Paper 2022/812
Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking
Abstract
We propose a new AEAD mode of operation for an efficient countermeasure against side-channel attacks. Our mode achieves the smallest memory with high-order masking, by minimizing the states that are duplicated in masking. An $s$-bit key-dependent state is necessary for achieving $s$-bit security, and the conventional schemes always protect the entire $s$ bits with masking. We reduce the protected state size by introducing an unprotected state in the key-dependent state: we protect only a half and give another half to a side-channel adversary. Ensuring independence between the unprotected and protected states is the key technical challenge since mixing these states reveals the protected state to the adversary. We propose a new mode $\mathsf{HOMA}$ that achieves $s$-bit security using a tweakable block cipher with the $s/2$-bit block size. We also propose a new primitive for instantiating $\mathsf{HOMA}$ with $s=128$ by extending the SKINNY tweakable block cipher to a 64-bit plaintext block, a 128-bit key, and a $(256+3)$-bit tweak. We make hardware performance evaluation by implementing $\mathsf{HOMA}$ with high-order masking for $d \le 5$. For any $d > 0$, $\mathsf{HOMA}$ outperforms the current state-of-the-art $\mathsf{PFB\_Plus}$ by reducing the circuit area larger than that of the entire S-box.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Published by the IACR in CRYPTO 2022
- Keywords
- Authenticated Encryption High-Order Masking Side-Channel Attack Mode of Operation Lightweight Cryptography
- Contact author(s)
-
Naito Yusuke @ ce mitsubishielectric co jp
yu sasaki sk @ hco ntt co jp
sugawara @ uec ac jp - History
- 2022-06-23: approved
- 2022-06-22: received
- See all versions
- Short URL
- https://ia.cr/2022/812
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/812, author = {Yusuke Naito and Yu Sasaki and Takeshi Sugawara}, title = {Secret Can Be Public: Low-Memory {AEAD} Mode for High-Order Masking}, howpublished = {Cryptology {ePrint} Archive, Paper 2022/812}, year = {2022}, url = {https://eprint.iacr.org/2022/812} }