Parallel Sponge-based Authenticated Encryption with Side-Channel Protection and Adversary-Invisible Nonces

Since its birth in 2000, Authenticated Encryption (AE) has been a hot research topic, and many new features have been proposed to boost its security or performance. The block cipher was the dominant primitive in constructing AE schemes, followed by stream ciphers and compression functions until the sponge construction emerged in 2011. Sponge-based AE schemes provide functional characteristics such as parallelizability, incrementality, and online. They also offer security features for protection against active or passive adversaries. Currently, there exist parallel sponge-based AE schemes, but they are not protected against simple power analysis (SPA) and differential power analysis (DPA). On the other hand, sponge-based AE schemes that protect against such attacks are serial and cannot be parallelized. Furthermore, sponge-based AE schemes handle the nonces in a way that could allow misuse. So, sponge-based AE schemes that hide the nonce from adversaries are also an open problem. This work aims to bridge these gaps by proposing a parallel sponge-based AE with side-channel protection and adversary-invisible nonces (PSASPIN), using parallel fresh rekeying and the duplex mode of the sponge construction. A leveled implementation is used to implement the key generation part using a pseudorandom function (PRF) based on the Galois field multiplication. The data processing (the rekeyed) part is implemented using the sponge-based duplex mode. Finally, the security proof of the proposed scheme is provided using game-based theory according to the PRP/PRF switching lemma, and its performance is analyzed.


A. BACKGROUND
The use of authenticated encryption (AE) schemes is a crucial element for secure communications to protect the confidentiality and integrity of messages. One of the most popular protocols for protecting Internet communications, the Transport Layer Security (TLS), has already phased out non-AE schemes in its current version (1.3), first defined in 2018. Encryption primitives such as block and stream ciphers only provide confidentiality, i.e., messages are protected from being viewed by unauthorized entities. Such primitives cannot be simply used in secure communications since an adversary can tamper with the encrypted message (i.e., ciphertext) without detection. In that regard, [1] and [2] came up with the first AE schemes by integrating encryption and message authentication code (MAC) schemes. AE with associated data (AEAD) offers authentication of additional unencrypted chunks of data [3][4][5][6]. A classic case is a network packet header, where only the message must be encrypted, but the header and the encrypted content must be authenticated. Figure 2 illustrates a schematic structure of an AE scheme.
The combination of ciphers and MACs can be achieved in several ways depending on the order in which encryption and authentication algorithms are applied and are usually termed the "generic compositions": (1) Encrypt-Then-MAC, in which the message is first encrypted, and then the authenticated tag is generated on encrypted message; (2) Encrypt-and-MAC, in which the encryption and Since the seminal articles of Bellare and Namprempre [1], [12], AE has experienced continuous improvements. The belief that AE schemes could still be refined led to the Competition for AE: Security, Applicability, and Robustness (CAESAR) project, jointly commenced in 2013 by the U.S. National Institute of Standards and Technology (NIST) and Dan Bernstein. NIST declared the final CAESAR portfolio (winners) in 2018, consisting of six schemes [13][14][15][16][17][18]. In the same year, triggered by the upsurge of the Internet-of-Things (IoT), which mainly consists of resource-constrained devices, the NIST solicited a call to standardize lightweight AE schemes (hereafter referred to as NIST-LW schemes). On March 29th, 2021, NIST announced ten finalists out of the 32 candidates from Round 2 as the final portfolio for standardization [19].
AE protects data confidentiality (or privacy) and integrity/authenticity in two forms, each of which branches into two notions of security. Confidentiality protects the secrecy of information in case of the Chosen-plaintext attack (IND-CPA) against passive adversaries and chosen ciphertext attack (IND-CCA) against active adversaries [2,20,21]. Integrity guarantees that the messages are from legitimate sources and have not been tampered with during transit at rest. It protects the integrity of plaintext under the INT-PTXT model and that of the ciphertext under the INT-CTXT model. AE schemes rely on a user-supplied value (a nonce) as an input to the AE scheme that is not supposed to be repeated to encrypt different plaintexts under the same key [10,21]. Nonces do not have to be random; they must be different for each successive usage. An example is a counter that increases with every new encryption. [22]. The way that the nonces are generated or transmitted is the responsibility of Application developers. However, such practice is vulnerable to misuse because reusing nonces (intentionally or otherwise) can have serious consequences. The security of numerous applications and protocols has been abused due to the mishandling of nonces. Examples of violated applications are Wired Equivalent Privacy (WEP) [23], WinZip [24], Wi-Fi-protected access (WPA) 2 [25], and Microsoft Office [26]. Consequently, it is necessary to have AE schemes that provide an acceptable level of protection in the face of such violations. To deal with this issue, Rogaway and Shrimpton [27] proposed the notion of a nonce misuse-resistant AE (MRAE) in 2006. An MRAE scheme guarantees an acceptable level of security even though nonces are reused [27].
Despite the benefits that nonces brought to strengthen security, they have also become a tool to spoil nonce-based encryption schemes' protection; their security claims hold as long as nonces are unique. The valid nonces format and the way to transmit them also stimulated a hot debate among the research community. Some claim nonces can be any text or value, like counters, and can be sent in plain to the receiver along with ciphertext [21,[28][29][30]. On the other extreme, [31] stated that sending nonces in clear or using values like DeviceId could compromise security.
To bridge the gap between theory and practice of nonce handling, Bellare et al. in [31] proposed an approach to alleviate the nonce handling burden and prevent its potential misuse by hiding it like the message. Nonce-hiding eliminates the nonces from the decryption algorithm of the schemes so that the receiver does not have to worry about handling nonces anymore. Finally, in [31], the authors demonstrated simple ways to turn traditional nonce-based authenticated encryption schemes into nonce-oblivious ones for the block cipher-based AE schemes. However, nonce oblivious AE schemes based on Sponge construction remain an open problem.
In addition to analyzing an AE scheme under the mentioned security models, attacks may benefit sideline information from its implementation environment to break systems. Such attacks, classified as SCAs, are particularly harmful when devices with sensitive information like IoT devices, sensor network nodes, and smart cards are in the hands of adversaries or are mounted where they are accessible to the general public [32], [33,34]. Cryptographic algorithms are notably weaker when used in their lightweight form, as Heuser et al. [35] stated. Several techniques are in place to prevent SCAs, including hiding [35], masking [33,[36][37][38], and code morphing techniques [39]. However, re-keying is a less resource-intensive way to protect against side-channel attacks (SCAs) [33,40,41]. In this approach, the core ciphers are not used in their plain fashion, but they are used with a subkey generation function that uses the master key as input and generates session keys for data processing. The core cipher, a block cipher, for example, itself should be cryptographically strong. It should use the subkeys sparingly (once or a few times) and needs to get protected against Simple Power Analysis (SPA) only. On the other hand, the sub-key generation function needs to be heavily protected against SPA and stronger differential power analysis (DPA) but does not have to be cryptographically strong. This concept is termed 'leveled implementation' as stated by Abdalla et al. [40] and Mennink in [33] AE schemes are built on some underlying constructions or building blocks in AE. Some of the most used building blocks are block ciphers. Famous block ciphers to create AE schemes include the AES [42], GIFT [43], and SKINNY [44]. Examples of Stream ciphers are in [45]. Permutation-based structures use either dedicated or keyless permutations as building-block primitive. Schemes in this class apply techniques like XOR, Encrypt XOR, Encrypt Mix Encrypt (EME), or variations of the Even-Mansour construction [46] instead of permutations in a sponge-like mode. The sponge construction is the most used form of keyless permutation. Several schemes use permutations in a sponge-like mode of operation, like the Keccak-f permutation used in the SHA3 hash function, whereas others rely on dedicated permutations [47]. There are also AE that are based on other building blocks like hash function/compression function (CF) like in [48], as there are schemes that use dedicated structures as their underlying structure like those in some other works [49,50] [51].
Besides the security-related characteristics, other essential attributes boost the performance and efficiency of AE schemes, like the following: Parallelizability, which indicates the ability of a scheme to process the i th block independently of the j th block [52]. Online, which indicates the ability of a scheme to compute the i th ciphertext block having processed the first i plaintext blocks and does not need to know any plaintext beyond that block [53]. Inverse free: A scheme is inverse free if the underlying primitive does not require its inverse to perform encryption or decryption [14,15]. Incrementality is the ability of a scheme to update parts altered only by the last activity, given a previous ciphertext-tag pair (C, T) [54]. Being single-pass renders a scheme more efficient and indicates that a scheme processes the plaintext only at once to achieve confidentiality and integrity [55,56]. The Lightweight property indicates whether a scheme is intended for use in resource-constrained environments [57,58]. In the NIST-LW competition dedicated to lightweight AE, several schemes ideal for use with low resource devices were proposed, such as those in [50,59]. Nonce-obliviousness is another desirable feature in situations where nonce mishandling can be expected.

B. CONTRIBUTIONS
The main contribution of this work is to propose and implement a sponge-based AE scheme with the following features: Nonce-oblivious, single-pass, Nonce Misuse Resistant (NMR), parallelizable, Incremental, Single-pass, and protection against SPA and DPA using parallel fresh rekeying. This work is a complementary part of the continuous endeavors to enhance the AE schemes in terms of security, performance, and efficiency and is inspired by ISAP [60] and Nonce-hiding schemes [61]. However, our scheme differs from those works in five main ways: First, Parallel Spongebased AE with Side channel protection and Adversary invisible nonces (PSASPIN) is parallel processing more than one data block simultaneously. Second, it uses the leveled implementation differently. For instance, ISAP uses spongebased functions for rekeying and data processing, whereas PSASPIN uses a key generation PRF based on Galois Field multiplication. Although using the same construction for rekeying and data processing reduces the code size but might be susceptible to a chosen-plaintext attack [62]. Third, PSASPIN is nonce-oblivious using a modified syntax of NAE so that the decryption does not take a nonce as an input parameter. Fourth, our scheme is Nonce Misuse Resistant (NMR); that is, it provides the best security possible in the case where the nonce is repeated. Fifth, PSASPIN provides a security proof based on game-based theory and PRP/PRF switching lemma [27,50,63].

C. ORGANIZATION OF THIS WORK
We describe related work in Section II. In section III, we present a model of AE. Section IV is an introduction to the PSASPIN AE scheme and its features. The security analysis and proofs are given in Section V. We present the performance analysis in In Section VI. Section VII is the discussion part, and Section VIII concludes this work.

II. RELATED WORK
The security strength of cryptographic structures is typically measured based on the assumptions that adversaries behave according to security models defined with conditions and limitations specified by the protocol [33,64]. Furthermore, adversaries traditionally took advantage of weaknesses in the cryptographic algorithms to breach security. SCAs cast doubt on the trustworthiness of this model [33]. These attacks acquire side-line information about cryptographic functions through passive attacks such as SPA [35,[65][66][67], DPA [35,68], timing patterns [68], power consumption [39] or electromagnetic emissions [69]. In addition to the traditional types mentioned above, SCAs have been evolving, and recent works show more recent varieties based on techniques like deep learning [64], Artificial Neural networks [70], and thermal sensors [71].
SCAs take advantage of the relationship between the cryptographic algorithms and the patterns of radiations from the implemented devices. The main philosophy of these attacks is deducing the secret key from their relationships with the side channel signal behavior [35,65]. SCAs are especially dangerous when cryptographic devices are placed where they can be physically accessible by adversaries. Several mechanisms have been proposed in the literature for protection against SCAs, including hiding [35] and masking [33,[36][37][38]. However, these countermeasures imply heavy performance penalties that are unbearable in resourceconstrained environments such as IoT devices and smart cards. Fresh rekeying [40,41] is a less resource-intensive way to obtain SCA protection than other mentioned ways. Furthermore, fresh rekeying provides protection against SCA by preventing the attackers from obtaining the intermediate key materials by confining the use of every session key to once or few times [40,41,62,72].
Nonces are used in AE schemes to prevent predictability and thus boost security as long as they are unique. The Ideal way of using nonces (or IVs) is to make sure that they are not repeated. Still, nonce repetition may occur accidentally, deliberately, or due to device malfunctioning, virtual machine cloning, or resetting source of generations [73,74]. Rogaway and Shrimpton in [27]proposed the SIV model of operation. They came up with the idea of Nonce Misuse Resistance Authenticated Encryption (NMRAE) which provides the best security possible such that the authenticity remains protected. Privacy is protected only to the extent that some minimal information may be leaked, whether two plaintexts are equal and revealed if the message M, the header H, and the particular Nonce (IV) are repeated together, which can happen with negligible probability.
In addition to their misuse through repetition, how nonces are communicated stirred a hot debate within researchers. The gap between the theory and practice of using nonces and the concern of security breaches caused by wrongly handling them was first raised in 2019 by Bellare, NG, and Tackman [61]. They suggested a nonce hiding (NH) syntax for AE schemes and concretized it in the context of Block cipherbased schemes defining several options for processing and transmitting the nonces and defining the level of security they targeted (NH1 to NH5 transforms).
The sponge construction, first proposed by Bertone et al. in [75], is an iterated cryptographic primitive for building a function f with variable-length input and arbitrary output length based on a fixed-length transformation or permutation [75]. The sponge construction operates on a state of b = (r + c) bits where r is called the bitrate and c is the capacity [75]. The sponge first absorbs its input block by block before processing and squeezing them out afterward. The sponge construction is the most used form of keyless permutation in AE. Sponges are also used for other cryptographic purposes like re-seedable pseudorandom generators and stream ciphers [47]. The sponge function is used in several modes based on the functionality required; for instance, the Duplex and its variant MonkeyDuplex [47,76] modes are mainly used to implement online, single-pass AE schemes. Figure 1 depicts the sponge construction proposed by Bertoni et al. [75]. The security of the Duplex construction can be proved to be equivalent to the Sponge construction through the Sponge/Duplex lemma in [75]. One of the winners in the CAESAR competition, namely Ascon [14], was based on Sponge construction, while five out of the ten finalists in the NIST lightweight competition were based on sponge construction, namely: Ascon [77], Elephant [78], ISAP [79], Photon-Beetle [80], Xoodyak [81] Besides the security features, functional characteristics like parallelizability, incrementality, and being single-pass are indispensable for AE schemes because they contribute to the performance and efficiency of the schemes. Most of the sponge-based AE schemes are serial in nature since the original construction can not be parallelized at the algorithmic level. Still, several parallel AE sponge-based AE schemes have been proposed based on the Duplex construction. For instance, the AE schemes [82][83][84] provide various degrees of parallelizability incrementality, but they are not protected against SCAs. Being nonce obliviousness, proposed by Bellare et al. [61], obviates program designers from the burden of taking care of nonce transmission by modifying the traditional syntax of Nonce-Based Authenticated Encryption (NBAE) so that the nonce is integrated into the ciphertext and recovered at the destination. The nonce-hiding transforms were proposed and concretized for block ciphers in [61].
Cryptographic sponges offer a promising solution for protection against SCAs. Furthermore, the capacity parameter of the sponge construction helps withstand SCAs [60,85]; however, the Sponge-based AE schemes that are incremental and single-pass do not provide protection mechanisms against SPA and DPA [83,84]. On the other side, Sponge-based AE schemes that offer protection against SPA and DPA are neither parallelizable nor incremental. Examples of such schemes are [79,85,86]. In addition to that, as far as the authors know, there are no sponge-based AE schemes that are nonceoblivious and NMR. Table I compares

IV. PARALLEL SPONGE-BASED AE WITH SIDE-CHANNEL PROTECTION AND ADVERSARY INVISIBLE NONCES (PSASPIN)
PSASPIN is an Authenticated encryption with associated data based on the duplex mode of the sponge construction protected against SPA and DPA using Parallel fresh rekeying. It hides nonces from the adversary by taking a nonce as part of the input to the encryption but omitting it from the decryption. Nonces are encrypted, together with ciphertext, extracted at the destination, and used in the decryption to obtain plaintext. In that way, the nonce is invisible to the adversary and alleviates the burden of nonce management from the implementors and developers. PSASPIN has the following desirable properties important for AE schemes in terms of security, performance, and efficiency: parallelizable, incremental, single-pass, sidechannel protected, and nonce-oblivious (preventing the adversary from viewing/ accessing the nonces).

A. PARAMETERS
The following are the main parameters used in the encryption and decryption algorithms of PSASPIN: Key size, block size, Nonce size, and the Tag size are 128 bits, and the number of rounds is eight rounds.

B. NOTATIONS
Here we introduce the notations used in this work. By K, T, N, IV, we denote the key, the authentication tag, the nonce, and the initialization vector, respectively. By M, C, A, we denote the plaintext, the ciphertext, and the associated data, respectively. By ⊥ (bottom), we mean an Error or failure of verification. By S, we denote the state of the sponge construction, which is 320 bits. Sc stands for the internal state (the capacity part), while Sr stands for the outer state (the rate part). By P, we denote the Sponge permutation. By 0 k we mean an all 0-bit string of length k. By |X|, we indicate the length of string X. By X||Y; we denote the string 'X' concatenated to the string 'Y.' By ⨁ we denote the XOR of 'X' and 'Y' strings. By ⌈ ⌉ We denote a bitstring X truncated to the most significant (last) k bits. By ⌊ ⌋ , we denote a bitstring X truncated to the least significant bit (first) k bits.

C. PSASPIN AUTHENTICATED ENCRYPTION SCHEME
PSASPIN AE takes four parameters: A 128-bit secret session K * derived from the master key K, an arbitrary length plaintext message M, an arbitrary-length Associated data A, and a public message number (nonce) 128-bit N. The scheme also Takes a 128-bit Secret Message Number nonce (SMN) in the encryption. The decryption takes A 128-bit secret session K * derived from the master key K, cyphertext C, and an arbitrary-length Associated data A. The scheme uses a modified syntax of NAE so that the decryption does not take a nonce as an input parameter. The scheme is based on the duplex mode of sponge construction but uses fresh rekeying to get a fresh key for every invocation of encryption/decryption and authentication functions. A general scheme view is depicted in figure 3. The encryption VOLUME XX, 2017 1 and decryption process of SASPIN AE are shown in figure 5 and figure 6, respectively.

D. PSASPIN PROCESSES
Several steps are necessary for PSASPIN to do its job, from initialization, encryption/decryption to finalization and tag generation. In the initialization and finalization, Parallel Fresh Rekeying (PFRK) is called to feed the process with a new session key.

1) INITIALIZATION
In the initialization process, the PFRK is called. It takes a master K and a Random IV and produces a fresh session key Ks to protect the scheme against SPA/DPA. See algorithm one later in this section for details of FRK. After generating the session key, the shared state S is updated. The first Random IV is generated at the source and securely shared after that and will be incremented to keep the sides synchronized to the sponge permutation P. A counter (Ctr) is generated to keep track of the number of parallel threads incrementing by 1 with every lane.

2) PROCESSING THE ASSOCIATED DATA
PSASPIN first breaks the Associated data message into r bit block. Padding is done by appending '1' and a minimum number of '0's to A so that its length is a multiple of the block size r. If the AD block is empty, no padding is necessary. The AD is processed one block of r bits at a time. A0||A1||……..Ai||, |A|=r. Every block of A is XORed with the outer part of the state (Sr), then it is concatenated with the inner part of the state (Sc). The state is updated by the permutation P in the following manner: ← (( ⨁ ) ∥ ). After processing the last Ai, a 1-bit domain separator is XORed with the state S: ← ⨁(0 319 ∥ 1) to indicate the end of Associated Data and plaintext parts and prevent attacks that change the roles of Associated Data and plaintext blocks as in Ascon [77].

3) PROCESSING AND HIDING THE NONCE (SMN)
The concatenation of the first plaintext block (M0), the first Associated Data Block (A0), and the Public Message Number (N) is OXR-ed with the inner part of the state Sr, ← ⨁( ∥ 0 ∥ 0 ), then the outer state and the new nonce N1 is assigned to the inner state Sr: 1 ← , after that, the state is updated in the following manner: Sr←Sr⨁(N1); S←P((Sr⨁N1)||Sc). The new nonce N1 is a ciphertext of the original nonce and will be XORed with the first block of the ciphertext in the next stage.

4) PROCESSING THE PLAINTEXT (ENCRYPTION)
After breaking the plaintext message into blocks of size rbits, the first plaintext block (M0) is XORed with Sr to produce an intermediate ciphertext block (CM0): Sr←Sr⨁M0; CM0←Sr. The CM0 is combined with the nonce ciphertext N1 to produce the first ciphertext block (C0), and the state is updated: 0 ← 1 ∥ 0 ; S←P(C0||Sc). For the rest of the plaintext blocks, every block is XOR-ed with the outer part of the state Sr, the subsequent ciphertext blocks are produced, and the state is updated. Sr←Sr⨁Mi ; Ci←Sr ; S←P(Sr||Sc). The last block is processed differently. The last plaintext block (Mz) is XOR-ed with the outer state Sr and is truncated to the length of the original unpadded plaintext length so that the ciphertext and the original plaintext are of the same length: Sr←Sr⨁Mz ; ← ⌊ ⌋ | |

5) DECRYPTION AND EXTRACTION OF NONCE
The encryption and decryption processes of PSASPIN are identical except for the absence of the SMN nonce processing in the decryption. In the decryption, the SNM is extracted from the ciphertext. First, the ciphertext is split into blocks. The first ciphertext block (C0) is split into the core ciphertext part (Cm0) and the nonce part (N1) part, then the outer state is XOR-ed with N1 and transformed with the permutation P. The first core ciphertext is retrieved by XORing Sr with (CM0); 1 ∥ 0 ← 0 ; S←P((Sr⨁N1)||Sc); 0 ←Sr⨁CM0. For the rest of the ciphertext block except the last one, the ciphertext block (Ci) is XORed with the inner sate Sr to produce the corresponding plaintext (Mn), the state is updated; Mi←Sr⨁Ci; S←CMi||Sc; S←P(S). The last ciphertext is produced by XORing Cn with Sc truncated to the original length of the ciphertext; ← ⌊ ⌋ | | ⨁ The padded inner state is then updated to proceed to the finalization state.

6) FINALIZATION
The additional key material is used to defend against sidechannel and forgery attacks in the finalization phase. The state is updated by the concatenation of the secret session Ks key, the initialization vectors (IV), and the string of 0s so that the length of the state S is 320-bit, the state width of PSASPIN, the final tag T calculated from intermediate tags tj, is obtained by the truncation of the XOR of the full state and secret session key Ks to 128 bit, ← ⌈ ⨁ ⌉ 128 , then the concatenation of the ciphertext blocks and the tag is returned: C1||…||Ci||Cz||T. See figures 4.4 and 4.5 for the schematic view of PSASPIN and algorithm later in this section for its processes.

7) THE REKEYING FUNCTION.
There are several options for implementing the rekeying scheme, as shown in Figure 4. This study followed the leveled implementation approach proposed in [41] and adopted by [40,88], where the overall scheme is divided into the rekeying and the rekeyed data processing parts. There are several implementation options for the data processing part: block ciphers like AES, permutations like the duplex mode of sponge construction, or tweakable block ciphers [85]. For the rekeying function, a PRF used as a pseudorandom generator (G) is used, which in turn offers different options: (1) leakage-resilient constructions like duplex sponges [60,85], (2) protected block ciphers like AEAS and SERPENT [89], (3) Tweakable block ciphers (4) Algebraic construction-based Galois field (GF) multiplication, or (5) Traditional block ciphers with countermeasures like masking and hiding [72,86,90].

Figure 4: Options for Implementation of Rekeying Function
This work used the leveled implementation approach, with two possibilities for implementing the rekeying function (G). The first option is to use a function based on a GF multiplication field as in [88,91], but with slight modifications in the present case because their implementations protect only against lower-order differential power attacks (DPAs). This work combines countermeasures for protection against higher-order attacks. For instance, in Algorithm 1, a combination of masking and shuffling is used to protect against SPA and DPA, whereas the sponge-based core primitive uses the session key only once to protect it against SPA. The other option is using a leakage-resilient block cipher, which is a heavier construction than the first option but is the preferred alternative in hardware implementations. See Algorithm 1 for details of the G function based on the GF multiplication field using masking and shuffling combined to protect against higher-order DPA attacks.

V. SECURITY MODEL
The security of PSASPIN is measured in terms of the two levels of its implementation. At one level, the security of the rekeying function (which should be protected against DPA and single power analysis (SPA) and generate session keys to protect the core scheme). At the other level, the security of the sponge function-based duplex constructions is to be protected against SPA. In addition, the whole scheme should preserve the privacy and integrity of the data. The ability of an adversary to break the rekeyed AE can be bounded in terms of the key generation function and the base AE scheme. Several countermeasures for protection against SCAs are implemented at the hardware or software level. Examples of countermeasures are masking, hiding, using logic styles, and using session keys for a single or a small number of operations. According to [35], the best way to benefit from the countermeasures is to combine them; all the effort for protection against SCAs should not be spent on a single countermeasure. For instance, combining masking and shuffling is ideal for protection against first-order and higher-order side-channel attacks. VOLUME XX, 2017 1

A. THE SECURITY OF FRESH REKEYING FUNCTION (G)
The fresh rekeying function used an initial master key to generate session keys in the encryption or AE schemes [33,41]. This method can increase the amount of data that can be encrypted with the same key (known as key lifetime). There are two types of rekeying functions: parallel rekeying, in which subkeys(session keys) are generated independently from the master key and serial generators. The generated subkeys depend on the previous state that continuously updates [41]. According to [62], parallel rekeying is necessary when parallel access to data is used. Following [41], we define the pseudorandomness of a stateful generator: Let G =(K, N) be a stateful generator with a block length k, let n be an integer, and Let A be an adversary. Consider the following experiment: Considering the rekeying function as a stateful pseudorandom generator, we provide the security analysis of our rekeying function regarding the security notions according to that assumption. We follow the approach of [41], but their scheme protects a block cipher, while ours protects a sponge-based, parallel AE scheme. The desired attribute of the generator is pseudorandomness which describes the inability of adversary A to distinguish the generator's output from an equal length random string. We define the advantage (ADV) of adversary A and the advantage function of the generator G in the real and random experiments in the following manner. . We upper bound the advantage of A [ ], , . We construct a distinguisher D for F and relate its advantage to A's advantage. The distinguisher D has access to an oracle O. it computes s=O(1)||…..||O(n) and outputs the same guess A on its input s. we could say that when the Oracle O is drawn at random from F, the probability that the distinguisher D return 1 equals the probability that

B. THE SECURITY OF THE REKEYED AE SCHEME
PSASPIN is an AE scheme based on the duplex mode of the sponge construction. It takes as input plaintext M, associated data A, a PMN nonce N, and a master secret key K used to generate session keys that are used to encrypt and decrypt messages in parallel. For The security of the sponge construction, we consider two notions of security as in the literature [2,20,21]

C. CONFIDENTIALITY (OR PRIVACY).
Confidentiality protects the secrecy of information in the case of the Chosen Plaintext Attack (IND-CPA) against eavesdropping adversaries and Chosen Ciphertext Attack (IND-CCA) against active adversaries. In the former model, the adversary is given an encryption oracle, and in the latter, the adversary is given a decryption oracle; therefore, the adversary's advantage should be negligible in all cases. [2,20,21] VOLUME XX, 2017 1 Let P be a set of idealized permutations of a scheme II. Then, we define the advantage of an adversary A, that has access to both forward and inverse permutations in compromising the privacy of II: ( ) = | , ( ± , = 1) − ,$ ( ±,$ = 1).
The fact that A has access to both forward and inverse permutations is denoted by ± . In the case of PSASPIN, A does not have to be nonce respecting which means it can use the same nonces in calling Ek and $.
( , , ) denotes the maximum advantages of all adversaries that query Ek or $.

D. INTEGRITY/AUTHENTICITY.
Integrity ensures that the messages are from legitimate sources and that they have not been tampered with during transit or while at rest. Furthermore, it protects the integrity of plaintext under the INT-PTXT model and the integrity of the ciphertext under the INT-CTXT model. The former ensures that the adversary is unable to produce ciphertext decryption of a message that the sender had never encrypted, and the latter ensures that the attacker is not able to create a ciphertext that the sender has not previously produced, whether the plaintext is new or not [2,20].
Let us denote P as a set of underlying idealized permutations of AE scheme II. Then, we define integrityrelated goals of AE as captured by the inability of adversary A to come up with a new plaintext that had not been produced by a valid decryption (Dk(C) algorithm by using the secret key K in the following way: ). The probability is taken over random choices of A, K, and P. The adversary succeeds to forge if Dk returns a message that is different from ⊥ on an input (N, A, C, T) where (A, C) have never been produced by Ek after taking (N, A, M) as input. We also assume that the adversary can either be nonce-respecting or non-nonce-respecting in the case of privacy. We symbolize authenticity ℎ ( , , , , ) . We denote the maximum advantage taken over all adversaries that that query ± at most times that make at most queries of total length at most blocks to and at most queries of the total length to /⊥ In the proofs of privacy and integrity of PSASPIN in the following sections, we consider an adversary that makes permutation queries and encryption queries of the total length . For the proof of integrity, adversary A can also make decryption queries of the total length we compute the number of permutation calls via The exact computation is done for encryption queries with similar parameter definitions. Let us consider , consisting of c Associated data blocks and f message blocks, and T intermediate tags, we describe the corresponding n state values in the following manner: In this manner, if the j th query is c+f blocks, then the number of state values ( , ) is c+f+4; therefore, the number of Πfunction evaluations via the encryption query is calculated as follows: The same calculation is done for and , .

E. NONCE-OBLIVIOUS AE
In the light of the work of Bellare, Ng & Tackmann [61], nonce oblivious AE integrates the nonce with the core ciphertext in the encryption process so that it does not take a nonce in the decryption process but extracted from the ciphertext for recovery of the plaintext. The authors in [61] proposed five ways to turn the traditional NBAE (NBE1) into a nonce-oblivious AE (NBE2) in what they termed as Hide-Nonce Transforms (from HN1 to HN5). In this work, we are interested in HN4, which provides Nonce Misused Resistance (NMR) and nonce hiding, and we intend to concretize it for sponge-based AE schemes. In HN4 [61], A PRF F is applied to the triple (M, N, H), as in SIV [74], to produce ay synthetic nonce N1, which is sent as part of the Ciphertext C2. As with SIV [74], the security of HN4 assumes tidiness [94].

F. NONCE MISUSE RESISTANT AUTHENTICATED ENCRYPTION (MRAE)
Nonces are supposed not to be repeated since most AE schemes guarantee security as long as nonces are unique, but VOLUME XX, 2017 1 that is not always feasible in practice. Nonce repetitions can happen because of mistakes, deliberate actions by malicious users, or a result of applications and device malfunctioning like hardware resetting or virtual machine cloning problems [23][24][25][26]. Rogaway and Shrimpton Proposed SIV construction in [27] as NMRAE that provides the best security possible if nonces are repeated. In SIV, the nonce is constructed by applying a

G. PSASPIN ADVERSARY MODEL
The adversary A in this work is assumed to be powerful, having access to the communication channel, aiming to violate confidentiality and integrity, can encrypt different messages with the same nonce, and having access to encryption and decryption oracles. Figure 7 depicts the PSASPIN adversary modeled according to Do et al. framework [95]. PSASPIN is secure as long as A with the defined assumptions, capabilities, and goals cannot violate its security with a non-negligible probability. It is worth noting that although A can use the same nonce to encrypt several messages, it cannot access the nonce (which is encrypted and integrated with the cyphertext) since PSASPIN hides the nonces from adversaries.

H. THE SECURITY PROOF
In this subsection, the security of PSASPIN is proved in the Ideal Permutation Model, where the underlying permutation is assumed to be perfectly random as [92], [50], [93], under the adversary model described in section 5. G. , where Is the total number of primitive evaluations using primitive queries. Theorem 1 implies that PSASPIN protects privacy so long as the total complexity + does not go beyond min {2 /2 , 2 } and the number of primitive queries does not exceed 2 c /r. The proof assumes that PSASPIN is indistinguishable from a random permutation if direct and indirect evaluations of P do not collide. Because of the use of a fresh session key Ks for every encryption/decryption, the uniqueness of the nonce (PMN and SMN), XORing a new CounterID with the state in each branch, state values collide with probability 1/2 b . The collisions between direct calls to p and indirect calls via , could happen with a probability of 1/2 c but do not significantly affect the bound according to the multiplicity principle [96], which limits the maximum number of states with the same rate parts. Now Let's focus on an adversary that can interact with either ( ± , ) or ( ± , $) hose challenge is to distinguish between these two views. Here, the advantage can be expressed as: Π ( ) = Δ ( ± , ; ± , $).

1) PRIVACY OF PSASPIN
(3) To make the analysis simpler, ± is replaced by a random function f following the PRP/PRF switch lemma [92] moving from ± to ± as following: The primitive ± at first maintains an initially empty list Q of tuples (x,y) of queries and responses. The domain and range of Q are denoted by dom(Q) and rng (Q), respectively. For a forward query f(x), if ⊂ ( ), the value which corresponds to value y=f(x) is retrieved. When a fresh, forward query is made, the value x is selected randomly from {0,1} . If the value y is already in rng(f), the primitive aborts, setting the flag bad to true; otherwise, the tuple (x,y) is added to dom(Q) and rng(Q), respectively. The description of −1 is similar. Now ± and ± behave identically so long as ± does not set the 'bad' flag. Given that the adversary makes at most + evaluations of f, that abort (setting the bad flag) may happen with a likelihood of Specifically, let us consider an adversary A that has oracle access to ( ± , ), where ∈ { , $}. The adversary does not have to be nonce-respecting, and she only makes full-block queries, and no padding rules are applied. Queries to the function ± are represented as (x,y) for i = 1 … , whereas queries to F are represented as elements of ( ; , , , ) for j = 1….
. When F = the state values are as follows: ).

Lemma 2 bounds these terms by
Lemma 1: Assuming that event is not triggered, ( ± , ) and ( ± , $) re indistinguishable. Proof: The outputs of the function ± are sampled uniformly at random in both cases of ( ± , ) and ( ± , $). The exception is when a collision occurs and guess occurs; however, this event is already excluded by assuming ¬ . Therefore, only queries to the oracle ∈ { , $) must be considered. Let be a fresh nonce used in the j th F-query with state values ( ; , ) and with the corresponding ciphertext and tag ( , ), and let c and f be the number of padded plaintext and associated data blocks, respectively.
By the definition of $ in the ideal world ( , ) $ ← {0,1} | |+ , It can be proven that ( , ) is distributed identically in the real world, assuming that ∨ is not triggered. In PSASPIN, several facts contribute to the freshness and hence the uniqueness of state values: (1) using a fresh session key in each encryption/decryption; (2) the uniqueness of the nonce values (PMN and SMN). (3) XORing the thread counter in each of the parallel lanes. So, it can be claimed that , is fresh and that ( , ) does not have a collision with any other F-query; otherwise, ¬ would have been triggered. Because ,0 = ( , ) ⊕ 0 , it can be claimed that The state ,0 is fresh and hence unique; otherwise, 'event' would have been triggered. In the same manner, , is fresh for > 0. Therefore, the ciphertext blocks are computed as , = , ⊕ [ ( , −1 )] . Because the state , −1 has not been evaluated by f, it outputs a fresh random value from (0,1) , and hence , $ ← {0,1} . In the tag formation process, the output of the final permutation P is XORed with a fresh session key and truncated to the last 128 bits ( ← ⌈ ⨁ ⌉ 128 ). Therefore, it can be claimed that every intermediate tag is fresh and uniformly sampled from The probabilities are bounded by considering the i th forward query or inverse primitive query or the k th state of the j th encryption query and bounding the probability that this evaluation triggers the event ∨ , under the assumptions that this query does not set ( ∨ ) and also that ( ∨ ∨ ∨ ) has not been triggered. For the analysis of ( ∨ ) a similar method can be used.
: this event can be triggered by the i th permutation query (for = 1, … , ) or in evaluating any state value of the j th construction query (for = 1, … , ). Let us represent the values of the state in the j th construction as in (1). Consider that any evaluation assumes that this query does not trigger ∨ and also assumes that ∨ ∨ ∨ has not been triggered before. First, note that = for some i,j would imply that event ( ) has been triggered and thus would annul our assumption. Therefore, = is excluded from further analysis on . Let ∈ {1, … , } for = 1, … , be the number of encryption queries before the i th primitive query. Likewise, ∈ {1, … , } for = 1, … , shall be the number of primitive queries made before the j th encryption query.

Consider a forward or an inverse primitive query
( , ) for ∈ {1, … , }, that has not been posed to ± . If it is a forward query , by ¬ , there are at most state values, [ ] = [ ] , and therefore = with probability at most /2 . Note that the capacity part is not known to the adversary, and therefore it can guess that part with VOLUME XX, 2017 1 probability at most 1/2 . For inverse queries, the reasoning is slightly more complex. Denote the inverse query as . If is taken from the set of all encryption queries made before the i th primitive query, the likelihood that a direct query triggers the event guess to the primitive evaluation is at most Next, consider the likelihood that the j th construction query triggers guess for ∈ {1, … , }. Consider the labeling in (1). PSASPIN branching begins at the initialization phase before the associated data part and continues until the calculation of the intermediate tag. For the associated data and the message parts, the state values are depicted as follows: The Ctr are distinguished by XORing the associated data and the message with a branching number equal to the parallel lane number. Note that any of these nodes equals of the primitive query with the probability for the associated data part /2 and for the message part /2 , where is the number of primitive queries made before the j th encryption query. In conclusion, This argument uses ∑ ∑ , + ∑ ∑ , which follows from the counting argument. The event hit is triggered when two states with different previous state values hit in the encryption queries. At initialization, it is clear that ≠ ′ because of the uniqueness of the nonce and the use of fresh Ks in every instance of PSASPIN. Here, any state value , for > 1 (out of a total of − ) hits, and initial state ′ only if [ , ] = ( ); this happens with probability /2 , assuming , is generated randomly. Finally, the other two states, , ′ , ′ for , ′ > 1, collide with the probability ( − 2 )/2 . Hence, it can be concluded that Pr (ℎ |¬( ∨ ) ≤ With the addition of the four bounds by means of (2): Pr( ∨ ℎ ) ≤ + 2 /2 2 + 2 + + 2 + 2 ( 2 2 ) . where are defined in (4). Theorem 2 indicates that PSASPIN protects integrity if it protects privacy (as in theorem 1), the number of adversarial forgery attempts is limited, and the total complexity + + does not exceed /2 . Proof. Consider an adversary A that has oracle access to ( ± , , ) and tries to forge an output different from ⊥ that was not produced by the encryption oracle. The PRP/PRF switch lemma can be applied as in Theorem 1 to find that: Adversary A is allowed to reuse nonces, and we assume that it makes only full-block queries.

Replacing
In this proof, the same setting, as privacy proof, regarding the guess and hit events, is adopted but have been extended to D-version related events, ℎ . The state values are the same as in (5)  This proof focuses on the probability that adversary A produces a forgery, assuming that an event has not happened. Proof. From Lemma 2, remember that = ∨ ℎ ∨ ∨ ℎ , and therefore: The same techniques used to prove Lemma 2 can be used here, considering all queries and measuring the probability that 'event' is triggered, assuming that event was not set before. Note that previous queries are not influenced by the assumption that ∨ ℎ has not been set before.

Event
: Note that adversary A is allowed to choose the rate part, and the ciphertext and the tag are known. Consequently, this event is triggered whenever there are primitive state and decryption state values that collide in the capacity part, and this can occur with probability at most Pr ( |¬( ∨ ) ≤ /2 . Event : Although adversary A is allowed to reuse the nonces in PSASPIN, a fresh counter value is XORed with each branch of the parallel thread, in addition to using a fresh session key and an SMN in every encryption or decryption. This measure gives PSASPIN an additional defensive barrier to protect confidentiality and authenticity. Note that a decryption state can collide with the initial state value with probability at most /2 . Consider the j th decryption query (N; A, C; T) that consists of 0 , … , −1 and 0 , … , −1 and write its state values as in (5). Let ( , ; , , , ; , ) be a previous associated data and ciphertext tuple that shares the longest common prefix with (N; AD, C; T), keeping in mind that this tuple may not be unique and might come from an encryption or decryption query. Assuming that this query consists of , AD blocks and , ciphertext blocks, the state values can be written as in (5). For the rest, sub-cases can be used: - ( ; , )

A. BACKGROUND
The main target of any encryption or authentication algorithm design is security. However, performance (in software or hardware) is also a significant concern in practice. Therefore, assuming that cryptographic algorithms are secure, performance is essential for developers or implementers to judge algorithms. [77,97] The need for measuring the performance of a cryptographic algorithm usually stems from the requirement to compare several algorithms or the need to know how well a specific algorithm performs for applicability to specific use cases. Therefore, it is an essential deciding factor in including such algorithms in real-world protocols. [97] Several benchmarking frameworks for AE schemes exist in the literature, such as SUPERCORP [98] and BRUTUS [99]. In addition, Ankele & Ankele [97] proposed their framework for evaluating the software performance of 2 nd round candidates of the CAESAR competition. In this work, we follow the benchmarking schemes followed by ASCON developers [77] and Krovetz & Rogaway [100].
To evaluate its performance and compare it with similar schemes, PSASPIN was implemented in C language following the steps of Dobraunig et al. [77], despite the PSASPIN providing more features such as parallelizability protection against SPA and DPA, adversary invisible nonces, and Nonce Misuse Resistance (NMR).

B. TEST ENVIRONMENT SETUP
We implemented our C language code for performance measurement using an HP SpetreX360Convertible laptop, with processor intel(R) Core(TM) i7-1065G7 CPU @

C. THE RESULT
PSASPIN uses the inverse-free ASCON permutation [77], which depends on the duplex mode of sponge construction, needing only the forward direction permutation in the encryption and its decryption. We implemented measurements on a continuous function with varying message sizes, as shown in table II and figure 8. We took the mean for message sizes of all test runs. For better comparability, we represent the performance results in cycle per byte (Cpb), which is a function of the throughput of the ciphers, instead of releasing the timings and latency as done by Ankele & Ankle in [97]. Figure 9 depicts the result and shows that PSASPIN performance ranges from 64 cycles per byte for small messages and 3.6 cycles per byte for longer messages. See Table 2 and figure 10 for a comparison of PSASPIN with other AE schemes.  Figure 8 shows that PSASPIN is suited for longer messages more than shorter messages, the penalty coming from calculations at the initial stages of the process. Table 2 and figure 9 compare the performance of PSASPIN to similar schemes in the literature. For instance, ASCON is a serial sponge-based AE scheme, while ISAP is a serial scheme that uses a sponge-based rekeying function for protection against SPA and DPA. At the same time, PI-cipher and NORX are sponge-based parallel AE schemes that do not protect against SPA/DPA. Finally, table II and figure 9 show that PSABBIN is not as good as the other schemes in processing shorter messages. However, it is comparable to them in longer messages while providing more features like parallelizability with side-channel protection, adversary invisible nonces, and NMR.  [47], followed by other researchers, including [50,83,84,102]. As with other underlying constructions of AE sponge-based backed by its modes of operations like Duplex and its variants monkeyDuplex, SpongeWrap, and DonkeySponge, [47,76], came up with new design philosophies in the area of AE doing away with complexities of key scheduling and pertaining key-related attacks in block ciphers. Protection against side-channel attacks (which benefit sidechannel information instead of exploiting the weaknesses of cryptographic algorithms) is always essential. Still, it gets even more critical when cryptographic devices are deployed where they are accessible to adversaries [35,65,103]. Moreover, protecting against SCA is not trivial when devices with resource constraints like IoT and low memory smart cards are used as cryptographic devices [60,104]. Sponge-based AE encryption schemes provide functional features that boost performance like parallelizability, incrementality [82,83], single-pass, and online [77].
Morawiecki et al. [84] proposed the first parallelizable AE scheme based on the duplex mode of the sponge construction, followed by [50,82,83]. However, the main problem with these works was that they were not protected against certain types of SCAs, especially against Simple Power Analysis (SPA) and DPA [35,65]. Another shortcoming of the schemes mentioned above is the potential mishandling of nonces that could compromise security if not dealt with properly with a nonce-oblivious syntax [61]. In this work, we aim to propose PSASPIN, a sponge-based AE that is protected against SPA and DPA and handles the nonces in a way invisible to the adversaries.
Regarding the protection against SCAs, the authors of ISAP [60], SALE [60], and SPOOK [86] proposed AE schemes based on sponge construction that are fortified against certain types of SCAs using different countermeasures. For instance, AE schemes in [60,85] employed spongebased structures to protect against SPA and DPA, followed by [86], which used a construction based on a tweakable block cipher for the same purpose. In addition, these works used leveled implantation, first proposed by [35,41]. However, one shortcoming of these schemes is that they are serial and thus lack the merit of parallelizability which is vital for performance. PSASPIN adds parallelizability to protection against SPA and DPA to bridge this gap.
Although there are several countermeasures to protect against SCA attacks, such as hiding [35] and masking [33,[36][37][38], fresh rekeying is a cheaper way to achieve the same goal. First proposed by Abdalla & Bellare [41], the master secret key is not used directly in the scheme in fresh rekeying. Still, it is used as input to a pseudorandom generator that produces subkeys (session keys) used to protect confidentiality and integrity. Rekeying increases key lifetime, meaning the number of times the same key can be used to process data before being replaced. Abdalla & Bellare [41,89] proposed a leveled implementation consisting of a rekeying part that does not have to be cryptographically strong but must be protected against both SPA and DPA, and the core scheme be cryptographically strong but needs to be protected against only SPA [105,106]. Medwed et al. [40,88] proposed a fresh re-keying scheme for challenge-response protocols using a leveled implementation; They used a PRF based on modular multiplication, based GF(2 8 ) for the key generation of the AES block cipher for the rekeyed data processing part. But their scheme is vulnerable to attacks indicated by Black et al. in [107]due to the weakness in key processing intermediate states of the block cipher as indicated by [108]. The authors used masking and shuffling to protect the rekeying part but applied them separately, so their scheme is protected against first-order DPA attacks. The proposed scheme is not vulnerable CPA attack mentioned in [108] because it used two different constructions. In addition, PSASPIN combines masking and shuffling to protect against higher-order DPA attacks.
The authors of ISAP [60] and SALE [85] used a leveled implementation (although in different ways), where the rekeying part and the core rekeyed part use sponge-based constructs. According to [62], although using the same primitive for rekeying and data processing can reduce the code size, the possibility of mounting Chosen plaintext attack may lead to compromise of the following keys. On the other side, the authors of Spook [86] used a leveled implementation where the key generation part is based on a tweakable block cipher. The data processing part is based on the sponge function (T-Sponge). Still, a tweakable block cipher is heavier than a lighter algebraic construct based on Galois field multiplication GF(2 8 ), which is also easier to protect against side-channel attacks. Finally, it is worth noting that these schemes are serial and do not allow parallelism, which is an essential feature for cryptographic schemes. PSASPIN uses a rekeying based on GF multiplication, and the main scheme uses the duplex mode of the sponge construction. Using two different primitives VOLUME XX, 2017 1 for the two levels gives a safety margin against the attacks mentioned in [62].
Regarding the nonce-obliviousness feature, Bellare et al. [61] discussed the possible weakness that could creep into AE schemes by using the wrong nonce format that could compromise privacy and proposed several options for modified syntax NAE schemes. They called those options Hide Nonce (NH) transforms. In the proposed syntax, nonces are integrated and sent as part of the ciphertext so that the schemes do not take nonces in their decryption process. The authors in [61] concretized their proposal for the Block cipher-based AE schemes, but it is an open problem for the sponge-based scenarios. Our scheme concretizes the noncehiding syntax for the Sponge-based AE schemes. This work is motivated by ISAP [60] but differs in five ways: First, our scheme (PSASPIN) is a parallel, single-pass scheme. Second, we use different primitives for key generation and data processing (rekeyed part) for protection against the vulnerability mentioned in [62]. Third, our scheme provides security proof using game-playing theory based on PRP/PFR switching lemma [27,50,63] for the sponge-based data processing part based on the work in [41]. Fourth, our scheme is nonce-oblivious; it obviates the burden of nonce communication from the application designers. Fifth, our new scheme is NMR, which tolerates nonce repetition and protects security when the nonce is reused. Finally, we used implantation of the rekeying part, which used a PRF based on polynomial multiplication based on GF(2 8 ) field as in [40,88]. Dobraunig et al. [108] stated that the schemes that use Galois field multiplication like [40,88] are vulnerable to related-key attacks that took advantage of the partial state values related to the key scheduling of block ciphers. Still, that attack is not relevant to sponge-based schemes that do not have key scheduling as in blocks ciphers.

VIII. CONCLUSION
This work proposes a sponge-based nonce-oblivious, NMR, parallel, online, single-pass AE schemes protected against Side-channel Attacks (PSASPIN). We used a leveled implementation approach where the key generation part is used a light algebraic structure based on the Galois field multiplication, and the data processing part is based on the duplex mode of the sponge construction. The scheme structure and the algorithm for implementation were developed. Finally, the security proof was provided using game-playing theory and the performance analysis was provided after implanting the proposed system in C programming language.