Paper 2022/1591

ISAP+: ISAP with Fast Authentication

Arghya Bhattacharjee, Indian Statistical Institute, Kolkata, India
Avik Chakraborti, TCG Centres for Research and Education in Science and Technology, Kolkata, India
Nilanjan Datta, TCG Centres for Research and Education in Science and Technology, Kolkata, India
Cuauhtemoc Mancillas-López, Computer Science Department, CINVESTAV-IPN, Mexico
Mridul Nandi, Indian Statistical Institute, Kolkata, India
Abstract

This paper analyses the lightweight, sponge-based NAEAD mode $\textsf{ISAP}$, one of the finalists of the NIST Lightweight Cryptography (LWC) standardisation project, which achieves high throughput with inherent protection against differential power analysis (DPA). We observe that $\textsf{ISAP}$ requires a $256$-bit capacity in the authentication module to satisfy the NIST LWC security criteria. We study the analysis carefully and observe that this is primarily due to collisions in the associated data part of the hash function, which can be used to forge the mode. However, the same does not apply to the ciphertext part of the hash function, because a collision in the ciphertext part does not always lead to a forgery. In this context, we define a new security notion, named $\textsf{2PI+}$ security, which is strictly stronger than collision security, and show that the security of a class of encrypt-then-hash based MAC type authenticated encryption schemes, which includes $\textsf{ISAP}$, reduces to the $\textsf{2PI+}$ security of the underlying hash function used in the authentication module. Next, we investigate and observe that a feed-forward variant of the generic sponge hash achieves better $\textsf{2PI+}$ security than the generic sponge hash. We use this fact to present a close variant of $\textsf{ISAP}$, named $\textsf{ISAP+}$, which is structurally similar to $\textsf{ISAP}$, except that it uses the feed-forward variant of the generic sponge hash in the authentication module. This improves the overall security of the mode, and hence we can set the capacity of the ciphertext part to $192$ bits (to achieve a higher throughput) and still satisfy the NIST LWC security criteria.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Indocrypt 2022
Keywords
Authenticated Encryption, ISAP, ISAP+, Re-keying, Side Channel Resistant, 2PI+, Sponge
Contact author(s)
bhattacharjeearghya29 @ gmail com
avikchkrbrti @ gmail com
nilanjan datta @ tcgcrest org
cuauhtemoc mancillas @ cinvestav mx
mridul nandi @ gmail com
History
2022-12-02: revised
2022-11-15: received
Short URL
https://ia.cr/2022/1591
License
Creative Commons Attribution-NonCommercial-ShareAlike
CC BY-NC-SA

BibTeX

@misc{cryptoeprint:2022/1591,
      author = {Arghya Bhattacharjee and Avik Chakraborti and Nilanjan Datta and Cuauhtemoc Mancillas-López and Mridul Nandi},
      title = {ISAP+: ISAP with Fast Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1591},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1591}},
      url = {https://eprint.iacr.org/2022/1591}
}