Abstract
In this article, we propose two new families of very lightweight and efficient authenticated encryption with associated data (AEAD) modes, Romulus and Remus, that provide security beyond the birthday bound with respect to the block-length n. The former uses a tweakable block cipher (TBC) as internal primitive and can be proven secure in the standard model. The later uses a block cipher (BC) as internal primitive and can be proven secure in the ideal cipher model. Both our modes allow to switch very easily from the nonce-respecting to the nonce-misuse scenario.Previous constructions, such as ΘCB3, are quite computationally efficient, yet needing a large memory for implementation, which makes them unsuitable for platforms where lightweight cryptography should play a key role. Romulus and Remus break this barrier by introducing a new architecture evolved from a BC mode COFB. They achieve the best of what can be possible with TBC – the optimal computational efficiency (rate-1 operation) and the minimum state size of a TBC mode (i.e., (n + t)-bit for n-bit block, t-bit tweak TBC), with almost equivalent provable security as ΘCB3. Actually, our comparisons show that both our designs present superior performances when compared to all other recent lightweight AEAD modes, being BC-based, TBC-based or sponge-based, in the nonce-respecting or nonce-misuse scenario. We eventually describe how to instantiate Romulus and Remus modes using the Skinny lightweight tweakable block cipher proposed at CRYPTO 2016, including the hardware implementation results
Highlights
Lightweight cryptography has become a very active research domain, as the importance of pervasive computing and the Internet of Things (IoT) is growing
Since its tweakey is n bits, it is even smaller than the members of Romulus. Both sponge/permutation-based schemes and Remus rely on non-standard models, and we emphasize that the security of the tweakable block cipher (TBC) instances that we propose to use inside Remus have been comprehensively evaluated, for the single-key related-tweak setting and related-tweakey setting, which suggests strong reliability to be used as the ideal-cipher
The security of TBC: KTMÑM is defined by the indistinguishability from an ideal object, tweakable uniform random permutation (TURP), denoted by Pr, using chosen-plaintext, chosen-tweak queries
Summary
Lightweight cryptography has become a very active research domain, as the importance of pervasive computing and the Internet of Things (IoT) is growing. Since its tweakey is n bits, it is even smaller than the members of Romulus (they are n-bit secure and using tweakey state of 2n or 3n bits) Both sponge/permutation-based schemes and Remus rely on non-standard models (random permutation or ideal-cipher), and we emphasize that the security of the TBC instances that we propose to use inside Remus have been comprehensively evaluated, for the single-key related-tweak setting and related-tweakey setting, which suggests strong reliability to be used as the ideal-cipher. They reuse the components of Romulus-N and Remus-N as much as possible, obtained by processing the message twice by Romulus-N or Remus-N This allows a faster and smaller scheme than TBC-based MRAE SCT [PS16], yet, we maintain the strong security features of SCT. The security of this TBC has been extensively studied, and it has attractive implementation characteristics
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
