TY - JOUR
T1 - Spook
T2 - Sponge-based leakage-resistant authenticated encryption with a masked tweakable block cipher
AU - Bellizia, Davide
AU - Berti, Francesco
AU - Bronchain, Olivier
AU - Cassiers, Gaëtan
AU - Duval, Sébastien
AU - Guo, Chun
AU - Leander, Gregor
AU - Leurent, Gaëtan
AU - Levi, Itamar
AU - Momin, Charles
AU - Pereira, Olivier
AU - Peters, Thomas
AU - Standaert, François-Xavier
AU - Udvarhelyi, Balazs
AU - Wiemer, Friedrich
N1 - Publisher Copyright:
© 2020, Ruhr-Universität Bochum. All rights reserved.
PY - 2020/6/22
Y1 - 2020/6/22
N2 - This paper defines Spook: a sponge-based authenticated encryption with associated data algorithm. It is primarily designed to provide security against side-channel attacks at a low energy cost. For this purpose, Spook mixes a leakage-resistant mode of operation with bitslice ciphers enabling efficient and low-latency implementations. The leakage-resistant mode of operation leverages a re-keying function to prevent differential side-channel analysis, a duplex sponge construction to efficiently process the data, and a tag verification based on a Tweakable Block Cipher (TBC) providing strong data integrity guarantees in the presence of leakages. The underlying bitslice ciphers are optimized for the masking countermeasures against side-channel attacks. Spook is an efficient single-pass algorithm. It ensures state-of-the-art black-box security with several prominent features: (i) nonce misuse-resilience, (ii) beyond-birthday security with respect to the TBC block size, and (iii) multi-user security at minimum cost with a public tweak. Besides the specifications and design rationale, we provide first software and hardware implementation results of (unprotected) Spook, which confirm the limited overhead that the use of two primitives sharing internal components implies. We also show that the integrity of Spook with leakage, so far analyzed with unbounded leakages for the duplex sponge and a strongly protected TBC modeled as leak-free, can be proven under a much weaker unpredictability assumption for the TBC. We finally discuss external cryptanalysis results and tweaks to improve both the security margins and the efficiency of Spook.
AB - This paper defines Spook: a sponge-based authenticated encryption with associated data algorithm. It is primarily designed to provide security against side-channel attacks at a low energy cost. For this purpose, Spook mixes a leakage-resistant mode of operation with bitslice ciphers enabling efficient and low-latency implementations. The leakage-resistant mode of operation leverages a re-keying function to prevent differential side-channel analysis, a duplex sponge construction to efficiently process the data, and a tag verification based on a Tweakable Block Cipher (TBC) providing strong data integrity guarantees in the presence of leakages. The underlying bitslice ciphers are optimized for the masking countermeasures against side-channel attacks. Spook is an efficient single-pass algorithm. It ensures state-of-the-art black-box security with several prominent features: (i) nonce misuse-resilience, (ii) beyond-birthday security with respect to the TBC block size, and (iii) multi-user security at minimum cost with a public tweak. Besides the specifications and design rationale, we provide first software and hardware implementation results of (unprotected) Spook, which confirm the limited overhead that the use of two primitives sharing internal components implies. We also show that the integrity of Spook with leakage, so far analyzed with unbounded leakages for the duplex sponge and a strongly protected TBC modeled as leak-free, can be proven under a much weaker unpredictability assumption for the TBC. We finally discuss external cryptanalysis results and tweaks to improve both the security margins and the efficiency of Spook.
KW - Authenticated encryption
KW - Bitslice ciphers
KW - Leakage-resistance
KW - Low energy
KW - Masking countermeasure
KW - NIST lightweight cryptography standardization effort
UR - http://www.scopus.com/inward/record.url?scp=85086912300&partnerID=8YFLogxK
U2 - 10.13154/tosc.v2020.iS1.295-349
DO - 10.13154/tosc.v2020.iS1.295-349
M3 - Article
SN - 2519-173X
VL - 2020
SP - 295
EP - 349
JO - IACR Transactions on Symmetric Cryptology
JF - IACR Transactions on Symmetric Cryptology
IS - Special Issue 1
ER -