1 Introduction
With the advent of the Internet of Things (IoT), a myriad of devices are being connected to
one another in order to exchange information. This information has to be secured. Symmetric
cryptography can ensure that the data those devices share remains confidential, that it is properly
authenticated and that it has not been tampered with.
As such objects have little computing power—and even less so that is dedicated to information
security—the cost of the algorithms ensuring these properties has to be as low as possible. To
answer this need, the NIST has called for the design of authenticated ciphers and hash functions
providing a sufficient security level at as small an implementation cost as possible.
In this document, we present a suite of algorithms that answer this call. All our algorithms are
built using the same core, namely the Sparkle family of permutations. The authenticated ciphers,
Schwaemm, provide confidentiality of the plaintext as well as both integrity and authentication
for the plaintext and for additional public associated data. The hash functions, Esch, are (second)
preimage and collision-resistant. Our aim for our algorithms is to use as few CPU cycles as possible
to perform their task while retaining strong security guarantees and a small implementation size.
This speed will allow devices to use much fewer CPU cycles than what is currently needed to
ensure the protection of their data. To give one of many very concrete applications of this gain,
the energy demanded by cryptography for a battery-powered microcontroller will be decreased.
In summary, our goal is to provide fast software encryption for all platforms.
Note. The Sparkle family of permutations together with the AEAD instances Schwaemm and
the hash functions Esch is published in the Special Issue of IACR Transactions on Symmetric
Cryptology dedicated to the second-round candidates of the NIST lightweight cryptography stan-
dardization process [BBCdS
+
20b].
1.1 What Is This Document?
In this document, we specify the cryptographic hash function family Esch and the authenticated
encryption scheme Schwaemm, submitted to the NIST lightweight cryptography standardization
process.
Together with the specification of the algorithms (Chapter 2), we provide a detailed design
rationale that explains the choice of the overall structure and its internal components (Chapter 3).
Further, we provide a detailed analysis of the security of our schemes with regard to state-of-the art
attacks, and beyond (Chapter 4). Proper design rationale and security analysis are essential parts in
a design proposal as they are necessary for other people to trust cryptographic algorithms. Indeed,
this trust comes from both a proper security analysis and the attention of external cryptographers,
and a document explaining the design choices and trade-offs made is necessary in order to satisfy
either of these conditions. We further provide details on how the algorithms allow for optimized
implementations (Chapter 5).
1.2 What Are Esch and Schwaemm?
Both are cryptographic algorithms that were designed to be lightweight in software (i.e., to have
small code size and low RAM footprint) and still reach high performance on a wide range of 8, 16,
and 32-bit microcontrollers. Section 5.1 gives an overview of software implementation options for
different platforms. Esch and Schwaemm can also be well optimized to achieve small silicon area
and low power consumption when implemented in hardware. Hardware implementation aspects
(including a proposal for a lightweight hardware architecture for the Sparkle permutation) are
discussed in Section 5.2.
1
