Paper 2022/812

Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking

Abstract

We propose a new AEAD mode of operation for an efficient countermeasure against side-channel attacks. Our mode achieves the smallest memory with high-order masking, by minimizing the states that are duplicated in masking. An $s$-bit key-dependent state is necessary for achieving $s$-bit security, and the conventional schemes always protect the entire $s$ bits with masking. We reduce the protected state size by introducing an unprotected state in the key-dependent state: we protect only a half and give another half to a side-channel adversary. Ensuring independence between the unprotected and protected states is the key technical challenge since mixing these states reveals the protected state to the adversary. We propose a new mode $$ that achieves $$-bit security using a tweakable block cipher with the $$-bit block size. We also propose a new primitive for instantiating $$ with $$ by extending the SKINNY tweakable block cipher to a 64-bit plaintext block, a 128-bit key, and a $$-bit tweak. We make hardware performance evaluation by implementing $$ with high-order masking for $$. For any $$, $$ outperforms the current state-of-the-art $$ by reducing the circuit area larger than that of the entire S-box.