Abstract

Lightweight authenticated ciphers are authenticated encryption (AE) schemes designed specifically for resource-constrained devices. Permutation-based lightweight authenticated ciphers have gained increasing attention in recent years. However, almost all permutation-based lightweight AE schemes ensure only conventional security, i.e., about -bit security, where is the capacity of the permutation. This bound may be insufficient when the capacity is not large enough. This paper focuses on stronger security guarantees and better efficiency for permutation-based lightweight AE schemes. On the basis of the APE series (APE, , , and ), we propose a new improved permutation-based lightweight online AE mode which supports beyond-conventional security and concurrent absorption. We then give a simple security proof and show that enjoys up to about -bit security, where is the rate of the permutation. Finally, we discuss the properties of with respect to hardware implementation.

1. Introduction

With the widespread rise of big data, the Internet of Things (IoT), and fifth generation (5G) and beyond-5G (B5G) networks, leaks of sensitive data from wireless sensor devices and network platforms have become more serious and more common. The collection of sensitive data has become one of the main targets of cyberattacks. How can we protect our sensitive data? Cryptography is an important means of protecting the security of sensitive data.

Lightweight cryptography focuses on symmetric-key cryptography, with the goal of securing data on resource-constrained devices in embedded systems, sensor networks, RFID, and other low-cost environments. Its defining feature is that the hardware implementation costs (such as area, footprint, latency, and throughput) are kept as low as possible and the implementation efficiency (rate) as high as possible, without sacrificing the security guarantee.

Research on lightweight cryptography began in 2004 and has been going on for more than a decade. Lightweight cryptography mainly comprises lightweight ciphers and their modes of operation. Lightweight ciphers are designed to protect the privacy (confidentiality) of sensitive data on lightweight devices. Up to now, a large number of lightweight ciphers have been proposed, analyzed, and implemented [19]. Lightweight authenticated encryption (AE) modes of operation, also called lightweight authenticated ciphers, achieve both privacy protection of sensitive data and integrity verification of all data on lightweight devices. The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), launched in 2013, greatly contributed to the vigorous development of lightweight AE modes and produced many excellent schemes, such as Ascon [10] and ACORN [10]. From the perspective of the design method, lightweight AE modes include block-cipher-based lightweight AE modes [11–14], stream-cipher-based lightweight AE modes [15, 16], permutation-based lightweight AE modes [17–20], and hash-based lightweight AE modes [19, 20]. Among these, permutation-based lightweight AE modes are more advantageous and attractive than the others due to their simple structure, convenient lookup tables, and fast running speed.

Authenticated permutation-based encryption (APE), designed by Andreeva et al. [17], is the first permutation-based lightweight AE mode with nonce-misuse resistance. The idea is inspired by the sponge construction. The encryption algorithm of APE is online (i.e., the -th ciphertext block depends only on the first plaintext blocks), while the decryption algorithm is inverse-online (i.e., the ciphertext blocks are decrypted online in reverse order, using the inverse permutation). APE is proven secure up to the conventional bound in the random permutation model (RPM), i.e., APE guarantees up to about -bit security, where is the capacity of the permutation.

However, APE has several drawbacks, such as relatively large bandwidth, large hardware footprint, and high computational complexity. To overcome these drawbacks, Sasaki and Yasuda focused on the implementation costs and the proper use of a nonce on resource-constrained devices [18]. On the basis of APE, they described three new online permutation-based lightweight AE modes, called , , and , to meet the requirements of lower bandwidth, smaller hardware footprint, and lower computational complexity. They proved that these three lightweight AE schemes also enjoy conventional security.

Almost all previous permutation-based lightweight AE schemes, including APE, , , and , ensure only up to about -bit security. To ensure sufficient security, one therefore tends to choose a permutation with a large capacity . Table 1 shows the security levels of some permutation-based AE modes with their recommended parameters.

However, in some settings, such as a permutation whose capacity is not large enough or partial leakage of the permutation state through side-channel attacks, this security bound is not enough. Moreover, APE, , , and process the associated data and the message separately, which is not highly efficient. Can we construct an efficient lightweight AE mode with beyond -bit security?

This paper addresses the above problem and gives a positive answer. On the basis of APE, , , and , we propose a novel improved permutation-based lightweight online AE mode . supports a strong security guarantee and efficient implementation. The concrete contributions are as follows:
(1) To achieve higher efficiency, we build several desirable properties into : it is inverse-free, it is a stream-cipher-style encryption mode, it uses concurrent absorption, and it is purely permutation-based. is inverse-free, i.e., its decryption algorithm does not invoke the inverse of the permutation. It processes the associated data and the message by concurrent absorption, which keeps the number of permutation calls as small as possible. In particular, with hardware implementation in mind, is built by cascading and has no backward feedback, so it can be fully pipelined in hardware. Moreover, requires only the forward permutation circuit for both the encryption and the decryption circuits, so the device area and the hardware footprint are minimized. Concurrent absorption also greatly reduces the computational cost on hardware devices.
(2) To achieve stronger security, the encryption and authentication parts are treated separately. For the encryption part, we use the iterated Even–Mansour cipher with a short key [21] to generate the ciphertext, avoiding the weakness that the current plaintext block is XOR-ed with the previous ciphertext block. For the authentication part, the tag is generated by XOR-ing the rate and the capacity of the last permutation output, which resists forgery attacks.
In this paper, we derive a simple security proof using a modular proof approach and show that enjoys up to about -bit AE security under the RPM assumption, where and are, respectively, the rate and the capacity of the permutation. Specifically, for a permutation with parameters , and (or , and ), enjoys up to about 96-bit (or 128-bit) AE security, as shown in Table 1.

The rest of this paper is organized as follows. Notation and preliminaries are presented in Section 2. Section 3 describes the security model for lightweight AE schemes. Section 4 presents the new permutation-based lightweight AE mode with beyond-conventional security and derives its security proof. Section 5 discusses the properties of . Finally, Section 6 concludes the paper.

2. Preliminaries

Notations. Let denote the set of all finite bit strings (including the empty string). Let be an integer and the set of all -bit strings. For a finite string , denotes its bit-length. For two finite strings and , or denotes their concatenation and denotes their bitwise XOR. If is a set, denotes that is sampled uniformly from the finite set . If is a real number, denotes the smallest integer greater than or equal to . denotes the conditional probability that event occurs given event .

Strong Pseudorandom Permutation (SPRP). One of the most important security notions for symmetric ciphers is the SPRP. In a nutshell, a symmetric cipher is an SPRP if it is indistinguishable from an ideal random permutation by an adversary who can query both the forward and the inverse direction, i.e., under chosen-ciphertext attacks. The formal definition is as follows.

Let be a symmetric cipher, where is a nonempty key set. For any , is a permutation on bits and is its inverse. Let be the set of all permutations on bits. Let be a primitive used in . Let be an adversary with access to the encryption and decryption oracles and to the primitive and its inverse, i.e., . Let be the event that outputs 1 after interacting with the oracle .

Let . The SPRP advantage of against is defined as

If this advantage is negligible, the cipher is a secure strong pseudorandom permutation (SPRP).

If the resources used by adversaries are bounded (the overall running time , the number of queries to the encryption and decryption oracles, the total query complexity of the construction , and the number of queries to the primitive and its inverse ), we define the maximum advantage as

Even–Mansour Cipher with a Short Key [21]. Let be a public random -bit permutation, the capacity of , the rate of , and . Let be a -bit key set. The Even–Mansour cipher with a short key was introduced to minimize the key material of the Even–Mansour cipher while achieving a beyond-conventional security bound. It is a function that takes a key and a plaintext and produces a ciphertext , where .

3. Security Model

Syntax of Authenticated Encryption (AE). Let , , , , , and be, respectively, the sets of keys, nonces, associated data, plaintexts, ciphertexts, and authentication tags. A nonce-based AE scheme with associated data consists of an encryption algorithm and a decryption algorithm : , where the symbol indicates that decryption failed. Let be a key, a nonce, associated data, a plaintext, a ciphertext, and an authentication tag. The syntax is formalized as follows:where if and only if . A secure AE scheme returns the failure symbol whenever it receives an invalid (ciphertext, tag) pair.

The nonce-based AE scheme with associated data is called an online AE scheme (or authenticated online cipher) if and only if the -th ciphertext block depends only on the first plaintext blocks , where . That is, for any fixed key , nonce , and associated data , if two plaintexts and share an -block common prefix, where , then their ciphertexts and also share an -block common prefix. Consequently, a secure authenticated online cipher requires that ciphertexts reveal no information about plaintexts beyond their length and their longest common prefix with previously encrypted plaintexts.
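The following is an added example, not code from the paper and not an implementation of APE or APE+: a toy sponge-style authenticated online cipher that makes the definition above concrete. Because the -th ciphertext block is computed from the state after the first blocks only, two messages encrypted under the same key, nonce and associated data produce identical ciphertext up to their longest common plaintext prefix and differ from the first differing block on, which is exactly what nonce misuse leaks and nothing more. Decryption uses only the forward permutation (it is inverse-free) and releases no plaintext when the tag fails. The 64-bit toy permutation, the 32-bit rate, capacity, key and tag, the domain-separation constant, and the whole-block (unpadded) interface are all assumptions of this example chosen to keep it small; they are far too small to be secure.

```python
import hmac

# Toy parameters (assumed for this example only; real modes use e.g. r = 64, c = 256).
R, C = 32, 32                 # rate and capacity of the toy permutation, in bits
MASK32 = (1 << 32) - 1
CAP_MASK = MASK32             # low 32 bits of the 64-bit state hold the capacity


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def perm(state):
    """Toy public 64-bit permutation: eight keyless Speck-like ARX rounds.
    Invertible, but far too small and weak for any real use."""
    x, y = state >> C, state & MASK32
    for i in range(8):
        x = ((_rotr(x, 8) + y) & MASK32) ^ i
        y = _rotl(y, 3) ^ x
    return (x << C) | y


def _init_state(key, nonce, ad):
    """Nonce in the rate, key in the capacity; associated-data blocks absorbed into the rate."""
    s = (nonce << C) | key
    for a in ad:
        s = perm(s ^ (a << C))
    return perm(s ^ 1)        # domain separation (assumed constant) before the message part


def _tag(state, key):
    """Tag = rate of the final permutation output, with the key XOR-ed into the capacity."""
    return perm(state ^ key) >> C


def encrypt(key, nonce, ad, msg):
    """Online encryption of 32-bit blocks: c_i = rate(s) ^ m_i, then c_i overwrites the rate,
    so the state after block i depends only on blocks 0..i."""
    s = _init_state(key, nonce, ad)
    ct = []
    for m in msg:
        c = (s >> C) ^ m
        ct.append(c)
        s = perm((c << C) | (s & CAP_MASK))
    return ct, _tag(s, key)


def decrypt(key, nonce, ad, ct, tag):
    """Inverse-free decryption: only the forward permutation is used.
    Returns the plaintext blocks, or None (INVALID) if the tag does not verify."""
    s = _init_state(key, nonce, ad)
    msg = []
    for c in ct:
        msg.append((s >> C) ^ c)
        s = perm((c << C) | (s & CAP_MASK))
    expected = _tag(s, key)
    if not hmac.compare_digest(expected.to_bytes(4, "big"), tag.to_bytes(4, "big")):
        return None           # release nothing on failure
    return msg


def shared_ciphertext_prefix(key, nonce, ad, m1, m2):
    """Number of leading ciphertext blocks two messages share under the SAME key, nonce
    and associated data. For an online cipher this equals the length of their longest
    common plaintext prefix: the first differing plaintext block is XOR-ed with the same
    keystream block, so the ciphertexts differ there with certainty."""
    c1, _ = encrypt(key, nonce, ad, m1)
    c2, _ = encrypt(key, nonce, ad, m2)
    n = 0
    while n < min(len(c1), len(c2)) and c1[n] == c2[n]:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample inputs.
    KEY, NONCE, AD = 0x0BADF00D, 0x00C0FFEE, [0x41444131]
    m1 = [0x48454C4C, 0x4F574F52, 0x4C442121]
    m2 = [0x48454C4C, 0x4F574F52, 0x4C443F3F]   # differs only in the last block
    print("shared prefix blocks:", shared_ciphertext_prefix(KEY, NONCE, AD, m1, m2))
    ct, tag = encrypt(KEY, NONCE, AD, m1)
    print("round trip ok:", decrypt(KEY, NONCE, AD, ct, tag) == m1)
    print("forged tag rejected:", decrypt(KEY, NONCE, AD, ct, tag ^ 1) is None)
```

The shared-prefix count is the whole point of the "up to common prefix" caveat in the security definition: a nonce-respecting caller leaks nothing, a nonce-misusing caller leaks the block position at which two messages first diverge. Tag comparison is done with a constant-time compare so that verification itself does not leak which tag bytes matched.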

Ideal Online Function and Ideal Authenticated Online Cipher. Let be a function chosen uniformly at random from , where and . We define an ideal online function as follows:

Let be a tag-generation function chosen uniformly at random from . We define an ideal authenticated online cipher as follows:where and .

AE Security Model. The security models for AE schemes include the conventional model (privacy and authenticity) [11, 17] and the all-in-one AE security model [18, 22–24]. The all-in-one model subsumes the conventional privacy and authenticity models, so we adopt it here. Let be an AE scheme. The all-in-one AE security model is defined as follows.

Definition 1 (AE security [24]). Let be a public random permutation, a key, and a -based AE scheme. Let . Then, the AE security advantage of the adversary iswhere is the number of queries to the encryption oracle or the decryption oracle , generating at most blocks in total, is the number of queries to the permutation or its inverse , $ is an ideal authenticated online cipher, and stands for the failure of the decryption oracle.

4. APE+: Authenticated Permutation-Based Encryption Scheme with Beyond Conventional Security for Lightweight Applications

In this section, we provide a new purely permutation-based lightweight online AE mode that enjoys beyond-conventional security. Section 4.1 specifies . Section 4.2 proves its security.

4.1. : Pure Permutation-Based Lightweight Authenticated Online Cipher

Let be a public -bit random permutation and . Let be a -bit key, a nonce, and associated data. Let be a plaintext, the corresponding ciphertext, and the corresponding authentication tag, where is the block length of the plaintext. Let be the bit-length of the tag and .

To design a lightweight online AE mode with beyond-conventional security, we use the iterated Even–Mansour cipher with a short key [21] to generate the ciphertext in the encryption part and invoke the Even–Mansour cipher with a short key [21] to generate the authentication tag in the authentication part. Moreover, to prevent forgery attacks, the rate of the last permutation output is XOR-ed into its capacity together with the short key, so that the tag carries a random mask. To keep the number of permutation calls as small as possible, we use the concurrent absorption method [25] to process the associated data and the message together. An overview of is shown in Figure 1.

consists of an encryption algorithm and a decryption algorithm . The encryption algorithm takes as input a key , a nonce , associated data , and a plaintext and returns a ciphertext and a tag . The decryption algorithm takes , , , , and as inputs and returns either or . The two algorithms are given in Algorithms 1 and 2.

Input: a key , a nonce , an associated data , and a plaintext
Output: a ciphertext and a tag
(1)Partition into ,
(2)Partition into,
(3)
(4)ifthen
(5)fordo
(6)
(7)
(8)
(9)end for
(10)fordo
(11)
(12)
(13)
(14)end for
(15)
(16)
(17)else
(18)fordo
(19)
(20)
(21)
(22)end for
(23)fordo
(24)
(25)
(26)
(27)end for
(28)
(29)
(30)end if
(31)return
Input: a key , a nonce , an associated data , a ciphertext , and a tag
Output: a plaintext or
(1)Partition into ,
(2)Partition into ,
(3)
(4)ifthen
(5)fordo
(6)
(7)
(8)
(9)end for
(10)fordo
(11)
(12)
(13)
(14)end for
(15)
(16)
(17)else
(18)fordo
(19)
(20)
(21)
(22)end for
(23)fordo
(24)
(25)
(26)
(27)end for
(28)
(29)
(30)end if
(31)ifthen
(32)return
(33)else
(34)return (INVALID)
(35)end if
4.2. Beyond Conventional Security of

APE, , , and ensure security only up to about adversarial queries (i.e., -bit security). is a purely permutation-based lightweight AE scheme with beyond-conventional security, and it is also an authenticated online cipher. In this section, we prove that enjoys up to about -bit AE security. Let denote our scheme instantiated with a permutation .

Theorem 1. Let be a public -bit random permutation and . Then,

where is the base of the natural logarithm.

Proof. We use a modular proof approach. First, our scheme can be described as a scheme built on an Even–Mansour cipher with a short key , i.e., can be represented as , where is the secret key. We then replace the Even–Mansour component of our scheme by the random permutation and call the new scheme . This replacement introduces a nontrivial gap. By the definition of AE security, we have

It follows that we need to bound and . First, by the advantage bound for the Even–Mansour cipher with a short key [21], we have

where is the maximal multiplicity. We now justify the choice of . The probability that the multiplicity exceeds is upper bounded by , which is very close to zero. By Stirling's approximation, this probability is also bounded by , where . Assuming and , we have . It follows that

Then, we need to compute the following advantage:

Now, we replace the random permutation by a random function and call the new scheme . By the hybrid argument and the RP/RF switching lemma, we have

Next, we need to evaluate . By the definitions of privacy and authenticity [17], we have

where

In the first step, we bound the PRIV advantage . Assume that the adversary makes queries to the encryption oracle and receives the corresponding responses . The adversary is deterministic and adaptive, i.e., each query is completely determined by the previous query-response pairs , where and are distinct.
Let us define some notation for the -th encryption query-response pair , where . Let and be, respectively, the block lengths of the associated data and the plaintext . Then, and . Here, we assume that the block length of the associated data is always at most the block length of the plaintext. Let and be the inputs and outputs of the random function , where for and for .
We define an event Coll that denotes a collision among the inputs of the random function . For an authenticated online cipher, we consider that any two distinct queries share a common prefix, where . The adversary may misuse nonces, so is a common prefix. We consider the following cases:
Case 1: if is fully common, then . Assume that and have an -block longest common prefix, i.e., and , where ( means ). Therefore, and . The event Coll occurs if one of the following collisions happens:
(1) for , where .
(2) for , where .
(3) for , where .
(4) for , where .
Let be the maximum block length of the plaintext, i.e., , and let . Therefore, after removing the duplicate conditions, the probability that the event Coll occurs is
Case 2: if but and have an -block longest common prefix, then and , where . We assume that and have a -block longest common prefix, where . Then, and .
Case 2.1: if , then . Therefore, and . The probability that the event Coll occurs is the same as in Case 1.
Case 2.2: if , then . Therefore, and . The event Coll occurs if one of the following collisions happens:
(1) for , where .
(2) for , where .
(3) for , where .
(4) for , where .
It follows that, in Case 2.2, the probability that the event Coll occurs is
Summarizing the above mutually exclusive cases, the probability that the event Coll occurs is
If the event Coll does not occur, all inputs of are fresh, except that the inputs from the common prefix are equal. Therefore, is indistinguishable from $. In the nonce-misuse setting, we have
In the second step, we bound the AUTH advantage . Assume that the adversary makes nontrivial forgery attempts to the decryption oracle after querying the encryption oracle times, where and . We define an event Forge that some decryption query among the forgery attempts does not return . If the event Forge does not occur, the responses of and are identical.
Therefore, by the law of total probability, we have

The probability that the event Coll happens is bounded as for the PRIV advantage, except that we must account for an extra query complexity, namely the decryption query complexity of the forgery attempts, i.e., , where is the total query complexity of the encryption and decryption queries.
To bound the probability , we consider the following cases:
Case 1: is new, i.e., , where . For each forgery attempt, the probability that the adversary correctly guesses the image of a new point is at most .
Case 2: is old, but is new. We analyze this case further as follows.
Case 2.1: is new, i.e., . The image of this new point under the random function is uniform and independent of everything else. Therefore, the probability of correctly guessing the tag is at most .
Case 2.2: is old, but is new. Conditioned on the event Coll not occurring, the input of the last random function is new. The outputs of on distinct inputs are uniform and independent. Therefore, the probability of correctly guessing the tag is at most .
Summarizing the above cases, the success probability of the forgery attempts is upper bounded by .
Therefore, by the sugar water (mediant) inequality , where and , and , we have

Combining (1)–(6), we obtain Theorem 1.
By Theorem 1, the AE security of holds up to about adversarial queries against nonce-misusing adversaries. In other words, ensures up to about -bit AE security, which is beyond the conventional -bit security.

5. Discussions

The original intention in designing was to achieve higher efficiency, better performance, and stronger security on lightweight devices. is an improved version of the APE series (APE, , , and ) and therefore inherits most of its advantages. In addition, it has the following advantages for hardware implementation:
(1) is a purely permutation-based lightweight online AE mode with concurrent absorption, so the associated data and the message are processed faster on hardware devices.
(2) is inverse-free, i.e., its decryption circuit does not invoke the inverse of the permutation. Moreover, it is a stream-cipher-style encryption mode.
(3) is built by cascading and has no backward feedback, so it can be fully pipelined.
(4) To the best of our knowledge, is the first AE mode that supports beyond-conventional security against blockwise adaptive adversaries on lightweight devices.
(5) The APE series and are designed for, and have proven security against, nonce-misusing adversaries up to common prefix. Jovanovic et al. showed an attack on APE with a complexity of about in the nonce-respecting setting (here, "nonce-respecting" means that no nonce is repeated in the encryption queries), exploiting the following defect [26]: if there exists such that , the adversary breaks privacy with a complexity of about in the nonce-respecting setting. This attack also works for the rest of the APE series, since the same defect exists in , , and , while it does not exist in . Therefore, is robust against this kind of attack.

Table 2 compares permutation-based lightweight AE modes. From the perspective of hardware implementation cost, needs only the permutation circuit, as both its encryption and decryption algorithms call only the forward permutation . Therefore, the device area and the hardware footprint are minimized. From the perspective of efficiency, the bandwidth of is . Moreover, the computational costs of the encryption and decryption algorithms are , as concurrent absorption is used to process the associated data and the message together, so the computational complexity is clearly reduced. From the perspective of security, enjoys up to about -bit AE security, which is the main contribution of this paper. For a permutation with recommended parameters , and , the APE series ensures up to about 80-bit security while enjoys up to about 96-bit security. The security levels of permutation-based AE modes with recommended parameters are shown in Table 1.

This paper focuses only on the single-key security of . Multi-key (multi-user) security and related-key security are currently active research topics for lightweight ciphers. The hardware implementation of and its security in the multi-key (multi-user) and related-key settings are our next steps.

6. Conclusions

Most of the devices widely used in smart homes and the Internet of Things are resource constrained. The privacy and authenticity of the data from these devices are crucial during data transmission. Permutation-based lightweight AE modes are more advantageous and attractive for protecting such data due to their simple structure, convenient lookup tables, and fast running speed. However, almost all permutation-based lightweight AE modes enjoy only conventional security. In this paper, we study whether we can design an efficient lightweight AE mode that achieves a beyond-conventional security bound for permutation-based lightweight ciphers. We propose a new permutation-based lightweight AE mode with beyond-conventional security, derive its security proof, and discuss its properties. has proven AE security up to about adversarial queries and is robust, where and are, respectively, the rate and the capacity of the permutation. is an improved version of the APE series and inherits most of its advantages. It is well suited to protecting data in settings such as a permutation whose capacity is not large enough or partial leakage of the permutation state through side-channel attacks.

Data Availability

The data used to support the findings of the study are available within the article.

Conflicts of Interest

The author declares that there are no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant no. 61902195), Natural Science Fund for Colleges and Universities in Jiangsu Province (General Program, Grant no. 19KJB520045), and NUPTSF (Grant no. NY219131).