Lightweight Authenticated Encryption
Lightweight authenticated ciphers are lightweight cryptographic primitives.
Design Principles
Description
The aim is to provide encryption and authentication simultaneously, in one primitive and in one pass. Authentication allows communicating entities to ensure that their communication has not been modified or tampered with. This verification is based on the computation of a so-called tag associated with the transmitted data, which cannot be generated in reasonable time unless a secret is known.
The generation of the tag can be done separately from the encryption but the primitives listed on this page perform both operations at the same time.
Stream-Cipher Based
One possible way to achieve this is to use a special stream cipher like Phelix^{[1]} which uses the plaintext to update its internal state. The tag (MAC) can then be derived from the internal state of the stream cipher once encryption is finished.
Duplexed Sponge
The duplexed sponge^{[2]} is based on the use of a sponge as a stream cipher in the way described above, i.e. by incorporating blocks of plaintext into the computation of the internal state. This structure is best described by a figure (on the right, taken from the original paper^{[2]}): σ_{i} corresponds to the i^{th} block of plaintext, Z_{i} to the i^{th} block of ciphertext, r to the rate of the sponge, c to its capacity and f to its update function.
The duplexed sponge is actually a construction with broader applications than just authenticated encryption. When used for this purpose, the construction is called SpongeWrap.
This construction can also be further specialized as has been suggested by Andreeva et al.^{[3]} (APE construction) and can be lightweight as long, of course, as the permutation used is.
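The following is an added example, not code from the duplex paper or from any cipher on this page: a minimal SpongeWrap-style authenticated cipher built on a duplex object, with a constructed placeholder permutation standing in for f (a real design uses a cryptographic permutation such as Keccak-f). The rate is r = 128 bits and the capacity c = 128 bits; each duplexing call absorbs one block σ_i (plus a frame byte for domain separation and an end-of-payload marker) into the rate part, applies f and returns Z_i. The keystream for a message block is the Z output of the previous call, and the plaintext block is what gets absorbed next, so the tag squeezed at the end depends on the key, the nonce, the associated data and every plaintext block; the receiver recomputes the tag and compares it in constant time before releasing any plaintext. The frame byte values and the padding rule are this example's own choices, as are the sample key and nonce.

```python
import hmac
import struct

# Toy SpongeWrap-style duplex AE (added example; NOT any cipher's reference code).
# State = r + c bits: r = RATE bytes are exposed, c = WIDTH - RATE bytes form the capacity.
RATE = 16            # r, in bytes (128 bits)
WIDTH = 32           # r + c, in bytes (capacity c = 128 bits)
RHO = RATE - 2       # payload bytes per duplexing call: two rate bytes hold the frame byte and the 0x01 end marker
TAG_LEN = 16
MASK64 = (1 << 64) - 1

# Frame bytes (this example's own choice) separate key, nonce, associated-data and message sections.
FRAME_BODY, FRAME_KEY, FRAME_NONCE, FRAME_AD, FRAME_MSG = 0, 1, 2, 3, 4


def _rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64


def toy_permutation(state: bytes) -> bytes:
    """Placeholder for f: an invertible ARX mix of four 64-bit words, constructed for
    illustration only. A real design plugs in Keccak-f, the Ascon permutation, etc."""
    w = list(struct.unpack("<4Q", state))
    for rnd in range(8):
        w[0] = (w[0] + w[1]) & MASK64; w[3] = _rotl(w[3] ^ w[0], 32)
        w[2] = (w[2] + w[3]) & MASK64; w[1] = _rotl(w[1] ^ w[2], 24)
        w[0] = (w[0] + w[1]) & MASK64; w[3] = _rotl(w[3] ^ w[0], 16)
        w[2] = (w[2] + w[3]) & MASK64; w[1] = _rotl(w[1] ^ w[2], 63)
        w[0] ^= rnd                      # round constant breaks symmetry between rounds
        w = [w[1], w[2], w[3], w[0]]     # rotate word positions
    return struct.pack("<4Q", *w)


class Duplex:
    """The duplex object: XOR sigma_i into the rate part, apply f, return Z_i (the new rate part)."""

    def __init__(self, f=toy_permutation):
        self.f = f
        self.state = bytes(WIDTH)

    def duplexing(self, sigma: bytes, frame: int) -> bytes:
        assert len(sigma) <= RHO
        block = sigma + bytes([frame, 0x01])           # frame byte + end marker, then zero padding
        block += bytes(RATE - len(block))
        rate = bytes(s ^ b for s, b in zip(self.state[:RATE], block))
        self.state = self.f(rate + self.state[RATE:])  # the capacity part is never touched by the input
        return self.state[:RATE]


def _chunks(data: bytes):
    """Split into RHO-byte blocks; an empty input still yields one empty block."""
    return [data[i:i + RHO] for i in range(0, len(data), RHO)] or [b""]


def _absorb(d: Duplex, data: bytes, end_frame: int) -> bytes:
    blocks = _chunks(data)
    z = b""
    for i, blk in enumerate(blocks):
        z = d.duplexing(blk, end_frame if i == len(blocks) - 1 else FRAME_BODY)
    return z


def _wrap_core(key, nonce, ad, data, decrypt):
    """Shared encrypt/decrypt path. Each message block is XORed with the previous Z_i;
    the *plaintext* block is what gets absorbed next (sigma_i in the duplex figure)."""
    d = Duplex()
    _absorb(d, key, FRAME_KEY)
    _absorb(d, nonce, FRAME_NONCE)
    z = _absorb(d, ad, FRAME_AD)      # the last Z of the AD phase is the first keystream block
    out = bytearray()
    blocks = _chunks(data)
    for i, blk in enumerate(blocks):
        xored = bytes(a ^ b for a, b in zip(blk, z))
        out += xored
        plain = xored if decrypt else blk
        z = d.duplexing(plain, FRAME_MSG if i == len(blocks) - 1 else FRAME_BODY)
    tag = bytearray(z)
    while len(tag) < TAG_LEN:         # squeeze further blocks if a longer tag is wanted
        tag += d.duplexing(b"", FRAME_BODY)
    return bytes(out), bytes(tag[:TAG_LEN])


def spongewrap_encrypt(key, nonce, ad, plaintext):
    return _wrap_core(key, nonce, ad, plaintext, decrypt=False)


def spongewrap_decrypt(key, nonce, ad, ciphertext, tag):
    """Returns the plaintext, or None if the tag does not verify (nothing is released then)."""
    plaintext, expected = _wrap_core(key, nonce, ad, ciphertext, decrypt=True)
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return plaintext


if __name__ == "__main__":
    k, n = bytes(range(16)), b"nonce-0001"       # constructed sample key and nonce
    ct, tag = spongewrap_encrypt(k, n, b"header", b"attack at dawn")
    assert spongewrap_decrypt(k, n, b"header", ct, tag) == b"attack at dawn"
    assert spongewrap_decrypt(k, n, b"header", ct[:-1] + bytes([ct[-1] ^ 1]), tag) is None
    print("ok")
```

The candidate plaintext exists in memory before the tag comparison happens; the decrypt function only returns it once the comparison passes, which is the property any duplex-based AE implementation has to preserve when it streams output.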
Summary
The columns are grouped as Presentation (name, designers, design reference), Cryptographic Properties (internal state, key size, nonce/IV size, attacks) and Implementation Properties (technology, area, throughput, power consumption, implementation reference). Sizes are in bits.

| name | designers | reference (design) | internal state | key size | nonce/IV size | attacks | technology used | area (#GE) | throughput (Kb/s @ 100 kHz) | power consumption | reference (implementation) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ACORN^{[note 1]} | Wu | CAESAR (14)^{[4]} | 293 | 128 | 128 | | | | | | |
| ALE | Bogdanov et al. | FSE 13^{[5]} | 128 | 128 | 128 | ^{[6]}^{[7]} | 65 nm | 2579 / 2700 | | | Specification^{[5]} |
| ASC-1 | Jakimoski et al. | SAC 12^{[8]} | 0^{[note 3]} | 128 | 0 | | 65 nm | 4793 / 5517 | | | ALE specification^{[5]} |
| ASCON^{[note 1]} | Dobraunig et al. | CAESAR (14)^{[9]} | 320 | 96 | 96 | | | | | | |
| | | | | 128 | 128 | | | | | | |
| C-QUARK | Aumasson et al. | DIAC 12^{[10]} | 384 | 256 | 64 | | 90 nm | 4000 / 8875 | 8.33 / 266.67 | | Specification^{[10]} |
| FIDES | Bilgin et al. | CHES 13^{[11]} | 160 | 80 | 80 | | 90 nm | 793 / 2922 | 10.64 / 500 | | Specification^{[11]} |
| | | | 192 | 96 | 96 | | | 1001 / 6673 | 12.77 / 600 | | |
| Hummingbird-2 | Engels et al. | SaP 12^{[12]} | 128 | 128 | 64 | ^{[13]} | 0.13 µm | 3220 / 2332 / 2159 | | 1.93 / 1.845 / 1.73^{[note 4]} | Specification^{[12]} |
| Joltik^{[note 1]} | Jean et al. | CAESAR (14)^{[4]} | 64 | 128 (key+tweak) | 128 (key+tweak) | | | | | | |
| | | | | 192 (key+tweak) | 192 (key+tweak) | | | | | | |
| Ketje^{[note 1]} | Bertoni et al. | CAESAR (14)^{[14]} | 200 | k ≤ 182 | 182 - k | | | | | | |
| | | | 400 | k ≤ 382 | 382 - k | | | | | | |
| LAC^{[note 1]} | Zhang et al. | CAESAR (14)^{[15]} | 80 (key state) + 64 (BC state) | 64 | 80 | | | | | | |
| Sablier^{[note 1]} | Zhang et al. | CAESAR (14)^{[15]} | 208 | 80 | 80 | | | | | | |
| SCREAM & iSCREAM^{[note 1]} | Grosso et al. | CAESAR (14)^{[16]} | 128 (tweak state) + 64 (BC state) | 128 | 128 | | ^{[note 5]} | ^{[note 5]} | ^{[note 5]} | ^{[note 5]} | Specification^{[16]} |
Descriptions
ACORN
 Article: ACORN: a Lightweight Authenticated Cipher^{[4]}^{[note 1]}
 Authors: Wu, Hongjun
ACORN is based on 6 LFSRs with a total length of 293 bits. It uses 2 Boolean functions, maj(x,y,z) and ch(x,y,z), when computing the keystream bit and the feedback bit; both are part of the specification of SHA-2. ACORN-128 is intended to provide 128 bits of security for both encryption and authentication. Finally, the author claims that the hardware implementation cost is close to that of Trivium.
The design is inspired by that of hardware-oriented stream ciphers like Grain and Trivium.
ASC-1
 Article: ASC-1: An authenticated encryption stream cipher, SAC 12^{[8]}
 Authors: Jakimoski, G., & Khajuria, S.
The design of this primitive is based on the LEX stream cipher^{[17]}: the keystream consists of bytes leaked from the internal state of the AES. A quick description is given on the figure on the right. It only supports encryption of messages made of 3 blocks of 128 bits.
"We argue that ASC-1 is secure by reducing [its] security to the problem of distinguishing the case when the round keys are uniformly random from the case when the round keys are generated by a key scheduling algorithm."
The construction is based on the concept of Leak-safe Almost XOR Universal (LAXU) hash function, which allows building provably secure authenticated ciphers.
ASCON
 Article: ASCON v1: Submission to the CAESAR Competition^{[9]}^{[note 1]}
 Authors: Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.
ASCON uses a sponge construction, although with a stronger keyed initialization and keyed finalization phase than usual. There are two suggested instances, ASCON-96 and ASCON-128, but the specification is more general (the instances differ only by their rate). In both cases, the sponge uses an internal state of 320 bits.
The function used to update it consists of several iterations of three operations: round constant addition, substitution layer and linear diffusion layer. The state is represented as an array of 5 lines of 64 bits. The substitution layer operates on columns using a 5×5 S-box which can be implemented cheaply in hardware. The linear layer is applied to each line separately: the line is rotated in 3 different ways and the results are XORed together.
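The permutation described above, as an added example (not the designers' reference implementation), written from the published Ascon specification: the 320-bit state is five 64-bit lines x0..x4, a round XORs a constant into x2, applies the 5-bit S-box to all 64 columns at once in bitsliced form, and then mixes each line with two rotated copies of itself (the three "rotations" of the text, counting rotation by zero). The rotation amounts, round constants and S-box table are those of the published specification; the assumption made here is that the v1 CAESAR submission uses the same permutation as the later Ascon versions. A slow column-by-column table lookup is included only to cross-check the bitsliced S-box against the table.

```python
# Ascon permutation p^a, written from the published specification (added example; not the
# designers' reference code). State: 5 lines x0..x4 of 64 bits each (320 bits).
MASK64 = (1 << 64) - 1

# Round constants XORed into x2; p^12 uses all of them, p^a the last a of them.
ROUND_CONSTANTS = [0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b]

# The 5-bit S-box as a lookup table (x0 is the most significant bit of the column value).
ASCON_SBOX = [0x4, 0xb, 0x1f, 0x14, 0x1a, 0x15, 0x9, 0x2, 0x1b, 0x5, 0x8, 0x12, 0x1d, 0x3, 0x6, 0x1c,
              0x1e, 0x13, 0x7, 0xe, 0x0, 0xd, 0x11, 0x18, 0x10, 0xc, 0x1, 0x19, 0x16, 0xa, 0xf, 0x17]


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64


def add_constant(x, rnd_const):
    x = list(x)
    x[2] ^= rnd_const
    return x


def substitution_layer(x):
    """Bitsliced S-box: the same 5-bit S-box applied to all 64 columns at once using only
    XOR, AND and NOT on whole 64-bit lines (this is what makes it cheap in hardware)."""
    x0, x1, x2, x3, x4 = x
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3; t3 = ~x3 & x4; t4 = ~x4 & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2
    return [v & MASK64 for v in (x0, x1, x2, x3, x4)]


def sbox_columnwise(x):
    """Reference: apply the lookup table to each of the 64 five-bit columns (slow; for checking)."""
    out = [0] * 5
    for col in range(64):
        v = sum(((x[i] >> col) & 1) << (4 - i) for i in range(5))
        s = ASCON_SBOX[v]
        for i in range(5):
            out[i] |= ((s >> (4 - i)) & 1) << col
    return out


def linear_layer(x):
    """Each line is XORed with two rotated copies of itself; the rotation pairs differ per line."""
    x0, x1, x2, x3, x4 = x
    return [x0 ^ rotr(x0, 19) ^ rotr(x0, 28),
            x1 ^ rotr(x1, 61) ^ rotr(x1, 39),
            x2 ^ rotr(x2, 1) ^ rotr(x2, 6),
            x3 ^ rotr(x3, 10) ^ rotr(x3, 17),
            x4 ^ rotr(x4, 7) ^ rotr(x4, 41)]


def ascon_permutation(state, rounds=12):
    """p^rounds for rounds in 1..12; a shorter permutation uses the last `rounds` constants."""
    assert 1 <= rounds <= 12 and len(state) == 5
    x = [v & MASK64 for v in state]
    for c in ROUND_CONSTANTS[12 - rounds:]:
        x = linear_layer(substitution_layer(add_constant(x, c)))
    return x


def hamming_distance(a, b):
    return sum(bin(u ^ v).count("1") for u, v in zip(a, b))


if __name__ == "__main__":
    # Constructed state in which column j holds the value j mod 32, so every S-box input occurs.
    counter = [0xFFFF0000FFFF0000, 0xFF00FF00FF00FF00, 0xF0F0F0F0F0F0F0F0,
               0xCCCCCCCCCCCCCCCC, 0xAAAAAAAAAAAAAAAA]
    assert substitution_layer(counter) == sbox_columnwise(counter)
    s0 = ascon_permutation([0, 0, 0, 0, 0])
    s1 = ascon_permutation([1, 0, 0, 0, 0])   # single-bit difference in x0
    print("state bits changed by a 1-bit input difference after 12 rounds:", hamming_distance(s0, s1))
```

The column-wise check is the way to validate a bitsliced S-box before trusting it: the bitsliced form is what an implementation ships, but the table is what the specification states, and the two must agree on every one of the 32 column values.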
ALE
 Article: ALE: AES-Based Lightweight Authenticated Encryption, FSE 13^{[5]}
 Authors: Bogdanov, A., Mendel, F., Regazzoni, F., Rijmen, V., & Tischhauser, E.
It takes a 128-bit key and a 128-bit nonce, and the length of the plaintext is limited to 2^{45} bytes. The overall structure is that of an authenticated stream cipher.
The design of this primitive is based on the LEX stream cipher^{[17]} and draws some inspiration from ASC-1 as well. It is based on the AES in order to benefit from its high security and, where the instruction is available on the platform, from the AES-NI assembly instructions. However, it has already been broken by Khovratovich et al.^{[6]} and Wu et al.^{[7]}.
C-QUARK
 Article: Heavy Quark for secure AEAD, DIAC 12^{[10]}
 Authors: Aumasson, J. P., Knellwolf, S., & Meier, W.
Lightweightness is not the main focus of this primitive: it relies on a heavier version of the sponge used in the QUARK family of lightweight hash functions and provides higher security. It uses a SpongeWrap structure. Its authors want to see whether the reverse of the usual approach (building lightweight primitives from simpler versions of not-so-lightweight ones) is sane.
Despite a 256-bit key, it "only" claims 253 bits of security for the sake of the simplicity of the proofs used. The message length is limited to 2^{64} blocks of 64 bits.
FIDES
 Article: FIDES: lightweight authenticated cipher with side-channel resistance for constrained hardware, CHES 13^{[11]}
 Authors: Bilgin, B., Bogdanov, A., Knežević, M., Mendel, F., & Wang, Q.
It is a duplexed sponge using a permutation based on the AES. Defense against side-channel attacks was one of the design criteria and a custom masking scheme is provided which does not increase the area footprint too much. The permutation used to update the internal state has an AES-like structure, but the matrix used in the MixColumns step is different and, depending on the version of the algorithm, the S-box used is 5×5 or 6×6. In both cases, the S-boxes have optimal differential uniformity (i.e. they are APN).
Hummingbird-2
 Article: The Hummingbird-2 lightweight authenticated encryption algorithm, SaP 12^{[12]}
 Authors: Engels, D., Saarinen, M. J. O., Schweitzer, P., & Smith, E. M.
Hummingbird-2 is, as its name indicates, a new iteration of the Hummingbird^{[18]} primitive, which was successfully attacked by Saarinen^{[19]}. This cipher has an internal state which is initialized using the 64-bit IV. There is no key schedule: the same functions are applied to the internal state every time. At each clock, operations involving the key, the 16-bit plaintext block and the 128-bit internal state are performed to generate a block of ciphertext. Then, the same sort of operations are used to update the internal state using variables created during the ciphertext generation.
The only operations used are XOR, addition modulo 2^{16} and a non-linear function called f which is based on 4 different S-boxes.
Joltik
 Article: Joltik v1^{[20]}^{[note 1]}
 Authors: Jean, J., Nikolic, I. & Peyrin, T.
Joltik is a lightweight authenticated cipher based on a 64-bit tweakable block cipher called Joltik-BC. There are two versions of the mode of operation built on top of it: one for nonce-respecting adversaries and one for adversaries that may repeat nonces.
Joltik-BC has the same structure as the AES but its internal state has only 64 bits. The S-box is the same as that of Piccolo (4×4) and the MDS matrix is different: it is also involutory and non-circulant. There are two versions of it: one has a combined key and tweak length of 128 bits, the other of 192 bits.
Ketje
 Article: CAESAR submission KETJE v1^{[14]}
 Authors: Bertoni, G., Daemen, J., Peeters, M., Van Assche, G. & Van Keer, R.
Ketje is a lightweight variant of the winner of the SHA-3 competition, Keccak^{[21]}. As such, it relies on the sponge structure, more precisely on the so-called MonkeyWrap mode. To allow implementation in memory-constrained environments, the internal state of the sponge is made of only 200 (or 400) bits, giving rise to Ketje Jr (and Ketje Sr). Hence, the rates used are much smaller than in Keccak. In both versions, the permutations used are variants of that of Keccak.
LAC
 Article: LAC: A Lightweight Authenticated Encryption Cipher^{[15]}^{[note 1]}
 Authors: Zhang, L., Wu, W., Wang, Y., Wu, S., Zhang, J.
LAC uses a structure similar to that of ALE and an internal primitive based on LBlock. It uses a key of 80 bits, a "public message number" (nonce) of 64 bits and tags of 64 bits.
It relies on a simplified version of LBlock called LBlock-s, where a single S-box is used (instead of 10 different ones) and the key schedule is modified to be equivalent to a sparse GFS, just like in TWINE. The keystream is generated by leaking 24 bits of the internal state after 8 rounds and another 24 bits after another 8 rounds. The 48-bit message block is XORed with the keystream to obtain the ciphertext and is also XORed into the internal state.
Sablier
 Article: Sablier v1^{[22]}^{[note 1]}
 Authors: Zhang, B., Shi, Z., Xu, C., Yao, Y. & Li, Z.
Sablier is a hardware-oriented stream cipher which provides authentication. The key and nonce are both 80 bits long and the tag is made of 32 bits. Encryption speed in hardware is expected to be 16 times faster than Trivium encryption.
Just like SIMON, it relies only on bit rotations, logical AND and XOR. For instance, it uses the χ transformation of Keccak. Its high level behaviour is explained using a metaphor based on a sandglass ("sablier" in French), see the Figure on the right.
SCREAM & iSCREAM
 Article: SCREAM & iSCREAM, Side-Channel Resistant Authenticated Encryption with Masking^{[16]}^{[note 1]}
 Authors: Grosso, V., Leurent, G., Standaert, F.-X., Varici, K., Durvaux, F., Gaspar, L. & Kerckhof, S.
Both ciphers are used in the so-called TAE mode (see Figure on the right) to provide authenticated encryption. They are modified versions of Robin and Fantomas^{[23]}. Misuse resistance is not a goal. Scream and iScream are both 128-bit ciphers with 8-bit S-boxes and 16-bit L-boxes. Unlike Scream, iScream is an involutive cipher. They differ by the choice of the S- and L-boxes but their designs are similar: they are tweakable variants of the LS-design.
Implementation complexities in both software and hardware are given by the authors.
Notes
1. This primitive is a candidate of the CAESAR competition.
2. To the best of our knowledge.
3. It only supports encryption of messages of length 3×128 bits.
4. These figures correspond to the peaks of power consumption.
5. The implementation properties given in Table 5 of the specification do not fit with the units we use. Thus, we refer the interested reader to page 11 of the specification.
References
1. Whiting, D., Schneier, B., Lucks, S., & Muller, F. (2005). Fast encryption and authentication in a single cryptographic primitive. ECRYPT Stream Cipher Project Report, 27(200), 5. pdf at ssi.gouv.fr
2. Bertoni, G., Daemen, J., Peeters, M., & Van Assche, G. (2012, January). Duplexing the sponge: single-pass authenticated encryption and other applications. In Selected Areas in Cryptography (pp. 320-337). Springer Berlin Heidelberg. pdf at eprint.iacr.org
3. Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., & Yasuda, K. (2013). APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography. Cryptology ePrint Archive, Report 2013/791. pdf at eprint.iacr.org
4. Wu, H. (2014). ACORN: a Lightweight Authenticated Cipher. Submission to the CAESAR competition. pdf at cr.yp.to
5. Bogdanov, A., Mendel, F., Regazzoni, F., Rijmen, V., & Tischhauser, E. (2013). ALE: AES-based lightweight authenticated encryption. Lecture Notes in Computer Science. pdf at dtu.dk
6. Khovratovich, D., & Rechberger, C. (2013). The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE. pdf at eprint.iacr.org
7. Wu, S., Wu, H., Huang, T., Wang, M., & Wu, W. (2013). Leaked-State-Forgery Attack against the Authenticated Encryption Algorithm ALE. In Advances in Cryptology - ASIACRYPT 2013 (pp. 377-404). Springer Berlin Heidelberg. pdf at springer.com
8. Jakimoski, G., & Khajuria, S. (2012, January). ASC-1: An authenticated encryption stream cipher. In Selected Areas in Cryptography (pp. 356-372). Springer Berlin Heidelberg. pdf at springer.com
9. Dobraunig, C., Eichlseder, M., Mendel, F. & Schläffer, M. (2014). ASCON v1: Submission to the CAESAR Competition. Submission to the CAESAR competition. pdf at cr.yp.to
10. Aumasson, J. P., Knellwolf, S., & Meier, W. (2012). Heavy Quark for secure AEAD. DIAC - Directions in Authenticated Ciphers, Sweden. pdf at 131002.net
11. Bilgin, B., Bogdanov, A., Knežević, M., Mendel, F., & Wang, Q. (2013). FIDES: lightweight authenticated cipher with side-channel resistance for constrained hardware. In Cryptographic Hardware and Embedded Systems - CHES 2013 (pp. 142-158). Springer Berlin Heidelberg. pdf at kuleuven.be
12. Engels, D., Saarinen, M. J. O., Schweitzer, P., & Smith, E. M. (2012). The Hummingbird-2 lightweight authenticated encryption algorithm. In RFID. Security and Privacy (pp. 19-31). Springer Berlin Heidelberg. pdf at rfidcusp.org
13. Saarinen, M. J. O. (2013). Related-key Attacks Against Full Hummingbird-2. IACR Cryptology ePrint Archive, 2013, 70. pdf at eprint.iacr.org
14. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G. & Van Keer, R. (2014). CAESAR submission KETJE v1. Submission to the CAESAR competition. pdf at cr.yp.to
15. Zhang, L., Wu, W., Wang, Y., Wu, S. & Zhang, J. (2014). LAC: A Lightweight Authenticated Encryption Cipher. Submission to the CAESAR competition. pdf at cr.yp.to
16. Grosso, V., Leurent, G., Standaert, F.-X., Varici, K., Durvaux, F., Gaspar, L. & Kerckhof, S. SCREAM & iSCREAM, Side-Channel Resistant Authenticated Encryption with Masking. Submission to the CAESAR competition. pdf at cr.yp.to
17. Biryukov, A. (2005). A new 128-bit key stream cipher LEX. eSTREAM, ECRYPT Stream Cipher Project, Report 13, 2005. pdf at ecrypt.eu.org
18. Engels, D., Fan, X., Gong, G., Hu, H., & Smith, E. M. (2010). Hummingbird: ultra-lightweight cryptography for resource-constrained devices. In Financial Cryptography and Data Security (pp. 3-18). Springer Berlin Heidelberg. pdf at springer
19. Saarinen, M. J. O. (2011, January). Cryptanalysis of Hummingbird-1. In Fast Software Encryption (pp. 328-341). Springer Berlin Heidelberg. pdf at mjos.fi
20. Jean, J., Nikolic, I. & Peyrin, T. (2014). Joltik v1. Submission to the CAESAR competition. pdf at cr.yp.to
21. Bertoni, G., Daemen, J., Peeters, M., & Van Assche, G. (2009). Keccak sponge function family main document. Submission to NIST (Round 2), 3. pdf at googlecode.com
22. Zhang, B., Shi, Z., Xu, C., Yao, Y. & Li, Z. (2014). Sablier v1. Submission to the CAESAR competition. pdf at cr.yp.to
23. Grosso, V., Leurent, G., Standaert, F.-X. & Varici, K. (2014). LS-designs: Bitslice encryption for efficient masked software implementations. To appear in the proceedings of FSE 2014.