Abstract

With the trend to connect more and more devices to the Internet, authenticated encryption has become a backbone of secure communication, not only between these devices and servers but also directly among the devices themselves. Most authenticated encryption algorithms used in practice are developed to perform well on modern high-end devices, but are not necessarily suited for use on resource-constrained devices. We present a lightweight authenticated encryption scheme, called Elephant. Elephant retains the advantages of GCM such as parallelism, but is tailored to the needs of resource-constrained devices. The two smallest instances of Elephant, Dumbo and Jumbo, are based on the 160-bit and 176-bit Spongent permutation, respectively, and are particularly suited for hardware; the largest instance of Elephant, Delirium, is based on 200-bit Keccak and is developed towards software use. All three instances are parallelizable, have a small state size while achieving a high level of security, and are constant time by design.

Highlights

  • Authenticated encryption has become an integral part of our modern communication infrastructure

  • A first drawback of the constructions in use today is their reliance on components such as the AES [DR02], ChaCha [Ber08], and SHA-2 [FIP12], which were not designed with lightweight applications in mind

  • A second problem is the need for the implementation of two different primitives for performing the single task of authenticated encryption, which is a potential waste of resources in lightweight applications


Summary

Introduction

Authenticated encryption has become an integral part of our modern communication infrastructure. TLS 1.3 [Res18] relies on AES-GCM or on ChaCha with Poly1305, whereas in the Signal protocol [PM16, CCD+17] the task of authenticated encryption can be performed using AES in CBC mode for encryption paired with HMAC-SHA-2 for authentication. A first drawback of these constructions is their reliance on components such as the AES [DR02], ChaCha [Ber08], and SHA-2 [FIP12], which were not designed with lightweight applications in mind. A second problem is the need to implement two different primitives (one for encryption and one for authentication) for performing the single task of authenticated encryption, which is a potential waste of resources in lightweight applications. This remains true if the primitives within these constructions are replaced with more lightweight counterparts.
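The AES-CBC plus HMAC-SHA-2 composition the paragraph mentions, written out as an added example (constructed for this page in Go; it is neither Signal's exact scheme nor code from the Elephant authors) to make the "two primitives for one task" point concrete: a block cipher implementation, a hash implementation, an independent key for each, and glue code for padding, tag binding and constant-time verification, which is exactly the footprint a single-permutation design aims to shed. The 32-byte keys, the untruncated tag, and the MAC input layout are assumptions of this example.

```go
// Generic encrypt-then-MAC AEAD built from two separate primitives: AES-256 in
// CBC mode for confidentiality and HMAC-SHA-256 for integrity. Constructed
// illustration only; not Signal's exact scheme and not the Elephant authors' code.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const tagLen = sha256.Size // full 32-byte tag (assumption: no truncation)

// pad appends PKCS#7 padding so the plaintext is a whole number of AES blocks.
// It copies the input so the caller's buffer is never written to.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte(nil), p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#7 padding and rejects malformed padding. It runs only after
// the tag has been verified, so its non-constant-time checks leak nothing useful.
func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return p[:len(p)-n], nil
}

// macInput binds the tag to the associated data, the IV and the ciphertext; the
// AD length is encoded so the AD/ciphertext boundary cannot be shifted.
func macInput(ad, iv, ct []byte) []byte {
	var adLen [8]byte
	binary.BigEndian.PutUint64(adLen[:], uint64(len(ad)))
	out := make([]byte, 0, len(ad)+len(iv)+len(ct)+8)
	out = append(out, ad...)
	out = append(out, iv...)
	out = append(out, ct...)
	return append(out, adLen[:]...)
}

// Seal returns iv || ciphertext || tag. encKey and macKey are independent
// 32-byte keys; reusing one key for both primitives is a classic mistake.
func Seal(encKey, macKey, ad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(macInput(ad, iv, ct))
	return mac.Sum(append(iv, ct...)), nil
}

// Open verifies the tag in constant time before decrypting, so an attacker can
// never distinguish padding failures from decryption (no padding oracle).
func Open(encKey, macKey, ad, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+tagLen || (len(sealed)-tagLen)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	iv := sealed[:aes.BlockSize]
	ct := sealed[aes.BlockSize : len(sealed)-tagLen]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(macInput(ad, iv, ct))
	if !hmac.Equal(mac.Sum(nil), sealed[len(sealed)-tagLen:]) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}
```

Call Seal and then Open with the same associated data; Open checks the tag with hmac.Equal before it touches the ciphertext, because checking after (or comparing with a short-circuiting byte loop) turns the padding check into a padding oracle. Note also that CBC encryption chains blocks and therefore cannot be parallelized, which is one of the GCM advantages the abstract says Elephant retains.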
