International Association for Cryptologic Research (IACR)
Abstract
This paper proposes tweakable block cipher (TBC) based modes PFB_Plus and PFBω that are efficient in threshold implementations (TI). Let t be the algebraic degree of a target function, e.g. t=1 for a linear function and t>1 for a non-linear one. A d-th order TI encodes the internal state into dt+1 shares, so the area grows in proportion to the number of shares. This is why TBC based modes can be smaller than block cipher (BC) based modes in TI: a TBC needs only an s-bit block to ensure s-bit security (e.g. PFB and Romulus), while a BC needs a 2s-bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of an s-bit state, i.e. 3s bits, with t=2 and first-order TI (d=1).
Our first design PFB_Plus aims to break the 3s-bit state barrier in TI. The block size of the underlying TBC is s/2 bits, and the output of the TBC is linearly expanded to s bits. Because the expansion is linear, the expanded part of the state requires only 2 shares in first-order TI, which makes the total state size 2.5s bits (3 shares of the s/2-bit TBC state plus 2 shares of the remaining s/2 bits). We also provide a rigorous security proof of PFB_Plus. Our second design PFBω further increases a parameter ω, the ratio of the security level s to the block size of the underlying TBC. We prove the security of PFBω for any ω under some assumptions on the underlying TBC and on the parameters used to update the state. Next, we show a concrete instantiation of PFB_Plus for 128-bit security. It requires a TBC with a 64-bit block, 128-bit key and 128-bit tweak, which no existing TBC supports. We design a new TBC by extending SKINNY and provide a basic security evaluation. Finally, we give hardware benchmarks of PFB_Plus in first-order TI, showing that the TI of PFB_Plus is smaller than that of PFB by more than one thousand gates and is the smallest among the schemes with 128-bit security.
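The following is a constructed illustration, added for this page and not the paper's own code, of the share counting behind the abstract's state-size argument. It checks exhaustively that a 2-share XOR (t=1) and the textbook 3-share AND (t=2) are both correct and first-order non-complete, shows that a 2-share AND can be correct yet fails non-completeness (which is why a t=2 state needs 3 shares at d=1), and computes the d=1 state sizes of a BC-based mode, a TBC-based mode and PFB_Plus from the dt+1 rule. The sharing formulas are the standard ones from Nikova et al.'s threshold implementations, the function names are ours, and the PFB_Plus accounting assumes the 2.5s figure is 3 shares of the s/2-bit TBC state plus 2 shares of the remaining s/2 bits.

```python
from itertools import product


def shares_needed(d, t):
    """Minimum share count for a d-th order TI of a degree-t function: d*t + 1."""
    return d * t + 1


def unshare(shares):
    """Recombine Boolean (XOR) shares into the unshared value."""
    v = 0
    for s in shares:
        v ^= s
    return v


def shared_xor(x, y):
    """Linear function (t=1): share-wise XOR, 2 shares suffice at first order."""
    return tuple(xi ^ yi for xi, yi in zip(x, y))


def shared_and_3(x, y):
    """Quadratic function (t=2): the textbook 3-share AND (Nikova et al.).
    Output share i is computed without input share i (non-completeness)."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    z1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2)  # never touches x1, y1
    z2 = (x3 & y3) ^ (x3 & y1) ^ (x1 & y3)  # never touches x2, y2
    z3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1)  # never touches x3, y3
    return (z1, z2, z3)


def shared_and_2(x, y):
    """A correct but NOT non-complete 2-share AND: z1 = x1*(y1^y2) reads both indices."""
    x1, x2 = x
    y1, y2 = y
    return ((x1 & y1) ^ (x1 & y2), (x2 & y1) ^ (x2 & y2))


def is_correct(op, ref, n):
    """Exhaustively check unshare(op(x, y)) == ref(unshare(x), unshare(y)) for n shares."""
    bits = (0, 1)
    return all(
        unshare(op(x, y)) == ref(unshare(x), unshare(y))
        for x in product(bits, repeat=n)
        for y in product(bits, repeat=n)
    )


def _depends_on_index(op, n, j, i):
    """Does output share j ever change when input share index i (of x or of y) flips?"""
    bits = (0, 1)
    for x in product(bits, repeat=n):
        for y in product(bits, repeat=n):
            base = op(x, y)[j]
            xf = list(x)
            xf[i] ^= 1
            yf = list(y)
            yf[i] ^= 1
            if op(tuple(xf), y)[j] != base or op(x, tuple(yf))[j] != base:
                return True
    return False


def is_non_complete(op, n):
    """First-order non-completeness: every output share is independent of at least one
    input share index, so no single share computation sees all shares of a secret."""
    return all(
        any(not _depends_on_index(op, n, j, i) for i in range(n))
        for j in range(n)
    )


def first_order_state_bits(s):
    """First-order (d=1) TI state sizes for the designs compared in the abstract.
    Non-linear state (t=2) takes 3 shares; the linearly expanded part (t=1) takes 2.
    The PFB_Plus split (3 shares of s/2 bits + 2 shares of s/2 bits) is our assumption."""
    nl = shares_needed(1, 2)   # 3
    lin = shares_needed(1, 1)  # 2
    return {
        "BC-based (2s-bit block)": nl * 2 * s,
        "TBC-based, e.g. PFB/Romulus (s-bit block)": nl * s,
        "PFB_Plus (s/2-bit TBC + s/2 expanded bits)": nl * (s // 2) + lin * (s // 2),
    }


if __name__ == "__main__":
    and_ref = lambda a, b: a & b
    xor_ref = lambda a, b: a ^ b
    print("3-share AND correct:", is_correct(shared_and_3, and_ref, 3),
          "non-complete:", is_non_complete(shared_and_3, 3))
    print("2-share AND correct:", is_correct(shared_and_2, and_ref, 2),
          "non-complete:", is_non_complete(shared_and_2, 2))
    print("2-share XOR correct:", is_correct(shared_xor, xor_ref, 2),
          "non-complete:", is_non_complete(shared_xor, 2))
    for name, bits in first_order_state_bits(128).items():
        print(f"{name}: {bits} bits")
```

For s=128 the table gives 768, 384 and 320 bits, i.e. 6s, 3s and 2.5s, matching the abstract's comparison. The check above covers only correctness and non-completeness; a real TI also needs uniformity of the output sharing (or fresh randomness to restore it), and the gate counts reported in the paper depend on the full circuit, not just on share multiplicity.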