You are looking at a specific version (20190226:031818) of this paper.

Paper 2019/193

Towards Lightweight Side-Channel Security and the Leakage-Resilience of the Duplex Sponge

Chun Guo and Olivier Pereira and Thomas Peters and François-Xavier Standaert

Abstract

Authenticated Encryption (AE) has become the de facto standard for encryption in modern protocols, and the ubiquitous deployment of small connected devices naturally calls for the availability of lightweight AE schemes, as reflected by a new standardisation process initiated by NIST. Small devices not only have limited computational power: they are also targets of choice for side-channel attacks, and the ease of protecting against these attacks is therefore an important aspect of the selection criteria in this standardisation process. In this paper, we address this challenge by presenting a new AE mode, TETSponge, which carefully combines a tweakable block cipher, equipped with strong protections against side-channel attacks and called only twice per encryption and decryption, with a sponge-style permutation that needs only weak side-channel protections and is used to frugally process the message and associated data. TETSponge offers many desirable features: (i) it supports single-pass encryption and decryption, and is compatible with limited memory requirements, (ii) it offers black-box security as an AE mode, with good bounds, including in the multi-user setting, (iii) it offers strong resistance against side-channel attacks during both encryption and decryption, and guarantees nonce misuse-resilience. As such, we conclude that TETSponge offers an appealing option for the implementation of lightweight AE in settings where side-channel attacks are an actual concern. Along the way, we propose the first rigorous methodology that can be used to analyze the leakage-resilience of sponge-based constructions.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Authenticated Encryption, Duplex Construction, Leakage-Resilience, Leveled Implementations, Multi-User, Beyond Birthday Security
Contact author(s)
chun guo @ uclouvain be
History
2019-08-14: last of 3 revisions
2019-02-26: received
Short URL
https://ia.cr/2019/193
License
Creative Commons Attribution
CC BY