This paper proposes tweakable block cipher (TBC) based modes and that are efficient in threshold implementations (TI). Let t be the algebraic degree of a target function, e.g. (resp. ) for a linear (resp. non-linear) function. The d-th order TI encodes the internal state into shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC based modes can be smaller than block cipher (BC) based modes in TI, because a TBC requires only an s-bit block to ensure s-bit security, e.g. PFB and Romulus, while a BC requires a 2s-bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of an s-bit state with and the first-order TI ( ). Our first design aims to break the barrier of the 3s-bit state in TI. The block size of the underlying TBC is s/2 bits, and the output of the TBC is linearly expanded to s bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size 2.5s bits. We also provide a rigorous security proof of . Our second design further increases a parameter : the ratio of the security level s to the block size of the underlying TBC. We prove the security of for any under some assumptions on the underlying TBC and on the parameters used to update the state. Next, we show a concrete instantiation of for 128-bit security. It requires a TBC with a 64-bit block, 128-bit key and 128-bit tweak, which no existing TBC supports. We design a new TBC by extending SKINNY and provide a basic security evaluation. Finally, we give hardware benchmarks of in the first-order TI to show that the TI of is smaller than that of PFB by more than one thousand gates and is the smallest among the schemes having 128-bit security.