Permutation-Based Lightweight Authenticated Cipher with Beyond Conventional Security

Lightweight authenticated ciphers are specially designed as authenticated encryption (AE) schemes for resource-constrained devices. Permutation-based lightweight authenticated ciphers have gained more attention in recent years. However, almost all permutation-based lightweight AE schemes only ensure conventional security, i.e., about c/2-bit security, where c is the capacity of the permutation. This may be vulnerable for an insufficiently large capacity. This paper focuses on the stronger security guarantee and the better efficiency optimization of permutation-based lightweight AE schemes. On the basis of the APE series (APE, APE_RI, APE_OW, and APE_CA), we propose a new improved permutation-based lightweight online AE mode APE+ which supports beyond conventional security and concurrent absorption. Then, we derive a simple security proof and prove that APE+ enjoys at most about min{r, c}-bit security, where r is the rate of the permutation. Finally, we discuss the properties of APE+ on the hardware implementation.


Introduction
With the widespread rise of big data, the Internet of Things (IoT), and fifth generation (5G) and beyond 5G (B5G) networks, leaks of sensitive data from wireless sensor devices and network platforms have become more serious and more common. The collection of sensitive data has become one of the important targets of cyberattacks by hackers. How can we protect the security of our sensitive data? Cryptography is an important method to protect the security of sensitive data.
Lightweight cryptography focuses on symmetric-key cryptography, whose goal is to settle the data security of resource-constrained devices in embedded systems, sensor networks, RFID, and low-cost environments. The feature of lightweight cryptography is that the implementation costs of hardware devices (such as area, footprint, latency, and throughput) are as low as possible and the implementation efficiency (rate) is as high as possible, without sacrificing the security guarantee. Research on lightweight cryptography began in 2004 and has been going on for more than a decade. Lightweight cryptography mainly includes lightweight ciphers and their modes of operation. Lightweight ciphers are designed to protect the privacy (confidentiality) of sensitive data on lightweight devices. Up to now, a large number of lightweight ciphers have been proposed, analyzed, and implemented [1][2][3][4][5][6][7][8][9]. Lightweight authenticated encryption (AE) modes of operation, also called lightweight authenticated ciphers, achieve both the privacy protection of sensitive data and the integrity verification of all data on lightweight devices. The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), held in 2013, greatly contributed to the vigorous development of lightweight AE modes and produced many excellent schemes, such as Ascon [10] and ACORN [10]. From the perspective of the design method, lightweight AE modes include block-cipher-based lightweight AE modes [11][12][13][14], stream-cipher-based lightweight AE modes [15,16], permutation-based lightweight AE modes [17][18][19][20], and hash-based lightweight AE modes [19,20]. Moreover, permutation-based lightweight AE modes have more advantages and attractions than others due to their simple structure, convenient lookup table, and fast running speed.
(1) In order to achieve higher efficiency, we consider putting some good factors into APE+, such as inverse-freeness, stream-cipher encryption, concurrent absorption, and pure permutation. APE+ is inverse-free, i.e., the decryption algorithm of APE+ does not invoke the inverse of the permutation. Besides, it is a stream-cipher encryption mode. For the associated data and the message, APE+ utilizes the method of concurrent absorption to process them, which makes the number of invocations of the underlying permutation as few as possible. In particular, in view of the performance of APE+ on the hardware implementation, APE+ is built by the cascade method and has no backward feedback. Therefore, it can be fully pipelined in hardware. Moreover, APE+ just requires the forward permutation circuit for the encryption and decryption circuits. Therefore, the area of the hardware device and the number of the hardware footprints are minimized. APE+ utilizes the concurrent absorption method, which greatly reduces the computational complexity on the hardware devices.
(2) In order to achieve stronger security, the encryption and authentication parts are considered separately. For the encryption part, we utilize the iterated Even-Mansour cipher with a short key [21] to generate the ciphertext while avoiding the defect that the current plaintext is XOR-ed with the previous ciphertext. For the authentication part, the authentication tag is generated by the XOR of the rate and the capacity of the last permutation to resist forgery attacks. In this paper, we derive a simple security proof by using a modular proof approach and prove that APE+ enjoys at most about min{r, c}-bit AE security under the RPM assumption, where r and c are, respectively, the rate and the capacity of the permutation. Specifically, given a permutation with parameters b = 256, r = 96, and c = 160 (or b = 256, r = 128, and c = 128), APE+ enjoys at most about 96-bit (or 128-bit) AE security, which is shown in Table 1.

The rest of this paper is organized as follows. Notations and some preliminaries are presented in Section 2. Section 3 describes the security model of lightweight AE schemes. Section 4 provides a new permutation-based lightweight AE mode with beyond conventional security and derives a security proof. Section 5 shows some discussions of APE+. Finally, Section 6 ends with a conclusion.

Preliminaries
Notations. Let $\{0,1\}^*$ denote the set containing all finite bit strings (including the empty string). Let b be an integer and $\{0,1\}^b$ be the set of all strings whose lengths are b bits. For a finite string x, |x| stands for its bit-length. For two finite

Table 1: Security levels of permutation-based AE modes using recommended parameters (b, r, c), where b is the permutation size, r is the rate of the permutation, c is the capacity of the permutation, and b = r + c.

Strong Pseudorandom Permutation (SPRP). One of the most important security concepts in symmetric ciphers is the SPRP. What is an SPRP? In a nutshell, if a symmetric cipher is indistinguishable from an ideal random permutation under chosen ciphertext attacks, then this symmetric cipher is an SPRP. The detailed definition is shown as follows.
be a symmetric cipher, where $\mathcal{K}$ is a nonempty key set. Then, for any $K \in \mathcal{K}$, $E_K(\cdot)$ is a permutation on b bits and $E_K^{-1}(\cdot)$ is the inverse of $E_K(\cdot)$. Let Perm(b) be the set of all permutations on b bits. Let P be a primitive utilized in E. Let $\mathcal{A}$ be an adversary with access to the encryption, decryption, and primitive and its inverse oracles, i.e., $(E_K^{\pm}, P^{\pm})$. Let $\mathcal{A}^{\mathcal{O}} \Rightarrow 1$ be the event that the adversary $\mathcal{A}$ outputs 1 after interacting with the oracle $\mathcal{O}$. The SPRP advantage of $\mathcal{A}$ is defined as
$$\mathrm{Adv}^{\mathrm{sprp}}_{E}(\mathcal{A}) = \Delta_{\mathcal{A}}\left(E_K^{\pm}, P^{\pm};\ \pi^{\pm}, P^{\pm}\right), \quad (1)$$
where $\pi$ is a permutation chosen uniformly at random from Perm(b). If the advantage $\mathrm{Adv}^{\mathrm{sprp}}_{E}(\mathcal{A})$ is negligible, the cipher $E_K$ is a secure strong pseudorandom permutation (SPRP).
If the resources (such as the overall running time t, the number q of queries to the encryption and decryption oracles, the total query complexity σ of the construction, and the number p of queries to the primitive and its inverse oracles) used by adversaries are limited, we define the maximum advantage as

Even-Mansour Cipher with a Short Key [21]. Let P be a public random b-bit permutation, c be the capacity of P, r be the rate of P, and b = r + c. Let $\mathcal{K} = \{0,1\}^k$ be a k-bit key set. To minimize the key material of the Even-Mansour cipher and achieve a beyond conventional security bound, the Even-Mansour cipher with a short key is presented. The Even-Mansour cipher with a short key is a function E:
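The following Python example is added here and is not part of the paper; it shows the shape of the Even-Mansour cipher with a short key as used in the modular proof approach of [21]: the k-bit key is XOR-ed into the capacity part of the state before and after the public permutation, so the rate part of the mask is zero. The toy Feistel permutation, the parameters b = 16, r = 8, c = 8, k = 8, and the placement of the key in the low-order (capacity) bits are constructed assumptions for illustration only.

```python
# Added example (not from the paper): Even-Mansour cipher with a short key,
#   E_K(x) = P(x xor (0^r || K)) xor (0^r || K),
# over a constructed toy permutation. Parameters are assumed for illustration.
B, R, C, K_BITS = 16, 8, 8, 8          # b = r + c, key length k <= c (paper: tau = k = c)
assert B == R + C and K_BITS <= C
HALF = B // 2
HMASK = (1 << HALF) - 1
STATE_MASK = (1 << B) - 1

# Toy 6-round Feistel permutation on b bits (constructed; NOT a real sponge permutation).
ROUND_CONSTANTS = (0x1F, 0x2E, 0x3D, 0x4C, 0x5B, 0x6A)

def _round_function(x, rc):
    """Small nonlinear function on a HALF-bit word (constructed for the toy)."""
    x = (x + rc) & HMASK
    x ^= ((x << 3) | (x >> (HALF - 3))) & HMASK   # rotate-left by 3 and mix
    return (x * 5 + 1) & HMASK

def perm(x):
    """Public b-bit permutation P (toy Feistel network, always invertible)."""
    l, r = x >> HALF, x & HMASK
    for rc in ROUND_CONSTANTS:
        l, r = r, l ^ _round_function(r, rc)
    return (l << HALF) | r

def perm_inv(y):
    """Inverse permutation P^{-1}; needed only to show E_K is a permutation (APE+ is inverse-free)."""
    l, r = y >> HALF, y & HMASK
    for rc in reversed(ROUND_CONSTANTS):
        l, r = r ^ _round_function(l, rc), l
    return (l << HALF) | r

def key_mask(key):
    """0^r || K: the k-bit key sits in the capacity (inner) part; the rate part of the mask is zero.
    Assumed convention: high r bits of the state are the rate, low c bits the capacity."""
    if not 0 <= key < (1 << K_BITS):
        raise ValueError("key must be a k-bit value")
    return key                          # low c bits = capacity, so no shift is needed

def split_state(x):
    """Return (rate, capacity) of a b-bit state under the assumed convention."""
    return x >> C, x & ((1 << C) - 1)

def em_encrypt(x, key):
    """E_K(x) = P(x xor mask) xor mask, the forward direction used for keystream and tag."""
    m = key_mask(key)
    return perm((x ^ m) & STATE_MASK) ^ m

def em_decrypt(y, key):
    """E_K^{-1}(y) = P^{-1}(y xor mask) xor mask (only the proof's SPRP game needs this)."""
    m = key_mask(key)
    return perm_inv((y ^ m) & STATE_MASK) ^ m

if __name__ == "__main__":
    x, key = 0xBEEF, 0xA5               # constructed sample state and key
    y = em_encrypt(x, key)
    print(hex(y), split_state(y), hex(em_decrypt(y, key)))
```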

Security Model
Syntax of Authenticated Encryption (AE). Let $\mathcal{K}$, $\mathcal{N}$, $\mathcal{H}$, $\mathcal{M}$, $\mathcal{C}$, and $\mathcal{T}$ be, respectively, the sets of keys, nonces, associated data, plaintexts, ciphertexts, and authentication tags. A nonce-based AE with associated data scheme Π = (E, D) consists of an encryption algorithm $E: \mathcal{K} \times \mathcal{N} \times \mathcal{H} \times \mathcal{M} \to \mathcal{C} \times \mathcal{T}$ and a decryption algorithm D:

where the symbol ⊥ indicates the failure of the decryption oracle. Let $K \in \mathcal{K}$ be a key, $N \in \mathcal{N}$ be a nonce, $A \in \mathcal{H}$ be associated data, $M \in \mathcal{M}$ be a plaintext, $C \in \mathcal{C}$ be a ciphertext, and $T \in \mathcal{T}$ be an authentication tag; then the syntax is formalized as follows:

where

The nonce-based AE with associated data scheme Π = (E, D) is called an online AE scheme (or authenticated online cipher) if and only if the j-th ciphertext block $C_j$ only depends on the first j plaintext blocks $M_1, \ldots, M_j$, where $j = 1, \ldots, m = \lceil |M|/r \rceil$. That is, for any fixed key K, nonce N, and associated data A, if two plaintexts M and M′ share an l-block common prefix, where $0 \le l \le m-1$, then their encrypted ciphertexts C and C′ also share an l-block common prefix. Therefore, a secure authenticated online cipher requires that ciphertexts do not reveal any further information about plaintexts than their length and the longest common prefix with previous plaintexts.

Ideal Online Function and Ideal Authenticated Online Cipher. Let $f_j$ be a function randomly chosen from

We define an ideal online function $g: \mathcal{N} \times \mathcal{H} \times \mathcal{M} \to \mathcal{C}$ as follows:

Let t be a tag-generation function randomly chosen from $\mathcal{N} \times \mathcal{H} \times \mathcal{M} \to \mathcal{T}$, and we define an ideal authenticated online cipher $\$: \mathcal{N} \times \mathcal{H} \times \mathcal{M} \to \mathcal{C} \times \mathcal{T}$ as follows:

AE Security Model
The security model of AE schemes includes the conventional security model (privacy and authenticity) [11, 17] and the all-in-one AE security model [18, 22, 23, 24]. In fact, the all-in-one AE security model covers the conventional privacy and authenticity security models. Therefore, we consider the all-in-one AE security model. Let Π = (E, D) be an AE scheme. The all-in-one AE security model is defined as follows.
Definition 1 (AE security [24]). Let P be a public random permutation, K be a key, and Π[P] be a P-based AE scheme. Let q, σ, p > 0. Then, the AE security advantage of the adversary is

Security and Communication Networks

where q is the number of queries to the encryption oracle E or the decryption oracle D, generating at most σ blocks, p is the number of queries to the permutation P or its inverse $P^{-1}$, \$ is an ideal authenticated online cipher, and ⊥ stands for the failure of the decryption oracles.

APE+: Authenticated Permutation-Based Encryption Scheme with Beyond Conventional Security for Lightweight Applications
In this section, we provide a new pure permutation-based lightweight online AE mode APE+ which enjoys beyond conventional security. Section 4.1 describes the specification of APE+. Section 4.2 derives the security proofs of APE+.

APE
‖$C_m \in \mathcal{C}$ be the corresponding ciphertext, and $T \in \mathcal{T}$ be the corresponding authentication tag, where $m = \lceil |M|/r \rceil$ is the block length of the plaintext. Let τ be the bit-length of the tag and τ = k = c.
To design a lightweight online AE mode with beyond conventional security, we utilize the iterated Even-Mansour cipher with a short key [21] to generate the ciphertext for the encryption part and invoke the Even-Mansour cipher with a short key [21] to generate the authentication tag for the authentication part. Moreover, to prevent forgery attacks, the rate of the last permutation is XOR-ed to the capacity of the last permutation with the short key, which realizes the authentication tag with a random mask. To make the number of invocations of the underlying permutation as few as possible, we utilize the concurrent absorption method [25] to process the associated data and the message. The overview of APE+ is shown in Figure 1.
APE+ consists of an encryption algorithm E and a decryption algorithm D. The encryption algorithm E takes as input a key K, a nonce N, associated data A, and a plaintext M and returns a ciphertext C and a tag T. The decryption algorithm D takes K, N, A, C, and T as inputs and returns either M or ⊥. The encryption and decryption algorithms are depicted in Algorithms 1 and 2.

Beyond Conventional Security of APE+
APE, APE_RI, APE_OW, and APE_CA only ensure security up to about $2^{c/2}$ adversarial queries (i.e., c/2-bit security). APE+ is a pure permutation-based lightweight AE scheme with beyond conventional security. Besides, APE+ is also an authenticated online cipher. In this section, we prove that APE+ enjoys at most about min{r, c}-bit AE security. Let Π[P] = (E, D) stand for our APE+ scheme with a permutation P.
where e = 2.71828182845... is the base of the natural logarithm.
Proof. We utilize the modular proof approach. First, our scheme can be described as a scheme based on an Even-Mansour cipher with a short key $E_K$, i.
It follows that we need to calculate the upper bounds of $\mathrm{Adv}^{\mathrm{sprp}}_{E}(q, \sigma, p)$ and $\mathrm{Adv}^{\mathrm{ae}}_{\Pi[Q]}(q, \sigma, p)$. First, according to the advantage of the Even-Mansour cipher with a short key [21], we have

where μ is the maximal multiplicity. Now, we consider the rationality of μ. The probability that the multiplicity exceeds μ is upper bounded by $\binom{\sigma}{\mu}\left(1/2^r\right)^{\mu-1}$, which is very close to zero. By Stirling's approximation, this probability is also bounded by $2^r \left(e\sigma/(\mu 2^r)\right)^{\mu}$, where e = 2.71828182845.... Assume that $e\sigma/(\mu 2^r) = \left(ep\sigma/2^{r+c}\right)^{1/2}$ and $16ep\sigma/2^{r+c} \ll 1$; then we have $\mu = \left(e\sigma \cdot 2^c/(p \cdot 2^r)\right)^{1/2}$. It follows that

Then, we need to compute the following advantage:

Now, we replace the random permutation Q by the random function f and rename the new scheme as Π[f]. According to the hybrid argument and the RP/RF switching lemma, we have

Algorithm 1: Encryption algorithm $E_K(N, A, M)$. Input: a key K, a nonce N, associated data A, and a plaintext M. Output: a ciphertext C and a tag T.
Input: a key K, a nonce N, associated data A, a ciphertext C, and a tag T. Output: a plaintext M or ⊥ (the decryption algorithm, Algorithm 2).

where $\mathrm{Adv}^{\mathrm{auth}}$

In the first step, we calculate the PRIV advantage $\mathrm{Adv}^{\mathrm{priv}}_{\Pi[f]}(q, \sigma, p)$. Assume that the adversary queries $(N_1, A_1, M_1), \ldots, (N_q, A_q, M_q)$ to the encryption oracle E[f] and gains the corresponding responses $(C_1, T_1), \ldots, (C_q, T_q)$. Here, the adversary is deterministic and adaptive, i.e., each query $(N_{w+1}, A_{w+1}, M_{w+1})$ of the adversary is completely determined by the previous query-response pairs. Let us define some symbols for the i-th encryption query-response pair $(N_i, A_i, M_i, C_i, T_i)$, where $1 \le i \le q$. Let $a_i = \lceil |A_i|/c \rceil$ and $m_i = \lceil |M_i|/r \rceil$ be, respectively, the block lengths of the associated data $A_i$ and the plaintext $M_i$. Then,

Here, we assume that the block length of the associated data is always less than or equal to the block length of the plaintext. Let ) be the inputs and outputs of the random function f, where $C^i_s = K^i_s \oplus M^i_s$ for $1 \le s \le m_i$ and $V^i_t = W^i_t \oplus A^i_t$ for $1 \le t \le a_i$. We define an event Coll that stands for a collision between the inputs of the random function f. For an authenticated online cipher, we consider that any two distinct queries $(N_i, A_i, M_i) \ne (N_j, A_j, M_j)$ share a common prefix, where $1 \le i \ne j \le q$. The adversary is nonce-misusing; therefore, $N_i = N_j = N$ is a common prefix. We consider the following cases:

Case 1. The event Coll occurs if one of the following collisions happens:

Let l be the maximum block length of the plaintext, i.e., $m_i \le l$ and $m_j \le l$, and let σ = ql. Therefore, after removing the duplicate conditions, the probability that the event Coll occurs is

Case 2.
where α ≥ 0. We assume that $M_i$ and $M_j$ have a β-block longest common prefix, where β ≥ 0. Then,

Case 2.1. The probability that the event Coll occurs is the same as in Case 1.
Case 2.2. The event Coll occurs if one of the following collisions happens:

for $\beta + 2 \le s \le m_i$ and $1 \le t \le m_j$, where $1 \le i \ne j \le q$.
It follows that, in Case 2.2, the probability that the event Coll occurs is

Summarizing the above mutually exclusive cases, the probability that the event Coll occurs is

If the event Coll does not occur, all inputs of f are fresh, except that the inputs from the common prefix are equal.
Therefore, E[f] is indistinguishable from \$. In the nonce-misuse setting, we have $\mathrm{Adv}^{\mathrm{priv}}$

In the second step, we evaluate the AUTH advantage $\mathrm{Adv}^{\mathrm{auth}}_{\Pi[f]}(q, \sigma, p)$. Assume that the adversary makes $q_d$ nontrivial forgery attempts after $q_e$ encryption queries, where $(N'_1, A''_1,$ $(N_{q_e}, A_{q_e}, C_{q_e}, T_{q_e})\}$ and $q = q_e + q_d$. Here, we define an event Forge that some decryption query among the $q_d$ forgery attempts does not return ⊥.
The probability that the event Coll happens is similar to that in the PRIV advantage, except that we need to consider an extra query complexity, the decryption query complexity under the forgery attempts, i.e., $\Pr[\mathrm{Coll}] \le (q + \sigma)^2/2^{b+1} + \sigma/2^r$, where σ is the total query complexity of the encryption and decryption queries.
To compute the probability $\Pr[\mathrm{Forge} \mid \neg\mathrm{Coll}]$, we consider the following cases:

For each forgery attempt, the probability that the adversary correctly guesses the image of a new point is at most $1/(2^c - q_e)$.

The outputs of f with distinct inputs are random and independent. Therefore, the probability of correctly guessing the same tag is at most $1/2^c$.
Summarizing the above two cases, the success probability of $q_d$ forgery attempts is upper bounded by

Therefore, according to the sugar-water inequality $a/b \le (a + m)/(b + m)$, where b > a > 0 and m ≥ 0, and $q = q_e + q_d$, we have

Therefore, combining (1)–(6), we obtain the result of Theorem 1. According to Theorem 1, the AE security of APE+ is up to $2^{\min\{b/2,\, r,\, c\}} = 2^{\min\{r,\, c\}}$ adversarial queries against nonce-misusing adversaries. In other words, APE+ ensures at most about min{r, c}-bit AE security, which is beyond conventional (c/2-bit) security.

Discussions
The original intention of designing our APE+ scheme is to achieve higher efficiency, better performance, and stronger security on lightweight devices. APE+ is an improved version of the APE series (including APE, APE_RI, APE_OW, and APE_CA). Therefore, APE+ inherits most of the advantages of the APE series. Besides, it has the following advantages in the hardware implementation:
(1) APE+ is a pure permutation-based lightweight online AE mode with concurrent absorption. The rate of processing the associated data and the message is faster on hardware devices.
(2) APE+ is inverse-free, i.e., its decryption circuit does not invoke the inverse of the permutation. Moreover, it is a stream-cipher encryption mode.
(3) APE+ is built by the cascade method and has no backward feedback. Therefore, it can be fully pipelined.
(4) To the best of our knowledge, APE+ is the first AE mode which supports beyond conventional security against blockwise adaptive adversaries on lightweight devices.
(5) The APE series and APE+ are designed and have proven security against nonce-misusing adversaries up to a common prefix. Jovanovic et al. showed an attack on APE with a complexity of about $2^{c/2}$ in the nonce-respecting setting (here, "nonce-respecting" means that the nonce is never repeated in the encryption queries) exploiting the defect $M_i \oplus C_{i-1}$ [26]. If there exists k such that $M_k \oplus C_{k-1} = M_1 = 0$, the adversary breaks the privacy with a complexity of about $2^{c/2}$ in the nonce-respecting setting. In fact, this attack also works for the APE series. This defect exists in APE_RI, APE_OW, and APE_CA, while it does not exist in APE+. Therefore, APE+ is robust against this kind of attack.
Table 2 shows the comparison of permutation-based lightweight AE modes. From the perspective of hardware implementation costs, APE+ just needs the permutation circuit on hardware devices as its encryption and decryption algorithms only call the permutation P.
Therefore, the area of the hardware device and the number of hardware footprints are minimized. From the perspective of efficiency, the bandwidth of the implementation is $|N| + |A| + |M| + c$. Moreover, the computational cost of the encryption and decryption algorithms is $1 + \max\{\lceil |A|/r \rceil, \lceil |M|/r \rceil\}$ permutation invocations, as we utilize the method of concurrent absorption to process the associated data and the message. Therefore, the computational complexity is obviously reduced. From the perspective of security, APE+ enjoys at most about min{r, c}-bit AE security, which is a great contribution of this paper. Fixing a permutation with recommended parameters b = 256, r = 96, and c = 160, the APE series ensures at most about 80-bit security while APE+ enjoys at most about 96-bit security. Security levels of permutation-based AE modes using recommended parameters are shown in Table 1.
This paper just focuses on the single-key security of APE+. Recently, multikey or multiuser security and related-key security have also become very hot research topics for lightweight ciphers. The implementation of APE+ on hardware circuits and its security under the multikey or multiuser and related-key settings are our next important works.

Conclusions
Most of the devices widely used in smart homes and the Internet of Things are resource constrained. The privacy security and authenticity security of data from these devices are crucial in the process of data transmission. The lightweight AE modes designed from permutations have more advantages and attractions for the protection of data security due to their simple structure, convenient lookup table, and fast running speed. However, almost all permutation-based lightweight AE modes enjoy only conventional security. In this paper, we discuss the problem of whether we can design an efficient lightweight AE mode that achieves a beyond conventional security bound for permutation-based lightweight ciphers. We propose a new permutation-based lightweight AE mode APE+ with beyond conventional security, derive its security proof, and discuss the properties of APE+. APE+ has proven AE security up to about $2^{\min\{r,\, c\}}$ adversarial queries and it is robust, where r and c are, respectively, the rate and the capacity of the permutation. APE+ is an improved version of the APE series and inherits most of the advantages of the APE series. It is well suited for the protection of data security in some special environments, such as an insufficiently large capacity of the permutation or partial information leakage of the permutation by side-channel attacks.

Data Availability
The data used to support the findings of the study are available within the article.

Conflicts of Interest
The author declares that there are no conflicts of interest.