Chapter 2 provides a practical method, i.e., changing the counter incrementing function of the CTR mode from the modular addition to a simple operation in the finite field, in order to avoid the security proof flaw discovered by Iwata et al. and repair GCM. By applying this method, the security bounds of GCM can be improved by a factor of about 220. We also give security proofs for the revised mode of operation, named LGCM. Two implementation alternatives of LGCM are discussed for thwart- ing timing-based side-channel attacks. Preliminary results of this chapter have been published in our paper [128].
Chapter 3 analyzes MAC forgery attacks and weak key classes of polynomial-based MAC algorithms including the one used in GCM, based on the recent work of Saarinen, Procter and Cid. We reveal (and demonstrate by practical examples) that hash col- lisions are not necessarily required for forgeries of GCM-like polynomial-based MAC schemes, and polynomials with non-zero constant terms can be used for the attacks. These remove certain restrictions of MAC forgery attacks proposed by Procter and Cid. Based on the discoveries on MAC forgeries, we show that all non-singleton sub- sets (i.e., with more than one element) of authentication keys are weak key classes, if the final masking by block ciphers is computed additively. This is an extension to the previous analysis result of Procter and Cid. Furthermore, based on a special struc- ture of GCM, we show how to turn these forgery attacks into birthday-bound-based attacks by querying the encryption oracle instead of the verification or decryption oracle. This can significantly increase success probabilities and avoid certain coun- termeasures. At last, we indicate that even if GCM is changed to the MAC-then-Enc paradigm to make it more difficult for adversaries to attack MAC schemes, which is one of the options mentioned in [100], our MAC forgery attacks can still work. The content of this chapter has also appeared in our paper [128].
into consecutive sub-ciphers by guessing certain intermediate states, then MITM attacks are applied to these sub-ciphers separately, and finally results are brought together to eliminate wrong secret keys. We apply this multidimensional approach to the KATAN block cipher family, and obtain the best cryptanalysis results so far. Our new attacks can recover the master keys of 175-round KATAN32, 130-round KATAN48, and 112-round KATAN64 faster than exhaustive search, and thus have reached many more rounds than the existing attacks. New attacks on 115-round KATAN32 and 100-round KATAN48 are also proposed in order to show that this new kind of attacks can be more efficient than the existing ones. This work has been published in our paper [126].
Chapter 5 proposes two novel password hashing algorithms, Pleco and Plectron, based upon several well-studied cryptographic structures and primitives. The nov- elty in the designs of Pleco and Plectron is the combination of symmetric-key and asymmetric-key algorithms that offers a twofold benefit: 1) Since the tools to crypt- analyzing asymmetric-key algorithms are quite different from those for symmetric-key ones, the composition of symmetric-key and asymmetric-key components will make cryptanalysis much harder. The basic idea is analogous to the designs of ARX (ad- ditions, rotations and XORs) based cryptographic primitives [13, 22, 93] and the block cipher IDEA [78], in which different operations are alternatively applied; 2) The asymmetric-key components not only make our scheme provably secure (the one-wayness of Pleco is as strong as the hard problem of integer factorization), but also enable server-specific computational shortcuts as a result of faster expo- nentiation via the Chinese Remainder Theorem when factors of moduli are known by legitimate users. In addition to describing the Pleco and Plectron designs in great detail, we theoretically prove their security with respect to one-wayness and collision resistance. Pleco and Plectron are also designed to be sequential memory-hard to thwart brute-force attacks using dedicated hardware. Our work on these two password hashing designs has been published in [123]. Interested readers may refer to [125] for our latest progress.
Chapter 6 presents the design of Loxin, an innovative framework for password-less cloud authentication systems. After an initial registration process, Loxin enables a user to access multiple cloud services or web applications with only a few taps on his/her mobile devices. This salient feature comes from the adoption of asymmetric-key, i.e., public-key, cryptosystems and cloud-based push message services. Different from most existing cloud login/authentication solutions, the servers of Loxin are not able to generate users’ credentials. Therefore, even if a Loxin server is compromised, the
attacker cannot impersonate a user in order to access cloud services. As a potential application, we have followed the Loxin security framework to build a password-less mobile payment solution for tackling the MintChip Challenge [89]. The main content of this chapter has published in our paper [124].
Chapter 2
Repairing the Galois/Counter Mode of
Operation
This chapter investigates the provable security of the Galois/Counter Mode (GCM). As we have mentioned in Section 1.2.2, GCM has been adopted by many security standards and protocols for protecting cloud communications and storage. First, Section 2.1 describes the detailed design of GCM along with the security proof flaw discovered by Iwata et al. Next, a simple operation over the finite field is introduced in Section 2.2, followed by our method for repairing GCM described in Section 2.3. After that, Section 2.4 presents the methods of implementing the revised GCM for preventing side-channel attacks based on timing information. The last section summarizes the chapter.