p + σE )
+ Pr event(1 . . . q p + σE − 1) ∨ help(1 . . . q p + σE ) ,
and inductively Pr (event) ≤ q=p+1 σE Pr(event( ) | ¬event(1 . . . − 1) ∧ ¬help
(1 . . . )) + Pr (help( ) | ¬help(1 . . . − 1)). This formulation would however merely
reduce the readability of the proof.
[90] Y. Sasaki, K. Yasuda, Directly Evaluating Multi-Collisions and Improving Security Bounds. Symmetric
Cryptography, Dagstuhl Seminar 16021 (2016)
[91] K. Suzuki, D. Tonien, K. Kurosawa, K. Toyota, Birthday paradox for multi-collisions, in M.S. Rhee, B.
Lee, (eds.) Information Security and Cryptology—ICISC 2006, 9th International Conference, Busan,
Korea, November 30–December 1, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4296
(Springer, 2006), pp. 29–40
[92] K. Suzuki, D. Tonien, K. Kurosawa, K. Toyota, Birthday paradox for multi-collisions. IEICE Trans.
91-A(1), 39–45 (2008)
[93] S. Vaudenay, (ed.), Advances in Cryptology—EUROCRYPT 2006, 25th Annual International
Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June
1, 2006, Proceedings, Lecture Notes in Computer Science, vol. 4004 (Springer, 2006)
[94] D. Vizár, Ciphertext forgery on HANUMAN. Cryptology ePrint Archive, Report 2016/697 (2016)
[95] D. Whiting, R. Housley, N. Ferguson, AES Encryption and Authentication Using CTR Mode and
CBC
MAC. IEEE 802.11-02/001r2 (2002)
[96] H. Wu, The Hash Function JH (2011), submission to NIST’s SHA-3 competition
[1] J. Alizadeh , M. Aref , N. Bagheri , Artemia v1 ( 2014 ), submission to CAESAR competition
[2] E. Andreeva , B. Bilgin , A. Bogdanov , A. Luykx , F. Mendel , B. Mennink , N. Mouha , Q. Wang , K. Yasuda , PRIMATEs v1 ( 2014 ), submission to CAESAR competition
[3] E. Andreeva , B. Bilgin , A. Bogdanov , A. Luykx , F. Mendel , B. Mennink , N. Mouha , Q. Wang , K. Yasuda , PRIMATEs v1.1 ( 2016 ), submission to CAESAR competition
[4] E. Andreeva , B. Bilgin , A. Bogdanov , A. Luykx , B. Mennink , N. Mouha , K. Yasuda , APE: authenticated permutation-based encryption for lightweight cryptography , in C. Cid, C. Rechberger, (eds.) Fast Software Encryption-21st International Workshop , FSE 2014, London, UK, March 3- 5 , 2014 . Revised Selected Papers. Lecture Notes in Computer Science , vol. 8540 (Springer, 2014 ), pp. 168 - 186
[5] E. Andreeva , A. Bogdanov , A. Luykx , B. Mennink , E. Tischhauser , K. Yasuda , Parallelizable and authenticated online ciphers , in K. Sako, P. Sarkar, (eds.) Advances in Cryptology-ASIACRYPT 2013-19th International Conference on the Theory and Application of Cryptology and Information Security , Bengaluru, India, December 1- 5 , 2013 , Proceedings, Part I. Lecture Notes in Computer Science , vol. 8269 (Springer, 2013 ), pp. 424 - 443
[6] E. Andreeva , J. Daemen , B. Mennink , G. Van Assche , Security of keyed sponge constructions using a modular proof approach , in G. Leander, (ed.) Fast Software Encryption-22nd International Workshop , FSE 2015, Istanbul, Turkey, March 8- 11 , 2015 , Revised Selected Papers. Lecture Notes in Computer Science , vol. 9054 (Springer, 2015 ), pp. 364 - 384
[7] J. Aumasson , P. Jovanovic , S. Neves, NORX v1 ( 2014 ), submission to CAESAR competition
[8] J. Aumasson , P. Jovanovic , S. Neves, NORX v2 . 0 ( 2015 ), submission to CAESAR competition
[9] N. Bagheri , Padding of Artemia ( 2014 ), CAESAR mailing list
[10] M. Bellare , V.T. Hoang, Identity-based format-preserving encryption , in B.M. Thuraisingham , D. Evans , T. Malkin , D. Xu, (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 , Dallas, TX, USA, October 30-November 03, 2017 (ACM, 2017 ), pp. 1515 - 1532
[11] M. Bellare , C. Namprempre , Authenticated encryption: Relations among notions and analysis of the generic composition paradigm . J. Cryptol . 21 ( 4 ), 469 - 491 ( 2008 )
[12] M. Bellare , P. Rogaway , Code-based game-playing proofs and the security of triple encryption . Cryptology ePrint Archive, Report 2004 /331 ( 2004 )
[13] M. Bellare , P. Rogaway , The security of triple encryption and a framework for code-based game-playing proofs , in Vaudenay [93] , pp. 409 - 426
[14] M. Bellare , P. Rogaway , D. Wagner , The EAX mode of operation , in B.K. Roy, W. Meier, (eds.) Fast Software Encryption, 11th International Workshop, FSE 2004, Delhi, India, February 5- 7 , 2004 , Revised Papers . Lecture Notes in Computer Science , vol. 3017 (Springer, 2004 ), pp. 389 - 407
[15] J. Benaloh , (ed.), Topics in Cryptology-CT-RSA 2014-The Cryptographer's Track at the RSA Conference 2014 , San Francisco, CA, USA, February 25 - 28 , 2014 , in Proceedings, Lecture Notes in Computer Science , vol. 8366 (Springer, 2014 )
[16] G. Bertoni , J. Daemen , M. Peeters , G. Van Assche , Sponge Functions . ECRYPT Hash Function Workshop ( 2007 )
[17] G. Bertoni , J. Daemen , M. Peeters , G. Van Assche , On the indifferentiability of the sponge construction , in N.P. Smart, (ed.) Advances in Cryptology-EUROCRYPT 2008 , 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques , Istanbul, Turkey, April 13-17 , 2008 . Proceedings. Lecture Notes in Computer Science , vol. 4965 (Springer, 2008 ), pp. 181 - 197
[18] G. Bertoni , J. Daemen , M. Peeters , G. Van Assche , Sponge-based pseudo-random number generators , in S. Mangard, F. Standaert , (eds.) Cryptographic Hardware and Embedded Systems, CHES 2010 , 12th International Workshop, Santa Barbara, CA, USA, August 17- 20 , 2010 . Proceedings. Lecture Notes in Computer Science , vol. 6225 (Springer, 2010 ), pp. 33 - 47
[19] G. Bertoni , J. Daemen , M. Peeters , G. Van Assche , Duplexing the sponge: Single-pass authenticated encryption and other applications , in A. Miri, S. Vaudenay , (eds.) Selected Areas in Cryptography18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11-12 , 2011 , Revised Selected Papers. Lecture Notes in Computer Science , vol. 7118 (Springer, 2011 ), pp. 320 - 337
[20] G. Bertoni , J. Daemen , M. Peeters , G. Van Assche , On the security of the keyed sponge construction . Symmetric Key Encryption Workshop ( 2011 )
[21] G. Bertoni , J. Daemen , M. Peeters , G. Van Assche , Permutation-based encryption, authentication and authenticated encryption . Directions in Authenticated Ciphers ( 2012 )
[22] G. Bertoni , J. Daemen , M. Peeters , G. Van Assche , R. Van Keer , Keyak v1 ( 2014 ), submission to CAESAR competition
[23] G. Bertoni , J. Daemen , M. Peeters , G. Van Assche , R. Van Keer , Keyak v2 ( 2015 ), submission to CAESAR competition
[24] A. Bogdanov , M. Knezevic , G. Leander , D. Toz , K. Varici , I. Verbauwhede, spongent: A lightweight hash function , in B. Preneel, T. Takagi , (eds.) Cryptographic Hardware and Embedded Systems-CHES 2011-13th International Workshop , Nara, Japan, September 28-October 1 , 2011 . Proceedings. Lecture Notes in Computer Science , vol. 6917 (Springer, 2011 ), pp. 312 - 325
[25] CAESAR , Competition for Authenticated Encryption: Security, Applicability, and Robustness ( 2014 ). http://competitions.cr.yp.to/caesar.html
[26] D. Chang , M. Dworkin , S. Hong , J. Kelsey , M. Nandi , A Keyed Sponge Construction with Pseudorandomness in the Standard Model . NIST's 3rd SHA-3 Candidate Conference 2012 ( 2012 )
[27] D. Chang , M. Nandi , Improved indifferentiability security analysis of chopmd hash function , in K. Nyberg, (ed.) Fast Software Encryption, 15th International Workshop , FSE 2008, Lausanne, Switzerland, February 10-13 , 2008 , Revised Selected Papers. Lecture Notes in Computer Science , vol. 5086 (Springer, 2008 ), pp. 429 - 443
[28] H. Chernoff , A Measure of Asymptotic Efficiency for Tests of a Hypothesis Based on the sum of Observations . Ann. Math. Stat. 23 ( 4 ), 493 - 507 ( 1952 )
[29] B. Cogliati , R. Lampe , Y. Seurin , Tweaking even-mansour ciphers , in Gennaro and Robshaw [40] , pp. 189 - 208
[30] R.M. Corless , G.H. Gonnet , D.E.G. Hare , D.J. Jeffrey , D.E. Knuth , On the Lambert W function . Adv. Comput. Math. 5 ( 1 ), 329 - 359 ( 1996 )
[31] J. Daemen , B. Mennink , G. Van Assche , Full-state keyed duplex with built-in multi-user support , in T. Takagi, T. Peyrin , (eds.) Advances in Cryptology-ASIACRYPT 2017-23rd International Conference on the Theory and Applications of Cryptology and Information Security , Hong Kong, China, December 3- 7 , 2017 , Proceedings, Part II. Lecture Notes in Computer Science , vol. 10625 (Springer, 2017 ), pp. 606 - 637
[32] I. Dinur , O. Dunkelman , N. Keller, A. Shamir, Cryptanalysis of iterated even-mansour schemes with two keys , in Sarkar and Iwata [87] , pp. 439 - 457 . http://dx.doi.org/10.1007/978-3- 662 -45611-8_ 23
[33] C. Dobraunig , M. Eichlseder , F. Mendel , M. Schläffer , Ascon v1 ( 2014 ), submission to CAESAR competition
[34] C. Dobraunig , M. Eichlseder , F. Mendel , M. Schläffer , Ascon v1.1 ( 2015 ), submission to CAESAR competition
[35] FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions ( 2015 )
[36] M. Fischlin , J. Coron , (eds.), Advances in Cryptology-EUROCRYPT 2016-35th Annual International Conference on the Theory and Applications of Cryptographic Techniques , Vienna, Austria, May 8- 12 , 2016 , Proceedings, Part I , Lecture Notes in Computer Science, vol. 9665 (Springer, 2016 )
[37] E. Fleischmann , C. Forler , S. Lucks , Mcoe : A family of almost foolproof on-line authenticated encryption schemes, in A . Canteaut, (ed.) Fast Software Encryption-19th International Workshop , FSE 2012, Washington, DC, USA, March 19 -21, 2012 . Revised Selected Papers. Lecture Notes in Computer Science , vol. 7549 (Springer, 2012 ), pp. 196 - 215
[38] P. Gazi , K. Pietrzak , S. Tessaro, The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC , in Gennaro and Robshaw [ 40 ], pp. 368 - 387
[39] P. Gazi , S. Tessaro , Provably robust sponge-based prngs and kdfs , in Fischlin and Coron [36] , pp. 87 - 116
[40] R. Gennaro , M. Robshaw, (eds.), Advances in Cryptology-CRYPTO 2015-35th Annual Cryptology Conference , Santa Barbara, CA, USA, August 16- 20 , 2015 , Proceedings, Part I , Lecture Notes in Computer Science, vol. 9215 , (Springer, 2015 )
[41] M. Girault , J. Stern , On the length of cryptographic hash-values used in identification schemes , in Y. Desmedt, (ed.) Advances in Cryptology-CRYPTO ' 94 , 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21- 25 , 1994 , Proceedings. Lecture Notes in Computer Science , vol. 839 (Springer, 1994 ), pp. 202 - 215
[42] D. Gligoroski , H. Mihajloska , S. Samardjiska , H. Jacobsen , M. El-Hadedy , R. Jensen , π -Cipher v1 ( 2014 ), submission to CAESAR competition
[43] D. Gligoroski , H. Mihajloska , S. Samardjiska , H. Jacobsen , M. El-Hadedy , R. Jensen , π -Cipher v2 . 0 ( 2015 ), submission to CAESAR competition
[44] R. Granger , P. Jovanovic , B. Mennink , S. Neves , Improved masking for tweakable blockciphers with applications to authenticated encryption , in Fischlin and Coron [36] , pp. 263 - 293
[45] J. Guo , T. Peyrin , A. Poschmann , The PHOTON family of lightweight hash functions , in P. Rogaway, (ed.) Advances in Cryptology-CRYPTO 2011-31st Annual Cryptology Conference , Santa Barbara, CA, USA, August 14- 18 , 2011 . Proceedings. Lecture Notes in Computer Science , vol. 6841 (Springer, 2011 ), pp. 222 - 239
[46] S. Hirose , K. Ideguchi , H. Kuwakado , T. Owada , B. Preneel , H. Yoshida , A lightweight 256-bit hash function for hardware and low-end devices: Lesamnta-lw, in K.H . Rhee , D. Nyang , (eds.) Information Security and Cryptology-ICISC 2010 -13th International Conference, Seoul, Korea, December 1- 3 , 2010 , Revised Selected Papers. Lecture Notes in Computer Science , vol. 6829 (Springer, 2010 ), pp. 151 - 168
[47] S. Hirose , H. Kuwakado , H. Yoshida , Compression functions using a dedicated blockcipher for lightweight hashing , in H. Kim, (ed.) Information Security and Cryptology-ICISC 2011 -14th International Conference, Seoul, Korea, November 30-December 2 , 2011 . Revised Selected Papers. Lecture Notes in Computer Science , vol. 7259 (Springer, 2011 ), pp. 346 - 364
[48] V.T. Hoang , T. Krovetz , P. Rogaway , Robust authenticated-encryption AEZ and the problem that it solves , in E. Oswald, M. Fischlin, (eds.) Advances in Cryptology-EUROCRYPT 2015-34th Annual International Conference on the Theory and Applications of Cryptographic Techniques , Sofia, Bulgaria, April 26-30 , 2015 , Proceedings, Part I. Lecture Notes in Computer Science , vol. 9056 (Springer, 2015 ), pp. 15 - 44
[49] V.T. Hoang , S. Tessaro , The multi-user security of double encryption , in J. Coron, J.B. Nielsen , (eds.) Advances in Cryptology-EUROCRYPT 2017-36th Annual International Conference on the Theory and Applications of Cryptographic Techniques , Paris, France, April 30-May 4, 2017 , Proceedings, Part II. Lecture Notes in Computer Science , vol. 10211 ( 2017 ), pp. 381 - 411
[50] A. Hoorfar , M. Hassani, Inequalities on the Lambert W function and hyperpower function. J. Inequal. Pure Appl . Math. 9 ( 2 ) ( 2008 )
[51] T. Iwata , K. Ohashi , K. Minematsu , Breaking and repairing GCM security proofs , in R. Safavi-Naini, R. Canetti , (eds.) Advances in Cryptology-CRYPTO 2012-32nd Annual Cryptology Conference , Santa Barbara, CA, USA, August 19- 23 , 2012 . Proceedings. Lecture Notes in Computer Science , vol. 7417 (Springer, 2012 ), pp. 31 - 49
[52] É. Jaulmes , A. Joux , F. Valette , On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction , in J. Daemen , V. Rijmen , (eds.) Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4- 6 , 2002 , Revised Papers . Lecture Notes in Computer Science , vol. 2365 (Springer, 2002 ), pp. 237 - 251
[53] P. Jovanovic , A. Luykx , B. Mennink , Beyond 2 c/2 security in sponge-based authenticated encryption modes , in Sarkar and Iwata [87] , pp. 85 - 104
[54] L.R. Knudsen , F. Mendel , C. Rechberger , S.S. Thomsen , Cryptanalysis of MDC-2, in A . Joux, (ed.) Advances in Cryptology-EUROCRYPT 2009 , 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques , Cologne, Germany, April 26- 30 , 2009 . Proceedings. Lecture Notes in Computer Science , vol. 5479 (Springer, 2009 ), pp. 106 - 120
[55] T. Krovetz , P. Rogaway , The software performance of authenticated-encryption modes, in A . Joux, (ed.) Fast Software Encryption-18th International Workshop , FSE 2011, Lyngby, Denmark, February 13- 16 , 2011 , Revised Selected Papers. Lecture Notes in Computer Science , vol. 6733 (Springer, 2011 ), pp. 306 - 327
[56] U.M. Maurer , R. Renner , C. Holenstein , Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology , in M. Naor, (ed.) Theory of Cryptography , First Theory of Cryptography Conference, TCC 2004 , Cambridge, MA, USA, February 19 - 21 , 2004 , Proceedings. Lecture Notes in Computer Science , vol. 2951 (Springer, 2004 ), pp. 21 - 39
[57] D.A. McGrew , J. Viega, The security and performance of the galois/counter mode (GCM) of operation, in A . Canteaut, K. Viswanathan , (eds.) Progress in Cryptology-INDOCRYPT 2004 , 5th International Conference on Cryptology in India, Chennai, India, December 20-22 , 2004 , Proceedings. Lecture Notes in Computer Science , vol. 3348 (Springer, 2004 ), pp. 343 - 355
[58] F. Mendel , S. Thomsen , An Observation on JH-512 . Available online ( 2008 )
[59] B. Mennink , XPX: generalized tweakable even-mansour with improved security guarantees , in Robshaw and Katz [76] , pp. 64 - 94
[60] B. Mennink , R. Reyhanitabar , D. Vizár , Security of full-state keyed sponge and duplex: Applications to authenticated encryption , in T. Iwata, J.H. Cheon , (eds.) Advances in Cryptology-ASIACRYPT 2015-21st International Conference on the Theory and Application of Cryptology and Information Security , Auckland, New Zealand, November 29-December 3 , 2015 , Proceedings, Part II. Lecture Notes in Computer Science , vol. 9453 (Springer, 2015 ), pp. 465 - 489
[61] H. Mihajloska , B. Mennink , D. Gligoroski, π -Cipher with Intermediate Tags ( 2016 ), available online
[62] B. Minaud , Re: CBEAM Withdrawn as of today! ( 2014 ), CAESAR mailing list
[63] K. Minematsu , Parallelizable rate-1 authenticated encryption from pseudorandom functions , in P.Q. Nguyen , E. Oswald, (eds.) Advances in Cryptology-EUROCRYPT 2014-33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques , Copenhagen, Denmark, May 11 -15, 2014 . Proceedings. Lecture Notes in Computer Science , vol. 8441 (Springer, 2014 ), pp. 275 - 292
[64] M. Mitzenmacher , E. Upfal, (eds.), Probability and Computing: Randomized Algorithms and Probabilistic Analysis. (Cambridge University Press, New York, 2005 )
[65] P. Morawiecki , K. Gaj , E. Homsirikamol , K. Matusiewicz , J. Pieprzyk , M. Rogawski , M. Srebrny , M. Wójcik , ICEPOLE v1 ( 2014 ), submission to CAESAR competition
[66] P. Morawiecki , K. Gaj , E. Homsirikamol , K. Matusiewicz , J. Pieprzyk , M. Rogawski , M. Srebrny , M. Wójcik , ICEPOLE v2 ( 2015 ), submission to CAESAR competition
[67] R. Motwani , P. Raghavan, (eds.), Randomized Algorithms . (Cambridge University Press, New York, 1995 )
[68] Y. Naito , Y. Sasaki , L. Wang , K. Yasuda , Generic state-recovery and forgery attacks on chopmd-mac and on NMAC/HMAC , in K. Sakiyama, M. Terada, (eds.) Advances in Information and Computer Security-8th International Workshop on Security, IWSEC 2013 , Okinawa, Japan, November 18-20 , 2013 , Proceedings. Lecture Notes in Computer Science , vol. 8231 (Springer, 2013 ), pp. 83 - 98
[69] Y. Naito , K. Yasuda , New bounds for keyed sponges with extendable output: Independence between capacity and message length , in T. Peyrin, (ed.) Fast Software Encryption-23rd International Conference, FSE 2016 , Bochum, Germany, March 20-23, 2016 , Revised Selected Papers. Lecture Notes in Computer Science , vol. 9783 (Springer, 2016 ), pp. 3 - 22
[70] I. Nikolic , L. Wang , S. Wu , Cryptanalysis of round-reduced \mathttled , In S. Moriai, (ed.) Fast Software Encryption-20th International Workshop , FSE 2013, Singapore, March 11 -13, 2013 . Revised Selected Papers. Lecture Notes in Computer Science , vol. 8424 (Springer, 2013 ), pp. 112 - 129
[71] F.W.J. Olver , D.W. Lozier , R.F. Boisvert , C.W. Clark , (eds.), NIST Handbook of Mathematical Functions . (Cambridge University Press, New York, 2010 )
[72] T. Peyrin , Y. Seurin , Counter-in-tweak: Authenticated encryption modes for tweakable block ciphers , in Robshaw and Katz [76] , pp. 33 - 63
[73] B. Preneel , R. Govaerts , J. Vandewalle , On the power of memory in the design of collision resistant hash functions , in J. Seberry, Y. Zheng, (eds.) Advances in Cryptology-AUSCRYPT '92, Workshop on the Theory and Application of Cryptographic Techniques , Gold Coast, Queensland, Australia, December 13-16 , 1992 , Proceedings. Lecture Notes in Computer Science , vol. 718 (Springer, 1992 ), pp. 105 - 121
[74] M. Raab , A . Steger, “Balls into Bins” -A simple and tight analysis , in M. Luby, J.D.P. Rolim , M.J. Serna , (eds.) Randomization and Approximation Techniques in Computer Science, Second International Workshop, RANDOM'98, Barcelona , Spain, October 8- 10 , 1998 , Proceedings. Lecture Notes in Computer Science , vol. 1518 (Springer, 1998 ), pp. 159 - 170
[75] R. Reyhanitabar , Do Sponge-based AE modes have beyond 2c/2 “Security”? ( 2014 ), CAESAR mailing list
[76] M. Robshaw , J. Katz , (eds.), Advances in Cryptology-CRYPTO 2016 -36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14- 18 , 2016 , Proceedings, Part I , Lecture Notes in Computer Science, vol. 9814 (Springer, 2016 )
[77] P. Rogaway , Authenticated-encryption with associated-data , in V. Atluri, (ed.) Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002 , Washington, DC, USA, November 18 - 22 , 2002 . (ACM, 2002 ), pp. 98 - 107
[78] P. Rogaway , Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC , in P.J. Lee , (ed.) Advances in Cryptology-ASIACRYPT 2004 , 10th International Conference on the Theory and Application of Cryptology and Information Security , Jeju Island, Korea, December 5- 9 , 2004 , Proceedings. Lecture Notes in Computer Science , vol. 3329 (Springer, 2004 ), pp. 16 - 31
[79] P. Rogaway , M. Bellare , J. Black , T. Krovetz, OCB: a block-cipher mode of operation for efficient authenticated encryption , in M.K. Reiter, P. Samarati, (eds.) CCS 2001 , Proceedings of the 8th ACM Conference on Computer and Communications Security , Philadelphia, Pennsylvania, USA, November 6- 8 , 2001 (ACM, 2001 ), pp. 196 - 205
[80] P. Rogaway , T. Shrimpton , A provable-security treatment of the key-wrap problem , in Vaudenay [93] , pp. 373 - 390
[81] M.J.O. Saarinen , Authenticated Encryption from GOST R 34 .11 -2012 LPS Permutation , in CTCrypt 2014 ( 2014 )
[82] M.O. Saarinen , Beyond modes: Building a secure record protocol from a cryptographic sponge permutation , in Benaloh [15] , pp. 270 - 285
[83] M.O. Saarinen , CBEAM: efficient authenticated encryption from feebly one-way φ functions , in Benaloh [15] , pp. 251 - 269
[84] M.J.O. Saarinen , CBEAM r1 ( 2014 ), submission to CAESAR competition
[85] M.J.O. Saarinen , STRIBOB r1 ( 2014 ), submission to CAESAR competition
[86] M.J.O. Saarinen , B.B. Brumley , STRIBOB r2: “WHIRLBOB” ( 2015 ), submission to CAESAR competition
[87] P. Sarkar , T. Iwata , (eds.), Advances in Cryptology-ASIACRYPT 2014-20th International Conference on the Theory and Application of Cryptology and Information Security , Kaoshiung, Taiwan, R.O.C. , December 7- 11 , 2014 . Proceedings, Part I , Lecture Notes in Computer Science, vol. 8873 (Springer, 2014 )
[88] Y. Sasaki , L. Wang , Generic attacks on strengthened HMAC: n-bit secure HMAC requires key in all blocks , in M. Abdalla, R.D. Prisco, (eds.) Security and Cryptography for Networks- 9th International Conference, SCN 2014 , Amalfi, Italy, September 3- 5 , 2014 . Proceedings. Lecture Notes in Computer Science , vol. 8642 (Springer, 2014 ), pp. 324 - 339
[89] Y. Sasaki , K. Yasuda , How to incorporate associated data in sponge-based authenticated encryption , in K. Nyberg, (ed.) Topics in Cryptology-CT-RSA 2015, The Cryptographer's Track at the RSA Conference 2015 , San Francisco, CA, USA, April 20 - 24 , 2015 . Proceedings. Lecture Notes in Computer Science , vol. 9048 (Springer, 2015 ), pp. 353 - 370