International Journal on Cryptography and Information Security (IJCIS), Vol. 8, No.3, September 2018
DOI: 10.5121/ijcis.2018.8301
RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES
Ahmad Khoureich Ka
Department of Computer Science, University of Alioune Diop de Bambey, Senegal
ABSTRACT
Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These
devices mainly comprise RFID (Radio-Frequency Identification) or WSN (Wireless Sensor Network)
components. Their adoption is growing in areas where data security, privacy or both must be
guaranteed. Therefore, it is necessary to develop appropriate security solutions for these systems. Many
papers have proposed solutions for encryption or authentication, but it turns out that sometimes the
proposal has a security flaw or is ill-suited for constrained IoT devices (which have very limited
processing and storage capacities). In this paper, we introduce a new authentication protocol inspired by
Mirror-Mac (MM), a generic construction of authentication protocols proposed by Mol et al. Our
proposal, named RMAC, is well suited for highly constrained IoT devices since its implementation uses
simple and lightweight algorithms. We also prove that RMAC is at least as secure as the MM protocol and
thus secure against man-in-the-middle attacks.
KEYWORDS
IoT, MAC, authentication, lightweight protocol, Xor-Cascade Encryption
1. INTRODUCTION
The Internet of Things (IoT) refers to a wide variety of devices that can collect and share data and,
more generally, connect to the internet. These devices mainly comprise RFID or WSN components [1].
Data security and privacy constitute one of the biggest issues with the IoT since extremely
sensitive data can be collected and shared anonymously [1]. Therefore, in order to maintain the
growing interest (and trust) in connected objects in healthcare, in the retail supply chain and in the
automotive industry, to name a few, security must be taken into account in their implementation.
Unfortunately, classical cryptographic primitives require processing and storage
capacities that constrained IoT devices do not have [2]. Therefore, it is necessary to invent secure
and lightweight solutions. But designing such lightweight protocols is not easy, since they must
take into account security, hardware efficiency and energy consumption. Nevertheless, several
lightweight authentication protocols have been proposed. We can mention HB-like
protocols [3–5], Message Authentication Codes exploiting the difficulty of the LPN
problem [6–8] and others [2,9–14].
In this paper, we propose a new 3-round MAC authentication protocol named RMAC (which stands for
Random MAC). One might ask why a new lightweight authentication protocol is needed since there are
already many proposals. The answer is simply that many of the aforementioned proposals have
been broken [15–20] or have a storage and transmission cost that is unacceptably high [4,6] for highly
constrained IoT devices. This new protocol is inspired by the MM proposal [21], a 2-round
authentication protocol based on weak MACs and provably secure against man-in-the-middle
attacks. It also exploits the well-studied $r$-round Xor-Cascade Encryption, a framework for
designing block ciphers.
The main idea behind the MM proposal is that the prover responds to the verifier only if the
received message-tag pair is correct (see figure 1). Since the MAC used is unforgeable under random-
message attack (uf-rma), any modification of the pair stops the execution of the protocol.
Therefore, the attacker has very little chance to obtain any information about the keys used in the
authentication protocol. But the weakness of this method is that the attacker can use an isolated
prover as a verification oracle: he can send a pair to the prover and, if the latter
responds, he will know that the pair is good and at the same time he will have the prover's response
for free for an $M$ of his choice. The RMAC protocol that we propose here eliminates this
shortcoming.
The $r$-round Xor-Cascade Encryption is a framework for designing block ciphers from random
permutations [22–25]. RMAC implements a 2-round Xor-Cascade Encryption as a message
authentication code. We know that the 2-round Xor-Cascade Encryption is secure up to the
query complexity bound established in [22]. That is, an adversary cannot gain useful information about the
key with fewer queries than this bound to both the 2-round Xor-Cascade Encryption itself and to its
inner permutations. But this threshold can be easily reached when the attacker has a
genuine prover at his disposal. Therefore, in order to overcome this weakness, we execute a key establishment
protocol before the core authentication protocol to renew the key at each authentication session.
This paper is structured as follows. A brief introduction is given in section 1 followed by some
definitions in section 2. Section 3 presents existing work. Our RMAC protocol is described in
section 4 followed by the security arguments that weigh in its favor in section 5. Finally, a
conclusion is given in section 6.
2. DEFINITIONS
2.1. r-round Xor-Cascade Encryption
The $r$-round Xor-Cascade Encryption (which can also be seen as a Generalized Even-Mansour¹
Cipher) can be considered as a framework for building block ciphers from a set of random
permutations. Consider an ensemble $\mathcal{P} = \{P_i\}_i$ of random permutations of $\{0,1\}^n$; the $r$-
round Xor-Cascade Encryption built on $\mathcal{P}$ with $r \geq 2$ defines a block cipher with message
space $\{0,1\}^n$ as follows: given a key (made of $r+1$ round keys) and a
message $x \in \{0,1\}^n$, the ciphertext is obtained by alternately XORing a round key into the state
and applying one of the permutations of $\mathcal{P}$, the first and the last operations being a round key XOR.
A considerable number of papers [22–25] have shown that, in the model where the adversary is
given oracle access to the inner permutations $P_i \in \mathcal{P}$ of her choice and their inverses and to the outer
permutation, the security of the $r$-round Xor-Cascade Encryption approaches $2^n$ when $r$ is
increasing. Also, other papers explored attacks on these constructions [27–30].
¹ The Generalized Even-Mansour Cipher is a generalization of the one-round Even-Mansour scheme [26].
2.2. Message Authentication Codes
A message authentication code (MAC) is a triple of probabilistic polynomial-time
algorithms (KGEN, TAG, VRFY) such that:
1. KGEN is the key generation algorithm. It takes as input a security parameter (in unary) and
outputs a key $k$ from a specified key space.
2. TAG is the MAC tag generation algorithm (it may be randomized). It takes as input a key
$k$ and a message $m$ from a specified message space $\mathcal{M}$ and outputs a MAC tag $t \leftarrow
\mathrm{TAG}_k(m)$.
3. VRFY is the verification algorithm (assumed to be deterministic). It takes as input a key
$k$, a message $m$ and a MAC tag $t$ and outputs a bit $\mathrm{VRFY}_k(m,t) \in \{0,1\}$. If the TAG
algorithm is a cipher, as in our RMAC protocol, VRFY outputs 1 if $t = \mathrm{TAG}_k(m)$ and 0
otherwise.
The security of a MAC is related to its resistance against forgery. The strongest notion of MAC
security is suf-cma, that is, strong unforgeability under chosen-message attack. It refers to MACs
for which any adversary has a negligible chance of generating a valid MAC tag for a new message (a
message whose MAC tag has not previously been seen by the adversary) even if she has seen MAC tags
for messages of her choosing. Our RMAC protocol is based on a weaker MAC (a uf-rma MAC), that
is, a MAC which is unforgeable only under random-message attack. That is, the MAC is
unforgeable if the adversary does not have the ability to perform chosen-message attacks: the
adversary can only see MAC tags for random messages (messages over which she has no control).
2.3. MITM secure authentication protocol
Man-in-the-middle (MITM) attacks are the most powerful attacks against authentication protocols
[6]. The MITM adversary is allowed to interact several times (at will and even concurrently) with
the prover and the verifier. An authentication protocol achieves MITM security if no MITM
adversary can bring the verifier to accept.
3. EXISTING WORK
A number of works have been done on lightweight authentication protocols. There are HB-like
protocols [3–5] which take advantage of the difficulty of solving the learning parity with noise
(LPN) problem. The probabilistic nature of the verifier's final response (accepting or rejecting the
prover) in HB-like protocols is generally exploited to develop attacks against them [17–19]. In
addition, despite their attractive design, which implies low computing resource requirements,
their communication cost is often very high. Thus, it is hard to see an efficient HB-like protocol
secure against man-in-the-middle attacks. However, there are other lightweight authentication
protocols based on MACs. For example, SQUASH [2] is based on the Rabin encryption scheme,
and others are based on the LPN problem [6,7,31]. The proposals of Kiltz et al. [6] are MAC-based
authentication protocols exploiting the difficulty of the LPN problem. These protocols have the
advantage of having a tight reduction to the LPN problem and are therefore secure against man-in-
the-middle attacks. But they suffer from the large size of their keys and their large communication
complexity. All these drawbacks make these protocols poorly suited for highly constrained IoT
devices. More recent proposals have been made [9–12] but it turns out that [9,10] fail to achieve
the claimed security level [15,16].
The proposal of Mol et al. named Mirror-Mac (MM) [21] has caught our attention. MM is a
generic construction of a 2-round MITM secure protocol (see figure 1). Mol et al. have proven
that when instantiated with a uf-rma (unforgeable under random-message attack) MAC, MM is
secure even if the adversary interacts at will with an arbitrary number of both prover and verifier
instances. That is, the adversary has a negligible chance of making the verifier accept. Our proposal
RMAC is inspired by MM.
Figure 1: The generic MM construction of a 2-round MITM secure protocol proposed by Mol et
al. [21]. Using MAC = (KGEN, TAG, VRFY) where the keys $k_1$ and $k_2$ are generated by KGEN,
TAG takes as input a key $k$ and a message $m$ in a message space $\mathcal{M}$ and outputs a tag $t$, and
VRFY takes as input a key $k$, a message $m$ and a MAC tag $t$ in the tag space $\mathcal{T}$ then outputs a
decision $\mathrm{VRFY}_k(m,t) \in \{0,1\}$.
4. THE NEW PROTOCOL
Traditionally, a MAC authentication is a 2-step protocol. The verifier and the prover share a
common secret $k$. The verifier sends a challenge $c$ to the prover, which calculates and returns the
corresponding tag $t \leftarrow \mathrm{TAG}_k(c)$ to the verifier. The latter checks whether the received tag is correct,
$\mathrm{VRFY}_k(c,t) = 1$, to accept the prover. For such a scheme to be secure it is necessary that the
MAC be suf-cma since the adversary has direct access to it and can make chosen-message
attacks. Such MACs are generally constructed from traditional pseudorandom functions, unusable
in a highly constrained environment because they require heavy computation. A solution for
highly constrained IoT devices is to use a MAC consisting of lightweight algorithms (certainly
less secure than conventional MACs) and to embed it in a protocol in which the adversary does not
have direct access to make chosen-message attacks. Therefore, the adversary is forced to be
passive. It is that solution that we implement with our protocol.
RMAC is an authentication protocol that uses a 128-bit key and operates with a 64-bit challenge
and a 64-bit response. In the rest of the paper, we set $n = 64$. RMAC is based on the two-round
generic construction of a man-in-the-middle secure authentication protocol denoted
MM introduced by Mol et al. [21]. But in our protocol the challenge is encrypted using a one-
time pad prior to sending it to the prover, and whatever the result of the verification of the
pair $(\mathrm{pfx}(c), t)$ by the prover, an $n$-bit string is returned to the verifier (see figures 1 and 2 for a
graphical comparison of MM and RMAC).
Figure 2: The RMAC authentication protocol using SC with keys $k_1$, $k_2$, $S_1$ and $S_2$. $\mathrm{pfx}(c)$ is the prefix of
length $n$ of $c$.
The RMAC protocol also uses a new implementation of a Xor-Cascade Encryption consisting of
only two rounds as a uf-rma message authentication code. Using this small number of rounds
guarantees a low-latency and low-cost hardware implementation [32]. In the rest of this paper, we
call Small-Cipher, or SC, that implementation of the 2-round Xor-Cascade Encryption. We know
from [22] that the 2-round Xor-Cascade Encryption is secure up to the query complexity bound given
there. When such a construction is implemented in highly constrained devices (this must be a
lightweight implementation) with a fixed key, that security threshold in queries can be
easily reached. Thus, in order to make such an attack difficult and burdensome, we renew the key
with a lightweight key establishment protocol.
4.1. The Lightweight Key Establishment Protocol
The lightweight key establishment protocol we describe here is run before the core authentication
protocol. Figure 2 shows how the key establishment protocol works. The two parties share a secret
key $S$ of size $2n$. The prover begins by drawing a string $r$ uniformly at random and then
sends it to the verifier. They both compute $S' = \mathrm{MixBits}(S, r)$ where MixBits is a mixing function.
After that, the verifier draws $c$ uniformly at random from $\{0,1\}^{2n}$, computes $c' = c \oplus S'$ and sends
the result to the prover. Finally the two parties derive two $n$-bit long secret keys $k_1$ and $k_2$ by
using $\Delta(c, S')$. The function $\Delta$ acts as a comb on $c$ with $n$ teeth randomly spaced, the space
between the teeth being defined by $S'$ (see algorithm 1). Any secure lightweight mixing function can be
used but here we propose to use the mixing function introduced in the Gossamer protocol because
of its extremely lightweight nature [14] (see below).
The MixBits function:
4.2. Design Details of the Core Authentication Protocol
The prover and the verifier share a long-lived key $S$ and two session keys $k_1$ and $k_2$ obtained
from the lightweight key establishment protocol. The verifier draws a random $2n$-bit string $c$,
computes $c' = c \oplus S'$ and $t = \mathrm{SC}(\mathrm{pfx}(c))$ (where $S'$ is computed during the session
key establishment protocol and $\mathrm{pfx}(c)$ is the prefix of length $n$ of $c$), then sends $(c', t)$ to the
prover. Upon receiving $(c', t)$, the prover checks whether $t$ is equal to $\mathrm{SC}(\mathrm{pfx}(c))$ and, if so,
computes the SC response and sends it to the verifier; if not, it draws uniformly at random an $n$-bit string
and sends it to the verifier. The latter accepts the prover if and only if the received string equals the SC
value it expects. Recall that SC uses the keys $k_1$, $k_2$ and $S$.
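The exchange of sections 4.1 and 4.2, as an added example that is not code from the paper: the prover's nonce $r$, $S' = \mathrm{MixBits}(S, r)$, the one-time-pad masking $c' = c \oplus S'$, the derivation of $k_1, k_2$ from $c$, and the tagged challenge with the prover's constant-length reply. MixBits follows Gossamer's published definition [14] but on $2n$-bit words instead of Gossamer's 96-bit words (an assumption, since $S$ is $2n$ bits here). Three further stand-ins are assumptions of this example: `comb` replaces the paper's $\Delta$ (algorithm 1 is not reproduced on this page), `sc_standin` (HMAC-SHA256 truncated to $n$ bits) replaces SC, $\mathrm{pfx}(c)$ is taken as the high half of $c$, and the prover's reply on success is SC applied to $t$. An MM-style prover that stays silent on a bad pair is included only to show the verification-oracle difference described in sections 1 and 3.

```python
import hashlib
import hmac
import secrets

N = 64  # the paper fixes n = 64; S, c and c' are 2n = 128 bits


def mixbits(x: int, y: int, width: int = 2 * N) -> int:
    """Gossamer's MixBits [14]: Z = X, then 32 times Z = (Z >> 1) + Z + Z + Y.
    Gossamer uses 96-bit words; 2n-bit words are assumed here since S is 2n bits."""
    mask = (1 << width) - 1
    z = x
    for _ in range(32):
        z = ((z >> 1) + z + z + y) & mask
    return z


def comb(c: int, s_prime: int) -> tuple[int, int]:
    """Stand-in for the paper's Delta(c, S') (Algorithm 1 is not reproduced on the
    page): tooth i takes one bit of the pair (c[2i], c[2i+1]) chosen by bit i of S';
    the n picked bits form k1 and the n bits left over form k2."""
    k1 = k2 = 0
    for i in range(N):
        pair = (c >> (2 * i)) & 3
        pick = (s_prime >> i) & 1
        k1 |= ((pair >> pick) & 1) << i
        k2 |= ((pair >> (1 - pick)) & 1) << i
    return k1, k2


def pfx(c: int) -> int:
    """Prefix of length n of the 2n-bit c (taken here as the high half)."""
    return c >> N


def sc_standin(k1: int, k2: int, s: int, x: int) -> int:
    """Stand-in for SC, an n-bit MAC keyed by k1, k2 and S: HMAC-SHA256 truncated
    to n bits. It is not the paper's Small-Cipher."""
    key = k1.to_bytes(8, "big") + k2.to_bytes(8, "big") + s.to_bytes(16, "big")
    mac = hmac.new(key, x.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[: N // 8], "big")


def verifier_start(s: int, r: int) -> tuple[dict, tuple[int, int]]:
    """Verifier: S' = MixBits(S, r), draw c, derive (k1, k2) = Delta(c, S'),
    mask the challenge as c' = c xor S' and tag its prefix. Returns the state
    kept for the final check and the message (c', t) sent to the prover."""
    s_prime = mixbits(s, r)
    c = secrets.randbits(2 * N)
    k1, k2 = comb(c, s_prime)
    t = sc_standin(k1, k2, s, pfx(c))
    return {"k1": k1, "k2": k2, "t": t}, (c ^ s_prime, t)


def prover_answer(s: int, r: int, msg: tuple[int, int], mm_style: bool = False):
    """Prover: unmask c, recompute the session keys and check the tag.
    RMAC always returns an n-bit string (random when the check fails); the
    MM-style variant stays silent (None) on failure, which is the verification
    oracle the paper removes. The reply on success is SC applied to t; the page
    does not show the argument of that last SC call, so this is an assumption."""
    s_prime = mixbits(s, r)
    c_prime, t = msg
    c = c_prime ^ s_prime
    k1, k2 = comb(c, s_prime)
    if t == sc_standin(k1, k2, s, pfx(c)):
        return sc_standin(k1, k2, s, t)
    return None if mm_style else secrets.randbits(N)


def verifier_accepts(s: int, state: dict, reply) -> bool:
    """Verifier accepts iff the reply equals the SC value it expects."""
    return reply == sc_standin(state["k1"], state["k2"], s, state["t"])


def prover_leaks_validity(s: int, r: int, captured: tuple[int, int], mm_style: bool) -> bool:
    """Attacker view: replay a captured (c', t) and a one-bit-tampered copy to an
    isolated prover and look only at whether a reply comes back at all."""
    c_prime, t = captured
    good = prover_answer(s, r, (c_prime, t), mm_style)
    bad = prover_answer(s, r, (c_prime ^ 1, t), mm_style)
    return (good is None) != (bad is None)
```

Flipping one bit of $c'$ changes the $c$ the prover recovers, hence the combed keys and the tag check; the MM-style prover then answers only the genuine pair, while the RMAC prover answers both with an $n$-bit string the attacker cannot tell apart without the keys.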
Now we present our Small-Cipher² (SC), which is an extremely lightweight implementation of the
2-round Xor-Cascade Encryption. It is used as a message authentication code (MAC) by RMAC.
Its inner permutation is an SP-network denoted RBOX (which stands for Random Box). Basically, an
SP-network applies to its input (a plaintext and a key) many rounds of transformation, each
consisting of a substitution of the values of bits along the input text (using an S-box), a
permutation of bit positions (using a P-box) and a key mixing. The P-boxes of SP-networks are
usually a fixed permutation of the bit positions of the state, but here we introduce a keyed one. In the
rest of this section, we successively present the S-box, the P-box, RBOX (the Small-Cipher inner
permutation) and Small-Cipher itself.
4.2.1. The S-box
It consists of the 4-bit to 4-bit S-box borrowed from the ultra-lightweight block cipher PRESENT
[33]. This S-box is designed with hardware efficiency in mind for resource-limited devices. The
following table recalls its action in hexadecimal notation.
x         0 1 2 3 4 5 6 7 8 9 A B C D E F
S-box[x]  C 5 6 B 9 0 A D 3 E F 8 4 7 1 2
4.2.2. The P-box
Let $\pi: \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be the bit-position permutation we introduce here. That is, for
every $k \in \{0,1\}^n$, $\pi(k, \cdot)$ or $\pi_k(\cdot)$ is a permutation on $\{0,1\}^n$ that preserves the Hamming weight
of its input. The way that $\pi_k(\cdot)$ computes the image of an input $x \in \{0,1\}^n$ is given by algorithm
2. For a randomly chosen $k \in \{0,1\}^n$, the first plot from the top of figure 3 shows how $\pi_k$ maps
the original position of a bit of state to its new position. Note that the diffusion power of $\pi_k$ is
weak because some streaks of consecutive bits of state are not perturbed. We can also see from the
plot two groups of points forming two superimposed slopes. Bits of $k$ which are equal to 1
give the group at the top and bits of $k$ which are equal to 0 give the group at the bottom. In order
to achieve a better diffusion, we can iterate $\pi_k$ a number of times. Figure 3 shows the
improvement obtained by iterating $\pi_k$.
Lemma 1 gives the relation that exists between the original position of a bit and its final position
after $t$ iterations of $\pi_k$. Also, it becomes clear from lemma 1 that the more we iterate $\pi_k$ the more
the final position of a bit is unrelated to its original position but only depends on $k$.
² It must be clear that SC is used as a uf-rma MAC for our authentication protocol and we do not claim to
offer it as a block cipher for constrained environments.
Figure 3: Improvement of the diffusion power by iterating $\pi_k$ where $k$ is the 64-bit
string 93#6748F4#52787. From top to bottom we have the 1st to the 5th iteration of $\pi_k$.
4.2.3. The RBOX
It is composed of the S-box presented earlier surrounded by two iterated P-box layers. Since our
P-boxes are keyed, let $k$ and $k'$ be two $n$-bit keys; then $\mathrm{RBOX}_{k,k'}$ consists of five iterations
of $\pi_k$ followed by the S-box and five iterations of $\pi_{k'}$ (see figure 4 for a depiction of
$\mathrm{RBOX}_{k,k'}$).
Figure 4: $\mathrm{RBOX}_{k,k'}$; the P-boxes $\pi_k$ and $\pi_{k'}$ are iterated five times.
4.2.4. The Small-Cipher (SC)
In an initial phase, both the prover and the verifier hold the same $2n$-bit secret key $S$. Let
$S_1 = \mathrm{pfx}(S)$ and $S_2 = \mathrm{sfx}(S)$ be respectively the prefix of length $n$ of $S$ and the suffix of length
$n$ of $S$. From the execution of the lightweight key establishment protocol the two parties obtained
two $n$-bit session keys $k_1$ and $k_2$. Since the iterated Even-Mansour cipher only requires its
three round keys to be 2-wise independent [34], by using the two independent $n$-bit
permutations obtained by keying RBOX with $S_1$ and $S_2$ and the round keys $k_1$, $k_1 \oplus k_2$, $k_2$ we have our
implementation of the 2-round Xor-Cascade Encryption depicted in Figure 5.
Figure 5: Small-Cipher using keys $k_1$, $k_2$, $S_1$ and $S_2$.
A comparison of RMAC with other authentication protocols is given in table 1.
Table 1. Storage and transmission cost of some authentication protocols. Rabin crypto stands for
Rabin cryptosystem, qSDH for q-Strong Diffie-Hellman, PUF for Physical Unclonable Function
and 2-XC for 2-round Xor Cascade Encryption. Values are given in bits.
5. SECURITY ARGUMENTS
In this section, we present the security analysis of SC and provide security proofs for RMAC.
5.1. Security of SC
5.1.1. The Structure of SC
SC is an implementation of the 2-round Xor-Cascade Encryption using RBOX as its inner
permutation. The 2-round Xor-Cascade Encryption is secure up to the query complexity bound of [22].
Thus SC is theoretically secure up to that bound, counting queries to the underlying RBOXes and
to SC itself. This bound is theoretical since the RBOXes cannot be considered as random
permutations. This is why it is advantageous to change the RBOX keys at each execution of
RMAC. Also, note that through RMAC it is difficult for an adversary to make a chosen-plaintext
attack (and even more difficult a chosen-ciphertext attack) against SC.
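The components of sections 4.2.1 to 4.2.4 and the structure recalled in 5.1.1, as an added example in Python that is not the paper's code: the PRESENT S-box layer, the keyed bit-position permutation $\pi_k$ with its iterations, $\mathrm{RBOX}_{k,k'}$ and SC as a 2-round Xor-Cascade with round keys $k_1$, $k_1 \oplus k_2$, $k_2$. It goes beyond the page in one respect: every layer also has an inverse direction, which RMAC never needs, so that the round trip can be checked. Two points are assumptions rather than the paper's definitions: algorithm 2 is not reproduced on this page, so `pbox_positions` follows the description of figure 3 (bits of $k$ equal to 0 give the lower group, bits equal to 1 the upper group, streaks of same-valued positions left in order) and the product form of lemma 1; and the page does not make legible which RBOX uses which ordering of $(S_1, S_2)$, so $\mathrm{RBOX}_{S_1,S_2}$ then $\mathrm{RBOX}_{S_2,S_1}$ is taken. `unperturbed_pairs` counts the adjacent positions that stay adjacent, the streaks figure 3 shows shrinking with each iteration.

```python
N = 64  # block size n = 64; the S-box layer applies the 4-bit PRESENT S-box 16 times

# PRESENT S-box as recalled in section 4.2.1 (index = input nibble, value = output)
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PRESENT_SBOX_INV = [PRESENT_SBOX.index(v) for v in range(16)]


def sbox_layer(x: int, inverse: bool = False) -> int:
    """Apply the 4-bit S-box (or its inverse) to each nibble of the n-bit state."""
    table = PRESENT_SBOX_INV if inverse else PRESENT_SBOX
    y = 0
    for i in range(N // 4):
        y |= table[(x >> (4 * i)) & 0xF] << (4 * i)
    return y


def pbox_positions(k: int) -> list:
    """Destination of every bit position under pi_k, in the reading assumed here:
    positions where k has a 0 keep their order and are packed at the bottom,
    positions where k has a 1 keep their order and are packed at the top.
    Being a permutation of positions, it preserves the Hamming weight."""
    zeros = [i for i in range(N) if not (k >> i) & 1]
    ones = [i for i in range(N) if (k >> i) & 1]
    dest = [0] * N
    for new, old in enumerate(zeros + ones):
        dest[old] = new
    return dest


def pbox(x: int, k: int, iterations: int = 1, inverse: bool = False) -> int:
    """Iterate the keyed bit-position permutation pi_k (or its inverse)."""
    dest = pbox_positions(k)
    for _ in range(iterations):
        y = 0
        for i in range(N):
            src, dst = (dest[i], i) if inverse else (i, dest[i])
            y |= ((x >> src) & 1) << dst
        x = y
    return x


def unperturbed_pairs(k: int, iterations: int) -> int:
    """Number of adjacent bit positions that are still adjacent and in order after
    the given number of iterations of pi_k (the streaks of figure 3)."""
    dest = list(range(N))
    step = pbox_positions(k)
    for _ in range(iterations):
        dest = [step[d] for d in dest]
    return sum(1 for i in range(N - 1) if dest[i + 1] == dest[i] + 1)


def rbox(x: int, ka: int, kb: int, inverse: bool = False) -> int:
    """RBOX_{ka,kb}: five iterations of pi_ka, the S-box layer, five iterations of pi_kb."""
    if not inverse:
        return pbox(sbox_layer(pbox(x, ka, 5)), kb, 5)
    return pbox(sbox_layer(pbox(x, kb, 5, inverse=True), inverse=True), ka, 5, inverse=True)


def sc(x: int, k1: int, k2: int, s1: int, s2: int, inverse: bool = False) -> int:
    """Small-Cipher as a 2-round Xor-Cascade: round keys k1, k1^k2, k2 around two
    RBOX permutations keyed with S1 and S2 (RBOX_{S1,S2} then RBOX_{S2,S1} is an
    assumption of this example)."""
    if not inverse:
        y = rbox(x ^ k1, s1, s2)
        y = rbox(y ^ k1 ^ k2, s2, s1)
        return y ^ k2
    y = rbox(x ^ k2, s2, s1, inverse=True)
    y = rbox(y ^ k1 ^ k2, s1, s2, inverse=True)
    return y ^ k1
```

With $k$ equal to all zeros or all ones, $\pi_k$ is the identity, which is the extreme case of the weak diffusion noted in 4.2.2; a key whose bits alternate in short runs leaves many adjacent pairs in place after one iteration, and the count drops as $\pi_k$ is iterated.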
5.1.2. Resistance to Linear and Differential Cryptanalysis
Linear and differential cryptanalysis [35,36] are among the most famous tools used to analyse the
security of a block cipher. But those cryptanalysis tools are heavily dependent on the S-boxes
involved in the linear approximation or in the differential characteristic as we traverse the SP-
network (the so-called active S-boxes). Theorem 1 implies that using the iterated linear layer $\pi_k$
with a secret key $k$ makes it complex to follow a bit of state through the SP-network. Therefore, it is
very unlikely to determine the active S-boxes, which are crucial to linear and differential
cryptanalysis.
Lemma 1. Let $t \geq 0$ be an integer, $x$ be the position of a bit of state and $p_t(x)$ its position after $t$
iterations of $\pi_k$. Then equation 2 expresses $p_t(x)$ in terms of the bits $b_{p_i(x)}(k)$ for $0 \leq i \leq t-1$,
where $b_{p_i(x)}(k)$ is the bit at position $p_i(x)$ of $k$, together with the Hamming weight of $k$ and the
Hamming weight of the prefix of length $p_i(x)$ of $k$.
Proof. We prove lemma 1 by induction.
For $t = 0$ we have $p_0(x) = x$. Thus, equation 2 is true for $t = 0$.
Now we assume that equation 2 holds for $t$ iterations and show that it holds for $t + 1$ iterations of $\pi_k$.
Algorithm 2 gives $p_{t+1}(x)$ in terms of $p_t(x)$ and of the bit of $k$ at position $p_t(x)$; substituting
equation 2 for $p_t(x)$ in that expression yields equation 2 for $t + 1$.
This final equation completes the proof.
Theorem 1. If $k$ is secret, then after three iterations of $\pi_k$ the position of a bit of state is no
longer related to its original position but depends only on fixed unknown data (as they are
determined by $k$).
Sketch of the proof. We show that the term $x \prod_{i=0}^{t-1} \bigl(1 - b_{p_i(x)}(k)\bigr)$ on the right-hand side of
equation 2 vanishes after 3 iterations of $\pi_k$.
The positions $p_i(x)$ for $0 \leq i \leq t-1$ of bits of $k$ are not independent but the corresponding bits
are independent since all bits of $k$ are drawn uniformly at random from $\{0,1\}$. Hence $1 - b_{p_i(x)}(k)$ for
$0 \leq i \leq t-1$ can be considered as a random variable with equal probability of taking value 0 or
1. We know from [37] that when we draw uniformly at random $t$ bits, the longest streak of
consecutive 1s we expect to have is $\Theta(\log t)$. Therefore, for $t \geq 3$ there is necessarily some $j$ in
the set of integers $\{0, \dots, t-1\}$ for which $1 - b_{p_j(x)}(k) = 0$, and the product vanishes.
5.1.3. Resistance to Algebraic Attacks
Algebraic attacks are known-plaintext attacks. The adversary expresses the whole cipher as a system of multivariate algebraic equations and then tries to solve it, using known plaintext-ciphertext pairs, in order to recover the secret key. SC is a 2-round cipher that uses a 4-bit to 4-bit S-box and operates on 64-bit blocks, i.e. 16 S-boxes per round and 32 in total. Each S-box can be described by 21 quadratic equations in 8 variables (4 inputs and 4 outputs). Therefore, SC can be expressed as a system of 32 × 21 = 672 multivariate quadratic equations in 32 × 8 = 256 variables. The number of equations is not impressive. However, the difficulty of using an algebraic attack against SC relies on the fact that it will not be easy (as Theorem 1 implies) to bind the input variables of the first-round S-boxes to the bits of the plaintext, to bind the output variables of the first-round S-boxes to the input variables of the second-round S-boxes, and to bind the output variables of the second-round S-boxes to the bits of the ciphertext. Consequently, it is very unlikely that an algebraic attack would be effective against SC.
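The "21 equations in 8 variables" figure above is the number of linearly independent quadratic relations over GF(2) between the input and output bits of a 4-bit S-box, and 672/256 are simply that count scaled by the 32 S-boxes of SC. The following added example (not code from the paper) computes the count from an S-box table by evaluating all 37 monomials of degree at most 2 on the 16 input/output pairs and taking the nullity of the resulting GF(2) matrix. SC's S-box is not given on the page, so the PRESENT S-box [33] is used as an assumed stand-in; the identity S-box is included to show that a linear S-box admits more relations, not fewer.

```python
"""Count the independent quadratic GF(2) relations of a 4-bit S-box and size
the S-box-layer algebraic system of a 2-round, 64-bit SP cipher built from it.

Added example (not the paper's code). SC's S-box is not given on the page, so
the PRESENT S-box is used as a stand-in; the 16-S-boxes-per-round layout
follows from the 64-bit block and 4-bit S-box stated in the text.
"""
from itertools import combinations

# PRESENT S-box (Bogdanov et al., CHES 2007), assumed stand-in for SC's S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY_SBOX = list(range(16))  # a linear S-box, for comparison


def bits(value, n=4):
    """Little-endian list of the n bits of an integer."""
    return [(value >> i) & 1 for i in range(n)]


def quadratic_monomials(n=4):
    """All monomials of degree <= 2 over the 2n variables x_0..x_{n-1}, y_0..y_{n-1}.
    Over GF(2) x_i^2 = x_i, so only products of distinct variables appear:
    1 constant + 2n linear + C(2n, 2) quadratic terms (37 for n = 4)."""
    variables = [("x", i) for i in range(n)] + [("y", i) for i in range(n)]
    return [()] + [(v,) for v in variables] + list(combinations(variables, 2))


def eval_monomial(mono, x, y):
    """Evaluate one monomial on an (input bits, output bits) pair."""
    result = 1
    for kind, i in mono:
        result &= x[i] if kind == "x" else y[i]
    return result


def gf2_rank(rows):
    """Rank of a GF(2) matrix given as bit-packed row integers (Gaussian elimination)."""
    rank = 0
    rows = [r for r in rows if r]
    while rows:
        pivot = rows.pop()
        rank += 1
        high = pivot.bit_length() - 1
        # clear the pivot's leading column from every remaining row
        rows = [r ^ pivot if (r >> high) & 1 else r for r in rows]
        rows = [r for r in rows if r]
    return rank


def count_quadratic_relations(sbox, n=4):
    """Number of linearly independent quadratic equations satisfied by every
    (input, output) pair of the S-box: #monomials minus the rank of the
    16 x 37 evaluation matrix (one row per input value)."""
    monos = quadratic_monomials(n)
    rows = []
    for xv in range(1 << n):
        x, y = bits(xv, n), bits(sbox[xv], n)
        row = 0
        for j, mono in enumerate(monos):
            row |= eval_monomial(mono, x, y) << j
        rows.append(row)
    return len(monos) - gf2_rank(rows)


def sc_algebraic_system(sbox=PRESENT_SBOX, rounds=2, block_bits=64):
    """(equations, variables) of the S-box layer of an SC-like cipher: each round
    has block_bits/4 S-boxes, each contributing its relation count and 8 variables."""
    n_sboxes = rounds * (block_bits // 4)
    return n_sboxes * count_quadratic_relations(sbox), n_sboxes * 8


if __name__ == "__main__":
    print("PRESENT S-box quadratic relations:", count_quadratic_relations(PRESENT_SBOX))
    print("identity S-box quadratic relations:", count_quadratic_relations(IDENTITY_SBOX))
    print("SC-like system (equations, variables):", sc_algebraic_system())
```

Since the 16 rows can span at most 16 dimensions, 37 − 16 = 21 is the minimum any bijective 4-bit S-box can have; an S-box whose count is higher (the identity gives 26) is one with extra low-degree structure an algebraic attacker can exploit. The count is a property of the S-box alone; as the text says, what makes the 672-equation system hard to use against SC is the secret-dependent wiring between the S-box layers, not the size of the system.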
5.2. Security of RMAC
5.2.1. Security of the Lightweight Key Establishment Protocol
Any modification of 8 will only change the way that " and " are extracted from 2. A modification of 8 will also change the value of 2′ (which is a one-time pad encryption of 2) transmitted to the prover by the verifier. Since 2 is drawn uniformly at random from {0,1}, the attacker derives no benefit from its actions on 8.
5.2.2. Security of the Core Authentication Protocol
The following theorem states that RMAC has the same resistance to MITM attacks as MM.
Theorem 2. If MM instantiated with a uf-rma MAC is a man-in-the-middle secure authentication protocol, then RMAC instantiated with the same type of MAC is a man-in-the-middle secure authentication protocol.
Proof. The proof is by reduction: from an instance of the MM protocol we simulate an instance of the RMAC protocol, and show that a MITM adversary with a non-negligible advantage against RMAC can be used to mount a MITM attack against MM with non-negligible success probability.
Let A be a probabilistic polynomial-time MITM adversary attacking RMAC with non-negligible success probability. We construct a probabilistic polynomial-time MITM adversary A′ against MM. From an instance of the MM protocol, A′ simulates an instance of RMAC for A as follows:
1. A′ begins by drawing 8 uniformly at random from {0,1} and sends it to A.
2. Upon receiving ( , ) from the MM verifier, where = TAG ( ), A′ draws ′ uniformly at random from {0,1} and sends ( || ′, ) to A. Since in the RMAC protocol pfx(2′) is unrelated to sfx(2′), and 2′ is obtained as a one-time pad of two unknown bit strings, the view of A in this step is identically distributed to the view it has in the second step of RMAC.
3. A′ finishes the simulation by forwarding the response received from the MM prover to A or, if it receives nothing, by sending a uniformly random 5-bit string to A. Since the MAC is uf-rma, the adversary is not allowed to see MAC tags for chosen messages. Therefore, it is not able to distinguish TAG ′( ) from TAG ( ) for " and "′ in {0,1}. Thus, the view of A in this step is identically distributed to the view it has in the final step of RMAC.
We claim that this simulation is correct since the view of A when used as a subroutine by A′ is identically distributed to the view it has when it interacts directly with RMAC. In conclusion, A has the same advantage against RMAC as A′ has against MM (which is negligible [21]).
Encapsulating the challenge in 2′ using the one-time pad encryption reduces the security requirements on SC. Even if the attacker succeeds in finding a valid message-tag pair (_, ), it has very little chance of reaching the next step of the protocol since it does not know how to encapsulate _ in 2′. Another aspect that reinforces the security of our protocol is that the prover returns a response to the verifier regardless of the outcome of the verification (pfx(2), ). This prevents the attacker from using the RMAC prover as a verification oracle, since it has no way of detecting a change in the behaviour of the RMAC prover following the outcome of the verification of the pair (2′, ). This is one more security element that RMAC has over the MM protocol. All this allows us to say that our protocol can be seen as a generic construction (SC can be replaced by any uf-rma MAC) that is at least as secure as MM, which is a man-in-the-middle secure authentication protocol.
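The verification-oracle point made above is easy to see in a simulation of the two-round exchange: an MM prover that stays silent on a bad pair tells an attacker with an isolated prover which (message, tag) pairs are valid, while a prover that always emits a response of the same shape does not. The following added example (not the paper's code) runs both provers against the same verifier and compares what a MITM without K2 can observe. Assumptions of this example: TAG is HMAC-SHA256 truncated to 8 bytes, standing in for the paper's SC MAC, and the RMAC-style prover answers a rejected pair with a uniformly random string of the same length (the paper's exact failure response is not legible in this extraction).

```python
"""Two-round MM-style MAC authentication and the verification-oracle problem.

Added example, not the paper's code. Assumptions of this example:
  - TAG is HMAC-SHA256 truncated to 8 bytes, standing in for the paper's SC MAC.
  - The RMAC-style prover answers a rejected pair with a uniformly random string
    of the same length; the paper's exact failure response is not legible here.
"""
import hashlib
import hmac
import os
import secrets

TAG_LEN = 8  # 64-bit responses, matching the response size stated in section 4


def tag(key: bytes, msg: bytes) -> bytes:
    """uf-rma MAC stand-in (assumption: truncated HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def vrfy(key: bytes, msg: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, msg), t)


class Verifier:
    """Knows K1 (tags the challenge) and K2 (checks the prover's response)."""

    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2 = k1, k2

    def challenge(self):
        m = os.urandom(16)
        return m, tag(self.k1, m)

    def accept(self, m: bytes, resp) -> bool:
        return resp is not None and vrfy(self.k2, m, resp)


class MMProver:
    """MM prover: answers only if (m, tau) verifies under K1, else stays silent."""

    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2 = k1, k2

    def respond(self, m: bytes, t: bytes):
        if not vrfy(self.k1, m, t):
            return None  # observable silence: this is the verification oracle
        return tag(self.k2, m)


class AlwaysRespondProver(MMProver):
    """RMAC-style behaviour: a same-length response whatever the outcome."""

    def respond(self, m: bytes, t: bytes):
        if not vrfy(self.k1, m, t):
            return secrets.token_bytes(TAG_LEN)  # assumed filler on rejection
        return tag(self.k2, m)


def honest_run(prover_cls, k1: bytes, k2: bytes) -> bool:
    """Full two-round exchange between an honest verifier and an honest prover."""
    verifier, prover = Verifier(k1, k2), prover_cls(k1, k2)
    m, t = verifier.challenge()   # round 1: verifier -> prover sends (m, TAG_K1(m))
    resp = prover.respond(m, t)   # round 2: prover -> verifier sends TAG_K2(m)
    return verifier.accept(m, resp)


def attacker_view(resp):
    """What a MITM without K2 learns from a response: presence and length only."""
    return (resp is not None, None if resp is None else len(resp))


def prover_is_verification_oracle(prover_cls, k1: bytes, k2: bytes) -> bool:
    """True if feeding a valid and an invalid (m, tau) to an isolated prover
    yields distinguishable views, i.e. the prover tells the attacker which
    pairs are good (the weakness of MM described in the paper)."""
    prover = prover_cls(k1, k2)
    m = os.urandom(16)
    good = tag(k1, m)
    bad = bytes(b ^ 0x01 for b in good)  # differs from the valid tag, so rejected
    return attacker_view(prover.respond(m, good)) != attacker_view(prover.respond(m, bad))


if __name__ == "__main__":
    K1, K2 = os.urandom(16), os.urandom(16)
    print("MM honest run accepted:", honest_run(MMProver, K1, K2))
    print("MM prover is a verification oracle:",
          prover_is_verification_oracle(MMProver, K1, K2))
    print("always-respond prover is a verification oracle:",
          prover_is_verification_oracle(AlwaysRespondProver, K1, K2))
```

Always responding is not sufficient on its own: in this stand-in the prover still hands out TAG_K2(m) for an attacker-chosen m, which is a chosen-message query the uf-rma assumption does not cover. That is exactly why the paper also hides the real challenge inside the one-time-padded 2′, so that an attacker holding a valid pair still does not know how to encapsulate a message of its choice.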
6. CONCLUSIONS
In this paper, we have presented RMAC, a new lightweight MAC authentication protocol for highly constrained IoT devices. RMAC consists of ultra-lightweight algorithms and takes advantage of (while adding some extra steps to) the design of MM, the two-round generic construction secure against man-in-the-middle attacks introduced by Mol et al. It also uses a new implementation of the extensively studied 2-round Xor-Cascade Encryption as a message authentication code. Although SC is not intended to be a block cipher for resource-constrained devices, we have shown that it resists linear and differential cryptanalysis as well as algebraic attacks. When viewed as a generic construction (SC replaced by any MAC unforgeable under random-message attack, i.e. uf-rma), RMAC is proven to be a MITM-secure three-round authentication protocol.
REFERENCES
[1] David, L.; Ammar, R.; Monique, M. The Internet of Things. The Internet Protocol Journal 2012, 15, 10–9. https://www.cisco.com/c/dam/en_us/about/ac123/ac147/archived_issues/ipj_15-3/ipj_15-3.pdf.
[2] Shamir, A. SQUASH – A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags. Fast Software Encryption; Nyberg, K., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2008; pp. 144–157.
[3] Juels, A.; Weis, S.A. Authenticating Pervasive Devices with Human Protocols. Advances in Cryptology – CRYPTO 2005; Shoup, V., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2005; pp. 293–308.
[4] Gilbert, H.; Robshaw, M.J.B.; Seurin, Y. Increasing the Security and Efficiency of HB+. Advances in Cryptology – EUROCRYPT 2008; Smart, N., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2008; pp. 361–378.
[5] Rizomiliotis, P.; Gritzalis, S. GHB#: A Provably Secure HB-Like Lightweight Authentication Protocol. Applied Cryptography and Network Security; Bao, F.; Samarati, P.; Zhou, J., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 489–506.
[6] Kiltz, E.; Pietrzak, K.; Venturi, D.; Cash, D.; Jain, A. Efficient Authentication from Hard Learning Problems. Journal of Cryptology 2017, 30, 1238–1275. doi:10.1007/s00145-016-9247-3.
[7] Heyse, S.; Kiltz, E.; Lyubashevsky, V.; Paar, C.; Pietrzak, K. Lapin: An Efficient Authentication Protocol Based on Ring-LPN. Fast Software Encryption; Canteaut, A., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 346–365.
[8] Lyubashevsky, V.; Masny, D. Man-in-the-Middle Secure Authentication Schemes from LPN and Weak PRFs. Advances in Cryptology – CRYPTO 2013; Canetti, R.; Garay, J.A., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2013; pp. 308–325.
[9] Fan, K.; Jiang, W.; Li, H.; Yang, Y. Lightweight RFID Protocol for Medical Privacy Protection in IoT. IEEE Transactions on Industrial Informatics 2018, 14, 1656–1665. doi:10.1109/TII.2018.2794996.
[10] Liu, D.; Li, N.; Kim, J.; Nepal, S. Compact-LWE: Enabling Practically Lightweight Public Key Encryption for Leveled IoT Device Authentication. Cryptology ePrint Archive, Report 2017/685, 2017. https://eprint.iacr.org/2017/685.
[11] Chen, M.; Chen, S.; Fang, Y. Lightweight Anonymous Authentication Protocols for RFID Systems. IEEE/ACM Transactions on Networking 2017, 25, 1475–1488. doi:10.1109/TNET.2016.2631517.
[12] Xu, H.; Ding, J.; Li, P.; Zhu, F.; Wang, R. A Lightweight RFID Mutual Authentication Protocol Based on Physical Unclonable Function. Sensors 2018, 18. doi:10.3390/s18030760.
[13] Lee, J.Y.; Lin, W.C.; Huang, Y.H. A lightweight authentication protocol for Internet of Things. 2014 International Symposium on Next-Generation Electronics (ISNE), 2014, pp. 1–2. doi:10.1109/ISNE.2014.6839375.
[14] Peris-Lopez, P.; Hernandez-Castro, J.C.; Tapiador, J.M.E.; Ribagorda, A. Advances in Ultralightweight Cryptography for Low-Cost RFID Tags: Gossamer Protocol. Information Security Applications; Chung, K.I.; Sohn, K.; Yung, M., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2009; pp. 56–68.
[15] Aghili, S.F.; Mala, H. Security Analysis of Fan et al. Lightweight RFID Authentication Protocol for Privacy Protection in IoT. Cryptology ePrint Archive, Report 2018/388, 2018. https://eprint.iacr.org/2018/388.
[16] Xiao, D.; Yu, Y. Cryptanalysis of Compact-LWE and Related Lightweight Public Key Encryption. Sec. and Commun. Netw. 2018, 2018. doi:10.1155/2018/4957045.
[17] Gilbert, H.; Robshaw, M.J.B.; Seurin, Y. Good Variants of HB+ Are Hard to Find. Financial Cryptography and Data Security; Tsudik, G., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2008; pp. 156–170.
[18] Frumkin, D.; Shamir, A. Un-Trusted-HB: Security Vulnerabilities of Trusted-HB. Cryptology ePrint Archive, Report 2009/044, 2009. https://eprint.iacr.org/2009/044.
[19] Ouafi, K.; Overbeck, R.; Vaudenay, S. On the Security of HB# against a Man-in-the-Middle Attack. Advances in Cryptology – ASIACRYPT 2008; Pieprzyk, J., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2008; pp. 108–124.
[20] Ouafi, K.; Vaudenay, S. Smashing SQUASH-0. Advances in Cryptology – EUROCRYPT 2009; Joux, A., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2009; pp. 300–312.
[21] Mol, P.; Tessaro, S. Secret-Key Authentication Beyond the Challenge-Response Paradigm: Definitional Issues and New Protocols. 2012. http://www.cs.ucsb.edu/%7Etessaro/papers/auth.pdf.
[22] Gaži, P.; Tessaro, S. Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading. Advances in Cryptology – EUROCRYPT 2012; Pointcheval, D.; Johansson, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 63–80.
[23] Lee, J. Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption. Advances in Cryptology – EUROCRYPT 2013; Johansson, T.; Nguyen, P.Q., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2013; pp. 405–425.
[24] Gaži, P. Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. Advances in Cryptology – CRYPTO 2013; Canetti, R.; Garay, J.A., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2013; pp. 551–570.
[25] Chen, S.; Lampe, R.; Lee, J.; Seurin, Y.; Steinberger, J. Minimizing the Two-Round Even-Mansour Cipher. Advances in Cryptology – CRYPTO 2014; Garay, J.A.; Gennaro, R., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2014; pp. 39–56.
[26] Even, S.; Mansour, Y. A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology 1997, 10, 151–161. doi:10.1007/s001459900025.
[27] Daemen, J. Limitations of the Even-Mansour construction. Advances in Cryptology – ASIACRYPT '91; Imai, H.; Rivest, R.L.; Matsumoto, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 1993; pp. 495–498.
[28] Biryukov, A.; Wagner, D. Advanced Slide Attacks. Advances in Cryptology – EUROCRYPT 2000; Preneel, B., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2000; pp. 589–606.
[29] Dunkelman, O.; Keller, N.; Shamir, A. Minimalism in Cryptography: The Even-Mansour Scheme Revisited. Advances in Cryptology – EUROCRYPT 2012; Pointcheval, D.; Johansson, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 336–354.
[30] Dinur, I.; Dunkelman, O.; Keller, N.; Shamir, A. Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys. Advances in Cryptology – ASIACRYPT 2014; Sarkar, P.; Iwata, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2014; pp. 439–457.
[31] Dodis, Y.; Kiltz, E.; Pietrzak, K.; Wichs, D. Message Authentication, Revisited. Advances in Cryptology – EUROCRYPT 2012; Pointcheval, D.; Johansson, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 355–374.
[32] Borghoff, J.; Canteaut, A.; Güneysu, T.; Kavun, E.B.; Knezevic, M.; Knudsen, L.R.; Leander, G.; Nikov, V.; Paar, C.; Rechberger, C.; Rombouts, P.; Thomsen, S.S.; Yalçın, T. PRINCE – A Low-Latency Block Cipher for Pervasive Computing Applications. Advances in Cryptology – ASIACRYPT 2012; Wang, X.; Sako, K., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 208–225.
[33] Bogdanov, A.; Knudsen, L.R.; Leander, G.; Paar, C.; Poschmann, A.; Robshaw, M.J.B.; Seurin, Y.; Vikkelsoe, C. PRESENT: An Ultra-Lightweight Block Cipher. Cryptographic Hardware and Embedded Systems – CHES 2007; Paillier, P.; Verbauwhede, I., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2007; pp. 450–466.
[34] Chen, S.; Steinberger, J. Tight Security Bounds for Key-Alternating Ciphers. Advances in Cryptology – EUROCRYPT 2014; Nguyen, P.Q.; Oswald, E., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2014; pp. 327–350.
[35] Biham, E.; Shamir, A. Differential Cryptanalysis of the Data Encryption Standard; Springer-Verlag: Berlin, Heidelberg, 1993.
[36] Matsui, M. Linear Cryptanalysis Method for DES Cipher. Advances in Cryptology – EUROCRYPT '93; Helleseth, T., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 1994; pp. 386–397.
[37] Cormen, T.H.; Leiserson, C.E.; Rivest, R.L.; Stein, C. Introduction to Algorithms, 3rd ed.; The MIT Press, 2009.
AUTHOR
Dr. Ahmad Khoureich Ka has been Maître de conférences at the University of Alioune Diop de Bambey since 2007. His research interests include cryptography and security on power-restrained devices.

More Related Content

PDF
a performance analysis of generalized key scheme block cipher (gksbc) algorit...
PDF
Different Attacks on Selective Encryption in RSA based Singular Cubic Curve w...
PDF
An Encryption Algorithm To Evaluate Performance Of V2v Communication In Vanet
PDF
Three Party Authenticated Key Distribution using Quantum Cryptography
PDF
AN EFFICIENT PROXY SIGNCRYPTION SCHEME BASED ON THE DISCRETE LOGARITHM PROBLEM
PDF
A NOVEL SECURE COSINE SIMILARITY COMPUTATION SCHEME WITH MALICIOUS ADVERSARIES
PDF
A Survey on Comparisons of Cryptographic Algorithms Using Certain Parameters ...
PDF
ANALYSIS OF THE SECURITY OF BB84 BY MODEL CHECKING
a performance analysis of generalized key scheme block cipher (gksbc) algorit...
Different Attacks on Selective Encryption in RSA based Singular Cubic Curve w...
An Encryption Algorithm To Evaluate Performance Of V2v Communication In Vanet
Three Party Authenticated Key Distribution using Quantum Cryptography
AN EFFICIENT PROXY SIGNCRYPTION SCHEME BASED ON THE DISCRETE LOGARITHM PROBLEM
A NOVEL SECURE COSINE SIMILARITY COMPUTATION SCHEME WITH MALICIOUS ADVERSARIES
A Survey on Comparisons of Cryptographic Algorithms Using Certain Parameters ...
ANALYSIS OF THE SECURITY OF BB84 BY MODEL CHECKING

What's hot (20)

PDF
A Survey on Generation and Evolution of Various Cryptographic Techniques
PPTX
Efficient authentication for mobile and pervasive computing
DOCX
efficient authentication for mobile and pervasive computing
PDF
Detection of Various Attacks Using Zero Knowledge Protocol in Wireless Security
PDF
Detection of Various Attacks using Zero Knowledge Protocol in Wireless Security
PDF
SIGNCRYPTION SCHEME BASED ON SCHNORR DIGITAL SIGNATURE
PDF
SECURED TEXT MESSAGE TRANSMISSION IN A WIRELESS COMMUNICATION SYSTEM WITH THE...
PDF
Ijnsa050213
PDF
Transforming Security: Containers, Virtualization and Softwarization
PDF
Automated Validation of Internet Security Protocols and Applications (AVISPA)...
PDF
Ch34508510
DOC
DOCS ON NETWORK SECURITY
PDF
Ijarcet vol-2-issue-4-1322-1329
PDF
International Journal of Engineering and Science Invention (IJESI)
PDF
Message authentication between the nodes
PDF
Secured Paillier Homomorphic Encryption Scheme Based on the Residue Number Sy...
PDF
S.a.kalaiselvan udrpg dynamic key management based node
PDF
Performance evaluation of Hard and Soft Wimax by using PGP and PKM protocols ...
PDF
Time Performance Analysis of RSA and Elgamal Public Key Cryptosystems
PDF
A Secure Encryption Technique based on Advanced Hill Cipher For a Public Key ...
A Survey on Generation and Evolution of Various Cryptographic Techniques
Efficient authentication for mobile and pervasive computing
efficient authentication for mobile and pervasive computing
Detection of Various Attacks Using Zero Knowledge Protocol in Wireless Security
Detection of Various Attacks using Zero Knowledge Protocol in Wireless Security
SIGNCRYPTION SCHEME BASED ON SCHNORR DIGITAL SIGNATURE
SECURED TEXT MESSAGE TRANSMISSION IN A WIRELESS COMMUNICATION SYSTEM WITH THE...
Ijnsa050213
Transforming Security: Containers, Virtualization and Softwarization
Automated Validation of Internet Security Protocols and Applications (AVISPA)...
Ch34508510
DOCS ON NETWORK SECURITY
Ijarcet vol-2-issue-4-1322-1329
International Journal of Engineering and Science Invention (IJESI)
Message authentication between the nodes
Secured Paillier Homomorphic Encryption Scheme Based on the Residue Number Sy...
S.a.kalaiselvan udrpg dynamic key management based node
Performance evaluation of Hard and Soft Wimax by using PGP and PKM protocols ...
Time Performance Analysis of RSA and Elgamal Public Key Cryptosystems
A Secure Encryption Technique based on Advanced Hill Cipher For a Public Key ...
Ad

Similar to RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES (20)

PDF
CERTIFICATELESS SCHEME BASED NTRU CRYPTOSYSTEM FOR AD-HOC UWB-IR NETWORK
PPTX
Efficient authentication for mobile and pervasive computing
PDF
SECURE KEY MANAGEMENT PROTOCOL IN WIMAX
PDF
EVALUATING GALOIS COUNTER MODE IN LINK LAYER SECURITY ARCHITECTURE FOR WIRELE...
PDF
SECURITY V/S QOS FOR LTE AUTHENTICATION AND KEY AGREEMENT PROTOCOL
PDF
Ijcnc050212
PDF
Efficient authentication for mobile and pervasive computing
PDF
EFFICIENT GENERALIZED SIGNCRYPTION BASED ON ECC
PDF
5215ijcis01
PDF
A New Security Level for Elliptic Curve Cryptosystem Using Cellular Automata ...
PDF
W04404135146
PDF
An Encrypted MAC for the Authentication Process in WSN
PDF
2.espk external agent authentication and session key establishment using publ...
PDF
REAL-TIME MODE HOPPING OF BLOCK CIPHER ALGORITHMS FOR MOBILE STREAMING
PDF
An Efficient privacy preserving for Mobile and Pervasive Computing
PDF
HARDWARE SECURITY IN CASE OF SCAN-BASED ATTACK ON CRYPTO-HARDWARE
PDF
HARDWARE SECURITY IN CASE OF SCAN-BASED ATTACK ON CRYPTO-HARDWARE
PDF
HARDWARE SECURITY IN CASE OF SCAN-BASED ATTACK ON CRYPTO-HARDWARE
PDF
TAM new report
PDF
Analysis on Mobile WiMAX Security.pdf
CERTIFICATELESS SCHEME BASED NTRU CRYPTOSYSTEM FOR AD-HOC UWB-IR NETWORK
Efficient authentication for mobile and pervasive computing
SECURE KEY MANAGEMENT PROTOCOL IN WIMAX
EVALUATING GALOIS COUNTER MODE IN LINK LAYER SECURITY ARCHITECTURE FOR WIRELE...
SECURITY V/S QOS FOR LTE AUTHENTICATION AND KEY AGREEMENT PROTOCOL
Ijcnc050212
Efficient authentication for mobile and pervasive computing
EFFICIENT GENERALIZED SIGNCRYPTION BASED ON ECC
5215ijcis01
A New Security Level for Elliptic Curve Cryptosystem Using Cellular Automata ...
W04404135146
An Encrypted MAC for the Authentication Process in WSN
2.espk external agent authentication and session key establishment using publ...
REAL-TIME MODE HOPPING OF BLOCK CIPHER ALGORITHMS FOR MOBILE STREAMING
An Efficient privacy preserving for Mobile and Pervasive Computing
HARDWARE SECURITY IN CASE OF SCAN-BASED ATTACK ON CRYPTO-HARDWARE
HARDWARE SECURITY IN CASE OF SCAN-BASED ATTACK ON CRYPTO-HARDWARE
HARDWARE SECURITY IN CASE OF SCAN-BASED ATTACK ON CRYPTO-HARDWARE
TAM new report
Analysis on Mobile WiMAX Security.pdf
Ad

Recently uploaded (20)

PDF
Well-logging-methods_new................
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
PPT
CRASH COURSE IN ALTERNATIVE PLUMBING CLASS
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
PPTX
UNIT-1 - COAL BASED THERMAL POWER PLANTS
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
PPTX
UNIT 4 Total Quality Management .pptx
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PPTX
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
PPTX
OOP with Java - Java Introduction (Basics)
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
PPTX
Lecture Notes Electrical Wiring System Components
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
PDF
PPT on Performance Review to get promotions
PPTX
CH1 Production IntroductoryConcepts.pptx
Well-logging-methods_new................
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
CRASH COURSE IN ALTERNATIVE PLUMBING CLASS
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
Model Code of Practice - Construction Work - 21102022 .pdf
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Embodied AI: Ushering in the Next Era of Intelligent Systems
UNIT 4 Total Quality Management .pptx
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
OOP with Java - Java Introduction (Basics)
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Lecture Notes Electrical Wiring System Components
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
PPT on Performance Review to get promotions
CH1 Production IntroductoryConcepts.pptx

RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES

  • 1. International Journal on Cryptography and Information Security (IJCIS), Vol. 8, No.3, September 2018 DOI:10.5121/ijcis.2018.8301 1 RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES Ahmad Khoureich Ka Department of Computer Science, University of Alioune Diop de Bambey,Senegal ABSTRACT Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These devices mainly comprise RFID (Radio-Frequency Identification) or WSN (Wireless Sensor Networks) components. Their adoption is growing in areas where data security or privacy or both must be guaranteed. Therefore, it is necessary to develop appropriate security solutions for these systems. Many papers have proposed solutions for encryption or authentication. But it turns out that sometimes the proposal has security flaw or is ill-suited for the constrained IoT devices (which has very limited processing and storage capacities).In this paper, we introduce a new authentication protocol inspired by Mirror-Mac (MM) which is a generic construction of authentication protocol proposed by Mol et al. Our proposal named RMAC is well suited for highly constrained IoT devices since its implementation uses simple and lightweight algorithms. We also prove that RMAC is at least as secure as the MM protocol and thus secure against man-in-the-middle attacks. KEYWORDS IoT, MAC, authentication, lightweight protocol, Xor-Cascade Encryption 1. INTRODUCTION The Internet of Things (IoT), refers to a wide variety of devices that can collect, share data and more to connect to the internet. These devices mainly comprise RFID or WSN components [1]. Data security and privacy constitute one of the biggest issues with the IoT since extremely sensitive data can be collected and shared anonymously [1]. 
Therefore, in order to maintain the growing interest (and trust) in connected objects in healthcare, in the retail supply chain and in the automotive industry to name a few, security in their implementation must be taken into account. Unfortunately, classical cryptographic primitives require important processing and storage capacities that constrained IoT devices do not have [2]. Therefore, it is necessary to invent secure and lightweight solutions. But designing such lightweight protocols is not easy, since they must take into account security, hardware efficiency and energy consumption. Nevertheless, several solutions for lightweight authentication protocol have been proposed. We can mention HB-like protocols [3–5], Message Authentication Codes [6–8] exploiting the difficulty of the LPN problem and others [2,9–14]. In this paper, we propose a new 3-round MAC authentication protocol named RMAC (stands for Random MAC). One might ask why a new lightweight authentication protocol since there is a bunch of proposals. The answer is simply because many of the aforementioned proposals have been broken [15–20] or have a storage and transmission cost unacceptably high [4,6] for highly constrained IoT devices. This new protocol is inspired by the MM proposal [21], i.e. a 2-round authentication protocol based on weak MACs and provably secure against man-in-the-middle attacks. It also exploits the well-studied -round Xor-Cascade Encryption, i.e. a framework for designing block ciphers.
  • 2. International Journal on Cryptography and Information Security The main idea behind the MM proposal is that the prover responds to pair , received is correct (see figure 1). Since the message attack (uf-rma), any modification of the pair Therefore, the attacker has very l authentication protocol. But the weakness of this method prover as a verification oracle because he can send a pair responds he will know that the pair is good and at the same time he will have free for an M of his choice. The RMAC protocol that we propose here eliminates this shortcoming. The -round Xor-Cascade Encryption is a framework for designing block ciphers from random permutations [22–25]. RMAC implements a 2 authentication code. We know that to2 / query complexity [22]. That is an key with less than 2 / queries to both the 2 inner permutations. But this threshold can be easily reached when the genuine prover. Therefore, in order to overcome this weakness, we execute a key establishment protocol before the core authentication protocol to renew the key at each authentication session. This paper is structured as follo definitions in section 2. Section 3 presents existing work. Our RMAC protocol is described in section 4 followed by the security arguments that weighs in its favor in section 5. Finally, a conclusion is given in section 6. 2. DEFINITION 2.1. r-round Xor-Cascade Encryption The -round Xor-Cascade Encryption (which can also be seen as a Generalized Even Cipher) can be considered as a framework for building block ciphers from a set of permutations. Consider an ensemble round Xor-Cascade Encryption space 0,1 and key space , where , , … , message ∈ 0,1 , A considerable number of papers [22 given oracle access to inner permutations permutation !,the security of the increasing. Also, other papers explored at 2.2. 
Message Authentication Codes A message authentication code (MAC) is a triple of probabilistic polynomial algorithms " #$, , %&'( 1 The Generalized Even-Mansour Cipher is a generalization of the o International Journal on Cryptography and Information Security (IJCIS), Vol. 8, No.3, September 2018 The main idea behind the MM proposal is that the prover responds to the verifier only if the received is correct (see figure 1). Since the used MAC is unforgettable under random modification of the pair , stops the execution of the protocol. Therefore, the attacker has very little chance to have any information about the keys used in the authentication protocol. But the weakness of this method is that the attacker can use an isolated prover as a verification oracle because he can send a pair , to theprover and if the la responds he will know that the pair is good and at the same time he will have for an M of his choice. The RMAC protocol that we propose here eliminates this Cascade Encryption is a framework for designing block ciphers from random ]. RMAC implements a 2-round Xor-Cascade Encryption as a message authentication code. We know that the 2-round Xor-Cascade Encryption is secure up ]. That is an adversary cannot gain useful information about the queries to both the 2-round Xor-Cascade Encryptionitself and to its inner permutations. But this threshold can be easily reached when the attacker has at his disposala genuine prover. Therefore, in order to overcome this weakness, we execute a key establishment the core authentication protocol to renew the key at each authentication session. This paper is structured as follows. A brief introduction is done in section 1 followed by some in section 2. Section 3 presents existing work. Our RMAC protocol is described in security arguments that weighs in its favor in section 5. 
Finally, a Cascade Encryption Cascade Encryption (which can also be seen as a Generalized Even considered as a framework for building block ciphers from a set of permutations. Consider an ensemble! )* *∈ , +of random permutations of Cascade Encryption ! with , 2 defines a block cipher with message and key space 0,1 as follow: given a key ∈ 0,1 , - , - , … , - ∈ 0,1 , onsiderable number of papers [22–25] have shown that, in the model where the adversary is oracle access to inner permutations)* ∈ ! of her choice and their inverses and to the outer ,the security of the -roundXor-Cascade Encryption approaches2 explored attacks on these constructions [27–30]. Authentication Codes A message authentication code (MAC) is a triple of probabilistic polynomial such that: Mansour Cipher is a generalization of the one-round Even-Mansour schema [26 (IJCIS), Vol. 8, No.3, September 2018 2 fier only if the under random- stops the execution of the protocol. to have any information about the keys used in the is that the attacker can use an isolated to theprover and if the latter responds he will know that the pair is good and at the same time he will have for for an M of his choice. The RMAC protocol that we propose here eliminates this Cascade Encryption is a framework for designing block ciphers from random Cascade Encryption as a message Cascade Encryption is secure up gain useful information about the Cascade Encryptionitself and to its attacker has at his disposala genuine prover. Therefore, in order to overcome this weakness, we execute a key establishment the core authentication protocol to renew the key at each authentication session. ws. A brief introduction is done in section 1 followed by some in section 2. Section 3 presents existing work. Our RMAC protocol is described in security arguments that weighs in its favor in section 5. 
Finally, a Cascade Encryption (which can also be seen as a Generalized Even-Mansour1 considered as a framework for building block ciphers from a set of random of 0,1 , the - defines a block cipher with message as follow: given a key and a ] have shown that, in the model where the adversary is of her choice and their inverses and to the outer when is A message authentication code (MAC) is a triple of probabilistic polynomial-time Mansour schema [26].
  • 3. International Journal on Cryptography and Information Security (IJCIS), Vol. 8, No.3, September 2018 3 1. " #$ is the key generation algorithm. It takes as input a security parameter 1 and outputs a key " from a specified key space.. 2. is the MAC tag generation algorithm (may be randomized). It takes as input a key " and a message from a specified message space ℳand outputs a MAC tag ← . 3. %&'( is the verification algorithm (assumed to be deterministic). It takes as input a key ", a message and a MAC tag and outputs a bit1 %&'( , . If the TAG algorithm is a cipher as in our RMAC protocol, %&'( outputs 1 if or 0 otherwise. The security of a MAC is related to its resistance against forgery. The strongest notion of MAC security issuf-cma, that is strongly unforgettable under chosen-message attack. It refers to MACs for which any adversary has negligible chance to generate a valid MAC tag for a new message (a message whose MAC tag is not previously seen by the adversary) even if she has seen MAC tags for messages of its choosing. Our RMAC protocol is based on a weaker MAC (uf-rma MAC) that is a MAC which is unforgettable only under random-message attack. That is, the MAC is unforgettable if the adversary does not have the ability to perform chosen-message attack. The adversary can only see MAC tags for random messages (messages for which she has no control). 2.3. MITM secure authentication protocol Man-in-the-middle (MITM) attacks are the most powerful attacks against authentication protocols [6]. The MITM adversary is allowed to interact several times (at will and even concurrently) with the prover and the verifier. An authentication protocol achieves MITM security if any MITM adversary cannot bring the verifier to accept. 3. EXISTING WORK A number of works has been done on lightweight authentication protocols. There is HB-like protocols [3–5] which take advantage of the difficulty of solving the learning parity with noise (LPN) problem. 
The probabilistic nature of the verifier's final response (accepting or rejecting the prover) in HB-like protocols is generally exploited to develop attacks against them [17–19]. In addition, despite their attractive design, which implies low computing resource requirements, their communication cost is often very high. Thus, it is hard to see an efficient HB-like protocol secure against man-in-the-middle attacks. However, there are other lightweight authentication protocols based on MACs, for example SQUASH [2], based on the Rabin encryption scheme, and others based on the LPN problem [6, 7, 31]. The proposals of Kiltz et al. [6] are MAC-based authentication protocols exploiting the difficulty of the LPN problem. These protocols have the advantage of having a tight reduction to the LPN problem and are therefore secure against man-in-the-middle attacks. But they suffer from the large size of their keys and their large communication complexity. All these drawbacks make these protocols poorly suited for highly constrained IoT devices. More recent proposals have been made [9–12] but it turns out that [9, 10] fail to achieve the claimed security level [15, 16]. The proposal of Mol et al. named Mirror-Mac (MM) [21] has caught our attention. MM is a generic construction of a 2-round MITM secure protocol (see figure 1). Mol et al. have proven that when instantiated with an uf-rma (unforgeable under random-message attack) MAC, MM is secure even if the adversary interacts at will with an arbitrary number of both prover and verifier instances. That is, the adversary has negligible chance to make the verifier accept. Our proposal RMAC is inspired by MM.
Figure 1: The generic MM construction of a 2-round MITM secure protocol proposed by Mol et al. [21], using MAC = (KGEN, TAG, VRFY) where the keys are generated by KGEN. TAG takes as input a key and a message in a message space and outputs a tag; VRFY takes as input a key, a message and a MAC tag in the tag space and then outputs a decision in {0,1}.

4. THE NEW PROTOCOL

Traditionally, a MAC authentication is a 2-step protocol. The verifier and the prover share a common secret. The verifier sends a challenge to the prover, which calculates and returns the corresponding tag to the verifier. The latter checks if the received tag is correct to accept the prover. For such a scheme to be secure it is necessary that the MAC be suf-cma since the adversary has direct access to it and can make chosen-message attacks. Such MACs are generally constructed from traditional pseudorandom functions, unusable in a highly constrained environment because they require heavy computation. A solution for highly constrained IoT devices is to use a MAC consisting of lightweight algorithms (certainly less secure than conventional MACs) and embed it in a protocol from which the adversary will not have direct access to make chosen-message attacks. Therefore, the adversary is forced to be passive. It is that solution that we implement with our protocol.

RMAC is an authentication protocol that uses a 128-bit key and operates with a 64-bit challenge and a 64-bit response. In the rest of the paper, we set n = 64. RMAC is based on the two-round generic construction of a man-in-the-middle secure authentication protocol denoted MM introduced by Mol et al. [21]. But in our protocol the challenge is encrypted using a one-time pad prior to sending it to the prover, and whatever the result of the verification of the received pair by the prover, an n-bit string is returned to the verifier (see figures 1 and 2 for a graphical comparison of MM and RMAC).

Figure 2: The RMAC authentication protocol using SC with its keys (the two session keys, the long-lived key and the mixed key). pfx denotes the prefix of length n of a string.
The RMAC protocol also uses a new implementation of a Xor-Cascade Encryption consisting of only two rounds as an uf-rma message authentication code. Using this small number of rounds guarantees low-latency and low-cost hardware implementation [32]. In the rest of this paper, we call Small-Cipher or SC that implementation of the 2-round Xor-Cascade Encryption. We know from [22] that the 2-round Xor-Cascade Encryption is secure up to a query complexity exponential in n. When such a construction is implemented in highly constrained devices (this must be a lightweight implementation) with a fixed key, that security threshold in number of queries can be easily reached. Thus, in order to make such an attack difficult and burdensome, we renew the key with a lightweight key establishment protocol.

4.1. The Lightweight Key Establishment Protocol

The lightweight key establishment protocol we describe here is run before the core authentication protocol. Figure 2 shows how the key establishment protocol works. The two parties share a secret key of size 2n. The prover begins by drawing uniformly at random a bit string and sends it to the verifier. They both compute the mixed key as MixBits of the shared secret key and the prover's string, where MixBits is a mixing function. After that, the verifier draws uniformly at random a 2n-bit string, computes its XOR with the mixed key and sends the result to the prover. Finally the two parties derive two n-bit long secret keys by applying ∆ to the verifier's string and the mixed key. The function ∆ acts as a comb on the verifier's string with n teeth randomly spaced; the space between the teeth is defined by the mixed key (see algorithm 1). Any secure lightweight mixing function can be used, but here we propose to use the mixing function introduced in the Gossamer protocol because it has an extremely lightweight nature [14] (see below).

The MixBits function:

4.2. Design Details of the Core Authentication Protocol

The prover and the verifier share a long-lived key and two session keys obtained from the lightweight key establishment protocol. The verifier draws a random 2n-bit string, computes its one-time pad encryption (the XOR of that string with the mixed key computed during the session key establishment protocol) and the SC tag of its prefix of length n, then sends the encrypted string together with the tag to the
prover. Upon receiving this pair, the prover checks whether the received tag is equal to the SC tag of the prefix of length n of the decrypted challenge, and if so computes the SC response and sends it to the verifier; if not, it draws uniformly at random an n-bit string and sends it to the verifier. The latter accepts the prover if and only if the received string equals the expected SC value. Recall that SC uses the two session keys and the long-lived key.

Now we present our Small-Cipher (SC), which is an extremely lightweight implementation of the 2-round Xor-Cascade Encryption. It is used as a message authentication code (MAC) by RMAC. Its inner permutation is an SP-network denoted RBOX (stands for Random Box). Basically, an SP-network applies to its input (a plaintext and a key) many rounds of transformation, each consisting of a substitution of the values of bits along the input text (using an S-box), a permutation of bit positions (using a P-box) and a key mixing. The P-boxes of SP-networks are usually a fixed permutation of the bit positions of the state, but here we introduce a keyed one. In the rest of this section, we successively present the S-box, the P-box, RBOX (the Small-Cipher inner permutation) and Small-Cipher itself.

4.2.1. The S-box

It consists of the 4-bit to 4-bit S-box borrowed from the ultra-lightweight block cipher PRESENT [33]. This S-box is designed with hardware efficiency in mind for resource-limited devices. The following table recalls its action in hexadecimal notation.

input     0 1 2 3 4 5 6 7 8 9 A B C D E F
s-box[ ]  C 5 6 B 9 0 A D 3 E F 8 4 7 1 2

4.2.2. The P-box

Let the keyed P-box be the bit-position permutation {0,1}^n × {0,1}^n → {0,1}^n we introduce here. That is, for every n-bit key, the P-box under that key is a permutation on {0,1}^n that preserves the Hamming weight of its input. The way the P-box computes the image of an n-bit input is given by algorithm 2. For a randomly chosen key, the first plot from the top of figure 3 shows how the P-box maps the original position of a bit of state to its new position.
Note that the diffusion power of the P-box is weak because some streaks of consecutive bits of state are not perturbed. We can also see from the plot two groups of points forming two superimposed slopes. Bits of the key which are equal to 1 give the group at the top and bits of the key which are equal to 0 give the group at the bottom. In order to achieve a better diffusion, we can iterate the P-box a number of times. Figure 3 shows the improvement obtained by iterating it. Lemma 1 gives the relation that exists between the original position of a bit and its final position after a number of iterations of the P-box. Also, it becomes clear from lemma 1 that the more we iterate the P-box, the more the final position of a bit is unrelated to its original position but only depends on the key.

(Footnote 2) It must be clear that SC is used as an uf-rma MAC for our authentication protocol and we do not claim to offer it as a block cipher for constrained environments.
Figure 3: Improvement of the diffusion power by iterating the P-box where the key is the 64-bit string 93#6748F4#52787. From top to bottom we have the 1st to the 5th iteration of the P-box.

4.2.3. The RBOX

It is composed of the S-box presented earlier surrounded by two iterated P-box layers. Since our P-boxes are keyed, let two n-bit keys be given; RBOX then consists of five iterations of the P-box under the first key, followed by the S-box and five iterations of the P-box under the second key (see figure 4 for a depiction of RBOX).

Figure 4: RBOX; each of the two P-boxes is iterated five times.
4.2.4. The Small-Cipher (SC)

In an initial phase, both the prover and the verifier hold the same 2n-bit secret key S. Let pfx(S) and sfx(S) be respectively the prefix of length n of S and the suffix of length n of S. From the execution of the lightweight key establishment protocol the two parties obtained two n-bit session keys. Since it is only required for the iterated Even-Mansour cipher to have its 3 round keys 2-wise independent [34], by using two independent n-bit permutations RBOX (each keyed with two of these keys) and three round keys built from the session keys (one of them being the XOR of two keys), we have our implementation of the 2-round Xor-Cascade Encryption depicted in Figure 5.

Figure 5: Small-Cipher using the two session keys and the two halves of S.

A comparison of RMAC with other authentication protocols is given in table 1.

Table 1. Storage and transmission cost of some authentication protocols. Rabin crypto stands for Rabin cryptosystem, qSDH for q-Strong Diffie-Hellman, PUF for Physical Unclonable Function and 2-XC for 2-round Xor Cascade Encryption. Values are given in bits.

5. SECURITY ARGUMENTS

In this section, we present the security analysis of SC and provide security proofs for RMAC.

5.1. Security of SC

5.1.1. The Structure of SC

SC is an implementation of the 2-round Xor-Cascade Encryption using RBOX as its inner permutation. The 2-round Xor-Cascade Encryption is secure up to a query complexity exponential in its parameter [22]. For SC this parameter equals 2n, thus SC is theoretically secure up to the corresponding number of queries to the underlying RBOXes and to SC itself. This bound is theoretical since the RBOXes cannot be considered as random permutations. This is why it is advantageous to change the RBOX keys at each execution of RMAC. Also, note that through RMAC it is difficult for an adversary to make a chosen plaintext attack (and even more difficult a chosen ciphertext attack) against SC.
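To make the key establishment and core protocol of sections 4.1 and 4.2 and the SC construction of sections 4.2.1 to 4.2.4 concrete, here is an added Python model; it is not the paper's code. Only n = 64, the PRESENT S-box, the five-fold P-box iteration, the 2-round Xor-Cascade shape, the one-time-pad challenge and the always-answer prover come from the paper; the keyed P-box and the comb (algorithms 1 and 2 are not on the page), the MixBits recollection, the RBOX and round-key schedule and the input of the prover's response are assumptions, marked as such in the comments.

```python
import secrets

N = 64                          # the paper sets n = 64
MASK, MASK2 = (1 << N) - 1, (1 << 2 * N) - 1
# PRESENT S-box, as given in section 4.2.1
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def sbox_layer(s):
    """Apply the 4-bit S-box to each of the 16 nibbles of a 64-bit state."""
    out = 0
    for i in range(N // 4):
        out |= SBOX[(s >> (4 * i)) & 0xF] << (4 * i)
    return out


def pbox(s, k):
    """ASSUMED keyed bit-position permutation (algorithm 2 is not on the page): the bit
    at position p moves to hw(k[:p]) if k_p = 1, else to hw(k) + p - hw(k[:p]). Bits
    under 1-bits of k are packed low, the rest follow in order: a bijection that keeps
    the Hamming weight and gives the two key-dependent slopes described for figure 3."""
    hw_k = bin(k).count("1")
    out, ones_before = 0, 0
    for p in range(N):
        bit = (s >> p) & 1
        if (k >> p) & 1:
            out |= bit << ones_before
            ones_before += 1
        else:
            out |= bit << (hw_k + p - ones_before)
    return out


def rbox(s, ka, kb):
    """RBOX (4.2.3): five P-box iterations under ka, the S-box, five iterations under kb."""
    for _ in range(5):
        s = pbox(s, ka)
    s = sbox_layer(s)
    for _ in range(5):
        s = pbox(s, kb)
    return s


def sc(m, k1, k2, S):
    """Small-Cipher as a 2-round Xor-Cascade: RBOX_b(RBOX_a(m ^ r0) ^ r1) ^ r2.
    ASSUMED key schedule: RBOX_a keyed by (k1, pfx(S)), RBOX_b by (k2, sfx(S)),
    round keys (k1, k1 ^ k2, k2), a 2-wise independent triple built from two keys."""
    pfx_S, sfx_S = S >> N, S & MASK     # S must be a 2n-bit key
    t = rbox(m ^ k1, k1, pfx_S) ^ (k1 ^ k2)
    return rbox(t, k2, sfx_S) ^ k2


def mixbits(x, y):
    """MixBits of the Gossamer protocol [14] as we recall it (ASSUMED, not quoted from
    the paper): 32 rounds of Z = (Z >> 1) + Z + Z + Y, reduced here to 2n bits."""
    z = x
    for _ in range(32):
        z = ((z >> 1) + z + z + y) & MASK2
    return z


def comb(x, kp):
    """ASSUMED stand-in for the comb of algorithm 1 (not on the page): the n teeth fall
    on the positions of x under 1-bits of K' (lowest first), padded with the lowest
    untouched positions; the combed bits form k1, the remaining n bits form k2."""
    order = sorted(range(2 * N), key=lambda i: (-((kp >> i) & 1), i))
    k1 = k2 = 0
    for j, i in enumerate(order[:N]):
        k1 |= ((x >> i) & 1) << j
    for j, i in enumerate(order[N:]):
        k2 |= ((x >> i) & 1) << j
    return k1, k2


def establish_session(S, r, x):
    """Section 4.1: K' = MixBits(S, r) and (k1, k2) = comb(x, K'), computed identically
    on both sides from the prover's nonce r (assumed n bits) and the verifier's 2n-bit x."""
    kp = mixbits(S, r)
    return (kp,) + comb(x, kp)


def verifier_challenge(x, kp, k1, k2, S):
    """Section 4.2: send (x ^ K', SC(pfx(x))); the one-time pad hides x on the wire."""
    return x ^ kp, sc(x >> N, k1, k2, S)


def prover_respond(xp, y, kp, k1, k2, S, rng=secrets.randbits):
    """Verify the tag on pfx(x) and reply with SC over sfx(x) (ASSUMED response input);
    on failure still reply, with a uniform n-bit string, so the prover never acts as a
    verification oracle (section 5.2.2)."""
    x = xp ^ kp
    if sc(x >> N, k1, k2, S) == y:
        return sc(x & MASK, k1, k2, S)
    return rng(N)


def verifier_accept(x, z, k1, k2, S):
    """The verifier accepts iff the response equals SC over sfx(x)."""
    return z == sc(x & MASK, k1, k2, S)


def run_rmac(S, r, x, tamper_tag=False, rng=secrets.randbits):
    """One full RMAC run; tamper_tag=True flips one bit of the tag in transit."""
    kp, k1, k2 = establish_session(S, r, x)
    xp, y = verifier_challenge(x, kp, k1, k2, S)
    z = prover_respond(xp, y ^ int(tamper_tag), kp, k1, k2, S, rng)
    return verifier_accept(x, z, k1, k2, S)
```

Running `run_rmac` once honestly and once with `tamper_tag=True` shows the prover answering in both cases while only the honest run is accepted.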
5.1.2. Resistance to Linear and Differential Cryptanalysis

Linear and differential cryptanalysis [35, 36] are among the most famous tools used to analyse the security of a block cipher. But those cryptanalysis tools are heavily dependent on the S-boxes involved in the linear approximation or in the differential characteristic as we traverse the SP-network (the so-called active S-boxes). Theorem 1 implies that using the iterated linear layer (the P-box) with a secret key makes it complex to follow a bit of state through the SP-network. Therefore, it is very unlikely to determine the active S-boxes which are crucial to linear and differential cryptanalysis.

Lemma 1. Let a non-negative integer number of iterations of the P-box be given, let a position of a bit of state be given, and consider its position after that many iterations. Equation 2 expresses the final position in terms of the bit of the key found at each intermediate position, the Hamming weight of the key, and the Hamming weight of the prefix of the key of length equal to that intermediate position.

Proof. We prove lemma 1 using the induction principle. For zero iterations the position of the bit is unchanged. Thus, equation 2 is true for zero iterations. Now we assume a positive number of iterations and show that equation 2 holds for one more iteration of the P-box. From algorithm 2 we have:

which leads to:

So

By supposing that equation 2 is true, we have:
This final equation completes the proof.

Theorem 1. If the key is secret, then after three iterations of the P-box the position of a bit of state is no longer related to its original position but depends only on fixed unknown data (as they are determined by the key).

Sketch of the proof. We show that the product term on the right-hand side of equation 2 vanishes after 3 iterations of the P-box. The successive positions of the bits of the key are not independent, but the corresponding key bits are independent since all bits of the key are drawn uniformly at random from {0,1}. Hence each factor of the product (1 minus the key bit at a successive position) can be considered as a random variable with equal probability of taking value 0 or 1. We know from [37] that when we draw uniformly at random a number of bits, the longest streak of consecutive 1s we expect to have is Θ(log of that number). Therefore, for three or more iterations there is necessarily some position in the sequence for which the factor is zero.

5.1.3. Resistance to Algebraic Attacks

Algebraic attacks are known plaintext attacks. The adversary expresses the whole cipher as a system of multivariate algebraic equations and then tries to solve it using known plaintext-ciphertext pairs in order to recover the secret key. SC is a 2-round cipher that uses a 4-bit to 4-bit S-box and operates on 64-bit blocks. Each S-box can be described by 21 equations in 8 variables (4 inputs and 4 outputs). Therefore, SC can be expressed as a system of 672 multivariate equations in 256 variables. The number of equations is not impressive.
However, the difficulty of using an algebraic attack against SC relies on the fact that it will not be easy (as theorem 1 implies) to bind the input variables of the S-boxes of the first round to the bits of the plaintext, to bind the output variables of the S-boxes of the first round to the input variables of the S-boxes of the second round, and to bind the output variables of the S-boxes of the second round to the bits of the ciphertext. Consequently, it is very unlikely that an algebraic attack would be effective against SC.

5.2. Security of RMAC

5.2.1. Security of the Lightweight Key Establishment Protocol

Any modification of the prover's random string will only change the way that the two session keys are extracted from the verifier's random string. A modification of the prover's random string will also change the value of the encrypted challenge (which is a one-time pad encryption of the verifier's random string) transmitted to the prover by the verifier. Since the verifier's random string is drawn uniformly at random from {0,1}^{2n}, the attacker derives no benefit from its actions on the prover's random string.

5.2.2. Security of the Core Authentication Protocol

The following theorem states that RMAC has the same resistance to MITM attacks as MM.

Theorem 2. If MM instantiated with an uf-rma MAC is a man-in-the-middle secure authentication protocol, then RMAC instantiated with the same type of MAC is a man-in-the-middle secure authentication protocol.

Proof. For this proof, we use the reduction technique. That is, from an instance of the MM protocol we simulate an instance of the RMAC protocol, and show that if there is a MITM adversary that has a non-negligible advantage on RMAC, it can be used to mount a MITM attack against MM with a non-negligible success probability. Now, let a MITM probabilistic polynomial-time adversary attack RMAC with a non-negligible success probability. We construct a MITM probabilistic polynomial-time adversary that attempts to attack MM. So, from an instance of the MM protocol, the MM adversary simulates for the RMAC adversary an instance of RMAC as follows:
1. The MM adversary begins by drawing uniformly at random a bit string and sends it to the RMAC adversary.
2. Upon receiving a challenge and its tag from the MM verifier, where the tag is TAG of the challenge under the verifier's key, the MM adversary draws uniformly at random a bit string and sends the concatenation of the challenge and that string, together with the tag, to the RMAC adversary. Since in the RMAC protocol the prefix of the encrypted challenge is unrelated to its suffix, and the encrypted challenge is obtained from a one-time pad of two unknown bit strings, the view of the RMAC adversary in this step is identically distributed to the view it has from the second step of RMAC.
3. The MM adversary finishes the simulation by forwarding the response received from the MM prover to the RMAC adversary, or, if it receives nothing, sends a uniformly and randomly selected n-bit string to the RMAC adversary. Since the MAC is uf-rma, the adversary is not allowed to see MAC tags for chosen messages. Therefore, it will not be able to distinguish the tags of a message computed under two different keys in {0,1}^n. Thus, the view of the RMAC adversary in this step is identically distributed to the view it has from the final step of RMAC.

We claim that this simulation is correct since the view of the RMAC adversary when used as a sub-routine by the MM adversary is identically distributed to the view it has when it interacts directly with RMAC. In conclusion, the RMAC adversary has the same advantage over RMAC as the MM adversary has over MM (which is negligible [21]).

Encapsulating the challenge in the encrypted challenge using the one-time pad encryption reduces the security requirements on SC. Therefore, even if the attacker succeeded in finding a valid message-tag pair, it has very little chance to reach the next step of the protocol since it will not know how to encapsulate that message in the encrypted challenge. Another aspect that reinforces the security of our protocol is that the prover returns a response to the verifier regardless of the outcome of the verification of the challenge prefix and its tag. This prevents the attacker from using the RMAC prover as a verification oracle, since it has no way of detecting a change in the behaviour of the RMAC prover following the outcome of the verification of the received pair.
This is one more security element that our protocol RMAC has over the MM protocol. All this allows us to say that our protocol can be seen as a generic construction (SC can be replaced by a uf-rma MAC) at least as secure as MM, which is a man-in-the-middle secure authentication protocol.

6. CONCLUSIONS

In this paper, we have presented RMAC, a new lightweight MAC authentication protocol for highly constrained IoT devices. RMAC consists of ultra-lightweight algorithms and takes advantage (but also adds some extra steps) of the design of MM, a two-round generic construction secure against man-in-the-middle attacks introduced by Mol et al. It also uses a new implementation of the extensively studied 2-round Xor-Cascade Encryption as a message authentication code. Although SC is not intended to be a block cipher for resource-constrained devices, we have shown that it is resistant to linear or differential cryptanalysis and to algebraic attacks. When viewed as a generic construction (SC replaced by a MAC unforgeable under random-message attack), RMAC is proven to be a secure three-round MITM authentication protocol.

REFERENCES

[1] David, L.; Ammar, R.; Monique, M. The Internet of Things. The Internet Protocol Journal 2012, 15, 10–9. https://www.cisco.com/c/dam/en_us/about/ac123/ac147/archived_issues/ipj_15-3/ipj_15-3.pdf.
[2] Shamir, A. SQUASH – A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags. Fast Software Encryption; Nyberg, K., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2008; pp. 144–157.
[3] Juels, A.; Weis, S.A. Authenticating Pervasive Devices with Human Protocols. Advances in Cryptology – CRYPTO 2005; Shoup, V., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2005; pp. 293–308.
[4] Gilbert, H.; Robshaw, M.J.B.; Seurin, Y. Increasing the Security and Efficiency of HB+. Advances in Cryptology – EUROCRYPT 2008; Smart, N., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2008; pp. 361–378.
[5] Rizomiliotis, P.; Gritzalis, S. GHB#: A Provably Secure HB-Like Lightweight Authentication Protocol. Applied Cryptography and Network Security; Bao, F.; Samarati, P.; Zhou, J., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 489–506.
[6] Kiltz, E.; Pietrzak, K.; Venturi, D.; Cash, D.; Jain, A. Efficient Authentication from Hard Learning Problems. Journal of Cryptology 2017, 30, 1238–1275. doi:10.1007/s00145-016-9247-3.
[7] Heyse, S.; Kiltz, E.; Lyubashevsky, V.; Paar, C.; Pietrzak, K. Lapin: An Efficient Authentication Protocol Based on Ring-LPN. Fast Software Encryption; Canteaut, A., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 346–365.
[8] Lyubashevsky, V.; Masny, D. Man-in-the-Middle Secure Authentication Schemes from LPN and Weak PRFs. Advances in Cryptology – CRYPTO 2013; Canetti, R.; Garay, J.A., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2013; pp. 308–325.
[9] Fan, K.; Jiang, W.; Li, H.; Yang, Y. Lightweight RFID Protocol for Medical Privacy Protection in IoT. IEEE Transactions on Industrial Informatics 2018, 14, 1656–1665. doi:10.1109/TII.2018.2794996.
[10] Liu, D.; Li, N.; Kim, J.; Nepal, S. Compact-LWE: Enabling Practically Lightweight Public Key Encryption for Leveled IoT Device Authentication. Cryptology ePrint Archive, Report 2017/685, 2017. https://eprint.iacr.org/2017/685.
[11] Chen, M.; Chen, S.; Fang, Y. Lightweight Anonymous Authentication Protocols for RFID Systems. IEEE/ACM Transactions on Networking 2017, 25, 1475–1488. doi:10.1109/TNET.2016.2631517.
[12] Xu, H.; Ding, J.; Li, P.; Zhu, F.; Wang, R. A Lightweight RFID Mutual Authentication Protocol Based on Physical Unclonable Function. Sensors 2018, 18. doi:10.3390/s18030760.
[13] Lee, J.Y.; Lin, W.C.; Huang, Y.H. A lightweight authentication protocol for Internet of Things. 2014 International Symposium on Next-Generation Electronics (ISNE), 2014, pp. 1–2. doi:10.1109/ISNE.2014.6839375.
[14] Peris-Lopez, P.; Hernandez-Castro, J.C.; Tapiador, J.M.E.; Ribagorda, A. Advances in Ultralightweight Cryptography for Low-Cost RFID Tags: Gossamer Protocol. Information Security Applications; Chung, K.I.; Sohn, K.; Yung, M., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2009; pp. 56–68.
[15] Aghili, S.F.; Mala, H. Security Analysis of Fan et al. Lightweight RFID Authentication Protocol for Privacy Protection in IoT. Cryptology ePrint Archive, Report 2018/388, 2018. https://eprint.iacr.org/2018/388.
[16] Xiao, D.; Yu, Y. Cryptanalysis of Compact-LWE and Related Lightweight Public Key Encryption. Sec. and Commun. Netw. 2018, 2018. doi:10.1155/2018/4957045.
[17] Gilbert, H.; Robshaw, M.J.B.; Seurin, Y. Good Variants of HB+ Are Hard to Find. Financial Cryptography and Data Security; Tsudik, G., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2008; pp. 156–170.
[18] Frumkin, D.; Shamir, A. Un-Trusted-HB: Security Vulnerabilities of Trusted-HB. Cryptology ePrint Archive, Report 2009/044, 2009. https://eprint.iacr.org/2009/044.
[19] Ouafi, K.; Overbeck, R.; Vaudenay, S. On the Security of HB# against a Man-in-the-Middle Attack. Advances in Cryptology – ASIACRYPT 2008; Pieprzyk, J., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2008; pp. 108–124.
[20] Ouafi, K.; Vaudenay, S. Smashing SQUASH-0. Advances in Cryptology – EUROCRYPT 2009; Joux, A., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2009; pp. 300–312.
[21] Mol, P.; Tessaro, S. Secret-Key Authentication Beyond the Challenge-Response Paradigm: Definitional Issues and New Protocols. 2012. http://www.cs.ucsb.edu/%7Etessaro/papers/auth.pdf.
[22] Gaži, P.; Tessaro, S. Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading. Advances in Cryptology – EUROCRYPT 2012; Pointcheval, D.; Johansson, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 63–80.
[23] Lee, J. Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption. Advances in Cryptology – EUROCRYPT 2013; Johansson, T.; Nguyen, P.Q., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2013; pp. 405–425.
[24] Gaži, P. Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers. Advances in Cryptology – CRYPTO 2013; Canetti, R.; Garay, J.A., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2013; pp. 551–570.
[25] Chen, S.; Lampe, R.; Lee, J.; Seurin, Y.; Steinberger, J. Minimizing the Two-Round Even-Mansour Cipher. Advances in Cryptology – CRYPTO 2014; Garay, J.A.; Gennaro, R., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2014; pp. 39–56.
[26] Even, S.; Mansour, Y. A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology 1997, 10, 151–161. doi:10.1007/s001459900025.
[27] Daemen, J. Limitations of the Even-Mansour construction. Advances in Cryptology – ASIACRYPT '91; Imai, H.; Rivest, R.L.; Matsumoto, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 1993; pp. 495–498.
[28] Biryukov, A.; Wagner, D. Advanced Slide Attacks. Advances in Cryptology – EUROCRYPT 2000; Preneel, B., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2000; pp. 589–606.
[29] Dunkelman, O.; Keller, N.; Shamir, A. Minimalism in Cryptography: The Even-Mansour Scheme Revisited. Advances in Cryptology – EUROCRYPT 2012; Pointcheval, D.; Johansson, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 336–354.
[30] Dinur, I.; Dunkelman, O.; Keller, N.; Shamir, A. Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys. Advances in Cryptology – ASIACRYPT 2014; Sarkar, P.; Iwata, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2014; pp. 439–457.
[31] Dodis, Y.; Kiltz, E.; Pietrzak, K.; Wichs, D. Message Authentication, Revisited. Advances in Cryptology – EUROCRYPT 2012; Pointcheval, D.; Johansson, T., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 355–374.
[32] Borghoff, J.; Canteaut, A.; Güneysu, T.; Kavun, E.B.; Knezevic, M.; Knudsen, L.R.; Leander, G.; Nikov, V.; Paar, C.; Rechberger, C.; Rombouts, P.; Thomsen, S.S.; Yalçın, T. PRINCE – A Low-Latency Block Cipher for Pervasive Computing Applications. Advances in Cryptology – ASIACRYPT 2012; Wang, X.; Sako, K., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2012; pp. 208–225.
[33] Bogdanov, A.; Knudsen, L.R.; Leander, G.; Paar, C.; Poschmann, A.; Robshaw, M.J.B.; Seurin, Y.; Vikkelsoe, C. PRESENT: An Ultra-Lightweight Block Cipher. Cryptographic Hardware and Embedded Systems – CHES 2007; Paillier, P.; Verbauwhede, I., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2007; pp. 450–466.
[34] Chen, S.; Steinberger, J. Tight Security Bounds for Key-Alternating Ciphers. Advances in Cryptology – EUROCRYPT 2014; Nguyen, P.Q.; Oswald, E., Eds.; Springer Berlin Heidelberg: Berlin, Heidelberg, 2014; pp. 327–350.
[35] Biham, E.; Shamir, A. Differential Cryptanalysis of the Data Encryption Standard; Springer-Verlag: Berlin, Heidelberg, 1993.
[36] Matsui, M. Linear Cryptanalysis Method for DES Cipher. Advances in Cryptology – EUROCRYPT '93; Helleseth, T., Ed.; Springer Berlin Heidelberg: Berlin, Heidelberg, 1994; pp. 386–397.
[37] Cormen, T.H.; Leiserson, C.E.; Rivest, R.L.; Stein, C. Introduction to Algorithms, Third Edition, 3rd ed.; The MIT Press, 2009.

AUTHOR

Dr. Ahmad Khoureich Ka has been Maître de conférences at the University of Alioune Diop de Bambey since 2007. His research interests include cryptography and security on power-restrained devices.