Abstract

Owing to the growing demand for lightweight cryptographic solutions, NIST has initiated a standardization process for lightweight cryptographic algorithms. Specific to authenticated encryption (AE), the NIST draft demands that the scheme should have one primary member that has key length of 128 bits, and it should be secure for at least 250 − 1 byte queries and 2112 computations. Popular (lightweight) modes, such as OCB, OTR, CLOC, SILC, JAMBU, COFB, SAEB, Beetle, SUNDAE etc., require at least 128-bit primitives to meet the NIST criteria, as all of them are just birthday bound secure. Furthermore, most of them are sequential, and they either use a two pass mode or they do not offer any security when the adversary has access to unverified plaintext (RUP model). In this paper, we propose two new designs for lightweight AE modes, called LOCUS and LOTUS, structurally similar to OCB and OTR, respectively. These modes achieve notably higher AE security bounds with lighter primitives (only a 64-bit tweakable block cipher). Especially, they satisfy the NIST requirements: secure as long as the data complexity is less than 264 bytes and time complexity is less than 2128, even when instantiated with a primitive with 64-bit block and 128-bit key. Both these modes are fully parallelizable and provide full integrity security under the RUP model. We use TweGIFT-64[4,16,16,4] (also referred as TweGIFT-64), a tweakable variant of the GIFT block cipher, to instantiate our AE modes. TweGIFT-64-LOCUS and TweGIFT-64-LOTUS are significantly light in hardware implementation. To justify, we provide our FPGA based implementation results, which demonstrate that TweGIFT-64-LOCUS consumes only 257 slices and 690 LUTs, while TweGIFT-64-LOTUS consumes only 255 slices and 664 LUTs.

Highlights

  • Lightweight cryptography, that aims towards applications in resource constrained environments has seen a sudden surge in interest due to the advent of Internet of things (IoT)

  • Lightweight authenticated encryption (AE) schemes are of utmost importance in establishing private and authenticated communication channels in IoT applications

  • This importance was addressed by recently concluded CAESAR competition [CAE14] and the ongoing NIST lightweight cryptography project [MBTM17]

Read more

Summary

Introduction

Lightweight cryptography, that aims towards applications in resource constrained environments has seen a sudden surge in interest due to the advent of Internet of things (IoT). Lightweight authenticated encryption (AE) schemes are of utmost importance in establishing private and authenticated communication channels in IoT applications. This importance was addressed by recently concluded CAESAR competition [CAE14] and the ongoing NIST lightweight cryptography project [MBTM17]. In many of these designs, the internal state size reduction is the main priority. In this context, permutationbased schemes [BDPA11, CDNY18] have an advantage over block cipher-based schemes [CIMN17], as they do not need to store the key. Received: 2019-06-01, Revised: 2019-09-01, Accepted: 2019-11-01, Published: 2020-01-31

The NIST Lightweight Cryptography Standardization Project
State of the Art on AE Modes in light of NIST Requirements
Design Goals
Our Contributions
Design Comparison
Novelty of LOTUS and LOCUS
Security Proof
Preliminaries
Finite Field Arithmetic
Tweakable Block cipher
Authenticated Encryption in the Ideal Cipher Model
Security Definitions
TSPRP Security in Ideal Cipher Model
Privacy Security in Ideal Cipher Model
INT-RUP Security in Ideal Cipher Model
Coefficient-H Technique
LOTUS and LOCUS Modes
Associated Data Processing in LOTUS and LOCUS
Description of LOTUS
Description of LOCUS
Design Rationale
The TweGIFT-64 Tweakable Block Cipher
Intuition
Security against Differential Cryptanalysis
Hardware Implementation
Hardware Architecture
Implementation of TweGIFT-64
Implementation of LOCUS and LOTUS
Benchmarking Methodology
Θ-LOC and Θ-LOT
Privacy and Integrity Security of LOCUS
Privacy and Integrity Security of LOTUS
Security of P
Some Remarks on Generic Cryptanalysis on LOCUS and LOTUS
Colliding the internal key and input of two distinct P queries
Hardware Implementation of TweGIFT-64
Findings
Component Wise Area Calculation for lightweight LOCUS and LOTUS
Full Text
Published version (Free)

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call