Journal article details
Journal of mathematical cryptology
The Oribatida v1.3 Family of Lightweight Authenticated Encryption Schemes
article
Arghya Bhattacharjee [1], Cuauhtemoc Mancillas López [2], Eik List [3], Mridul Nandi [1]
[1] Applied Statistics Unit, Indian Statistical Institute; [2] Computer Science Department; [3] Bauhaus-Universität Weimar
Keywords: Authenticated encryption; permutation; provable security
DOI: 10.1515/jmc-2020-0018
Subject classification: Social Sciences, Humanities and Arts (General)
Source: De Gruyter
Abstract

Permutation-based modes have been established for lightweight authenticated encryption, as can be seen from the high interest in the ongoing NIST lightweight competition. However, their security is upper bounded by O(σ²/2^c) bits, where σ is the number of calls and c is the hidden capacity of the state. The development of more schemes that provide higher security bounds led to the CHES'18 proposal Beetle, which raised the bound to O(rσ/2^c), where r is the public rate of the state. While authenticated encryption can be performed in an on-line manner, authenticated decryption assumes that the resulting plaintext is buffered and never released if the corresponding tag is incorrect. Since lightweight devices may lack the resources for buffering, additional robustness guarantees, such as integrity under release of unverified plaintexts (Int-RUP), are desirable. In this stronger setting, the security of the established schemes, including Beetle, is limited by O(q_p q_d/2^c), where q_d is the maximal number of decryption queries and q_p that of off-line primitive queries, which motivates novel approaches. This work proposes Oribatida, a permutation-based AE scheme that derives s-bit masks from previous permutation outputs to mask ciphertext blocks. Oribatida can provide a security bound of O(rσ²/2^(c+s)), which allows smaller permutations for the same level of security. It provides a security level dominated by O(σ_d²/2^c) under Int-RUP adversaries, which eliminates the dependency on primitive queries. We prove its security under nonce-respecting and Int-RUP adversaries. We show that our Int-RUP bound is tight and show general attacks on previous constructions.

License

CC BY|CC BY-NC-ND   
