
Multiplex: TBC-Based Authenticated Encryption at Xiamen University
Slide 1: Multiplex: TBC-Based Authenticated Encryption with Sponge-Like Rate
Yaobin Shen (Xiamen University), joint work with Thomas Peters and François-Xavier Standaert
March 20, FSE 2025 @ Rome

Slide 2: Authenticated Encryption (AE)
Integrity & confidentiality
[Figure: an AE mode split into KDF, message processing, and TGF producing the tag]
Protection against side-channel attacks, e.g., masking
[Figure: the same mode with every component protected]
Significant overheads if all parts are protected

Slide 3: Avoid heavy protection
Leveled implementation [PSV15]: avoid equally protecting all parts of an implementation; identify the protection level of each part (performance gains)
[BPPS17]: DPA-protected KDF/TGF + unbounded leakage for the rest; substantial performance gains for integrity
[Figure: KDF, message processing (the bulk of computation), TGF]
[PSV15]: Olivier Pereira, François-Xavier Standaert, Srinivas Vivek: Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives. CCS 2015: 96-108
[BPPS17]: Francesco Berti, Olivier Pereira, Thomas Peters, François-Xavier Standaert: On Leakage-Resilient Authenticated Encryption with Decryption Leakages. IACR Trans. Symmetric Cryptol. 2017(3): 271-293 (2017)

Slide 4: One-pass Modes: CIML2 + CCAmL1
CIML2 & CCAmL1 [BBB+20]:
CIML2: Ciphertext Integrity with nonce Misuse-resistance and Leakage in encryption & decryption
CCAmL1: CCA with nonce misuse-resilience and Leakage in encryption
Ascon [DEMS21]: sponge-based, DPA protection in KGF & TGF
[BBB+20]: Bellizia et al.: Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher. IACR Trans. Symmetric Cryptol. 2020(S1): 295-349 (2020)
[DEMS21]: Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer: Ascon v1.2: Lightweight Authenticated Encryption and Hashing. J. Cryptol. 34(3): 33 (2021)

Slide 5: One-pass Modes: CIML2 + CCAmL1
TEDT [BGP+20]: TBC-based, rate 1/2 (two TBCs per n-bit message)
[BGP+20]: Francesco Berti, Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert: TEDT, a Leakage-Resist AEAD Mode for High Physical Security Applications. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(1): 256-320 (2020)

Slide 6: One-pass Modes: CIML2 + CCAmL1
Triplex [SPS+22]: n-bit CIML2 + n/2-bit CCAmL1 (n-bit CCA)
Rate 2/3 for the message (three TBCs per 2n-bit block); TBC with n-bit key and 2n-bit tweak
Can we improve the rate of Triplex?
[SPS+22]: Yaobin Shen, Thomas Peters, François-Xavier Standaert, Gaëtan Cassiers, Corentin Verhamme: Triplex: an Efficient and One-Pass Leakage-Resistant Mode of Operation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022(4): 135-162 (2022)

Slide 7: Our new design: Multiplex, more flexible
Multiplex: n-bit CIML2 + n/2-bit CCAmL1 (n-bit CCA)
Rate 2/3 for a TBC with 2n-bit tweak
Multiplex vs Triplex: flexible rate d/(d+1) vs fixed rate 2/3; parallel vs sequential TBC calls in each iteration; the nonce only appears in the first TBC call

Slide 8: Our new design: Multiplex, more flexible
Multiplex: n-bit CIML2 + n/2-bit CCAmL1 (n-bit CCA)
To obtain a better rate: 1. use a TBC with a larger tweak; 2. increase the number of TBC calls in each iteration
Rate 3/4 for a TBC with 3n-bit tweak

Slide 9: Main component of Multiplex: Multihash
Turn the compression function F into encryption and authentication: encrypt M, then authenticate C
Hirose DBL compression on a TBC [Hir06]
[Hir06]: Shoichi Hirose: Some Plausible Constructions of Double-Block-Length Hash Functions. FSE 2006: 210-225
[SPS+22]: Yaobin Shen, Thomas Peters, François-Xavier Standaert, Gaëtan Cassiers, Corentin Verhamme: Triplex: an Efficient and One-Pass Leakage-Resistant Mode of Operation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022(4): 135-162 (2022)

Slide 10: Main component of Multiplex: Multihash
Multihash: output multiple blocks in each iteration
n-bit collision resistance, as only a 2n-bit state cannot be manipulated
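As an added illustration of the Hirose DBL compression the Multihash slides build on (this is not code from the talk or from the Triplex/Multiplex papers): a Hirose-style double-block-length compression function on a TBC interface with an n-bit key, 2n-bit tweak and n-bit block, chained into a multi-block hash that counts its TBC calls. The TBC is a toy HMAC-based Feistel stand-in with no security claim, and the mapping key = h, tweak = message block, block inputs = g and g xor c is an assumption for the demonstration; what it shows is the two-TBC-calls-per-iteration structure and the 2n-bit chaining state (h, g) that the slides refer to.

```python
"""Hirose-style double-block-length (DBL) compression on a tweakable block cipher.

Illustrative example only: the toy TBC and the key/tweak mapping below are
assumptions for demonstration, not the Triplex or Multiplex specification."""
import hashlib
import hmac

N = 16                 # block size in bytes: n = 128 bits
CONST = b"\x01" * N    # Hirose's fixed nonzero constant c (assumed value)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, tweak: bytes, rnd: int, half: bytes) -> bytes:
    # keyed, tweak- and round-dependent PRF, truncated to one half-block
    return hmac.new(key, tweak + bytes([rnd]) + half, hashlib.sha256).digest()[: N // 2]


def toy_tbc(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """E_K^T(X): 4-round Feistel TBC with n-bit key, 2n-bit tweak, n-bit block (toy stand-in)."""
    assert len(key) == N and len(tweak) == 2 * N and len(block) == N
    left, right = block[: N // 2], block[N // 2 :]
    for rnd in range(4):
        left, right = right, xor(left, round_fn(key, tweak, rnd, right))
    return left + right


def toy_tbc_inv(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Inverse of toy_tbc; shows the primitive really is a (toy) block cipher."""
    left, right = block[: N // 2], block[N // 2 :]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_fn(key, tweak, rnd, left)), left
    return left + right


def hirose_compress(h: bytes, g: bytes, m: bytes):
    """One DBL iteration [Hir06]: two TBC calls under the same (key, tweak).

    Assumed mapping onto the TBC: key = h (n bits), tweak = m (2n bits),
    block inputs = g and g xor c. Returns the new 2n-bit state (h', g')."""
    assert len(m) == 2 * N
    g_new = xor(toy_tbc(h, m, g), g)
    x = xor(g, CONST)
    h_new = xor(toy_tbc(h, m, x), x)
    return h_new, g_new


def dbl_hash(msg: bytes):
    """Chain the compression function over 2n-bit blocks.

    Returns (2n-bit digest, number of TBC calls). Padding is 0x80 then zeros;
    a deployable hash would also encode the message length."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % (2 * N))
    h, g = b"\x00" * N, b"\x00" * N          # fixed initial 2n-bit state
    calls = 0
    for i in range(0, len(padded), 2 * N):
        h, g = hirose_compress(h, g, padded[i : i + 2 * N])
        calls += 2                            # two TBC calls per 2n-bit block
    return h + g, calls


if __name__ == "__main__":
    digest, calls = dbl_hash(b"constructed sample message")
    print(digest.hex(), calls)
```

The call counter makes the cost visible: every 2n-bit block costs exactly two TBC calls under the same key and tweak, which is the structure Triplex and Multiplex build on when they add the encryption call and widen the tweak.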
Slide 11: Integrity and confidentiality of Multiplex
Integrity: ? log2?? bits of CIML2 in the unbounded leakage model; integrity holds if #queries 2?/??
Confidentiality: n/2 bits for CCAmL1; ? log2? bits of confidentiality without leakage in the nonce misuse-resilient setting
[GPPS19]: Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert: Authenticated Encryption with Nonce Misuse and Physical Leakage: Definitions, Separation Results and First Construction (Extended Abstract). LATINCRYPT 2019: 150-172
[ADL17]: Tomer Ashur, Orr Dunkelman, Atul Luykx: Boosting Authenticated Encryption Robustness with Minimal Modifications. CRYPTO (3) 2017: 3-33

Slide 12: Parameters of Multiplex
Multiplex is based on a TBC with n-bit key and dn-bit tweak
The rate can be 3/4 with Deoxys-TBC-512 and 4/5 with Deoxys-TBC-640 [BJPS24]
[BJPS24]: Benoît Cogliati, Jérémy Jean, Thomas Peyrin, Yannick Seurin: A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers. IACR Commun. Cryptol. 1(2): 17 (2024)

Slide 13: Sponge-based vs TBC-based constructions
Duplex construction [BDPV11]: the rate can be increased if the size of the permutation is increased
Multiplex: the rate can also be increased if the tweak size of the TBC is increased
Interesting question: how security (the number of rounds of the primitives) scales as a function of the tweak and permutation sizes, in order to compare both options
[BDPV11]: Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche: Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications. Selected Areas in Cryptography 2011: 320-337

Slide 14: Conclusion
Multiplex: a more flexible design than Triplex; rate d/(d+1) for a TBC with dn-bit tweak and n-bit key

Slide 15: Thanks

Slide 16: Supplementary material
A shorter-block variant of Multiplex based on a TBC with n/2-bit block, n-bit key, and 2n-bit tweak
Can this construction achieve n-bit security?

Slide 17: Multi-block hash function
MBLhash: the rate is low compared to Multihash
We can achieve high collision resistance with a large-tweak TBC