## Beyond conventional security in sponge-based authenticated encryption modes (English) Zbl 1443.94064

Summary: The Sponge function is known to achieve $$2^{c/2}$$ security, where $$c$$ is its capacity. This bound was carried over to its keyed variants, such as SpongeWrap, to achieve a $$\min \{2^{c/2},2^\kappa \}$$ security bound, with $$\kappa$$ the key length. Similarly, many CAESAR competition submissions were designed to comply with the classical $$2^{c/2}$$ security bound. We show that Sponge-based constructions for authenticated encryption can achieve the significantly higher bound of $$\min \{2^{b/2},2^c,2^\kappa \}$$, with $$b>c$$ the permutation size, by proving that the CAESAR submission NORX achieves this bound. The proof relies on rigorous computation of multi-collision probabilities, which may be of independent interest. We additionally derive a generic attack based on multi-collisions that matches the bound. We show how to apply the proof to five other Sponge-based CAESAR submissions: Ascon, CBEAM/STRIBOB, ICEPOLE, Keyak, and two out of the three PRIMATEs. A direct application of the result shows that the parameter choices of some of these submissions are overly conservative. Simple tweaks render the schemes considerably more efficient without sacrificing security. We finally consider the remaining one of the three PRIMATEs, APE, and derive a blockwise adaptive attack in the nonce-respecting setting with complexity $$2^{c/2}$$, therewith demonstrating that the techniques cannot be applied to APE.
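As an added illustration (not part of the paper or of this record), the following Python code puts the two bounds from the abstract side by side in bits, and evaluates the kind of balls-into-bins multi-collision probability the abstract says the proof computes rigorously, using the union bound C(q, ρ)/N^(ρ-1) from the "birthday paradox for multi-collisions" paper cited as [91] in the reference list. The parameter values (b = 1024, c = 256, κ = 256, 2^32 samples into 2^64 bins) are constructed for the demonstration and are not any submission's actual choices; how the paper combines the multi-collision term with the rest of its proof is not reproduced here.

```python
from math import comb, log2

# Security bounds from the abstract, expressed in bits, i.e. log2 of the
# adversarial complexity at which the bound becomes vacuous.

def classical_bound_bits(c: int, kappa: int) -> float:
    """Classical keyed-sponge bound min{2^(c/2), 2^kappa}, in bits."""
    return min(c / 2, kappa)

def improved_bound_bits(b: int, c: int, kappa: int) -> float:
    """Bound min{2^(b/2), 2^c, 2^kappa} stated for NORX and the other
    sponge-based modes covered by the paper; needs b > c (the permutation
    is wider than the capacity)."""
    if b <= c:
        raise ValueError("permutation width b must exceed capacity c")
    return min(b / 2, c, kappa)

def log2_multicollision_bound(q_bits: int, n_bits: int, rho: int) -> float:
    """log2 of the union bound C(q, rho) / N^(rho-1) on the probability that
    q = 2^q_bits uniformly random n_bits-bit values contain a rho-fold
    multi-collision (Suzuki et al., reference [91]). Evaluated in the log
    domain so that large q and N never overflow a float."""
    if rho < 2:
        raise ValueError("a multi-collision needs rho >= 2")
    return log2(comb(2 ** q_bits, rho)) - n_bits * (rho - 1)

def smallest_safe_rho(q_bits: int, n_bits: int, eps_bits: int) -> int:
    """Smallest rho such that, by the union bound, a rho-fold multi-collision
    among 2^q_bits values in 2^n_bits bins has probability at most 2^-eps_bits.
    This is the size of multi-collision a proof can assume does not occur
    except with probability 2^-eps_bits."""
    rho = 2
    while log2_multicollision_bound(q_bits, n_bits, rho) > -eps_bits:
        rho += 1
    return rho

if __name__ == "__main__":
    # Constructed parameters, chosen only to make the gap between the bounds visible.
    b, c, kappa = 1024, 256, 256
    print("classical bound:", classical_bound_bits(c, kappa), "bits")
    print("improved bound :", improved_bound_bits(b, c, kappa), "bits")
    # Constructed multi-collision question: 2^32 samples into 2^64 bins.
    for rho in (2, 3, 4):
        print(f"log2 Pr[{rho}-collision] <=", round(log2_multicollision_bound(32, 64, rho), 2))
    print("smallest rho with Pr <= 2^-20:", smallest_safe_rho(32, 64, 20))
```

With the constructed parameters the classical bound gives 128 bits while the improved one gives 256 bits, and a 3-fold multi-collision among 2^32 samples in 2^64 bins is already bounded well below 2^-20 while a plain 2-fold collision is not; raising the number of samples to the full bin count makes the union bound vacuous for every ρ, which is why such arguments only help when the sample count stays far below the bin count.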

### MSC:

94A60 Cryptography
94A62 Authentication, digital signatures and secret sharing

### Software:

spongent; CBEAM; DLMF; McOE

### References:

[1] J. Alizadeh, M. Aref, N. Bagheri, Artemia v1 (2014), submission to CAESAR competition
[2] E. Andreeva, B. Bilgin, A. Bogdanov, A. Luykx, F. Mendel, B. Mennink, N. Mouha, Q. Wang, K. Yasuda, PRIMATEs v1 (2014), submission to CAESAR competition
[3] E. Andreeva, B. Bilgin, A. Bogdanov, A. Luykx, F. Mendel, B. Mennink, N. Mouha, Q. Wang, K. Yasuda, PRIMATEs v1.1 (2016), submission to CAESAR competition
[4] E. Andreeva, B. Bilgin, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, K. Yasuda, APE: authenticated permutation-based encryption for lightweight cryptography, in C. Cid, C. Rechberger, (eds.) Fast Software Encryption—21st International Workshop, FSE 2014, London, UK, March 3-5, 2014. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8540 (Springer, 2014), pp. 168-186 · Zbl 1382.94044
[5] E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, E. Tischhauser, K. Yasuda, Parallelizable and authenticated online ciphers, in K. Sako, P. Sarkar, (eds.) Advances in Cryptology—ASIACRYPT 2013—19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5, 2013, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8269 (Springer, 2013), pp. 424-443 · Zbl 1327.94026
[6] E. Andreeva, J. Daemen, B. Mennink, G. Van Assche, Security of keyed sponge constructions using a modular proof approach, in G. Leander, (ed.) Fast Software Encryption—22nd International Workshop, FSE 2015, Istanbul, Turkey, March 8-11, 2015, Revised Selected Papers. Lecture Notes in Computer Science, vol. 9054 (Springer, 2015), pp. 364-384 · Zbl 1382.94045
[7] J. Aumasson, P. Jovanovic, S. Neves, NORX v1 (2014), submission to CAESAR competition
[8] J. Aumasson, P. Jovanovic, S. Neves, NORX v2.0 (2015), submission to CAESAR competition
[9] N. Bagheri, Padding of Artemia (2014), CAESAR mailing list
[10] M. Bellare, V.T. Hoang, Identity-based format-preserving encryption, in B.M. Thuraisingham, D. Evans, T. Malkin, D. Xu, (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30-November 03, 2017 (ACM, 2017), pp. 1515-1532
[11] M. Bellare, C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, J. Cryptol. 21, 469-491 (2008) · Zbl 1161.94435
[12] M. Bellare, P. Rogaway, Code-based game-playing proofs and the security of triple encryption. Cryptology ePrint Archive, Report 2004/331 (2004)
[13] M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Vaudenay [93], pp. 409-426 · Zbl 1140.94321
[14] M. Bellare, P. Rogaway, D. Wagner, The EAX mode of operation, in B.K. Roy, W. Meier, (eds.) Fast Software Encryption, 11th International Workshop, FSE 2004, Delhi, India, February 5-7, 2004, Revised Papers. Lecture Notes in Computer Science, vol. 3017 (Springer, 2004), pp. 389-407 · Zbl 1079.68537
[15] J. Benaloh, (ed.), Topics in Cryptology—CT-RSA 2014—The Cryptographer's Track at the RSA Conference 2014, San Francisco, CA, USA, February 25-28, 2014, Proceedings, Lecture Notes in Computer Science, vol. 8366 (Springer, 2014) · Zbl 1283.94001
[16] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge Functions. ECRYPT Hash Function Workshop (2007)
[17] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the indifferentiability of the sponge construction, in N.P. Smart, (ed.) Advances in Cryptology—EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Proceedings. Lecture Notes in Computer Science, vol. 4965 (Springer, 2008), pp. 181-197 · Zbl 1149.94304
[18] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge-based pseudo-random number generators, in S. Mangard, F. Standaert, (eds.) Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010. Proceedings. Lecture Notes in Computer Science, vol. 6225 (Springer, 2010), pp. 33-47 · Zbl 1297.94050
[19] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Duplexing the sponge: Single-pass authenticated encryption and other applications, in A. Miri, S. Vaudenay, (eds.) Selected Areas in Cryptography—18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11-12, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 7118 (Springer, 2011), pp. 320-337 · Zbl 1292.94030
[20] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the security of the keyed sponge construction. Symmetric Key Encryption Workshop (2011) · Zbl 1149.94304
[21] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Permutation-based encryption, authentication and authenticated encryption. Directions in Authenticated Ciphers (2012)
[22] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, R. Van Keer, Keyak v1 (2014), submission to CAESAR competition
[23] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, R. Van Keer, Keyak v2 (2015), submission to CAESAR competition
[24] A. Bogdanov, M. Knezevic, G. Leander, D. Toz, K. Varici, I. Verbauwhede, spongent: A lightweight hash function, in B. Preneel, T. Takagi, (eds.) Cryptographic Hardware and Embedded Systems—CHES 2011—13th International Workshop, Nara, Japan, September 28-October 1, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6917 (Springer, 2011), pp. 312-325
[25] CAESAR, Competition for Authenticated Encryption: Security, Applicability, and Robustness (2014). http://competitions.cr.yp.to/caesar.html
[26] D. Chang, M. Dworkin, S. Hong, J. Kelsey, M. Nandi, A Keyed Sponge Construction with Pseudorandomness in the Standard Model. NIST's 3rd SHA-3 Candidate Conference 2012 (2012)
[27] D. Chang, M. Nandi, Improved indifferentiability security analysis of ChopMD hash function, in K. Nyberg, (ed.) Fast Software Encryption, 15th International Workshop, FSE 2008, Lausanne, Switzerland, February 10-13, 2008, Revised Selected Papers. Lecture Notes in Computer Science, vol. 5086 (Springer, 2008), pp. 429-443 · Zbl 1154.68385
[28] H. Chernoff, A measure of asymptotic efficiency for tests of a hypothesis based on the sum of observations, Ann. Math. Stat. 23, 493-507 (1952) · Zbl 0048.11804
[29] B. Cogliati, R. Lampe, Y. Seurin, Tweaking Even-Mansour ciphers, in Gennaro and Robshaw [40], pp. 189-208 · Zbl 1369.94526
[30] R.M. Corless, G.H. Gonnet, D.E.G. Hare, D.J. Jeffrey, D.E. Knuth, On the Lambert $${W}$$ function, Adv. Comput. Math. 5, 329-359 (1996) · Zbl 0863.65008
[31] J. Daemen, B. Mennink, G. Van Assche, Full-state keyed duplex with built-in multi-user support, in T. Takagi, T. Peyrin, (eds.) Advances in Cryptology—ASIACRYPT 2017—23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10625 (Springer, 2017), pp. 606-637 · Zbl 1417.94055
[32] I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Cryptanalysis of iterated Even-Mansour schemes with two keys, in Sarkar and Iwata [87], pp. 439-457. http://dx.doi.org/10.1007/978-3-662-45611-8_23 · Zbl 1306.94048
[33] C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer, Ascon v1 (2014), submission to CAESAR competition
[34] C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer, Ascon v1.1 (2015), submission to CAESAR competition
[35] FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (2015)
[36] M. Fischlin, J. Coron, (eds.), Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part I, Lecture Notes in Computer Science, vol. 9665 (Springer, 2016) · Zbl 1339.94004
[37] E. Fleischmann, C. Forler, S. Lucks, McOE: A family of almost foolproof on-line authenticated encryption schemes, in A. Canteaut, (ed.) Fast Software Encryption—19th International Workshop, FSE 2012, Washington, DC, USA, March 19-21, 2012. Revised Selected Papers. Lecture Notes in Computer Science, vol. 7549 (Springer, 2012), pp. 196-215 · Zbl 1312.94113
[38] P. Gazi, K. Pietrzak, S. Tessaro, The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC, in Gennaro and Robshaw [40], pp. 368-387 · Zbl 1375.94127
[39] P. Gazi, S. Tessaro, Provably robust sponge-based PRNGs and KDFs, in Fischlin and Coron [36], pp. 87-116 · Zbl 1347.94033
[40] R. Gennaro, M. Robshaw, (eds.), Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, Lecture Notes in Computer Science, vol. 9215 (Springer, 2015) · Zbl 1319.94002
[41] M. Girault, J. Stern, On the length of cryptographic hash-values used in identification schemes, in Y. Desmedt, (ed.) Advances in Cryptology—CRYPTO '94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings. Lecture Notes in Computer Science, vol. 839 (Springer, 1994), pp. 202-215 · Zbl 0939.94541
[42] D. Gligoroski, H. Mihajloska, S. Samardjiska, H. Jacobsen, M. El-Hadedy, R. Jensen, $$\pi$$-Cipher v1 (2014), submission to CAESAR competition
[43] D. Gligoroski, H. Mihajloska, S. Samardjiska, H. Jacobsen, M. El-Hadedy, R. Jensen, $$\pi$$-Cipher v2.0 (2015), submission to CAESAR competition
[44] R. Granger, P. Jovanovic, B. Mennink, S. Neves, Improved masking for tweakable blockciphers with applications to authenticated encryption, in Fischlin and Coron [36], pp. 263-293 · Zbl 1384.94065
[45] J. Guo, T. Peyrin, A. Poschmann, The PHOTON family of lightweight hash functions, in P. Rogaway, (ed.) Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6841 (Springer, 2011), pp. 222-239 · Zbl 1287.94069
[46] S. Hirose, K. Ideguchi, H. Kuwakado, T. Owada, B. Preneel, H. Yoshida, A lightweight 256-bit hash function for hardware and low-end devices: Lesamnta-LW, in K.H. Rhee, D. Nyang, (eds.) Information Security and Cryptology—ICISC 2010—13th International Conference, Seoul, Korea, December 1-3, 2010, Revised Selected Papers. Lecture Notes in Computer Science, vol. 6829 (Springer, 2010), pp. 151-168 · Zbl 1292.94078
[47] S. Hirose, H. Kuwakado, H. Yoshida, Compression functions using a dedicated blockcipher for lightweight hashing, in H. Kim, (ed.) Information Security and Cryptology—ICISC 2011—14th International Conference, Seoul, Korea, November 30-December 2, 2011. Revised Selected Papers. Lecture Notes in Computer Science, vol. 7259 (Springer, 2011), pp. 346-364 · Zbl 1365.94434
[48] V.T. Hoang, T. Krovetz, P. Rogaway, Robust authenticated-encryption AEZ and the problem that it solves, in E. Oswald, M. Fischlin, (eds.) Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9056 (Springer, 2015), pp. 15-44 · Zbl 1365.94485
[49] V.T. Hoang, S. Tessaro, The multi-user security of double encryption, in J. Coron, J.B. Nielsen, (eds.) Advances in Cryptology—EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30-May 4, 2017, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10211 (2017), pp. 381-411 · Zbl 1415.94438
[50] A. Hoorfar, M. Hassani, Inequalities on the Lambert $${W}$$ function and hyperpower function. J. Inequal. Pure Appl. Math. 9(2) (2008) · Zbl 1163.33326
[51] T. Iwata, K. Ohashi, K. Minematsu, Breaking and repairing GCM security proofs, in R. Safavi-Naini, R. Canetti, (eds.) Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings. Lecture Notes in Computer Science, vol. 7417 (Springer, 2012), pp. 31-49 · Zbl 1294.94053
[52] É. Jaulmes, A. Joux, F. Valette, On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction, in J. Daemen, V. Rijmen, (eds.) Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers. Lecture Notes in Computer Science, vol. 2365 (Springer, 2002), pp. 237-251 · Zbl 1045.94523
[53] P. Jovanovic, A. Luykx, B. Mennink, Beyond $$2^{c/2}$$ security in sponge-based authenticated encryption modes, in Sarkar and Iwata [87], pp. 85-104 · Zbl 1306.94065
[54] L.R. Knudsen, F. Mendel, C. Rechberger, S.S. Thomsen, Cryptanalysis of MDC-2, in A. Joux, (ed.) Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26-30, 2009. Proceedings. Lecture Notes in Computer Science, vol. 5479 (Springer, 2009), pp. 106-120 · Zbl 1239.94056
[55] T. Krovetz, P. Rogaway, The software performance of authenticated-encryption modes, in A. Joux, (ed.) Fast Software Encryption—18th International Workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 6733 (Springer, 2011), pp. 306-327 · Zbl 1307.94119
[56] U.M. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in M. Naor, (ed.) Theory of Cryptography, First Theory of Cryptography Conference, TCC 2004, Cambridge, MA, USA, February 19-21, 2004, Proceedings. Lecture Notes in Computer Science, vol. 2951 (Springer, 2004), pp. 21-39 · Zbl 1197.94196
[57] D.A. McGrew, J. Viega, The security and performance of the Galois/Counter Mode (GCM) of operation, in A. Canteaut, K. Viswanathan, (eds.) Progress in Cryptology—INDOCRYPT 2004, 5th International Conference on Cryptology in India, Chennai, India, December 20-22, 2004, Proceedings. Lecture Notes in Computer Science, vol. 3348 (Springer, 2004), pp. 343-355 · Zbl 1113.94315
[58] F. Mendel, S. Thomsen, An Observation on JH-512. Available online (2008)
[59] B. Mennink, XPX: generalized tweakable Even-Mansour with improved security guarantees, in Robshaw and Katz [76], pp. 64-94 · Zbl 1351.94058
[60] B. Mennink, R. Reyhanitabar, D. Vizár, Security of full-state keyed sponge and duplex: Applications to authenticated encryption, in T. Iwata, J.H. Cheon, (eds.) Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29-December 3, 2015, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9453 (Springer, 2015), pp. 465-489 · Zbl 1382.94142
[61] H. Mihajloska, B. Mennink, D. Gligoroski, $$\pi$$-Cipher with Intermediate Tags (2016), available online
[62] B. Minaud, Re: CBEAM Withdrawn as of today! (2014), CAESAR mailing list
[63] K. Minematsu, Parallelizable rate-1 authenticated encryption from pseudorandom functions, in P.Q. Nguyen, E. Oswald, (eds.) Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8441 (Springer, 2014), pp. 275-292 · Zbl 1332.94091
[64] M. Mitzenmacher, E. Upfal, (eds.), Probability and Computing: Randomized Algorithms and Probabilistic Analysis (Cambridge University Press, New York, 2005) · Zbl 1092.60001
[65] P. Morawiecki, K. Gaj, E. Homsirikamol, K. Matusiewicz, J. Pieprzyk, M. Rogawski, M. Srebrny, M. Wójcik, ICEPOLE v1 (2014), submission to CAESAR competition
[66] P. Morawiecki, K. Gaj, E. Homsirikamol, K. Matusiewicz, J. Pieprzyk, M. Rogawski, M. Srebrny, M. Wójcik, ICEPOLE v2 (2015), submission to CAESAR competition
[67] R. Motwani, P. Raghavan, (eds.), Randomized Algorithms (Cambridge University Press, New York, 1995) · Zbl 0849.68039
[68] Y. Naito, Y. Sasaki, L. Wang, K. Yasuda, Generic state-recovery and forgery attacks on ChopMD-MAC and on NMAC/HMAC, in K. Sakiyama, M. Terada, (eds.) Advances in Information and Computer Security—8th International Workshop on Security, IWSEC 2013, Okinawa, Japan, November 18-20, 2013, Proceedings. Lecture Notes in Computer Science, vol. 8231 (Springer, 2013), pp. 83-98 · Zbl 1414.94914
[69] Y. Naito, K. Yasuda, New bounds for keyed sponges with extendable output: Independence between capacity and message length, in T. Peyrin, (ed.) Fast Software Encryption—23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers. Lecture Notes in Computer Science, vol. 9783 (Springer, 2016), pp. 3-22 · Zbl 1387.94094
[70] I. Nikolic, L. Wang, S. Wu, Cryptanalysis of round-reduced LED, in S. Moriai, (ed.) Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11-13, 2013. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8424 (Springer, 2013), pp. 112-129
[71] F.W.J. Olver, D.W. Lozier, R.F. Boisvert, C.W. Clark, (eds.), NIST Handbook of Mathematical Functions (Cambridge University Press, New York, 2010) · Zbl 1198.00002
[72] T. Peyrin, Y. Seurin, Counter-in-tweak: Authenticated encryption modes for tweakable block ciphers, in Robshaw and Katz [76], pp. 33-63 · Zbl 1351.94063
[73] B. Preneel, R. Govaerts, J. Vandewalle, On the power of memory in the design of collision resistant hash functions, in J. Seberry, Y. Zheng, (eds.) Advances in Cryptology—AUSCRYPT '92, Workshop on the Theory and Application of Cryptographic Techniques, Gold Coast, Queensland, Australia, December 13-16, 1992, Proceedings. Lecture Notes in Computer Science, vol. 718 (Springer, 1992), pp. 105-121 · Zbl 0869.94023
[74] M. Raab, A. Steger, "Balls into Bins"—A simple and tight analysis, in M. Luby, J.D.P. Rolim, M.J. Serna, (eds.) Randomization and Approximation Techniques in Computer Science, Second International Workshop, RANDOM'98, Barcelona, Spain, October 8-10, 1998, Proceedings. Lecture Notes in Computer Science, vol. 1518 (Springer, 1998), pp. 159-170
[75] R. Reyhanitabar, Do Sponge-based AE modes have beyond $$2^{c/2}$$ "Security"? (2014), CAESAR mailing list
[76] M. Robshaw, J. Katz, (eds.), Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part I, Lecture Notes in Computer Science, vol. 9814 (Springer, 2016) · Zbl 1344.94001
[77] P. Rogaway, Authenticated-encryption with associated-data, in V. Atluri, (ed.) Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, November 18-22, 2002 (ACM, 2002), pp. 98-107
[78] P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in P.J. Lee, (ed.) Advances in Cryptology—ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5-9, 2004, Proceedings. Lecture Notes in Computer Science, vol. 3329 (Springer, 2004), pp. 16-31
[79] P. Rogaway, M. Bellare, J. Black, T. Krovetz, OCB: a block-cipher mode of operation for efficient authenticated encryption, in M.K. Reiter, P. Samarati, (eds.) CCS 2001, Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, November 6-8, 2001 (ACM, 2001), pp. 196-205
[80] P. Rogaway, T. Shrimpton, A provable-security treatment of the key-wrap problem, in Vaudenay [93], pp. 373-390 · Zbl 1140.94369
[81] M.J.O. Saarinen, Authenticated Encryption from GOST R 34.11-2012 LPS Permutation, in CTCrypt 2014 (2014)
[82] M.O. Saarinen, Beyond modes: Building a secure record protocol from a cryptographic sponge permutation, in Benaloh [15], pp. 270-285 · Zbl 1337.94067
[83] M.O. Saarinen, CBEAM: efficient authenticated encryption from feebly one-way $$\phi$$ functions, in Benaloh [15], pp. 251-269 · Zbl 1337.94066
[84] M.J.O. Saarinen, CBEAM r1 (2014), submission to CAESAR competition
[85] M.J.O. Saarinen, STRIBOB r1 (2014), submission to CAESAR competition
[86] M.J.O. Saarinen, B.B. Brumley, STRIBOB r2: "WHIRLBOB" (2015), submission to CAESAR competition
[87] P. Sarkar, T. Iwata, (eds.), Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014. Proceedings, Part I, Lecture Notes in Computer Science, vol. 8873 (Springer, 2014)
[88] Y. Sasaki, L. Wang, Generic attacks on strengthened HMAC: n-bit secure HMAC requires key in all blocks, in M. Abdalla, R.D. Prisco, (eds.) Security and Cryptography for Networks—9th International Conference, SCN 2014, Amalfi, Italy, September 3-5, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8642 (Springer, 2014), pp. 324-339 · Zbl 1423.68158
[89] Y. Sasaki, K. Yasuda, How to incorporate associated data in sponge-based authenticated encryption, in K. Nyberg, (ed.) Topics in Cryptology—CT-RSA 2015, The Cryptographer's Track at the RSA Conference 2015, San Francisco, CA, USA, April 20-24, 2015. Proceedings. Lecture Notes in Computer Science, vol. 9048 (Springer, 2015), pp. 353-370 · Zbl 1382.94158
[90] Y. Sasaki, K. Yasuda, Directly Evaluating Multi-Collisions and Improving Security Bounds. Symmetric Cryptography, Dagstuhl Seminar 16021 (2016)
[91] K. Suzuki, D. Tonien, K. Kurosawa, K. Toyota, Birthday paradox for multi-collisions, in M.S. Rhee, B. Lee, (eds.) Information Security and Cryptology—ICISC 2006, 9th International Conference, Busan, Korea, November 30-December 1, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4296 (Springer, 2006), pp. 29-40 · Zbl 1272.94064
[92] K. Suzuki, D. Tonien, K. Kurosawa, K. Toyota, Birthday paradox for multi-collisions. IEICE Trans. 91-A(1), 39-45 (2008) · Zbl 1272.94064
[93] S. Vaudenay, (ed.), Advances in Cryptology—EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28-June 1, 2006, Proceedings, Lecture Notes in Computer Science, vol. 4004 (Springer, 2006) · Zbl 1108.94002
[94] D. Vizár, Ciphertext forgery on HANUMAN. Cryptology ePrint Archive, Report 2016/697 (2016)
[95] D. Whiting, R. Housley, N. Ferguson, AES Encryption and Authentication Using CTR Mode and CBC-MAC. IEEE 802.11-02/001r2 (2002)
[96] H. Wu, The Hash Function JH (2011), submission to NIST's SHA-3 competition