Pyjamask: Block Cipher and Authenticated Encryption with Highly Efficient Masked Implementation

This paper introduces Pyjamask, a new block cipher family and authenticated encryption proposal submitted to the NIST lightweight cryptography standardization process. Pyjamask targets side-channel resistance as one of its main goal. More precisely, it strongly minimizes the number of nonlinear gates used in its internal primitive in order to allow efficient masked implementations, especially for high-order masking in software. Compared to other block ciphers, our proposal has thus among the smallest number of binary AND computations per input bit at the time of writing. Even though Pyjamask minimizes such an important criterion, it remains rather lightweight and efficient, thanks to a general bitslice construction that enables to computation of all nonlinear gates in parallel. For authenticated encryption, we adopt the provably secure AEAD mode OCB which has been extensively studied and has the benefit to offer full parallelization. Of course, other block cipher-based modes can be considered as well if other performance profiles are to be targeted.The paper first gives the specification of the Pyjamask block cipher and the associated AEAD proposal. We also provide a detailed design rationale for the block cipher which is guided by our aim of software efficiency in the presence of high-order masking. The security of the design is analyzed against most commonly known cryptanalysis techniques. We finally describe efficient (masked) implementations in software and provide implementation results with aggressive performances for masking of very high orders (up to 128). We also provide a rough estimation of the hardware performances which remain much better than those of an AES round-based implementation.

Download Full-text

Isap v2.0

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.is1.390-416 ◽

2020 ◽

pp. 390-416 ◽

Cited By ~ 1

Author(s):

Christoph Dobraunig ◽

Maria Eichlseder ◽

Stefan Mangard ◽

Florian Mendel ◽

Bart Mennink ◽

...

Keyword(s):

Encryption Algorithm ◽

Side Channel ◽

Design Rationale ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

Fault Attacks ◽

Low Area ◽

Constrained Environments ◽

Leakage Resilient

We specify Isap v2.0, a lightweight permutation-based authenticated encryption algorithm that is designed to ease protection against side-channel and fault attacks. This design is an improved version of the previously published Isap v1.0, and offers increased protection against implementation attacks as well as more efficient implementations. Isap v2.0 is a candidate in NIST’s LightWeight Cryptography (LWC) project, which aims to identify and standardize authenticated ciphers that are well-suited for applications in constrained environments. We provide a self-contained specification of the new Isap v2.0 mode and discuss its design rationale. We formally prove the security of the Isap v2.0 mode in the leakage-resilient setting. Finally, in an extensive implementation overview, we show that Isap v2.0 can be implemented securely with very low area requirements. https://isap.iaik.tugraz.at

Download Full-text

Cryptanalysis of PMACx, PMAC2x, and SIVx

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.162-176 ◽

2017 ◽

pp. 162-176

Author(s):

Kazuhiko Minematsu ◽

Tetsu Iwata

Keyword(s):

Provable Security ◽

Block Cipher ◽

Query Complexity ◽

Block Length ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Pseudorandom Functions ◽

Tweakable Block Cipher ◽

Deterministic Authenticated Encryption ◽

Provably Secure

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

Download Full-text

M&M: Masks and Macs against Physical Attacks

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2019.i1.25-50 ◽

2018 ◽

pp. 25-50 ◽

Cited By ~ 1

Author(s):

Lauren De Meyer ◽

Victor Arribas ◽

Svetla Nikova ◽

Ventzislav Nikov ◽

Vincent Rijmen

Keyword(s):

Block Cipher ◽

Side Channel ◽

Implementation Cost ◽

Information Theoretic ◽

Side Channel Analysis ◽

Fault Resistance ◽

Channel Analysis ◽

Secure Implementation ◽

Adversary Model ◽

Provably Secure

Cryptographic implementations on embedded systems need to be protected against physical attacks. Today, this means that apart from incorporating countermeasures against side-channel analysis, implementations must also withstand fault attacks and combined attacks. Recent proposals in this area have shown that there is a big tradeoff between the implementation cost and the strength of the adversary model. In this work, we introduce a new combined countermeasure M&M that combines Masking with information-theoretic MAC tags and infective computation. It works in a stronger adversary model than the existing scheme ParTI, yet is a lot less costly to implement than the provably secure MPC-based scheme CAPA. We demonstrate M&M with a SCA- and DFA-secure implementation of the AES block cipher. We evaluate the side-channel leakage of the second-order secure design with a non-specific t-test and use simulation to validate the fault resistance.

Download Full-text

LM-DAE: Low-Memory Deterministic Authenticated Encryption for 128-bit Security

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i4.1-38 ◽

2020 ◽

pp. 1-38

Author(s):

Yusuke Naito ◽

Yu Sasaki ◽

Takeshi Sugawara

Keyword(s):

Block Cipher ◽

State Of The Art ◽

Block Size ◽

Query Complexity ◽

Side Channel ◽

Authenticated Encryption ◽

Implementation Cost ◽

Tweakable Block Cipher ◽

Deterministic Authenticated Encryption ◽

State Size

This paper proposes a new lightweight deterministic authenticated encryption (DAE) scheme providing 128-bit security. Lightweight DAE schemes are practically important because resource-restricted devices sometimes cannot afford to manage a nonce properly. For this purpose, we first design a new mode LM-DAE that has a minimal state size and uses a tweakable block cipher (TBC). The design can be implemented with low memory and is advantageous in threshold implementations (TI) as a side-channel attack countermeasure. LM-DAE further reduces the implementation cost by eliminating the inverse tweak schedule needed in the previous TBC-based DAE modes. LM-DAE is proven to be indistinguishable from an ideal DAE up to the O(2n) query complexity for the block size n. To achieve 128-bit security, an underlying TBC must handle a 128-bit block, 128-bit key, and 128+4-bit tweak, where the 4-bit tweak comes from the domain separation. To satisfy this requirement, we extend SKINNY-128-256 with an additional 4-bit tweak, by applying the elastic-tweak proposed by Chakraborti et al. We evaluate the hardware performances of the proposed scheme with and without TI. Our LM-DAE implementation achieves 3,717 gates, roughly 15% fewer than state-of-the-art nonce-based schemes, thanks to removing the inverse tweak schedule.

Download Full-text

Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation

Cryptography ◽

10.3390/cryptography4030023 ◽

2020 ◽

Vol 4 (3) ◽

pp. 23

Author(s):

Takeshi Sugawara

Keyword(s):

Block Cipher ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

Key Schedule ◽

Backward Compatibility ◽

Mode Of Operation ◽

Large Memory ◽

Extended States ◽

Lightweight Block Cipher ◽

The Cost

SAEAES is the authenticated encryption algorithm instantiated by combining the SAEB mode of operation with AES, and a candidate of the NIST’s lightweight cryptography competition. Using AES gives the advantage of backward compatibility with the existing accelerators and coprocessors that the industry has invested in so far. Still, the newer lightweight block cipher (e.g., GIFT) outperforms AES in compact implementation, especially with the side-channel attack countermeasure such as threshold implementation. This paper aims to implement the first threshold implementation of SAEAES and evaluate the cost we are trading with the backward compatibility. We design a new circuit architecture using the column-oriented serialization based on the recent 3-share and uniform threshold implementation (TI) of the AES S-box based on the generalized changing of the guards. Our design uses 18,288 GE with AES’s occupation reaching 97% of the total area. Meanwhile, the circuit area is roughly three times the conventional SAEB-GIFT implementation (6229 GE) because of a large memory size needed for the AES’s non-linear key schedule and the extended states for satisfying uniformity in TI.

Download Full-text

Close to Optimally Secure Variants of GCM

Security and Communication Networks ◽

10.1155/2018/9715947 ◽

2018 ◽

Vol 2018 ◽

pp. 1-12

Author(s):

Ping Zhang ◽

Hong-Gang Hu ◽

Qian Yuan

Keyword(s):

Block Cipher ◽

Positive Response ◽

Block Size ◽

Hybrid Technique ◽

Authenticated Encryption ◽

Pseudorandom Functions ◽

Pseudorandom Permutation ◽

Mode Of Operation ◽

Universal Hash Function ◽

Provably Secure

The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data mode which provides the birthday-bound security in the nonce-respecting scenario; that is, it is secure up to about 2n/2 adversarial queries if all nonces used in the encryption oracle are never repeated, where n is the block size. It is an open problem to analyze whether GCM security can be improved by using some simple operations. This paper presents a positive response for this problem. Firstly, we introduce two close to optimally secure pseudorandom functions and derive their security bound by the hybrid technique. Then, we utilize these pseudorandom functions that we design and a universal hash function to construct two improved versions of GCM, called OGCM-1 and OGCM-2. OGCM-1 and OGCM-2 are, respectively, provably secure up to approximately 2n/67(n-1)2 and 2n/67 adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation. Finally, we discuss the properties of OGCM-1 and OGCM-2 and describe the future works.

Download Full-text

Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.is1.295-349 ◽

2020 ◽

pp. 295-349 ◽

Cited By ~ 2

Author(s):

Davide Bellizia ◽

Francesco Berti ◽

Olivier Bronchain ◽

Gaëtan Cassiers ◽

Sébastien Duval ◽

...

Keyword(s):

Block Cipher ◽

Block Size ◽

Minimum Cost ◽

Side Channel ◽

Authenticated Encryption ◽

Side Channel Attacks ◽

Mode Of Operation ◽

Channel Analysis ◽

Tweakable Block Cipher ◽

Software And Hardware

This paper defines Spook: a sponge-based authenticated encryption with associated data algorithm. It is primarily designed to provide security against side-channel attacks at a low energy cost. For this purpose, Spook is mixing a leakageresistant mode of operation with bitslice ciphers enabling efficient and low latency implementations. The leakage-resistant mode of operation leverages a re-keying function to prevent differential side-channel analysis, a duplex sponge construction to efficiently process the data, and a tag verification based on a Tweakable Block Cipher (TBC) providing strong data integrity guarantees in the presence of leakages. The underlying bitslice ciphers are optimized for the masking countermeasures against side-channel attacks. Spook is an efficient single-pass algorithm. It ensures state-of-the-art black box security with several prominent features: (i) nonce misuse-resilience, (ii) beyond-birthday security with respect to the TBC block size, and (iii) multiuser security at minimum cost with a public tweak. Besides the specifications and design rationale, we provide first software and hardware implementation results of (unprotected) Spook which confirm the limited overheads that the use of two primitives sharing internal components imply. We also show that the integrity of Spook with leakage, so far analyzed with unbounded leakages for the duplex sponge and a strongly protected TBC modeled as leak-free, can be proven with a much weaker unpredictability assumption for the TBC. We finally discuss external cryptanalysis results and tweaks to improve both the security margins and efficiency of Spook.

Download Full-text

Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i1.289-312 ◽

2020 ◽

pp. 289-312 ◽

Cited By ~ 1

Author(s):

Christoph Dobraunig ◽

Yann Rotella ◽

Jan Schoone

Keyword(s):

Block Cipher ◽

Slow Growth ◽

Higher Order ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

Key Recovery ◽

Linear Layer ◽

Depth Analysis ◽

Key Recovery Attack ◽

The Cost

Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side-effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations gotten for 2.5 rounds of Pyjamask-96. The AEAD-scheme Pyjamask itself is not threatened by the work in this paper.

Download Full-text

Cube-Based Cryptanalysis of Subterranean-SAE

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2019.i4.192-222 ◽

2020 ◽

pp. 192-222

Author(s):

Fukang Liu ◽

Takanori Isobe ◽

Willi Meier

Keyword(s):

Authenticated Encryption ◽

Lightweight Cryptography ◽

Key Recovery ◽

Official Document ◽

Distinguishing Attack ◽

Input And Output ◽

State Recovery ◽

Full State ◽

Standardization Process ◽

Key Recovery Attack

Subterranean 2.0 designed by Daemen, Massolino and Rotella is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the official document of Subterranean 2.0, the designers have analyzed the state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE is made. For Subterranean-SAE, the designers introduce 8 blank rounds to separate the controllable input and output, and expect that 8 blank rounds can achieve a sufficient diffusion. Therefore, it is meaningful to investigate the security by reducing the number of blank rounds. Moreover, the designers make no security claim but expect a non-trivial effort to achieve full-state recovery in a nonce-misuse scenario. In this paper, we present the first practical full-state recovery attack in a nonce-misuse scenario with data complexity of 213 32-bit blocks. In addition, in a nonce-respecting scenario and if the number of blank rounds is reduced to 4, we can mount a key-recovery attack with 2122 calls to the internal permutation of Subterranean-SAE and 269.5 32-bit blocks. A distinguishing attack with 233 calls to the internal permutation of Subterranean-SAE and 233 32-bit blocks is achieved as well. Our cryptanalysis does not threaten the security claim for Subterranean-SAE and we hope it can enhance the understanding of Subterranean-SAE.

Download Full-text

SKINNY-AEAD and SKINNY-Hash

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.is1.88-131 ◽

2020 ◽

pp. 88-131 ◽

Cited By ~ 1

Author(s):

Christof Beierle ◽

Jérémy Jean ◽

Stefan Kölbl ◽

Gregor Leander ◽

Amir Moradi ◽

...

Keyword(s):

Internal State ◽

Block Ciphers ◽

Third Party ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

The Family ◽

Encryption Schemes ◽

Standardization Process

We present the family of authenticated encryption schemes SKINNY-AEAD and the family of hashing schemes SKINNY-Hash. All of the schemes employ a member of the SKINNY family of tweakable block ciphers, which was presented at CRYPTO 2016, as the underlying primitive. In particular, for authenticated encryption, we show how to instantiate members of SKINNY in the Deoxys-I-like ΘCB3 framework to fulfill the submission requirements of the NIST lightweight cryptography standardization process. For hashing, we use SKINNY to build a function with larger internal state and employ it in a sponge construction. To highlight the extensive amount of third-party analysis that SKINNY obtained since its publication, we briefly survey the existing cryptanalysis results for SKINNY-128-256 and SKINNY-128-384 as of February 2020. In the last part of the paper, we provide a variety of ASIC implementations of our schemes and propose new simple SKINNY-AEAD and SKINNY-Hash variants with a reduced number of rounds while maintaining a very comfortable security margin. https://csrc.nist.gov/Projects/Lightweight-Cryptography

Download Full-text