Cryptology ePrint Archive: Report 2015/999

Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption

Robert Granger and Philipp Jovanovic and Bart Mennink and Samuel Neves

Abstract: A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors.

Category / Keywords: tweakable Even-Mansour, masking, optimization, discrete logarithms, authenticated encryption, BLAKE2

Date: received 14 Oct 2015, last revised 14 Oct 2015

Contact author: jovanovic at fim uni-passau de

Available format(s): PDF | BibTeX Citation

Version: 20151014:174113 (All versions of this report)

Short URL: ia.cr/2015/999

Discussion forum: Show discussion | Start new discussion