Abstract
Deterministic authenticated encryption (DAE) provides data integrity and authenticity with a certain robustness. Previous DAE schemes for low memory are based on block ciphers (BCs) or tweakable block ciphers (TBCs), which can be implemented with 3s bits of memory for s-bit security. On the other hand, schemes based on cryptographic permutations have attracted many researchers and standardization bodies. However, existing permutation-based DAEs require at least 4s bits, or even 5s bits, of memory. In this paper, \(\textsf{PALM}\), a new permutation-based DAE mode that can be implemented with only 3s bits of memory, is proposed, implying that permutation-based DAEs can achieve a memory size competitive with BC- and TBC-based DAEs. Our hardware implementation of \(\textsf{PALM}\), instantiated with PHOTON\(_{256}\) for 128-bit security, achieves 3,585 GE, comparable with the state-of-the-art TBC-based DAE. Finally, the optimality of the 3s bits of memory of \(\textsf{PALM}\) is shown.
Notes
- 1.
There may be a case in which the tag comparison is included in hardware by using additional memory. As long as the comparison targets are all SIV-like schemes with the same tag size, as in this paper, whether or not T is counted during decryption has no impact on the fairness of the comparison. The situation changes when side-channel attack (SCA) is a concern. In such a case, tag comparison needs SCA protection [16] and should be included in the hardware implementation. This increases the memory requirement in Table 1 for all the schemes except HADDOC, which anyway stores the tag during both encryption and decryption.
- 2.
The designers claim that “since key bits and tweak bits are used without schedule in TEM-PHOTON, in the case where they can be sent multiple times by the external provider, local storage can be saved.” They also claim that “When key and tweak has to be stored locally, they can be stored using 256 regular 1-bit flip-flops.” As discussed above, we argue that the latter is the most natural implementation.
- 3.
Specifically, our security bound is \(\min \left\{ k- \log _2 (b-k), \frac{b}{2} \right\} \) bits. Since \(\log _2 (b-k)\) is small, we omit the term in this paper.
- 4.
For a forward query \(X\) to \(\pi \) (resp. inverse query \(Y\) to \(\pi ^{-1}\)), the response \(Y\) (resp. \(X\)) is defined as \(Y\xleftarrow {\$}\{0,1\}^b\backslash \mathcal {L}_\pi ^2\) (resp. \(X\xleftarrow {\$}\{0,1\}^b\backslash \mathcal {L}_\pi ^1\)), and the query-response pair \((X, Y)\) is added to \(\mathcal {L}_\pi \): \(\mathcal {L}_\pi \xleftarrow {\cup }\mathcal {L}_\pi \cup \{(X, Y)\}\).
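The lazy sampling described in this note is the standard way an ideal permutation is simulated in a proof: nothing is fixed until it is queried, and each fresh answer is drawn uniformly from the values not yet used on the other side, so the transcript always stays a partial bijection. The following Python is an added illustration, not code from the paper; it assumes that \(\mathcal {L}_\pi ^1\) and \(\mathcal {L}_\pi ^2\) denote the sets of first and second components of the pairs in \(\mathcal {L}_\pi \) (queried inputs and queried outputs), as the note's usage suggests, and it uses a seedable RNG so that a simulation run can be reproduced.

```python
import random
from typing import Dict, List, Optional, Tuple


class LazyPermutation:
    """Lazily sampled random permutation on {0,1}^b (added example; not the
    paper's code). The transcript L_pi is kept as two dictionaries: `fwd`
    maps X -> Y, so its keys are L_pi^1 (queried inputs), and `inv` maps
    Y -> X, so its keys are L_pi^2 (queried outputs). A fresh forward query X
    draws Y uniformly from {0,1}^b \\ L_pi^2; a fresh inverse query Y draws X
    uniformly from {0,1}^b \\ L_pi^1. Repeated queries are answered from the
    transcript, which keeps the simulated pi consistent and injective."""

    def __init__(self, b: int, seed: Optional[int] = None) -> None:
        if b <= 0:
            raise ValueError("block size b must be positive")
        self.b = b
        self.size = 1 << b
        self.fwd: Dict[int, int] = {}
        self.inv: Dict[int, int] = {}
        # Seedable RNG for reproducible simulations (assumption of this
        # example); a deployed oracle would use a cryptographic source.
        self._rng = random.Random(seed)

    def _check(self, v: int) -> None:
        if not 0 <= v < self.size:
            raise ValueError(f"value {v} is not a {self.b}-bit string")

    def _fresh(self, used: Dict[int, int]) -> int:
        """Sample uniformly from {0,1}^b minus the keys of `used`.
        Rejection sampling is exactly uniform on the complement, and it
        terminates because a fresh query on one side of the permutation
        guarantees at least one unused value on the other side."""
        if len(used) >= self.size:
            raise RuntimeError("permutation fully defined; no fresh value left")
        while True:
            v = self._rng.randrange(self.size)
            if v not in used:
                return v

    def forward(self, x: int) -> int:
        """Query pi(X): return the recorded Y, or sample and record one."""
        self._check(x)
        if x in self.fwd:
            return self.fwd[x]
        y = self._fresh(self.inv)   # Y <-$ {0,1}^b \ L_pi^2
        self.fwd[x] = y             # L_pi <- L_pi u {(X, Y)}
        self.inv[y] = x
        return y

    def inverse(self, y: int) -> int:
        """Query pi^{-1}(Y): return the recorded X, or sample and record one."""
        self._check(y)
        if y in self.inv:
            return self.inv[y]
        x = self._fresh(self.fwd)   # X <-$ {0,1}^b \ L_pi^1
        self.fwd[x] = y             # L_pi <- L_pi u {(X, Y)}
        self.inv[y] = x
        return x

    def transcript(self) -> List[Tuple[int, int]]:
        """The query-response list L_pi as sorted (X, Y) pairs."""
        return sorted(self.fwd.items())


def is_consistent_bijection(pi: LazyPermutation) -> bool:
    """Check that the transcript is a partial bijection: no input or output
    occurs twice and the forward and inverse tables agree."""
    pairs = pi.transcript()
    xs = [x for x, _ in pairs]
    ys = [y for _, y in pairs]
    return (len(set(xs)) == len(xs) and len(set(ys)) == len(ys)
            and all(pi.inv[y] == x for x, y in pairs))


def exhaust(b: int, seed: int = 0) -> bool:
    """Query every input of a b-bit lazy permutation and confirm the answers
    form a full permutation of {0,1}^b (feasible only for tiny b)."""
    pi = LazyPermutation(b, seed)
    outputs = [pi.forward(x) for x in range(1 << b)]
    return sorted(outputs) == list(range(1 << b)) and is_consistent_bijection(pi)


if __name__ == "__main__":
    # Constructed usage: mix forward and inverse queries on a 256-bit
    # permutation, as a simulator interacting with an adversary would.
    pi = LazyPermutation(256, seed=1)
    y = pi.forward(0x1234)
    print(pi.inverse(y) == 0x1234, is_consistent_bijection(pi), exhaust(4))
```

For the b = 256 case relevant to PHOTON\(_{256}\) the rejection loop essentially never repeats, since the excluded set has at most as many elements as there were queries; the `exhaust` check is only there to make the bijection property visible on a toy block size.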
- 5.
Specifically, internal values of the PRNG part of the decryption are not revealed as long as no forgery occurs (\(\textsf{bad}_6\)). Hence, the collision event does not yield an attack.
- 6.
Note that a collision for the last output block \(W_{d_\beta }^{(\beta )}\), which is defined by using a tag, is not considered in this event, and instead considered in \(\textsf{bad}_4\).
- 7.
Since \(V_{i+1}^{(\alpha )} = W_{i}^{(\alpha )}\) and \(V_{j+1}^{(\beta )} = W_{j}^{(\beta )}\), \(\textsf{bad}_4\) covers collisions with the input blocks.
- 8.
Obtained by dividing the primitive’s latency by the message block size.
References
Nalla Anandakumar, N., Peyrin, T., Poschmann, A.: A very compact FPGA implementation of LED and PHOTON. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 304–321. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_18
Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_18
Andreeva, E., Lallemand, V., Purnal, A., Reyhanitabar, R., Roy, A., Vizár, D.: Forkcipher: a new primitive for authenticated encryption of very short messages. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 153–182. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_6
Armknecht, F., Hamann, M., Mikhalev, V.: Lightweight authentication protocols on ultra-constrained RFIDs - myths and facts. In: Saxena, N., Sadeghi, A.-R. (eds.) RFIDSec 2014. LNCS, vol. 8651, pp. 1–18. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13066-8_1
Banik, S., Bogdanov, A., Luykx, A., Tischhauser, E.: SUNDAE: small universal deterministic authenticated encryption for the internet of things. IACR Trans. Symmetric Cryptol. 2018(3), 1–35 (2018)
Bao, Z., Guo, J., Iwata, T., Song, L.: SIV-TEM-PHOTON authenticated encryption and hash family (2019)
Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Assche, G.V., Keer, R.V.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017)
Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Sponge functions. In: ECRYPT Hash Workshop 2007 (2007)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19
Bertoni, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: Using Keccak technology for AE: Ketje, Keyak and more. In: SHA-3 2014 Workshop (2014)
Böck, H., Zauner, A., Devlin, S., Somorovsky, J., Jovanovic, P.: Nonce-disrespecting adversaries: practical forgery attacks on GCM in TLS. ePrint 2016, 475 (2016)
Chakraborti, A., Datta, N., Jha, A., Mancillas-López, C., Nandi, M., Sasaki, Y.: ESTATE: a lightweight and low energy authenticated encryption mode. IACR Trans. Symmetric Cryptol. 2020(S1), 350–389 (2020)
Chang, D., et al.: Release of unverified plaintext: tight unified model and application to ANYDAE. IACR Trans. Symmetric Cryptol. 2019(4), 119–146 (2019)
Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2: lightweight authenticated encryption and hashing. J. Cryptol. 34(3), 33 (2021)
Dobraunig, C., Mennink, B.: Leakage resilient value comparison with application to message authentication. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 377–407. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_13
Dworkin, M.: Recommendation for block cipher modes of operation: methods for key wrapping. NIST SP 800-38F (2012)
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
Groß, H., Wenger, E., Dobraunig, C., Ehrenhöfer, C.: Suit up! - made-to-measure hardware implementations of ASCON. In: DSD 2015, pp. 645–652. IEEE Computer Society (2015)
Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_13
Harkins, D.: RFC5297: synthetic initialization vector (SIV) authenticated encryption using the advanced encryption standard (AES) (2008). https://tools.ietf.org/html/rfc5297
Jovanovic, P., Luykx, A., Mennink, B., Sasaki, Y., Yasuda, K.: Beyond conventional security in sponge-based authenticated encryption modes. J. Cryptol. 32(3), 895–940 (2019)
Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_19
Naito, Y., Sasaki, Y., Sugawara, T.: LM-DAE: low-memory deterministic authenticated encryption for 128-bit security. IACR Trans. Symmetric Cryptol. 2020(4), 1–38 (2020)
NanGate: NanGate FreePDK45 open cell library. http://www.nangate.com
NIST: Submission requirements and evaluation criteria for the lightweight cryptography standardization process (2018). https://csrc.nist.gov/Projects/lightweight-cryptography
Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Hiraga, Y., Naito, Y., Sasaki, Y., Sugawara, T. (2023). Permutation-Based Deterministic Authenticated Encryption with Minimum Memory Size. In: Athanasopoulos, E., Mennink, B. (eds) Information Security. ISC 2023. Lecture Notes in Computer Science, vol 14411. Springer, Cham. https://doi.org/10.1007/978-3-031-49187-0_18
DOI: https://doi.org/10.1007/978-3-031-49187-0_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-49186-3
Online ISBN: 978-3-031-49187-0
eBook Packages: Computer Science (R0)