[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ Skip to main content
Log in

TriviA and uTriviA: two fast and secure authenticated encryption schemes

  • Regular Paper
  • Published:
Journal of Cryptographic Engineering Aims and scope Submit manuscript

Abstract

In this paper, we propose two hardware optimized authenticated encryption schemes: TriviA-v2 and uTriviA. Both TriviA-v2, an efficient hardware optimization of TriviA-0-v1, and uTriviA are based on (i) a stream cipher for generating keys for the ciphertext and the tag, and (ii) a pairwise independent hash to compute the tag. We have adopted one of the ISO-standardized stream ciphers for lightweight cryptography, namely Trivium , to obtain our underlying stream cipher. The main structure of TriviA-v2 remains same as TriviA-0-v1, except some changes in the internal functions. The stream cipher used both in TriviA-v2 and uTriviA has a 384-bit state, slightly larger than Trivium, and can accommodate a 128-bit secret key and IV. TriviA-v2 uses a pairwise independent hash which is an adaptation of the EHC or “Encode-Hash-Combine” hash that requires the optimum number of field multiplications and hence requires small hardware footprint. uTriviA uses a pairwise independent hash which is an adaptation of the HC or “Hash-Combine” hash which is close to EHC but does not use any encode function. We prove that TriviA-v2 construction has at least 128-bit security for privacy and 124-bit security of authenticity under the assumption that the underlying stream cipher produces a pseudorandom bit stream. The uTriviA construction achieves at least 128-bit security for privacy and 93-bit security of authenticity under the same assumption. We have implemented the designs in synthesizable RTL. Pre-layout synthesis using 65 nm standard cell technology reveals that TriviA-v2 is able to achieve a high throughput of 65.9 Gbps for an area of 21.2 KGE, whereas TriviA-0-v1 achieved a much higher hardware area. The uTriviA design achieves a hardware area of only 16.74 KGE, which is lowest among all the TriviA variants but with a lower throughput of 36.76 Gbps. Finally, we provide a brief comparison between the three constructions TriviA-0-v1, TriviA-v2 and uTriviA and the other standard implementations in terms of hardware area-efficiency metric.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (United Kingdom)

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. Our authenticated encryption TriviA-v2 (a shorthand notation for Trivium-Authenticated Encryption) is based on the stream cipher TriviA-SC.

  2. This nonce relaxation does not provide much advantage over nonce respect, as we can repeat nonce at most \(2^{32}\) times but can not repeat the associated data.

References

  1. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: ASIACRYPT. Lecture Notes in Computer Science, vol. 2501, pp. 531–545 (2000)

  2. Jutla, C.: Encryption modes with almost free message integrity. J. Cryptol. 21, 547–578 (2008)

    Article  MathSciNet  MATH  Google Scholar 

  3. CAESAR competition for authenticated encryption. Secur. Appl. Robust. (2014). http://competitions.cr.yp.to/caesar.html

  4. Cannière, C. D., Preneel, B.: “Trivium,” new stream cipher designs. In: The eSTREAM Finalists. Lecture Notes in Computer Science, vol. 4986, pp. 244–266 (2005)

  5. Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments. Int. J. Wirel. Mob. Comput. 2(4), 86–93 (2007)

    Article  Google Scholar 

  6. Babbage, S., Dodd, M.: The eSTREAM Finalists. pp. 191–209. Springer (2008)

  7. eSTREAM The ECRYPT Stream Cipher Project. http://www.ecrypt.eu.org/stream

  8. International organization for standardization. In: ISO/IEC 29192-3:2012, Information technology—Security techniques—Lightweight cryptography—Part 3: Stream ciphers (2102). http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56426

  9. Bernstein, D.J.: Cycle counts for authenticated encryption. In: Workshop Record of SASC 2007: The State of the Art of Stream Ciphers (2007)

  10. Ferguson, N., Whiting, D., Schneier, B., Kelsey, J., Lucks, S., Kohno, T.: Fast encryption and authentication in a single cryptographic primitive. In: FSE. Lecture Notes in Computer Science, vol. 2887, pp. 330–346 (2003)

  11. Whiting, D., Schneier, B., Lucks, S., Muller Phelix, F.: Fast Encryption and Authentication in a Single Cryptographic Primitive. http://www.ecrypt.eu.org/stream/ (2004)

  12. Muller, F.: Differential attacks against the Helix stream cipher. In: FSE. Lecture Notes in Computer Science, vol. 3017, pp. 94–108 (2004)

  13. Wu, H., Preneel, B.: Differential-linear attacks against the stream cipher Phelix. In: FSE. Lecture Notes in Computer Science, vol. 4593, pp. 87–100 (2007)

  14. Hell, M., Johansson, T., Maximov, A., Meier, W.: A Stream Cipher Proposal: Grain-128. In: International Symposium on Information Theory-ISIT. IEEE (2006)

  15. ETSI/SAGE specification. In: Specification of the 3GPP Confidentiality and Integrity ALgorithms UEA2 and UIA2. Document 5: Design and Evaluation Report, Version 1.1. European Telecommunications (2006)

  16. ETSI/SAGE specification. In: Specification of the 3GPP Confidentiality and Integrity ALgorithms UEA2 and UIA2. Document 2: SNOW 3G Specification. European Telecommunications (2006)

  17. Sarkar, P.: Modes of operations for encryption and authentication using stream ciphers supporting an initialisation vector. Cryptogr. Commun. 6(3), 189–231 (2014)

    Article  MathSciNet  MATH  Google Scholar 

  18. Bernstein, D.J: The Poly1305-AES message-authentication code. In: FSE Lecture Notes in Computer Science, vol. 3557, pp. 32–49 (2005)

  19. Chakraborti, A., Chattopadhyay, A., Hassan, M., Nandi M.: TriviA: a fast and secure authenticated encryption scheme. In: CHES. Lecture Notes in Computer Science, vol. 9293, pp. 330–353 (2015)

  20. Chakraborti, A., Nandi, M.: TriviA-ck-v1. http://competitions.cr.yp.to/round1/triviackv1.pdf (2014)

  21. Nandi, M.: On the minimum number of multiplications necessary for universal hash constructions. In: FSE. Lecture Notes in Computer Science, vol. 8540, pp. 489–508 (2014)

  22. Helion technology. In: AES-CCM core. http://www.heliontech.com/aes_ccm.htm

  23. Fan, X., Gong, G.: Specification of the stream cipher WG-16 based confidentiality and integrity algorithms. http://cacr.uwaterloo.ca/techreports/2013/cacr2013-06.pdf (2013)

  24. Moon, T.K.: Error Control Coding: Mathematical Methods and Algorithms. Wiley, New York (2005)

    Book  MATH  Google Scholar 

  25. Mansour, Y., Nissan, N., Tiwari, P.: The computational complexity of universal hashing. In: Twenty Second Annual ACM Symposium on Theory of Computing, pp. 235–243 (1990)

  26. Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeet, B.: On families of hash functions via geometric codes and concatenation. In: CRYPTO. Lecture Notes in Computer Science, vol. 773, pp. 331–342 (1993)

  27. den Boer, B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–72 (1993)

    Google Scholar 

  28. Taylor, R.: Near optimal unconditionally secure authentication. EUROCRYPT 950, 244–253 (1995)

    MATH  Google Scholar 

  29. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: EUROCRYPT. Lecture Notes in Computer Science, vol. 5479, pp. 278–299 (2009)

  30. Fouque, P.A., Vannet, T.: Improving key recovery to 784 and 799 rounds of Trivium using optimized cube attacks. In: FSE. Lecture Notes in Computer Science, vol. 8424 (2013)

  31. National Institute of Standards and Technology. In: A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST Special Publication 800-22rev1a (2010). http://csrc.nist.gov/groups/ST/toolkit/rng/documentation_software.html

  32. Maximov, A., Biryukov, A.: Two trivial attacks on Trivium. In: Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 4876, pp. 36–55 (2007)

  33. Moore, G.E.: Cramming more components onto integrated circuits. In: Electronics Magazine, p. 4. http://download.intel.com/museum/Moores_Law/Articles-Press_Releases/Gordon_Moore_1965_Article.pdf (1965)

  34. Grosso, V., Leurent, G., Standaert, F., Varici, K., Durvaux, F., Gaspar, L., Kerckhof, S.: SCREAM and iSCREAM Side-Channel Resistant Authenticated Encryption with Masking. http://competitions.cr.yp.to/round1/screamv1.pdf (2014)

  35. Good, T., Benaissa, M.: Hardware results for selected stream cipher candidates. In: State of the art of stream ciphers 2007 (SASC 2007), Workshop record (2007)

  36. Mansouri, S.S., Dubrova, E.: An improved hardware implementation of the Grain-128a stream cipher. In: International Conference on Information Security and Cryptology (2012)

  37. Aumasson, J.P., Jovanovic, P., Neves, S.: NORX: parallel and scalable AEAD. In: Computer Security-ESORICS, 19–36. Springer (2014). https://eprint.iacr.org/2015/034.pdf

  38. Gro\(\beta \), H., Wenger, E., Dobraunig, C., Ehrenhofer, C.: Suit up! Made-to-Measure Hardware Implementations of ASCON. https://eprint.iacr.org/2015/034.pdf (2014)

  39. Bhattacharjee, D., Chattopadhyay, A.: Efficient hardware accelerator for AEGIS-128 authenticated encryption. In: Inscrypt. Lecture Notes in Computer Science, vol. 8957, pp. 385–402 (2014)

  40. Wu, H., Preneel, B.: AEGIS: a fast authenticated encryption algorithm. In: SAC. Lecture Notes in Computer Science, vol. 8282, pp. 185–201 (2013)

  41. Agren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. Int. J. Wirel. Mob. Comput. 5, 48–59 (2011)

    Article  Google Scholar 

  42. Gaj, K.: CERG: Cryptographic Engineering Research Group. https://cryptography.gmu.edu/athenadb/fpga_auth_cipher/table_view (2016)

  43. McGrew, D.A., Viega, J.: The Galois/Counter Mode of Operation (GCM). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf (2005)

Download references

Acknowledgments

We would like to thank the reviewers for their detailed comments and suggestions for the betterment of our paper. Their suggestion regarding the choice of the primitive polynomial \(p_{32}(x)\) helped us to increase the area–throughput ratio for TriviA-v1, TriviA-v2 and uTriviA. We are thankful to that.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Avik Chakraborti.

Appendix

Appendix

1.1 \({\varDelta }\)-U property of \(\textsf {HC}^{(d)}\) hash

Proof for Theorem 2

Consider \(m \ne m' \in (\{0,1\}^{32})^{\le \ell }, m = (m_1, \ldots , m_{\ell _1}), m' = (m'_1, \ldots , m'_{\ell _2})\). Without any loss of generality, let \(2^{32} \ge \ell _1 \ge \ell _2\). Let, \(K = (k_1, \ldots , k_{\ell _1})\) is the key. Denote \({\varDelta }h_{i} = K_{i}(m_{i} - m'_{i})\), when \(1 \le i \le \ell _2\) and \({\varDelta }h_{i} = K_{i}.m_{i}\) when \(\ell _2 < i \le \ell _1\). Suppose \({\varDelta }_{\{i_1, \ldots , i_s\}} = ({\varDelta }h_{i_{1}}, {\varDelta }h_{i_{2}}, \ldots , {\varDelta }h_{i_{s}})^{T}\) for some distinct \(1 \le i_1, \ldots , i_s \le \ell _1\). We denote \(H = (H_1, \ldots H_d) = \textsf {HC}^{(d)}_{K, (V_1, \ldots , V_d)}(m)\) and \(H' = (H'_1, \ldots H'_d) = \textsf {HC}^{(d)}_{K, (V_1, \ldots , V_d)}(m')\). We also denote \(H_{int} = (H_{int,1}, \ldots H_{int,d}) = \textsf {HC}^{(d, \ell _1)}_{K}(m)\) and \(H'_{int} = (H'_{int,1}, \ldots H'_{int,d}) = \textsf {HC}^{(d, \ell _2)}_{K}(m')\). Define \(S = \{ i_1, i_2, \ldots i_s \} := \{i : m_{i} \ne m_{i}', \ 1 \le i \le \ell _2\) or \(m_i \ne 0, \ \ell _2 < i \le \ell _1\}\), where \(s = |S|\). We now restrict \(V_{\alpha }^{(d)}\) by the columns indexed by \(i_{1}, \ldots i_{s}\) and denote it by \(V^{(d, S)}_{\alpha }\). Choose \(\delta = (\delta _1 \ldots \delta _d) \in \{0, 1\}^{32d}\). Denote \(T = \{ i : \delta _i \ne 0, 1 \le i \le d\}\) and \(T^{*} = [1 \cdots d] - T\). Let the differential probability be p. Clearly,

$$\begin{aligned} p= & {} Pr_{K, (V_1, \ldots , V_d)}[H - H'= \delta ]\\= & {} Pr_{K, (V_1, \ldots , V_d)}[H_{int, i}\\= & {} H_{int, i}', \forall i\in T, V_{j} = \delta _{j}.(H_{int, j}-H'_{int, j})^{-1}, \forall j\in T^{*}]\\= & {} Pr_{K, (V_1, \ldots , V_d)}[H_{int, i} \\= & {} H_{int, i}', \forall i\in T] . Pr[V_{j} = \delta _{j}.(H_{int, j}-H'_{int, j})^{-1}, \forall j\in T^{*}]\\&\quad (Since \ K_1,\ \ldots ,\ K_{\ell },\ V_1, \ldots , V_d \ are independently drawn ) \end{aligned}$$

The term \(Pr_{K, (V_1, \ldots , V_d)}[V_{j} = \delta _{j}.(H_{int, j}-H_{int, j}')^{-1}, \forall j\in T^*] = 2^{-(31)(d-t)}\) by simply conditioning \(K_i\)’s which also fixes \(H_{int, j}\)s and \(H_{int, j}'\)s with \(t = |T|\).

We restrict \(V^{(d)}_{\alpha }\) by the rows with indexes in T and columns with indexes in S and denote it by \(V^{(T, S)}_{\alpha }\). As all the sub-matrices of \(V^{(T, S)}_{\alpha }\) are non-singular, the probability computation for this event is similar to that of the previous theorem. Thus, \(Pr_{K, (V_1, \ldots , V_d)}[H_{int, i} = H_{int, i}', \forall i\in T] = 2^{-31t}\). \(\square \)

1.2 Privacy of uTriviA

Proof for Theorem 4

Let A makes q queries \((N_1, D_1, M_1), \ldots , (N_q, D_q, M_q)\) such that \((N_i, D_i)\)’s are distinct and let \(Z_i\) and \((C_i, T_i)\) be the respective key streams (including the state bit extraction) and final responses. Moreover, let \(T'_i\) denote the intermediate tag obtained from the associated data which are inserted in the state after processing associated data. Let \(\mathcal {N} = \{N: \exists i~ N = N_i\}\) denote the set of all distinct nonces, such that \(q = |\mathcal {N}|\). For each \(N \in \mathcal {N}\), we write \(\mathcal {I}_{N} = \{j : N_j = N\}\) and \(|\mathcal {I}_{N}| = q_N\). Note that \(q_N \le 1\) for all nonces N and \(\sum _{N \in \mathcal {N}} q_N = q\). By our assumption on the stream cipher output, the key stream \(Z_i\)’s would be independently distributed whenever we have distinct nonces. Thus, we define an event \(\textsf {coll}\): There exists \(i \ne j\) such that \(T'_i = T'_j\). Clearly, when \(N \ne N'\), then the states are distinct due to invertible property of Update function. Thus, \(\textsf {Pr}[\textsf {coll}] = 0\), and by using the ideal assumption of the stream cipher, all key streams \(Z_i\)’s (even with same nonce) are independent and uniformly distributed. As \((C_i, T_i)\)’s are injective functions of the key stream \(Z_i\), the distribution of \((C_i, T_i)\)’s is independent and uniform. So the privacy advantage is bounded by the probability \(\frac{q}{2^{128}}\), and hence, the result follows.

1.3 Authenticity of uTriviA

Proof for Theorem 6

As before, let the q queries be \((D_i, N_i, M_i)\) and the corresponding responses be \((C_i, T_i)\) with intermediate tags \(T'_i, 1 \le i \le q\). We also denote the key stream for the ith query be \(Z_i\). By applying the privacy bound, which is \(q/2^{93}\), we may assume that the all q key streams \(Z_1, \ldots , Z_q\) are uniformly and randomly distributed. Now we consider two cases depending on a forging attempt \((N^*, D^*, C^*, T^*)\).

Case A The adversary makes a forging attempt \((N^*, D^*, C^*, T^*)\) with a fresh \((N^*, D^*)\). In this case, let \(N_i = N^*\). Note that, for all \(j \ne i\), the \(Z_j\)’s are independent from \(Z^*\) the key stream for the forging attempt. The \(Z_i\) also would be independent from \(Z^*\) provided that the intermediate tag \(T'_i\) does not collide with the intermediate tag \(T^*\) for the forging attempt. This can happen with probability at most \(2^{-93}\) (from Theorem 2). Whenever \(Z^*\) behaves like a random string, the forging probability will be \(2^{-96}\) (as the tag size is 96). So the total forging probability, in this case, will be at most \(2^{-93} + 2^{-96} \approx 2^{-93}\).

Case B Suppose the adversary makes a forging attempt with \((N^*, D^*) = (N_i, D_i)\) for some i. Note that one of the key streams \(Z_i\) and \(Z^*\) would be a prefix of the other (depending on the length of the ciphertext). Note that for all other \(Z_j\)’s, \(j \ne i\) would be independent of \(Z^*\) and so we can ignore the responses of the other queries. So the forging probability is the same as

$$\begin{aligned} p:= & {} \textsf {Pr}[(N_i, D_i, C^*, T^*) \text{ is } \text{ valid } ~|~ (C_i, T_i)\nonumber \\&\text{ is } \text{ response } \text{ of } (N_i, D_i, M_i)]\,. \end{aligned}$$
(6)

Claim \(p \le 2^{-93}.\)

We postpone the proof of the claim. Assuming this claim, any forging attempt is successful with probability at most \(2^{-93}\) (as the Case A has lower success probability). Since A makes at most \(q_f\) attempts and adding the privacy advantage, the forging probability would be bounded by \(\frac{q}{2^{93}} + \frac{q_f}{2^{93}}\). This completes the proof.

Proof of the Claim Let \(M^*\) be the message corresponding to \(C^*\). We prove it by considering different cases based on \(\ell := \ell _{M_i}\) and \(\ell ^* := \ell _{M^*}\). For simplicity, we assume that both \(M_i\) and \(M^*\) are complete block messages. The proof for incomplete message blocks is similar. We also write Z into a pair (SKz) where SK denotes the state key and z denotes the output stream. Note that the z-values can be leaked through the ciphertext and some of the z-values may be also used to compute the tag. We mainly need to handle different cases depending on how the z-values are leaked.

Case 1 \(\ell ^* = \ell \) In this case, the conditional forging event can simply be written as \((\textsf {HC}^{3, \ell }(SK ; M_i)\odot z_v) \oplus (\textsf {HC}^{3, \ell }(SK^* ; M^*)\odot z_v^*) = \delta := T_i \oplus T^*\). As, \(\ell ^* = \ell \), thus \(SK = SK^*\) and \(z_v = z_v^*\). By using the known fact that HC is a \(2^{-93}\)-\({\varDelta }\)U hash (Theorem 2), we have \(p \le 2^{-93}\).

For the cases 2, 3 and 4, we denote \(\textsf {HC}^{3, \ell }(SK ; M_i)\odot z_v = (H_1, H_2, H_3)\) and similarly \(\textsf {HC}^{3, \ell ^*}(SK^* ; M^*)\odot z^*_v = (H^*_1, H^*_2, H^*_3)\) where \(H_i\) and \(H^*_i\)s are 32-bit strings. We similarly parse T and \(T^*\) as \((T_1, T_2, T_3)\) and \((T^*_1, T^*_2, T^*_3)\).

Case 2 \(\ell ^* = \ell +1\) In this case, none of the variable keys \(z_v\) are leaked through the ciphertext \(C_i\). So the forging probability is equivalently written as \(p = \textsf {Pr}[H^*_1 \oplus SK_{\ell +2} = T^*_1, H^*_2 \oplus SK_{\ell +3} = T^*_2 , H^*_3 \oplus SK_{\ell +4} = T^*_3~|~ H_1 \oplus SK_{\ell +1} = T_1, H_2 \oplus SK_{\ell +2} = T_2, H_3 \oplus SK_{\ell +3} = T_3].\) Thus, by using the entropy of \(SK_{\ell }, SK_{\ell +3}\) and \({\varDelta }\)U property of HC, we get the bound.

Case 3 \(\ell ^* = \ell +2\) The proof for this case will be similar as the proof in Case 2. Here we use the entropy of \(SK_{\ell -1}, SK_{\ell }, SK_{\ell +2}, SK_{\ell +3}\) and \({\varDelta }\)U property of HC, and we get the bound.

Case 4 \(\ell ^* \ge \ell +3\) In this case, all of the variable keys \(SK_v\) are distinct and \(z_v\) is not leaked through the ciphertext \(C_i\). So the forging probability is equivalently written as \(p = \textsf {Pr}[H^*_1 \oplus SK_{\ell +4} = T^*_1, H^*_2 \oplus SK_{\ell +5} = T^*_2 , H^*_3 \oplus SK_{\ell +6} = T^*_3~|~ H_1 \oplus SK_{\ell +1} = T_1, H_2 \oplus SK_{\ell +2} = T_2, H_3 \oplus SK_{\ell +3} = T_3].\) Thus, by using the entropy of \(SK_{\ell +1}, SK_{\ell +2}, SK_{\ell +3}, SK_{\ell +4}, SK_{\ell +5}, SK_{\ell +6}\), we get the bound.

Case 5 \(\ell ^* = \ell - 1\) In this case, the variable keys are different for both computations. Since one set of variable keys are leaked through the ciphertext and the other has full entropy, we use the fact that HC is \(2^{-93}\)-balanced. Using this, one can show that \(p \le 2^{-93}\).

Case 6 \(\ell ^* \le \ell -2\) Since one set of variable keys are leaked through the ciphertext and the other has full entropy, we use the fact that each of the 32 bit components of the HC hash output is \(2^{-31}\)-balanced. Using this, one can show that \(p \le 2^{-93}\).

By considering all the above cases, we prove that \(p \le 2^{-93}\) which concludes the proof of the claim. \(\square \)

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Chakraborti, A., Chattopadhyay, A., Hassan, M. et al. TriviA and uTriviA: two fast and secure authenticated encryption schemes. J Cryptogr Eng 8, 29–48 (2018). https://doi.org/10.1007/s13389-016-0137-2

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s13389-016-0137-2

Keywords

Navigation