Hardware Benchmarking of Round 2 Candidates in the NIST Lightweight Cryptography Standardization Process

This paper introduces Pyjamask, a new block cipher family and authenticated encryption proposal submitted to the NIST lightweight cryptography standardization process. Pyjamask targets side-channel resistance as one of its main goal. More precisely, it strongly minimizes the number of nonlinear gates used in its internal primitive in order to allow efficient masked implementations, especially for high-order masking in software. Compared to other block ciphers, our proposal has thus among the smallest number of binary AND computations per input bit at the time of writing. Even though Pyjamask minimizes such an important criterion, it remains rather lightweight and efficient, thanks to a general bitslice construction that enables to computation of all nonlinear gates in parallel. For authenticated encryption, we adopt the provably secure AEAD mode OCB which has been extensively studied and has the benefit to offer full parallelization. Of course, other block cipher-based modes can be considered as well if other performance profiles are to be targeted.The paper first gives the specification of the Pyjamask block cipher and the associated AEAD proposal. We also provide a detailed design rationale for the block cipher which is guided by our aim of software efficiency in the presence of high-order masking. The security of the design is analyzed against most commonly known cryptanalysis techniques. We finally describe efficient (masked) implementations in software and provide implementation results with aggressive performances for masking of very high orders (up to 128). We also provide a rough estimation of the hardware performances which remain much better than those of an AES round-based implementation.

Download Full-text

Exploiting Weak Diffusion of Gimli: Improved Distinguishers and Preimage Attacks

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i1.185-216 ◽

2021 ◽

pp. 185-216

Author(s):

Fukang Liu ◽

Takanori Isobe ◽

Willi Meier

Keyword(s):

Time Complexity ◽

Divide And Conquer ◽

Lightweight Cryptography ◽

Significant Bias ◽

Linear Layer ◽

Cross Platform ◽

Standardization Process ◽

Constant Addition ◽

Weak Diffusion ◽

Main Strategy

The Gimli permutation proposed in CHES 2017 was designed for cross-platform performance. One main strategy to achieve such a goal is to utilize a sparse linear layer (Small-Swap and Big-Swap), which occurs every two rounds. In addition, the round constant addition occurs every four rounds and only one 32-bit word is affected by it. The above two facts have been recently exploited to construct a distinguisher for the full Gimli permutation with time complexity 264. By utilizing a new property of the SP-box, we demonstrate that the time complexity of the full-round distinguisher can be further reduced to 252 while a significant bias still remains. Moreover, for the 18-round Gimli permutation, we could construct a distinguisher even with only 2 queries. Apart from the permutation itself, the weak diffusion can also be utilized to accelerate the preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 with a divide-and-conquer method. As a consequence, the preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 can reach up to 5 rounds and 9 rounds, respectively. Since Gimli is included in the second round candidates in NIST’s Lightweight Cryptography Standardization process, we expect that our analysis can further advance the understanding of Gimli. To the best of our knowledge, the distinguishing attacks and preimage attacks are the best so far.

Download Full-text

Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process

10.6028/nist.ir.8369 ◽

2021 ◽

Author(s):

Meltem Sonmez Turan ◽

Kerry McKay ◽

Donghoon Chang ◽

Cagdas Calik ◽

Lawrence Bassham ◽

...

Keyword(s):

Status Report ◽

Lightweight Cryptography ◽

Standardization Process

Download Full-text

Cube-Based Cryptanalysis of Subterranean-SAE

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2019.i4.192-222 ◽

2020 ◽

pp. 192-222

Author(s):

Fukang Liu ◽

Takanori Isobe ◽

Willi Meier

Keyword(s):

Authenticated Encryption ◽

Lightweight Cryptography ◽

Key Recovery ◽

Official Document ◽

Distinguishing Attack ◽

Input And Output ◽

State Recovery ◽

Full State ◽

Standardization Process ◽

Key Recovery Attack

Subterranean 2.0 designed by Daemen, Massolino and Rotella is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the official document of Subterranean 2.0, the designers have analyzed the state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE is made. For Subterranean-SAE, the designers introduce 8 blank rounds to separate the controllable input and output, and expect that 8 blank rounds can achieve a sufficient diffusion. Therefore, it is meaningful to investigate the security by reducing the number of blank rounds. Moreover, the designers make no security claim but expect a non-trivial effort to achieve full-state recovery in a nonce-misuse scenario. In this paper, we present the first practical full-state recovery attack in a nonce-misuse scenario with data complexity of 213 32-bit blocks. In addition, in a nonce-respecting scenario and if the number of blank rounds is reduced to 4, we can mount a key-recovery attack with 2122 calls to the internal permutation of Subterranean-SAE and 269.5 32-bit blocks. A distinguishing attack with 233 calls to the internal permutation of Subterranean-SAE and 233 32-bit blocks is achieved as well. Our cryptanalysis does not threaten the security claim for Subterranean-SAE and we hope it can enhance the understanding of Subterranean-SAE.

Download Full-text

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i3.152-174 ◽

2020 ◽

pp. 152-174

Author(s):

Dhiman Saha ◽

Yu Sasaki ◽

Danping Shi ◽

Ferdinand Sibleyras ◽

Siwei Sun ◽

...

Keyword(s):

Security Analysis ◽

Third Party ◽

Nand Gate ◽

Linear Component ◽

Lightweight Cryptography ◽

Forgery Attack ◽

First Order ◽

Minimum Number ◽

Standardization Process ◽

State Size

This paper presents the first third-party security analysis of TinyJAMBU, which is one of 32 second-round candidates in NIST’s lightweight cryptography standardization process. TinyJAMBU adopts an NLFSR based keyed-permutation that computes only a single NAND gate as a non-linear component per round. The designers evaluated the minimum number of active AND gates, however such a counting method neglects the dependency between multiple AND gates. There also exist previous works considering such dependencies with stricter models, however those are known to be too slow. In this paper, we present a new model that provides a good balance of efficiency and accuracy by only taking into account the first-order correlation of AND gates that frequently occurs in TinyJAMBU. With the refined model, we show a 338-round differential with probability 2−62.68 that leads to a forgery attack breaking 64-bit security. This implies that the security margin of TinyJAMBU with respect to the number of unattacked rounds is approximately 12%. We also show a differential on full 384 rounds with probability 2−70.64, thus the security margin of full rounds with respect to the data complexity, namely the gap between the claimed security bits and the attack complexity, is less than 8 bits. Our attacks also point out structural weaknesses of the mode that essentially come from the minimal state size to be lightweight.

Download Full-text

SKINNY-AEAD and SKINNY-Hash

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.is1.88-131 ◽

2020 ◽

pp. 88-131 ◽

Cited By ~ 1

Author(s):

Christof Beierle ◽

Jérémy Jean ◽

Stefan Kölbl ◽

Gregor Leander ◽

Amir Moradi ◽

...

Keyword(s):

Internal State ◽

Block Ciphers ◽

Third Party ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

The Family ◽

Encryption Schemes ◽

Standardization Process

We present the family of authenticated encryption schemes SKINNY-AEAD and the family of hashing schemes SKINNY-Hash. All of the schemes employ a member of the SKINNY family of tweakable block ciphers, which was presented at CRYPTO 2016, as the underlying primitive. In particular, for authenticated encryption, we show how to instantiate members of SKINNY in the Deoxys-I-like ΘCB3 framework to fulfill the submission requirements of the NIST lightweight cryptography standardization process. For hashing, we use SKINNY to build a function with larger internal state and employ it in a sponge construction. To highlight the extensive amount of third-party analysis that SKINNY obtained since its publication, we briefly survey the existing cryptanalysis results for SKINNY-128-256 and SKINNY-128-384 as of February 2020. In the last part of the paper, we provide a variety of ASIC implementations of our schemes and propose new simple SKINNY-AEAD and SKINNY-Hash variants with a reduced number of rounds while maintaining a very comfortable security margin. https://csrc.nist.gov/Projects/Lightweight-Cryptography

Download Full-text

An Account of the ISO/IEC Standardization of the Simon and Speck Block Cipher Families

Security of Ubiquitous Computing Systems ◽

10.1007/978-3-030-10591-4_4 ◽

2021 ◽

pp. 63-78

Author(s):

Tomer Ashur ◽

Atul Luykx

Keyword(s):

Information Technology ◽

National Security ◽

Block Cipher ◽

Block Ciphers ◽

National Security Agency ◽

Lightweight Cryptography ◽

Information Technology Security ◽

The Us ◽

Standardization Process

AbstractSimon and Speck are two block cipher families published in 2013 by the US National Security Agency (NSA). These block ciphers, targeting lightweight applications, were suggested in 2015 to be included in ISO/IEC 29192-2 Information technology—Security techniques—Lightweight cryptography—Part 2: Block ciphers. Following 3.5 years of deliberations within ISO/IEC JTC 1 they were rejected in April 2018. This chapter provides an account of the ISO/IEC standardization process for Simon and Speck.

Download Full-text

On the Security of Sponge-type Authenticated Encryption Modes

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i2.93-119 ◽

2020 ◽

pp. 93-119

Author(s):

Bishwajit Chakraborty ◽

Ashwin Jha ◽

Mridul Nandi

Keyword(s):

Previous Analysis ◽

Authenticated Encryption ◽

Expected Number ◽

Lightweight Cryptography ◽

Mode Of Operation ◽

Encryption Schemes ◽

Type Mode ◽

Standardization Process ◽

Tight Security ◽

Security Bound

The sponge duplex is a popular mode of operation for constructing authenticated encryption schemes. In fact, one can assess the popularity of this mode from the fact that around 25 out of the 56 round 1 submissions to the ongoing NIST lightweight cryptography (LwC) standardization process are based on this mode. Among these, 14 sponge-type constructions are selected for the second round consisting of 32 submissions. In this paper, we generalize the duplexing interface of the duplex mode, which we call Transform-then-Permute. It encompasses Beetle as well as a new sponge-type mode SpoC (both are round 2 submissions to NIST LwC). We show a tight security bound for Transform-then-Permute based on b-bit permutation, which reduces to finding an exact estimation of the expected number of multi-chains (defined in this paper). As a corollary of our general result, authenticated encryption advantage of Beetle and SpoC is about T(D+r2r)/2b where T, D and r denotes the number of offline queries (related to time complexity of the attack), number of construction queries (related to data complexity) and rate of the construction (related to efficiency). Previously the same bound has been proved for Beetle under the limitation that T << min{2r, 2b/2} (that compels to choose larger permutation with higher rate). In the context of NIST LwC requirement, SpoC based on 192-bit permutation achieves the desired security with 64-bit rate, which is not achieved by either duplex or Beetle (as per the previous analysis).

Download Full-text

Information technology. Security techniques. Lightweight cryptography

10.3403/30228422u ◽

2015 ◽

Keyword(s):

Information Technology ◽

Lightweight Cryptography ◽

Information Technology Security

Download Full-text