## Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption
[chapter]

Robert Granger, Philipp Jovanovic, Bart Mennink, Samuel Neves

2016
*Lecture Notes in Computer Science*

A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors.

Authenticated encryption (AE) has faced significant attention in light of the ongoing CAESAR competition [16]. An AE scheme aims to provide both confidentiality and integrity of processed data. While the classical approach is predominantly blockcipher-based, where an underlying blockcipher is used to encrypt, novel approaches start from a permutation and either rely on Sponge-based principles or on the fact that the Even-Mansour construction $E(K, M) = P(K \oplus M) \oplus K$ is a blockcipher. Characteristic for the majority of blockcipher-based AE schemes is that they rely on a tweakable blockcipher where changes in the tweak can be realized efficiently. The most prominent example of this is the OCB2 mode which internally uses the XEX tweakable blockcipher [74]: The idea is that every associated data or message block is transformed using a different tweak, where increasing $i_0$, $i_1$, or $i_2$ can be done efficiently. This approach is furthermore used in second-round CAESAR candidates AEZ, COPA, ELmD, OTR, POET, and SHELL. Other approaches to masking include Gray code ordering (used in OCB1 and OCB3 [75, 58] and OMD) and the word-oriented LFSR-based approach where $\delta = \phi^i(E(K, X))$ for some LFSR $\phi$ (suggested by Chakraborty and Sarkar [19]). The same masking techniques can also be used for permutation-based tweakable blockciphers.
For instance, Minalpher uses the Tweakable Even-Mansour (TEM) construction [78] with XEX-like masking, and similar for Prøst. This TEM construction has faced generalizations by Cogliati et al. [25, 26] and Mennink [65], but none of them considers efficiency improvements of the masking.

### Application to Nonce-Based AE

As first application, we present the Offset Public Permutation (OPP) mode in Section 4, a parallelizable nonce-based AE based on MEM. It can be considered as a permutation-based generalization of OCB3 [58] to arbitrary block sizes using permutations and using the improved masking from MEM. Particularly, assuming security of MEM, the proof of [58] mostly carries over, and we obtain that OPP behaves like a random AE up to attack complexity dominated by $\min\{2^{b/2}, 2^k\}$, where $b$ is the size of the permutation and $k$ is the key length. OPP also shows similarities with Kurosawa's adaption of IAPM and OCB to the permutation-based setting [59]. Using the masking techniques described later in this paper, OPP has excellent performance when compared to contemporary permutation-based schemes, such as first-round CAESAR [16] submissions Artemia, Ascon, CBEAM, ICEPOLE, Keyak, NORX, π-Cipher, PRIMATEs, and STRIBOB, or SpongeWrap schemes in general [10, 66]. OPP improves upon these by being inherently parallel and rate-1; the total overhead of the mode reduces to 2 extra permutation calls and the aforementioned efficient masking. In particular, when instantiated with a reduced-round BLAKE2b permutation [5], OPP achieves a peak speed of 0.55 cycles per byte on an Intel Haswell processor (see Section 8). This is faster than any other permutation-based CAESAR submission. In fact, there are only a few CAESAR ciphers, such as Tiaoxin (0.28 cpb) or AEGIS (0.35 cpb), which are faster than the above instantiation of OPP. However, both require AES-NI to reach their best performance and neither of them is arbitrarily parallelizable.
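
The masking principle described above (a public permutation preceded and followed by a tweak-dependent mask, with the mask updated cheaply as the block index grows) is sketched below as an added example; it is not code from the paper or its authors. It uses a powering-up mask in GF(2^128); the stand-in permutation, the mask seed P(nonce ‖ key), and all names and constants are assumptions for illustration, so this is neither MEM's masking function nor secure.

```python
# Toy tweakable Even-Mansour with a powering-up mask (illustration only, NOT secure).
MASK128 = (1 << 128) - 1
MUL = 0x9E3779B97F4A7C15F39CC0605CEDC835       # odd, so invertible mod 2^128 (constructed)
MUL_INV = pow(MUL, -1, 1 << 128)
KEY, NONCE = 0x0123456789ABCDEF, 0x1122334455667788  # constructed 64-bit sample values

def rotl(x, r):
    return ((x << r) | (x >> (128 - r))) & MASK128

def perm(x):
    """Stand-in public permutation P on 128-bit integers (assumption, not BLAKE2b)."""
    for rc in range(1, 9):
        x = rotl(((x ^ rc) * MUL) & MASK128, 41)
    return x

def perm_inv(y):
    for rc in range(8, 0, -1):
        y = ((rotl(y, 128 - 41) * MUL_INV) & MASK128) ^ rc
    return y

def double(x):
    """Multiply by 2 in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1."""
    x <<= 1
    return (x ^ 0x87) & MASK128 if x >> 128 else x

def mask(key, nonce, i):
    """delta_i = 2^i * P(nonce || key), computed directly with i doublings."""
    d = perm(((nonce << 64) | key) & MASK128)
    for _ in range(i):
        d = double(d)
    return d

def enc_block(delta, m):
    """Even-Mansour-style masking: the same mask before and after the permutation."""
    return perm(m ^ delta) ^ delta

def dec_block(delta, c):
    return perm_inv(c ^ delta) ^ delta

def process(key, nonce, blocks, block_fn):
    """Apply block_fn under tweaks (nonce, 0), (nonce, 1), ...; one doubling per block."""
    delta, out = mask(key, nonce, 0), []
    for b in blocks:
        out.append(block_fn(delta, b))
        delta = double(delta)  # tweak i -> i + 1; real code does this branch-free
    return out
```

Calling `process(KEY, NONCE, blocks, enc_block)` and then `process(KEY, NONCE, ct, dec_block)` round-trips the blocks, and equal plaintext blocks at different positions encrypt differently because each position gets its own mask.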

### Application to Nonce-Misuse Resistant AE

We also consider permutation-based authenticated encryption schemes that are resistant against nonce-reuse. We consider "full" nonce-misuse resistance, where the output is completely random for different inputs, but we remark that similarly schemes can be designed to achieve "online" nonce-misuse resistance [28, 43], for instance starting from COPA [2]. It is a well-known result that nonce-misuse resistant schemes are inherently offline, meaning that two passes over the data must be made in order to perform the authenticated encryption. The first misuse-resistant AE we consider is the parallelizable Misuse-Resistant Offset (MRO) mode (Section 5). It starts from OPP, but with the absorption performed on the entire data and with encryption done in counter mode instead.⁵ As the underlying MEM is used by the absorption and encryption parts for different maskings, we can view the absorption and encryption as two independent functions and a classical MAC-then-Encrypt security proof shows that MRO is secure up to complexity dominated by $\min\{2^{b/2}, 2^k, 2^{\tau/2}\}$, where $b$ and $k$ are as before and $\tau$ denotes the tag length. Next, we consider Misuse-Resistant Sponge (MRS) in Section 6. It is not directly based on MEM; it can merely be seen as a cascaded evaluation of the Full-state Keyed Duplex of Mennink et al. [66], a generalization of the Duplex of Bertoni et al. [10]: a first evaluation computes the tag on input of all data, the second evaluation encrypts the message with the tag functioning as the nonce. MRS is mostly presented to suit the introduction of the Misuse-Resistant Sponge-Offset hybrid (MRSO) in Section 7, which absorbs like MRS and encrypts like MRO. (It is also possible to consider the complementary Offset-Sponge hybrid, but we see no potential applications of this construction.)
The schemes MRS and MRSO are proven secure up to complexity of about $\min\{2^{c/2}, 2^{k/2}, 2^{\tau/2}\}$ and $\min\{2^{(b-\tau)/2}, 2^k, 2^{\tau/2}\}$, respectively, where $c$ denotes the capacity of the Sponge. While various blockcipher-based fully misuse-resistant AE schemes exist (such as SIV [76], GCM-SIV [39], HS1-SIV [57], AEZ [42], Deoxys$^=$ and Joltik$^=$ [46, 47] (using Synthetic Counter in Tweak mode [73]), and DAEAD [20]), the state of the art for permutation-based schemes is rather scarce. In particular, the only misuse-resistant AE schemes known in literature are Haddoc and Mr. Monster Burrito by Bertoni et al. [12]. Haddoc lacks a proper formalization but appears to be similar to MRSO, and the security and efficiency bounds mostly carry over. Mr. Monster Burrito is a proof of concept to design a permutation-based robust AE comparable with AEZ [42], but it is four-pass and thus not very practical.⁶

⁵ MRO's structure is comparable with the independently introduced Synthetic Counter in Tweak [73, 46, 47].

⁶ We remark that the state of the art on online misuse-resistant permutation-based AE is a bit more advanced. For instance, APE [1] is online misuse-resistant, and achieves security against the release of unverified plaintext,

doi:10.1007/978-3-662-49890-3_11
fatcat:7hajg3rx7zcfblb4hkyayncs6y