With the advent of the Internet of Things (IoT), countless devices are connected to one another in order to exchange information. This information has to be protected. Symmetric cryptography can ensure that the data shared by these devices remains confidential, that it is properly authenticated, and that it has not been tampered with. Since these objects have almost no computing power, and even less so for information security, the cost of the algorithms that ensure these properties must be as low as possible. To meet this need, NIST has called for the design of authenticated ciphers and hash functions that provide a sufficient security level at the smallest possible implementation cost. This document describes the lightweight hashing algorithms built from the Sparkle family of permutations. The authenticated cipher Schwaemm provides confidentiality of the plaintext, as well as integrity and authentication of the plaintext and of additional public associated data. The hash function Esch is one-way and collision-resistant. The goal of these algorithms is to perform their task using as few CPU cycles as possible while retaining strong security guarantees and a small implementation size. This speed will allow devices to protect their data using fewer CPU cycles than is currently needed. To give one very concrete application of this gain, the energy that cryptography demands from a battery-powered microcontroller will decrease.
Schwaemm and Esch: Lightweight Authenticated Encryption and Hashing using the Sparkle Permutation Family

Christof Beierle (1,2), Alex Biryukov (1), Luan Cardoso dos Santos (1), Johann Großschädl (1), Amir Moradi (2), Léo Perrin (3), Aein Rezaei Shahmirzadi (2), Aleksei Udovenko (1,4), Vesselin Velichkov (5), and Qingju Wang (1)

(1) DSC and SnT, University of Luxembourg, Luxembourg
(2) Ruhr University Bochum, Horst Görtz Institute for IT Security, Germany
(3) Inria, Paris, France
(4) CryptoExperts, Paris, France
(5) University of Edinburgh, U.K.
Version v1.2 (2021-05-17)
Corresponding submitter:
Prof. Dr. Alex Biryukov
Email: alex.biryukov@uni.lu
Phone: +352 466644-6793
University of Luxembourg
Maison du Nombre, 6, Avenue de la Fonte,
L–4364 Esch-sur-Alzette,
Luxembourg
Contact email for the whole Sparkle group:
sparklegrupp@googlegroups.com
Homepage of Schwaemm, Esch and Sparkle:
https://sparkle-lwc.github.io/
Algorithms Specified in this Document

Type                              Name               Internal state  Data block    Security      Data limit
                                                     size (bytes)    size (bytes)  level (bits)  (bytes)
Hash function                     Esch256 †          48              16            128           2^132
                                  Esch384            64              16            192           2^196
Extendable-output function (XOF)  XOEsch256          48              16            min{128, t}   2^132
                                  XOEsch384          64              16            min{192, t}   2^196
AEAD                              Schwaemm128-128    32              16            120           2^68
                                  Schwaemm256-128 †  48              32            120           2^68
                                  Schwaemm192-192    48              24            184           2^68
                                  Schwaemm256-256    64              32            248           2^133

† Primary instances.
We, the authors, faithfully declare that the algorithms presented in this document are, to the
best of our knowledge, safe from all attacks currently known. We have not hidden any weakness
in any of them.
Changelog. Version vX.Y refers to the Y-th updated version of the pdf with regard to the algorithm specification X. Thus, differences between vX.Y and vX.Y′ are only in the pdf, not in the actual algorithms. New and improved implementations might be provided.
∙ v1.0 to v1.1: Besides correcting minor typos, we did the following changes. We switched the primary member of the AEAD schemes from Schwaemm192-192 to Schwaemm256-128. We give a name to the ARX-box used in Sparkle, i.e., Alzette. We further added a clarification on how to map bitstrings to 32-bit words of the state in Sparkle. We also added new implementation results in Chapter 5.
∙ v1.1 to v1.2: Besides correcting minor typos, we did the following changes. First of all, our team is extended by Amir Moradi and Aein Rezaei Shahmirzadi. Moreover, we included the results of our latest publications [BBCdS+20a] and [BBCdS+20b] in this document. In particular, we included the extendable-output functions XOEsch256 and XOEsch384. Further, we could slightly improve the differential bound of Alzette. More precisely, we now have that the probability of the best 7-round differential trail is equal to 2^−26, which improves upon our previous result which only stated that this probability was at most 2^−24. We also expanded the division property analysis of Alzette.
Acknowledgements. The work of Christof Beierle was performed while he was at the University of Luxembourg and funded by the SnT CryptoLux RG budget. Luan Cardoso dos Santos is supported by the Luxembourg National Research Fund through grant PRIDE15/10621687/SPsquared. The work of Aleksei Udovenko is funded by the Fonds National de la Recherche Luxembourg (project reference 9037104). Part of the work by Vesselin Velichkov was performed while he was at the University of Luxembourg. The work of Qingju Wang is funded by the University of Luxembourg Internal Research Project (IRP) FDISC.
We thank Mridul Nandi for answering some questions about the Beetle mode of operation and also Benoît Cogliati for helping out with questions about provable security of variations of the Beetle mode.
The experiments presented in this paper were carried out using the HPC facilities of the University of Luxembourg [VBCG14] – see https://hpc.uni.lu.
Contents
Notations and Abbreviations iv
Chapter 1. Introduction 1
1.1 What Is This Document? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 What Are Esch and Schwaemm? . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.3 What Is Sparkle? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4 What Are Their Key Features? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2. Specification 6
2.1 The Sparkle Permutations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 The Hash Functions Esch256 and Esch384 . . . . . . . . . . . . . . . . . . . . . . 9
2.3 The Authenticated Cipher Family Schwaemm . . . . . . . . . . . . . . . . . . . . 13
2.4 Recommendations for Joint Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 24
Chapter 3. Design Rationale 25
3.1 The Sponge Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 A Permutation Structure that Favours Rigorous Security Arguments . . . . . . . . 28
3.3 The ARX-box Alzette . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.4 The Linear Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.5 On the Number of Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Chapter 4. Security Analysis 49
4.1 Security Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.2 Attacks and Tests Against the Permutation . . . . . . . . . . . . . . . . . . . . . . 50
4.3 Attacks Against the Sponge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.4 Guess and Determine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Chapter 5. Implementation Aspects 72
5.1 Software Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.2 Hardware Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
5.3 Protection against Side-Channel Attacks . . . . . . . . . . . . . . . . . . . . . . . . 73
5.4 Implementation Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Bibliography 78
Chapter A. C Implementation of Sparkle 84
Chapter B. Linear Trails in Alzette 85
Chapter C. Representations of the Primitives 87
Notations and Abbreviations

F_2       The set {0, 1}
F_2^n     The set of the bitstrings of length n
F_2^*     The set of bitstrings of arbitrary length
n_b       Number of branches
h_b       n_b / 2
Word      An element of F_2^32
Branch    A pair (x, y) of two words
+         Modular addition
⊕         Exclusive or, also called “XOR”
||        Concatenation of bitstrings
B^i       The i-times concatenation of the bitstring B with itself
&         The bitwise AND operation
x ⋘ s     The word x rotated left by s bits
x ⋙ s     The word x rotated right by s bits
x ≪ s     The word x shifted left by s bits
x ≫ s     The word x shifted right by s bits
hw(x)     The Hamming weight of the bitstring x
ε         A binary string of length 0
|E|       The number of elements in a set E or the length of a string in bits
Pr[ω]     The probability of an event ω
I, ℐ      The identity mapping
IoT       Internet of Things
AEAD      Authenticated encryption with associated data
ARX       Add-Rotation-XOR
SPN       Substitution-Permutation Network
LTS       Long trail strategy
SIMD      Single Instruction Multiple Data
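The notation table above distinguishes rotation of a 32-bit word from a plain shift, and the rest of the specification (an ARX design) is built from exactly these word operations. The following C helpers are an added illustration, not code from the specification or from the Sparkle reference implementation: they implement the table's modular addition, rotations, shifts and Hamming weight on uint32_t words, and they guard the one case that bites implementers in C, a rotation amount of 0 or 32, where the naive `x << (32 - s)` form shifts by the full word width and is undefined behaviour. The function names are assumptions chosen for this example.

```c
#include <stdint.h>

/* Modular addition, the table's "+": uint32_t arithmetic wraps mod 2^32. */
static uint32_t add32(uint32_t a, uint32_t b) { return a + b; }

/* Rotation left by s bits (the table's "x <<< s"). The amount is reduced
 * modulo 32 and the s == 0 case is handled separately so the complementary
 * shift is never by 32, which would be undefined behaviour in C. */
static uint32_t rotl32(uint32_t x, unsigned s) {
    s &= 31u;
    return s ? (x << s) | (x >> (32u - s)) : x;
}

/* Rotation right by s bits (the table's "x >>> s"), same guard. */
static uint32_t rotr32(uint32_t x, unsigned s) {
    s &= 31u;
    return s ? (x >> s) | (x << (32u - s)) : x;
}

/* Logical shifts (the table's "x << s" and "x >> s"): unlike a rotation,
 * bits pushed out of the word are lost. Shifting by >= 32 yields 0 rather
 * than invoking undefined behaviour. */
static uint32_t shl32(uint32_t x, unsigned s) { return s >= 32u ? 0u : x << s; }
static uint32_t shr32(uint32_t x, unsigned s) { return s >= 32u ? 0u : x >> s; }

/* Hamming weight hw(x): number of set bits, clearing the lowest set bit
 * per iteration. */
static unsigned hw32(uint32_t x) {
    unsigned n = 0;
    while (x) { x &= x - 1u; n++; }
    return n;
}

/* A rotation permutes the bits of the word, so it preserves the Hamming
 * weight and is undone by the opposite rotation; a shift does neither.
 * Returns 1 if both properties hold for the given word and amount. */
static int rotation_is_bit_permutation(uint32_t x, unsigned s) {
    return hw32(rotl32(x, s)) == hw32(x) && rotr32(rotl32(x, s), s) == x;
}

int main(void) {
    /* Constructed sample word for a stand-alone run. */
    uint32_t x = 0x80000001u;
    return (rotl32(x, 1) == 0x00000003u && shl32(x, 1) == 0x00000002u) ? 0 : 1;
}
```

In a real implementation the rotation amounts are compile-time constants, so the `s & 31` reduction costs nothing and most compilers recognise the pattern and emit a single rotate instruction.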
1 Introduction
With the advent of the Internet of Things (IoT), a myriad of devices are being connected to
one another in order to exchange information. This information has to be secured. Symmetric
cryptography can ensure that the data those devices share remains confidential, that it is properly
authenticated and that it has not been tampered with.
As such objects have little computing power—and even less so that is dedicated to information
security—the cost of the algorithms ensuring these properties has to be as low as possible. To
answer this need, the NIST has called for the design of authenticated ciphers and hash functions
providing a sufficient security level at as small an implementation cost as possible.
In this document, we present a suite of algorithms that answer this call. All our algorithms are
built using the same core, namely the Sparkle family of permutations. The authenticated ciphers,
Schwaemm, provide confidentiality of the plaintext as well as both integrity and authentication
for the plaintext and for additional public associated data. The hash functions, Esch, are (second)
preimage and collision-resistant. Our aim for our algorithms is to use as few CPU cycles as possible
to perform their task while retaining strong security guarantees and a small implementation size.
This speed will allow devices to use much fewer CPU cycles than what is currently needed to
ensure the protection of their data. To give one of many very concrete applications of this gain,
the energy demanded by cryptography for a battery-powered microcontroller will be decreased.
In summary, our goal is to provide fast software encryption for all platforms.
Note. The Sparkle family of permutations together with the AEAD instances Schwaemm and the hash functions Esch is published in the Special Issue of IACR Transactions on Symmetric Cryptology dedicated to the second-round candidates of the NIST lightweight cryptography standardization process [BBCdS+20b].
1.1 What Is This Document?
In this document, we specify the cryptographic hash function family Esch and the authenticated
encryption scheme Schwaemm, submitted to the NIST lightweight cryptography standardization
process.
Together with the specification of the algorithms (Chapter 2), we provide a detailed design
rationale that explains the choice of the overall structure and its internal components (Chapter 3).
Further, we provide a detailed analysis of the security of our schemes with regard to state-of-the-art
attacks, and beyond (Chapter 4). Proper design rationale and security analysis are essential parts in
a design proposal as they are necessary for other people to trust cryptographic algorithms. Indeed,
this trust comes from both a proper security analysis and the attention of external cryptographers,
and a document explaining the design choices and trade-offs made is necessary in order to satisfy
either of these conditions. We further provide details on how the algorithms allow for optimized
implementations (Chapter 5).
1.2 What Are Esch and Schwaemm?
Both are cryptographic algorithms that were designed to be lightweight in software (i.e., to have
small code size and low RAM footprint) and still reach high performance on a wide range of 8, 16,
and 32-bit microcontrollers. Section 5.1 gives an overview of software implementation options for
different platforms. Esch and Schwaemm can also be well optimized to achieve small silicon area
and low power consumption when implemented in hardware. Hardware implementation aspects
(including a proposal for a lightweight hardware architecture for the Sparkle permutation) are
discussed in Section 5.2.