Bit permutation P_brN for round function BranchN, where N ∈ {1, 2}.

Source publication
Article
We present Orthros, a 128-bit block pseudorandom function. It is designed with primary focus on latency of fully unrolled circuits. For this purpose, we adopt a parallel structure comprising two keyed permutations. The round function of each permutation is similar to Midori, a low-energy block cipher, however we thoroughly revise it to reduce laten...

Contexts in source publication

Context 1
... the 5th round to the 11th round, the nibble permutations P_n1 and P_n2 will be adopted in each branch respectively. The details of the permutations P_brN and P_nN, where N ∈ {1, 2}, are shown in Table 3 and Table 4, respectively. ...
Context 2
... permutations of Table 3 used in Branch1 and Branch2 satisfy both Condition 1 and 2, respectively, i.e. attain 2.5-round full diffusion. ...

Similar publications

Article
Maximum distance separable (MDS) matrices are often used in the linear layer of a block cipher due to their good diffusion property. A well-designed lightweight MDS matrix, especially an involutory one, can provide both security and performance benefits to the cipher. Finding the corresponding effective linear straight-line program (SLP) of the cir...

Citations

... MIDORI, proposed by Banik et al. [4], is an SPN-based block cipher targeting low-energy applications, while its latency is quite small. Since SPN-based designs seem more promising in terms of latency than Feistel-based designs, several other low-latency designs, such as Mantis [5], Orthros [6], SPEEDY [7], also have an SPN-based construction. For these low-latency designs, a thorough security analysis is essential, as these designs typically feature a small number of rounds to achieve low latency. ...
... Such two-branch-based designs do not have a decryption function, namely, these designs are PRFs, not PRPs, but they can still be applied in many popular modes, e.g., CTR, CMAC, and GCM. The advantage of a two-branch construction in terms of security is that it is difficult to add key-recovery rounds for the attacker, as discussed in [6]. This means that the additional rounds required for a security margin can be small in these designs, which directly results in a reduction in latency. ...
... Specifically, Orthros is based on two "weak" keyed permutations, i.e., each keyed permutation cannot be used as a standalone PRP by itself. This makes a discussion in the context of provable security so hard that the authors of Orthros carefully investigated the security of the sum of permutations from the perspective of cryptanalysis [6]. In the designers' analysis, the most powerful attack on Orthros is integral cryptanalysis, which can distinguish up to 7 rounds. ...
Article
As low-latency designs tend to have a small number of rounds to decrease latency, differential-type cryptanalysis can become a significant threat to them. In particular, since a multiple-branch-based design such as Orthros can have a strong clustering effect on differential attacks due to its large internal state, it is crucial to investigate the impact of the clustering effect in such a design. In this paper, we present a new SAT-based automatic search method for evaluating the clustering effect in multiple-branch-based designs. By exploiting an inherent trait of multiple-branch-based designs, our method enables highly efficient evaluations of clustering effects on this type of design. We apply our method to the low-latency PRF Orthros, and show a best differential distinguisher reaching up to 7 rounds of Orthros with 2^{116.806} time/data complexity and a 9-round distinguisher for each underlying permutation, which is 2 more rounds than the longest known distinguishers. Besides, we update the designers' security bound for differential attacks based on the lower bounds for the number of active S-boxes, and obtain the optimal differential characteristic of Orthros, Branch 1, and Branch 2 for the first time. Consequently, we improve the designers' security bound from 9/12/12 to 7/10/10 rounds for Orthros/Branch 1/Branch 2 based on a single differential characteristic. Moreover, we define an Orthros-like three-branch-based PRF in order to investigate the impact of the clustering effect when increasing the number of branches. Based on the results of our evaluation, we show that adding one more branch makes the clustering effect easier to happen, but is promising for enhancing the security against differential cryptanalysis.
... QARMA has already been used to achieve control flow integrity (CFI) in the products of ARMv8.3 [18]. In 2021, Banik et al. proposed Orthros [4], a low-latency pseudorandom function (PRF) which ignores the support of decryption to achieve ultra-low latency. Leander et al. proposed another ultra-low-latency block cipher family called SPEEDY at CHES 2021 [15]. ...
... In Fig. 3, we present an example of the best differential trail for 3-round SPEEDY, where the black box denotes a '1' difference and the empty box denotes a '0' difference. There are 23 active S-boxes and the first 2 rounds (2R) are a 1-bit to 1-bit differential trail corresponding to T_4[1,4] in Table 3, whose differential probability is 2^{-51.32}. Therefore, the total probability of the 3-round differential trail is equal to 2^{-51.32} × (2^{-3})^2 × (2^{-4})^3 × 2^{-4} × 2^{-3.4} ≈ 2^{-76.72}. ...
... There are at least 35 active S-boxes for 4-round SPEEDY since pbn 4 Unfortunately, there are only four solutions of i10, i11, i20, i21 satisfying that there are 35 active S-boxes, and by traversing all the possible patterns we find that it is impossible to construct a concrete differential trail when the actual difference distribution table of the S-box is considered. Therefore, we further check patterns with the almost least number of active S-boxes. ...
Article
In this paper, we present some new observations on the branch number and study concrete differential analysis of SPEEDY. It is a new low-latency block cipher proposed at TCHES 2021. It employs an SPS-type round function and consists of only 5/6/7 rounds. Since the number of iteration rounds is rather small so as to achieve ultra-low latency in encryption speed, it is crucially important to analyze its security margin accurately. In this paper, we first propose a new notion of partition branch number which can describe the minimum number of active S-boxes for 2-round SPEEDY more accurately. An efficient algorithm to compute the value of the partition branch number is also given. Then, by extending the notion to higher-order partition branch numbers, we can obtain more accurate results for the minimum number of active S-boxes for 3–7 rounds. As a result, the maximum expected differential probabilities are significantly higher than the results estimated by the designers. Based on this, we search for optimal differential characteristics of SPEEDY while considering the difference distribution table of the S-box. We present examples of differential characteristics for 2–7 rounds. Furthermore, by utilizing the simple bit-permutation key schedule of SPEEDY, we can extend the differential trail search method and construct an efficient 6-round related-key differential trail with probability 2^{-179.2}. Based on it, we can present a related-key differential attack on full-round SPEEDY-7-192 with data complexity of 2^{186.2} chosen plaintexts and time complexity of 2^{160.13} encryptions.
... In the evaluation of impossible differentials, we also model the differential propagation of the encryption algorithm and then search for distinguishers by constraining input-output patterns to evaluate whether the differential propagation of these patterns is possible, without the objective function. From the perspective of diffusion property, our search considers Hamming weight 1 to be better, and other block cipher designers evaluated in the same way [20][21][22] when estimating the longest distinguisher. Therefore, in this research, we fix both the input and the output difference with Hamming weight 1 and search for distinguishers among the (64 × 64) possible patterns. ...
Article
In the field of symmetric key cryptography, the security against distinguishing attacks is one of the crucial security requirements. With advancements in computing capabilities and cryptanalysis techniques in recent years, more efficient methods have been proposed for exploring distinguishers using Mixed-Integer Linear Programming (MILP) or satisfiability problem (SAT) solvers, thereby updating the security bounds of various ciphers. Piccolo is a lightweight block cipher proposed at CHES in 2011, supporting 80-bit and 128-bit keys. The designers carried out a rough security evaluation against differential, impossible differential, and related-key differential attacks, based on nibble-wise estimations due to the limitation of computational resources. Here, the authors perform bit-level evaluations of the Piccolo block cipher against differential, integral and impossible differential attacks by leveraging SAT-based approaches. For the first time, the authors succeed in identifying an optimal differential distinguisher on 6 rounds in the single-key setting, and on 10/12 rounds in the related-key setting for 80-bit and 128-bit keys, respectively. For integral attacks, the authors find an integral distinguisher of up to 7 rounds. Although the number of attacked rounds is the same as that of the previous attack, the authors find the 56th-order integral distinguisher, which enables reducing the data complexity for attacks from 2⁶³ to 2⁵⁶. As a result, the authors find 7-round impossible differentials, which is the same number of rounds as the previous nibble-wise evaluation.
Article
Boolean formula minimization is a notoriously hard problem. Circuit minimization, typically studied in the context of a much broader subject known as synthesis and optimization of circuits, introduces another layer of complexity, since ultimately those technology-independent representations (e.g., Boolean formulas and truth tables) have to be transformed into a netlist of cells of the target technology library. To manage those complexities, the industrial community typically separates the synthesis process into two steps: technology-independent optimization and technology mapping. In each step, this approach only tries to find a local optimal solution and relies heavily on heuristics rather than a systematic search. However, for small S-boxes, a more systematic exploration of the design space is possible. Aiming at the global optimum, we propose a method which can synthesize a truth table for a small S-box directly into a netlist of the cells of a given technology library. Compared with existing technology-dependent synthesis tools like LIGHTER and PEIGEN, our method produces improved results for many S-boxes with respect to circuit area. In particular, by applying our method to the GF(2^4) inverter involved in the tower field implementation of the AES S-box, we obtain the currently known lightest implementation of the AES S-box. The search framework can be tweaked to take circuit delay into account. As a result, we find implementations for certain S-boxes with both latency and area improved.
Article
In recent years, there has been a growing interest in low-latency ciphers. Since the first low-latency block cipher PRINCE was proposed at ASIACRYPT 2012, many low-latency primitives have sprung up, such as Midori, MANTIS, QARMA and SPEEDY. Some ciphers, like SPEEDY and Orthros, introduce bit permutations to achieve reduced delay. However, this approach poses a challenge in evaluating the resistance against some cryptanalysis, especially differential and linear attacks. For example, SPEEDY-7-192 was fully broken by Boura et al. using a differential attack. In this paper, we propose a novel low-latency block cipher which guarantees security against differential and linear attacks. Revisiting the permutation technique used in Orthros, we investigate the selection of nibble permutations and propose a method for selecting them systematically rather than relying on random search. Our new nibble permutation method ensures the non-existence of impossible differential and differential trails for up to 8 rounds, while the nibble permutations for both branches of Orthros may lead to a 9-round impossible differential trail. Furthermore, we introduce a new approach for constructing low-latency coordinate functions for 4-bit S-boxes, which involves a more precise delay computation compared to traditional methods based solely on circuit depth. The new low-latency primitive uLBC we propose is a family of 128-bit block ciphers with three different versions of key length, respectively a 128-bit and a 256-bit key, as well as a 384-bit tweakey version with variable-length key; according to the key length, they are named uLBC-128, uLBC-256 and uLBC-384t. Our analysis shows that uLBC-128 exhibits lower latency and area requirements compared to ciphers such as QARMA9-128 and Midori128. On performance, uLBC-128 has excellent AT performance, the best except for SPEEDY-6, and even the best performance in UMC 55nm in our experiments.
Article
Lightweight block ciphers are critical for ensuring secure data transmission in resource-limited Internet of Things (IoT) devices. In designing secure and efficient lightweight block ciphers, balancing diffusion property and resource consumption becomes a key metric. This paper proposes QLW, a highly diffusive lightweight block cipher designed to meet the growing security needs of resource-constrained devices. QLW employs a combined variant form of the generalized Feistel structure (GFS) and the Lai–Massey structure as its underlying structure. The QLW round function adopts a GFS, refined into a double half-round structure. The branch XOR and F-function utilize the Lai–Massey structure. Under the combined effect of both, QLW achieves full diffusion with just two rounds. Meanwhile, the QLW cipher uses a standard genetic algorithm (GA) to optimize a 4-bit S-box, ensuring robust security. The final S-box design occupies only 15.01 gate equivalents (GE) and requires eight logic gates, minimizing hardware overhead. Moreover, QLW achieves high diffusion with low resource consumption using a linear matrix built from bitwise operations and logic gates. Furthermore, the QLW cipher increases the unpredictability of the rotation by incorporating a dynamic round constant T from the key schedule, enhancing resistance to algebraic attacks. Finally, QLW is subjected to a security evaluation and hardware implementation. The results demonstrate that the hardware implementation of QLW requires only 1655.26 GE of area, consumes 7.37 μJ/bit of energy, and is resistant to known attacks such as differential cryptanalysis, linear cryptanalysis, and integral attacks, with good security redundancy.