Abstract
We present Orthros, a 128-bit block pseudorandom function. It is designed with a primary focus on the latency of fully unrolled circuits. For this purpose, we adopt a parallel structure comprising two keyed permutations. The round function of each permutation is similar to that of Midori, a low-energy block cipher; however, we thoroughly revise it to reduce latency, and introduce different rounds to significantly improve cryptographic strength in a small number of rounds. We provide a comprehensive, dedicated security analysis. For hardware implementation, Orthros achieves the lowest latency among the state-of-the-art low-latency primitives. For example, using the STM 90nm library, Orthros achieves a minimum latency of around 2.4 ns, while other constructions such as PRINCE, Midori-128 and QARMA9-128-σ0 achieve 2.56 ns, 4.10 ns and 4.38 ns, respectively.
Highlights
Lightweight cryptography is a subfield of symmetric-key cryptography that studies cryptographic core functions usable under strong resource constraints
Another proposal is QARMA proposed by Avanzi [Ava17], which is a family of low-latency tweakable block ciphers (TBCs) [LRW02]
Mixed Integer Linear Programming (MILP) is used to obtain the lower bound of the number of active S-boxes in each round
Summary
Lightweight cryptography is a subfield of symmetric-key cryptography that studies cryptographic core functions usable under strong resource constraints. Another proposal is QARMA, proposed by Avanzi [Ava17], which is a family of low-latency tweakable block ciphers (TBCs) [LRW02]. It adopts the design strategy of PRINCE. We started with the question of whether this is the only viable approach, namely whether we can do better by not requiring an invertible primitive. Motivated by this question, we initiated a study on designing a low-latency (non-invertible) pseudorandom function (PRF) consisting of parallel keyed permutations. The result of Dai et al. [DHT17] suggests that such a sum of two permutations can ideally achieve n-bit PRF security, i.e., it is indistinguishable from a truly random function up to O(2^n) complexity. This requires that E_K and E'_K behave as computationally secure block ciphers, more formally, as (computationally) independent pseudorandom permutations (PRPs). The point is that the outputs of E_K and E'_K are never given in the clear; we can hope that each can cover the weaknesses of the other, and that their (XOR) sum can tolerate dedicated attacks as a PRF.
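As an added example (not code from the Orthros paper or its authors), the following toy model of the sum-of-two-permutations construction described above stands in for E_K and E'_K with seeded random permutations on an 8-bit domain; the seeds play the role of the two independent keys, and the 8-bit domain is chosen only so that the whole function table can be enumerated (both are assumptions for illustration, a real instance uses 128-bit keyed permutations). It goes slightly beyond the text by checking two things a practitioner would want to see: that the XOR of two bijections is no longer a bijection (so the PRF is non-invertible, with outputs that have several preimages), and that independence of the two branches matters, since XORing a permutation with itself collapses to a constant.

```python
"""Toy model of the sum-of-permutations (XoP) PRF F_K(x) = E_K(x) XOR E'_K(x).

Added illustration, not code from the Orthros paper. The keyed permutations
are stood in for by seeded random bijections on an 8-bit domain (assumption:
the seed plays the role of the key; a real instance uses 128-bit block ciphers
under independent keys).
"""
import random
from typing import Dict, List

DOMAIN_BITS = 8
DOMAIN = 1 << DOMAIN_BITS


def keyed_permutation(seed: int, size: int = DOMAIN) -> List[int]:
    """Stand-in for a keyed block cipher: a random bijection selected by `seed`."""
    rng = random.Random(seed)
    table = list(range(size))
    rng.shuffle(table)
    return table


def is_permutation(table: List[int]) -> bool:
    """True if every value of the domain appears exactly once (i.e., the map is invertible)."""
    return sorted(table) == list(range(len(table)))


def xop(branch1: List[int], branch2: List[int]) -> List[int]:
    """F(x) = E_K(x) XOR E'_K(x): both branches are evaluated, only their XOR is released."""
    return [a ^ b for a, b in zip(branch1, branch2)]


def preimages(table: List[int]) -> Dict[int, List[int]]:
    """Map each output value to every input that produces it (size > 1 means non-invertible)."""
    out: Dict[int, List[int]] = {}
    for x, y in enumerate(table):
        out.setdefault(y, []).append(x)
    return out


def image_size(table: List[int]) -> int:
    """Number of distinct outputs; equals the domain size only for a permutation."""
    return len(set(table))


def expected_image_size_random_function(size: int) -> float:
    """Expected number of distinct outputs of a uniformly random function on `size` points."""
    return size * (1.0 - (1.0 - 1.0 / size) ** size)


def summarize(seed1: int, seed2: int) -> Dict[str, object]:
    """Build both branches, XOR them, and report the invertibility statistics."""
    e1 = keyed_permutation(seed1)
    e2 = keyed_permutation(seed2)
    f = xop(e1, e2)
    pre = preimages(f)
    return {
        "branch1_is_permutation": is_permutation(e1),
        "branch2_is_permutation": is_permutation(e2),
        "xop_is_permutation": is_permutation(f),
        "xop_image_size": image_size(f),
        "random_function_expected_image_size": expected_image_size_random_function(DOMAIN),
        "max_preimages_per_output": max(len(v) for v in pre.values()),
        # Same permutation on both branches: the XOR cancels to the constant 0.
        "same_key_both_branches_image_size": image_size(xop(e1, e1)),
    }


if __name__ == "__main__":
    for key, value in summarize(0x1234, 0x5678).items():
        print(f"{key}: {value}")
```

The image size of the XOR sum lands close to the value expected of a random function on the same domain (about 162 of 256 points), which is the behaviour the PRF is meant to have, whereas each branch on its own covers all 256 points. The `same_key_both_branches_image_size` entry is the degenerate case the text warns against: without independent branches, the construction leaks everything.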