Abstract

The use of a small block length is a common strategy when designing lightweight (tweakable) block ciphers (TBCs), and several 64-bit primitives have been proposed. However, when such a 64-bit primitive is used for an authenticated encryption with birthday-bound security, it has only 32-bit data complexity, which is subject to practical attacks. To employ a short block length without compromising security, we propose PFB, a lightweight TBC-based authenticated encryption with associated data mode, which achieves beyond-birthday-bound security. For this purpose, we extend iCOFB, which is originally defined with a tweakable random function. Unlike iCOFB, the proposed method can be instantiated with a TBC using a fixed tweak length and can handle variable-length data. Moreover, its security bound is improved and independent of the data length; this improves the key lifetime, particularly in lightweight blocks with a small size. The proposed method also covers a broader class of feedback functions because of the generalization presented in our proof. We evaluate the concrete hardware performances of PFB, which benefits from the small block length and shows particularly good performances in threshold implementation.

Highlights

  • Driven by a demand for secure connectivity in resource-constrained embedded devices, lightweight cryptography has been actively studied in the last decade

  • The small block length contributes to a smaller memory footprint and a shorter round number, which are crucial for a lightweight implementation

  • We subsequently prove that the generalized authenticated encryption with associated data (AEAD) scheme, called GFB, satisfies the security bound of O(qD/2^b), the same level of security as ΘCB3


Summary

Introduction

Driven by a demand for secure connectivity in resource-constrained embedded devices, lightweight cryptography has been actively studied in the last decade. A common strategy for designing a lightweight block cipher is to use a small block length. There are block-cipher-based AEAD modes with BBB security, including CHM [Iwa06], CIP [Iwa08], and AEAD modes built on CLRW2 [LST12] or r-CLRW [LS13]. They are costly compared to the lightweight AEAD modes, as they require two or more independent universal hash functions. Our objective is to design a lightweight, BBB-secure, nonce-based AEAD mode, thereby employing a short block length without compromising security. The use of a (dedicated) TBC is a promising approach for designing a lightweight and BBB-secure AEAD mode; however, none of the previous TBC-based AEAD modes, including TAE, ΘCB3, and SCT, satisfy all the lightweight criteria (see Table 1). iCOFB cannot handle arbitrary-length messages because the functions ρ and ρ accept b-bit blocks only. Unlike conventional schemes such as ΘCB3, iCOFB has a worse security bound that depends on the maximum message block length max. That means a short key life for a large max, which results in an additional cost for rekeying or a shorter product lifetime.

Contribution
Organization
Independent Concurrent Work
Notation
Tweakable Block Cipher
Nonce-Based Authenticated Encryption with Associated Data
Brief Overview of iCOFB Design and Security
Design Principle and Specification of PFB
Security of PFB
GFB: Generalized PFB
Replacing the Keyed TBC EK with a TRP P
Implementation
Threshold Implementation
Performance Evaluation and Comparison
