New Results on Romulus T. Iwata, M. Khairallah, K. Minematsu and T. Peyrin NIST LWC 2020 Virtual - October 19, 2020
Romulus-N : BBB nonce-respecting AEAD
[Figure: Romulus-N mode. Starting from state 0^n, the associated data A[1], A[2], ..., pad(A[a]) is absorbed through ρ and the TBC calls E_{8,1}, E_{8,3}, ..., E_{w_A,a} under key K (odd-indexed blocks enter through ρ, even-indexed blocks enter the tweak input), the last call taking the nonce N in its tweak and giving state S. The message M[1], ..., pad(M[m]) is then processed through ρ and the calls E_{4,1}, E_{4,2}, ..., E_{w_M,m}, each with N in the tweak, producing C[1], ..., C[m] (the last truncated to lsb_{|M[m]|}) and the tag T.]
Romulus-M : BBB nonce-misuse resistant AEAD
[Figure: Romulus-M mode, two passes. First pass: starting from 0^n, the associated data A[1], ..., pad(A[a]) and then the message M[1], M[2], M[3], ..., pad(M[m]) are absorbed through ρ and the TBC calls E_{40,1}, ..., E_{44,a}, E_{44,a+2}, ..., E_{w,a+m} under key K, with N in the tweak of the last call, yielding the tag T. Second pass: starting from state T, the message blocks M[1], M[2], ..., pad(M[m']) are encrypted through ρ and the calls E_{36,0}, E_{36,1}, E_{36,2}, ..., E_{36,m'-1}, each with N in the tweak, producing C[1], C[2], ..., C[m'] (the last truncated to lsb_{|M[m']|}).]
Summary of proposed updates and new results
We propose the following updates if selected for the next round :
⊲ reduce the number of rounds of the internal primitive
⊲ simplify the submission by removing some variants
⊲ add a hash function, Romulus-H
⊲ add two leakage-resilient modes, Romulus-LR and Romulus-LR-TEDT
Additional new results :
⊲ RUP security proof for Romulus-M
⊲ new software/hardware implementations
⊲ efficient threshold implementation
Update : round reduction for SKINNY-128/384 SKINNY : ⊲ an ultra lightweight Tweakable Block Cipher (TBC) ⊲ SKINNY is probably the most analysed primitive used in the competition (except AES or Keccak , already standardized) ⊲ currently in Committee Draft stage at ISO (ISO/IEC 18033-7) ⊲ already used in practical applications C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich and S.M. Sim CRYPTO 2016 https://sites.google.com/site/skinnycipher/
Update : round reduction for SKINNY-128/384
Security margin of SKINNY-128/384 is very (too?) large
⊲ SKINNY-128/384 has 56 rounds
⊲ the current best attack reaches 28 rounds with 2^315 time and > 2^122 data (50% security margin!)
⊲ for attacks with time/data limited to 2^128, the best attack reaches 22 rounds
⊲ SKINNY-128/384 was designed to handle even 384-bit keys, while Romulus uses it as a 128-bit security primitive
[Figure: bar chart of SKINNY-128/384 rounds, marking 56 (full cipher), 28 (best attack) and 22 (best attack under 2^128 time/data)]
Update : round reduction for SKINNY-128/384
Security margin of SKINNY-128/384 is very (too?) large
⊲ we reduce the number of rounds from 56 to 40
⊲ SKINNY-128/384+ has 40 rounds, proposed by the SKINNY team
⊲ still maintains a 30% security margin, even for unrealistic 2^315 attacks
⊲ 45% security margin if only considering < 2^128 time/data
We directly get a 1.4× performance gain on all current benchmarks
[Figure: bar chart of SKINNY-128/384+ rounds, marking 40 (full cipher), 28 (best attack) and 22 (best attack under 2^128 time/data)]
Update : only keep Romulus-N1 and Romulus-M1
We originally proposed 6 versions of Romulus to have several trade-offs. In order to simplify, we propose to only keep the main variants Romulus-N1 and Romulus-M1.

  Previous    | Mode       | Primitive       | Comment
  ------------+------------+-----------------+---------------------------------
  Romulus-N1  | Romulus-N1 | SKINNY-128/384  | BBB nonce-respecting AEAD
  Romulus-N2  |            | SKINNY-128/384  |
  Romulus-N3  |            | SKINNY-128/256  |
  Romulus-M1  | Romulus-M1 | SKINNY-128/384  | BBB nonce-misuse resistant AEAD
  Romulus-M2  |            | SKINNY-128/384  |
  Romulus-M3  |            | SKINNY-128/256  |
Update : only keep Romulus-N1 and Romulus-M1
Romulus : simpler and faster

  New              | Mode       | Primitive        | Comment
  -----------------+------------+------------------+------------------------------------------
  Romulus-N        | Romulus-N1 | SKINNY-128/384+  | BBB nonce-respecting AEAD
  Romulus-M        | Romulus-M1 | SKINNY-128/384+  | BBB nonce-misuse resistant AEAD
  Romulus-H        | MDPH       | SKINNY-128/384+  | Hash function / XOF
  Romulus-LR       | AET-LR     | SKINNY-128/384+  | Leakage-resilient AEAD (CIML2 + CCAml1)
  Romulus-LR-TEDT  | TEDT       | SKINNY-128/384+  | Leakage-resilient AEAD (CIML2 + CCAmL2)
Romulus-H : hashing with Romulus
Hashing with a 128-bit TBC is very easy with Naito's MDPH :
⊲ build a 256-bit compression function h with the well-known Hirose DBL construction (rate 1) [FSE06]
⊲ place h into the Merkle-Damgård with Permutation (MDP) mode [JoC12]
MDPH is indifferentiable from a (variable-input-length) random oracle up to about 2^(n − log n) queries
[Figure: MDPH. The 2n-bit chaining value starts at 0^n || 0^n; each message block M[1], ..., M[m] feeds two calls to E, the second with the constant 1 XORed in; the MDP permutation is applied before the last block; the output is the hash H.]
Romulus-H : hashing with Romulus
Extra features of Romulus-H :
⊲ XOF : simply use H(M || 0), H(M || 1), H(M || 2), etc.
⊲ Romulus-H can naturally adapt to very constrained area environments by reducing its message block size
[Figure: the same MDPH diagram as on the previous slide]
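The two slides above describe MDPH only at the level of the mode, so what follows is an added example (not the Romulus team's code, and not Romulus-H itself) of that mode: Hirose's double-block-length compression function iterated in MDP mode, with the XOF built as H(M||0) || H(M||1) || ... exactly as the slide says. It uses AES-256 from Go's standard library as a stand-in for SKINNY-128/384+, since Hirose's DBL only needs a block cipher whose key is twice its block length (one n-bit chaining half plus one n-bit message block); with SKINNY-128/384+ the 384-bit tweakey would carry a 2n-bit message block instead. The constant c = 1, the MDP permutation (XOR of 0x02 into the chaining value) and the all-zero IV are assumed choices, and the input messages are constructed.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// n is the block length in bytes (n = 128 bits). AES-256 stands in for
// SKINNY-128/384+: a block cipher whose 2n-bit key can carry one n-bit
// chaining half plus one n-bit message block, which is all Hirose's DBL needs.
const n = 16

// hiroseCF is Hirose's double-block-length compression function (FSE 2006):
//   G' = E_{H||M}(G) xor G
//   H' = E_{H||M}(G xor c) xor G xor c        (c is a non-zero constant)
// Both calls share one key schedule, so one key setup serves two encryptions.
func hiroseCF(g, h, m [n]byte) (gNew, hNew [n]byte) {
	var key [2 * n]byte
	copy(key[:n], h[:])
	copy(key[n:], m[:])
	blk, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // cannot happen: the key length is fixed at 32 bytes
	}
	blk.Encrypt(gNew[:], g[:])
	for i := range gNew {
		gNew[i] ^= g[i]
	}
	gc := g
	gc[n-1] ^= 0x01 // c = 1 (assumed constant; any non-zero value works)
	blk.Encrypt(hNew[:], gc[:])
	for i := range hNew {
		hNew[i] ^= gc[i]
	}
	return
}

// mdpPad is Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit bit
// length, producing a whole number of n-byte blocks.
func mdpPad(msg []byte) []byte {
	out := append([]byte{}, msg...)
	out = append(out, 0x80)
	for len(out)%n != n-8 {
		out = append(out, 0x00)
	}
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(msg))*8)
	return append(out, l[:]...)
}

// mdph hashes msg in MDP mode (Hirose-Park-Yun, JoC 2012): plain Merkle-Damgard
// iteration, except that a fixed-point-free permutation pi (here XOR of a
// constant into the chaining value, an assumed choice) is applied to the
// chaining value before the final block. The 2n-bit output is G || H.
func mdph(msg []byte) [2 * n]byte {
	var g, h [n]byte // IV = 0^n || 0^n, as in the slide's figure
	blocks := mdpPad(msg)
	nb := len(blocks) / n
	for i := 0; i < nb; i++ {
		if i == nb-1 {
			h[0] ^= 0x02 // pi: separates the last call from all inner calls
		}
		var m [n]byte
		copy(m[:], blocks[i*n:(i+1)*n])
		g, h = hiroseCF(g, h, m)
	}
	var out [2 * n]byte
	copy(out[:n], g[:])
	copy(out[n:], h[:])
	return out
}

// xof derives outLen bytes as H(M||0) || H(M||1) || ... as the slide describes.
// The counter is a single byte here, so at most 256 * 2n bytes are produced.
func xof(msg []byte, outLen int) []byte {
	var out []byte
	for ctr := 0; len(out) < outLen; ctr++ {
		d := mdph(append(append([]byte{}, msg...), byte(ctr)))
		out = append(out, d[:]...)
	}
	return out[:outLen]
}

func main() {
	d := mdph([]byte("Romulus-H style MDPH, constructed input"))
	fmt.Println(hex.EncodeToString(d[:]))
	fmt.Println(hex.EncodeToString(xof([]byte("seed"), 48)))
}
```

The "reduce the message block size" bullet maps directly onto hiroseCF: the message bytes occupy the half of the key that is not the chaining half, so a narrower block simply means fewer message bytes per pair of cipher calls, with the same wiring.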
Romulus-LR : leakage resilience with Romulus
One can get some leakage resilience by simply feed-forwarding each message block into the tweak input of Romulus-N, plus key/tag protection :
⊲ a nonce-dependent key K' is derived with one TBC call E_{0,0} from the nonce N under the master key K
⊲ associated data and message blocks are processed under K', with each message block M[i] and the nonce N entering the tweak of the call E_{4,i}
⊲ the final call producing the tag T is keyed with the master key K
Romulus-LR ensures CIML2 (best for integrity) + CCAml1
[Figure: Romulus-LR, i.e. the Romulus-N diagram with the key derivation E_{0,0} on N under K giving K', the associated-data calls E_{8,1}, E_{8,3}, ..., E_{w_A,a} and message calls E_{4,1}, E_{4,2}, ..., E_{4,m} under K' with M[i] and N in the tweak, and the last call E_{w_M,m} under K producing T]
Romulus-LR-TEDT : strong leakage resilience
One can get strong leakage resilience by simply using the TEDT mode [CHES20] with SKINNY-128/384+
Romulus-LR-TEDT ensures CIML2 (best for integrity) + CCAmL2 (best for privacy)
RUP security of Romulus-M
RUP (release of unverified plaintext) security notion, relevant in case of limited memory : the result of decryption (possibly an unauthentic plaintext) is leaked before the verification result is obtained.
⊲ integrity : Romulus-M is INT-RUP secure (against both nonce-respecting and nonce-misusing adversaries)
⊲ privacy : Romulus-M is PA1 secure (Plaintext Awareness)
Software performance of Romulus
Software performance rankings on AVR (8-bit) from OTH, Germany : lwc.las3.de/table.php
[Figure: AVR ranking table]
Hardware performance of Romulus : FPGA
FPGA performance from GMU, USA
[Figure: FPGA benchmark table]
Hardware performance of Romulus : ASIC

                   Performance                 Efficiency                          3 Mbps
  Candidate        Th.  Area  Power  Energy    Th./Area  Th./Power  Energy×Area    Th./Area  Th./Power  Energy×Area
  DryGascon         4     7     7      4          4          4           5             6          8           7
  Elephant          6     5     5      6          7          6           7             7          7           6
  PHOTON-Beetle     5     6     6      5          6          5           6             5          5           5
  Pyjamask          8     8     8      8          8          8           8             8          6           8
  Romulus           3     2     2      2          3          2           2             2          2           2
  Subterranean      1     3     3      1          1          1           1             3          4           3
  TinyJambu         7     1     1      7          5          7           4             1          1           1
  Xoodyak           2     4     4      3          2          3           3             4          3           4

Table – ASIC performance ranking (rank, 1 = best) from https://github.com/mustafam001/lwc-aead-rtl/raw/master/asic-report.pdf