Lightweight authenticated encryption mode suitable for threshold implementation (Q2119030)

From MaRDI portal
Revision as of 10:17, 28 July 2024 by ReferenceBot (talk | contribs) (‎Changed an Item)
scientific article
Language Label Description Also known as
English
Lightweight authenticated encryption mode suitable for threshold implementation
scientific article

    Statements

    Lightweight authenticated encryption mode suitable for threshold implementation (English)
    0 references
    0 references
    0 references
    0 references
    23 March 2022
    0 references
    This paper proposes tweakable block cipher (TBC) based modes $\text{PFB}_-\text{Plus}$ and $\text{PFB}\omega$ that are efficient in threshold implementations (TI). Let $t$ be an algebraic degree of a target function, e.g. $t = 1$ (resp. $t > 1$) for linear (resp. non-linear) function. The $d\text{-}th$ order TI encodes the internal state into $dt+1$ shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC-based modes can be smaller than block cipher (BC) based modes in TI because TBC requires an $s$-bit block to ensure $s$-bit security, e.g. PFB and Romulus, while BC requires a 2s-bit block. However, even with those TBC based modes, the minimum they can reach is 3 shares of $s$-bit state with $t = 2$ and the first-order TI $(d = 1)$. Their first design $\text{PFB}_-\text{Plus}$ aims to break the barrier of the $3s$-bit state in TI. The block size of an underlying TBC is $s/2$ bits and the output of TBC is linearly expanded to $s$ bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size $2.5s$ bits.They also provide rigorous security proof of $\text{PFB}_-\text{Plus}$. Their second design $\text{PFB}\omega$ further increases a parameter $\omega$: a ratio of the security level s to the block size of an underlying TBC. They prove the security of $\text{PFB}\omega$ for any $\omega$ under some assumptions for an underlying TBC and for parameters used to update a state. Next, they show a concrete instantiation of $\text{PFB}_-\text{Plus}$ for 128-bit security. It requires a TBC with a 64-bit block, 128-bit key, and 128-bit tweak, while no existing TBC can support it. They design a new TBC by extending SKINNY and provide basic security evaluation. Finally, they give hardware benchmarks of $\text{PFB}_-\text{Plus}$ in the first-order TI to show that TI of $\text{PFB}_-\text{Plus}$ is smaller than that of PFB by more than one thousand gates and is the smallest within the schemes having 128-bit security. For the entire collection see [Zbl 1482.94003].
    0 references
    authenticated encryption
    0 references
    threshold implementation
    0 references
    beyond-birthday-bound security
    0 references
    tweakable block cipher
    0 references
    lightweight
    0 references
    0 references
    0 references
    0 references
    0 references
    0 references
    0 references
    0 references
    0 references

    Identifiers