<div dir="ltr"><div> </div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Perhaps if we designed a mode with integrated masking???<br>
<br></blockquote><div><br></div><div>This is the way to go in my opinion, but not everybody is convinced yet. For example, in <a href="https://csrc.nist.gov/Projects/lightweight-cryptography">NIST's LWC competition</a>, the rounds have been defined as follows:</div><div>- round 1: select candidates with sound cryptographic properties (eliminating the ones with forgeries, for example)</div><div>- round 2: select candidates based on performance benchmarks (hardware and software)</div><div>- round 3: select candidates based on performance benchmarks of implementations protected against side channels</div><div>Since an AEAD with built-in protection against side channels is likely to be much slower than a regular AEAD, such candidates were bound to be eliminated in round 2.</div>Nevertheless, two candidates followed that path:<br></div><div class="gmail_quote"><div>- <a href="https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/isap-spec-final.pdf">ISAP</a>: it performed poorly in the performance benchmark of round 2; nevertheless, it made it to round 3 because it reuses the primitive of <a href="https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf">ASCON</a>, a very efficient but unprotected AEAD, and because it was pointed out that it would most likely shine in the performance benchmark of round 3.<br></div><div>- <a href="https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/drygascon-spec-round2.pdf">DryGASCON</a>: much better performance than ISAP (and even than some unprotected AEADs), but it was eliminated in round 2. I am not sure of the reason, but I think the low number of cryptanalysis papers was the cause of its elimination.
It turned out to have a set of weak keys which can lead to forgeries, so it is not fit for deployment as it is, but the principles it uses against side-channel and fault attacks seem sound.<br><br></div><div>Why is this so much better than protecting at the implementation level?<br></div><div>- the quality of the implementation depends on the designer</div><div>- security against side channels is hard to test</div><div>- on ciphers like AES, protection against both side-channel and fault attacks requires a huge overhead in area and performance (something like 10x is common)<br></div><div><br></div><div>Now, if you want to stick to AES, I would recommend considering the two approaches below:</div><div>- Attempt to fit AES into the ISAP structure: you would get a protected AEAD usable for pretty much any AEAD use case, but much slower than any current AES AEAD.<br></div><div>- ECDH key exchange + <a href="https://eprint.iacr.org/2019/1007">SPAE</a>: you would get a protected AEAD usable for communication use cases, with performance comparable to OCB.
The rationale is that each key is used exactly once (just one block).<br></div><div><br></div><div>Links:</div><div><a href="https://csrc.nist.gov/projects/lightweight-cryptography">https://csrc.nist.gov/projects/lightweight-cryptography</a></div><div><a href="https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf">https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf</a></div><div><a href="https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/isap-spec-final.pdf">https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/isap-spec-final.pdf</a></div><div><a href="https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/drygascon-spec-round2.pdf">https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/drygascon-spec-round2.pdf</a></div><div><a href="https://eprint.iacr.org/2019/1007">https://eprint.iacr.org/2019/1007</a></div><div><br></div><div>Sebastien<br></div></div></div>