CryptoDB
LM-DAE: Low-Memory Deterministic Authenticated Encryption for 128-bit Security
| Authors: |
|
|---|---|
| Download: | |
| Abstract: | This paper proposes a new lightweight deterministic authenticated encryption (DAE) scheme providing 128-bit security. Lightweight DAE schemes are practically important because resource-restricted devices sometimes cannot afford to manage a nonce properly. For this purpose, we first design a new mode LM-DAE that has a minimal state size and uses a tweakable block cipher (TBC). The design can be implemented with low memory and is advantageous in threshold implementations (TI) as a side-channel attack countermeasure. LM-DAE further reduces the implementation cost by eliminating the inverse tweak schedule needed in the previous TBC-based DAE modes. LM-DAE is proven to be indistinguishable from an ideal DAE up to the O(2n) query complexity for the block size n. To achieve 128-bit security, an underlying TBC must handle a 128-bit block, 128-bit key, and 128+4-bit tweak, where the 4-bit tweak comes from the domain separation. To satisfy this requirement, we extend SKINNY-128-256 with an additional 4-bit tweak, by applying the elastic-tweak proposed by Chakraborti et al. We evaluate the hardware performances of the proposed scheme with and without TI. Our LM-DAE implementation achieves 3,717 gates, roughly 15% fewer than state-of-the-art nonce-based schemes, thanks to removing the inverse tweak schedule. |
Video from TOSC 2020
BibTeX
@article{tosc-2020-30775,
title={LM-DAE: Low-Memory Deterministic Authenticated Encryption for 128-bit Security},
journal={IACR Transactions on Symmetric Cryptology},
publisher={Ruhr-Universität Bochum},
volume={2020, Issue 4},
pages={1-38},
url={https://tosc.iacr.org/index.php/ToSC/article/view/8746},
doi={10.46586/tosc.v2020.i4.1-38},
author={Yusuke Naito and Yu Sasaki and Takeshi Sugawara},
year=2020
}