Nilanjan Datta
Indian Statistical Institute
Publication
Featured research published by Nilanjan Datta.
Australasian Conference on Information Security and Privacy | 2014
Nilanjan Datta; Mridul Nandi
The authenticated encryptions which resist misuse of initial value (or nonce) at some desired level of privacy are two-pass or Mac-then-Encrypt constructions (inherently inefficient but provide full privacy) and online constructions, e.g., McOE, sponge-type authenticated encryptions (such as duplex) and COPA. Only the last one is almost parallelizable with some bottleneck in processing associated data. In this paper, we design a new online secure authenticated encryption, called ELmE or Encrypt-Linear mix-Encrypt, which is completely (two-stage) parallel (even in associated data) and pipeline implementable. It also provides full privacy when associated data (which includes initial value) is not repeated. The basic idea of our construction is based on EME, an Encrypt-Mix-Encrypt type SPRP construction (secure against chosen plaintext and ciphertext). But unlike EME, we have used an online computable efficient linear mixing instead of a non-linear mixing. Our construction optionally supports intermediate tags which can be verified faster with less buffer size. Intermediate tag provides security against block-wise adversaries which is meaningful in low-end device implementation.
IEEE Transactions on Computers | 2016
Lilian Bossuet; Nilanjan Datta; Cuauhtemoc Mancillas-López; Mridul Nandi
Authenticated encryption schemes which resist misuse of nonce at some desired level of privacy are two-pass or Mac-then-Encrypt constructions (inherently inefficient but provide full privacy) and online constructions like McOE, sponge-type authenticated encryptions (such as duplex) and COPA. Only the last one is almost parallelizable except that for associated data processing, the final block-cipher call is sequential (it needs to wait for the encryption of all the previous ones). In this paper, we design a new online secure authenticated encryption, called ELmD or Encrypt-Linear mix-Decrypt, which is completely (two-stage) parallel (even in associated data) and fully pipeline implementable. It also provides full privacy when associated data is not repeated. Like COPA, our construction is based on EME, an Encrypt-Mix-Encrypt type SPRP construction (secure against chosen plaintext and ciphertext). But unlike EME, we have used an online computable efficient linear mixing instead of a non-linear mixing. We have also provided the hardware implementation of the construction and compare the performance with similar constructions like COPA and EME2.
Australasian Conference on Information Security and Privacy | 2015
Nilanjan Datta; Kan Yasuda
In this paper, we study the security of PMAC-type constructions generalizing the underlying primitive to keyed functions. We first consider the construction with two different primitives: one for intermediate calls and another for finalization. While the security of original PMAC was based on the assumption that the primitive (block ciphers) is a pseudo-random permutation (PRP), here we show that for MAC security of the construction, we just need MAC security of the internal primitives and privacy-preserving MAC (PP-MAC) security for the finalization primitive. As PP-MAC is strictly weaker than a pseudo-random function (PRF), this shows that PRF assumption on underlying primitives is not a necessary condition to achieve MAC security of PMAC type constructions. In the context, we also show that for PRF security of the construction, we only need the finalization primitive to be PRF secure. The requirement on the internal primitive reduces from PRF to just a secure MAC. Moreover, we show that for MAC security of the construction, PRF security of underlying primitive is not essential. We claim that, if we restrict to use only one primitive (as two keys are required, if two different primitives are used) then for MAC security, the primitive only needs to be PP-MAC secure. This essentially makes the construction single key PP-MAC domain extender, having the parallelizability advantage over iCBC-MAC. We also show that, if we want the construction to be PRF secure, then we need the underlying primitive to be PRF secure. This can be thought of as an alternative proof of the original PMAC, not restricted to block-ciphers only but takes care of any keyed functions.
Journal of Mathematical Cryptology | 2018
Avik Chakraborti; Nilanjan Datta; Mridul Nandi
A block is an n-bit string, and a (possibly keyed) block-function is a non-linear mapping that maps one block to another, e.g., a block-cipher. In this paper, we consider various symmetric key primitives with $\ell$ block inputs and raise the following question: what is the minimum number of block-function invocations required for a mode to be secure? We begin with encryption modes that generate $\ell^{\prime}$ block outputs and show that at least $(\ell+\ell^{\prime}-1)$ block-function invocations are necessary to achieve the PRF security. In presence of a nonce, the requirement of block-functions reduces to $\ell^{\prime}$ blocks only. If $\ell=\ell^{\prime}$, in order to achieve SPRP security, the mode requires at least $2\ell$ many block-function invocations. We next consider length preserving r-block (called chunk) online encryption modes and show that, to achieve online PRP security, each chunk should have at least $2r-1$ many and overall at least $2r\ell-1$ many block-functions for $\ell$ many chunks. Moreover, we show that it can achieve online SPRP security if each chunk contains at least $2r$ non-linear block-functions. We next analyze affine MAC modes and show that an integrity-secure affine MAC mode requires at least $\ell$ many block-function invocations to process an $\ell$ block message. Finally, we consider affine mode authenticated encryption and show that in order to achieve INT-RUP security or integrity security under a nonce-misuse scenario, either (i) the number of non-linear block-functions required to generate the ciphertext is more than $\ell$ or (ii) the number of extra non-linear block-functions required to generate the tag depends on $\ell$.
Provable Security | 2014
Nilanjan Datta; Mridul Nandi
In FSE’10, Nandi proved a sufficient condition of pseudo random function (PRF) for affine domain extensions (ADE), a wide class of blockcipher based domain extensions. This sufficient condition is satisfied by all known ADE, however, it is not a characterization of PRF. In this paper we completely characterize the ADE and show that weaker security notions message authentication code (MAC) and weakly collision resistant (WCR) are indeed equivalent to PRF.
International Workshop on Security | 2014
Nilanjan Datta; Mridul Nandi
EME is a SPRP or strong pseudorandom permutation construction which uses a nonlinear mixing in between two encryption layers. The designers of EME have shown that the construction is not SPRP secure if the mixing layer of EME is replaced by any linear mixing over a binary field. In this paper, we complete their observation by showing SPRP-insecurity even if we have linear mixing over any non-binary prime field. We have some positive result that PRP (pseudorandom permutation) and online PRP security can be achieved for certain types of linear mixing functions. In fact, we fully characterize all those linear mixing for which (online) PRP security is achieved and demonstrate attacks for all other linear mixing functions.
IACR Cryptology ePrint Archive | 2013
Nilanjan Datta; Mridul Nandi
The Cryptographers' Track at the RSA Conference | 2016
Avik Chakraborti; Nilanjan Datta; Mridul Nandi
IACR Cryptology ePrint Archive | 2015
Nilanjan Datta; Avijit Dutta; Mridul Nandi; Goutam Paul; Liting Zhang
IACR Cryptology ePrint Archive | 2014
Nilanjan Datta; Mridul Nandi