Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher

Bellizia, Davide; Berti, Francesco; Bronchain, Olivier; Cassiers, Gaëtan; Duval, Sébastien; Guo, Chun; Leander, Gregor; Leurent, Gaëtan; Levi, Itamar; Momin, Charles; Pereira, Olivier; Peters, Thomas; Standaert, François‐Xavier; Udvarhelyi, Balazs; Wiemer, Friedrich

doi:10.46586/tosc.v2020.is1.295-349

Cited by 28 publications

(26 citation statements)

References 34 publications

(49 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Though our results do not pose a direct threat to the Gimli NIST candidate, low-complexity full-round distinguishers on the permutation or reduced-round attacks for a high proportion of the rounds (specially when not predicted by the designers) have been considered in some cases as an issue worth countering by proposing a tweak, as can be seen for instance in the modification [3] recently proposed by the Spook team [2] to protect against the cryptanalysis results from [15].…”

Section: Resultsmentioning

confidence: 88%

See 1 more Smart Citation

New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions

Gutierrez

Leurent

Naya-Plasencia

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Gimli is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate Gimli is based on the permutation Gimli, which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in Gimli and its internal symmetries to build, for the first time, a distinguisher on the full permutation of complexity 2 64 . We also provide a practical distinguisher on 23 out of the full 24 rounds of Gimli that has been implemented. Next, we give (full state) collision and semi-free-start collision attacks on Gimli-Hash, reaching respectively up to 12 and 18 rounds. On the practical side, we compute a collision on 8-round Gimli-Hash. In the quantum setting, these attacks reach 2 more rounds. Finally, we perform the first study of linear trails in the permutation, and we propose differentiallinear cryptanalysis that reach up to 17 rounds of Gimli.

show abstract

Section: Resultsmentioning

confidence: 88%

“…Linear trails of the (double) SP-box We begin by studying the linear trails of the SP-Box. Since the Gimli permutation mainly uses the composition of the SP-Box with itself, we focus on the "double" SP-Box SP 2 .…”

Section: Linear Cryptanalysismentioning

confidence: 99%

New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions

Gutierrez

Leurent

Naya-Plasencia

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Spook, designed by Bellizia et al [60], is an AEAD based on the duplex mode of operation [80], where the Shadow-512 permutation or the Shadow-384 permutation is used with strengthened initialization and finalization phases using the tweakable block cipher Clyde-128.…”

Section: Spookmentioning

confidence: 99%

“…Tweak plan. The designers considered two possible tweaks [23,219] for improving the security margins of Spook against the collision attack [218] of Crypto 2020 against a reduced-round Shadow: (1) changing the diffusion layer with an efficient MDS matrix and (2) updating the round constants.…”

Section: Aead Variantsmentioning

confidence: 99%

Status report on the second round of the NIST lightweight cryptography standardization process

Turan¹,

McKay²,

Chang³

et al. 2021

View full text Add to dashboard Cite

The National Institute of Standards and Technology (NIST) initiated a public standardization process to select one or more Authenticated Encryption with Associated Data (AEAD) and hashing schemes suitable for constrained environments. In February 2019, 57 candidates were submitted to NIST for consideration. Among these, 56 were accepted as firstround candidates in April 2019. After four months, NIST selected 32 of the candidates for the second round. In March 2021, NIST announced 10 finalists to move forward to the final round of the selection process. The finalists are ASCON, Elephant, GIFT-COFB, Grain-128AEAD, ISAP, PHOTON-Beetle, Romulus, SPARKLE, TinyJAMBU, and Xoodyak. This report describes the evaluation criteria and selection process, which is based on public feedback and internal review of the second-round candidates.

show abstract

“…The permutation function in Gimli acts as the fundamental task for both AE and hashing, which is similar to other popular lightweight AE schemes (e.g. Ascon [27], Spook [28], and Skinny [29]). The Gimli permutation function comprises 24 rounds, where the main operations in each round are the logic functions, shift/rotate, or swap.…”

Section: Gimli Overview and Hardware Architectures A Hardware Architectures For Gimli Permutationmentioning

confidence: 99%

A Flexible Gimli Hardware Implementation in FPGA and Its Application to RFID Authentication Protocols

2021

View full text Add to dashboard Cite

Radio Frequency Identification (RFID) systems have bestowed numerous conveniences in a multitude of applications, but the underlying wireless communications architecture makes it vulnerable to several security threats. To mitigate these issues, various authentication protocols have been proposed. The literature accommodates comprehensive proposals and analysis of authentication protocols, but not many of them provide hardware implementations. In addition, there is diverse demand for hardware area and throughput (TP) requirements from RFID system components (tags, readers, database servers), which demand a flexible implementation strategy. This paper proposes a flexible implementation strategy for the lightweight authenticated encryption (AE) and hash function called Gimli, and applies it to a state-of-theart authentication protocol. This allows the authentication protocol to be implemented efficiently, wherein the area and TP can be adjusted flexibly according to the RFID system requirements. This implementation strategy is generic; it can be used to implement any other AE and hash functions. This strategy can also be applied to other authentication protocols that heavily use AE and hash functions. To provide a detailed analysis, the hardware are optimization techniques in each component of the RFID system for a state-ofthe-art authentication protocol are analyzed. When implemented with the most area-optimized versions, we achieve TP of 740 Mbps and 420 Mbps for Gimli hash and Gimli AE, respectively, and for throughputoriented implementation, the results are 3.08 Gbps and 1.43 Gbps, respectively. This shows that the proposed implementation strategies allow us to implement authentication protocols in a flexible manner to meet the differing requirements in TP and area for RFID applications.

show abstract

Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher

Cited by 28 publications

References 34 publications

New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions

New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions

Status report on the second round of the NIST lightweight cryptography standardization process

A Flexible Gimli Hardware Implementation in FPGA and Its Application to RFID Authentication Protocols

Contact Info

Product

Resources

About