ASCON: Submission to the CAESAR Competition (Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer; DIAC 2016 slide deck)

SLIDE 1

ASCON

Submission to the CAESAR Competition

Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer

DIAC 2016

SLIDE 2

Our Team

  • Christoph Dobraunig
  • Maria Eichlseder
  • Florian Mendel
  • Martin Schläffer

SLIDE 3

ASCON

Main Design Goals

  • Security
  • Efficiency
  • Lightweight
  • Simplicity
  • Online
  • Single pass
  • Scalability
  • Side-Channel Robustness

SLIDE 4

ASCON

General Overview

  • Nonce-based AE scheme
  • Sponge inspired

                 ASCON-128   ASCON-128a
Security         128 bits    128 bits
Rate (r)          64 bits    128 bits
Capacity (c)     256 bits    192 bits
State size (b)   320 bits    320 bits

SLIDE 5

ASCON

Working Principle

The encryption process is split into four phases:

  • Initialization
  • Associated Data Processing
  • Plaintext Processing
  • Finalization

SLIDE 6

ASCON

Initialization

  • Initialization: updates the 320-bit state with the key K and nonce N

[Figure: the b-bit state IV‖K‖N is fed through p^a, then 0*‖K is XORed into it; r and c mark the rate and capacity parts of the state.]

SLIDE 7

ASCON

Associated Data

  • Associated Data Processing: updating the 320-bit state with associated data blocks Ai

[Figure: each block A1 … As is XORed into the r-bit rate part and followed by p^b; after the last block, 0*‖1 is XORed into the c-bit capacity part for domain separation.]

SLIDE 8

ASCON

Encryption

  • Plaintext Processing: inject plaintext blocks Pi into the state and extract ciphertext blocks Ci

[Figure: P1 is XORed into the r-bit rate part and C1 read out, followed by p^b; this repeats for P(t−1)/C(t−1) up to the last block Pt/Ct, with r and c marking the rate and capacity parts.]

SLIDE 9

ASCON

Finalization

  • Finalization: inject the key K and extract a tag T for authentication

[Figure: K‖0* is XORed into the state, p^a is applied, and the k-bit tag T is the output XORed with K.]

SLIDE 10
ASCON

Permutation

  • SP-Network:
    – S-Layer
    – P-Layer

[Figure: one round maps the five 64-bit words x4 x3 x2 x1 x0 through the S-layer and then the P-layer to the new x4 x3 x2 x1 x0.]

SLIDE 11

ASCON

Permutation: S-Layer

  • Algebraic Degree 2

– Eases TI (threshold implementation with 3 shares)

  • Branch Number 3

– Good Diffusion

  • Bit-sliced Implementation

[Figure: 64 parallel 5-bit S-boxes, each acting on one bit column of (x0, x1, x2, x3, x4).]

SLIDE 12

ASCON

Permutation: P-Layer

  • Branch Number 4

Σ0(x0) = x0 ⊕ (x0 ⋙ 19) ⊕ (x0 ⋙ 28)
Σ1(x1) = x1 ⊕ (x1 ⋙ 61) ⊕ (x1 ⋙ 39)
Σ2(x2) = x2 ⊕ (x2 ⋙  1) ⊕ (x2 ⋙  6)
Σ3(x3) = x3 ⊕ (x3 ⋙ 10) ⊕ (x3 ⋙ 17)
Σ4(x4) = x4 ⊕ (x4 ⋙  7) ⊕ (x4 ⋙ 41)

(x ⋙ n denotes a right rotation of the 64-bit word x by n positions.)
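Slides 6 to 12 describe the mode and the permutation in pictures. The program below is an added worked example written for this page, not the designers' reference code: it implements ASCON-128 (k = 128, r = 64, a = 12, b = 6) following the published Ascon v1.2 specification, with the bit-sliced S-layer, the P-layer rotations listed above, the tweaked round-constant schedule and the four phases (initialization, associated data, plaintext, finalization). The S-box equations, round constants and initialization vector are taken from that specification, which the deck does not print (an assumption, as are the sample key, nonce and messages, which are constructed values).

```python
# ASCON-128 (k=128, r=64, a=12, b=6) written from the published Ascon v1.2
# specification to illustrate the slides; not the designers' reference code.
import hmac

MASK = (1 << 64) - 1
# Round constants of the tweaked schedule (slide 13); p^6 uses the last six.
ROUND_CONSTANTS = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5, 0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]
ASCON128_IV = 0x80400C0600000000  # k, r, a, b encoded as bytes 80 40 0c 06, zero-padded
ROTATIONS = [(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]  # P-layer (slide 12)
RATE = 8  # 64-bit rate in bytes

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def sbox_layer(s):
    """Bit-sliced 5-bit S-box over all 64 columns at once (slide 11)."""
    x0, x1, x2, x3, x4 = s
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0, t1, t2, t3, t4 = ~x0 & x1, ~x1 & x2, ~x2 & x3, ~x3 & x4, ~x4 & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
    return [x0, x1, x2, x3, x4]

def linear_layer(s):
    """Sigma_i(x_i) = x_i xor (x_i >>> r1) xor (x_i >>> r2), constants from slide 12."""
    return [x ^ rotr(x, a) ^ rotr(x, b) for x, (a, b) in zip(s, ROTATIONS)]

def permutation(s, rounds):
    """p^rounds: constant addition to x2, S-layer, P-layer, repeated."""
    s = list(s)
    for i in range(12 - rounds, 12):
        s[2] ^= ROUND_CONSTANTS[i]
        s = linear_layer(sbox_layer(s))
    return s

def sbox5(v):
    """The S-box on one 5-bit value, x0 being the most significant bit."""
    out = sbox_layer([(v >> (4 - i)) & 1 for i in range(5)])
    return sum((bit & 1) << (4 - i) for i, bit in enumerate(out))

def word(b):
    return int.from_bytes(b, "big")

def pad(data):
    """Append a 1 bit then zeros up to a multiple of the rate (slides 7 and 8)."""
    n = RATE - len(data) % RATE
    return data + b"\x80" + b"\x00" * (n - 1)

def initialize(key, nonce):
    """Slide 6: p^a(IV || K || N), then K XORed into the capacity part."""
    k0, k1, n0, n1 = word(key[:8]), word(key[8:]), word(nonce[:8]), word(nonce[8:])
    s = permutation([ASCON128_IV, k0, k1, n0, n1], 12)
    s[3] ^= k0; s[4] ^= k1
    return s, k0, k1

def absorb_ad(s, ad):
    """Slide 7: absorb padded AD blocks with p^b, then flip the domain-separation bit."""
    if ad:
        padded = pad(ad)
        for i in range(0, len(padded), RATE):
            s[0] ^= word(padded[i:i + RATE])
            s = permutation(s, 6)
    s[4] ^= 1
    return s

def finalize(s, k0, k1):
    """Slide 9: XOR K into x1, x2, apply p^a, tag = last 128 bits XOR K."""
    s[1] ^= k0; s[2] ^= k1
    s = permutation(s, 12)
    return (s[3] ^ k0).to_bytes(8, "big") + (s[4] ^ k1).to_bytes(8, "big")

def encrypt(key, nonce, ad, plaintext):
    """Returns ciphertext || 16-byte tag."""
    s, k0, k1 = initialize(key, nonce)
    s = absorb_ad(s, ad)
    padded, out = pad(plaintext), b""
    for i in range(0, len(padded), RATE):
        s[0] ^= word(padded[i:i + RATE])  # slide 8: inject P_i, read out C_i
        out += s[0].to_bytes(8, "big")
        if i + RATE < len(padded):  # no p^b after the last block
            s = permutation(s, 6)
    return out[:len(plaintext)] + finalize(s, k0, k1)

def decrypt(key, nonce, ad, ciphertext):
    """Returns the plaintext, or None if the tag does not verify."""
    if len(ciphertext) < 16:
        return None
    ct, tag = ciphertext[:-16], ciphertext[-16:]
    s, k0, k1 = initialize(key, nonce)
    s = absorb_ad(s, ad)
    full, out = len(ct) - len(ct) % RATE, b""
    for i in range(0, full, RATE):
        c = word(ct[i:i + RATE])
        out += (s[0] ^ c).to_bytes(8, "big")
        s[0] = c  # the rate part now holds the ciphertext block
        s = permutation(s, 6)
    last = bytes(a ^ b for a, b in zip(s[0].to_bytes(8, "big"), ct[full:]))
    s[0] ^= word(pad(last))  # partial block: re-inject the padded plaintext
    out += last
    if not hmac.compare_digest(tag, finalize(s, k0, k1)):
        return None
    return out
```

Decryption compares the tag in constant time and releases no plaintext on failure. The one place where decryption differs from encryption is the partial last block: the state must be updated with the padded plaintext, not the truncated ciphertext, so that both sides enter finalization with the same state.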

SLIDE 13

ASCON

Tweak: Addition of Constants

  • Modification of the round constant schedule
  • Similar to FIPS 202
  • Increases compatibility with other sponge modes
  • No impact on existing security analysis

SLIDE 14
ASCON

Security Analysis

  • Differential and Linear Cryptanalysis (lower bounds on the number of active S-boxes)

Rounds   Differential   Linear
1           1             1
2           4             4
3          15            13
4          44            43
≥ 5      > 64          > 64

ASIACRYPT 2015

SLIDE 15

ASCON

Security Analysis

  • Analysis of round-reduced versions

Method                Rounds   Complexity
cube-like             5/12     2^35
                      6/12     2^66
differential-linear   4/12     2^18
                      5/12     2^36

CT-RSA 2015

SLIDE 16

ASCON

Implementation/Performance

  • Software
    – Intel Core2 Duo
    – ARM Cortex-A8

  • Hardware
    – High-speed
    – Low-area

SLIDE 17

ASCON

Software Implementation

  • Intel Core2 Duo

Message length (bytes)      64    512   1024   4096
ASCON-128  (cycles/byte)  22.0   15.9   15.6   15.2
ASCON-128a (cycles/byte)  17.7   11.0   10.5   10.3

Dobraunig, Schläffer

SLIDE 18

ASCON

Software Implementation

  • Intel Haswell (four messages per core)

Message length (bytes)      64    512   1024   4096
ASCON-128  (cycles/byte)  10.5    7.3    7.1    6.9
ASCON-128a (cycles/byte)   8.5    5.3    5.0    4.8

Dobraunig, Senher

SLIDE 19

ASCON

Hardware Implementation

  • Unprotected Implementations

                    Variant 1   Variant 2   Variant 3
Area (kGE)                7.1        24.9         2.6
Throughput (Mbps)       5 524      13 218          14

DSD 2015

SLIDE 20

ASCON

Hardware Implementation

  • Threshold Implementations

                    Variant 1   Variant 2   Variant 3
Area (kGE)               28.6       123.5         7.9
Throughput (Mbps)       3 774       9 018          14

DSD 2015

SLIDE 21

ASCON

Applications (Use Cases)

  • Lightweight Applications
  • High-Performance Applications
  • Defense in Depth
  • Internet of Things

SLIDE 22

ASCON

Lightweight Applications

  • Small hardware area
  • Efficiency in hardware
  • Natural side-channel protection
  • Limited damage in misuse settings
  • Low overhead for short messages

SLIDE 23

ASCON

High-Performance Applications

  • Efficiency on modern CPUs
  • Efficiency on dedicated hardware
  • Natural side-channel protection

SLIDE 24

Thank you!

http://ascon.iaik.tugraz.at

SLIDE 25

References

  • Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Cryptanalysis of Ascon. CT-RSA 2015
  • Christoph Dobraunig, Maria Eichlseder, Florian Mendel. Heuristic Tool for Linear Cryptanalysis with Applications to CAESAR Candidates. ASIACRYPT 2015
  • Hannes Groß, Erich Wenger, Christoph Dobraunig, Christoph Ehrenhöfer. Suit up! Made-to-Measure Hardware Implementations of Ascon. DSD 2015
  • Philipp Jovanovic, Atul Luykx, Bart Mennink. Beyond 2^(c/2) Security in Sponge-Based Authenticated Encryption Modes. ASIACRYPT 2014
  • Elena Andreeva, Joan Daemen, Bart Mennink, Gilles Van Assche. Security of Keyed Sponge Constructions Using a Modular Proof Approach. FSE 2015
  • Yosuke Todo. Structural Evaluation by Generalized Integral Property. EUROCRYPT 2015