International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Lightweight AEAD and Hashing using the Sparkle Permutation Family

Authors:
Christof Beierle , Interdisciplinary Centre for Security, Reliability and Trust (SnT) and Department of Computer Science (DCS), University of Luxembourg, Esch-sur-Alzette, Luxembourg; Ruhr University Bochum, Bochum, Germany
Alex Biryukov , Interdisciplinary Centre for Security, Reliability and Trust (SnT) and Department of Computer Science (DCS), University of Luxembourg, Esch-sur-Alzette, Luxembourg
Luan Cardoso dos Santos , Interdisciplinary Centre for Security, Reliability and Trust (SnT) and Department of Computer Science (DCS), University of Luxembourg, Esch-sur-Alzette, Luxembourg
Johann Großschädl , Interdisciplinary Centre for Security, Reliability and Trust (SnT) and Department of Computer Science (DCS), University of Luxembourg, Esch-sur-Alzette, Luxembourg
Léo Perrin , Inria, Paris, France
Aleksei Udovenko , Interdisciplinary Centre for Security, Reliability and Trust (SnT) and Department of Computer Science (DCS), University of Luxembourg, Esch-sur-Alzette, Luxembourg
Vesselin Velichkov , University of Edinburgh, Edinburgh, U.K
Qingju Wang , Interdisciplinary Centre for Security, Reliability and Trust (SnT) and Department of Computer Science (DCS), University of Luxembourg, Esch-sur-Alzette, Luxembourg
Download:
DOI: 10.13154/tosc.v2020.iS1.208-261
URL: https://tosc.iacr.org/index.php/ToSC/article/view/8627
Search ePrint
Search Google
Abstract: We introduce the Sparkle family of permutations operating on 256, 384 and 512 bits. These are combined with the Beetle mode to construct a family of authenticated ciphers, Schwaemm, with security levels ranging from 120 to 250 bits. We also use them to build new sponge-based hash functions, Esch256 and Esch384. Our permutations are among those with the lowest footprint in software, without sacrificing throughput. These properties are allowed by our use of an ARX component (the Alzette S-box) as well as a carefully chosen number of rounds. The corresponding analysis is enabled by the long trail strategy which gives us the tools we need to efficiently bound the probability of all the differential and linear trails for an arbitrary number of rounds. We also present a new application of this approach where the only trails considered are those mapping the rate to the outer part of the internal state, such trails being the only relevant trails for instance in a differential collision attack. To further decrease the number of rounds without compromising security, we modify the message injection in the classical sponge construction to break the alignment between the rate and our S-box layer.
Video from TOSC 2020
BibTeX
@article{tosc-2020-30520,
  title={Lightweight AEAD and Hashing using the Sparkle Permutation Family},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2020, Special Issue 1},
  pages={208-261},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/8627},
  doi={10.13154/tosc.v2020.iS1.208-261},
  author={Christof Beierle and Alex Biryukov and Luan Cardoso dos Santos and Johann Großschädl and Léo Perrin and Aleksei Udovenko and Vesselin Velichkov and Qingju Wang},
  year=2020
}