Skip to main content
SpringerLink
Log in

Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2022 (CRYPTO 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13509))

Included in the following conference series:

Abstract

We propose a new AEAD mode of operation for an efficient countermeasure against side-channel attacks. Our mode achieves the smallest memory with high-order masking, by minimizing the states that are duplicated in masking. An s-bit key-dependent state is necessary for achieving s-bit security, and the conventional schemes always protect the entire s bits with masking. We reduce the protected state size by introducing an unprotected state in the key-dependent state: we protect only a half and give another half to a side-channel adversary. Ensuring independence between the unprotected and protected states is the key technical challenge since mixing these states reveals the protected state to the adversary. We propose a new mode \(\textsf{HOMA}\) that achieves s-bit security using a tweakable block cipher with the s/2-bit block size. We also propose a new primitive for instantiating \(\textsf{HOMA}\) with \(s=128\) by extending the SKINNY tweakable block cipher to a 64-bit plaintext block, a 128-bit key, and a \((256+3)\)-bit tweak. We make hardware performance evaluation by implementing \(\textsf{HOMA}\) with high-order masking for \(d \le 5\). For any \(d > 0\), \(\textsf{HOMA}\) outperforms the current state-of-the-art \(\textsf{PFB}\_\textsf{Plus}\) by reducing the circuit area larger than that of the entire S-box.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Some masking implementations use non-cryptographic PRNGs, e.g., a simple LFSR, insufficient for the random IV. A hardware TRNG for seeding should be used instead.

  2. 2.

    For \(\varPi .\textsf{Dec}[\widetilde{E}_K]\), nonces and random IVs can be repeated.

  3. 3.

    The \(\textsf{AE}\)-security notion does not take into account SCA.

  4. 4.

    The function is introduced for the security proof that ensures that the TBC output provides a randomness to the unprotected state. It ensures that the output is chosen uniformly at random from at least \(2^{n-1}\) elements. Note that \(\textsf{fix0}\) can be removed by reserving a bit in a tweak space that takes the LSB of the TBC input.

  5. 5.

    The function \(\textsf{SUF}\) is the same for \(\mathsf{DPF_A}\). In \(\mathsf{DPF_M}\), a TBC is performed to encrypt/decrypt a plaintext/ciphertext block, then \(\textsf{SUF}\) is performed.

  6. 6.

    If the length of the last block equals \(n\), then \(x=1\), and otherwise \(x=2\).

  7. 7.

    If the length of the last block equals \(n\), then \(y=4\), and otherwise \(y=5\).

  8. 8.

    For the encryption, \(T_{0}\) and \(T_{1}\) can be unprotected but plaintext blocks must be protected. The latter is necessary to ensure the privacy of plaintexts in real-world implementations but not in the security proof as an adversary chooses a plaintext.

  9. 9.

    To ensure the privacy, a plaintext \(M\) must be kept private to an adversary. Thus, the plaintext must not be included in a tuple of simulator’s inputs.

  10. 10.

    A TRP offers independent permutations if the tweaks are distinct. In \(\textsf{HOMA}\), a nonce is a tweak element, thus \(\textsf{HOMA}\) procedures with distinct nonces are independently performed (even if the \(R\) values are the same). Thus, encryption queries whose nonces are different from the nonce of the decryption query do not affect the internal state collision probability.

  11. 11.

    A TRP \(\widetilde{P}\) keeps a table \(\mathcal {L}\) that is initially empty. For an input \((X, Y) \in \{0,1\}^n\times \mathcal{T}\mathcal{W}\) to \(\widetilde{P}\), the output Z is defined as follows: if \(\mathcal {L}(X,Y)=\varepsilon \) then \(Z \displaystyle \mathop {\leftarrow }^{\$} \{0,1\}^n\backslash \mathcal {L}(*, Y)\) and \(\mathcal {L}(X,Y) \leftarrow Z\), where \(\mathcal {L}(*, Y)\) is the set of all outputs whose tweaks are Y, and otherwise \(Z \leftarrow \mathcal {L}(X,Y)\).

  12. 12.

    The longest attack in literature with respect to the number of distinguisher rounds plus key-recovery rounds reaches \(22+8=30\) rounds with TK3 [19].

  13. 13.

    For both implementations, we use 28 bits as a counter and the remaining bits as a nonce, by following the conventional \(\textsf{PFB}\_\textsf{Plus}\) implementation [26].

  14. 14.

    19 cycles for S-box calculation with pipeline latency, 4 cycles for MixColumns, and 1 cycle for ShiftRows.

References

  1. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17

    Chapter  Google Scholar 

  2. Barwell, G., Martin, D.P., Oswald, E., Stam, M.: Authenticated encryption in the face of protocol and side channel leakage. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 693–723. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_24

    Chapter  MATH  Google Scholar 

  3. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5

    Chapter  Google Scholar 

  4. Belaïd, S., Grosso, V., Standaert, F.-X.: Masking and leakage-resilient primitives: one, the other(s) or both? Cryptogr. Commun. 7(1), 163–184 (2014). https://doi.org/10.1007/s12095-014-0113-6

    Article  MathSciNet  MATH  Google Scholar 

  5. Bellizia, D., et al.: Spook: sponge-based leakage-resistant authenticated encryption with a masked tweakable block cipher. IACR Trans. Symmetric Cryptol. 2020(S1), 295–349 (2020)

    Google Scholar 

  6. Berti, F., Guo, C., Pereira, O., Peters, T., Standaert, F.: TEDT, a leakage-resist AEAD mode for high physical security applications. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(1), 256–320 (2020)

    Google Scholar 

  7. Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: Higher-order threshold implementations. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 326–343. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_18

    Chapter  Google Scholar 

  8. Cassiers, G.: FullVerif (2021). https://github.com/cassiersg/fullverif

  9. Cassiers, G., Gregoire, B., Levi, I., Standaert, F.X.: Hardware private circuits: from trivial composition to full verification. IEEE Trans. Comput. 1 (2020)

    Google Scholar 

  10. Cassiers, G., Levi, I.: AND depth 2, 4 ANDs, 4-bit (optimized) S-boxes. IACR Cryptol. ePrint Arch. 2020, 185 (2020). https://eprint.iacr.org/2020/185

  11. Chakraborti, A., Datta, N., Jha, A., Mancillas-López, C., Nandi, M., Sasaki, Y.: Elastic-tweak: a framework for short tweak tweakable block cipher. IACR Cryptol. ePrint Arch. 2019, 440 (2019). https://eprint.iacr.org/2019/440

  12. Chakraborti, A., Datta, N., Nandi, M., Yasuda, K.: Beetle family of lightweight and secure authenticated encryption ciphers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 218–241 (2018)

    Article  Google Scholar 

  13. Dobraunig, C., et al.: ISAP v2.0. IACR Trans. Symmetric Cryptol. 2020(S1), 390–416 (2020)

    Google Scholar 

  14. Dobraunig, C., Mennink, B.: Leakage resilient value comparison with application to message authentication. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 377–407. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_13

    Chapter  Google Scholar 

  15. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: IEEE Symposium on Foundations of Computer Science, FOCS 2008. pp. 293–302 (2008)

    Google Scholar 

  16. Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_22

    Chapter  Google Scholar 

  17. Goudarzi, D., et al.: Pyjamask: block cipher and authenticated encryption with highly efficient masked implementation. IACR Trans. Symmetric Cryptol. 2020, 31–59 (2020)

    Google Scholar 

  18. Grosso, V., et al.: SCREAM & iSCREAM side-channel resistant authenticated encryption with masking. Submitted to CAESAR (2014)

    Google Scholar 

  19. Hadipour, H., Bagheri, N., Song, L.: Improved rectangle attacks on SKINNY and CRAFT. IACR Cryptol. ePrint Arch. 1317 (2020)

    Google Scholar 

  20. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27

    Chapter  Google Scholar 

  21. Iwata, T., Khairallah, M., Minematsu, K., Peyrin, T.: Duel of the titans: the romulus and remus families of lightweight AEAD algorithms. IACR Trans. Symmetric Cryptol. 2020(1), 43–120 (2020)

    Article  Google Scholar 

  22. Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15

    Chapter  Google Scholar 

  23. Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on Keccak. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(3), 243–268 (2020)

    Article  Google Scholar 

  24. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

    Chapter  Google Scholar 

  25. Naito, Y., Matsui, M., Sugawara, T., Suzuki, D.: SAEB: a lightweight blockcipher-based AEAD mode of operation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 192–217 (2018)

    Article  Google Scholar 

  26. Naito, Y., Sasaki, Y., Sugawara, T.: Lightweight authenticated encryption mode suitable for threshold implementation. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 705–735. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_24

    Chapter  Google Scholar 

  27. Naito, Y., Sasaki, Y., Sugawara, T.: LM-DAE: low-memory deterministic authenticated encryption for 128-bit security. IACR Trans. Symmetric Cryptol. 2020(4), 1–38 (2020)

    Google Scholar 

  28. Naito, Y., Sasaki, Y., Sugawara, T.: Secret can be public: low-memory AEAD mode for high-order masking. IACR Cryptol. ePrint Arch. 2022, 812 (2022). https://eprint.iacr.org/2022/812

  29. Naito, Y., Sugawara, T.: Lightweight authenticated encryption mode of operation for tweakable block ciphers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(1), 66–94 (2020)

    Google Scholar 

  30. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_15

    Chapter  Google Scholar 

  31. NanGate: NanGate FreePDK45 Open Cell Library (2021). https://si2.org/open-cell-library/. Accessed 06 May 2021

  32. Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006). https://doi.org/10.1007/11935308_38

    Chapter  MATH  Google Scholar 

  33. NIST: National Institute of Standards and Technology: Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process (2018). https://csrc.nist.gov/Projects/lightweight-cryptography

  34. NIST: National Institute of Standards and Technology: Lightweight Cryptography Standardization: Finalists Announced (2021). https://csrc.nist.gov/News/2021/lightweight-crypto-finalists-announced

  35. Patarin, J.: The “coefficients H’’ technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21

    Chapter  Google Scholar 

  36. Pereira, O., Standaert, F., Vivek, S.: Leakage-resilient authentication and encryption from symmetric cryptographic primitives. In: CCS 2015, pp. 96–108 (2015)

    Google Scholar 

  37. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_9

    Chapter  Google Scholar 

  38. Reparaz, O.: A note on the security of higher-order threshold implementations. IACR Cryptol. ePrint Arch. 1 (2015). http://eprint.iacr.org/2015/001

  39. Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_37

    Chapter  Google Scholar 

  40. Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible differential cryptanalysis of reduced-round SKINNY. In: Joye, M., Nitaj, A. (eds.) AFRICACRYPT 2017. LNCS, vol. 10239, pp. 117–134. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57339-7_7

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Mitsubishi Electric Corporation, Kanagawa, Japan

    Yusuke Naito

  2. NTT Social Informatics Laboratories, Tokyo, Japan

    Yu Sasaki

  3. The University of Electro-Communications, Tokyo, Japan

    Takeshi Sugawara

Authors
  1. Yusuke Naito
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yu Sasaki
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Takeshi Sugawara
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yusuke Naito .

Editor information

Editors and Affiliations

  1. New York University, New York, NY, USA

    Yevgeniy Dodis

  2. University of Florida, Gainesville, FL, USA

    Thomas Shrimpton

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Naito, Y., Sasaki, Y., Sugawara, T. (2022). Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13509. Springer, Cham. https://doi.org/10.1007/978-3-031-15982-4_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-15982-4_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15981-7

  • Online ISBN: 978-3-031-15982-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation