COMET : COunter Mode Encryption with authentication Tag
COunter Mode Encryption with authentication Tag, or
Features
Some of the standout features of
-
1. Small state size:
COMET is designed to achieve minimum state size. It achieves minimal state size, in the sense that the only state it requires (apart from some auxiliary bits) is used for the block cipher, i.e. $(n+\kappa)$-bit state. We believe that this is the smallest possible state size for nonce-based AEAD schemes with security level and data processing rate comparable to that ofCOMET . -
2. Inverse free:
COMET is inverse free, i.e. it does not require the decryption algorithm of the underlying block cipher. This helps in reducing the hardware and software footprints for combined implementations. -
3. Efficiency:
COMET is nonce-based, which helps in keeping the design single pass. This is beneficial in both hardware and software. The block ciphers in different variants ofCOMET are chosen in such a way that the overall instantiations allow for efficient implementation in their respective categories. -
4. Dynamic key updation: In
COMET no two blocks share the same key non-trivially. In other words each block is processed with a distinct key with overwhelming probability. This helps in mitigating certain side-channel attacks, as the adversary gains very little side-channel information due to the often change in key. -
5. Design simplicity: The design of
COMET is extremely simple. Apart from the block cipher invocation, it only requires shift and XOR operations.
Mode of Operation
Parameters:
The
- •
COMET -$128$: Here $\kappa=128$, $r=128$ and $t=128$. - •
COMET -$64$: Here $\kappa=128$, $r=120$ and $t=64$.
Encryption/Decryption Process:
Figure 1 illustrates the major components of the encryption/decryption process. As mentioned before,
Instantiations
Software-oriented Instances:
-
1.
COMET -$128$_AES -$128/128$: This version usesAES -$128$ block cipher inCOMET -$128$ mode. [Primary Recommendation] -
2.
COMET -$128$_Speck -$64/128$: This version usesSpeck -$64/128$ block cipher inCOMET -$64$ mode.
Hardware-oriented Instances:
-
1.
COMET -$128$_CHAM -$128/128$: This version usesCHAM -$128/128$ block cipher inCOMET -$128$ mode. -
2.
COMET -$128$_CHAM -$64/128$: This version usesCHAM -$64/128$ block cipher inCOMET -$64$ mode.
Rationale
The primary motivation behind
Nonce Usage:
Choice of Nonce-based Initialization:
-
State Derivation in
COMET -$128$: In this case the input nonce is encrypted with the master key to get a nonce derived key and the master key is used as the initial input. This helps in two respects: first, the security of the mode can be shown in more relaxed security models \cite{GueronL17}; second, the underlying block cipher is only required to be related-key secure under without replacement key derivation. -
State Derivation in
COMET -$64$: In this case, the block size is smaller than the nonce size, which makes it difficult to process the nonce in one go. Since the focus ofCOMET -$64$ is more towards, state size reduction, we sacrifice a little bit in terms of security. Here the master key is XORed with the input nonce to generate the initial key and the encryption of $ 0 $ under master key is used as the initial input.
Choice of $ \varphi $ Function:
We need that the $ \varphi $ function should have a large period, so that within an encryption query there is no collision in the key input of each block. Multiplication by primitive element $ \alpha $ has this property. In this case two block keys can be same only if the input length goes beyond $ 2^{64} $. So we choose $ \alpha $ multiplication as our choice of $ \varphi $. Note that, it is also expected to resist the existing related-key attack strategies based on key difference.
Choice of $ \varrho $ Function:
Like
Security
Security of the COMET mode of operation:
Table 1 summarized the security claims for concrete recommendations based on the
Schemes based on
Schemes based on
Security of the underlying block ciphers:
All the block ciphers used in the
Third Party Analyses:
A summary of all published third party analyses on
-
1. ePrint Report 2019/888: Khairallah[8] claims a forgery attack on
COMET -$128$ mode in roughly $2^{68}$ bytes data complexity and negligible time complexity. The same attack is extended to recover the key in roughly $2^{68}$ bytes data complexity and $2^{65}$ time complexity. This attack does not violate the security ofCOMET -$128$ as it breaches the data complexity limit.
References
- ^ Morris Dworkin. Recommendation for Block Cipher Modes of Operation – Methods and Techniques. In NIST Special Publication 800-38A, National Institute of Standards and Technology, U. S. Department of Commerce (2001).
- ^ Avik Chakraborti, Nilanjan Datta, Mridul Nandi, Kan Yasuda. Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers. In IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2) (2018) 218-241.
- ^ Avik Chakraborti, Nilanjan Datta, Mridul Nandi, Kan Yasuda. Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers. In IACR Cryptology ePrint Archive 2018 (2018) 805.
- ^ NIST FIPS 197. Advanced Encryption Standard (AES). In NIST Federal Information Processing Standards Publication 197, National Institute of Standards and Technology, U. S. Department of Commerce (2001).
- ^ Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers. The Simon and Speck Block Ciphers on AVR 8-bit Microcontrollers. In LightSec 2014 (2014) 3-20.
- ^ Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers. SIMON and SPECK: Block Ciphers for the Internet of Things. In IACR Cryptology ePrint Archive 2015 (2015) 585.
- ^ Bonwook Koo, Dongyounh Roh, Hyonjin Kim, Younghoon Jung, Donggeon Lee, Daesung Kwon. CHAM: A Family of Lightweight Block Ciphers for Resource-Constrained Devices. In ICISC 2017 (2017) 3-25.
- ^ Mustafa Khairallah. Weak Keys in the Rekeying Paradigm: Attacks on COMET-128 and mixFeed. In Cryptology ePrint Archive 2019 (2019) 888.