[Resource Topic] 2020/542: Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

Welcome to the resource topic for 2020/542

Title:
Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

Authors: Yusuke Naito, Yu Sasaki, Takeshi Sugawara

Abstract:

This paper proposes tweakable block cipher (TBC) based modes $\mathsf{PFB\_Plus}$ and $\mathsf{PFB}\omega$ that are efficient in threshold implementations (TI). Let $t$ be an algebraic degree of a target function, e.g. $t=1$ (resp. $t>1$) for linear (resp. non-linear) function. The $d$-th order TI encodes the internal state into $d t + 1$ shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC based modes can be smaller than block cipher (BC) based modes in TI because TBC requires $s$-bit block to ensure $s$-bit security, e.g. $\textsf{PFB}$ and $\textsf{Romulus}$, while BC requires $2s$-bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of $s$-bit state with $t=2$ and the first-order TI ($d=1$). Our first design $\mathsf{PFB\_Plus}$ aims to break the barrier of the $3s$-bit state in TI. The block size of an underlying TBC is $s/2$ bits and the output of TBC is linearly expanded to $s$ bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size $2.5s$ bits. We also provide rigorous security proof of $\mathsf{PFB\_Plus}$. Our second design $\mathsf{PFB}\omega$ further increases a parameter $\omega$: a ratio of the security level $s$ to the block size of an underlying TBC. We prove security of $\mathsf{PFB}\omega$ for any $\omega$ under some assumptions for an underlying TBC and for parameters used to update a state. Next, we show a concrete instantiation of $\mathsf{PFB\_Plus}$ for 128-bit security. It requires a TBC with 64-bit block, 128-bit key and 128-bit tweak, while no existing TBC can support it. We design a new TBC by extending $\textsf{SKINNY}$ and provide basic security evaluation. Finally, we give hardware benchmarks of $\mathsf{PFB\_Plus}$ in the first-order TI to show that TI of $\mathsf{PFB\_Plus}$ is smaller than that of $\textsf{PFB}$ by more than one thousand gates and is the smallest within the schemes having 128-bit security.

ePrint: https://eprint.iacr.org/2020/542

Talk: https://www.youtube.com/watch?v=9j242OfsImc

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.