Advancing in Authenticated Encryption
Disciplines
Computer Sciences (100%)
Keywords
- Cryptanalysis
- Authenticated Encryption
- Symmetric Cryptography
Today, we stand at a point where countless devices communicate over publicly accessible networks. One basic need in such a scenario is that messages exchanged between two communicating parties (usually named Alice and Bob) are kept confidential and authentic. In this context, confidentiality means that no one except Alice and Bob should be able to read the message, and authenticity means that any alteration of the sent message, whether malicious or unintentional, can be detected. Both goals can be achieved by using authenticated encryption (AE). AE fulfills a crucial need because, for most applications that we use every day, there is not much value in merely ensuring that a message is kept confidential. This includes applications with a purely private purpose, like instant messaging, but also commercial applications like e-commerce or online banking. Due to its practical importance, AE is a very active research topic with a steady stream of new ideas and new designs. So the big question is: which of the many proposed designs is secure? At the moment, the answer to this question is cryptanalysis. During cryptanalysis, researchers try to find ways to attack the scheme itself, but also weakened versions of it. In this way, insight into the security of the designs grows over the years. This leaves us with another question: which of the secure designs should be used in practice? In symmetric cryptography, one useful answer is public and open cryptographic competitions. Here, researchers from all over the world submit their best designs and scrutinize the other submissions. Examples of such competitions are the ongoing CAESAR competition and the NIST lightweight call, both searching for AE schemes. In this project, we want to provide advancements to the state of the art in AE. We do this by further scrutinizing the security of the AE scheme Ascon. Ascon, which we co-designed, is one of the seven (out of 57) finalists of CAESAR.
Furthermore, the research into the security of Ascon should lead to a submission to the NIST lightweight call. We also plan to analyze other design ideas, like parallel permutation-based cryptography or schemes that are resilient against certain classes of side-channel attacks. Analysis of such schemes allows for a better quantification of their strengths and weaknesses, which in turn leads to a better understanding of the design of AE schemes that can potentially be used in further refinements of existing schemes, or even new designs. The fellowship will fund the work of Christoph Dobraunig, which will be conducted mainly at Radboud University (the Netherlands). There, Christoph will work together with Joan Daemen, a co-designer of AES and SHA-3.
Today, we stand at a point where countless devices communicate over publicly accessible networks. One basic need in such a scenario is that messages exchanged between two communicating parties (usually named Alice and Bob) are kept confidential and authentic. In this context, confidentiality means that no one except Alice and Bob can read the message, and authenticity means that any alteration of the sent message, whether malicious or unintentional, can be detected. Both goals can be achieved by using authenticated encryption (AE). AE fulfills a crucial need because, for most applications that we use every day, there is not much value in merely ensuring that a message is kept confidential. This includes applications with a purely private purpose, like instant messaging, and commercial applications like e-commerce or online banking. However, the question is: how do we ensure that the AE schemes we use are useful and secure? In symmetric cryptography, one answer is a public and open cryptographic competition. Here, researchers from all over the world submit their best designs and scrutinize the other submissions. This project enabled us to contribute to three submissions for the ongoing lightweight cryptography standardization process organized by NIST. At the time of writing (October 2020), all three submissions, Ascon, Elephant, and Isap v2.0, are still participating in the second round of the process. From the first to the second round, the initial 56 candidates have been reduced to 32. In addition, the research conducted in this project aided the standardization process through published cryptanalysis of third-party schemes. Naturally, these results not only help the lightweight cryptography standardization process but also grow the insight into the security of AE designs. However, for many use cases of AE, cryptanalytic security is not enough.
In particular, implementations of AE often have to withstand side-channel attacks (e.g., attacks that aim to extract the secret key from a device using its power consumption) and fault attacks (attacks that induce faults during the computation). In this project, we researched and published implementation-level countermeasures against such side-channel and fault attacks. In particular, those countermeasures are able to provide protection against a new category of fault attacks called statistical ineffective fault attacks and are applicable to a wide range of AE schemes. Considering that the AE scheme Isap v2.0 has been designed to provide increased resilience against certain classes of side-channel attacks, we investigated the leakage resilience of the duplex and the suffix keyed sponge constructions. These results are applicable to, but not limited to, Isap v2.0.
- Radboud University Nijmegen - 100%
- Technische Universität Graz - 100%
Research Output
- 306 Citations
- 19 Publications
- 2022. Dobraunig C. Leakage and Tamper Resilient Permutation-Based Cryptography. Conference Proceeding, pp. 859-873. DOI 10.1145/3548606.3560635
- 2021. Dobraunig C. Ascon v1.2: Lightweight Authenticated Encryption and Hashing. Journal Article, Journal of Cryptology, 33 pages. DOI 10.1007/s00145-021-09398-9
- 2020. Dobraunig C. Practical forgeries for ORANGE. Journal Article, Information Processing Letters, article 105961. DOI 10.1016/j.ipl.2020.105961
- 2019. Ankele R. Zero-Correlation Attacks on Tweakable Block Ciphers with Linear Tweakey Expansion. Other. DOI 10.5281/zenodo.2593577
- 2019. Ankele R. Zero-Correlation Attacks on Tweakable Block Ciphers with Linear Tweakey Expansion. Other. DOI 10.5281/zenodo.2593578
- 2019. Dobraunig C. Leakage Resilience of the Duplex Construction. Book Chapter, Springer Nature, pp. 225-255. DOI 10.1007/978-3-030-34618-8_8
- 2019. Ankele R. Zero-Correlation Attacks on Tweakable Block Ciphers with Linear Tweakey Expansion. Journal Article, IACR Transactions on Symmetric Cryptology, pp. 192-235. DOI 10.46586/tosc.v2019.i1.192-235
- 2022. Beyne T. Multi-user Security of the Elephant v2 Authenticated Encryption Mode. Book Chapter, Springer Nature, pp. 155-178. DOI 10.1007/978-3-030-99277-4_8
- 2019. Ankele R. Zero-Correlation Attacks on Tweakable Block Ciphers with Linear Tweakey Expansion. Journal Article, IACR Transactions on Symmetric Cryptology, pp. 192-235. DOI 10.13154/tosc.v2019.i1.192-235
- 2020. Dobraunig C. Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96. Other. DOI 10.13154/tosc.v2020.i1.289-312
- 2020. Dobraunig C. Isap v2.0. Other. DOI 10.13154/tosc.v2020.is1.390-416
- 2020. Beyne T. Dumbo, Jumbo, and Delirium: Parallel Authenticated Encryption for the Lightweight Circus. Other. DOI 10.13154/tosc.v2020.is1.5-30
- 2020. Dobraunig C. Tightness of the Suffix Keyed Sponge Bound. Journal Article, IACR Transactions on Symmetric Cryptology. DOI 10.46586/tosc.v2020.i4.195-212
- 2020. Dobraunig C. Security of the Suffix Keyed Sponge. Other. DOI 10.13154/tosc.v2019.i4.223-248
- 2020. Beyne T. Dumbo, Jumbo, and Delirium: Parallel Authenticated Encryption for the Lightweight Circus. Journal Article, IACR Transactions on Symmetric Cryptology, pp. 5-30. DOI 10.46586/tosc.v2020.is1.5-30
- 2020. Dobraunig C. Security of the Suffix Keyed Sponge. Journal Article, IACR Transactions on Symmetric Cryptology, pp. 223-248. DOI 10.46586/tosc.v2019.i4.223-248
- 2020. Daemen J. Protecting against Statistical Ineffective Fault Attacks. Journal Article, IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 508-543. DOI 10.46586/tches.v2020.i3.508-543
- 2020. Daemen J. Protecting against Statistical Ineffective Fault Attacks. Journal Article, IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 508-543. DOI 10.13154/tches.v2020.i3.508-543