Abstract

We present Orthros, a 128-bit block pseudorandom function. It is designed with a primary focus on the latency of fully unrolled circuits. For this purpose, we adopt a parallel structure comprising two keyed permutations. The round function of each permutation is similar to that of Midori, a low-energy block cipher; however, we thoroughly revise it to reduce latency, and introduce different rounds to significantly improve cryptographic strength in a small number of rounds. We provide a comprehensive, dedicated security analysis. For hardware implementation, Orthros achieves the lowest latency among the state-of-the-art low-latency primitives. For example, using the STM 90nm library, Orthros achieves a minimum latency of around 2.4 ns, while other constructions like PRINCE, Midori-128 and QARMA9-128-σ0 achieve 2.56 ns, 4.10 ns and 4.38 ns, respectively.

Highlights

  • 1.1 Low-Latency Encryption: Lightweight cryptography is a subfield of symmetric-key cryptography that studies cryptographic core functions usable under strong resource constraints.

  • Another proposal is QARMA, proposed by Avanzi [Ava17], which is a family of low-latency tweakable block ciphers (TBCs) [LRW02].

  • Mixed Integer Linear Programming (MILP) is used to obtain the lower bound on the number of active S-boxes in each round.


Summary

Low-Latency Encryption

Lightweight cryptography is a subfield of symmetric-key cryptography that studies cryptographic core functions usable under strong resource constraints. Another proposal is QARMA, proposed by Avanzi [Ava17], which is a family of low-latency tweakable block ciphers (TBCs) [LRW02]; it adopts the design strategy of PRINCE. We started with the question of whether this is an exclusive approach, namely, whether we can do better by not requiring an invertible primitive. Motivated by this question, we initiated a study on designing a low-latency (non-invertible) pseudorandom function (PRF) consisting of parallel keyed permutations. The result of Dai et al. [DHT17] suggests that it can ideally achieve n-bit PRF security, i.e., it is indistinguishable from a truly random function up to O(2^n) complexity. This requires that E_K and E'_K behave as computationally secure block ciphers, more formally, (computationally) independent pseudorandom permutations (PRPs). The point is that the outputs of E and E' are never given in the clear, so we can hope that each covers the weaknesses of the other, and that their sum can tolerate dedicated attacks as a PRF.
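The following added example (not code from the Orthros paper) illustrates why the sum of two permutations behaves more like a random function than a single permutation does: a lone PRP never repeats an output, which is exactly what a PRP-vs-PRF distinguisher looks for, whereas the XOR of two branches collides at the birthday rate of a truly random function. Uniformly random permutations on an 8-bit toy domain stand in for the two keyed branches E_K and E'_K; the seed and domain size are constructed values.

```python
import random
from collections import Counter

N_BITS = 8                 # toy block size so the whole domain can be tabulated
DOMAIN = 1 << N_BITS

def random_permutation(rng):
    """Stand-in for one keyed branch E_K: a uniformly random permutation (constructed, not Orthros)."""
    table = list(range(DOMAIN))
    rng.shuffle(table)
    return table

def sum_of_permutations(e1, e2):
    """F(x) = E1(x) xor E2(x): only the XOR of the two branch outputs leaves the construction."""
    return [e1[x] ^ e2[x] for x in range(DOMAIN)]

def colliding_pairs(outputs):
    """Number of input pairs x != x' with identical output; a permutation always yields 0."""
    return sum(k * (k - 1) // 2 for k in Counter(outputs).values())

def looks_like_permutation(outputs):
    """The PRP-vs-PRF distinguisher: after querying the whole domain, did no output ever repeat?"""
    return colliding_pairs(outputs) == 0

def expected_collisions_random_function(q=DOMAIN, m=DOMAIN):
    """Birthday estimate q(q-1)/(2m) of colliding pairs for q queries to a random function on m values."""
    return q * (q - 1) / (2 * m)

def compare(seed=2021):
    """Query a single permutation and the sum of two over the full domain and count collisions."""
    rng = random.Random(seed)
    e1, e2 = random_permutation(rng), random_permutation(rng)
    f = sum_of_permutations(e1, e2)
    return {
        "single_prp_collisions": colliding_pairs(e1),        # 0: a lone PRP is trivially distinguishable
        "sum_collisions": colliding_pairs(f),                # about 128 on average, as for a random function
        "random_function_expected": expected_collisions_random_function(),  # 127.5
        "single_prp_distinguished": looks_like_permutation(e1),
        "sum_distinguished": looks_like_permutation(f),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The distinguisher needs only about 2^(n/2) queries to notice the absence of collisions in a single PRP, which is why the sum-of-permutations construction is what lets the design aim for security beyond the birthday bound.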

Our Design
Specification
Key Scheduling Function
Round Function of Branch1 and Branch2
General Construction
Linear Layer
Conclusion
Security Evaluation
Impossible Differential Attack
Integral Attack
Invariant Subspace Attack
Other Attacks
Hardware Evaluation
Conclusions
A Round Constants
B Toy Ciphers
Condition 1
Proof of Condition 2
Modeling S-box
Meet-in-the-Middle Attack
Yoyo and Mixture-Differential Attacks
Findings
F Difficulty of Key-Recovery Attacks
