Blockcipher-Based Authenticated Encryption: How Small Can We Go?
Journal of Cryptology ( IF 2.3 ) Pub Date : 2019-05-17 , DOI: 10.1007/s00145-019-09325-z
Avik Chakraborti , Tetsu Iwata , Kazuhiko Minematsu , Mridul Nandi

This paper presents a lightweight blockcipher-based authenticated encryption mode that focuses mainly on minimizing implementation size, i.e., hardware gates or, in software, working memory. The mode is called COFB, for COmbined FeedBack. COFB uses an n-bit blockcipher as the underlying primitive and relies on a nonce for security. In addition to the state required for executing the underlying blockcipher, COFB needs only n/2 bits of state as a mask. To date, all existing constructions that apply masks have used masks of at least n bits. Thus, we show that the mask size can be reduced without degrading the security level much. Moreover, COFB requires one blockcipher call to process one input block. We show that COFB is provably secure up to $$O(2^{n/2}/n)$$ queries, which is almost the standard birthday bound. We first present an idealized mode iCOFB along with the details of its provable security analysis. Next, we extend the construction to the practical mode COFB. We instantiate COFB with two 128-bit blockciphers, AES-128 and GIFT-128, and present their implementation results on FPGAs. We present two implementations, with and without the CAESAR hardware API. When instantiated with AES-128 and implemented without the CAESAR hardware API, COFB requires only a few more than 1000 Look-Up Tables (LUTs) while maintaining almost the same level of provable security as standard AES-based AE such as GCM. When instantiated with GIFT-128, COFB performs much better in hardware area: it consumes fewer than 1000 LUTs while maintaining the same security level. However, when implemented with the CAESAR hardware API, there are significant overheads in both hardware area and throughput. COFB with AES-128 requires about 1475 LUTs, and COFB with GIFT-128 a few more than 1000 LUTs. Though there are overheads, both figures still show competitive implementation results compared to other authenticated encryption constructions.

Updated: 2019-05-17