Abstract
The cryptographic algorithms needed to ensure the security of our communications have a cost. For devices with little computing power, whose number is expected to grow significantly with the spread of the Internet of Things (IoT), this cost can be a problem. A simple answer to this problem is a compromise on the security level: through a weaker round function or a smaller number of rounds, the security level can be decreased in order to cheapen the implementation of the cipher. At the same time, quantum computers are expected to disrupt the state of the art in cryptography in the near future. For public-key cryptography, the NIST has organized a dedicated process to standardize new algorithms. The impact of quantum computing is harder to assess in the symmetric case but its study is an active research area.In this paper, we specify a new block cipher, Saturnin, and its usage in different modes to provide hashing and authenticated encryption in such a way that we can rigorously argue its security in the post-quantum setting. Its security analysis follows naturally from that of the AES, while our use of components that are easily implemented in a bitsliced fashion ensures a low cost for our primitives. Our aim is to provide a new lightweight suite of algorithms that performs well on small devices, in particular micro-controllers, while providing a high security level even in the presence of quantum computers. Saturnin is a 256-bit block cipher with a 256-bit key and an additional 9-bit parameter for domain separation. Using it, we built two authenticated ciphers and a hash function.• Saturnin-CTR-Cascade is an authenticated cipher using the counter mode and a separate MAC. It requires two passes over the data but its implementation does not require the inverse block cipher.• Saturnin-Short is an authenticated cipher intended for messages with a length strictly smaller than 128 bits which uses only one call to Saturnin to providenconfidentiality and integrity.• Saturnin-Hash is a 256-bit hash function. In this paper, we specify this suite of algorithms and argue about their security in both the classical and the post-quantum setting.
 https://project.inria.fr/saturnin/
Highlights
The aim of Saturnin is to provide a lightweight suite of algorithms that performs well on small devices and that provides a high security against quantum adversaries.1.1 Post-quantum Symmetric CryptographyQuantum computation was first introduced in the late 80s as a general framework and potential tool for simulating quantum systems
The cryptographic community has been concerned with the impact of large or intermediate-scale quantum computers which, they are yet to be built, would have massive consequences on the currently deployed public-key cryptosystems, breaking most of those that are in use today
It is widely acknowledged that new cryptographic designs should take into account the quantum threat. As examples of this new direction, one may cite the NIST post-quantum standardization project [Nat16], which structures most of the efforts of the asymmetric cryptographic community, or the report of the National Academies of Sciences [Nat18], which gives a precise evaluation of the quantum threat, up to the uncertainties inherent to the evolution of cutting-edge technologies
Summary
The aim of Saturnin is to provide a lightweight suite of algorithms that performs well on small devices and that provides a high security against quantum adversaries.1.1 Post-quantum Symmetric CryptographyQuantum computation was first introduced in the late 80s as a general framework and potential tool for simulating quantum systems. As examples of this new direction, one may cite the NIST post-quantum standardization project [Nat16], which structures most of the efforts of the asymmetric cryptographic community, or the report of the National Academies of Sciences [Nat18], which gives a precise evaluation of the quantum threat, up to the uncertainties inherent to the evolution of cutting-edge technologies Until recently, such concerns did not seem to apply to symmetric cryptography, which does not rely on structured mathematical problems such as factorization. Grover’s algorithm [Gro96] provides a quadratic speedup for a wide range of exhaustive search problems, which are relevant to symmetric cryptography Such a speedup occurs when performing an exhaustive search for secret keys, which brings the cost of this search from 2128 encryptions to its square root, 264 operations, in the case of a 128-bit keyed block cipher such as AES-128. This leads to the natural countermeasure of increasing key sizes, as the report [Nat18] indicates:
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
