Abstract
We specify Isap v2.0, a lightweight permutation-based authenticated encryption algorithm that is designed to ease protection against side-channel and fault attacks. This design is an improved version of the previously published Isap v1.0, and offers increased protection against implementation attacks as well as more efficient implementations. Isap v2.0 is a candidate in NIST’s LightWeight Cryptography (LWC) project, which aims to identify and standardize authenticated ciphers that are well-suited for applications in constrained environments. We provide a self-contained specification of the new Isap v2.0 mode and discuss its design rationale. We formally prove the security of the Isap v2.0 mode in the leakage-resilient setting. Finally, in an extensive implementation overview, we show that Isap v2.0 can be implemented securely with very low area requirements.
https://isap.iaik.tugraz.at
Highlights
Ever since the publication of side-channel and fault attacks [Koc96, KJJ99, BDL97, BS97] it has become evident that implementations of cryptographic schemes cannot be considered as a black box, especially in scenarios where an attacker has physical access to the device performing a cryptographic task.
We propose four instantiations of Isap v2.0: two based on the 400-bit permutation Keccak-p[400] [BDPV11, Nat15b], and two based on the 320-bit permutation used in Ascon [DEMS16, DEMS19], which has recently been selected as first choice for the use case of lightweight applications in the final CAESAR portfolio [CAE14].
Isap v2.0 is a candidate in the NIST LightWeight Cryptography (LWC) project [DEM+19], but was not published elsewhere.
Summary
Ever since the publication of side-channel and fault attacks [Koc96, KJJ99, BDL97, BS97] it has become evident that implementations of cryptographic schemes cannot be considered as a black box, especially in scenarios where an attacker has physical access to the device performing a cryptographic task. Likewise, dedicated modes for symmetric encryption have been introduced that reduce the requirements for countermeasures on the primitive level for protection against side-channel attacks. These modes typically fall in the categories of leakage-resilient cryptography [DP08] or fresh re-keying [MSGR10].

Eichlseder, Mangard, Mendel, Mennink, Primas, and Unterluggauer 391

cipher with a suffix keyed sponge acting as MAC in a specific way to provide resistance against side-channel attacks. Both parts derive session keys in a GGM-tree-like [GGM86] manner (similar to [TS14]) in order to harden this key derivation against side-channel attacks. All ingredients combine to a nonce-based authenticated encryption scheme that provides protection against (higher-order) differential power analysis without the need for (higher-order) masking.
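To illustrate the GGM-tree-like session-key derivation the summary refers to, here is an added example that is not code from the Isap specification or its reference implementation: it substitutes SHA-256 for Isap's permutation-based re-keying function and walks the nonce one bit at a time, so that every intermediate key is only ever processed with two distinct inputs (the bit 0 or the bit 1). The `usage_log` bookkeeping and the contrasting `naive_session_key` are assumptions added for the demonstration; the nonces are constructed sample input.

```python
import hashlib
from collections import defaultdict


def prf(key: bytes, bit: int) -> bytes:
    """Stand-in PRF for one GGM-tree step (SHA-256 here, not Isap's permutation)."""
    return hashlib.sha256(key + bytes([bit])).digest()


def bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def derive_session_key(master_key: bytes, nonce: bytes, usage_log=None) -> bytes:
    """GGM-tree-like derivation: the nonce's bit string is the path from the root.

    usage_log (optional, dict key -> set of inputs) records which inputs each
    intermediate key was processed with; this models the distinct-input traces a
    differential power analysis attacker could collect per key.
    """
    k = master_key
    for b in bits(nonce):
        if usage_log is not None:
            usage_log[k].add(b)
        k = prf(k, b)
    return k


def naive_session_key(master_key: bytes, nonce: bytes, usage_log=None) -> bytes:
    """Contrast: hash the whole nonce under the master key in one call, so the
    master key is processed with one new input per nonce."""
    if usage_log is not None:
        usage_log[master_key].add(nonce)
    return hashlib.sha256(master_key + nonce).digest()


def max_inputs_per_key(derive, master_key: bytes, nonces) -> int:
    """Largest number of distinct inputs any single key was processed with."""
    log = defaultdict(set)
    for n in nonces:
        derive(master_key, n, log)
    return max(len(inputs) for inputs in log.values())


if __name__ == "__main__":
    key = b"k" * 16                       # constructed sample master key
    sample_nonces = [bytes([i]) for i in range(256)]  # constructed 1-byte nonces
    print("GGM-tree: ", max_inputs_per_key(derive_session_key, key, sample_nonces))
    print("naive:    ", max_inputs_per_key(naive_session_key, key, sample_nonces))
```

Running it shows the bound the design relies on: the tree-based derivation never exposes any key to more than two distinct inputs, whereas the naive derivation exposes the master key to as many inputs as there are nonces.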