TriviA and uTriviA : two fast and secure authenticated encryption schemes
In this paper, we propose two hardware optimized authenticated encryption schemes: TriviA-v2 and uTriviA. Both TriviA-v2, an efficient hardware optimization of TriviA-0-v1, and uTriviA are based on (i) a stream cipher for generating keys for the ciphertext and the tag, and (ii) a pairwise independen...
Saved in:
| Main Authors: | , , , |
|---|---|
| Other Authors: | |
| Format: | Article |
| Language: | English |
| Published: |
2020
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/139518 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| Summary: | In this paper, we propose two hardware optimized authenticated encryption schemes: TriviA-v2 and uTriviA. Both TriviA-v2, an efficient hardware optimization of TriviA-0-v1, and uTriviA are based on (i) a stream cipher for generating keys for the ciphertext and the tag, and (ii) a pairwise independent hash to compute the tag. We have adopted one of the ISO-standardized stream ciphers for lightweight cryptography, namely Trivium, to obtain our underlying stream cipher. The main structure of TriviA-v2 remains same as TriviA-0-v1, except some changes in the internal functions. The stream cipher used both in TriviA-v2 and uTriviA has a 384-bit state, slightly larger than Trivium, and can accommodate a 128-bit secret key and IV. TriviA-v2 uses a pairwise independent hash which is an adaptation of the EHC or “Encode-Hash-Combine” hash that requires the optimum number of field multiplications and hence requires small hardware footprint. uTriviA uses a pairwise independent hash which is an adaptation of the HC or “Hash-Combine” hash which is close to EHC but does not use any encode function. We prove that TriviA-v2 construction has at least 128-bit security for privacy and 124-bit security of authenticity under the assumption that the underlying stream cipher produces a pseudorandom bit stream. The uTriviA construction achieves at least 128-bit security for privacy and 93-bit security of authenticity under the same assumption. We have implemented the designs in synthesizable RTL. Pre-layout synthesis using 65 nm standard cell technology reveals that TriviA-v2 is able to achieve a high throughput of 65.9 Gbps for an area of 21.2 KGE, whereas TriviA-0-v1 achieved a much higher hardware area. The uTriviA design achieves a hardware area of only 16.74 KGE, which is lowest among all the TriviA variants but with a lower throughput of 36.76 Gbps. Finally, we provide a brief comparison between the three constructions TriviA-0-v1, TriviA-v2 and uTriviA and the other standard implementations in terms of hardware area-efficiency metric. |
|---|