International Association for Cryptologic Research

International Association
for Cryptologic Research


Jean Paul Degabriele


Sponges Resist Leakage: The Case of Authenticated Encryption
Jean Paul Degabriele Christian Janson Patrick Struck
In this work we advance the study of leakage-resilient Authenticated Encryption with Associated Data (AEAD) and lay the theoretical groundwork for building such schemes from sponges. Building on the work of Barwell et al. (ASIACRYPT 2017), we reduce the problem of constructing leakage-resilient AEAD schemes to that of building fixed-input-length function families that retain pseudorandomness and unpredictability in the presence of leakage. Notably, neither property is implied by the other in the leakage-resilient setting. We then show that such a function family can be combined with standard primitives, namely a pseudorandom generator and a collision-resistant hash, to yield a nonce-based AEAD scheme. In addition, our construction is quite efficient in that it requires only two calls to this leakage-resilient function per encryption or decryption call. This construction can be instantiated entirely from the T-sponge to yield a concrete AEAD scheme which we call $${ \textsc {Slae}}$$. We prove this sponge-based instantiation secure in the non-adaptive leakage setting. $${ \textsc {Slae}}$$ bears many similarities and is indeed inspired by $${ \textsc {Isap}}$$, which was proposed by Dobraunig et al. at FSE 2017. However, while retaining most of the practical advantages of $${ \textsc {Isap}}$$, $${ \textsc {Slae}}$$ additionally benefits from a formal security treatment.
Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove
Jean Paul Degabriele Marc Fischlin
Ever since the foundational work of Goldwasser and Micali, simulation has proven to be a powerful and versatile construct for formulating security in various areas of cryptography. However security definitions based on simulation are generally harder to work with than game based definitions, often resulting in more complicated proofs. In this work we challenge this viewpoint by proposing new simulation-based security definitions for secure channels that in many cases lead to simpler proofs of security. We are particularly interested in definitions of secure channels which reflect real-world requirements, such as, protecting against the replay and reordering of ciphertexts, accounting for leakage from the decryption of invalid ciphertexts, and retaining security in the presence of ciphertext fragmentation. Furthermore we show that our proposed notion of channel simulatability implies a secure channel functionality that is universally composable. To the best of our knowledge, we are the first to study universally composable secure channels supporting these extended security goals. We conclude, by showing that the Dropbear implementation of SSH-CTR is channel simulatable in the presence of ciphertext fragmentation, and therefore also realises a universally composable secure channel. This is intended, in part, to highlight the merits of our approach over prior ones in admitting simpler security proofs in comparable settings.

Program Committees

Eurocrypt 2022
Crypto 2019