ASCON - Graz University of TechnologyASCON Submission to the CAESAR Compe44on Christoph Dobraunig,...
21
ASCON Submission to the CAESAR Compe44on Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Mar4n Schläffer DIAC 2014
Transcript of ASCON - Graz University of TechnologyASCON Submission to the CAESAR Compe44on Christoph Dobraunig,...
ASCONSubmissiontotheCAESARCompe44on
ChristophDobraunig,MariaEichlseder,FlorianMendel,Mar4nSchläffer
DIAC2014
OurTeam
• ChristophDobraunig
• MariaEichlseder
• FlorianMendel
• Mar4nSchläffer
ASCONMainDesignGoals
• Security• Efficiency• Simplicity• Scalability
• Online• Singlepass• Lightweight• Side-ChannelRobustness
ASCONGeneralOverview
• Nonce-basedAEscheme• Spongeinspired
ASCON-128 ASCON-96Security 128bits 096bitsStatesize(b) 320bits 320bitsCapacity(c) 256bits 192bitsRate(r) 064bits 128bits
ASCONWorkingPrinciple
Theencryp4onprocessissplitintofourphases:• Ini4aliza4on• AssociatedDataProcessing• PlaintextProcessing• Finaliza4on
ASCONIni4aliza4on
• Ini>aliza>on:updatesthe320-bitstatewiththekeyKandnonceN
IV
KkN
r
c
pa
0⇤kK
c
r
• AssociatedDataProcessing:upda4ngthe320-bitstatewithassociateddatablocksAi
ASCONAssociatedData
c
r
A1
pb
As
cpb
0⇤k1
c
r
ASCONEncryp4on
• PlaintextProcessing:injectplaintextblocksPiinthestateandextractciphertextblocksCi
c
r
P1 C1
pbc
Pt�1 Ct�1
pb
Pt Ct
r
c
ASCONFinaliza4on
• Finaliza>on:injectthekeyKandextractsatagTforauthen4ca4on
r
Kk0⇤
c
pa
K
kT
• SP-Network:
– S-Layer:
– P-Layer:
ASCONPermuta4on
x4
x3
x2
x1
x0
x4
x3
x2
x1
x0x1
ASCONPermuta4on:S-Layer
• AlgebraicDegree2– EaseTI(3shares)
• BranchNumber 3– GoodDiffusion
• Bit-slicedImpl.
x0 x1 x2 x3 x4
5 5 5 5 5
5x0 x1 x2 x3 x4
ASCONPermuta4on:P-Layer
• BranchNumber4Σ0(x0)=x0⊕(x0⋙19)⊕(x0⋙28)Σ1(x1)=x1⊕(x1⋙61)⊕(x1⋙39)Σ2(x2)=x2⊕(x2⋙1)⊕(x2⋙6)Σ3(x3)=x3⊕(x3⋙10)⊕(x3⋙17)Σ4(x4)=x4⊕(x4⋙7)⊕(x4⋙41)
⌃0(x0) = x0 � (x0 o 19)� (x0 o 28)
⌃1(x1) = x1 � (x1 o 61)� (x1 o 39)
⌃2(x2) = x2 � (x2 o 1)� (x2 o 6)
⌃3(x3) = x3 � (x3 o 10)� (x3 o 17)
⌃4(x4) = x4 � (x4 o 7)� (x4 o 41)
ASCONSecurityAnalysis
• Differen4alCryptanalysis– 5rounds:>64ac4veSboxes
• ImpossibleDifferen4al– upto5rounds
• LinearCryptanalysis– 5rounds:>64ac4veSboxes
ASCONSecurityAnalysis
• Differen4alCryptanalysis
Rounds Ac>veSboxes Probability1 1 2-2
2 4 2-8
3 15 2-30
4 44 2-88
5 74 2-148
ASCONSecurityAnalysis
• LinearCryptanalysis
Rounds Ac>veSboxes Correla>on1 1 2-2
2 4 2-8
3 13 2-26
4 43 2-86
5 70 2-140
ASCONImplementa4on/Performance
• Soeware– IntelCore2Duo– ARMCortex-A8
• Hardware– High-speed– Low-area
ASCONSoewareImplementa4on
• IntelCore2Duo
64 512 1024 4096
ASCON-128(cycles/byte) 22.0 15.9 15.6 15.2
ASCON-96(cycles/byte) 17.7 11.0 10.5 10.3
ASCONHardwareImplementa4on
• ASCON-128
Variant1 Variant2
Area(kGE) 8.9 4
Throughput(MByte/s) 400 1
Thresholdimplementa4oncomingsoon!
H.Gross,E.Wenger
ASCONChoiceofParameters
• Now:(c,r)=(256,64)– Conserva4vechoice
• Proposed:(c,r)=(192,128)[BDPV11]– Significantspeedup(factor2)– Limitondatacomplexity264
• Proposed:(c,r)=(128,192)[JLM14]
– Significantspeedup(factor3)– Moreanalysisneeded
ASCONGeneralInforma4on
hmp://ascon.iaik.tugraz.at
Home Specification Implementation Analysis Resources Contact
ASCON Resources
Specification [v1.0]Submission document [v1.0]GitHub repositories with implementations [git collection]
C (reference / optimized) [git] [zip]Python [git] [py]Java [git] [zip] Hardware [git] [zip]
Other Links
The CAESAR competition [call] [round 1 submissions]Authenticated Encryption Zoo [overview] [ASCON]IAIK, Graz University of Technology
ASCONInteresting Links
Thankyou!
hmp://ascon.iaik.tugraz.at
