Lightweight Yet Nonce-Misuse Secure Authenticated Encryption for Very Short Inputs

IF 8.9 1区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS IEEE Internet of Things Journal Pub Date : 2024-11-06 DOI:10.1109/JIOT.2024.3481033

Alexandre Adomnicăi;Kazuhiko Minematsu;Junji Shikata

{"title":"Lightweight Yet Nonce-Misuse Secure Authenticated Encryption for Very Short Inputs","authors":"Alexandre Adomnicăi;Kazuhiko Minematsu;Junji Shikata","doi":"10.1109/JIOT.2024.3481033","DOIUrl":null,"url":null,"abstract":"We study authenticated encryption (AE) modes dedicated to very short messages, which are crucial for Internet of Things applications. One of the most popular class of AE is built on block ciphers, namely a mode of operation. The computational cost of a mode is typically measured by its rate, indicating the number of input blocks processed per block cipher call in asymptotic terms. While certain modes demonstrate efficiency in terms of rate, such as <inline-formula> <tex-math>$\\mathsf { OCB}$ </tex-math></inline-formula>, this metric does not always accurately portray the total computational burden as it ignores overhead. Consequently, modes efficient in terms of rate may not always perform optimally with short messages. This observation motivates us to study modes that are efficient on short inputs rather than focusing on rate. Since the existing general-purpose AE modes need at least three block cipher calls for nonempty messages, we explore the design space for AE modes that use at most two calls. We propose a family of AE modes, dubbed <inline-formula> <tex-math>$ \\mathsf {Manx}$ </tex-math></inline-formula>, which work when the total input length is less than <inline-formula> <tex-math>$2n$ </tex-math></inline-formula> bits, using an n-bit block cipher. Notably, the second construction of <inline-formula> <tex-math>$ \\mathsf {Manx}$ </tex-math></inline-formula> can encrypt almost n-bit plaintexts and saves one or two block cipher calls compared to standard modes, such as <inline-formula> <tex-math>$\\mathsf { GCM}$ </tex-math></inline-formula> or <inline-formula> <tex-math>$\\mathsf { OCB}$ </tex-math></inline-formula>, while preserving comparable provable security. In addition to the conventional security against nonce-respecting adversary, we prove that <inline-formula> <tex-math>$ \\mathsf {Manx}$ </tex-math></inline-formula> have security against nonce-misusing adversary with a different security level for each family member. We also present benchmarks on popular 8/32-bit microprocessors, namely 8-bit AVR, 32-bit ARM Cortex-M0, and ARM Cortex-M4, using AES and lightweight block ciphers. Our results show the clear advantage of <inline-formula> <tex-math>$ \\mathsf {Manx}$ </tex-math></inline-formula> over the previous modes for such short messages. In particular, <inline-formula> <tex-math>$ \\mathsf {Manx2}$ </tex-math></inline-formula> has significant performance gain from the existing representative schemes thanks to the simple structure and parallelizability. For example, using AES-128, <inline-formula> <tex-math>$ \\mathsf {Manx2}$ </tex-math></inline-formula> is faster than <inline-formula> <tex-math>$\\mathsf { OCB}$ </tex-math></inline-formula> by a factor of 1.5 to 1.7 to process a 64-bit nonce and a 120-bit plaintext.","PeriodicalId":54347,"journal":{"name":"IEEE Internet of Things Journal","volume":"12 3","pages":"2807-2824"},"PeriodicalIF":8.9000,"publicationDate":"2024-11-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10745525","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Internet of Things Journal","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10745525/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

We study authenticated encryption (AE) modes dedicated to very short messages, which are crucial for Internet of Things applications. One of the most popular class of AE is built on block ciphers, namely a mode of operation. The computational cost of a mode is typically measured by its rate, indicating the number of input blocks processed per block cipher call in asymptotic terms. While certain modes demonstrate efficiency in terms of rate, such as

$\mathsf { OCB}$

, this metric does not always accurately portray the total computational burden as it ignores overhead. Consequently, modes efficient in terms of rate may not always perform optimally with short messages. This observation motivates us to study modes that are efficient on short inputs rather than focusing on rate. Since the existing general-purpose AE modes need at least three block cipher calls for nonempty messages, we explore the design space for AE modes that use at most two calls. We propose a family of AE modes, dubbed

$ \mathsf {Manx}$

, which work when the total input length is less than

$2n$

bits, using an n-bit block cipher. Notably, the second construction of

$ \mathsf {Manx}$

can encrypt almost n-bit plaintexts and saves one or two block cipher calls compared to standard modes, such as

$\mathsf { GCM}$

$\mathsf { OCB}$

, while preserving comparable provable security. In addition to the conventional security against nonce-respecting adversary, we prove that

$ \mathsf {Manx}$

have security against nonce-misusing adversary with a different security level for each family member. We also present benchmarks on popular 8/32-bit microprocessors, namely 8-bit AVR, 32-bit ARM Cortex-M0, and ARM Cortex-M4, using AES and lightweight block ciphers. Our results show the clear advantage of

$ \mathsf {Manx}$

over the previous modes for such short messages. In particular,

$ \mathsf {Manx2}$

has significant performance gain from the existing representative schemes thanks to the simple structure and parallelizability. For example, using AES-128,

$ \mathsf {Manx2}$

is faster than

$\mathsf { OCB}$

by a factor of 1.5 to 1.7 to process a 64-bit nonce and a 120-bit plaintext.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

针对极短输入的轻量级、无误码的安全验证加密

我们研究了专用于非常短消息的身份验证加密（AE）模式，这对物联网应用至关重要。最流行的AE类之一是建立在分组密码上的，即一种操作模式。一种模式的计算成本通常由它的速率来衡量，以渐近的方式表示每个分组密码调用处理的输入块的数量。虽然某些模式在速率方面展示了效率，例如$\mathsf {OCB}$，但该指标并不总是准确地描述总计算负担，因为它忽略了开销。因此，在速率方面有效的模式对于短消息可能并不总是执行最佳。这一观察结果促使我们研究在短时间内有效的模式，而不是专注于速度。由于现有的通用AE模式对非空消息至少需要三个分组密码调用，因此我们探索了最多使用两个调用的AE模式的设计空间。我们提出了一组AE模式，称为$ \mathsf {Manx}$，当总输入长度小于$2n$比特时，使用n位分组密码。值得注意的是，与标准模式（如$\mathsf {GCM}$或$\mathsf {OCB}$）相比，$\mathsf {Manx}$的第二个构造几乎可以加密n位的纯文本，并节省一到两次分组密码调用，同时保持可证明的安全性。除了针对非尊重攻击者的常规安全性之外，我们还证明了$ \mathsf {Manx}$具有针对非滥用攻击者的安全性，每个家庭成员具有不同的安全级别。我们还介绍了流行的8/32位微处理器的基准测试，即8位AVR， 32位ARM Cortex-M0和ARM Cortex-M4，使用AES和轻量级块密码。我们的结果显示，对于这种短消息，$ \mathsf {Manx}$比以前的模式有明显的优势。特别是，由于结构简单和可并行性，$ \mathsf {Manx2}$比现有的代表性方案有显著的性能提升。例如，使用AES-128， $\mathsf {Manx2}$处理64位随机数和120位纯文本的速度比$\mathsf {OCB}$快1.5到1.7倍。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IEEE Internet of Things Journal Computer Science-Information Systems

CiteScore

17.60

自引率

13.20%

发文量

1982

期刊介绍： The EEE Internet of Things (IoT) Journal publishes articles and review articles covering various aspects of IoT, including IoT system architecture, IoT enabling technologies, IoT communication and networking protocols such as network coding, and IoT services and applications. Topics encompass IoT's impacts on sensor technologies, big data management, and future internet design for applications like smart cities and smart homes. Fields of interest include IoT architecture such as things-centric, data-centric, service-oriented IoT architecture; IoT enabling technologies and systematic integration such as sensor technologies, big sensor data management, and future Internet design for IoT; IoT services, applications, and test-beds such as IoT service middleware, IoT application programming interface (API), IoT application design, and IoT trials/experiments; IoT standardization activities and technology development in different standard development organizations (SDO) such as IEEE, IETF, ITU, 3GPP, ETSI, etc.