Cryptology ePrint Archive: Report 2017/649

Blockcipher-based Authenticated Encryption: How Small Can We Go?

Avik Chakraborti and Tetsu Iwata and Kazuhiko Minematsu and Mridul Nandi

Abstract: This paper presents a lightweight blockcipher based authenticated encryption mode mainly focusing on minimizing the implementation size, i.e., hardware gates or working memory on software. The mode is called COFB, for COmbined FeedBack. COFB uses an n-bit blockcipher as the underlying primitive and relies on the use of a nonce for security. In addition to the state required for executing the underlying blockcipher, COFB needs only n/2 bits state as a mask. Till date, for all existing constructions in which masks have been applied, at least $n$ bit masks have been used. Thus, we have shown the possibility of reducing the size of a mask without degrading the security level much. Moreover, it requires one blockcipher call to process one input block. We show COFB is provably secure up to O(2^{n/2}/n) queries which are almost up to the standard birthday bound. We first present an idealized mode iCOFB along with the details of its provable security analysis. Next, we extend the construction to the practical mode COFB. We instantiate COFB with two 128-bit blockciphers, AES-128 and GIFT-128, and present their implementation results on FPGAs. When instantiated with AES-128, COFB achieves only a few more than 1000 Look-Up-Tables (LUTs) while maintaining almost the same level of provable security as standard AES-based AE, such as GCM. When instantiated with GIFT-128, COFB performs much better in hardware area. It consumes less than 1000 LUTs while maintaining the same security level. Both these figures show competitive implementation results compared to other authenticated encryption constructions.

Category / Keywords: COFB, AES, GIFT, authenticated encryption, blockcipher

Original Publication (with major differences): IACR-CHES-2017

Date: received 30 Jun 2017, last revised 23 Mar 2019

Contact author: avikchkrbrti at gmail com, iwata@cse nagoya-u ac jp, k-minematsu@ah jp nec com, mridul nandi@gmail com

Available format(s): PDF | BibTeX Citation

Note: We updated the definition of G. See page 14, "Feedback Function" for more details.

Version: 20190323:111306 (All versions of this report)

Short URL: ia.cr/2017/649


[ Cryptology ePrint archive ]