Authenticated encryption primitives for size-constrained trusted computing

Abstract

Trusted execution environments (TEEs) are widely deployed both on mobile devices as well as in personal computers. TEEs typically have a small amount of physically secure memory but they are not enough to realize certain algorithms, such as authenticated encryption modes, in the standard manner. TEEs can however access the much larger but untrusted system memory using which "pipelined" variants of these algorithms can be realized by gradually reading input from, and/or writing output to the untrusted memory. In this paper, we motivate the need for pipelined variants of authenticated encryption modes in TEEs, describe a pipelined version of the EAX mode, and prove that it is as secure as standard, "baseline", EAX. We point out potential pitfalls in mapping the abstract description of a pipelined variant to concrete implementation and discuss how these can be avoided. We also discuss other algorithms which can be adapted to the pipelined setting and proved correct in a similar fashion. © 2012 Springer-Verlag.