ASCON Submission to the CAESAR Competition. Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. DIAC 2016
Our Team • Christoph Dobraunig • Maria Eichlseder • Florian Mendel • Martin Schläffer
ASCON Main Design Goals • Security • Online • Efficiency • Single pass • Lightweight • Scalability • Simplicity • Side-Channel Robustness
ASCON General Overview • Nonce-based AE scheme • Sponge inspired

                  ASCON-128   ASCON-128a
  Security        128 bits    128 bits
  Rate (r)         64 bits    128 bits
  Capacity (c)    256 bits    192 bits
  State size (b)  320 bits    320 bits
ASCON Working Principle The encryption process is split into four phases: • Initialization • Associated Data Processing • Plaintext Processing • Finalization
ASCON Initialization • Initialization: updates the 320-bit state with the key K and nonce N (figure: state IV ‖ K ‖ N, split into rate r and capacity c; apply p^a; XOR 0* ‖ K)
ASCON Associated Data • Associated Data Processing: updates the 320-bit state with associated data blocks A_i (figure: each block A_1 … A_s is XORed into the rate, followed by p^b; finally XOR 0* ‖ 1)
ASCON Encryption • Plaintext Processing: inject plaintext blocks P_i into the state and extract ciphertext blocks C_i (figure: P_1 … P_t XORed into the rate, C_1 … C_t read out, p^b between blocks)
ASCON Finalization • Finalization: inject the key K and extract a tag T for authentication (figure: XOR K below the rate, apply p^a, XOR 0* ‖ K and read the tag T)
ASCON Permutation • SP-Network on the state words x_0 … x_4: – S-Layer: 5-bit S-box applied bit-sliced across x_0 … x_4 – P-Layer: linear diffusion within each word x_0 … x_4
ASCON Permutation: S-Layer • Algebraic Degree 2 – Eases TI (3 shares) • Branch Number 3 – Good Diffusion • Bit-sliced Implementation
ASCON Permutation: P-Layer • Branch Number 4
  $\Sigma_0(x_0) = x_0 \oplus (x_0 \ggg 19) \oplus (x_0 \ggg 28)$
  $\Sigma_1(x_1) = x_1 \oplus (x_1 \ggg 61) \oplus (x_1 \ggg 39)$
  $\Sigma_2(x_2) = x_2 \oplus (x_2 \ggg 1) \oplus (x_2 \ggg 6)$
  $\Sigma_3(x_3) = x_3 \oplus (x_3 \ggg 10) \oplus (x_3 \ggg 17)$
  $\Sigma_4(x_4) = x_4 \oplus (x_4 \ggg 7) \oplus (x_4 \ggg 41)$
ASCON Tweak: Addition of Constants • Modification of the round constant schedule • Similar to FIPS 202 • Increases compatibility with other sponge modes • No impact on existing security analysis
ASCON Security Analysis • Differential and Linear Cryptanalysis (minimum number of active S-boxes)

  Rounds   Differential   Linear
  1         1              1
  2         4              4
  3        15             13
  4        44             43
  ≥ 5     > 64           > 64

ASIACRYPT 2015
ASCON Security Analysis • Analysis of round-reduced versions

  Method               Rounds   Complexity
  cube-like            5/12     2^35
                       6/12     2^66
  differential-linear  4/12     2^18
                       5/12     2^36

CT-RSA 2015
ASCON Implementation/Performance • Software – Intel Core2 Duo – ARM Cortex-A8 • Hardware – High-speed – Low-area
ASCON Software Implementation • Intel Core2 Duo (cycles/byte, by message length in bytes)

  Message length   64     512    1024   4096
  ASCON-128        22.0   15.9   15.6   15.2
  ASCON-128a       17.7   11.0   10.5   10.3

Dobraunig, Schläffer
ASCON Software Implementation • Intel Haswell (four messages per core; cycles/byte, by message length in bytes)

  Message length   64     512    1024   4096
  ASCON-128        10.5    7.3    7.1    6.9
  ASCON-128a        8.5    5.3    5.0    4.8

Dobraunig, Senher
ASCON Hardware Implementation • Unprotected Implementations

                     Variant 1   Variant 2   Variant 3
  Area (kGE)         7.1         24.9        2.6
  Throughput (Mbps)  5 524       13 218      14

DSD 2015
ASCON Hardware Implementation • Threshold Implementations

                     Variant 1   Variant 2   Variant 3
  Area (kGE)         28.6        123.5       7.9
  Throughput (Mbps)  3 774       9 018       14

DSD 2015
ASCON Applications (Use Cases) • Lightweight Applications (Internet of Things) • High-Performance Applications • Defense in Depth
ASCON Lightweight Applications • Small hardware area • Efficiency in hardware • Natural side-channel protection • Limited damage in misuse settings • Low overhead for short messages
ASCON High-Performance Applications • Efficiency on modern CPUs • Efficiency on dedicated hardware • Natural side-channel protection
Thank you! http://ascon.iaik.tugraz.at
References
• Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Cryptanalysis of Ascon. CT-RSA 2015
• Christoph Dobraunig, Maria Eichlseder, Florian Mendel. Heuristic Tool for Linear Cryptanalysis with Applications to CAESAR Candidates. ASIACRYPT 2015
• Hannes Groß, Erich Wenger, Christoph Dobraunig, Christoph Ehrenhöfer. Suit up! Made-to-Measure Hardware Implementations of Ascon. DSD 2015
• Philipp Jovanovic, Atul Luykx, Bart Mennink. Beyond 2^(c/2) Security in Sponge-Based Authenticated Encryption Modes. ASIACRYPT 2014
• Elena Andreeva, Joan Daemen, Bart Mennink, Gilles Van Assche. Security of Keyed Sponge Constructions Using a Modular Proof Approach. FSE 2015
• Yosuke Todo. Structural Evaluation by Generalized Integral Property. EUROCRYPT 2015