Hardware Oriented Authenticated Encryption Based on Tweakable Block Ciphers

Preface
	References
Acknowledgements
Contents
1 Introduction and Background
	1.1 Hardware Digital Circuit Design
	1.2 Symmetric-Key Encryption
	1.3 Block Ciphers
		1.3.1 Hardware Implementations of SPNs
		1.3.2 The Advanced Encryption Standard AES
		1.3.3 The Lightweight Encryption Device (LED) Cipher
		1.3.4 Deoxys-BC
		1.3.5 The SKINNY TBC
	1.4 Hash Functions
		1.4.1 The Davies–Meyer Construction
		1.4.2 The Merkle–Damgård Construction
		1.4.3 SHA-1 and Related Attacks
		1.4.4 Birthday Search in Practice
	1.5 Modes of Operation
		1.5.1 The Security Notions of AEAD
		1.5.2 The ΘCB3 AEAD Mode
		1.5.3 The Combined-Feedback (COFB) AEAD Mode
	1.6 Hardware Cryptanalysis
		1.6.1 Cryptanalytic Attacks with Tight Hardware Requirements
		1.6.2 Brute-Force Attacks
		1.6.3 Time-Memory-Data Trade-off Attacks
		1.6.4 Parallel Birthday Search Algorithms
		1.6.5 Hardware Machines for Breaking Ciphers
	References
2 On the Cost of ASIC Hardware Crackers
	2.1 The Chosen-Prefix Collision Attack
		2.1.1 Differential Cryptanalysis
	2.2 Hardware Birthday Cluster
		2.2.1 Cluster Nodes
		2.2.2 Hardware Design of Birthday Slaves
	2.3 Hardware Differential Attack Cluster Design
		2.3.1 Neutral Bits
		2.3.2 Storage
		2.3.3 Architecture
	2.4 Chip Design
		2.4.1 Chip Architecture
		2.4.2 Implementation
		2.4.3 ASIC Fabrication and Running Cost
		2.4.4 Results
		2.4.5 Attack Rates and Execution Time
	2.5 Cost Analysis and Comparisons
		2.5.1 264 Birthday Attack
		2.5.2 280 Birthday Attack
		2.5.3 Chosen Prefix Differential Collision Attack
		2.5.4 Limitations
	2.6 Conclusion
	References
3 Hardware Performance of the ΘCB3 Algorithm
	3.1 Related Work
	3.2 Proposed Architecture
	3.3 Multi-stream AES-like Ciphers
		3.3.1 FPGA LUT-Based Optimization of Linear Transformations
		3.3.2 Zero Area Overhead Pipelining
	3.4 Implementations and Results
		3.4.1 Two-Stream and Four-Stream AES Implementations
		3.4.2 Round-Based Two-Block Deoxys-I-128
		3.4.3 Three-Stream LED Implementation
	3.5 Conclusion
	References
4 Arguments for Tweakable Block Cipher-Based Cryptography
	4.1 History
	4.2 The TWEAKEY Framework
	4.3 TBC-Based Authenticated Encryption
	4.4 Efficiency Function e(λ)
	4.5 Applications and Discussions on the Efficiency Function
	References
5 Analysis of Lightweight BC-Based AEAD
	5.1 Attacks on Rekeying-Based Schemes
		5.1.1 Background and Motivation
		5.1.2 COFB-Like Schemes
		5.1.3 Forgery Attacks Against RaC
		5.1.4 Application to COMET-128
	5.2 Application to mixFeed
		5.2.1 Weak Key Analysis of mixFeed
		5.2.2 Misuse in RaC Schemes: Attack on mixFeed
	References
6 Romulus: Lighweight AEAD from Tweakable Block Ciphers
	6.1 Specifications
		6.1.1 Notations
		6.1.2 Parameters
		6.1.3 Romulus-N Nonce-Based AE Mode
		6.1.4 Romulus-M Misuse-Resistant AE Mode
	6.2 Design Rationale
		6.2.1 Mode Design
		6.2.2 Hardware Implementations
		6.2.3 Primitives Choices
	6.3 Hardware Performances
		6.3.1 ASIC Performances
		6.3.2 FPGA Performances
		6.3.3 Hardware Benchmark Efforts
	References
7 Remus: Lighweight AEAD from Ideal Ciphers
	7.1 Specification
		7.1.1 Notations
		7.1.2 Parameters
		7.1.3 Recommended Parameter Sets
		7.1.4 The Authenticated Encryption Remus
		7.1.5 Remus-M Misuse-Resistant AE Mode
	7.2 Design Rationale
		7.2.1 Mode Design
		7.2.2 Hardware Implementations
		7.2.3 Primitives Choices
	References
8 Hardware Design Space Exploration  of a Selection of NIST Lightweight Cryptography Candidates
	8.1 Limitations and Goals
	8.2 Summary and Rankings
	8.3 Trade-Offs
	8.4 Conclusions
	References
9 Conclusions
	Reference