Paper 2022/812

Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking

Yusuke Naito, Mitsubishi Electric Corporation
Yu Sasaki, NTT Social Informatics Laboratories
Takeshi Sugawara, The University of Electro-Communications

We propose a new AEAD mode of operation for an efficient countermeasure against side-channel attacks. Our mode achieves the smallest memory with high-order masking, by minimizing the states that are duplicated in masking. An $s$-bit key-dependent state is necessary for achieving $s$-bit security, and the conventional schemes always protect the entire $s$ bits with masking. We reduce the protected state size by introducing an unprotected state in the key-dependent state: we protect only a half and give another half to a side-channel adversary. Ensuring independence between the unprotected and protected states is the key technical challenge since mixing these states reveals the protected state to the adversary. We propose a new mode $\mathsf{HOMA}$ that achieves $s$-bit security using a tweakable block cipher with the $s/2$-bit block size. We also propose a new primitive for instantiating $\mathsf{HOMA}$ with $s=128$ by extending the SKINNY tweakable block cipher to a 64-bit plaintext block, a 128-bit key, and a $(256+3)$-bit tweak. We make hardware performance evaluation by implementing $\mathsf{HOMA}$ with high-order masking for $d \le 5$. For any $d > 0$, $\mathsf{HOMA}$ outperforms the current state-of-the-art $\mathsf{PFB\_Plus}$ by reducing the circuit area larger than that of the entire S-box.

Available format(s)
Secret-key cryptography
Publication info
Published by the IACR in CRYPTO 2022
Authenticated Encryption High-Order Masking Side-Channel Attack Mode of Operation Lightweight Cryptography
Contact author(s)
Naito Yusuke @ ce mitsubishielectric co jp
yu sasaki sk @ hco ntt co jp
sugawara @ uec ac jp
2022-06-23: approved
2022-06-22: received
See all versions
Short URL
Creative Commons Attribution


      author = {Yusuke Naito and Yu Sasaki and Takeshi Sugawara},
      title = {Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking},
      howpublished = {Cryptology ePrint Archive, Paper 2022/812},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.