Abstract / Description of output
S-boxes are the only source of non-linearity in many symmetric primitives. While they are often defined as being functions operating on a small space, some recent designs propose the use of much larger ones (e.g., 32 bits). In this context, an S-box is then defined as a subfunction whose cryptographic properties can be estimated precisely.
We present a 64-bit ARX-based S-box called Alzette, which can be evaluated in constant time using only 12 instructions on modern CPUs. Its parallel application can also leverage vector (SIMD) instructions. One iteration of Alzette has differential and linear properties comparable to those of the AES S-box, and two are at least as secure as the AES super S-box. As the state size is much larger than the typical 4 or 8 bits, the study of the relevant cryptographic properties of Alzette is not trivial.
We further discuss how such wide S-boxes could be used to construct round functions of 64-, 128- and 256-bit (tweakable) block ciphers with good cryptographic properties that are guaranteed even in the related-tweak setting. We use these structures to design a very lightweight 64-bit block cipher (Crax) which outperforms SPECK-64/128 for short messages on micro-controllers, and a 256-bit tweakable block cipher (Trax) which can be used to obtain strong security guarantees against powerful adversaries (nonce misuse, quantum attacks).
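To make the abstract's claims concrete, the following is an added example (not code from this record or from the paper's authors) implementing the Alzette ARX-box as specified in the Alzette/Sparkle design, together with its inverse to show that it is a permutation of the 64-bit space, i.e. a genuine S-box. The constant `0xB7E15162` is the first round constant of that specification; the sample input is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate a 32-bit word right by n bits (0 < n < 32). On ARM the rotation
 * folds into the add/xor via the barrel shifter, which is how the
 * 12-instruction count cited in the abstract is reached. */
static inline uint32_t ror32(uint32_t x, unsigned n) {
    return (x >> n) | (x << (32 - n));
}

/* First round constant of the Alzette specification (fractional part of e). */
#define ALZETTE_C0 0xB7E15162u

/* Alzette_c on the word pair (x, y): four rounds of modular add, XOR and
 * constant injection. Every operation is data-independent in timing, so the
 * box evaluates in constant time. */
static void alzette(uint32_t *x, uint32_t *y, uint32_t c) {
    *x += ror32(*y, 31); *y ^= ror32(*x, 24); *x ^= c;
    *x += ror32(*y, 17); *y ^= ror32(*x, 17); *x ^= c;
    *x += *y;            *y ^= ror32(*x, 31); *x ^= c;
    *x += ror32(*y, 24); *y ^= ror32(*x, 16); *x ^= c;
}

/* Inverse: undo each step in reverse order. XOR is its own inverse and a
 * modular addition is undone by subtraction, so the map is a bijection. */
static void alzette_inv(uint32_t *x, uint32_t *y, uint32_t c) {
    *x ^= c; *y ^= ror32(*x, 16); *x -= ror32(*y, 24);
    *x ^= c; *y ^= ror32(*x, 31); *x -= *y;
    *x ^= c; *y ^= ror32(*x, 17); *x -= ror32(*y, 17);
    *x ^= c; *y ^= ror32(*x, 24); *x -= ror32(*y, 31);
}

/* Returns 1 if Alzette_c maps (x, y) to a different pair and the inverse
 * recovers (x, y) exactly; 0 otherwise. */
int alzette_roundtrip(uint32_t x, uint32_t y, uint32_t c) {
    uint32_t a = x, b = y;
    alzette(&a, &b, c);
    int changed = (a != x) || (b != y);
    alzette_inv(&a, &b, c);
    return changed && a == x && b == y;
}

int main(void) {
    uint32_t x = 0x01234567u, y = 0x89ABCDEFu;  /* constructed sample input */
    alzette(&x, &y, ALZETTE_C0);
    printf("Alzette_c0(01234567, 89ABCDEF) = %08X %08X\n", x, y);
    printf("round trip ok: %d\n", alzette_roundtrip(0x01234567u, 0x89ABCDEFu, ALZETTE_C0));
    return 0;
}
```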
Original language | English |
---|---|
Title of host publication | Advances in Cryptology -- CRYPTO 2020 |
Editors | Daniele Micciancio, Thomas Ristenpart |
Place of Publication | Cham |
Publisher | Springer |
Pages | 419-448 |
Number of pages | 30 |
ISBN (Electronic) | 978-3-030-56877-1 |
ISBN (Print) | 978-3-030-56876-4 |
DOIs | |
Publication status | Published - 10 Aug 2020 |
Event | Annual International Cryptology Conference 2020 (CRYPTO 2020), Virtual Conference, 17 Aug 2020 → 21 Aug 2020, https://crypto.iacr.org/2020/ |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 12172 |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | Annual International Cryptology Conference 2020 |
---|---|
Abbreviated title | CRYPTO 2020 |
City | Virtual Conference |
Period | 17/08/20 → 21/08/20 |
Internet address | |
Keywords / Materials (for Non-textual outputs)
- (Tweakable) block cipher
- Related-tweak setting
- Long trail strategy
- Alzette
- MEDCP
- MELCC