scholarly journals Authenticated Encryption in the Face of Protocol and Side Channel Leakage

2017 ◽  
pp. 693-723 ◽  
Author(s):  
Guy Barwell ◽  
Daniel P. Martin ◽  
Elisabeth Oswald ◽  
Martijn Stam
Keyword(s):  
Side Channel ◽  
Authenticated Encryption ◽  
The Face

scholarly journals Pyjamask: Block Cipher and Authenticated Encryption with Highly Efficient Masked Implementation

2020 ◽  
pp. 31-59
Author(s):  
Dahmun Goudarzi ◽  
Jérémy Jean ◽  
Stefan Kölbl ◽  
Thomas Peyrin ◽  
Matthieu Rivain ◽  
...  
Keyword(s):  
Block Cipher ◽  
High Order ◽  
Side Channel ◽  
Design Rationale ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Standardization Process ◽  
Very High ◽  
Better Than ◽  
Provably Secure

This paper introduces Pyjamask, a new block cipher family and authenticated encryption proposal submitted to the NIST lightweight cryptography standardization process. Pyjamask targets side-channel resistance as one of its main goal. More precisely, it strongly minimizes the number of nonlinear gates used in its internal primitive in order to allow efficient masked implementations, especially for high-order masking in software. Compared to other block ciphers, our proposal has thus among the smallest number of binary AND computations per input bit at the time of writing. Even though Pyjamask minimizes such an important criterion, it remains rather lightweight and efficient, thanks to a general bitslice construction that enables to computation of all nonlinear gates in parallel. For authenticated encryption, we adopt the provably secure AEAD mode OCB which has been extensively studied and has the benefit to offer full parallelization. Of course, other block cipher-based modes can be considered as well if other performance profiles are to be targeted.The paper first gives the specification of the Pyjamask block cipher and the associated AEAD proposal. We also provide a detailed design rationale for the block cipher which is guided by our aim of software efficiency in the presence of high-order masking. The security of the design is analyzed against most commonly known cryptanalysis techniques. We finally describe efficient (masked) implementations in software and provide implementation results with aggressive performances for masking of very high orders (up to 128). We also provide a rough estimation of the hardware performances which remain much better than those of an AES round-based implementation.

scholarly journals Isap v2.0

2020 ◽  
pp. 390-416 ◽  
Author(s):  
Christoph Dobraunig ◽  
Maria Eichlseder ◽  
Stefan Mangard ◽  
Florian Mendel ◽  
Bart Mennink ◽  
...  
Keyword(s):  
Encryption Algorithm ◽  
Side Channel ◽  
Design Rationale ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Fault Attacks ◽  
Low Area ◽  
Constrained Environments ◽  
Leakage Resilient

We specify Isap v2.0, a lightweight permutation-based authenticated encryption algorithm that is designed to ease protection against side-channel and fault attacks. This design is an improved version of the previously published Isap v1.0, and offers increased protection against implementation attacks as well as more efficient implementations. Isap v2.0 is a candidate in NIST’s LightWeight Cryptography (LWC) project, which aims to identify and standardize authenticated ciphers that are well-suited for applications in constrained environments. We provide a self-contained specification of the new Isap v2.0 mode and discuss its design rationale. We formally prove the security of the Isap v2.0 mode in the leakage-resilient setting. Finally, in an extensive implementation overview, we show that Isap v2.0 can be implemented securely with very low area requirements. https://isap.iaik.tugraz.at

LM-DAE: Low-Memory Deterministic Authenticated Encryption for 128-bit Security

2020 ◽  
pp. 1-38
Author(s):  
Yusuke Naito ◽  
Yu Sasaki ◽  
Takeshi Sugawara
Keyword(s):  
Block Cipher ◽  
State Of The Art ◽  
Block Size ◽  
Query Complexity ◽  
Side Channel ◽  
Authenticated Encryption ◽  
Implementation Cost ◽  
Tweakable Block Cipher ◽  
Deterministic Authenticated Encryption ◽  
State Size

This paper proposes a new lightweight deterministic authenticated encryption (DAE) scheme providing 128-bit security. Lightweight DAE schemes are practically important because resource-restricted devices sometimes cannot afford to manage a nonce properly. For this purpose, we first design a new mode LM-DAE that has a minimal state size and uses a tweakable block cipher (TBC). The design can be implemented with low memory and is advantageous in threshold implementations (TI) as a side-channel attack countermeasure. LM-DAE further reduces the implementation cost by eliminating the inverse tweak schedule needed in the previous TBC-based DAE modes. LM-DAE is proven to be indistinguishable from an ideal DAE up to the O(2n) query complexity for the block size n. To achieve 128-bit security, an underlying TBC must handle a 128-bit block, 128-bit key, and 128+4-bit tweak, where the 4-bit tweak comes from the domain separation. To satisfy this requirement, we extend SKINNY-128-256 with an additional 4-bit tweak, by applying the elastic-tweak proposed by Chakraborti et al. We evaluate the hardware performances of the proposed scheme with and without TI. Our LM-DAE implementation achieves 3,717 gates, roughly 15% fewer than state-of-the-art nonce-based schemes, thanks to removing the inverse tweak schedule.

scholarly journals TEDT, a Leakage-Resist AEAD Mode for High Physical Security Applications

2019 ◽  
pp. 256-320 ◽  
Author(s):  
Francesco Berti ◽  
Chun Guo ◽  
Olivier Pereira ◽  
Thomas Peters ◽  
François-Xavier Standaert
Keyword(s):  
Energy Cost ◽  
Energy Efficient ◽  
Low Energy ◽  
Side Channel ◽  
Authenticated Encryption ◽  
Side Channel Attacks ◽  
Security Applications ◽  
Leakage Resistance ◽  
Encryption And Decryption ◽  
Associated Data

We propose TEDT, a new Authenticated Encryption with Associated Data (AEAD) mode leveraging Tweakable Block Ciphers (TBCs). TEDT provides the following features: (i) It offers full leakage-resistance, that is, it limits the exploitability of physical leakages via side-channel attacks, even if these leakages happen during every message encryption and decryption operation. Moreover, the leakage integrity bound is asymptotically optimal in the multi-user setting. (ii) It offers nonce misuse-resilience, that is, the repetition of nonces does not impact the security of ciphertexts produced with fresh nonces. (iii) It can be implemented with a remarkably low energy cost when strong resistance to side-channel attacks is needed, supports online encryption and handles static and incremental associated data efficiently. Concretely, TEDT encourages so-called leveled implementations, in which two TBCs are implemented: the first one needs strong and energy demanding protections against side-channel attacks but is used in a limited way, while the other only requires weak and energy-efficient protections and performs the bulk of the computation. As a result, TEDT leads to more energy-efficient implementations compared to traditional AEAD schemes, whose side-channel security requires to uniformly protect every (T)BC execution.

scholarly journals Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher

2020 ◽  
pp. 295-349 ◽  
Author(s):  
Davide Bellizia ◽  
Francesco Berti ◽  
Olivier Bronchain ◽  
Gaëtan Cassiers ◽  
Sébastien Duval ◽  
...  
Keyword(s):  
Block Cipher ◽  
Block Size ◽  
Minimum Cost ◽  
Side Channel ◽  
Authenticated Encryption ◽  
Side Channel Attacks ◽  
Mode Of Operation ◽  
Channel Analysis ◽  
Tweakable Block Cipher ◽  
Software And Hardware

This paper defines Spook: a sponge-based authenticated encryption with associated data algorithm. It is primarily designed to provide security against side-channel attacks at a low energy cost. For this purpose, Spook is mixing a leakageresistant mode of operation with bitslice ciphers enabling efficient and low latency implementations. The leakage-resistant mode of operation leverages a re-keying function to prevent differential side-channel analysis, a duplex sponge construction to efficiently process the data, and a tag verification based on a Tweakable Block Cipher (TBC) providing strong data integrity guarantees in the presence of leakages. The underlying bitslice ciphers are optimized for the masking countermeasures against side-channel attacks. Spook is an efficient single-pass algorithm. It ensures state-of-the-art black box security with several prominent features: (i) nonce misuse-resilience, (ii) beyond-birthday security with respect to the TBC block size, and (iii) multiuser security at minimum cost with a public tweak. Besides the specifications and design rationale, we provide first software and hardware implementation results of (unprotected) Spook which confirm the limited overheads that the use of two primitives sharing internal components imply. We also show that the integrity of Spook with leakage, so far analyzed with unbounded leakages for the duplex sponge and a strongly protected TBC modeled as leak-free, can be proven with a much weaker unpredictability assumption for the TBC. We finally discuss external cryptanalysis results and tweaks to improve both the security margins and efficiency of Spook.

scholarly journals Tightness of the Suffix Keyed Sponge Bound

2020 ◽  
pp. 195-212
Author(s):  
Christoph Dobraunig ◽  
Bart Mennink
Keyword(s):  
Side Channel ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Side Channel Attacks ◽  
Key Recovery ◽  
Security Proofs ◽  
Generic Attacks ◽  
Key Recovery Attacks ◽  
Security Bound

Generic attacks are a vital ingredient in the evaluation of the tightness of security proofs. In this paper, we evaluate the tightness of the suffix keyed sponge (SuKS) bound. As its name suggests, SuKS is a sponge-based construction that absorbs the key after absorbing the data, but before producing an output. This absorption of the key can be done via an easy to invert operation, like an XOR, or a hard to invert operation, like a PRF. Using SuKS with a hard to invert absorption provides benefits with respect to its resistance against side-channel attacks, and such a construction is used as part of the authenticated encryption scheme Isap. We derive two key recovery attacks against SuKS with easy to invert key absorption, and a forgery in case of hard to invert key absorption. The attacks closely match the terms in the PRF security bound of SuKS by Dobraunig and Mennink, ToSC 2019(4), and therewith show that these terms are justified, even if the function used to absorb the key is a PRF, and regardless of whether SuKS is used as a PRF or a MAC.

Sign in / Sign up

Export Citation Format

Share Document