Lightweight authenticated encryption mode suitable for threshold implementation (Q2119030)

From MaRDI portal
Revision as of 16:05, 31 July 2023 by Importer (talk | contribs) (‎Created a new Item)
scientific article (English)

    Statements

    Lightweight authenticated encryption mode suitable for threshold implementation (English)
    23 March 2022
    This paper proposes tweakable block cipher (TBC) based modes $\mathrm{PFB\_Plus}$ and $\mathrm{PFB}\omega$ that are efficient in threshold implementations (TI). Let $t$ be the algebraic degree of a target function, e.g. $t = 1$ for a linear function and $t > 1$ for a non-linear one. A $d$-th order TI encodes the internal state into $dt+1$ shares, so the area grows proportionally to the number of shares. This means that TBC-based modes can be smaller than block cipher (BC) based modes in TI, because a TBC needs only an $s$-bit block to ensure $s$-bit security (e.g. PFB and Romulus), while a BC needs a $2s$-bit block. However, even with those TBC-based modes, the minimum they can reach is 3 shares of an $s$-bit state, for $t = 2$ and the first-order TI ($d = 1$). Their first design, $\mathrm{PFB\_Plus}$, aims to break the barrier of the $3s$-bit state in TI. The block size of the underlying TBC is $s/2$ bits and the output of the TBC is linearly expanded to $s$ bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size $2.5s$ bits. They also provide a rigorous security proof of $\mathrm{PFB\_Plus}$. Their second design, $\mathrm{PFB}\omega$, further increases a parameter $\omega$, the ratio of the security level $s$ to the block size of the underlying TBC. They prove the security of $\mathrm{PFB}\omega$ for any $\omega$ under some assumptions on the underlying TBC and on the parameters used to update the state. Next, they show a concrete instantiation of $\mathrm{PFB\_Plus}$ for 128-bit security. It requires a TBC with a 64-bit block, 128-bit key and 128-bit tweak, which no existing TBC supports. They design a new TBC by extending SKINNY and provide a basic security evaluation.
    Finally, they give hardware benchmarks of $\mathrm{PFB\_Plus}$ in the first-order TI, showing that the TI of $\mathrm{PFB\_Plus}$ is smaller than that of PFB by more than one thousand gates and is the smallest among the schemes with 128-bit security. For the entire collection see [Zbl 1482.94003].
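The share counting in the abstract (a linear function, $t = 1$, needs 2 shares in a first-order TI; a degree-2 function, $t = 2$, needs 3) can be checked by hand on the smallest possible case. The block below is an added example, not code from the paper or its authors: it implements the textbook 3-share threshold sharing of a single AND gate (the Nikova, Rechberger and Rijmen construction), a 2-share share-wise XOR, and a constructed 2-share AND as a counter-example, then verifies the two TI properties that determine the share count, correctness and first-order non-completeness, by exhaustive enumeration over every share assignment. Function names and the counter-example are the editor's own.

```python
import itertools


def xor_all(bits):
    """XOR-combine a list of bits (recombines shares into the unshared value)."""
    r = 0
    for b in bits:
        r ^= b
    return r


# Linear function, t = 1: first-order TI (d = 1) needs dt + 1 = 2 shares.
def xor_shared_2(a, b):
    """Share-wise XOR: output share i touches only input share index i."""
    return [a[0] ^ b[0], a[1] ^ b[1]]


# Degree-2 function, t = 2: first-order TI needs dt + 1 = 3 shares.
def and_shared_3(a, b):
    """Classic 3-share TI of an AND gate (Nikova-Rechberger-Rijmen)."""
    a1, a2, a3 = a
    b1, b2, b3 = b
    c1 = (a2 & b2) ^ (a2 & b3) ^ (a3 & b2)  # never touches share index 1
    c2 = (a3 & b3) ^ (a1 & b3) ^ (a3 & b1)  # never touches share index 2
    c3 = (a1 & b1) ^ (a1 & b2) ^ (a2 & b1)  # never touches share index 3
    return [c1, c2, c3]


# Constructed counter-example (not from the paper): a 2-share AND that is
# correct but leaks, because each output share sees both share indices.
def and_shared_2_naive(a, b):
    a1, a2 = a
    b1, b2 = b
    return [(a1 & b1) ^ (a1 & b2), (a2 & b1) ^ (a2 & b2)]


def all_sharings(n):
    """Every (a_shares, b_shares) pair with n shares each."""
    vals = list(itertools.product((0, 1), repeat=n))
    return ((list(a), list(b)) for a in vals for b in vals)


def is_correct(f, n, ref):
    """Correctness: XOR of the output shares equals ref() of the unshared inputs."""
    return all(xor_all(f(a, b)) == ref(xor_all(a), xor_all(b))
               for a, b in all_sharings(n))


def depends_on_index(f, n, i, j):
    """Does output share i ever change when share index j of a or of b is flipped?"""
    for a, b in all_sharings(n):
        base = f(a, b)[i]
        a_flip = a[:]
        a_flip[j] ^= 1
        b_flip = b[:]
        b_flip[j] ^= 1
        if f(a_flip, b)[i] != base or f(a, b_flip)[i] != base:
            return True
    return False


def is_non_complete(f, n):
    """First-order non-completeness: each output share ignores at least one share index."""
    return all(any(not depends_on_index(f, n, i, j) for j in range(n))
               for i in range(n))


if __name__ == "__main__":
    cases = [("xor, 2 shares", xor_shared_2, 2, lambda x, y: x ^ y),
             ("and, 3 shares", and_shared_3, 3, lambda x, y: x & y),
             ("and, 2 shares", and_shared_2_naive, 2, lambda x, y: x & y)]
    for name, f, n, ref in cases:
        print(f"{name}: correct={is_correct(f, n, ref)} "
              f"non-complete={is_non_complete(f, n)}")
```

The 2-share AND is correct but fails non-completeness, which is exactly why a degree-2 function costs a third share in a first-order TI, and why the abstract's $2.5s$-bit state for $\mathrm{PFB\_Plus}$ comes from keeping the linearly expanded part of the state in 2 shares while only the TBC core needs 3. Uniformity, the third TI property, is not checked here; the 3-share AND above is known not to be uniform on its own and needs fresh randomness or re-masking in a real design.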
    Keywords: authenticated encryption; threshold implementation; beyond-birthday-bound security; tweakable block cipher; lightweight
