Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020)
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers
Yusuke Naito* and Takeshi Sugawara**
* Mitsubishi Electric Corporation
** The University of Electro-Communications
1 Overview: Our New Design, PFB (Plaintext Feedback) Mode
• Key features
  • 64-bit security with a 64-bit tweakable block cipher (beyond-the-birthday-bound security)
  • Low memory usage with threshold implementation (TI), obtained by replacing a non-linearly updated 64-bit state with a public tweak
[Figure: memory size comparison. Previous work: state 128 bits (3 shares with TI) + key 128 bits (2 shares) = 256 bits without TI, 640 bits with TI. This work: tweak 64 bits (public, 1 share) + state 64 bits (3 shares) + key 128 bits (2 shares) = 256 bits without TI, 512 bits with TI.]
2 Background: Lightweight Cryptography
• Security for resource-constrained IoT devices
• Lightweight block ciphers
  • Standardization
  • 64-bit primitives are popular
• Memory (registers) is the bottleneck in hardware implementation
  • 4-bit S-box: 20--40 gates
  • 128-bit register: 600--900 gates
3 Background: Lightweight Authenticated Encryption (AE)
• NIST is running a competition (LWC) to choose a lightweight AE
• Optimizing the mode of operation for lightweight implementation
  • A 64-bit primitive gives only 32-bit security when combined with a mode of operation with birthday-bound security, which is subject to a practical attack**
[Figure: memory for tag generation. AES-GCM: state 128 bits + key 128 bits, plus additional state for tag generation. SAEB* with AES: state 128 bits + key 128 bits. We are hitting the limit: these 256 bits are necessary just for running AES.]
* Y. Naito, M. Matsui, T. Sugawara, and D. Suzuki, "SAEB: A Lightweight Blockcipher-Based AEAD Mode of Operation," CHES 2018.
** K. Bhargavan and G. Leurent, "On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN," CCS 2016.
4 Background: Lightweight + SCA Resistance
• Resource-constrained devices are used in hostile environments in which side-channel attacks (SCA) are a serious threat
• SCA protection in resource-constrained devices is even more challenging
• Lightweight cryptography that enables efficient SCA countermeasures is a new frontier of research, e.g., TI-friendly S-boxes and SCREAM
5 Background: (1st-order) Threshold Implementation
• Encode a sensitive value as shares, and implement the cryptographic function while preserving the shared representation
• Non-completeness (every component function is independent of at least one share) provides security even in the presence of glitches
• Multiplies the memory cost!
[Figure: input shares (x_a, x_b, x_c) satisfying x_a ⊕ x_b ⊕ x_c = x enter the component functions f_a, f_b, f_c, which produce output shares (X_a, X_b, X_c) satisfying X_a ⊕ X_b ⊕ X_c = X.]
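As an added example (not from the slides or the authors' implementation), the following Python checks the three TI properties on the textbook 3-share AND gate: correctness, non-completeness (each output share is computed without share i of the inputs, which is what makes glitches harmless) and uniformity. It also shows the caveat a practitioner hits immediately: the plain 3-share AND is correct and non-complete but not uniform, so a real design needs extra shares or fresh randomness before feeding the next nonlinear stage. The register-cost helper applies the per-signal share counts used later in the deck (public 1, linear secret 2, nonlinear secret 3) to reproduce its 512-bit and 640-bit figures; the share assignment of each signal is the deck's, the helper is mine.

```python
from collections import Counter
from itertools import product

# All 3-share encodings (s1, s2, s3) of a bit; the bit is s1 ^ s2 ^ s3.
SHARINGS = list(product((0, 1), repeat=3))


def unshare(s):
    return s[0] ^ s[1] ^ s[2]


def ti_and(x, y):
    """3-share threshold implementation of z = x AND y.
    x and y are share triples. Output share z_i never touches share i of either
    input (non-completeness), so a glitchy evaluation of one component cannot
    depend on the unshared x or y by itself."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    z1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2)   # uses shares 2 and 3 only
    z2 = (x3 & y3) ^ (x3 & y1) ^ (x1 & y3)   # uses shares 3 and 1 only
    z3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1)   # uses shares 1 and 2 only
    return z1, z2, z3


def is_correct():
    """Correctness: recombining the output shares gives x & y for every sharing."""
    return all(unshare(ti_and(x, y)) == (unshare(x) & unshare(y))
               for x in SHARINGS for y in SHARINGS)


def is_noncomplete():
    """Non-completeness: flipping share i of x and/or y never changes output share i."""
    for i in range(3):
        for x, y, dx, dy in product(SHARINGS, SHARINGS, (0, 1), (0, 1)):
            x_alt, y_alt = list(x), list(y)
            x_alt[i] ^= dx
            y_alt[i] ^= dy
            if ti_and(x, y)[i] != ti_and(tuple(x_alt), tuple(y_alt))[i]:
                return False
    return True


def is_uniform():
    """Uniformity: for each unshared (x, y), every valid output sharing must occur
    equally often over all input sharings. The 3-share AND fails this (for x = y = 0
    the all-zero output sharing shows up 7 times, the other three 3 times each)."""
    for xv, yv in product((0, 1), repeat=2):
        hist = Counter(ti_and(x, y)
                       for x in SHARINGS if unshare(x) == xv
                       for y in SHARINGS if unshare(y) == yv)
        if len(hist) != 4 or len(set(hist.values())) != 1:
            return False
    return True


def register_bits(public_bits, linear_secret_bits, nonlinear_secret_bits):
    """Register cost with heterogeneous sharing: public signals 1 share, linearly
    processed secrets (key) 2 shares, nonlinearly processed secrets (state) 3 shares."""
    return public_bits + 2 * linear_secret_bits + 3 * nonlinear_secret_bits
```

`register_bits(64, 128, 64)` is the PFB/SKINNY-64-192 configuration (public tweak, 2-share key, 3-share state) and `register_bits(0, 128, 128)` the SAEB configuration with a 128-bit cipher; the 128-bit gap between them is exactly the 64-bit state that moved into the public tweak, at 3 shares minus 1.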
6 Our approach: Reduce the Size of the Non-Linearly Updated State
• Low memory usage with threshold implementation (TI)
• Challenge: birthday-bound security
• We use a tweakable block cipher (TBC) to efficiently achieve beyond-the-birthday-bound security, i.e., 64-bit security with a 64-bit primitive
[Figure: memory size comparison. SAEB with AES: state 128 bits (3 shares) + key 128 bits (2 shares) = 256 bits without TI, 640 bits with TI. This work: tweak 64 bits (public, 1 share) + state 64 bits (3 shares) + key 128 bits (2 shares) = 256 bits without TI, 512 bits with TI.]
7 Contribution: New Mode of Operation PFB (Plaintext Feedback)
• A nonce-based authenticated encryption with associated data using a TBC
• Provides beyond-the-birthday-bound security: security level = block length
• Based on iCOFB (Chakraborti et al., CHES 2017) with several improvements:
  • Adding associated-data processing
  • Supporting arbitrary-length messages
  • Giving a new proof for a tighter security bound
  • Hardware performance evaluation with TI
[Figure: PFB encryption. The initial state X_1 = H is the hash of the associated data; for each block i, Y_i = Ẽ_K^{(x,N,i)}(X_i) and C_i = msb_{|M_i|}(Y_i) ⊕ M_i, the last block M_l being ozp-padded; the final state S is encrypted under tweak (y,N,l) and the tag is T = msb_t of the result.]
8 Preliminary: Tweakable block cipher
• An extension of a block cipher with a third input called the tweak
• We get an independent random permutation for each tweak, i.e., efficient rekeying
[Figure: a block cipher E_K maps message m to ciphertext c; a tweakable block cipher Ẽ_K additionally takes a tweak t.]
9 Preliminary: Tweakable block cipher SKINNY
• A popular lightweight TBC
• Tweakey framework: no distinction between the key and the tweak; a tweakey word can be either
• Tweakey schedule: independent between the TKs
[Figure: SKINNY rounds with tweakey arrays TK1, TK2, TK3; in every round the arrays are updated by the independent schedules f_1, f_2, f_3 and mixed into the message state.]
Beierle et al., "The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS," CRYPTO 2016.
10 Proposed Method: PFB
[Figure: PFB consists of three parts.
Hash: the associated data A is split into blocks A_1, ..., A_a, the last one padded by ozp; starting from 0^b, each block is XORed into the state and encrypted under tweak (1, 0^n, i), giving H.
Enc: X_1 = H; for i = 1, ..., l, Y_i = Ẽ_K^{(x,N,i)}(X_i) and C_i = msb_{|M_i|}(Y_i) ⊕ M_i, and the plaintext block (ozp-padded for M_l) is fed back into the next state; the final state S is encrypted under tweak (y,N,l) and T = msb_t of the output.
Dec: the same chain is run with M_i = msb_{|C_i|}(Y_i) ⊕ C_i recovered and fed back, and the recomputed tag T̂ is compared with T.]
11 Proposed Method: PFB cont.
• The memory for running a TBC is sufficient for the entire PFB operation
• The tweak contains only public parameters: a small constant, the nonce, and a counter
[Figure: memory size. Tweak 64 bits (public, 1 share) = small constant || nonce || counter; state 64 bits (3 shares); key 128 bits (2 shares). Total 256 bits without TI, 512 bits with TI.]
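As an added example, not code from the slides or from the authors, the following Python model reproduces the structure that is legible on slides 7, 10 and 11: an AD hash under tweak (const, 0^n, i), message blocks under (const, N, i), a tag under a separate constant, ozp padding of partial last blocks, a truncated tag, and a nonce-respecting encryptor. The TBC is an idealised tweakable random permutation, which is exactly the proof's TRP assumption. The per-block feedback rule and the domain-separation constants are not readable on the slides, so the model uses the COFB/iCOFB-style linear feedback X_{i+1} = G(Y_i) ⊕ ozp(M_i) (the deck names iCOFB as PFB's starting point) and constants, nonce length and tag length of its own; all of these are assumptions, and the PFB paper is authoritative for the real definition.

```python
"""Model of a PFB-like TBC mode: AD hash, nonce/counter tweaks, ozp padding, tag."""
import hmac
import random

B = 8          # block length in bytes: 64-bit blocks, as with SKINNY-64
TAG = 8        # tag length t in bytes (assumed: a full block)
NONCE = 6      # nonce length in bytes (assumed; the 64-bit tweak also holds constant and counter)
# Assumed domain-separation constants for the tweak; the *_PART variants mark a padded
# (partial) final block so that ozp padding stays injective.
DOM_HASH, DOM_HASH_PART, DOM_MSG, DOM_TAG, DOM_TAG_PART = 1, 2, 3, 4, 5


class TRP:
    """Idealised tweakable random permutation standing in for Ẽ_K under the proof's TRP
    assumption: a separate, lazily sampled random permutation per tweak. Seeded only
    for reproducibility; this is not SKINNY and not a cipher."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.fwd, self.bwd = {}, {}

    def enc(self, tweak, x):
        if (tweak, x) not in self.fwd:
            y = self.rng.getrandbits(8 * B).to_bytes(B, "big")
            while (tweak, y) in self.bwd:          # keep it a permutation per tweak
                y = self.rng.getrandbits(8 * B).to_bytes(B, "big")
            self.fwd[(tweak, x)], self.bwd[(tweak, y)] = y, x
        return self.fwd[(tweak, x)]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def ozp(block):
    """One-zero padding: a partial block gets a 1 bit then 0 bits; a full block is unchanged."""
    return block if len(block) == B else block + b"\x80" + bytes(B - len(block) - 1)


def split(data):
    """B-byte blocks, the last possibly partial; empty input is a single empty block."""
    return [data[i:i + B] for i in range(0, len(data), B)] or [b""]


def G(y):
    """Assumed stand-in for the linear feedback map of COFB/iCOFB on half blocks:
    (y1, y2) -> (y2, y1 ^ y2). Both G and G + I are invertible, so the decryption-side
    state (G + I)(Y_i) ^ C_i stays unpredictable to a forger who only controls C_i."""
    h = B // 2
    return y[h:] + xor(y[:h], y[h:])


class PfbLike:
    def __init__(self, tbc):
        self.E = tbc
        self.used = set()        # nonce-respecting: a nonce encrypts at most once

    def hash_ad(self, ad):
        """H: chain the ozp-padded AD blocks through Ẽ_K under tweak (const, 0^n, i)."""
        v, blocks = bytes(B), split(ad)
        for i, a in enumerate(blocks, 1):
            dom = DOM_HASH_PART if i == len(blocks) and len(a) < B else DOM_HASH
            v = self.E.enc((dom, bytes(NONCE), i), xor(v, ozp(a)))
        return v

    def _chain(self, nonce, ad, data, decrypting):
        x, out, blocks = self.hash_ad(ad), b"", split(data)
        for i, blk in enumerate(blocks, 1):
            y = self.E.enc((DOM_MSG, nonce, i), x)     # Y_i under tweak (x, N, i)
            other = xor(y[:len(blk)], blk)             # C_i = msb(Y_i)^M_i, or M_i = msb(Y_i)^C_i
            out += other
            m = other if decrypting else blk           # the plaintext block is what feeds back
            x = xor(G(y), ozp(m))                      # feedback (assumed form, see lead-in)
        dom = DOM_TAG if len(blocks[-1]) == B else DOM_TAG_PART
        tag = self.E.enc((dom, nonce, len(blocks)), x)[:TAG]   # T = msb_t(Ẽ_K^{(y,N,l)}(S))
        return out, tag

    def encrypt(self, nonce, ad, msg):
        if len(nonce) != NONCE or nonce in self.used:
            raise ValueError("nonce has the wrong length or was already used")
        self.used.add(nonce)
        return self._chain(nonce, ad, msg, decrypting=False)

    def decrypt(self, nonce, ad, ct, tag):
        pt, expected = self._chain(nonce, ad, ct, decrypting=True)
        return pt if hmac.compare_digest(expected, tag) else None
```

Running `PfbLike(TRP()).encrypt(nonce, ad, msg)` twice with the same nonce raises, which is the nonce-respecting condition the privacy proof relies on: with a fresh nonce every (const, N, i) tweak is new, so every Y_i is a fresh random block and the ciphertext is uniform. Any change to the ciphertext, the associated data or the tag makes `decrypt` return `None`, and the distinct `*_PART` constants are what keep `hash_ad(b"abcdefg")` and `hash_ad(b"abcdefg\x80")` apart despite ozp.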
12 Proposed Method: Security of PFB
• Target: b-bit security with a b-bit block length
• Assumptions
  • The TBC is a TRP (tweakable random permutation)
  • Nonce-respecting setting (i.e., no nonce misuse)
• Privacy
  • Game: distinguishing the ciphertext from a random sequence
  • PFB achieves perfect security
• Authenticity
  • Game: forging a valid tag with query access to the decryption oracle
  • A successful attack needs about 2^b decryption queries, i.e., PFB achieves b-bit security
13 Proposed Method: Proof sketch for privacy
1. No repeated tweak in encryption, because the (non-repeated) nonce and the counter are part of every tweak
2. The TBC outputs Y_1, Y_2, ..., T are random and independent by the TRP assumption
3. The ciphertext blocks and tag are therefore indistinguishable from a random string, i.e., perfect security
[Figure: PFB encryption, as on slide 7.]
14 Proposed Method: Proof sketch for authenticity
• We consider two attack cases
• Attack case #1: guessing the tag in PFB's decryption
  • The success probability is roughly 1/2^b for each query because the tag is almost uniformly random
  • Pr[#1] ≤ O(q_D/2^b) with q_D queries to the decryption oracle
15 Proposed Method: Proof sketch for authenticity cont.
• Attack case #2: exploiting a collision in the PFB states
  • A collision between the Enc and Dec states under the same nonce results in a collision of the tags, i.e., a successful forgery
  • Once a decryption query deviates from the encryption query, the TBC outputs and hence the following states are fresh random values, so each state collides with probability 1/2^b and Pr[#2] ≤ O(q_D/2^b) with q_D decryption queries
[Figure: Enc chain with states H, X_2, X_3, ..., X_l, S and Dec chain with H', X'_2, X_3, ..., X_l, S under the same tweaks (x,N,1), ..., (x,N,l), (y,N,l). After the differing blocks (M'_1, C'_1, M'_2, C'_2) the Dec state collides with the Enc state X_3, and all later states and the tag T coincide.]
16 Performance Evaluation: Hardware architecture
• PFB with SKINNY-64-192 (the variant with a 64-bit block and a 192-bit tweakey)
• A serial SKINNY architecture with a 4-bit datapath
• The mode of operation is a thin wrapper around the cipher: MUX, XOR, and AND gates
• Heterogeneous number of shares
  • Green: 1 share (public)
  • Red: 2 shares (linear secret)
  • Others: 3 shares (nonlinear secret)
[Figure: serial SKINNY datapath: tweakey arrays TK1 and TK2 with 4-bit inputs, TK3 fed from the 4-bit tweak input, the round-constant generator, and the state array with a 4-bit A/M/C input and a 4-bit C/M/T output.]
17 Performance Evaluation: Comparing memory sizes
• We traded a 64-bit non-linear state for a 64-bit public tweak
• The proposed method saves 128 bits with TI (640 → 512)
[Figure: Previous work, SAEB with GIFT-128: state 128 bits (3 shares) + key 128 bits (2 shares) = 256 bits without TI, 640 bits with TI. This work, PFB with SKINNY-64-192: tweak 64 bits (1 share) + state 64 bits (3 shares) + key 128 bits (2 shares) = 256 bits without TI, 512 bits with TI.]
18 Performance Evaluation: Hardware performance comparison w/ 3-share TI
• Smaller circuit area compared with the state of the art: SAEB with GIFT-128
• Advantage over sponge-based schemes
• Key/tweak use a smaller number of shares

Ref.                Scheme           Circuit area (GE)  Note
This work           PFB/SKINNY-64    5,858              Proposed method
This work           SAEB/GIFT-128    6,229              A 128-bit block cipher-based scheme implemented with the same design policy
Groß et al. [1]     Ascon w/o IF     7,970              Previous AE implementations with TI
Groß et al. [1]     Ascon w/ IF      9,190              Previous AE implementations with TI
Arribas et al. [2]  Ketje-JR         18,335             Previous AE implementations with TI

[1] Groß et al., "Suit up! Made-to-Measure Hardware Implementations of ASCON," DSD 2015.
[2] Arribas et al., "Guards in Action: First-Order SCA Secure Implementations of Ketje Without Additional Randomness," DSD 2018.