Abstract
We propose a new AEAD mode of operation for an efficient countermeasure against side-channel attacks. Our mode achieves the smallest memory with high-order masking, by minimizing the states that are duplicated in masking. An s-bit key-dependent state is necessary for achieving s-bit security, and the conventional schemes always protect the entire s bits with masking. We reduce the protected state size by introducing an unprotected state in the key-dependent state: we protect only a half and give another half to a side-channel adversary. Ensuring independence between the unprotected and protected states is the key technical challenge since mixing these states reveals the protected state to the adversary. We propose a new mode \(\textsf{HOMA}\) that achieves s-bit security using a tweakable block cipher with the s/2-bit block size. We also propose a new primitive for instantiating \(\textsf{HOMA}\) with \(s=128\) by extending the SKINNY tweakable block cipher to a 64-bit plaintext block, a 128-bit key, and a \((256+3)\)-bit tweak. We make hardware performance evaluation by implementing \(\textsf{HOMA}\) with high-order masking for \(d \le 5\). For any \(d > 0\), \(\textsf{HOMA}\) outperforms the current state-of-the-art \(\textsf{PFB}\_\textsf{Plus}\) by reducing the circuit area larger than that of the entire S-box.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Some masking implementations use non-cryptographic PRNGs, e.g., a simple LFSR, insufficient for the random IV. A hardware TRNG for seeding should be used instead.
- 2.
For \(\varPi .\textsf{Dec}[\widetilde{E}_K]\), nonces and random IVs can be repeated.
- 3.
The \(\textsf{AE}\)-security notion does not take into account SCA.
- 4.
The function is introduced for the security proof that ensures that the TBC output provides a randomness to the unprotected state. It ensures that the output is chosen uniformly at random from at least \(2^{n-1}\) elements. Note that \(\textsf{fix0}\) can be removed by reserving a bit in a tweak space that takes the LSB of the TBC input.
- 5.
The function \(\textsf{SUF}\) is the same for \(\mathsf{DPF_A}\). In \(\mathsf{DPF_M}\), a TBC is performed to encrypt/decrypt a plaintext/ciphertext block, then \(\textsf{SUF}\) is performed.
- 6.
If the length of the last block equals \(n\), then \(x=1\), and otherwise \(x=2\).
- 7.
If the length of the last block equals \(n\), then \(y=4\), and otherwise \(y=5\).
- 8.
For the encryption, \(T_{0}\) and \(T_{1}\) can be unprotected but plaintext blocks must be protected. The latter is necessary to ensure the privacy of plaintexts in real-world implementations but not in the security proof as an adversary chooses a plaintext.
- 9.
To ensure the privacy, a plaintext \(M\) must be kept private to an adversary. Thus, the plaintext must not be included in a tuple of simulator’s inputs.
- 10.
A TRP offers independent permutations if the tweaks are distinct. In \(\textsf{HOMA}\), a nonce is a tweak element, thus \(\textsf{HOMA}\) procedures with distinct nonces are independently performed (even if the \(R\) values are the same). Thus, encryption queries whose nonces are different from the nonce of the decryption query do not affect the internal state collision probability.
- 11.
A TRP \(\widetilde{P}\) keeps a table \(\mathcal {L}\) that is initially empty. For an input \((X, Y) \in \{0,1\}^n\times \mathcal{T}\mathcal{W}\) to \(\widetilde{P}\), the output Z is defined as follows: if \(\mathcal {L}(X,Y)=\varepsilon \) then \(Z \displaystyle \mathop {\leftarrow }^{\$} \{0,1\}^n\backslash \mathcal {L}(*, Y)\) and \(\mathcal {L}(X,Y) \leftarrow Z\), where \(\mathcal {L}(*, Y)\) is the set of all outputs whose tweaks are Y, and otherwise \(Z \leftarrow \mathcal {L}(X,Y)\).
- 12.
The longest attack in literature with respect to the number of distinguisher rounds plus key-recovery rounds reaches \(22+8=30\) rounds with TK3 [19].
- 13.
For both implementations, we use 28 bits as a counter and the remaining bits as a nonce, by following the conventional \(\textsf{PFB}\_\textsf{Plus}\) implementation [26].
- 14.
19 cycles for S-box calculation with pipeline latency, 4 cycles for MixColumns, and 1 cycle for ShiftRows.
References
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Barwell, G., Martin, D.P., Oswald, E., Stam, M.: Authenticated encryption in the face of protocol and side channel leakage. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 693–723. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_24
Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
Belaïd, S., Grosso, V., Standaert, F.-X.: Masking and leakage-resilient primitives: one, the other(s) or both? Cryptogr. Commun. 7(1), 163–184 (2014). https://doi.org/10.1007/s12095-014-0113-6
Bellizia, D., et al.: Spook: sponge-based leakage-resistant authenticated encryption with a masked tweakable block cipher. IACR Trans. Symmetric Cryptol. 2020(S1), 295–349 (2020)
Berti, F., Guo, C., Pereira, O., Peters, T., Standaert, F.: TEDT, a leakage-resist AEAD mode for high physical security applications. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(1), 256–320 (2020)
Bilgin, B., Gierlichs, B., Nikova, S., Nikov, V., Rijmen, V.: Higher-order threshold implementations. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 326–343. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_18
Cassiers, G.: FullVerif (2021). https://github.com/cassiersg/fullverif
Cassiers, G., Gregoire, B., Levi, I., Standaert, F.X.: Hardware private circuits: from trivial composition to full verification. IEEE Trans. Comput. 1 (2020)
Cassiers, G., Levi, I.: AND depth 2, 4 ANDs, 4-bit (optimized) S-boxes. IACR Cryptol. ePrint Arch. 2020, 185 (2020). https://eprint.iacr.org/2020/185
Chakraborti, A., Datta, N., Jha, A., Mancillas-López, C., Nandi, M., Sasaki, Y.: Elastic-tweak: a framework for short tweak tweakable block cipher. IACR Cryptol. ePrint Arch. 2019, 440 (2019). https://eprint.iacr.org/2019/440
Chakraborti, A., Datta, N., Nandi, M., Yasuda, K.: Beetle family of lightweight and secure authenticated encryption ciphers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 218–241 (2018)
Dobraunig, C., et al.: ISAP v2.0. IACR Trans. Symmetric Cryptol. 2020(S1), 390–416 (2020)
Dobraunig, C., Mennink, B.: Leakage resilient value comparison with application to message authentication. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 377–407. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_13
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: IEEE Symposium on Foundations of Computer Science, FOCS 2008. pp. 293–302 (2008)
Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_22
Goudarzi, D., et al.: Pyjamask: block cipher and authenticated encryption with highly efficient masked implementation. IACR Trans. Symmetric Cryptol. 2020, 31–59 (2020)
Grosso, V., et al.: SCREAM & iSCREAM side-channel resistant authenticated encryption with masking. Submitted to CAESAR (2014)
Hadipour, H., Bagheri, N., Song, L.: Improved rectangle attacks on SKINNY and CRAFT. IACR Cryptol. ePrint Arch. 1317 (2020)
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
Iwata, T., Khairallah, M., Minematsu, K., Peyrin, T.: Duel of the titans: the romulus and remus families of lightweight AEAD algorithms. IACR Trans. Symmetric Cryptol. 2020(1), 43–120 (2020)
Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on Keccak. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(3), 243–268 (2020)
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
Naito, Y., Matsui, M., Sugawara, T., Suzuki, D.: SAEB: a lightweight blockcipher-based AEAD mode of operation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 192–217 (2018)
Naito, Y., Sasaki, Y., Sugawara, T.: Lightweight authenticated encryption mode suitable for threshold implementation. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 705–735. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_24
Naito, Y., Sasaki, Y., Sugawara, T.: LM-DAE: low-memory deterministic authenticated encryption for 128-bit security. IACR Trans. Symmetric Cryptol. 2020(4), 1–38 (2020)
Naito, Y., Sasaki, Y., Sugawara, T.: Secret can be public: low-memory AEAD mode for high-order masking. IACR Cryptol. ePrint Arch. 2022, 812 (2022). https://eprint.iacr.org/2022/812
Naito, Y., Sugawara, T.: Lightweight authenticated encryption mode of operation for tweakable block ciphers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(1), 66–94 (2020)
Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_15
NanGate: NanGate FreePDK45 Open Cell Library (2021). https://si2.org/open-cell-library/. Accessed 06 May 2021
Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006). https://doi.org/10.1007/11935308_38
NIST: National Institute of Standards and Technology: Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process (2018). https://csrc.nist.gov/Projects/lightweight-cryptography
NIST: National Institute of Standards and Technology: Lightweight Cryptography Standardization: Finalists Announced (2021). https://csrc.nist.gov/News/2021/lightweight-crypto-finalists-announced
Patarin, J.: The “coefficients H’’ technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Pereira, O., Standaert, F., Vivek, S.: Leakage-resilient authentication and encryption from symmetric cryptographic primitives. In: CCS 2015, pp. 96–108 (2015)
Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_9
Reparaz, O.: A note on the security of higher-order threshold implementations. IACR Cryptol. ePrint Arch. 1 (2015). http://eprint.iacr.org/2015/001
Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_37
Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible differential cryptanalysis of reduced-round SKINNY. In: Joye, M., Nitaj, A. (eds.) AFRICACRYPT 2017. LNCS, vol. 10239, pp. 117–134. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57339-7_7
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Naito, Y., Sasaki, Y., Sugawara, T. (2022). Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13509. Springer, Cham. https://doi.org/10.1007/978-3-031-15982-4_11
Download citation
DOI: https://doi.org/10.1007/978-3-031-15982-4_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15981-7
Online ISBN: 978-3-031-15982-4
eBook Packages: Computer ScienceComputer Science (R0)