On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practice, the reuse of nonces is a frequent issue. In ...

Leakage-resilient cryptography is about security in the presence of leakage from side-channels. In this paper, we present several issues of the RCB block cipher mode. Agrawal et al [2] proposed recently RCB as a leakage-resilient authenticated encryption (AE) scheme. Our main result is that RCB fails to provide authenticity, even in the absence of leakage.

In this paper, we present a novel lightweight authenticated cipher optimized for hardware implementations called Fides. It is an online nonce-based authenticated encryption scheme with authenticated data whose area requirements are as low as 793 GE and 1001 GE for 80-bit and 96-bit security, respectively. This is at least two times smaller than its closest competitors Hummingbird-2 and Grain-12...

Widespread use of pervasive devices has resulted in security problems which can not be solved by conventional algorithms and approaches. These devices are not only extremely resourceconstrained, but most of them also require high performance – with respect to available resources – in terms of security, speed and latency. Especially for authenticated encryption, such performance can not be achie...

Grain-128AEAD is a lightweight authenticated encryption stream cipher and one of the finalists in National Institute Standards Technology (NIST) Lightweight Cryptography (LWC) project. This paper provides an independent third-party analysis against fault attacks. We investigate application three differential attack models on Grain-128AEAD. All these attacks can recover initial state First, we d...

We propose a block-cipher mode of operation, EAX, for authenticated-encryption with associateddata (AEAD). Given a nonce N , a message M , and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings N, M, H E {0, 1} are arbitrary, and the mode uses 2→M/n∈ + →H/n∈ + →N/n∈ block-cipher calls when these strings are nonempty and n is the block length of the unde...

The Cipher Block Chaining { Message Authentication Code (CBC MAC) speciies that a message x = x 1 x m be authenticated among parties who share a secret key a by tagging x with a preex of f (m) a (x) def = f a (f a (f a (f a (x 1)x 2) x m?1)x m) ; where f is some underlying block cipher (eg. f = DES). This method is a pervasively used international and U.S. standard. We provide its rst formal ju...

FIDES is a lightweight authenticated cipher, presented at CHES 2013. The cipher has two version, providing either 80-bit or 96bit security. In this paper, we describe internal state-recovery attacks on both versions of FIDES, and show that once we recover the internal state, we can use it to immediately forge any message. Our attacks are based on a guess-and-determine algorithm, exploiting the ...