Generalized Initialization of the Duplex Construction

  • Conference paper
Applied Cryptography and Network Security (ACNS 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14584))

Abstract

The duplex construction is already well analyzed, with many papers proving its security in the random permutation model. However, so far, the first phase of the duplex, where the state is initialized with a secret key and an initialization vector (\( IV \)), is typically analyzed in a worst-case manner. More specifically, it is always assumed that the adversary is allowed to choose the \( IV \) at will. In practice, however, the adversary can be stripped of its power to control the \( IV \) in several ways. One prominent way of doing this is the use of a nonce (\( IV \)) masked with a secret, as done in AES-GCM in TLS 1.3. In this paper, we analyze how the security of the duplex construction changes if restrictions on the choice of the \( IV \) are imposed. In particular, we evaluate several strategies that can achieve this, ranging from the \( IV \)-on-key case, via the global nonce case, to the random \( IV \) case. We apply our findings to duplex-based encryption and authenticated encryption, compare the different strategies, and discuss the practical applications of our results.
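As an added illustration (not code from the paper), the masked-nonce strategy the abstract cites from AES-GCM in TLS 1.3 (RFC 8446, Sect. 5.3) placed beside the chosen-IV and random-IV initialization strategies. Modelling the initial duplex state as the plain concatenation of key and IV, and the 16-byte key length, are simplifying assumptions made here.

```python
import secrets
from typing import Tuple

IV_LEN = 12   # AES-GCM in TLS 1.3 uses 96-bit per-record nonces (RFC 8446, Sect. 5.3)
KEY_LEN = 16  # assumed key length for this illustration only


def tls13_record_nonce(write_iv: bytes, seq_num: int) -> bytes:
    """Per-record nonce of RFC 8446, Sect. 5.3: the 64-bit record sequence number,
    left-padded with zeros to the IV length, XORed with the secret write_iv."""
    if len(write_iv) != IV_LEN:
        raise ValueError("write_iv must be %d bytes" % IV_LEN)
    if not 0 <= seq_num < 2**64:
        raise ValueError("sequence number exhausted; rekey before continuing")
    padded = seq_num.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(padded, write_iv))


def init_chosen_iv(key: bytes, iv: bytes) -> bytes:
    """Worst-case model: the adversary picks the IV placed next to the key."""
    return key + iv


def init_masked_nonce(key: bytes, write_iv: bytes, seq_num: int) -> bytes:
    """Masked-nonce strategy: the counter is public, the mask write_iv is secret."""
    return key + tls13_record_nonce(write_iv, seq_num)


def init_random_iv(key: bytes) -> Tuple[bytes, bytes]:
    """Random-IV strategy: the IV is drawn fresh and must travel with the ciphertext."""
    iv = secrets.token_bytes(IV_LEN)
    return key + iv, iv


def all_nonces_distinct(write_iv: bytes, count: int) -> bool:
    """A connection numbering its records 0..count-1 never repeats a nonce."""
    seen = set()
    for seq in range(count):
        nonce = tls13_record_nonce(write_iv, seq)
        if nonce in seen:
            return False
        seen.add(nonce)
    return True


def unmask_seq_num(write_iv: bytes, nonce: bytes) -> int:
    """Only a holder of write_iv can map a nonce back to its record counter."""
    return int.from_bytes(bytes(a ^ b for a, b in zip(nonce, write_iv)), "big")
```

The adversary observing the records learns the sequence number but not the nonce actually fed to the AEAD, which is the restriction on \( IV \) choice the paper studies.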

Notes

  1. We remark that there is a third term influenced by initialization calls, namely the first term of (5c) of Theorem 1. This term is not relevant for the introductory discussion of our work, but is taken into account in the technical analysis; see also Sect. 3.5.

  2. The update is fairly straightforward, merely replacing \(\boldsymbol{K}[\delta ]\parallel IV \) with \(\textsf{initL}(\boldsymbol{K},\delta ,i)\parallel \textsf{initR}(\boldsymbol{K},\delta ,i)\).

  3. This could be improved by conditioning on which keys in \(\boldsymbol{K}\) actually collide, but the gain in following this avenue is negligible as this is not the main term anyway.

References

  1. Bao, Z., et al.: PHOTON-beetle authenticated encryption and hash family. Finalist of NIST lightweight cryptography standardization process (2021)

  2. Beierle, C., et al.: Lightweight AEAD and hashing using the sparkle permutation family. IACR Trans. Symmetric Cryptol. 2020(S1), 208–261 (2020). https://doi.org/10.13154/tosc.v2020.iS1.208-261

  3. Bellare, M., Namprempre, C.: Authenticated Encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

  4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, 3–5 November 1993, pp. 62–73. ACM (1993). https://doi.org/10.1145/168588.168596

  5. Bellare, M., Tackmann, B.: The Multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10

  6. Bernstein, D.J., et al.: Gimli: second round submission to NIST lightweight cryptography (2019)

  7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop 2007 (2007)

  8. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the Sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19

  9. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The KECCAK SHA-3 submission. SHA-3 competition (round 3) (2011)

  10. Biham, E.: How to decrypt or even substitute DES-encrypted messages in \(2^{28}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002). https://doi.org/10.1016/S0020-0190(02)00269-7

  11. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodyak, a lightweight cryptographic scheme. IACR Trans. Symmetric Cryptol. 2020(S1), 60–87 (2020). https://doi.org/10.13154/tosc.v2020.iS1.60-87

  12. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodyak, a lightweight cryptographic scheme. Final Round Submission to NIST Lightweight Cryptography (2021)

  13. Daemen, J., Mennink, B., Van Assche, G.: Full-State keyed duplex with built-in multi-user support. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 606–637. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_21

  14. Dobraunig, C., et al.: ISAP v2.0. IACR Trans. Symmetric Cryptol. 2020(S1), 390–416 (2020). https://doi.org/10.13154/tosc.v2020.iS1.390-416

  15. Dobraunig, C., et al.: ISAP v2. Final round submission to NIST lightweight cryptography (2021)

  16. Dobraunig, C., Eichlseder, M., Mangard, S., Mendel, F., Unterluggauer, T.: ISAP - towards side-channel secure authenticated encryption. IACR Trans. Symmetric Cryptol. 2017(1), 80–105 (2017). https://doi.org/10.13154/tosc.v2017.i1.80-105

  17. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: ASCON v1.2. Winning submission to NIST lightweight cryptography (2021)

  18. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: ASCON v1.2: lightweight authenticated encryption and hashing. J. Cryptol. 34(3), 33 (2021). https://doi.org/10.1007/s00145-021-09398-9

  19. Dobraunig, C., Mennink, B.: Leakage resilience of the duplex construction. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 225–255. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_8

  20. Dobraunig, C., Mennink, B., Primas, R.: Leakage and tamper resilient permutation-based cryptography. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.) Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, CA, USA, 7–11 November 2022, pp. 859–873. ACM (2022). https://doi.org/10.1145/3548606.3560635

  21. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997). https://doi.org/10.1007/s001459900025

  22. Krawczyk, H.: The Order of encryption and authentication for protecting communications (or: How Secure Is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_19

  23. Mennink, B.: Understanding the duplex and its security. IACR Trans. Symmetric Cryptol. 2023(2), 1–46 (2023). https://doi.org/10.46586/tosc.v2023.i2.1-46

  24. Mennink, B., Reyhanitabar, R., Vizár, D.: Security of full-state keyed sponge and duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 465–489. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_19

  25. Rescorla, E.: The Transport layer security (TLS) protocol version 1.3. RFC 8446 (2018). https://www.rfc-editor.org/info/rfc8446

  26. Smith, B.: Re: [TLS] Pull Request: removing the AEAD explicit IV. Mail to IETF TLS Working Group (2015). https://mailarchive.ietf.org/arch/msg/tls/2BLiJrJxKveoVjRCZhvkgGq-ksg

Acknowledgements

We want to thank the authors of [13] for the many insightful discussions. Bart Mennink is supported by the Netherlands Organisation for Scientific Research (NWO) under grant VI.Vidi.203.099.

Correspondence to Bart Mennink.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Dobraunig, C., Mennink, B. (2024). Generalized Initialization of the Duplex Construction. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14584. Springer, Cham. https://doi.org/10.1007/978-3-031-54773-7_18

  • DOI: https://doi.org/10.1007/978-3-031-54773-7_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54772-0

  • Online ISBN: 978-3-031-54773-7