

  1. Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020)
  Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers
  Yusuke Naito* and Takeshi Sugawara**
  * Mitsubishi Electric Corporation
  ** The University of Electro-Communications

  2. Overview: Our New Design, PFB (Plaintext Feedback) Mode
  • Key features
    • 64-bit security with a 64-bit tweakable block cipher (beyond-the-birthday-bound security)
    • Low memory usage with threshold implementation (TI), obtained by replacing a non-linearly updated 64-bit state with a public tweak
  Figure: memory comparison in bits
    Previous work (128-bit state + 128-bit key): 256 without TI; 640 with TI (state x3, key x2)
    This work (64-bit tweak + 64-bit state + 128-bit key): 256 without TI; 512 with TI (tweak x1, state x3, key x2)

  3. Background: Lightweight Cryptography
  • Security for resource-constrained IoT devices
  • Lightweight block ciphers
  • Standardization
  • 64-bit primitives are popular
  • Memory (registers) is the bottleneck in hardware implementation
    • 4-bit S-box: 20--40 gates
    • 128-bit register: 600--900 gates

  4. Background: Lightweight Authenticated Encryption (AE)
  • NIST is running a competition (LWC) for choosing a lightweight AE
  • Optimizing the mode of operation for lightweight implementation: SAEB* removes the additional states for tag generation that AES-GCM needs
  • Only 32-bit security when a 64-bit block cipher is combined with a mode of operation with birthday-bound security, which is subject to a practical attack**
  • We are hitting the limit: the remaining 256 bits (128-bit state + 128-bit key) are necessary just for running AES
  Figure: memory of AES-GCM (128-bit state + 128-bit key + additional states for tag generation) vs. AES-SAEB* (128-bit state + 128-bit key)
  * Y. Naito, M. Matsui, T. Sugawara, and D. Suzuki, "SAEB: A Lightweight Blockcipher-Based AEAD Mode of Operation," CHES 2018.
  ** K. Bhargavan and G. Leurent, "On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN," CCS 2016.

  5. Background: Lightweight + SCA Resistance
  • Resource-constrained devices are used in hostile environments in which side-channel attacks (SCA) are a serious threat
  • SCA protection in resource-constrained devices is even more challenging
  • Lightweight cryptography that enables efficient SCA countermeasures is a new frontier of research, e.g., TI-friendly S-boxes and SCREAM

  6. Background: (1st-order) Threshold Implementation
  • Encode a sensitive value as shares, and implement the cipher while preserving the shared representation
  • Non-completeness (every component function is independent of at least one input share) provides security in the presence of glitches
  • Multiplies the memory cost!
  Figure: 3-share TI. Input shares (x_a, x_b, x_c) satisfying x_a ⊕ x_b ⊕ x_c = x are processed by three component functions into output shares (X_a, X_b, X_c) satisfying X_a ⊕ X_b ⊕ X_c = X.
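An added illustration of the shared representation described above (example code written for this page, not the authors' hardware or the paper's S-box): a first-order, 3-share threshold implementation of a single AND gate, the non-linear building block of any S-box, next to the share-wise XOR. The sharing used for the AND is the standard non-complete 3-share construction; the exhaustive checks confirm that the shares always reconstruct x AND y and that output component i never reads share i of either input, which is the non-completeness property that keeps glitches from combining all shares. Share selection uses `secrets`, which is only an assumption for the demonstration.

```python
import itertools
import secrets


def share3(x):
    """Split a bit x into three shares (x_a, x_b, x_c) with x_a ^ x_b ^ x_c == x."""
    xa, xb = secrets.randbits(1), secrets.randbits(1)
    return (xa, xb, x ^ xa ^ xb)


def unshare(shares):
    """Recombine three shares into the sensitive value."""
    a, b, c = shares
    return a ^ b ^ c


def ti_xor(x, y):
    """Linear gate: acts share-wise, component i touches only share i."""
    return tuple(xi ^ yi for xi, yi in zip(x, y))


def ti_and(x, y):
    """Non-linear gate with 3 input and 3 output shares.

    Component i is built from the shares whose index is not i, so a glitch
    inside one component can never expose all three shares of x or of y.
    The nine cross terms x_i & y_j are split over the three components, so
    their XOR is (x_a^x_b^x_c) & (y_a^y_b^y_c).
    """
    xa, xb, xc = x
    ya, yb, yc = y
    za = (xb & yb) ^ (xb & yc) ^ (xc & yb)   # no x_a, no y_a
    zb = (xc & yc) ^ (xc & ya) ^ (xa & yc)   # no x_b, no y_b
    zc = (xa & ya) ^ (xa & yb) ^ (xb & ya)   # no x_c, no y_c
    return (za, zb, zc)


def ti_and_correct():
    """Exhaustive check over all 2^6 share assignments: shares recombine to x & y."""
    for bits in itertools.product((0, 1), repeat=6):
        xs, ys = bits[:3], bits[3:]
        if unshare(ti_and(xs, ys)) != (unshare(xs) & unshare(ys)):
            return False
    return True


def ti_and_non_complete():
    """Exhaustive check of non-completeness: flipping share i of x or of y
    never changes output component i, i.e. component i does not read share i."""
    for bits in itertools.product((0, 1), repeat=6):
        xs, ys = list(bits[:3]), list(bits[3:])
        base = ti_and(tuple(xs), tuple(ys))
        for i in range(3):
            fx = xs.copy(); fx[i] ^= 1
            fy = ys.copy(); fy[i] ^= 1
            if ti_and(tuple(fx), tuple(ys))[i] != base[i]:
                return False
            if ti_and(tuple(xs), tuple(fy))[i] != base[i]:
                return False
    return True


def shared_register_bits(width, shares):
    """Register cost of a TI state: every stored bit becomes `shares` bits."""
    return width * shares


if __name__ == "__main__":
    # Constructed demo inputs: secret bits 1 and 1, shared freshly each run.
    x, y = share3(1), share3(1)
    print("x AND y   ->", unshare(ti_and(x, y)))        # 1
    print("x XOR y   ->", unshare(ti_xor(x, y)))        # 0
    print("correct:", ti_and_correct(), "non-complete:", ti_and_non_complete())
    print("64-bit state with 3 shares needs", shared_register_bits(64, 3), "register bits")
```

The last helper is the arithmetic behind the slide's "multiplies the memory cost": a 64-bit non-linearly updated state costs 192 register bits under 3-share TI, which is what the later memory tables count.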

  7. Our Approach: Reduce the Size of the Non-Linearly Updated State
  • Low memory usage with threshold implementation (TI)
  • Challenge: birthday-bound security
  • We use a tweakable block cipher (TBC) to efficiently achieve beyond-the-birthday-bound security, i.e., 64-bit security with a 64-bit primitive
  Figure: memory comparison, SAEB with AES (128-bit state + 128-bit key: 256 bits without TI, 640 bits with TI) vs. this work (64-bit public tweak + 64-bit state + 128-bit key: 256 bits without TI, 512 bits with TI)

  8. Contribution: New Mode of Operation PFB (Plaintext Feedback)
  • A nonce-based authenticated encryption with associated data using a TBC
  • Provides beyond-the-birthday-bound security: security level = block length
  • Based on iCOFB (Chakraborti et al., CHES 2017) with several improvements:
    • Adding associated-data processing
    • Supporting arbitrary-length messages
    • Giving a new proof for a tighter security bound
    • Hardware performance evaluation with TI
  Figure: PFB encryption. The first TBC input is H (the hash of the associated data); the i-th call Ẽ_K with tweak (x, N, i) outputs Y_i and the ciphertext block is C_i = M_i ⊕ Y_i; each plaintext block is fed back to form the next TBC input X_{i+1}; the last, possibly partial, block M_* is handled with ozp (one-zero padding) and msb_{|M_*|}; a final call with tweak (y, N, l) on the state S gives the tag T = msb_t(...).

  9. Preliminary: Tweakable Block Cipher
  • An extension of a block cipher with a third input called the tweak
  • We get an independent random permutation for each tweak, i.e., efficient rekeying
  Figure: block cipher c = E_K(m) vs. tweakable block cipher c = Ẽ_K(t, m) with tweak t

  10. Preliminary: Tweakable Block Cipher SKINNY
  • A popular lightweight TBC
  • Tweakey framework: no discrimination between the key and the tweak
  Figure: SKINNY round structure. The message m enters the state; the tweakey words TK1, TK2, TK3 (each either tweak or key) are injected in round 1, round 2, ...; the tweakey schedule updates each TK independently (f_1, f_2, f_3).
  Beierle et al., "The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS," CRYPTO 2016.

  11. Proposed Method: PFB
  Figure: PFB consists of three parts.
  • Hash: the associated-data blocks A_1, A_2, ..., ozp(A_a) are XORed into a chain that starts from 0^b and is processed by Ẽ_K with tweaks (1, 0^n, 1), (1, 0^n, 2), ..., (1, 0^n, a); the result is H.
  • Enc: starting from H, the i-th call Ẽ_K with tweak (x, N, i) outputs Y_i, the ciphertext block is C_i = M_i ⊕ Y_i, and the plaintext block is fed back to form the next TBC input; the last block uses ozp and msb_{|M_*|}; the tag is T = msb_t(Ẽ_K with tweak (y, N, l) applied to the final state S).
  • Dec: the same chain with M_i = C_i ⊕ Y_i (msb_{|C_*|} for the partial last block, ozp of the recovered plaintext for the feedback), recomputing T̂ and accepting only if T̂ = T.

  12. Proposed Method: PFB cont.
  • The memory for running a TBC is sufficient for the entire PFB operation
  • The tweak contains only public parameters: a small constant, the nonce, and a counter
  Figure: memory size of this work: 64-bit public tweak (x1), 64-bit state (x3), 128-bit key (x2): 256 bits without TI, 512 bits with TI

  13. Proposed Method: Security of PFB
  • Target: b-bit security with a b-bit block length
  • Assumptions
    • The TBC is a TRP (tweakable random permutation)
    • Nonce-respecting setting (i.e., no nonce misuse)
  • Privacy
    • Game: distinguishing the ciphertext from a random sequence
    • PFB achieves perfect security
  • Authenticity
    • Game: forging a valid tag with query access to the decryption oracle
    • A successful attack needs 2^b decryption queries, i.e., PFB achieves b-bit security

  14. Proposed Method: Proof Sketch for Privacy
  1. No repeated tweak in encryption, because the tweak contains the (non-repeated) nonce and a counter
  2. The TBC outputs Y_1, Y_2, ..., T are random and independent by the TRP assumption
  3. The ciphertext and the tag cannot be distinguished from a random string, i.e., PFB achieves perfect security
  Figure: PFB encryption (as on slide 8)
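An added model of the argument above (example code for this page, not the authors' implementation or the paper's pseudocode): a lazily sampled tweakable random permutation stands in for the TBC, exactly as the TRP assumption does in the proof, and the first PFB encryption step from the diagram (Y_1 = Ẽ_K^{(x,N,1)}(H), C_1 = M_1 ⊕ Y_1) is run once under fresh nonces and once under a repeated nonce. The 64-bit block, the encoding of a tweak as a Python tuple, and the sample nonces and messages are assumptions of the example.

```python
import secrets

BLOCK_BYTES = 8  # 64-bit block, as for SKINNY-64 (assumed for this toy)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class TRP:
    """Lazily sampled tweakable random permutation.

    Every distinct tweak owns an independent random permutation of 64-bit
    blocks, sampled on first use. This is the idealised object of the proof,
    not a cipher: it exists only to show what the TRP assumption buys.
    """

    def __init__(self):
        self.tables = {}  # tweak -> {input block: output block}

    def encrypt(self, tweak, x):
        table = self.tables.setdefault(tweak, {})
        if x not in table:
            used = set(table.values())
            y = secrets.token_bytes(BLOCK_BYTES)
            while y in used:          # distinct outputs: keep it a permutation
                y = secrets.token_bytes(BLOCK_BYTES)
            table[x] = y
        return table[x]


def pfb_first_block(trp, nonce, H, m1):
    """First encryption step of PFB as drawn on the slides:
    Y_1 = E_K^{(x, N, 1)}(H) and C_1 = M_1 xor Y_1.
    "x" plays the small domain-separation constant, 1 the counter."""
    y1 = trp.encrypt(("x", nonce, 1), H)
    return xor(m1, y1)


def tables_touched(trp, H, m1, nonce_a, nonce_b):
    """Nonce-respecting case: two nonces give two tweaks, hence two independently
    sampled permutations. Returns how many distinct tweak tables the two
    encryptions used (2 means no keystream was shared)."""
    pfb_first_block(trp, nonce_a, H, m1)
    pfb_first_block(trp, nonce_b, H, m1)
    return len([t for t in trp.tables if t[1] in (nonce_a, nonce_b)])


def nonce_reuse_leak(trp, H, m1, m1_prime, nonce):
    """Nonce-misuse case: the same tweak (x, N, 1) on the same input H returns
    the same Y_1, so XORing the two first ciphertext blocks reveals M_1 xor M_1'.
    This is why the proof needs the nonce-respecting assumption."""
    c1 = pfb_first_block(trp, nonce, H, m1)
    c1_prime = pfb_first_block(trp, nonce, H, m1_prime)
    return xor(c1, c1_prime)


if __name__ == "__main__":
    # Constructed sample values: an all-zero AD hash and two 8-byte messages.
    H = bytes(BLOCK_BYTES)
    m, m_prime = b"attack!!", b"defend!!"
    print("independent tables under fresh nonces:", tables_touched(TRP(), H, m, b"N1", b"N2"))
    leak = nonce_reuse_leak(TRP(), H, m, m_prime, b"N1")
    print("nonce reuse leaks M1 xor M1':", leak == xor(m, m_prime))
```

Under fresh tweaks the two keystream blocks come from unrelated tables, which is all step 2 of the sketch uses; with a repeated nonce the same table entry is reused and the difference of the plaintexts is exposed, independent of how the later blocks are chained.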

  15. Proposed Method: Proof Sketch for Authenticity
  • We consider two attack cases
  • Attack case #1: guessing the tag in PFB's decryption
    • The success probability is roughly 1/2^b for each query because the tag is almost uniformly random (1/2^t for a t-bit tag T = msb_t(...))
    • Pr[#1] ≤ O(q_D / 2^b) with q_D queries to the decryption oracle

  16. Proposed Method: Proof Sketch for Authenticity cont.
  • Attack case #2: exploiting a collision in the PFB states
    • A collision between the Enc and Dec states under the same nonce results in a collision of the tag, i.e., a successful tag forgery
    • The probability of observing such a collision is 1/2^b per query, so Pr[#2] ≤ O(q_D / 2^b) with q_D decryption queries
  Figure: an Enc query with M_1, M_2, M_3, ..., M_l under nonce N, and a Dec query under the same N with a different AD hash H' and modified C'_1, C'_2 but unchanged C_3, ..., C_l, T. The Dec chain recovers different M'_1, M'_2 and a different state X'_2; the forgery succeeds if the state X_3 collides, since from then on X_3, ..., X_l, S and hence T coincide.

  17. Performance Evaluation: Hardware Architecture
  • PFB with SKINNY-64-192 (a variant with 64-bit block and 192-bit tweakey)
  • A serial SKINNY architecture with a 4-bit datapath
  • The mode of operation is a thin wrapper: MUX, XOR, AND gates
  • Heterogeneous number of shares
    • Green: 1-share (public)
    • Red: 2-share (linear secret, e.g., the key, whose tweakey schedule is linear)
    • Others: 3-share (non-linear secret)
  Figure: serial SKINNY datapath with the tweakey array (TK1, TK2, TK3 arrays fed by the TK1, TK2 and tweak inputs), the state array, round-constant (RC) generation, a 4-bit A/M/C input and a 4-bit C/M/T output

  18. Performance Evaluation: Comparing Memory Sizes
  • We traded a 64-bit non-linear state for a 64-bit public tweak
  • The proposed method saves 128 bits with TI

  Memory [bits]            Previous work: SAEB w/ GIFT-128   This work: PFB w/ SKINNY-64-192
  Tweak (public, x1)       -                                 64
  State (non-linear, x3)   128                               64
  Key (linear, x2)         128                               128
  Total without TI         256                               256
  Total with 3-share TI    640                               512

  19. Performance Evaluation: Hardware Performance Comparison w/ 3-Share TI
  • Smaller circuit area compared with the state of the art: SAEB with GIFT-128
  • Advantage over sponge-based schemes
  • Key/tweak use a smaller number of shares

  Ref.                Scheme           Circuit area [GE]   Note
  This work           PFB/SKINNY-64     5,858              proposed method
  This work           SAEB/GIFT-128     6,229              a 128-bit block-cipher-based scheme implemented with the same design policy
  Groß et al. [1]     Ascon w/o IF      7,970              previous AE implementation with TI
  Groß et al. [1]     Ascon w/ IF       9,190              previous AE implementation with TI
  Arribas et al. [2]  Ketje Jr         18,335              previous AE implementation with TI

  [1] Groß et al., "Suit up! - Made-to-Measure Hardware Implementations of ASCON," DSD 2015.
  [2] Arribas et al., "Guards in Action: First-Order SCA Secure Implementations of Ketje Without Additional Randomness," DSD 2018.
