Cryptology ePrint Archive: Report 2019/451

Reducing the Cost of Authenticity with Leakages: a CIML2-Secure AE Scheme with One Call to a Strongly Protected Tweakable Block Cipher

Francesco Berti and Olivier Pereira and François-Xavier Standaert

Abstract: This paper presents CONCRETE (Commit-Encrypt-Send-the-Key), a new Authenticated Encryption mode that offers CIML2 security, that is, ciphertext integrity in the presence of nonce misuse and side-channel leakages in both encryption and decryption.

CONCRETE improves on a recent line of work aiming at leveled implementations, which mix a strongly protected and energy-demanding implementation of a single component with other weakly protected and much cheaper components. Here, these components all implement a tweakable block cipher TBC.

CONCRETE requires the use of the strongly protected TBC only once while supporting the leakage of the full state of the weakly protected components -- it achieves CIML2 security in the so-called unbounded leakage model.

All previous works need to use the strongly protected implementation at least twice. As a result, for short messages whose encryption and decryption energy costs are dominated by the strongly protected component, we halve the cost of a leakage-resilient implementation. CONCRETE additionally provides security when unverified plaintexts are released, and confidentiality in the presence of simulatable leakages in encryption and decryption.

Category / Keywords: secret-key cryptography / Leakage-resilience, authenticated encryption, leveled implementation, Ciphertext Integrity with Misuse and Leakage (CIML2).

Original Publication (with major differences): Africacrypt 2019

Date: received 3 May 2019

Contact author: francesco berti at uclouvain be


Version: 20190508:191715

Short URL: ia.cr/2019/451

