Hi, I'm going to talk about LMDAE: low-memory deterministic authenticated encryption with 128-bit security. I'm Yusuke Naito, and this is joint work with Yu Sasaki and Takeshi Sugawara.

This is a summary of our results to obtain a low-memory deterministic authenticated encryption with 128-bit security. We designed a new TBC-based DAE mode, LMDAE. LMDAE has a 2n-bit state and achieves n-bit data security when using an n-bit TBC. Due to the birthday bound for an internal state size, the state size is optimal. LMDAE is designed to have no tweak schedule inverse, thus reducing hardware cost. Moreover, LMDAE ensures low memory for threshold implementation, or TI, which is a side-channel attack countermeasure. Then we designed a new TBC, Tweak Skinny. Tweak Skinny is a variant of Skinny where a 3-bit tweak space is added in order to meet the LMDAE structure. Tweak Skinny is designed to minimize the implementation cost of the key schedule inverse. Combining LMDAE with Tweak Skinny, we obtain a low-memory DAE with 128-bit security. Finally, we give a hardware implementation of our DAE, and we compare our DAE with the state-of-the-art TBC-based and nonce-based authenticated encryption, PFB and PFB Plus. The memory sizes of these schemes are the same as our DAE. But since the tweak inverse cost is small, the hardware size of our DAE is smaller than those existing schemes. And for threshold implementation, the hardware size of our scheme is smaller than that of PFB.

I'd like to first talk about the background of our research. Lightweight cryptography has been a hot topic in cryptography for more than a decade. The motivation is to design cryptographic algorithms that achieve efficient performance and provide data security for resource-constrained devices. Lightweight includes a lot of meanings, such as low memory, power consumption, latency, and so on. The target of this talk is low memory. Memory size determines the overall hardware cost in lightweight implementation. So by reducing memory size, the hardware cost
is reduced.

Now, NIST is holding a lightweight cryptography standardization process for authenticated encryption. The standardization process demands replacing AES-based schemes such as AES-GCM and optionally considers security against side-channel attacks. NIST selected 10 finalists, which include different types of primitives due to the design diversity. Many candidates have more than 64-bit security for this size.

Authenticated encryption provides confidentiality and integrity of data. Many schemes are designed to have a nonce as well as a key, associated data, and plaintext. A nonce is an input to authenticated encryption and a non-repeated value in the encryption procedure. This property offers AE schemes with beyond-birthday-bound security or with low memory. Use of a nonce is a requirement of the NIST standardization process. On the other hand, there are several issues for nonce implementation. For example, a nonce is repeated due to a tiny nonce space, a nonce is fixed to some constant, and so on. In addition, nonce requirements require extensive non-volatile memory. DAE solves these problems: DAE provides confidentiality and integrity of data without a nonce.

This talk focuses on the design of low-memory DAE with 128-bit security and additionally considers the side-channel attack countermeasure threshold implementation, or TI. DAE takes a key, associated data, and plaintext. In order to ensure security in this setting, the algorithm must ensure that each bit of the input affects the whole output. DAE schemes have an SIV-type structure, which is two-pass and has a MAC-then-encrypt structure like this figure. Several DAE schemes have been proposed from these primitives: block cipher, tweakable block cipher, and permutation.

In this slide, I explain which primitive meets our goal: a 128-bit secure, low-memory, and TI-friendly DAE. In order to achieve 128-bit security, the key size must be 128-bit and the state size must be at least 256-bit. This size is from the birthday attack on the internal state. For block cipher, in order to handle a 256-bit state, the block size must be at
least 256-bit. On the other hand, block ciphers have been designed to have at most a 128-bit block. In TI, the non-linear state size is tripled while the linear state size is doubled. Since the block size is equal to the non-linear size, in TI the state size of a block cipher is large, and so block cipher does not meet our goal. For permutation, as in the block cipher case, we need a 256-bit permutation, that is, the non-linear size is large, so permutation does not meet our goal.

The last primitive is tweakable block cipher. Tweakable block cipher is an extension of block cipher. An additional input called a tweak is introduced, which offers distinct permutations by changing the tweak. As with block ciphers, tweakable block ciphers have been designed to have at most a 128-bit block, but the tweak contributes to designing BBB-secure nonce-based AEs. Moreover, TBCs offer TI-friendly modes such as PFB and PFB Plus, because the block size is small and the tweak and key are processed by linear operations. From these features, we choose TBC as the primitive of our DAE.

To design a 128-bit secure and TI-friendly DAE with a 256-bit state, we need to design a DAE mode such that, for the security level s, the memory size is 3s bits and the block size is s bits. For existing TBC-based DAEs, none of the DAEs satisfies these requirements. The first scheme is a highly efficient DAE in that it is parallelizable and has an efficient MAC structure, but the DAE requires a large memory size. These two schemes are nonce-based schemes and achieve n-bit security in the nonce-respecting setting, but these schemes fall into B7 security in the DAE setting where the nonce is fixed, so these schemes also require a large memory.

So we design an n-bit secure DAE with a 2n-bit state from an n-bit block TBC. We first define a state-update function, shown here. The function is designed to have only linear operations except for the tweakable block cipher, since we consider lightweight schemes. In this function, firstly, the 2n-bit state is updated by data blocks D1 and D2, where each block size is at most n-bit. Then the TBC is performed, and finally the TBC
output and the remaining n-bit state are mixed by this linear function. There is a 3-bit domain separation.

Iterating this function offers 2n-bit state schemes. For the speed of the schemes using this function, when the data block size is 2n-bit, the DAE becomes fastest. But unfortunately, if the size is greater than n-bit, there is a 2^(n/2) attack. For example, this is one iteration of the state-update function where each data block size is n-bit. If a collision of this TBC output occurs in this part due to the difference of this data block, then, since we can set the same difference to this data block, there is a collision in this part with 2^(n/2) query complexity. So the maximum data block size of the state-update function is n-bit.

So we design a DAE using the state-update function with the n-bit data block size. The DAE follows the SIV-type design: this is the MAC part and this is the encryption part. The MAC part processes associated data A and plaintext M. Then, using the tag from this part, the encryption part generates the key stream RT to encrypt the plaintext. Each part is designed by just iterating the state-update function with n-bit data blocks. In LMDAE, the permutation pi is introduced in the lower part of each state-update function, and we can choose an arbitrary permutation. So, choosing the tweakey scheduling as the permutation, we don't need to implement the inverse of the tweakey scheduling, which reduces the implementation cost.

Regarding security, the security of LMDAE using an n-bit block TBC is the indistinguishability between LMDAE and an ideal DAE, that is, between the encryption and decryption oracles of LMDAE and those of the ideal DAE, which returns random bits. The internal part is updated, so a collision in the internal part requires 2^n query complexity. For the encryption part, the TBC input in this part can be a 2n-bit random value, so a collision of the TBC inputs requires 2^n query complexity. Keystream RTE can be seen as a random value. Therefore, LMDAE is indistinguishable from the ideal DAE up to 2^n query complexity. That is, LMDAE achieves n-bit security.

Next, I explain the underlying TBC of our DAE. LMDAE needs to support a 128-bit block, 128-bit key, 128-bit tweak, and an additional 3-bit tweak for the domain separation. Skinny-128-256 almost meets the requirement of LMDAE. However, the tweak space is 3 bits short. The elastic tweak enables converting TBCs to slightly enlarge the tweak size. We decided to combine these two approaches. However, elastic tweak was designed to minimize the number of computations by increasing the state size, which is not suitable for LMDAE. Hence, we modified the elastic tweak to be hardware-friendly.

In the original elastic tweak, a small tweak of 3-bit 1-bit is first expanded to 3-bit 2-bit. Then, the expanded tweak is injected to 3-bit 3-bit or the data state in every 3-4 rounds. The tweak expansion requires an increase of the state. Also, the sparse tweak injection requires different operations depending on the round. In our design, we don't expand the small tweak. In every round, an LFSR is applied to the small tweak and it is injected into the data state. We apply exactly the same operation for every round, which contributes to lowering the memory size.

This page shows the round function of TBC128256. Most of the round function is the same as Skinny, with the red-lined area being the elastic tweak portion that handles the original 3-bit tweak. Without touching the 3-bit tweak or the domain separation processed by the elastic tweak, the security of the 3-bit tweak is the same as that of Skinny. The optimal locations to insert the tweak were chosen by evaluating the number of active S-boxes with MILP for various choices. As shown in this table, sufficient active S-boxes are guaranteed.

So, I
explain the hardware performance of our DAE. We made a hardware performance evaluation by implementing LMDAE with Tweak Skinny. Since there is no comparable TBC-based DAE, we compare the performance with nonce-based masking-friendly schemes using Skinny, namely, PFB with Skinny and PFB Plus with Skinnye. For fair comparison, we implement the previous schemes with the same design policy, tools, and standard cell library.

This figure is the data path diagram of the LMDAE circuit. The design follows the BICR architecture common for lightweight block cipher implementations. The data path is basically a Skinny implementation with a few additional gates needed for LMDAE. Since we set pi as the Skinny tweakey scheduling, we can eliminate the circuit for the inverse operation, which was necessary for the conventional schemes. We also implement a protected implementation with threshold implementation. In addition to the round function, which needs three shares, we also protect the tweakey array storing the secret, but we use only two shares because the tweakey schedule is linear.

This table summarizes the circuit area of LMDAE and the conventional schemes, with and without TI, in NAND-equivalent gate count. This table also shows the total memory size in bits because it has a great impact on the circuit area. In the results without TI, shown in this part, LMDAE achieves the smallest circuit area, although the memory size is the same in all the schemes. This advantage comes from the tweakey implementation: we could eliminate several 128-bit selectors needed for inverting the tweakey schedule. With TI, in this part, the nonce-based PFB and PFB Plus become advantageous in memory size because they have a large public memory that needs no side-channel attack protection. Such optimization is not available to DAE, but the LMDAE size is still comparable to PFB because of the efficient tweakey implementation.

This is the conclusion of my talk. We proposed a low-memory DAE with 128-bit security that is TI-friendly. We designed a TBC-based DAE mode, LMDAE. When using
an n-bit block TBC, LMDAE has n-bit security and a 2n-bit internal state. LMDAE does not require the inverse of the tweak scheduling of the underlying TBC. We then proposed Tweak Skinny. It is a variant of Skinny where a 3-bit tweak space is added. It is designed so that the cost of the scheduling inverse is small. Finally, we gave a hardware implementation of our DAE and compared our DAE with the state-of-the-art TBC-based and nonce-based authenticated encryption, PFB and PFB Plus. The memory sizes of these schemes are the same as our DAE, but since the tweakey inverse cost is small, without TI the hardware size of our DAE is smaller than those existing schemes, and with TI the hardware size of our scheme is smaller than that of PFB.

Thank you very much.