Previous constructions, such as ThetaCB, are quite computationally efficient, yet needing a large memory for implementation, which makes them unsuitable for platforms where lightweight cryptography should play a key role. Romulus and Remus break this barrier by introducing a new architecture evolved from a BC mode COFB. They achieve the best of what can be possible with TBC -- the optimal computational efficiency (rate-1 operation) and the minimum state size of a TBC mode (i.e., $(n+t)$-bit for $n$-bit block, $t$-bit tweak TBC), with almost equivalent provable security as ThetaCB. Actually, our comparisons show that both our designs present superior performances when compared to all other recent lightweight AEAD modes, being BC-based, TBC-based or sponge-based, in the nonce-respecting or nonce-misuse scenario.
We eventually describe how to instantiate Romulus and Remus modes using the Skinny lightweight tweakable block cipher proposed at CRYPTO 2016, including the hardware implementation results.
Category / Keywords: secret-key cryptography / Authenticated encryption, lightweight cryptography, tweakable block cipher, provable security Original Publication (with minor differences): IACR-FSE-2020 Date: received 1 Sep 2019, last revised 10 Jul 2020 Contact author: tetsu iwata at nagoya-u jp, mustafam001 at e ntu edu sg, thomas peyrin at ntu edu sg, k-minematsu at nec com Available format(s): PDF | BibTeX Citation Version: 20200710:065048 (All versions of this report) Short URL: ia.cr/2019/992