TriviA and uTriviA: two fast and secure authenticated encryption schemes

Abstract

In this paper, we propose two hardware optimized authenticated encryption schemes: TriviA-v2 and uTriviA. Both TriviA-v2, an efficient hardware optimization of TriviA-0-v1, and uTriviA are based on (i) a stream cipher for generating keys for the ciphertext and the tag, and (ii) a pairwise independent hash to compute the tag. We have adopted one of the ISO-standardized stream ciphers for lightweight cryptography, namely Trivium , to obtain our underlying stream cipher. The main structure of TriviA-v2 remains same as TriviA-0-v1, except some changes in the internal functions. The stream cipher used both in TriviA-v2 and uTriviA has a 384-bit state, slightly larger than Trivium, and can accommodate a 128-bit secret key and IV. TriviA-v2 uses a pairwise independent hash which is an adaptation of the EHC or “Encode-Hash-Combine” hash that requires the optimum number of field multiplications and hence requires small hardware footprint. uTriviA uses a pairwise independent hash which is an adaptation of the HC or “Hash-Combine” hash which is close to EHC but does not use any encode function. We prove that TriviA-v2 construction has at least 128-bit security for privacy and 124-bit security of authenticity under the assumption that the underlying stream cipher produces a pseudorandom bit stream. The uTriviA construction achieves at least 128-bit security for privacy and 93-bit security of authenticity under the same assumption. We have implemented the designs in synthesizable RTL. Pre-layout synthesis using 65 nm standard cell technology reveals that TriviA-v2 is able to achieve a high throughput of 65.9 Gbps for an area of 21.2 KGE, whereas TriviA-0-v1 achieved a much higher hardware area. The uTriviA design achieves a hardware area of only 16.74 KGE, which is lowest among all the TriviA variants but with a lower throughput of 36.76 Gbps. Finally, we provide a brief comparison between the three constructions TriviA-0-v1, TriviA-v2 and uTriviA and the other standard implementations in terms of hardware area-efficiency metric.

Appendix

1.1 \({\varDelta }\)-U property of \(\textsf {HC}^{(d)}\) hash

Proof for Theorem 2

Consider \(m \ne m' \in (\{0,1\}^{32})^{\le \ell }, m = (m_1, \ldots , m_{\ell _1}), m' = (m'_1, \ldots , m'_{\ell _2})\). Without any loss of generality, let \(2^{32} \ge \ell _1 \ge \ell _2\). Let, \(K = (k_1, \ldots , k_{\ell _1})\) is the key. Denote \({\varDelta }h_{i} = K_{i}(m_{i} - m'_{i})\), when \(1 \le i \le \ell _2\) and \({\varDelta }h_{i} = K_{i}.m_{i}\) when \(\ell _2 < i \le \ell _1\). Suppose \({\varDelta }_{\{i_1, \ldots , i_s\}} = ({\varDelta }h_{i_{1}}, {\varDelta }h_{i_{2}}, \ldots , {\varDelta }h_{i_{s}})^{T}\) for some distinct \(1 \le i_1, \ldots , i_s \le \ell _1\). We denote \(H = (H_1, \ldots H_d) = \textsf {HC}^{(d)}_{K, (V_1, \ldots , V_d)}(m)\) and \(H' = (H'_1, \ldots H'_d) = \textsf {HC}^{(d)}_{K, (V_1, \ldots , V_d)}(m')\). We also denote \(H_{int} = (H_{int,1}, \ldots H_{int,d}) = \textsf {HC}^{(d, \ell _1)}_{K}(m)\) and \(H'_{int} = (H'_{int,1}, \ldots H'_{int,d}) = \textsf {HC}^{(d, \ell _2)}_{K}(m')\). Define \(S = \{ i_1, i_2, \ldots i_s \} := \{i : m_{i} \ne m_{i}', \ 1 \le i \le \ell _2\) or \(m_i \ne 0, \ \ell _2 < i \le \ell _1\}\), where \(s = |S|\). We now restrict \(V_{\alpha }^{(d)}\) by the columns indexed by \(i_{1}, \ldots i_{s}\) and denote it by \(V^{(d, S)}_{\alpha }\). Choose \(\delta = (\delta _1 \ldots \delta _d) \in \{0, 1\}^{32d}\). Denote \(T = \{ i : \delta _i \ne 0, 1 \le i \le d\}\) and \(T^{*} = [1 \cdots d] - T\). Let the differential probability be p. Clearly,

$$\begin{aligned} p= & {} Pr_{K, (V_1, \ldots , V_d)}[H - H'= \delta ]\\= & {} Pr_{K, (V_1, \ldots , V_d)}[H_{int, i}\\= & {} H_{int, i}', \forall i\in T, V_{j} = \delta _{j}.(H_{int, j}-H'_{int, j})^{-1}, \forall j\in T^{*}]\\= & {} Pr_{K, (V_1, \ldots , V_d)}[H_{int, i} \\= & {} H_{int, i}', \forall i\in T] . Pr[V_{j} = \delta _{j}.(H_{int, j}-H'_{int, j})^{-1}, \forall j\in T^{*}]\\&\quad (Since \ K_1,\ \ldots ,\ K_{\ell },\ V_1, \ldots , V_d \ are independently drawn ) \end{aligned}$$

The term \(Pr_{K, (V_1, \ldots , V_d)}[V_{j} = \delta _{j}.(H_{int, j}-H_{int, j}')^{-1}, \forall j\in T^*] = 2^{-(31)(d-t)}\) by simply conditioning \(K_i\)’s which also fixes \(H_{int, j}\)s and \(H_{int, j}'\)s with \(t = |T|\).

We restrict \(V^{(d)}_{\alpha }\) by the rows with indexes in T and columns with indexes in S and denote it by \(V^{(T, S)}_{\alpha }\). As all the sub-matrices of \(V^{(T, S)}_{\alpha }\) are non-singular, the probability computation for this event is similar to that of the previous theorem. Thus, \(Pr_{K, (V_1, \ldots , V_d)}[H_{int, i} = H_{int, i}', \forall i\in T] = 2^{-31t}\). \(\square \)

1.2 Privacy of uTriviA

Proof for Theorem 4

Let A makes q queries \((N_1, D_1, M_1), \ldots , (N_q, D_q, M_q)\) such that \((N_i, D_i)\)’s are distinct and let \(Z_i\) and \((C_i, T_i)\) be the respective key streams (including the state bit extraction) and final responses. Moreover, let \(T'_i\) denote the intermediate tag obtained from the associated data which are inserted in the state after processing associated data. Let \(\mathcal {N} = \{N: \exists i~ N = N_i\}\) denote the set of all distinct nonces, such that \(q = |\mathcal {N}|\). For each \(N \in \mathcal {N}\), we write \(\mathcal {I}_{N} = \{j : N_j = N\}\) and \(|\mathcal {I}_{N}| = q_N\). Note that \(q_N \le 1\) for all nonces N and \(\sum _{N \in \mathcal {N}} q_N = q\). By our assumption on the stream cipher output, the key stream \(Z_i\)’s would be independently distributed whenever we have distinct nonces. Thus, we define an event \(\textsf {coll}\): There exists \(i \ne j\) such that \(T'_i = T'_j\). Clearly, when \(N \ne N'\), then the states are distinct due to invertible property of Update function. Thus, \(\textsf {Pr}[\textsf {coll}] = 0\), and by using the ideal assumption of the stream cipher, all key streams \(Z_i\)’s (even with same nonce) are independent and uniformly distributed. As \((C_i, T_i)\)’s are injective functions of the key stream \(Z_i\), the distribution of \((C_i, T_i)\)’s is independent and uniform. So the privacy advantage is bounded by the probability \(\frac{q}{2^{128}}\), and hence, the result follows.

1.3 Authenticity of uTriviA

Proof for Theorem 6

As before, let the q queries be \((D_i, N_i, M_i)\) and the corresponding responses be \((C_i, T_i)\) with intermediate tags \(T'_i, 1 \le i \le q\). We also denote the key stream for the ith query be \(Z_i\). By applying the privacy bound, which is \(q/2^{93}\), we may assume that the all q key streams \(Z_1, \ldots , Z_q\) are uniformly and randomly distributed. Now we consider two cases depending on a forging attempt \((N^*, D^*, C^*, T^*)\).

Case A The adversary makes a forging attempt \((N^*, D^*, C^*, T^*)\) with a fresh \((N^*, D^*)\). In this case, let \(N_i = N^*\). Note that, for all \(j \ne i\), the \(Z_j\)’s are independent from \(Z^*\) the key stream for the forging attempt. The \(Z_i\) also would be independent from \(Z^*\) provided that the intermediate tag \(T'_i\) does not collide with the intermediate tag \(T^*\) for the forging attempt. This can happen with probability at most \(2^{-93}\) (from Theorem 2). Whenever \(Z^*\) behaves like a random string, the forging probability will be \(2^{-96}\) (as the tag size is 96). So the total forging probability, in this case, will be at most \(2^{-93} + 2^{-96} \approx 2^{-93}\).

Case B Suppose the adversary makes a forging attempt with \((N^*, D^*) = (N_i, D_i)\) for some i. Note that one of the key streams \(Z_i\) and \(Z^*\) would be a prefix of the other (depending on the length of the ciphertext). Note that for all other \(Z_j\)’s, \(j \ne i\) would be independent of \(Z^*\) and so we can ignore the responses of the other queries. So the forging probability is the same as

$$\begin{aligned} p:= & {} \textsf {Pr}[(N_i, D_i, C^*, T^*) \text{ is } \text{ valid } ~|~ (C_i, T_i)\nonumber \\&\text{ is } \text{ response } \text{ of } (N_i, D_i, M_i)]\,. \end{aligned}$$

(6)

Claim \(p \le 2^{-93}.\)

We postpone the proof of the claim. Assuming this claim, any forging attempt is successful with probability at most \(2^{-93}\) (as the Case A has lower success probability). Since A makes at most \(q_f\) attempts and adding the privacy advantage, the forging probability would be bounded by \(\frac{q}{2^{93}} + \frac{q_f}{2^{93}}\). This completes the proof.

Proof of the Claim Let \(M^*\) be the message corresponding to \(C^*\). We prove it by considering different cases based on \(\ell := \ell _{M_i}\) and \(\ell ^* := \ell _{M^*}\). For simplicity, we assume that both \(M_i\) and \(M^*\) are complete block messages. The proof for incomplete message blocks is similar. We also write Z into a pair (SK, z) where SK denotes the state key and z denotes the output stream. Note that the z-values can be leaked through the ciphertext and some of the z-values may be also used to compute the tag. We mainly need to handle different cases depending on how the z-values are leaked.

Case 1 \(\ell ^* = \ell \) In this case, the conditional forging event can simply be written as \((\textsf {HC}^{3, \ell }(SK ; M_i)\odot z_v) \oplus (\textsf {HC}^{3, \ell }(SK^* ; M^*)\odot z_v^*) = \delta := T_i \oplus T^*\). As, \(\ell ^* = \ell \), thus \(SK = SK^*\) and \(z_v = z_v^*\). By using the known fact that HC is a \(2^{-93}\)-\({\varDelta }\)U hash (Theorem 2), we have \(p \le 2^{-93}\).

For the cases 2, 3 and 4, we denote \(\textsf {HC}^{3, \ell }(SK ; M_i)\odot z_v = (H_1, H_2, H_3)\) and similarly \(\textsf {HC}^{3, \ell ^*}(SK^* ; M^*)\odot z^*_v = (H^*_1, H^*_2, H^*_3)\) where \(H_i\) and \(H^*_i\)s are 32-bit strings. We similarly parse T and \(T^*\) as \((T_1, T_2, T_3)\) and \((T^*_1, T^*_2, T^*_3)\).

Case 2 \(\ell ^* = \ell +1\) In this case, none of the variable keys \(z_v\) are leaked through the ciphertext \(C_i\). So the forging probability is equivalently written as \(p = \textsf {Pr}[H^*_1 \oplus SK_{\ell +2} = T^*_1, H^*_2 \oplus SK_{\ell +3} = T^*_2 , H^*_3 \oplus SK_{\ell +4} = T^*_3~|~ H_1 \oplus SK_{\ell +1} = T_1, H_2 \oplus SK_{\ell +2} = T_2, H_3 \oplus SK_{\ell +3} = T_3].\) Thus, by using the entropy of \(SK_{\ell }, SK_{\ell +3}\) and \({\varDelta }\)U property of HC, we get the bound.

Case 3 \(\ell ^* = \ell +2\) The proof for this case will be similar as the proof in Case 2. Here we use the entropy of \(SK_{\ell -1}, SK_{\ell }, SK_{\ell +2}, SK_{\ell +3}\) and \({\varDelta }\)U property of HC, and we get the bound.

Case 4 \(\ell ^* \ge \ell +3\) In this case, all of the variable keys \(SK_v\) are distinct and \(z_v\) is not leaked through the ciphertext \(C_i\). So the forging probability is equivalently written as \(p = \textsf {Pr}[H^*_1 \oplus SK_{\ell +4} = T^*_1, H^*_2 \oplus SK_{\ell +5} = T^*_2 , H^*_3 \oplus SK_{\ell +6} = T^*_3~|~ H_1 \oplus SK_{\ell +1} = T_1, H_2 \oplus SK_{\ell +2} = T_2, H_3 \oplus SK_{\ell +3} = T_3].\) Thus, by using the entropy of \(SK_{\ell +1}, SK_{\ell +2}, SK_{\ell +3}, SK_{\ell +4}, SK_{\ell +5}, SK_{\ell +6}\), we get the bound.

Case 5 \(\ell ^* = \ell - 1\) In this case, the variable keys are different for both computations. Since one set of variable keys are leaked through the ciphertext and the other has full entropy, we use the fact that HC is \(2^{-93}\)-balanced. Using this, one can show that \(p \le 2^{-93}\).

Case 6 \(\ell ^* \le \ell -2\) Since one set of variable keys are leaked through the ciphertext and the other has full entropy, we use the fact that each of the 32 bit components of the HC hash output is \(2^{-31}\)-balanced. Using this, one can show that \(p \le 2^{-93}\).

By considering all the above cases, we prove that \(p \le 2^{-93}\) which concludes the proof of the claim. \(\square \)