## Cryptology ePrint Archive: Report 2019/193

Towards Low-Energy Leakage-Resistant Authenticated Encryption from the Duplex Sponge Construction

Chun Guo and Olivier Pereira and Thomas Peters and François-Xavier Standaert

Abstract: The ongoing NIST lightweight standardization process explicitly puts forward a requirement of side-channel security, which has renewed the interest for Authenticated Encryption schemes (AEs) with light(er)-weight side-channel secure implementations. To address this challenge, we investigate the leakage-resilience of a generic duplex-based stream cipher, and prove the classical bound, i.e., $\approx2^{c/2}$, under an assumption of non-invertible leakage. Based on this, we propose a new 1-pass AE mode TETSponge, which carefully combines a tweakable block cipher that must have strong protections against side-channel attacks and is scarcely used, and a duplex-style permutation that only needs weak side-channel protections and is used to frugally process the message and associated data. TETSponge offers: (i) provable resistance against side-channel attacks during both encryption and decryption, (ii) some level of nonce misuse robustness, and (iii) black-box AE security with good bounds in the multi-user setting as well. We conclude that TETSponge offers an appealing option for the implementation of lightweight AE in settings where side-channel attacks are an actual concern.

Our analysis offers the first rigorous methodology for the analysis of the leakage-resilience of sponge/duplex-based AEs. It can be easily adapted to others: we demonstrate this by showcasing brief analyzes of two other 1-pass AEs Ascon, GIBBON, and two 2-pass AEs TEDTSponge and ISAP. These provide various insights for both designs and implementations.

Category / Keywords: secret-key cryptography / Authenticated Encryption, Duplex Construction, Leakage-Resilience, Leveled Implementations.

Date: received 21 Feb 2019, last revised 14 Aug 2019

Contact author: chun guo at uclouvain be

Available format(s): PDF | BibTeX Citation

Note: Incorporated some suggestions & fixed typos.

Short URL: ia.cr/2019/193

[ Cryptology ePrint archive ]