Abstract

This paper proposes a new lightweight deterministic authenticated encryption (DAE) scheme providing 128-bit security. Lightweight DAE schemes are practically important because resource-restricted devices sometimes cannot afford to manage a nonce properly. For this purpose, we first design a new mode LM-DAE that has a minimal state size and uses a tweakable block cipher (TBC). The design can be implemented with low memory and is advantageous in threshold implementations (TI) as a side-channel attack countermeasure. LM-DAE further reduces the implementation cost by eliminating the inverse tweak schedule needed in the previous TBC-based DAE modes. LM-DAE is proven to be indistinguishable from an ideal DAE up to the O(2^n) query complexity for the block size n. To achieve 128-bit security, an underlying TBC must handle a 128-bit block, 128-bit key, and 128+4-bit tweak, where the 4-bit tweak comes from the domain separation. To satisfy this requirement, we extend SKINNY-128-256 with an additional 4-bit tweak, by applying the elastic-tweak proposed by Chakraborti et al. We evaluate the hardware performances of the proposed scheme with and without TI. Our LM-DAE implementation achieves 3,717 gates, roughly 15% fewer than state-of-the-art nonce-based schemes, thanks to removing the inverse tweak schedule.

Highlights

  • The explosive increase in data communication through Internet of Things (IoT) devices has generated a high demand for lightweight authenticated encryption (AE) schemes that can be used comfortably in a resource-restricted environment

  • We eliminate the inverse tweakey schedule to improve the implementation performance. We achieve this goal without resorting to a cyclic tweakey schedule by instantiating the proposed mode with a particular π and tweakable block cipher (TBC): we address one half of the problem by a primitive and the other half by a mode

  • In Theorem 2 (Section 5.2, Security Bounds), we show that LM-DAE.MAC achieves n-bit PRF security


Summary

Introduction

The explosive increase in data communication through Internet of Things (IoT) devices has generated a high demand for lightweight authenticated encryption (AE) schemes that can be used comfortably in a resource-restricted environment. Good designs for lightweight AE have been studied extensively, and there is a demand for 128-bit security to replace the conventional AES-GCM and AES-CCM with 64-bit security. NIST LWC explicitly requires better security than AES. Some AE schemes need a nonce, a value that must be processed only once under the same key; these schemes are called nonce-based AE. Satisfying this requirement in implementation turned out to be difficult, and the community has encountered many security incidents caused by the inappropriate handling of nonces, e.g., a low-quality random number, a tiny nonce space, and even a constant nonce [BZD+16]. The

Licensed under Creative Commons License CC-BY 4.0
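To make the DAE property concrete (no nonce is consumed, equal inputs give equal outputs, and any modification of the ciphertext or associated data is rejected), here is an added illustration that is not the paper's LM-DAE mode and not code from its authors. It is a generic SIV-style deterministic AE built from HMAC-SHA256 used as a PRF, with a one-byte label standing in for the small domain-separation tweak the abstract describes; the names `dae_encrypt`, `dae_decrypt` and the 16-byte tag length are assumptions made here for the example.

```python
import hashlib
import hmac

TAG_LEN = 16  # synthetic IV / authentication tag length in bytes (128-bit)


def _prf(key: bytes, domain: bytes, data: bytes) -> bytes:
    # Domain-separated PRF. The one-byte label is the analogue of the
    # small domain-separation tweak fed to the TBC in the paper's mode.
    return hmac.new(key, domain + data, hashlib.sha256).digest()


def _encode(ad: bytes, pt: bytes) -> bytes:
    # Length-prefix the associated data so that (ad, pt) pairs map
    # injectively to a single byte string before hashing.
    return len(ad).to_bytes(8, "big") + ad + pt


def _keystream(key: bytes, siv: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from the synthetic IV, so the IV
    # (which depends on the whole message) plays the role the nonce
    # would play in a nonce-based scheme.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += _prf(key, b"\x01", siv + block.to_bytes(4, "big"))
        block += 1
    return bytes(out[:length])


def dae_encrypt(key: bytes, ad: bytes, pt: bytes) -> bytes:
    """Deterministic AE: returns siv || ciphertext, no nonce required."""
    siv = _prf(key, b"\x00", _encode(ad, pt))[:TAG_LEN]
    ks = _keystream(key, siv, len(pt))
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return siv + ct


def dae_decrypt(key: bytes, ad: bytes, c: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    if len(c) < TAG_LEN:
        return None
    siv, ct = c[:TAG_LEN], c[TAG_LEN:]
    ks = _keystream(key, siv, len(ct))
    pt = bytes(x ^ k for x, k in zip(ct, ks))
    # Recompute the synthetic IV over the recovered plaintext and
    # compare in constant time; reject before releasing any plaintext.
    expected = _prf(key, b"\x00", _encode(ad, pt))[:TAG_LEN]
    if not hmac.compare_digest(siv, expected):
        return None
    return pt


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    key = bytes(range(32))
    ad, msg = b"sensor-42", b"temperature=21.5C"
    c1 = dae_encrypt(key, ad, msg)
    c2 = dae_encrypt(key, ad, msg)
    print("deterministic:", c1 == c2)
    print("round trip:", dae_decrypt(key, ad, c1) == msg)
    tampered = c1[:-1] + bytes([c1[-1] ^ 0x01])
    print("tamper rejected:", dae_decrypt(key, ad, tampered) is None)
```

The visible cost of determinism is that identical (key, ad, pt) triples produce identical ciphertexts, which is the leakage a DAE accepts in exchange for never depending on correct nonce management.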
