Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption
Robert Granger, Philipp Jovanovic, Bart Mennink, Samuel Neves
EPFL, EPFL, KU Leuven, University of Coimbra
Dagstuhl, January 12, 2016
1 / 18
Tweakable Blockciphers
[Figure: a plain blockcipher E maps m to c under key k; a tweakable blockcipher additionally takes a tweak t]
• Tweak: flexibility to the cipher
• Each tweak gives different permutation
2 / 18
Tweakable Blockciphers in OCB
[Figure: generalized OCB; associated-data blocks A1, ..., Aa and message blocks M1, ..., Md each pass through the tweakable blockcipher E_k with tweaks (N, A_i) and (N, M_i), the checksum ⊕M_i passes through E_k with tweak (N, M⊕) to give the tag T, and C1, ..., Cd are the ciphertext blocks]
• Generalized OCB by Rogaway et al. [RBBK01, Rog04, KR11]
• Internally based on tweakable blockcipher E
• Tweak (N, tweak) is unique for every evaluation
• Change of tweak should be efficient
3 / 18
Masking-Based Tweakable Blockciphers
Blockcipher-Based
[Figure: m ⊕ mask → E_k → ⊕ mask → c, with a tweak-based mask; the state is typically 128 bits]
Permutation-Based
[Figure: m ⊕ mask → P → ⊕ mask → c, with a tweak-based mask; the state is much larger: 256-1600 bits]
4 / 18
Powering-Up Masking (XEX)
• XEX by Rogaway [Rog04]:
[Figure: m ⊕ Δ → E_k → ⊕ Δ → c with mask Δ = 2^α 3^β 7^γ · E_k(N)]
[Figure: permutation-based variant (TEM): m ⊕ Δ → P → ⊕ Δ → c with mask Δ = 2^α 3^β 7^γ · (k‖N ⊕ P(k‖N))]
• (α, β, γ, N) is tweak (simplified)
• Used in OCB2 and in various CAESAR candidates
• Permutation-based variants in Minalpher and Prøst
5 / 18
Powering-Up Masking in OCB2
[Figure: OCB2 with L = E_k(N); associated-data blocks A1, ..., Aa are masked with 2·3²L, 2²·3²L, ..., 2^a·3²L, message blocks M1, ..., Md with 2L, 2²L, ..., 2^d L, and the checksum ⊕M_i with 2^d·3L; every block passes through E_k, giving C1, ..., Cd and the tag T]
• Update of mask: shift and conditional XOR
• Variable time computation
• Expensive on certain platforms
L = E_k(N)
6 / 18
Word-Based Powering-Up Masking
• Chakraborty and Sarkar [CS06]:
[Figure: m ⊕ Δ → E_k → ⊕ Δ → c with mask Δ = z^i · E_k(N)]
• z ∈ {0, 1}^w is a generator, (i, N) is tweak
• Tower of fields: z^i ∈ F_{2^w}[z]/g instead of x^i ∈ F_2[x]/f
• "Word-based powering-up"
• Similar drawbacks as regular powering-up
7 / 18
Gray Code Masking
• OCB1 and OCB3 use Gray codes:
[Figure: m ⊕ Δ → E_k → ⊕ Δ → c with mask Δ = (i ⊕ (i ≫ 1)) · E_k(N)]
• (i, N) is tweak
• Updating: G(i) = G(i−1) ⊕ 2^ntz(i)
• Single XOR
• Logarithmic amount of field doublings (precomputed)
• More efficient than powering-up [KR11]
8 / 18
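Added example (not from the slides or the authors' code) contrasting the two mask updates of slides 6 and 8 in Python: the OCB2 powering-up step as a shift plus conditional XOR next to a branch-free form, and the OCB1/OCB3 Gray-code update G(i)·L = G(i−1)·L ⊕ 2^ntz(i)·L checked against a direct field product. It assumes the standard XEX field GF(2^128) with reduction polynomial x^128 + x^7 + x^2 + x + 1 and a constructed 128-bit value in place of E_k(N).

```python
# Added example: powering-up (OCB2) vs Gray-code (OCB1/OCB3) masking in GF(2^128).
# Assumes the XEX field F_2[x]/(x^128 + x^7 + x^2 + x + 1); L_SAMPLE is a constructed
# stand-in for E_k(N), no block cipher is involved. Python ints give no timing
# guarantees; the point is the *shape* of the update (branch vs no branch).

MASK128 = (1 << 128) - 1
POLY_TAIL = 0x87  # x^7 + x^2 + x + 1: what is XORed in when the top bit falls out


def double_branchy(a: int) -> int:
    """Powering-up step 2·a as 'shift and conditional XOR' (slide 6).
    The data-dependent branch is what makes this variable-time."""
    a <<= 1
    if a >> 128:                      # carry out of bit 127 -> reduce
        a = (a & MASK128) ^ POLY_TAIL
    return a


def double_ct(a: int) -> int:
    """Same map, branch-free: the carry bit selects 0 or POLY_TAIL arithmetically."""
    carry = (a >> 127) & 1
    return ((a << 1) & MASK128) ^ (POLY_TAIL * carry)


def gf_mul(a: int, b: int) -> int:
    """Schoolbook product in GF(2^128); reference only, used to check the masks."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a
        a = double_ct(a)
    return r


def powering_up_masks(L: int, d: int) -> list:
    """OCB2 message masks 2·L, 2^2·L, ..., 2^d·L: one field doubling per block."""
    out, cur = [], L
    for _ in range(d):
        cur = double_ct(cur)
        out.append(cur)
    return out


def ntz(i: int) -> int:
    """Number of trailing zero bits of i >= 1."""
    return (i & -i).bit_length() - 1


def gray_code_masks(L: int, d: int) -> list:
    """OCB1/OCB3 masks G(i)·L, i = 1..d, with G(i) = i ^ (i >> 1), updated as
    G(i)·L = G(i-1)·L ^ 2^ntz(i)·L (slide 8): a single XOR per block plus a
    precomputed table of only log2(d)+1 doublings."""
    table = [L]                                  # table[j] = 2^j · L
    for _ in range(d.bit_length()):
        table.append(double_ct(table[-1]))
    out, cur = [], 0                             # G(0) = 0, so G(0)·L = 0
    for i in range(1, d + 1):
        cur ^= table[ntz(i)]
        out.append(cur)
    return out


def gray_code_masks_direct(L: int, d: int) -> list:
    """Reference: G(i)·L computed as the field product (i ^ (i >> 1)) · L."""
    return [gf_mul(L, i ^ (i >> 1)) for i in range(1, d + 1)]


# Constructed stand-in for L = E_k(N); top bit set so the reduction path is exercised.
L_SAMPLE = 0x0123456789ABCDEF_FEDCBA9876543210 | (1 << 127)
```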
High-Level Contributions
Masked Even-Mansour
• Improved masking of tweakable blockciphers
• Simpler to implement and more efficient
• Constant time (by default)
• Relies on breakthroughs in discrete log computation
Application to Authenticated Encryption
• Nonce-respecting AE in 0.55 cpb
• Misuse-resistant AE in 1.06 cpb
9 / 18
Masked Even-Mansour (MEM)
• Masked Even-Mansour (MEM):
[Figure: m ⊕ Δ → P → ⊕ Δ → c with mask Δ = ϕ_2^γ ∘ ϕ_1^β ∘ ϕ_0^α ∘ P(N‖k)]
• ϕ_i are fixed LFSRs, (α, β, γ, N) is tweak (simplified)
• Combines advantages of:
  • Powering-up masking
  • Word-based LFSRs
• Simpler, constant-time (by default), more efficient
10 / 18
Design Considerations
• Particularly suited for large states (permutations)
• Low operation counts by clever choice of LFSR
• Sample LFSRs (state size b as n words of w bits; ⋘ denotes a rotation of a w-bit word, ≪ a shift):

| b | w | n | ϕ |
|---|---|---|---|
| 128 | 8 | 16 | (x1, ..., x15, (x0 ⋘ 1) ⊕ (x9 ≪ 1) ⊕ (x10 ≪ 1)) |
| 128 | 32 | 4 | (x1, ..., x3, (x0 ⋘ 5) ⊕ x1 ⊕ (x1 ≪ 13)) |
| 128 | 64 | 2 | (x1, (x0 ⋘ 11) ⊕ x1 ⊕ (x1 ≪ 13)) |
| 256 | 64 | 4 | (x1, ..., x3, (x0 ⋘ 3) ⊕ (x3 ≪ 5)) |
| 512 | 32 | 16 | (x1, ..., x15, (x0 ⋘ 5) ⊕ (x3 ≪ 7)) |
| 512 | 64 | 8 | (x1, ..., x7, (x0 ⋘ 29) ⊕ (x1 ≪ 9)) |
| 1024 | 64 | 16 | (x1, ..., x15, (x0 ⋘ 53) ⊕ (x5 ≪ 13)) |
| 1600 | 32 | 50 | (x1, ..., x49, (x0 ⋘ 3) ⊕ (x23 ≪ 3)) |
| ... | ... | ... | ... |

• Work exceptionally well for ARX primitives
11 / 18
Uniqueness of Masking
• Intuitively, masking goes well as long as
  ϕ_2^γ ∘ ϕ_1^β ∘ ϕ_0^α ≠ ϕ_2^γ' ∘ ϕ_1^β' ∘ ϕ_0^α'
  for any (α, β, γ) ≠ (α', β', γ')
• Challenge: set proper domain for (α, β, γ)
• Requires computation of discrete logarithms
  [Figure: state sizes 64, 128, 256, 512, 1024 on a line, grouped by underbraces from smallest to largest:]
  • solved by Rogaway [Rog04]
  • results implicitly used, e.g., by Prøst (2014)
  • solved in this work using breakthroughs in discrete log computation
12 / 18
"Bare" Implementation Results
• Mask computation in cycles per update
• In most pessimistic scenario (for ours):

| Masking | Sandy Bridge | Haswell |
|---|---|---|
| Powering-up | 13.108 | 10.382 |
| Gray code | 6.303 | 3.666 |
| Ours | 2.850 | 2.752 |

• Differences may amplify/diminish in a mode
13 / 18
Application to AE: OPP
[Figure: OPP with L = P(N‖k); associated-data blocks A0, ..., A(a−1) are masked with ϕ^0(L), ϕ^1(L), ..., ϕ^(a−1)(L), message blocks M0, ..., M(d−1) with ϕ_2∘ϕ^0(L), ϕ_2∘ϕ^1(L), ..., ϕ_2∘ϕ^(d−1)(L), and the checksum ⊕M_i with ϕ_2∘ϕ_1²∘ϕ^(d−1)(L); every block passes through P, giving C1, ..., Cd and the tag T]
• Offset Public Permutation (OPP)
• Generalization of OCB3:
  • Permutation-based
  • More efficient MEM masking
• Security against nonce-respecting adversaries
• 0.55 cpb with reduced-round BLAKE2b
L = P(N‖k), ϕ_1 = ϕ ⊕ id, ϕ_2 = ϕ² ⊕ ϕ ⊕ id
14 / 18
Application to AE: MRO
[Figure: MRO with L = P(N‖k); associated-data blocks A0, ..., A(a−1) are masked with ϕ^0(L), ..., ϕ^(a−1)(L), message blocks M0, ..., M(d−1) with ϕ_1∘ϕ^0(L), ..., ϕ_1∘ϕ^(d−1)(L), and the length block |A|‖|M| with ϕ_1²(L), all absorbed through P to produce the tag T; the encryption pass then feeds T‖0, ..., T‖(d−1) through P under mask ϕ_2(L) and XORs the outputs with M0, ..., M(d−1) to give C1, ..., Cd]
• Misuse-Resistant OPP (MRO)
• Fully nonce-misuse resistant version of OPP
• 1.06 cpb with reduced-round BLAKE2b
L = P(N‖k), ϕ_1 = ϕ ⊕ id, ϕ_2 = ϕ² ⊕ ϕ ⊕ id
15 / 18
Implementation
• State size b = 1024
• LFSR on 16 words of 64 bits:
  ϕ(x0, ..., x15) = (x1, ..., x15, (x0 ⋘ 53) ⊕ (x5 ≪ 13))
• P: BLAKE2b permutation with 4 or 6 rounds
• Main implementation results (more in paper), in cycles per byte:

Nonce-respecting:

| Platform | AES-GCM | OCB3 | Deoxys≠ | OPP4 | OPP6 |
|---|---|---|---|---|---|
| Cortex-A8 | 38.6 | 28.9 | - | 4.26 | 5.91 |
| Sandy Bridge | 2.55 | 0.98 | 1.29 | 1.24 | 1.91 |
| Haswell | 1.03 | 0.69 | 0.96 | 0.55 | 0.75 |

Misuse-resistant:

| Platform | GCM-SIV | Deoxys= | MRO4 | MRO6 |
|---|---|---|---|---|
| Cortex-A8 | - | - | 8.07 | 11.32 |
| Sandy Bridge | - | 2.58 | 2.41 | 3.58 |
| Haswell | 1.17 | 1.92 | 1.06 | 1.39 |

16 / 18
Implementation: Parallelizability
• LFSR on 16 words of 64 bits:
  ϕ(x0, ..., x15) = (x1, ..., x15, (x0 ⋘ 53) ⊕ (x5 ≪ 13))
• Begin with state L_i = [x0, ..., x15] of 64-bit words; four applications of ϕ append x16, x17, x18, x19, each of which depends only on the original words, so all four can be computed at once:
  • x16 = (x0 ⋘ 53) ⊕ (x5 ≪ 13)
  • x17 = (x1 ⋘ 53) ⊕ (x6 ≪ 13)
  • x18 = (x2 ⋘ 53) ⊕ (x7 ≪ 13)
  • x19 = (x3 ⋘ 53) ⊕ (x8 ≪ 13)
• Parallelizable (AVX2) and word-sliceable
17 / 18
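Added example (not the MEM-AEAD project's code) for the b = 1024 LFSR of slides 11 and 16-17, written in Python: ϕ, the derived ϕ_1 = ϕ ⊕ id and ϕ_2 = ϕ² ⊕ ϕ ⊕ id, the MEM mask ϕ_2^γ ∘ ϕ_1^β ∘ ϕ_0^α(L) of slide 10, and the four-words-at-once step of slide 17 checked against four single steps. It assumes ⋘ is a 64-bit rotation and ≪ a 64-bit shift, and uses a constructed state in place of L = P(N‖k).

```python
# Added example: the MEM LFSR for b = 1024 (16 x 64-bit words) and the mask built from it.
# Assumptions: <<< is rotate-left of a 64-bit word, << is a 64-bit shift (bits fall off);
# the sample state is constructed and stands in for L = P(N||k) (no permutation used).

from typing import Callable, List

W = 64
M64 = (1 << W) - 1
N_WORDS = 16

State = List[int]


def rotl64(x: int, r: int) -> int:
    return ((x << r) | (x >> (W - r))) & M64


def new_word(x_i: int, x_i5: int) -> int:
    """Feedback word of the 1024-bit LFSR: (x_i <<< 53) ^ (x_{i+5} << 13)."""
    return rotl64(x_i, 53) ^ ((x_i5 << 13) & M64)


def phi(x: State) -> State:
    """One step of phi: drop x0, shift the words left, append the feedback word.
    Fixed moves, one rotate, one shift, one XOR: no data-dependent branch."""
    return x[1:] + [new_word(x[0], x[5])]


def xor(a: State, b: State) -> State:
    return [u ^ v for u, v in zip(a, b)]


def phi1(x: State) -> State:
    """phi_1 = phi ^ id (slides 14-15)."""
    return xor(phi(x), x)


def phi2(x: State) -> State:
    """phi_2 = phi^2 ^ phi ^ id (slides 14-15)."""
    p = phi(x)
    return xor(xor(phi(p), p), x)


def iterate(f: Callable[[State], State], x: State, times: int) -> State:
    for _ in range(times):
        x = f(x)
    return x


def mem_mask(L: State, alpha: int, beta: int, gamma: int) -> State:
    """MEM mask phi_2^gamma o phi_1^beta o phi_0^alpha (L), with phi_0 = phi (slide 10)."""
    return iterate(phi2, iterate(phi1, iterate(phi, L, alpha), beta), gamma)


def phi_four_at_once(x: State) -> State:
    """phi^4 as on slide 17: x16..x19 depend only on x0..x8 of the old state, so the
    four feedback words can be produced in one 4-lane (AVX2-style) step."""
    fresh = [new_word(x[i], x[i + 5]) for i in range(4)]
    return x[4:] + fresh


def phi_power_parallel(x: State, n: int) -> State:
    """phi^n using 4-word steps where possible and single steps for the remainder."""
    for _ in range(n // 4):
        x = phi_four_at_once(x)
    return iterate(phi, x, n % 4)


def constructed_state(seed: int = 0x9E3779B97F4A7C15) -> State:
    """Constructed 1024-bit sample state (an LCG stream, NOT a real P(N||k) output)."""
    words, v = [], seed
    for _ in range(N_WORDS):
        v = (v * 6364136223846793005 + 1442695040888963407) & M64
        words.append(v)
    return words
```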
Conclusion
Masked Even-Mansour
• Simpler, constant-time (by default), more efficient
• Justified by breakthroughs in discrete log computation
• MEM-based AE outperforms its closest competitors
More Info
• https://eprint.iacr.org/2015/999
• https://github.com/MEM-AEAD
Thank you for your attention!
18 / 18