Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation.

2020 
This paper proposes the tweakable block cipher (TBC) based modes \(\mathsf{PFB\_Plus}\) and \(\mathsf{PFB}\omega\), which are efficient in threshold implementations (TI). Let \(t\) be the algebraic degree of a target function, e.g. \(t=1\) (resp. \(t>1\)) for a linear (resp. non-linear) function. The \(d\)-th order TI encodes the internal state into \(dt+1\) shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC-based modes, e.g. PFB and Romulus, can be smaller than block cipher (BC) based modes in TI, because a TBC requires an \(s\)-bit block to ensure \(s\)-bit security, while a BC requires a \(2s\)-bit block. However, even with those TBC-based modes, the minimum we can reach is 3 shares of the \(s\)-bit state with \(t=2\) and the first-order TI (\(d=1\)).