Cryptology ePrint Archive: Report 2015/999

Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption

Robert Granger and Philipp Jovanovic and Bart Mennink and Samuel Neves

Abstract: A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors.

Category / Keywords: Tweakable Even-Mansour, masking, optimization, discrete logarithms, authenticated encryption, BLAKE2

Original Publication (with major differences): IACR-EUROCRYPT-2016

Date: received 14 Oct 2015, last revised 20 Apr 2018

Contact author: philipp jovanovic at epfl ch

Available format(s): PDF | BibTeX Citation

Note: Full version of the EUROCRYPT 2016 paper.

Version: 20180420:131802 (All versions of this report)

Short URL: ia.cr/2015/999