Towards Low-Energy Leakage-Resistant Authenticated Encryption from the Duplex Sponge Construction

  • Chun Guo Key Laboratory of Cryptologic Technology and Information Security of Ministry of Education, Shandong University, Qingdao, Shandong, 266237, China; School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China; Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM), UCLouvain, B-1348 Louvain-la-Neuve, Belgium
  • Olivier Pereira Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM), UCLouvain, B-1348 Louvain-la-Neuve, Belgium
  • Thomas Peters Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM), UCLouvain, B-1348 Louvain-la-Neuve, Belgium
  • François-Xavier Standaert Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM), UCLouvain, B-1348 Louvain-la-Neuve, Belgium
Keywords: Authenticated Encryption, Duplex Construction, Leakage-Resistance, Leveled Implementations, Multi-User/Beyond Birthday Security

Abstract

The ongoing NIST lightweight cryptography standardization process highlights the importance of resistance to side-channel attacks, which has renewed interest in Authenticated Encryption schemes (AEs) with light(er)-weight side-channel secure implementations. To address this challenge, our first contribution is to investigate the leakage-resistance of a generic duplex-based stream cipher. When the capacity of the duplex is c bits, we prove the classical bound, i.e., ≈ 2^{c/2}, under an assumption of non-invertible leakage. Based on this, we propose a new 1-pass AE mode TETSponge, which carefully combines a tweakable block cipher that must have strong protections against side-channel attacks and is scarcely used, and a duplex-style permutation that only needs weak side-channel protections and is used to frugally process the message and associated data. It offers: (i) provable integrity (resp. confidentiality) guarantees in the presence of leakage during both encryption and decryption (resp. encryption only), (ii) some level of nonce misuse robustness. We conclude that TETSponge is an appealing option for the implementation of low-energy AE in settings where side-channel attacks are a concern. We also provide the first rigorous methodology for the leakage-resistance of sponge/duplex-based AEs based on a minimal non-invertibility assumption on leakages, which leads to various insights on designs and implementations.
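The leveled arrangement the abstract describes (one strongly protected call per message, then a cheap permutation for all per-block work) in the form of a generic duplex-based stream cipher, as an added illustration written for this page. It is not TETSponge, not the authors' code, and carries none of the paper's proofs: the 32-byte ARX-style permutation is a toy standing in for a real permutation, HMAC-SHA256 stands in for the tweakable block cipher used at initialization, and all names (`Duplex`, `protected_init`, `keystream`, rate and capacity sizes) are the example's own assumptions.

```python
"""Toy duplex-based stream cipher in a 'leveled' arrangement (added example, not the paper's
TETSponge). One call to a strongly protected component derives the initial state from key and
nonce; afterwards every output block costs one call of a cheap permutation. The permutation is
a toy mixer for illustration only, and HMAC-SHA256 is an assumed stand-in for the paper's TBC."""
import hashlib
import hmac

RATE = 16        # r = 128 bits: the only part of the state ever output
CAPACITY = 16    # c = 128 bits: never output; the generic bound is about 2^(c/2) queries
STATE = RATE + CAPACITY


def _rotl8(x: int, k: int) -> int:
    return ((x << k) | (x >> (8 - k))) & 0xFF


def toy_permutation(state: bytes, rounds: int = 12) -> bytes:
    """Invertible mixing of a 32-byte state: every step is a bijection on one byte given the
    others, so the whole map is a permutation. It is NOT cryptographically strong; a real
    instantiation would use Keccak-f or a comparable permutation."""
    s = list(state)
    n = len(s)
    for r in range(rounds):
        for i in range(n):
            s[i] = (s[i] + s[(i + 1) % n] + r) & 0xFF   # add neighbour and round constant
            s[i] ^= _rotl8(s[(i + 5) % n], 3)           # xor a rotated distant byte
        s = s[1:] + s[:1]                               # rotate the whole state by one byte
    return bytes(s)


class Duplex:
    """Generic duplex object: callers see RATE bytes per call, CAPACITY bytes stay hidden."""

    def __init__(self, initial_state: bytes) -> None:
        assert len(initial_state) == STATE
        self._state = initial_state

    def duplexing(self, block: bytes = b"") -> bytes:
        """Absorb up to RATE bytes into the rate, apply the permutation, return the new rate.
        Blocks shorter than RATE get simple 10* padding (a full block is absorbed as-is; a real
        design also domain-separates the two cases)."""
        assert len(block) <= RATE
        if len(block) < RATE:
            block = block + b"\x01" + b"\x00" * (RATE - len(block) - 1)
        rate = bytes(a ^ b for a, b in zip(self._state[:RATE], block))
        self._state = toy_permutation(rate + self._state[RATE:])
        return self._state[:RATE]


def protected_init(key: bytes, nonce: bytes) -> bytes:
    """The one call per message that needs strong side-channel protection. The paper uses a
    tweakable block cipher here; this example substitutes HMAC-SHA256 as a PRF (an assumption
    of the example). Its 32-byte output is exactly one STATE."""
    return hmac.new(key, b"init|" + nonce, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, n_bytes: int) -> bytes:
    """Leveled stream cipher: strongly protected init once, then only permutation calls."""
    d = Duplex(protected_init(key, nonce))
    out = b""
    while len(out) < n_bytes:
        out += d.duplexing()   # squeeze RATE bytes; the capacity half is never revealed
    return out[:n_bytes]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Confidentiality only: a tag (and hence integrity) is what the full AE mode adds."""
    return xor_bytes(msg, keystream(key, nonce, len(msg)))


decrypt = encrypt   # a stream cipher is its own inverse


if __name__ == "__main__":
    k, n = b"\x11" * 16, b"\x22" * 16          # constructed key and nonce for the demo
    ct = encrypt(k, n, b"constructed sample message")
    assert decrypt(k, n, ct) == b"constructed sample message"
```

Two things the block makes concrete that the abstract only names. First, the energy split: after `protected_init`, an attacker observing side channels sees only `toy_permutation` runs, so that is the only component that needs countermeasures against repeated measurement. Second, the nonce-misuse caveat in item (ii): calling `keystream` twice with the same key and nonce returns identical bytes, so two messages encrypted under one nonce leak their XOR; the robustness the paper claims for TETSponge is a property of the full mode, not of this bare stream cipher.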

Published
2020-05-07
How to Cite
Guo, C., Pereira, O., Peters, T., & Standaert, F.-X. (2020). Towards Low-Energy Leakage-Resistant Authenticated Encryption from the Duplex Sponge Construction. IACR Transactions on Symmetric Cryptology, 2020(1), 6-42. https://doi.org/10.13154/tosc.v2020.i1.6-42
Section
Articles