期刊论文详细信息
Journal of mathematical cryptology
The Oribatida v1.3 Family of Lightweight Authenticated Encryption Schemes
article
Arghya Bhattacharjee1  Cuauhtemoc Mancillas López2  Eik List3  Mridul Nandi1 
[1] Applied Statistics Unit, Indian Statistical Institute;Computer Science Department;Bauhaus-Universität Weimar
关键词: Authenticated encryption;    permutation;    provable security;   
DOI  :  10.1515/jmc-2020-0018
学科分类:社会科学、人文和艺术(综合)
来源: De Gruyter
PDF
【 摘 要 】

Permutation-based modes have been established for lightweight authenticated encryption, as can be seen from the high interest in the ongoing NIST lightweight competition. However, their security is upper bounded by O ( σ 2 /2 c ) bits, where σ are the number of calls and c is the hidden capacity of the state. The development of more schemes that provide higher security bounds led to the CHES’18 proposal Beetle that raised the bound to O ( rσ /2 c ), where r is the public rate of the state. While authenticated encryption can be performed in an on-line manner, authenticated decryption assumes that the resulting plaintext is buffered and never released if the corresponding tag is incorrect. Since lightweight devices may lack the resources for buffering, additional robustness guarantees, such as integrity under release of unverified plaintexts (I nt -RUP), are desirable. In this stronger setting, the security of the established schemes, including Beetle, is limited by O ( q p q d /2 c ), where q d is the maximal number of decryption queries, and q p that of off-line primitive queries, which motivates novel approaches. This work proposes Oribatida, a permutation-based AE scheme that derives s -bit masks from previous permutation outputs to mask ciphertext blocks. Oribatida can provide a security bound of O ( rσ 2 / c + s ), which allows smaller permutations for the same level of security. It provides a security level dominated by O(σd2/2c)O(\sigma_d^2{/2^c}) under I nt -RUP adversaries, which eliminates the dependency on primitive queries. We prove its security under nonce-respecting and I nt -RUP adversaries. We show that our I nt -RUP bound is tight and show general attacks on previous constructions.

【 授权许可】

CC BY|CC BY-NC-ND   

【 预 览 】
附件列表
Files Size Format View
RO202107200005172ZK.pdf 971KB PDF download
  文献评价指标  
  下载次数:10次 浏览次数:0次