WAGE: An Authenticated Encryption with a Twist
Riham AlTawy⋆, Guang Gong, Kalikinkar Mandal¹, and Raghvendra Rohit²
IACR FSE 2020
¹ Currently with University of New Brunswick, Canada. ² Currently with University of Rennes 1, CNRS, IRISA, France.
1 / 20
Timeline of symmetric-key primitives, 1970–2019: Lucifer, DES, MD5, RIPEMD, SHA-1, AES, MARS, RC6, Serpent, CAST, …, RC4, SHA-2, Grain, Trivium, Mickey, Salsa, WG, Present, Keccak, …, Photon, Quark, Spongent, Simon, Simeck, Ascon, Skinny, GIFT, …
Resource-constrained devices: smart devices, Internet of Things, RFIDs and NFC, embedded systems, sensor networks.
Some algorithms and current standards do not fit into these devices!
NIST LWC submission call: 56 round 1 candidates, 32 round 2 candidates, different designs and goals.
2 / 20
differential, and linear properties of the WAGE permutation and the WAGE authenticated encryption.
random bit generator with guaranteed randomness properties from WAGE.
3 / 20
Figure: one round of the WAGE permutation on the register of 7-bit words $S_i^{36}, \dots, S_i^{1}, S_i^{0}$; the S-boxes WGP and SB, the ω term and the round constants $rc_i^0$, $rc_i^1$ are fed back through ⊕.
$S_i^j$ is a 7-bit word, WGP and SB are 7-bit S-boxes, ω is a linear
$rc_i^j$ are 7-bit round constants.
5 / 20
stream cipher for authenticated encryption
confusion
independent WG-PRBG
6 / 20
$\mathrm{WGP}(x) = \mathrm{WGP7}(x^{13})$, where $\mathrm{WGP7}(x) = x + (x+1)^{33} + (x+1)^{39} + (x+1)^{41} + (x+1)^{104}$; $d = 13$ is chosen to achieve low differential uniformity and high nonlinearity.
$(x_0, x_1, x_2, x_3, x_4, x_5, x_6) \leftarrow R^5(x_0, x_1, x_2, x_3, x_4, x_5, x_6)$; $(x_0, x_1, x_2, x_3, x_4, x_5, x_6) \leftarrow Q(x_0, x_1, x_2, x_3, x_4, x_5, x_6)$; $x_0 \leftarrow x_0 \oplus 1$; $x_2 \leftarrow x_2 \oplus 1$.
7 / 20
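The S-box WGP from the formula above, implemented as an added example (not the WAGE authors' code): it builds the 128-entry table, checks that the map is a permutation, and checks that its differential uniformity is consistent with the $2^{-4}$ per-S-box weight used in the MEDCP bounds later in this deck. It assumes $\mathbb{F}_{2^7}$ represented modulo $x^7 + x^3 + 1$, a choice the slide does not state; differential uniformity is invariant under the choice of irreducible polynomial, so the check does not depend on it.

```python
MOD = 0x89  # x^7 + x^3 + 1: assumed defining polynomial of F_{2^7} (not given on the slide)

def gf_mul(a, b):
    """Multiply two 7-bit field elements, reducing by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x80:
            a ^= MOD
    return r

def gf_pow(a, e):
    """a**e in F_{2^7} by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def wgp7(x):
    """WG transformation over F_{2^7}: x + (x+1)^33 + (x+1)^39 + (x+1)^41 + (x+1)^104."""
    y = x ^ 1  # x + 1 in characteristic 2
    return x ^ gf_pow(y, 33) ^ gf_pow(y, 39) ^ gf_pow(y, 41) ^ gf_pow(y, 104)

def wgp(x):
    """WAGE's S-box WGP(x) = WGP7(x^13); gcd(13, 127) = 1, so x -> x^13 is bijective."""
    return wgp7(gf_pow(x, 13))

WGP_TABLE = [wgp(x) for x in range(128)]  # the lookup table a hardware S-box would store

def is_permutation(sbox):
    """True iff the 7-bit S-box is a bijection on {0, ..., 127}."""
    return sorted(sbox) == list(range(128))

def differential_uniformity(sbox):
    """Largest number of x with S(x ^ a) ^ S(x) = b over all a != 0 and all b.
    The maximum differential probability of the S-box is this value / 128."""
    best = 0
    for a in range(1, 128):
        counts = [0] * 128
        for x in range(128):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        best = max(best, max(counts))
    return best
```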
Figure: a block diagram of R (AND, XOR and rotation gates) with inputs $x_i$ and outputs $y_0, \dots, y_6$, showing the Q layer and the P layer.
8 / 20
Figure: the round-constant generator, a sequence $a_i, \dots, a_{i+8}$ producing $rc_i^0$ and $rc_i^1$.
$(rc_i^0, rc_i^1) \neq (rc_j^0, rc_j^1)$ for $0 \le i, j \le 110$ and $i \neq j$.
Ensures that all the rounds of WAGE are distinct and provides resistance against slide and invariant subspace attacks.
9 / 20
differential and linear bounds
random permutation
10 / 20
backward directions. 56/111 rounds are sufficient against meet-in-the-middle attacks.
growth in algebraic degree, and 111 rounds provide a huge security margin against algebraic attacks.
11 / 20
differences
positions
Table: Upper bounds of MEDCP and MELCSC values of WAGE in log2(·) scale
          Rounds   Minimum # active S-boxes   MEDCP log2(·)      MELCSC log2(·)
Case I    74       59                         −59 × 4 = −236     −59 × 5.08 ≈ −299.7
Case II   74       72                         −72 × 4 = −288     −72 × 5.08 ≈ −365.7
12 / 20
and finalization phases
Figure: the WAGE authenticated encryption mode.
Initialization: load(N, K) into the 195-bit and 64-bit parts of the state, then calls of P with the key blocks $K_0$, $K_1$ absorbed and domain separator 0x00.
Processing associated data: $AD_0, \dots, AD_{a-1}$ absorbed between calls of P with domain separator 0x01.
Encryption: $M_0, \dots, M_{m-2}, M_{m-1}$ encrypted to $C_0, \dots, C_{m-2}, C_{m-1}$ between calls of P with domain separator 0x02.
Tag generation: $K_0$, $K_1$ absorbed with domain separator 0x00, then tagextract(·) outputs the 128-bit tag.
14 / 20
Confidentiality, integrity and authenticity in the nonce-respecting setting: 128 bits. Data limit per key: $2^{64}$ bits. Strong security guarantees in the related-key setting because the key blocks are absorbed via the rate.
15 / 20
each call of the WAGE permutation. Number of rounds to generate 64 bits is 111.
(construction in next slide) and use the WG stream cipher over $\mathbb{F}_{2^7}$ to generate random bits. Number of rounds in the initialization phase is
Advantages:
encryption
16 / 20
Figure: the WG-PRBG construction: the WAGE internal state with its feedback polynomial, the S-boxes WGP and SB, and the trace output Tr producing the bitstream.
17 / 20
with other NIST LWC round 2 candidates. Tput, A, F, and E denote throughput, area, maximum frequency, and energy, respectively.
Table (per technology: A [GE], F [MHz], Tput [Mbit/s], E [nJ]); only the WAGE⋄ row is recoverable from the slide text, the rows for SKINNY-AEAD and the other compared candidates are garbled:
  ST Micro 65 nm: WAGE⋄ 2900 GE, 907 MHz, 517 Mbit/s, 20.0 nJ
  ST Micro 90 nm: WAGE⋄ 2540 GE, 940 MHz, 535 Mbit/s, 39.2 nJ
  IBM 130 nm:     WAGE⋄ 2960 GE, 153 MHz, 87.21 Mbit/s, 30.4 nJ
⋄ Entire cipher including encryption, decryption and control logic. † For 16 B and 32 B of associated data and plaintext, respectively. ‡ Encryption circuit only. †† #cycles = 242. ⋆ Only 112-bit security.
18 / 20
algorithm, tailored for resource-constrained environments.
WGP and SB, a primitive feedback polynomial, and partial word-wise XORs.
19 / 20
Full paper available at: https://tosc.iacr.org/index.php/ToSC/article/view/8620 and https://eprint.iacr.org/2020/435
For any questions, comments or suggestions, please email us.
Special thanks to TikZ for Cryptographers for the diagrams.
20 / 20