
Keyword Search Result

[Keyword] authenticated encryption (17 hits)

1-17 of 17 hits
  • Generic Construction of Public-Key Authenticated Encryption with Keyword Search Revisited

    Keita EMURA

    PAPER

      Publicized:
    2023/09/12
      Vol:
    E107-A No:3
      Page(s):
    260-274

    Public key authenticated encryption with keyword search (PAEKS) has been proposed, where a sender's secret key is required for encryption, and a trapdoor is associated with not only a keyword but also the sender. This setting allows us to prevent information leakage of keywords from trapdoors. Liu et al. (ASIACCS 2022) proposed a generic construction of PAEKS based on word-independent smooth projective hash functions (SPHFs) and PEKS. In this paper, we propose a new generic construction of PAEKS, which is more efficient than Liu et al.'s in the sense that we use only one SPHF, whereas Liu et al. used two SPHFs. In addition, for consistency we consider a security model that is stronger than Liu et al.'s. Briefly, Liu et al. considered only keywords even though a trapdoor is associated with not only a keyword but also a sender. Thus, a trapdoor associated with a sender should not work against ciphertexts generated by the secret key of another sender, even if the same keyword is associated. That is, in the previous definitions, there is room for a ciphertext to be searchable even though the sender was not specified when the trapdoor was generated, which violates the authenticity of PAEKS. Our consistency definition considers a multi-sender setting and captures this case. In addition, for indistinguishability against chosen keyword attack (IND-CKA) and indistinguishability against inside keyword guessing attack (IND-IKGA), we use a stronger security model defined by Qin et al. (ProvSec 2021), where an adversary is allowed to query challenge keywords to the encryption and trapdoor oracles. We also highlight several issues associated with the Liu et al. construction in terms of hash functions, e.g., their construction does not satisfy the consistency that they claimed to hold.

  • Provable-Security Analysis of Authenticated Encryption Based on Lesamnta-LW in the Ideal Cipher Model

    Shoichi HIROSE  Hidenori KUWAKADO  Hirotaka YOSHIDA

    PAPER

      Publicized:
    2021/07/08
      Vol:
    E104-D No:11
      Page(s):
    1894-1901

    Hirose, Kuwakado and Yoshida proposed a nonce-based authenticated encryption scheme Lae0 based on Lesamnta-LW in 2019. Lesamnta-LW is a block-cipher-based iterated hash function included in the ISO/IEC 29192-5 lightweight hash-function standard. They also showed that Lae0 satisfies both privacy and authenticity if the underlying block cipher is a pseudorandom permutation. Unfortunately, their result implies only about 64-bit security for instantiation with the dedicated block cipher of Lesamnta-LW. In this paper, we analyze the security of Lae0 in the ideal cipher model. Our result implies about 120-bit security for instantiation with the block cipher of Lesamnta-LW.

  • Security Analysis and Countermeasures of an End-to-End Encryption Scheme of LINE

    Takanori ISOBE  Kazuhiko MINEMATSU

    PAPER-Cryptography and Information Security

      Vol:
    E103-A No:1
      Page(s):
    313-324

    In this paper, we analyze the security of the end-to-end encryption (E2EE) scheme of LINE, a.k.a. Letter Sealing. LINE is one of the most widely deployed instant messaging applications, especially in East Asia. By a close inspection of its protocols, we give several attacks against the message integrity of Letter Sealing. Specifically, we propose forgery and impersonation attacks on the one-to-one message encryption and the group message encryption. All of our attacks are feasible with the help of an end-to-end adversary, who has access to the inside of the LINE server (e.g., the service provider LINE itself). We stress that the main purpose of E2EE is to provide protection against the end-to-end adversary. In addition, we found some attacks that do not even need the help of the E2E adversary, which shows a critical security flaw of the protocol. Our results reveal that the E2EE scheme of LINE does not sufficiently guarantee the integrity of messages compared to state-of-the-art E2EE schemes such as Signal, which is used by WhatsApp and Facebook Messenger. We also provide some countermeasures against our attacks. We shared our findings with LINE Corporation in advance. LINE Corporation has confirmed that our attacks are valid as long as the E2E adversary is involved, and officially recognizes our results as a vulnerability of encryption break.

  • Practical Forgeries and Distinguishers against PAES

    Jérémy JEAN  Ivica NIKOLIC  Yu SASAKI  Lei WANG

    PAPER

      Vol:
    E99-A No:1
      Page(s):
    39-48

    We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and, in a nutshell, it is a state recovery based on solving differential equations for the S-Box leaked through the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only 2^11 time and data. The second attack is a distinguisher for 2^64 out of 2^128 keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of PAES, which allows one to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES.

  • Optimality of Tweak Functions in CLOC

    Hayato KOBAYASHI  Kazuhiko MINEMATSU  Tetsu IWATA

    PAPER-Cryptography and Information Security

      Vol:
    E98-A No:10
      Page(s):
    2152-2164

    An Authenticated Encryption scheme is used to guarantee both privacy and authenticity of digital data. At FSE 2014, an authenticated encryption scheme called CLOC was proposed. CLOC is designed to handle short input data efficiently without needing heavy precomputation or large memory. This is achieved by treating various cases differently in the encryption process depending on the input data. Five tweak functions are used to handle the conditional branches, and they are designed to satisfy 55 differential probability constraints, which are used in the security proof of CLOC. In this paper, we show that all these 55 constraints are necessary. This shows the design optimality of the tweak functions in CLOC in that the constraints cannot be relaxed, and hence the specification of the tweak functions cannot be simplified.

  • Bitstream Protection in Dynamic Partial Reconfiguration Systems Using Authenticated Encryption

    Yohei HORI  Toshihiro KATASHITA  Hirofumi SAKANE  Kenji TODA  Akashi SATOH

    PAPER-Computer System

      Vol:
    E96-D No:11
      Page(s):
    2333-2343

    Protecting the confidentiality and integrity of a configuration bitstream is essential for the dynamic partial reconfiguration (DPR) of field-programmable gate arrays (FPGAs), because erroneous or falsified bitstreams can cause fatal damage to FPGAs. In this paper, we present a high-speed and area-efficient bitstream protection scheme for DPR systems using the Advanced Encryption Standard with Galois/Counter Mode (AES-GCM), which is an authenticated encryption algorithm. Unlike many previous studies, our bitstream protection scheme also provides a mechanism for error recovery and tamper resistance against configuration block deletion, insertion, and reordering. The implementation and evaluation results show that our DPR scheme achieves higher performance, in terms of speed and area, than previous methods.
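
An added example of the position-binding idea that the abstract above describes (tamper resistance against block deletion, insertion and reordering); it is not code from the paper and does not reproduce the paper's header format or error-recovery mechanism. Each configuration block is sealed with AES-GCM using a nonce and associated data that bind it to a bitstream identifier, its index and the total block count, so a block presented at the wrong position, a missing block, a duplicated block, or a block taken from another bitstream fails its tag check. The block size, the bitstream identifier, the key and the sample bitstream are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ChunkSize is the configuration-block granularity used in this example
// (chosen for illustration; a real DPR flow would use the FPGA's frame size).
const ChunkSize = 32

// aad binds a block to a bitstream identifier, its position and the total
// number of blocks, so GCM authenticates all three along with the block itself.
func aad(bitstreamID uint64, index, total uint32) []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[0:8], bitstreamID)
	binary.BigEndian.PutUint32(b[8:12], index)
	binary.BigEndian.PutUint32(b[12:16], total)
	return b
}

// nonce is the 96-bit GCM nonce: bitstream identifier || block index. It is
// unique under one key only if every bitstream sealed with that key gets a
// distinct identifier; a repeated nonce breaks GCM's authentication entirely.
func nonce(bitstreamID uint64, index uint32) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[0:8], bitstreamID)
	binary.BigEndian.PutUint32(n[8:12], index)
	return n
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect splits the bitstream into ChunkSize blocks and seals each one with
// AES-GCM; each element of the result is ciphertext || 16-byte tag for one block.
func Protect(key []byte, bitstreamID uint64, bitstream []byte) ([][]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	total := uint32((len(bitstream) + ChunkSize - 1) / ChunkSize)
	out := make([][]byte, 0, total)
	for i := uint32(0); i < total; i++ {
		start, end := int(i)*ChunkSize, int(i+1)*ChunkSize
		if end > len(bitstream) {
			end = len(bitstream)
		}
		out = append(out, gcm.Seal(nil, nonce(bitstreamID, i),
			bitstream[start:end], aad(bitstreamID, i, total)))
	}
	return out, nil
}

// Verify authenticates each received block against the position it arrived
// at and the number of blocks received. A deleted, inserted, duplicated or
// reordered block changes the index or total expected in the associated data,
// so its tag check fails and the error names the first offending block.
func Verify(key []byte, bitstreamID uint64, blocks [][]byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	total := uint32(len(blocks))
	var plain bytes.Buffer
	for i, blk := range blocks {
		idx := uint32(i)
		pt, err := gcm.Open(nil, nonce(bitstreamID, idx), blk, aad(bitstreamID, idx, total))
		if err != nil {
			return nil, fmt.Errorf("block %d rejected: %w", i, err)
		}
		plain.Write(pt)
	}
	return plain.Bytes(), nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16)               // constructed demo key
	bitstream := bytes.Repeat([]byte("CONFIGFRAME"), 7) // constructed 77-byte sample -> 3 blocks
	blocks, err := Protect(key, 1, bitstream)
	if err != nil {
		panic(err)
	}
	_, err = Verify(key, 1, [][]byte{blocks[1], blocks[0], blocks[2]})
	fmt.Println("reordered:", err)
	_, err = Verify(key, 1, blocks[:2])
	fmt.Println("truncated:", err)
	pt, err := Verify(key, 1, blocks)
	fmt.Println("intact:", err == nil && bytes.Equal(pt, bitstream))
}
```

Because every block carries its own tag, a failure is reported with the index of the offending block, so a loader can re-request that block alone instead of the whole bitstream. The nonce derivation is safe only if each bitstream protected under one key receives a fresh identifier; if a bitstream is re-issued under the same identifier and key, the nonces repeat and GCM's forgery resistance is lost.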

  • Security of Hash-then-CBC Key Wrapping Revisited

    Yasushi OSAKI  Tetsu IWATA

    PAPER-Symmetric Key Cryptography

      Vol:
    E96-A No:1
      Page(s):
    25-34

    Key wrapping schemes are used to encrypt data of high entropy, such as cryptographic keys. There are two known security definitions for key wrapping schemes. One captures the security against chosen plaintext attacks (called DAE-security), and the other captures known plaintext attacks (called AKW-security). In this paper, we revisit the security of Hash-then-CBC key wrapping schemes. In [17], Osaki and Iwata showed that the UCC-then-CBC key wrapping scheme, a key wrapping scheme that uses the UCC hash function and CBC mode, has provable AKW-security. In this paper, we show that the scheme achieves the stronger notion of DAE-security. We also give our proof in the variable input length setting, where the adversary is allowed to make queries of varying lengths. Furthermore, we consider the scheme that incorporates the use of headers. To handle such a setting, we generalize the previous definition of the UCC hash function to the variable input length setting and to take the header as its input, and show an efficient construction that meets the definition.

  • An Improved Authenticated Encryption Scheme

    Fagen LI  Jiang DENG  Tsuyoshi TAKAGI

    LETTER

      Vol:
    E94-D No:11
      Page(s):
    2171-2172

    Authenticated encryption schemes are very useful for private and authenticated communication. In 2010, Rasslan and Youssef showed that Hwang et al.'s authenticated encryption scheme is not secure by presenting a message forgery attack. However, Rasslan and Youssef did not show how to solve the security issue. In this letter, we give an improvement of Hwang et al.'s scheme. The improved scheme not only solves the security issue of the original scheme, but also maintains its efficiency.

  • Cryptanalysis of Hwang-Lo-Hsiao-Chu Authenticated Encryption Schemes

    Mohamed RASSLAN  Amr YOUSSEF

    LETTER-Data Engineering, Web Information Systems

      Vol:
    E93-D No:5
      Page(s):
    1301-1302

    Tseng et al. proposed two efficient authenticated encryption schemes with message linkages for message flows. Hwang et al. (IEICE Trans. Inf. and Syst., Vol. E89-D, No. 4, April 2006) presented a forgery attack against these two schemes and proposed an improvement that they claim resists such attacks. In this paper, we show that the improved authenticated encryption schemes proposed by Hwang et al. are not secure by presenting another message forgery attack against these improved schemes.

  • Secure Message Distribution Scheme with Configurable Privacy in Heterogeneous Wireless Sensor Networks

    YaHui LI  JianFeng MA  SangJae MOON

    PAPER

      Vol:
    E93-D No:3
      Page(s):
    484-490

    Security and privacy of wireless sensor networks are key research issues. Most existing research on wireless sensor network security considers homogeneous sensor networks. To achieve better security and performance, we adopt a heterogeneous wireless sensor network (HWSN) model that consists of physically different types of sensor nodes. This paper presents a secure message distribution scheme with configurable privacy for HWSNs, which takes advantage of powerful high-end sensor nodes. The scheme establishes a message distribution topology in an efficient and secure manner. The sensor node needs to generate only one signature for all the messages for all the users, which greatly saves the communication and computation cost of the sensor node. On the other hand, a user can learn only the messages that a pre-set policy allows him to know, which meets the privacy requirement. We show that the scheme has small bandwidth requirements and is resilient against node compromise attacks.

  • A MAC Forgery Attack on SOBER-128

    Dai WATANABE  Soichi FURUYA  Toshinobu KANEKO

    PAPER

      Vol:
    E88-A No:5
      Page(s):
    1166-1172

    SOBER-128 is a stream cipher designed by Rose and Hawkes in 2003. It can also be used for generating Message Authentication Codes (MACs) and for authenticated encryption. The developers claimed that it is difficult to forge MACs generated by both functions of SOBER-128; however, the security assumption in the proposal paper is not realistic in some instances. In this paper, we examine the security of these message authentication mechanisms of SOBER-128 under the secure channel model. As a result, we show that both the MAC generation and the authenticated encryption are vulnerable to differential cryptanalysis. The success probabilities of the MAC forgery attack are estimated at 2^-6 and 2^-27, respectively. In addition, we show that some secret bits are revealed if a key is used many times.

  • Security Notes on Generalization of Threshold Signature and Authenticated Encryption

    Shuhong WANG  Guilin WANG  Feng BAO  Jie WANG

    LETTER-Information Security

      Vol:
    E87-A No:12
      Page(s):
    3443-3446

    In 2000, Wang et al. proposed a (t,n) threshold signature scheme with (k,l) threshold shared verification, and a (t,n) threshold authenticated encryption scheme with (k,l) threshold shared verification. Later, Tseng et al. mounted some attacks against Wang et al.'s schemes. At the same time, they also presented improvements. In this paper, we first point out that Tseng et al.'s attacks are actually invalid due to their misunderstanding of Wang et al.'s schemes. Then, we show that both Wang et al.'s schemes and Tseng et al.'s improvements are indeed insecure by demonstrating several effective attacks.

  • Cryptanalysis of Publicly Verifiable Authenticated Encryption

    Ting-Yi CHANG  Chou-Chen YANG  Min-Shiang HWANG

    LETTER-Information Security

      Vol:
    E87-A No:6
      Page(s):
    1645-1646

    Recently, Ma and Chen proposed a new authenticated encryption scheme with public verifiability. The signer can generate a signature with message recovery for a specified recipient. In case of a dispute, the recipient has the ability to convert the signature into an ordinary one that can be verified by anyone, without divulging her/his private key or the message. However, in this article we point out that any adversary can forge a converted signature.

  • Unconditionally Secure Authenticated Encryption

    Junji SHIKATA  Goichiro HANAOKA  Yuliang ZHENG  Tsutomu MATSUMOTO  Hideki IMAI

    LETTER

      Vol:
    E87-A No:5
      Page(s):
    1119-1131

    In this paper, we formally define and analyze the security notions of authenticated encryption in the unconditional security setting. For confidentiality, we define the notions APS (almost perfect secrecy) and NM (non-malleability) from an information-theoretic viewpoint, along with our model where multiple senders and receivers exist. For authenticity, we define the notions IntC (integrity of ciphertexts) and IntP (integrity of plaintexts) from the viewpoint of information theory. We then combine the above notions to define the security notions of unconditionally secure authenticated encryption, and analyze the relations among them. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting along with our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that: the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure if a given encryption meets APS and a given signature is secure.
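
An added illustration of why Encrypt-and-Sign can fail while Encrypt-then-Sign does not, in the spirit of the composition result stated at the end of the abstract above; it is not code from the paper. A one-time pad (perfectly secret) is combined with a one-time polynomial MAC over Z_p, p = 2^61 - 1, into which a leak is deliberately built: the tag also carries the low bit of the first authenticated byte. The tag remains unforgeable, because that bit is recomputed at verification, but it is not secrecy-preserving. Under Encrypt-and-Sign the tag covers the plaintext, so a passive eavesdropper reads a plaintext bit from it; under Encrypt-then-Sign the tag covers the ciphertext, and the leaked bit is one-time-pad output that is independent of the plaintext. The pad, the MAC key, the messages and the leaky tag are all constructed for this example and are hypothetical.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"math/big"
)

// p = 2^61 - 1 (prime). The one-time MAC is polynomial evaluation in Z_p.
var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 61), big.NewInt(1))

// MACKey is a one-time key (A, B) in Z_p; a fresh pair is needed per message.
type MACKey struct{ A, B uint64 }

// otp applies a one-time pad; the pad must be at least as long as the input
// and must never be reused.
func otp(pad, in []byte) ([]byte, error) {
	if len(pad) < len(in) {
		return nil, errors.New("otp: pad shorter than input")
	}
	out := make([]byte, len(in))
	for i := range in {
		out[i] = in[i] ^ pad[i]
	}
	return out, nil
}

// polyTag returns B + sum_i msg[i]*A^(i+1) (mod p), evaluated by Horner's rule.
// With a fresh key per message a forgery succeeds with probability about len(msg)/p.
func polyTag(k MACKey, msg []byte) *big.Int {
	a, acc := new(big.Int).SetUint64(k.A), new(big.Int)
	for i := len(msg) - 1; i >= 0; i-- {
		acc.Add(acc, big.NewInt(int64(msg[i])))
		acc.Mul(acc, a)
		acc.Mod(acc, p)
	}
	acc.Add(acc, new(big.Int).SetUint64(k.B))
	return acc.Mod(acc, p)
}

// LeakyTag is a deliberately constructed (hypothetical) authenticator: the
// polynomial tag plus the low bit of the first authenticated byte. Forging it
// still requires forging polyTag, so authenticity is intact, but the tag
// reveals one bit of whatever it authenticates.
type LeakyTag struct {
	T   *big.Int
	Bit byte
}

func lowBit(msg []byte) byte {
	if len(msg) == 0 {
		return 0
	}
	return msg[0] & 1
}

func leakySign(k MACKey, msg []byte) LeakyTag {
	return LeakyTag{T: polyTag(k, msg), Bit: lowBit(msg)}
}

func leakyVerify(k MACKey, msg []byte, t LeakyTag) bool {
	return t.T != nil && polyTag(k, msg).Cmp(t.T) == 0 && lowBit(msg) == t.Bit
}

// EncryptAndSign: ciphertext = pad XOR m, tag computed over the plaintext m.
func EncryptAndSign(pad []byte, k MACKey, m []byte) ([]byte, LeakyTag, error) {
	c, err := otp(pad, m)
	if err != nil {
		return nil, LeakyTag{}, err
	}
	return c, leakySign(k, m), nil
}

// EncryptThenSign: ciphertext = pad XOR m, tag computed over the ciphertext c.
func EncryptThenSign(pad []byte, k MACKey, m []byte) ([]byte, LeakyTag, error) {
	c, err := otp(pad, m)
	if err != nil {
		return nil, LeakyTag{}, err
	}
	return c, leakySign(k, c), nil
}

func OpenEncryptAndSign(pad []byte, k MACKey, c []byte, t LeakyTag) ([]byte, error) {
	m, err := otp(pad, c)
	if err != nil {
		return nil, err
	}
	if !leakyVerify(k, m, t) {
		return nil, errors.New("encrypt-and-sign: tag rejected")
	}
	return m, nil
}

func OpenEncryptThenSign(pad []byte, k MACKey, c []byte, t LeakyTag) ([]byte, error) {
	if !leakyVerify(k, c, t) {
		return nil, errors.New("encrypt-then-sign: tag rejected")
	}
	return otp(pad, c)
}

// Eavesdrop is everything a passive adversary can read off the tag.
func Eavesdrop(t LeakyTag) byte { return t.Bit }

func main() {
	pad := bytes.Repeat([]byte{0xA5}, 14) // constructed; use a fresh random pad in practice
	k := MACKey{A: 12345, B: 67890}       // constructed one-time MAC key
	for _, m := range [][]byte{[]byte("attack at dawn"), []byte("hold position!")} {
		_, tEaS, _ := EncryptAndSign(pad, k, m)
		c, tEtS, _ := EncryptThenSign(pad, k, m)
		fmt.Printf("%q plaintext bit=%d  E&S leaks %d  EtS leaks %d (= ciphertext bit %d)\n",
			m, m[0]&1, Eavesdrop(tEaS), Eavesdrop(tEtS), c[0]&1)
	}
}
```

The leaky tag is the standard kind of counterexample for this result: it shows that "the signature is secure" (unforgeable) says nothing about what the signature reveals, which is exactly what Encrypt-and-Sign relies on and Encrypt-then-Sign does not. Both compositions still reject a modified ciphertext, so the difference is purely one of confidentiality.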

  • The Security of the Improvement on the Generalization of Threshold Signature and Authenticated Encryption

    Narn-Yih LEE

    LETTER-Information Security

      Vol:
    E85-A No:10
      Page(s):
    2364-2367

    Wang et al., in 2000, proposed a generalized group-oriented threshold signature scheme and a generalized authenticated encryption scheme with shared verification. Tseng et al., in 2001, showed that both schemes are insecure, because any attacker is able to reveal the group secret keys from two previously valid threshold signatures. They further presented two improvements on Wang et al.'s schemes to resist the attacks. Unfortunately, this paper will show that the improved schemes are still breakable.

  • On the Security of Generalization of Threshold Signature and Authenticated Encryption

    Yuh-Min TSENG  Jinn-Ke JAN  Hung-Yu CHIEN

    LETTER-Information Security

      Vol:
    E84-A No:10
      Page(s):
    2606-2609

    In 2000, Wang et al. proposed a new (t,n) threshold signature scheme with (k,l) threshold shared verification. Meanwhile, integrating the idea of message recovery, they also proposed a (t,n) threshold authenticated encryption scheme with (k,l) threshold shared verification. However, this article will show that both proposed schemes are insecure, because any malicious attacker can obtain the group secret keys from two valid threshold signatures. Thus, the attacker alone may forge or verify a threshold signature. An improvement to overcome the attacks is proposed.

  • Generalization of Threshold Signature and Authenticated Encryption for Group Communications

    Ching-Te WANG  Chin-Chen CHANG  Chu-Hsing LIN

    PAPER-Information Security

      Vol:
    E83-A No:6
      Page(s):
    1228-1237

    In this paper, we propose a generalization of threshold signature and authenticated encryption for group communications. The concept of the (t, n) threshold signature with (k, l) shared verification is implemented in group-oriented cryptosystems. In the system, any t members can represent a group to sign a message and any k verifiers can represent another group to authenticate the signature. By integrating the cryptographic techniques of data encryption, digital signature and message recovery, a group-oriented authenticated encryption scheme with (k, l) shared verification is also proposed. The message expansion and communication cost can also be reduced in our schemes.