Abstract
We propose TEDT, a new Authenticated Encryption with Associated Data (AEAD) mode leveraging Tweakable Block Ciphers (TBCs). TEDT provides the following features: (i) It offers full leakage-resistance, that is, it limits the exploitability of physical leakages via side-channel attacks, even if these leakages happen during every message encryption and decryption operation. Moreover, the leakage integrity bound is asymptotically optimal in the multi-user setting. (ii) It offers nonce misuse-resilience, that is, the repetition of nonces does not impact the security of ciphertexts produced with fresh nonces. (iii) It can be implemented with a remarkably low energy cost when strong resistance to side-channel attacks is needed, supports online encryption and handles static and incremental associated data efficiently. Concretely, TEDT encourages so-called leveled implementations, in which two TBCs are implemented: the first one needs strong and energy-demanding protections against side-channel attacks but is used in a limited way, while the other only requires weak and energy-efficient protections and performs the bulk of the computation. As a result, TEDT leads to more energy-efficient implementations compared to traditional AEAD schemes, whose side-channel security requires uniformly protecting every (T)BC execution.
Highlights
The development of Authenticated Encryption with Associated Data (AEAD) schemes has been an area of extremely active research since the beginning of this millennium
This paper proposes TEDT, a new AEAD mode for tweakable block ciphers that primarily aims at high efficiency when strong resistance to side-channel attacks is needed; such attacks are among the most practical threats against cryptographic implementations, as highlighted in a recent white paper [ABB+, chapter 1.1]; see also [EKM+08, MBKP11, ZYSQ13, BGRV15, GPT15, GST17, DK18].
The overheads for the full AEAD mode are of the same order, since all message blocks are processed by the strongly protected block cipher. Another approach consists in designing leakage-resilient or leakage-resistant modes of operation [BMOS17, BKP+18, BPPS17, DEM+17]. These modes, which often come with some computational overheads in the black-box setting (e.g., they require more block cipher calls than a standard AEAD or require more keying material), aim at considerably reducing the effect of leakages and the possibility to mount a Differential Power Analysis (DPA).
Summary
The development of Authenticated Encryption with Associated Data (AEAD) schemes has been an area of extremely active research since the beginning of this millennium. Another approach consists in designing leakage-resilient or leakage-resistant modes of operation [BMOS17, BKP+18, BPPS17, DEM+17]. These modes, which often come with some computational overheads in the black-box setting (e.g., they require more block cipher calls than a standard AEAD or require more keying material), aim at considerably reducing the effect of leakages and the possibility to mount a DPA. They can lead to more efficient implementations for a given level of resistance to side-channel attacks. Even if these modes come with apparently heavier requirements in the black-box world (TEDT requires 4 calls of a TBC per message block), this cost is expected to be largely compensated by the more limited use of side-channel countermeasures that is required. To better explain and further illustrate the advantage of TEDT, we provide a black-box CCA security proof in the supplementary material, Appendix D.
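The abstract and summary above describe the leveled-implementation idea only in prose: a strongly protected TBC keyed with the long-term key is invoked a constant number of times per message, while a cheaply protected TBC with ephemeral, regularly refreshed keys does the per-block work, so that a DPA adversary never sees many traces under one key. The following added example (not code from the paper or its authors, and not TEDT's actual construction) makes that cost accounting concrete with a generic rekeying skeleton: one strong call for key derivation, one strong call for the tag, two weak calls per block. The `toy_tbc` function is an assumed placeholder (a SHA-256-based keyed PRF, not a real tweakable block cipher), and every name below is an assumption for illustration.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # block size in bytes of the toy TBC (assumed)


def toy_tbc(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Toy stand-in for a tweakable block cipher: a keyed PRF built from SHA-256.
    It is NOT invertible and NOT a real TBC; only the call pattern matters here."""
    assert len(block) == BLOCK
    return hashlib.sha256(b"toy-tbc" + key + tweak + block).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LeveledAEADSkeleton:
    """Assumed skeleton of a leveled design (not TEDT itself).

    'strong' = heavily protected TBC keyed with the long-term key; used a constant
    number of times per message, independent of its length.
    'weak'   = cheaply protected TBC used per block, always under an ephemeral key
    that is refreshed after every use, so each key is exercised only a few times."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.calls = Counter()  # counts invocations per protection level

    def strong(self, tweak: bytes, block: bytes) -> bytes:
        self.calls["strong"] += 1
        return toy_tbc(self.master_key, tweak, block)

    def weak(self, key: bytes, tweak: bytes, block: bytes) -> bytes:
        self.calls["weak"] += 1
        return toy_tbc(key, tweak, block)

    def _keystream_xor(self, nonce: bytes, data: bytes) -> bytes:
        # 1 strong call: derive the ephemeral key for this nonce from the master key.
        k = self.strong(b"kdf", nonce)
        out = b""
        for i in range(0, len(data), BLOCK):
            chunk = data[i:i + BLOCK]
            ctr = (i // BLOCK).to_bytes(4, "big")
            # 2 weak calls per block: one keystream block, then one key update (rekeying).
            ks = self.weak(k, b"ks" + ctr, bytes(BLOCK))
            k = self.weak(k, b"up" + ctr, bytes(BLOCK))
            out += _xor(chunk, ks[:len(chunk)])
        return out

    def _tag(self, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
        # Unkeyed hash of (nonce, AD, ciphertext), then 1 strong call to bind it to the key.
        digest = hashlib.sha256(nonce + len(ad).to_bytes(8, "big") + ad + ct).digest()[:BLOCK]
        return self.strong(b"tag" + nonce, digest)

    def encrypt(self, nonce: bytes, ad: bytes, msg: bytes):
        assert len(nonce) == BLOCK
        ct = self._keystream_xor(nonce, msg)
        return ct, self._tag(nonce, ad, ct)

    def decrypt(self, nonce: bytes, ad: bytes, ct: bytes, tag: bytes):
        """Returns the plaintext, or None if the tag does not verify.
        The tag is checked before any keystream is produced, so a forgery costs the
        defender one strong call and leaks nothing about the ephemeral keys."""
        assert len(nonce) == BLOCK
        if not hmac.compare_digest(self._tag(nonce, ad, ct), tag):
            return None
        return self._keystream_xor(nonce, ct)


def call_profile(n_blocks: int) -> dict:
    """Cost of encrypting n_blocks full blocks: strong calls stay constant at 2,
    weak calls grow as 2 * n_blocks."""
    enc = LeveledAEADSkeleton(b"K" * BLOCK)  # constructed sample key
    enc.encrypt(b"N" * BLOCK, b"", bytes(BLOCK * n_blocks))
    return dict(enc.calls)


if __name__ == "__main__":
    for n in (1, 8, 64):
        print(n, "blocks ->", call_profile(n))
```

The point the profile makes is the one the summary argues: the per-block cost lands entirely on the cheaply protected primitive, so the expensive countermeasures are paid for twice per message rather than once per block. The real TEDT mode makes different concrete choices (the abstract quotes 4 TBC calls per block and specific security bounds); the skeleton only illustrates how the leveled split distributes the calls.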