Theses

Permanent URI for this collectionhttp://164.52.219.250:4000/handle/10263/2744

Browse

Subject: search.filters.subject.Provable Security

Search Results

Now showing 1 - 4 of 4
  • No Thumbnail Available
    Item
    Provable Security in Idealised Models
    (Indian Statistical Institute, Kolkata, 2024-07) Dhar, Chandranan
    This thesis is a compilation of provable security analyses of various cryptographic constructions in idealised models. The first construction examined is the ABR hash. We revisit the existing proof of the ABR hash in the random oracle model and identify significant errors in the proof. Although we are unable to correct the original proof, we establish the security of the ABR tree of height 3 from scratch, addressing the first non-trivial case. As our second contribution, we conduct a tight and comprehensive security analysis of the Ascon AEAD mode in the random permutation model. We show that the efficiency of Ascon can be increased by 50%, and the tag size can be halved without losing any security. In the third contribution, we extend our security analysis of Ascon to the multiuser setting, providing tight security bounds for both nonce-respecting and noncemisuse adversaries. Additionally, we propose LK-Ascon, a variant of Ascon with a key size of up to 256 bits, offering improved multi-user security compared to Ascon. As the final contribution, we introduce PACT, a transform that converts any authenticated encryption mode into a context-committing one without any output length expansion. PACT achieves this with a single call to a collision-resistant unkeyed hash function and one call to a block cipher, with the analysis performed in the ideal cipher model. We also propose comPACT, a faster version of PACT which gives a nonce-respecting committing authenticated encryption scheme.
  • No Thumbnail Available
    Item
    Design and Analysis of Some Symmetric Key Schemes for Encryption and Authentication
    (Indian Statistical Institute, Kolkata, 2024) Kundu, Samir
    This thesis mainly focuses on the design and analysis of tweakable enciphering schemes (TESs) and message authentication codes (MACs). Tweakable enciphering schemes are length preserving encryption schemes that provide security of a strong tweakable pseudorandom permutation. There are several constructions of TES using block ciphers as the main cryptographic primitive. Recently, public random permutations have been widely considered as a replacement for block ciphers in several cryptographic schemes, including Authenticated Encryption (AE) schemes, MACs, etc. However, to the best of our knowledge, a systematic study of constructing TESs using public random permutations is missing. We fill this gap by constructing TES using public permutations. We propose two main constructions with several variants. The basic construction, which we call ppTES is generically constructed using a public random permutation, a length expanding pseudorandom function (PRF) based on public random permutations and an almost xor-universal and almost-regular (AXUAR) hash function. We show a concrete instantiation of ppTES and prove its security using the H-Coefficient technique. ppTES requires both forward and inverse calls to the public random permutation. Most public random permutations are designed with the goal of making the forward calls extremely fast. Thus, a TES construction that does not need computing the inverse of a permutation will have better efficiency. This fact leads us to design a TES that uses a public permutation but does not require the inverse calls to the permutation. We call this construction as IpTES. In addition to a public permutation, IpTES uses an AXUAR hash function. To ensure the inverse free property, we suitably use a two-round Feistel structure. We prove that IpTES is a birthday bound secure public permutation based TES. The rest of the work is on MACs. TrCBC is a variant of the famous CBC MAC which was proposed by Zhang et al. in 2012. It was claimed that TrCBC is a secure MAC with significant efficiency advantages over other secure variants of CBC. The authors also mentioned the only disadvantage of TrCBC to be the fact that it produces shorter tags; in particular, it was claimed that TrCBC can only produce secure tags of length less than n=2, where n is the block length of the underlying block cipher. We mount a concrete practical attack on TrCBC. We show that with high probability, an adversary can forge TrCBC with tag length n=2 􀀀 1 with just three queries. We discuss some general scenarios of our concrete attack and also do a detailed analysis of the authors’ security claims of TrCBC. Next, we study variable output length pseudorandom functions and their use in constructing secure MACs, which can produce tags of varying lengths using the same key. In this regard, we propose a generic construction of converting a fixed output length PRF to a variable output length PRF and discuss its utility in constructing MACs. We also propose some modifications to the famous block cipher based MAC called PMAC to equip it to produce tags of varying lengths. Finally, we do an extensive study of a newly proposed MAC, 2k-LightMAC_Plus. 2k-LightMAC_Plus was proposed by Datta et al. in FSE 2018, where the author proved that the scheme provides 2n=3 bits of security. We improve this bound and show that 2k-LightMAC_Plus provably achieves 3n=4 bit security. We also exhibit a matching attack on the construction and hence establish that our bound is tight. Our proof uses several components of Mirror Theory.
  • No Thumbnail Available
    Item
    Tight Security of PMAC-type and CBC-type Message Authentication Codes
    (Indian Statistical Institute, Kolkata, 2023-07) Chattopadhyay, Soumya
    Message Authentication Codes (or MACs) are symmetric-key primitives that ensure the authenticity as well as the integrity of messages. The sender generates an authen- tication tag (based on a message and a secret key) which can be verified on the re- ceiver’s end. Two paradigms for building block cipher based MACs of the form Hash- then-PRP: 1) Parallelizable or PMAC-type, 2) Sequential or CBC-type. PMAC, sPMAC, PMAC1, LightMAC etc. are examples of PMAC-type MACs. Whereas OMAC, XCBC, TMAC, GCBC are examples of CBC-type MACs. Obtaining length independent (tight) bounds for these constructions has been a challenging problem. The goal of this thesis is to obtain length independent (tight) bounds for as many important constructions as possible and devise a novel technique that can be employed for various constructions and has a scope of generalization. PMAC-TYPE MACS: Firstly, in chapter 3, we demonstrate why a claim about tight se- curity of a PMAC variant proposed by Naito is wrong. Together with that, we state a necessary and sufficient condition to correctly establish that claim. Secondly, in the same chapter, we propose a variant of PMAC1 which has tight security for a rea- sonable range of message lengths. Then we prove the tight security of sPMAC for a weaker notion of independence (of hash). Next, in chapter 4, we analyze secu- rity bounds for LightMAC: We show tight security of 1k-LightMAC (single-key version of the original LightMAC) which holds for a range of lengths (both upper and lower bounded). Moreover, we show an attack on 1k-LightMAC for sufficiently small-length messages. Besides we propose two new variants of 1k-LightMAC, namely, LightMAC- swp and LightMAC-ds, both of which achieve length independent tight security for a fairly good range of lengths. Here we employ a novel sampling technique, dubbed “Reset-sampling”, as a subroutine of H-coefficient setup. It helps get tight bounds. Then, in the last chapter (5) of this part, we try to get a generalized view of the PMAC family. We develop technical concepts necessary to cover a large class of parallelizable MACs of the form hash-then-PRP. As the main results of this chapter, we prove the se- curity bound in terms of the collision probability of the underlying hash function, both for independent keys and single-keyed versions of a generic member of the PMAC family. As a corollary to this, we apply this result to get birthday-bound security for a simplified version of PMAC+, under some assumptions. Moreover, a similar bound for 1k-LightMAC as well follows directly from the main result. CBC-TYPE MACS: In chapter 6, we obtain O( q2 2n + qℓ2 2n ) bound for OMAC using reset- sampling . This is the best-known bound for it. Although it is not “length independent” in an exact sense, it behaves almost like a birthday bound with some consideration. We obtain similar bounds for XCBC and TMAC also. In this way, we become successful in establishing tight security for all CBC-MAC variants, except the original one.
  • No Thumbnail Available
    Item
    Provable Security of Symmetric-keyCryptographic Schemes
    (Indian Statistical Institute, Kolkata, 2019-10) Jha, Ashwin
    Abstract: A symmetric-key cryptographic scheme is deemed to be provably secure if one can formally argue that it is secure given the hardness of some underlying computational problem. This thesis is a study of the provable security of symmetric-key cryptographic schemes, encompassing major information security goals, viz. data authentication, encryption and authenticated encryption. Along the way, we provide quantitative (better security bounds) and/or qualitative (relaxation in security preconditions) improvements in the provable security of several schemes. Among authentication schemes, we study CBC-MAC and XMAC family of message authentication codes. In case of the CBC-MAC family, we provide improved security bounds for several members, and in case of the XMAC family, we generalize the underlying counter-based encoding to derive simplified security arguments and several efficient variants. Among encryption schemes, we explore possible ways to construct beyond-the-birthday bound online ciphers using tweakable block ciphers. We show that an existing BBB scheme POEx is only birthday bound secure, and as a consequence propose a variant called XTC that achieves (almost) optimal security. On a related topic, we study the security of CLRW2, a tweakable block cipher construction based on block ciphers. We show tight security for CLRW2 under the assumption that the underlying hash functions are 3-wise AXU hash. We conclude our study with an exploration of the scope of random read access in OCB authentication encryption scheme. We observe that the existing versions of OCB are highly inefficient in random read access due to a strong assumption (AXU hash) on the underlying mask generating function. We define a relaxed notion of universal hash, called locally imperfect XOR universal (LIXU), and show that generalized OCB is secure even under this relaxed notion. Finally, we give some efficient candidates for LIXU hash that are apt for efficient random read access in OCB.