Towards Lightweight Side-Channel Security and the Leakage-Resilience of the Duplex Sponge [article]

Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert
2019 IACR Cryptology ePrint Archive  
The ongoing NIST lightweight standardization process explicitly puts forward a requirement of side-channel security, which has renewed interest in Authenticated Encryption schemes (AEs) with light(er)-weight side-channel secure implementations. To address this challenge, we investigate the leakage-resistance of a generic duplex-based stream cipher, and prove the classical bound, i.e., ≈ 2^{c/2}, under an assumption of non-invertible leakage. Based on this, we propose a new 1-pass AE mode TETSponge, which carefully combines a tweakable block cipher that must have strong protections against side-channel attacks and is scarcely used, and a duplex-style permutation that only needs weak side-channel protections and is used to frugally process the message and associated data. TETSponge offers: (i) provable integrity (resp. confidentiality) guarantees in the presence of leakage during both encryption and decryption (resp. encryption only), (ii) some level of nonce misuse robustness, and (iii) black-box AE security with good bounds in the multi-user setting as well. We conclude that TETSponge offers an appealing option for the implementation of low-energy AE in settings where side-channel attacks are an actual concern. Our analysis offers the first rigorous methodology for the analysis of the leakage-resistance of sponge/duplex-based AEs. It can be easily adapted to others: we demonstrate this by showcasing brief analyses of two other 1-pass AEs, Ascon and GIBBON, and two 2-pass AEs, TEDTSponge and ISAP. These provide various insights for both designs and implementations.
dblp:journals/iacr/GuoPPS19 fatcat:tyh5rkjpnveybmk4sgft7awytq