Abstract
The currently ongoing NIST LWC project aims at identifying new standardization targets for lightweight authenticated encryption with associated data (AEAD) and (optionally) lightweight cryptographic hashing. NIST has deemed it important for performance and cost to be optimized on relevant platforms, especially for short messages. Reyhanitabar, Vaudenay and Vizár (Asiacrypt 2016) gave a formal treatment for security of nonce-based AEAD with variable stretch, i.e., when the length of the authentication tag is changed between encryptions without changing the key. They argued that AEAD supporting variable stretch is of practical interest for constrained applications, especially low-power devices operated by battery, due to the ability to flexibly trade communication overhead and level of integrity. In this work, we investigate this hypothesis with affirmative results. We present vCCM, a variable-stretch variant of the standard CCM, and prove it is secure when used with variable stretch. We then experimentally measure the energy consumption of a real-world wireless sensor node when encrypting and sending messages with vCCM and CCM, respectively. Our projections show that the flexible trade of integrity level and ciphertext expansion can lead to an overall energy consumption reduction of up to 21% in certain scenarios. As vCCM is obtained from the widely-used CCM by a black-box transformation, allowing any existing CCM implementations to be reused as-is, our results can be immediately put to use in practice. vCCM is all the more relevant because neither the NIST LWC project nor any of the candidates give consideration to the support of variable stretch and the related integrity-overhead trade-off.
Highlights
Introduction: In the absence of a broadly accepted precise definition, lightweight cryptography can be roughly understood to comprise cryptographic designs created and optimized for a specific design trade-off (along the axes of computational complexity, memory complexity, security level, qualitative security properties etc.), such that this trade-off is not well-served by the existing general-purpose cryptography.
Even though the field has already seen nearly two decades of research activities [BP17, SWE02, WSRE03, nisa], lightweight cryptography has been truly brought into the spotlight only recently by the ongoing NIST Lightweight Cryptography (LWC) Standardization process [nisb].
Summary
In the absence of a broadly accepted precise definition, lightweight cryptography can be roughly understood to comprise cryptographic designs created and optimized for a specific design trade-off (along the axes of computational complexity, memory complexity, security level, qualitative security properties etc.), such that this trade-off is not well-served by the existing general-purpose cryptography. In many applications relying on battery-operated low-power devices (such as wireless sensor networks, smart medical implants, etc.) energy is a critical resource and decreasing its consumption is one of the major optimization targets. Towards this goal, we first propose a variable-stretch variant of the CCM standard, naming it vCCM, and prove that it is a secure nonce-based variable-stretch AEAD scheme, i.e., nvAE-secure as formalized by Reyhanitabar et al. [RVV16]. Our proposed vCCM scheme is obtained from CCM using a black-box transformation, i.e., without requiring any changes in the internals of the standard CCM scheme. This property has been the primary design goal in this work: it allows practitioners to benefit from existing software and hardware implementations of CCM, while instantly enabling the trade-off between security level and energy consumption in a flexible and provably sound manner. We believe that salvaging a widely implemented standard such as CCM and instantly enabling a provably graceful trading of security for energy savings is of high interest, with the potential to bring measurable improvements to real-world applications.