New Bounds for Keyed Sponges with Extendable Output: Independence Between Capacity and Message Length
We provide new bounds for the pseudo-random function security of keyed sponge constructions. For the case $$c\le b/2$$ (c the capacity and b the permutation size), our result improves over all previously-known bounds. A remarkable aspect of our bound is ...
RIV for Robust Authenticated Encryption
Typical AE schemes are supposed to be secure when used as specified. However, they can --- and often do --- fail miserably when used improperly. As a partial remedy, Rogaway and Shrimpton proposed nonce-misuse-resistant AE (MRAE) and the first MRAE scheme ...
A MAC Mode for Lightweight Block Ciphers
Lightweight cryptography strives to protect communication in constrained environments without sacrificing security. However, security often conflicts with efficiency, shown by the fact that many new lightweight block cipher designs have block sizes as ...
Cryptanalysis of the Full Spritz Stream Cipher
Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term ...
Attacks Against Filter Generators Exploiting Monomial Mappings
Filter generators are vulnerable to several attacks which have led to well-known design criteria on the Boolean filtering function. However, Rønjom and Cid have observed that a change of the primitive root defining the LFSR leads to several equivalent ...
Lightweight MDS Generalized Circulant Matrices
In this article, we analyze the circulant structure of generalized circulant matrices to reduce the search space for finding lightweight MDS matrices. We first show that the implementation of circulant matrices can be serialized and can achieve similar ...
On the Construction of Lightweight Circulant Involutory MDS Matrices
In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. The key contribution of the present paper is constructing MDS matrices with entries in the set of $$m\times m$$ non-singular ...
Optimizing S-Box Implementations for Several Criteria Using SAT Solvers
We explore the feasibility of applying SAT solvers to optimizing implementations of small functions such as S-boxes for multiple optimization criteria, e.g., the number of nonlinear gates and the number of gates. We provide optimized implementations for ...
Verifiable Side-Channel Security of Cryptographic Implementations: Constant-Time MEE-CBC
We provide further evidence that implementing software countermeasures against timing attacks is a non-trivial task and requires domain-specific software development processes: we report an implementation bug in the s2n library, recently released by AWS ...
White-Box Cryptography in the Gray Box
Implementations of white-box cryptography aim to protect a secret key in a white-box environment in which an adversary has full control over the execution process and the entire environment. Its fundamental principle is the map of the cryptographic ...
Detecting Flawed Masking Schemes with Leakage Detection Tests
Masking is a popular countermeasure to thwart side-channel attacks on embedded systems. Many proposed masking schemes, even carrying "security proofs", are eventually broken because they are flawed by design. The security validation process is nowadays ...
There Is Wisdom in Harnessing the Strengths of Your Enemy: Customized Encoding to Thwart Side-Channel Attacks
Side-channel attacks are an important concern for the security of cryptographic algorithms. To counteract it, a recent line of research has investigated the use of software encoding functions such as dual-rail rather than the well known masking ...
Automatic Search for Key-Bridging Technique: Applications to LBlock and TWINE
Key schedules in block ciphers are often highly simplified, which causes weakness that can be exploited in many attacks. At ASIACRYPT 2011, Dunkelman et al. proposed a technique using the weakness in the key schedule of AES, called key-bridging ...
MILP-Based Automatic Search Algorithms for Differential and Linear Trails for Speck
In recent years, Mixed Integer Linear Programming (MILP) has been successfully applied in searching for differential characteristics and linear approximations in block ciphers and has produced significant results for some ciphers such as SIMON a ...
Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck
We propose the first adaptation of Matsui's algorithm for finding the best differential and linear trails to the class of ARX ciphers. It is based on a branch-and-bound search strategy, does not use any heuristics and returns optimal results. The ...
Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression
- Anne Canteaut,
- Sergiu Carpov,
- Caroline Fontaine,
- Tancrède Lepoint,
- María Naya-Plasencia,
- Pascal Paillier,
- Renaud Sirdey
In typical applications of homomorphic encryption, the first step consists for Alice to encrypt some plaintext m under Bob's public key $$\mathsf {pk}$$ and to send the ciphertext $$c = \mathsf {HE}_{\mathsf {pk}}(m)$$ to some third-party evaluator ...
Efficient Design Strategies Based on the AES Round Function
We show several constructions based on the AES round function that can be used as building blocks for MACs and authenticated encryption schemes. They are found by a search of the space of all secure constructions based on an efficient design strategy ...
Bit-Based Division Property and Application to Simon Family
Ciphers that do not use S-boxes have been discussed for the demand on lightweight cryptosystems, and their round functions consist of AND, rotation, and XOR. Especially, the Simon family is one of the most famous ciphers, and there are many ...
Algebraic Insights into the Secret Feistel Network
We introduce the high-degree indicator matrix (HDIM), an object closely related with both the linear approximation table and the algebraic normal form (ANF) of a permutation. We show that the HDIM of a Feistel Network contains very specific patterns ...
Integrals Go Statistical: Cryptanalysis of Full Skipjack Variants
Integral attacks form a powerful class of cryptanalytic techniques that have been widely used in the security analysis of block ciphers. The integral distinguishers are based on balanced properties holding with probability one. To obtain a distinguisher ...
Note on Impossible Differential Attacks
While impossible differential cryptanalysis is a well-known and popular cryptanalytic method, errors in the analysis are often discovered and many papers in the literature present flaws. Wishing to solve that, Boura et al. [1] presented at ASIACRYPT'...
Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-Guessing Techniques
Simon is a lightweight block cipher family proposed by NSA in 2013. It has drawn many cryptanalysts' attention and varieties of cryptanalysis results have been published, including differential, linear, impossible differential, integral cryptanalysis ...
Modeling Random Oracles Under Unpredictable Queries
In recent work, Bellare, Hoang, and Keelveedhi (CRYPTO 2013) introduced a new abstraction called Universal Computational Extractors (UCEs), and showed how they can replace random oracles (ROs) across a wide range of cryptosystems. We formulate a new framework,...
Practical Order-Revealing Encryption with Limited Leakage
In an order-preserving encryption scheme, the encryption algorithm produces ciphertexts that preserve the order of their plaintexts. Order-preserving encryption schemes have been studied intensely in the last decade, and yet not much is known about the ...
Strengthening the Known-Key Security Notion for Block Ciphers
We reconsider the formalization of known-key attacks against ideal primitive-based block ciphers. This was previously tackled by Andreeva, Bogdanov, and Mennink (FSE 2013), who introduced the notion of known-key indifferentiability. Our starting point ...
Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications
Universal hash functions (UHFs) have been extensively used in the design of cryptographic schemes. If we consider the related-key attack (RKA) against these UHF-based schemes, some of them may not be secure, especially those using the key of UHF as a part ...
Key Recovery Attack Against 2.5-Round $$\pi $$-Cipher
- Christina Boura,
- Avik Chakraborti,
- Gaëtan Leurent,
- Goutam Paul,
- Dhiman Saha,
- Hadi Soleimany,
- Valentin Suder
In this paper, we propose a guess and determine attack against some variants of the $$\pi $$-Cipher family of authenticated ciphers. This family of ciphers is a second-round candidate of the CAESAR competition. More precisely, we show a key recovery ...
Cryptanalysis of Reduced NORX
NORX is a second round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce based authenticated encryption scheme based on the sponge construction. Its two variants denoted by NORX32 and NORX64 provide a security level ...
Analysis of the Kupyna-256 Hash Function
The hash function Kupyna was recently published as the Ukrainian standard DSTU 7564:2014. It is structurally very similar to the SHA-3 finalist Grøstl, but differs in details of the round transformations. Most notably, some of the round constants are ...