Paper 2020/542

Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

Yusuke Naito, Yu Sasaki, and Takeshi Sugawara

Abstract

This paper proposes tweakable block cipher (TBC) based modes $\mathsf{PFB\_Plus}$ and $\mathsf{PFB}\omega$ that are efficient in threshold implementations (TI). Let $t$ be an algebraic degree of a target function, e.g.~$t=1$ (resp.~$t>1$) for linear (resp.~non-linear) function. The $d$-th order TI encodes the internal state into $d t + 1$ shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC based modes can be smaller than block cipher (BC) based modes in TI because TBC requires $s$-bit block to ensure $s$-bit security, e.g. \textsf{PFB} and \textsf{Romulus}, while BC requires $2s$-bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of $s$-bit state with $t=2$ and the first-order TI ($d=1$). Our first design $\mathsf{PFB\_Plus}$ aims to break the barrier of the $3s$-bit state in TI. The block size of an underlying TBC is $s/2$ bits and the output of TBC is linearly expanded to $s$ bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size $2.5s$ bits. We also provide rigorous security proof of $\mathsf{PFB\_Plus}$. Our second design $\mathsf{PFB}\omega$ further increases a parameter $\omega$: a ratio of the security level $s$ to the block size of an underlying TBC. We prove security of $\mathsf{PFB}\omega$ for any $\omega$ under some assumptions for an underlying TBC and for parameters used to update a state. Next, we show a concrete instantiation of $\mathsf{PFB\_Plus}$ for 128-bit security. It requires a TBC with 64-bit block, 128-bit key and 128-bit tweak, while no existing TBC can support it. We design a new TBC by extending \textsf{SKINNY} and provide basic security evaluation. Finally, we give hardware benchmarks of $\mathsf{PFB\_Plus}$ in the first-order TI to show that TI of $\mathsf{PFB\_Plus}$ is smaller than that of \textsf{PFB} by more than one thousand gates and is the smallest within the schemes having 128-bit security.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in EUROCRYPT 2020
Keywords
Authenticated encryptionthreshold implementationbeyond- birthday-bound securitytweakable block cipherlightweight
Contact author(s)
Naito Yusuke @ ce mitsubishielectric co jp
History
2021-04-14: revised
2020-05-15: received
See all versions
Short URL
https://ia.cr/2020/542
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/542,
      author = {Yusuke Naito and Yu Sasaki and Takeshi Sugawara},
      title = {Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/542},
      year = {2020},
      url = {https://eprint.iacr.org/2020/542}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.