ASCON: Submission to the CAESAR Competition
Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer
DIAC 2014
Our Team
• Christoph Dobraunig
• Maria Eichlseder
• Florian Mendel
• Martin Schläffer
ASCON: Main Design Goals
• Security
• Efficiency
• Simplicity
• Scalability
• Online
• Single pass
• Lightweight
• Side-channel robustness
ASCON: General Overview
• Nonce-based AE scheme
• Sponge-inspired

                    ASCON-128    ASCON-96
Security            128 bits     96 bits
State size (b)      320 bits     320 bits
Capacity (c)        256 bits     192 bits
Rate (r)            64 bits      128 bits
ASCON: Working Principle
The encryption process is split into four phases:
• Initialization
• Associated Data Processing
• Plaintext Processing
• Finalization
ASCON: Initialization
• Initialization: updates the 320-bit state with the key K and the nonce N
[Figure: the initial state IV || K || N (rate part r on top, capacity part c below) is transformed by p^a; afterwards 0* || K is XORed into the capacity part.]
ASCON: Associated Data
• Associated Data Processing: updating the 320-bit state with the associated data blocks A_i
[Figure: each block A_1, ..., A_s is XORed into the rate part r and followed by p^b; after the last block, the constant 0* || 1 is XORed into the capacity part for domain separation.]
ASCON: Encryption
• Plaintext Processing: inject plaintext blocks P_i into the state and extract ciphertext blocks C_i
[Figure: for i = 1, ..., t, P_i is XORed into the rate part r and the result is output as C_i; p^b is applied between consecutive blocks (after C_1, ..., C_{t-1}) but not after the last block C_t.]
ASCON: Finalization
• Finalization: inject the key K and extract a tag T for authentication
[Figure: K || 0* is XORed into the state below the rate part, p^a is applied, the key K is XORed once more, and the tag T is extracted from the end of the state.]
ASCON: Permutation
• SP-network:
  – S-layer: 5-bit S-boxes applied in parallel to the 64 bit-slices (columns) of the state
  – P-layer: a linear function Σ_i applied to each of the five 64-bit words x_i
[Figure: the 320-bit state as five 64-bit words x_0, ..., x_4; the S-layer acts column-wise across the words, the P-layer row-wise within each word.]
ASCON: Permutation, S-Layer
• Algebraic degree 2: eases a threshold implementation (TI) with 3 shares
• Branch number 3: good diffusion
• Bit-sliced implementation
[Figure: the 5-bit S-box applied to each column (x_0, x_1, x_2, x_3, x_4) of the state.]
ASCON: Permutation, P-Layer
• Branch number 4
• Σ_i acts on the 64-bit word x_i; x ⋙ n denotes a rotation of the word to the right by n bits:

$$\begin{aligned}
\Sigma_0(x_0) &= x_0 \oplus (x_0 \ggg 19) \oplus (x_0 \ggg 28) \\
\Sigma_1(x_1) &= x_1 \oplus (x_1 \ggg 61) \oplus (x_1 \ggg 39) \\
\Sigma_2(x_2) &= x_2 \oplus (x_2 \ggg 1) \oplus (x_2 \ggg 6) \\
\Sigma_3(x_3) &= x_3 \oplus (x_3 \ggg 10) \oplus (x_3 \ggg 17) \\
\Sigma_4(x_4) &= x_4 \oplus (x_4 \ggg 7) \oplus (x_4 \ggg 41)
\end{aligned}$$
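The four-phase mode (initialization, associated data, plaintext processing, finalization) and the SP-network permutation (S-layer, then the P-layer Σ_i above) put together as a working ASCON-128 implementation in pure Python. This is an added example, not the authors' reference code. The bit-sliced S-box instruction sequence, the round constants, the IV word and the round counts a = 12 (p^a) and b = 6 (p^b) are not on these slides; they are taken from the later Ascon v1.2 specification and are assumptions here, so constants may differ from the 2014 submission. The key, nonce and messages in the demo are constructed values.

```python
"""Ascon-128 AEAD assembled from the four-phase mode and the SP-network
permutation on the slides (added example, not the authors' reference code).
Assumed from the Ascon v1.2 specification, not from the slides: the
bit-sliced S-box instruction sequence, the round constants, the IV word
and the round counts a = 12 (p^a) and b = 6 (p^b)."""
import hmac

MASK64 = (1 << 64) - 1
IV = 0x80400C0600000000            # assumption: v1.2 encoding of k=128, r=64, a=12, b=6
ROTATIONS = ((19, 28), (61, 39), (1, 6), (10, 17), (7, 41))   # Sigma_0 .. Sigma_4 (slide)

def rotr(x, n):
    """Rotate a 64-bit word right by n bits (the >>> of the P-layer)."""
    return ((x >> n) | (x << (64 - n))) & MASK64

def sbox_layer(s):
    """S-layer: the 5-bit S-box on all 64 bit-slices at once (degree 2, chi-based)."""
    x0, x1, x2, x3, x4 = s
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0, t1, t2, t3, t4 = ~x0 & x1, ~x1 & x2, ~x2 & x3, ~x3 & x4, ~x4 & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK64
    return [x0, x1, x2, x3, x4]

def linear_layer(s):
    """P-layer: Sigma_i(x_i) = x_i ^ (x_i >>> r1) ^ (x_i >>> r2) on each word."""
    return [x ^ rotr(x, a) ^ rotr(x, b) for x, (a, b) in zip(s, ROTATIONS)]

def permutation(s, rounds):
    """p^rounds = the last `rounds` of the 12 rounds; the round constant goes into x2."""
    for r in range(12 - rounds, 12):
        s[2] ^= 0xF0 - 0x10 * r + r   # 0xf0, 0xe1, ..., 0x4b (assumption: v1.2 constants)
        s = linear_layer(sbox_layer(s))
    return s

def sbox_table():
    """The S-box as a 32-entry lookup table derived from sbox_layer (x0 = MSB)."""
    table = []
    for v in range(32):
        out = sbox_layer([(v >> (4 - i)) & 1 for i in range(5)])
        table.append(sum((bit & 1) << (4 - i) for i, bit in enumerate(out)))
    return table

def _pad(data):
    """10* padding up to a multiple of the 64-bit rate."""
    return data + b"\x80" + b"\x00" * (7 - len(data) % 8)

def _words(data):
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]

def _initialize(key, nonce, ad):
    """Initialization (IV || K || N, p^a, XOR 0* || K) followed by the associated-data phase."""
    k0, k1 = _words(key)
    n0, n1 = _words(nonce)
    s = permutation([IV, k0, k1, n0, n1], 12)
    s[3] ^= k0; s[4] ^= k1
    if ad:                                  # absorb A_1 .. A_s into the rate with p^b
        for w in _words(_pad(ad)):
            s[0] ^= w
            s = permutation(s, 6)
    s[4] ^= 1                               # domain separation: XOR 0* || 1
    return s

def _finalize(s, key):
    """Finalization: XOR K || 0* below the rate, p^a, tag = last 128 bits XOR K."""
    k0, k1 = _words(key)
    s[1] ^= k0; s[2] ^= k1
    s = permutation(s, 12)
    return ((s[3] ^ k0) << 64 | (s[4] ^ k1)).to_bytes(16, "big")

def encrypt(key, nonce, ad, pt):
    """Return (ciphertext, 16-byte tag); the ciphertext is as long as pt."""
    s = _initialize(key, nonce, ad)
    words, ct = _words(_pad(pt)), b""
    for w in words[:-1]:                    # P_i in, C_i out, p^b between blocks
        s[0] ^= w
        ct += s[0].to_bytes(8, "big")
        s = permutation(s, 6)
    s[0] ^= words[-1]                       # padded last block, no p^b after C_t
    ct += s[0].to_bytes(8, "big")[: len(pt) % 8]
    return ct, _finalize(s, key)

def decrypt(key, nonce, ad, ct, tag):
    """Return the plaintext, or None when the tag fails (nothing is released then)."""
    s = _initialize(key, nonce, ad)
    cut, pt = len(ct) - len(ct) % 8, b""
    for w in _words(ct[:cut]):
        pt += (s[0] ^ w).to_bytes(8, "big")
        s[0] = w                            # the ciphertext block becomes the new rate
        s = permutation(s, 6)
    last = bytes(a ^ b for a, b in zip(s[0].to_bytes(8, "big"), ct[cut:]))
    s[0] ^= int.from_bytes(_pad(last), "big")   # re-inject the padded final block
    pt += last
    return pt if hmac.compare_digest(_finalize(s, key), tag) else None

if __name__ == "__main__":
    key, nonce = bytes(range(16)), bytes(range(16, 32))   # constructed demo values
    ct, tag = encrypt(key, nonce, b"header", b"attack at dawn")
    print(ct.hex(), tag.hex(), decrypt(key, nonce, b"header", ct, tag))
```

Decryption deliberately withholds the plaintext until the tag has been checked with a constant-time comparison; since the plaintext blocks are only known after the state has absorbed the ciphertext, the function computes them internally and returns None on a tag mismatch instead of releasing unverified data.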
ASCON: Security Analysis
• Differential cryptanalysis: 5 rounds give more than 64 active S-boxes
• Impossible differentials: up to 5 rounds
• Linear cryptanalysis: 5 rounds give more than 64 active S-boxes
ASCON: Security Analysis
• Differential cryptanalysis: minimum number of active S-boxes and resulting bound on the characteristic probability

Rounds   Active S-boxes   Probability
1        1                2^-2
2        4                2^-8
3        15               2^-30
4        44               2^-88
5        74               2^-148
ASCON: Security Analysis
• Linear cryptanalysis: minimum number of active S-boxes and resulting bound on the correlation

Rounds   Active S-boxes   Correlation
1        1                2^-2
2        4                2^-8
3        13               2^-26
4        43               2^-86
5        70               2^-140
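The S-layer slide claims algebraic degree 2 and branch number 3, the P-layer slide claims branch number 4, and the two tables above charge 2^-2 per active S-box. The following added Python script recomputes those figures rather than taking them on trust: it builds the DDT, the linear approximation biases, the ANF degree and the differential branch number from the 5-bit S-box lookup table, and checks the branch number of each Σ_i by exhaustive enumeration of the low-weight inputs (higher weights cannot go below 4). The lookup table is copied from the Ascon specification with x0 as the most significant bit; it is not printed on these slides and is an assumption of this check. The code is an added example, not the designers' own analysis tooling.

```python
"""Recomputing the S-box and P-layer figures from the slides (added example).
SBOX is the 5-bit Ascon S-box copied from the Ascon specification (x0 is the
most significant bit); it does not appear on the slides and is assumed here."""
import math
from itertools import combinations, product

SBOX = [0x4, 0xb, 0x1f, 0x14, 0x1a, 0x15, 0x9, 0x2, 0x1b, 0x5, 0x8, 0x12, 0x1d, 0x3, 0x6, 0x1c,
        0x1e, 0x13, 0x7, 0xe, 0x0, 0xd, 0x11, 0x18, 0x10, 0xc, 0x1, 0x19, 0x16, 0xa, 0xf, 0x17]
ROTATIONS = ((19, 28), (61, 39), (1, 6), (10, 17), (7, 41))   # Sigma_0 .. Sigma_4 (slide)
MASK64 = (1 << 64) - 1

def wt(v):
    """Hamming weight."""
    return bin(v).count("1")

def ddt(sbox=SBOX):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    table = [[0] * 32 for _ in range(32)]
    for a, x in product(range(32), repeat=2):
        table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

def max_differential_probability(sbox=SBOX):
    """Largest DDT entry over nonzero input differences, divided by 32."""
    t = ddt(sbox)
    return max(t[a][b] for a in range(1, 32) for b in range(32)) / 32

def max_linear_bias(sbox=SBOX):
    """Largest |Pr[a.x = b.S(x)] - 1/2| over nonzero output masks b."""
    best = 0
    for a, b in product(range(32), range(1, 32)):
        agree = sum((wt(a & x) % 2) == (wt(b & sbox[x]) % 2) for x in range(32))
        best = max(best, abs(agree - 16))
    return best / 32

def algebraic_degree(sbox=SBOX):
    """Max ANF degree over all nonzero component functions b.S(x) (Moebius transform)."""
    degree = 0
    for b in range(1, 32):
        anf = [wt(b & sbox[x]) % 2 for x in range(32)]   # truth table of the component
        step = 1
        while step < 32:                                  # butterfly: truth table -> ANF
            for i in range(32):
                if i & step:
                    anf[i] ^= anf[i ^ step]
            step <<= 1
        degree = max(degree, max(wt(i) for i in range(32) if anf[i]))
    return degree

def differential_branch_number(sbox=SBOX):
    """min wt(a) + wt(S(x) ^ S(x ^ a)) over all x and nonzero a."""
    return min(wt(a) + wt(sbox[x] ^ sbox[x ^ a]) for a in range(1, 32) for x in range(32))

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def sigma(i, x):
    """P-layer function Sigma_i on one 64-bit word, as given on the slide."""
    a, b = ROTATIONS[i]
    return x ^ rotr(x, a) ^ rotr(x, b)

def linear_branch_number():
    """min wt(x) + wt(Sigma_i(x)) over nonzero x and all i.  Inputs of weight 4 or
    more already reach 4, so only weights 1..3 need enumerating (C(64,1..3) each)."""
    best = 4
    for i in range(5):
        for w in (1, 2, 3):
            for bits in combinations(range(64), w):
                x = sum(1 << bit for bit in bits)
                best = min(best, w + wt(sigma(i, x)))
    return best

def characteristic_bound_log2(active_sboxes, sbox=SBOX):
    """log2 of the bound the differential table uses: active S-boxes times max DP."""
    return active_sboxes * math.log2(max_differential_probability(sbox))

if __name__ == "__main__":
    print("max DP", max_differential_probability(), "max bias", max_linear_bias())
    print("degree", algebraic_degree(), "S-box branch", differential_branch_number())
    print("Sigma branch", linear_branch_number())
    print({r: characteristic_bound_log2(n) for r, n in zip(range(1, 6), (1, 4, 15, 44, 74))})
```

Feeding the slide's active S-box counts (1, 4, 15, 44, 74) into characteristic_bound_log2 reproduces the probability column of the differential table. Note that the linear figure computed here is the bias (2^-2); the absolute correlation of the best single-S-box approximation is twice that.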
ASCON: Implementation / Performance
• Software: Intel Core 2 Duo, ARM Cortex-A8
• Hardware: high-speed and low-area variants
ASCON: Software Implementation
• Intel Core 2 Duo

Message length (bytes)      64     512    1024   4096
ASCON-128 (cycles/byte)     22.0   15.9   15.6   15.2
ASCON-96 (cycles/byte)      17.7   11.0   10.5   10.3
ASCON: Hardware Implementation
• ASCON-128

                        Variant 1   Variant 2
Area (kGE)              8.9         4
Throughput (MByte/s)    400         1

Threshold implementation coming soon!
H. Gross, E. Wenger
ASCON: Choice of Parameters
• Now: (c, r) = (256, 64), a conservative choice
• Proposed: (c, r) = (192, 128) [BDPV11]: significant speedup (factor 2); limit on the data complexity of 2^64
• Proposed: (c, r) = (128, 192) [JLM14]: significant speedup (factor 3); more analysis needed
ASCON: General Information
http://ascon.iaik.tugraz.at
[Screenshot of the project website, Resources page: specification v1.0, submission document v1.0, GitHub repositories with implementations (C reference and optimized, Python, Java, hardware); links to the CAESAR competition call and round 1 submissions, the Authenticated Encryption Zoo, and IAIK, Graz University of Technology.]
Thank you!
http://ascon.iaik.tugraz.at