Review of the NIST Light-weight Cryptography Finalists

Since 2016, NIST has been assessing lightweight encryption methods, and, in 2022, NIST published the final 10: ASCON, Elephant, GIFT-COFB, Grain128-AEAD, ISAP, Photon-Beetle, Romulus, Sparkle, TinyJambu, and Xoodyak. At the time that the article was written, NISC announced ASCOn as the chosen method that will be published as NIST'S lightweight cryptography standard later in 2023. In this article, we provide a comparison between these methods in terms of energy efficiency, time for encryption, and time for hashing.Comment: 6 page

Security analysis of NIST-LWC contest finalists

Dissertação de mestrado integrado em Informatics EngineeringTraditional cryptographic standards are designed with a desktop and server environment in mind, so, with the relatively recent proliferation of small, resource constrained devices in the Internet of Things, sensor networks, embedded systems, and more, there has been a call for lightweight cryptographic standards with security, performance and resource requirements tailored for the highly-constrained environments these devices find themselves in. In 2015 the National Institute of Standards and Technology began a Standardization Process in order to select one or more Lightweight Cryptographic algorithms. Out of the original 57 submissions ten finalists remain, with ASCON and Romulus being among the most scrutinized out of them. In this dissertation I will introduce some concepts required for easy understanding of the body of work, do an up-to-date revision on the current situation on the standardization process from a security and performance standpoint, a description of ASCON and Romulus, and new best known analysis, and a comparison of the two, with their advantages, drawbacks, and unique traits.Os padrões criptográficos tradicionais foram elaborados com um ambiente de computador e servidor em mente. Com a proliferação de dispositivos de pequenas dimensões tanto na Internet of Things, redes de sensores e sistemas embutidos, apareceu uma necessidade para se definir padrões para algoritmos de criptografia leve, com prioridades de segurança, performance e gasto de recursos equilibrados para os ambientes altamente limitados em que estes dispositivos operam. Em 2015 o National Institute of Standards and Technology lançou um processo de estandardização com o objectivo de escolher um ou mais algoritmos de criptografia leve. Das cinquenta e sete candidaturas originais sobram apenas dez finalistas, sendo ASCON e Romulus dois desses finalistas mais examinados. Nesta dissertação irei introduzir alguns conceitos necessários para uma fácil compreensão do corpo deste trabalho, assim como uma revisão atualizada da situação atual do processo de estandardização de um ponto de vista tanto de segurança como de performance, uma descrição do ASCON e do Romulus assim como as suas melhores análises recentes e uma comparação entre os dois, frisando as suas vantagens, desvantagens e aspectos únicos

Residual Vulnerabilities to Power side channel attacks of lightweight ciphers cryptography competition Finalists

The protection of communications between Internet of Things (IoT) devices is of great concern because the information exchanged contains vital sensitive data. Malicious agents seek to exploit those data to extract secret information about the owners or the system. Power side channel attacks are of great concern on these devices because their power consumption unintentionally leaks information correlatable to the device\u27s secret data. Several studies have demonstrated the effectiveness of authenticated encryption with advanced data, in protecting communications with these devices. A comprehensive evaluation of the seven (out of 10) algorithm finalists of the National Institute of Standards and Technology (NIST) IoT lightweight cipher competition that do not integrate built‐in countermeasures is proposed. The study shows that, nonetheless, they still present some residual vulnerabilities to power side channel attacks (SCA). For five ciphers, an attack methodology as well as the leakage function needed to perform correlation power analysis (CPA) is proposed. The authors assert that Ascon, Sparkle, and PHOTON‐Beetle security vulnerability can generally be assessed with the security assumptions “Chosen ciphertext attack and leakage in encryption only, with nonce‐misuse resilience adversary (CCAmL1)” and “Chosen ciphertext attack and leakage in encryption only with nonce‐respecting adversary (CCAL1)”, respectively. However, the security vulnerability of GIFT‐COFB, Grain, Romulus, and TinyJambu can be evaluated more straightforwardly with publicly available leakage models and solvers. They can also be assessed simply by increasing the number of traces collected to launch the attack

Related-Tweakey Impossible Differential Attack on Reduced-Round SKINNY-AEAD M1/M3

SKINNY-AEAD is one of the second-round candidates of the Lightweight Cryptography Standardization project held by NIST. SKINNY-AEAD M1 is the primary member of six SKINNY-AEAD schemes, while SKINNY-AEAD M3 is another member with a small tag. In the design document, only security analyses of their underlying primitive SKINNY-128-384 are provided. Besides, there are no valid third-party analyses on SKINNY-AEAD M1/M3 according to our knowledge. Therefore, this paper focuses on constructing the first third-party security analyses on them under a nonce-respecting scenario. By taking the encryption mode of SKINNY-AEAD into consideration and exploiting several properties of SKINNY, we can deduce some necessary constraints on the input and tweakey differences of related-tweakey impossible differential distinguishers. Under these constraints, we can find distinguishers suitable for mounting powerful tweakey recovery attacks. With the help of the automatic searching algorithms based on STP, we find some 14-round distinguishers. Based on one of these distinguishers, we mount a 20-round and an 18-round tweakey recovery attack on SKINNY-AEAD M1/M3. To the best of our knowledge, all these attacks are the best ones so far

Security of lightweight cryptographic algorithms

Η διπλωματική εργασία μελετά τους lightweight κρυπτογραφικούς αλγορίθμους, εστιάζοντας σε συγκεκριμένα χαρακτηριστικά ασφάλειας. Πιο συγκεκριμένα, θα αναλυθούν, θα αξιολογηθούν και θα ταξινομηθούν σε διάφορες κατηγορίες, όπως αν είναι block ή stream ciphers και αν είναι authenticated ή όχι, κάποιοι lightweight αλγόριθμοι. Αυτή η ταξινόμηση αφορά αλγόριθμους που βρίσκονται σε διαδικασία προτυποποίησης και συμμετέχουν στο διαγωνισμό του NIST (National Institution of Standards and Technology), Lightweight Crypto. Στη συνέχεια, θα δοθεί έμφαση στις Boolean Functions που χρησιμοποιούν αυτοί οι lightweight κρυπτογραφικοί αλγόριθμοι, με σκοπό να υπολογιστούν οι κρυπτογραφικές ιδιότητες των συναρτήσεων αυτών και να αξιολογηθεί η ανθεκτικότητα αυτών των αλγορίθμων ενάντια σε κρυπταναλυτικές επιθέσεις. Η ανάλυσή μας δείχνει πως δεν υπάρχει καμία Boolean function που να ικανοποιεί όλες τις κρυπτογραφικές ιδιότητες και έτσι απαιτείται περαιτέρω έρευνα για να διευκρινιστεί αν οι ευπάθειες αυτές των Boolean functions μπορούν να χρησιμοποιηθούν για την διεξαγωγή κρυπταναλυτικής επίθεσης.This thesis studies the lightweight cryptographic algorithms, focusing on specific security features. In particular, many lightweight algorithms are being analyzed, evaluated and classified into several categories including but not limited to block/stream ciphers, either being authenticated or not. This categorization consists of algorithms that are in the progress of standardization, competing in the NIST (National Institution of Standards and Technology) Lightweight Crypto Standardization process. Next, emphasis will be given on the Boolean functions that these Lightweight cryptographic algorithms utilize, with the aim to calculate the cryptographic properties of such functions towards evaluating the resistance of these algorithms against several cryptanalytic attacks. Our analysis illustrates that there is no cryptographic Boolean function satisfying all the cryptographic properties and, thus, further research is needed in order to evaluate whether such vulnerabilities of underlying Boolean functions can actually be exploited in order to mount a cryptanalytic attac

Forkcipher: A New Primitive for Authenticated Encryption of Very Short Messages

This is an extended version of the article with the same title accepted at Asiacrypt 2019.International audienceHighly efficient encryption and authentication of short messages is an essential requirement for enabling security in constrained scenarios such as the CAN FD in automotive systems (max. message size 64 bytes), massive IoT, critical communication domains of 5G, and Narrowband IoT, to mention a few. In addition, one of the NIST lightweight cryptography project requirements is that AEAD schemes shall be “optimized to be efficient for short messages (e.g., as short as 8 bytes)”. In this work we introduce and formalize a novel primitive in symmetric cryptography called a forkcipher. A forkcipher is a keyed function expanding a fixed-length input to a fixed-length output. We define its security as indistinguishability under chosen ciphertext attack. We give a generic construction validation via the new iterate-fork-iterate design paradigm. We then propose ForkSkinny as a concrete forkcipher instance with a public tweak and based on SKINNY: a tweakable lightweight block cipher constructed using the TWEAKEY framework. We conduct extensive cryptanalysis of ForkSkinny against classical and structure-specific attacks. We demonstrate the applicability of forkciphers by designing three new provably-secure, nonce-based AEAD modes which offer performance and security tradeoffs and are optimized for efficiency of very short messages. Considering a reference block size of 16 bytes, and ignoring possible hardware optimizations, our new AEAD schemes beat the best SKINNY-based AEAD modes. More generally, we show forkciphers are suited for lightweight applications dealing with predominantly short messages, while at the same time allowing handling arbitrary messages sizes. Furthermore, our hardware implementation results show that when we exploit the inherent parallelism of ForkSkinny we achieve the best performance when directly compared with the most efficient mode instantiated with the SKINNY block cipher

Arithmetic Circuit Implementations of S-boxes for SKINNY and PHOTON in MPC

Secure multi-party computation (MPC) enables multiple distrusting parties to compute a function while keeping their respective inputs private. In a threshold implementation of a symmetric primitive, e.g., of a block cipher, each party holds a share of the secret key or of the input block. The output block is computed without reconstructing the secret key. This enables the construction of distributed TPMs or transciphering for secure data transmission in/out of the MPC context. This paper investigates implementation approaches for the lightweight primitives SKINNY and PHOTON in arithmetic circuits. For these primitives, we identify arithmetic expressions for the S-box that result in smaller arithmetic circuits compared to the Boolean expressions from the literature. We validate the optimization using a generic actively secure MPC protocol and obtain 18% faster execution time with 49% less communication data for SKINNY-64-128 and 27% to 74% faster execution time with 49% to 81% less data for PHOTON $P_{100}$ and $P_{288}$. Furthermore, we find a new set of parameters for the heuristic method of polynomial decomposition, introduced by Coron, Roy and Vivek, specialized for SKINNY\u27s 8-bit S-box. We reduce the multiplicative depth from 9 to 5

RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography

The NIST LightWeight Cryptography (LWC) selection process aims to standardise cryptographic functionality which is suitable for resource-constrained devices. Since the outcome is likely to have significant, long-lived impact, careful evaluation of each submission with respect to metrics explicitly outlined in the call is imperative. Beyond the robustness of submissions against cryptanalytic attack, metrics related to their implementation (e.g., execution latency and memory footprint) form an important example. Aiming to provide evidence allowing richer evaluation with respect to such metrics, this paper presents the design, implementation, and evaluation of one separate Instruction Set Extension (ISE) for each of the 10 LWC final round submissions, namely Ascon, Elephant, GIFT-COFB, Grain-128AEADv2, ISAP, PHOTON-Beetle, Romulus, Sparkle, TinyJAMBU, and Xoodyak; although we base the work on use of RISC-V, we argue that it provides more general insight

Fast Skinny-128 SIMD Implementations for Sequential Modes of Operation

This paper reports new software implementation results for the Skinny-128 tweakable block ciphers on various SIMD architectures. More precisely, we introduce a decomposition of the 8-bit S-box into four 4-bit S-boxes in order to take advantage of vector permute instructions, leading to significant performance improvements over previous constant-time implementations. Since our approach is of particular interest when Skinny-128 is used in sequential modes of operation, we also report how it benefits to the Romulus authenticated encryption scheme, a finalist of the NIST LWC standardization process