
Sycon: a new milestone in designing ASCON-like permutations

Regular Paper. Journal of Cryptographic Engineering.

Abstract

ASCON is one of the elegant designs of authenticated encryption with associated data (AEAD): it was selected as the first choice for lightweight applications in the CAESAR competition and has also been submitted to the NIST lightweight cryptography standardization process. ASCON has been in the literature for a while; however, no AEAD has appeared that is both secure and lighter than ASCON. In this article, we overcome the challenge of constructing a permutation that is lighter than the ASCON permutation while ensuring similar performance, and on it we build a more lightweight AEAD that we call Sycon. Extensive security analysis of Sycon confirms that it provides the same level of security as ASCON. Our hardware implementation results show that the Sycon permutation has 5.35% less area than the ASCON permutation, which leads to a remarkable area reduction of about 14.95% for Sycon AEAD compared to ASCON AEAD. We regard Sycon as a new milestone as it is the lightest among all the AEADs belonging to the ASCON family.


Notes

  1. Almost the same efficient linear trails exist with the input and output of \(SD_i\) interchanged.

References

  1. Aagaard, M., AlTawy, R., Gong, G., Mandal, K., Rohit, R.: ACE: An authenticated encryption and hash algorithm. NIST Lightweight Cryptogr. Round 2 (2019)

  2. Abdelkhalek, A., Sasaki, Y., Todo, Y., Tolba, M., Youssef, A.M.: MILP modeling for (large) s-boxes to optimize probability of differential characteristics. IACR Trans. Symmetric Cryptol. 2017(4), 99–129 (2017). https://doi.org/10.13154/tosc.v2017.i4.99-129


  3. AlTawy, R., Rohit, R., He, M., Mandal, K., Yang, G., Gong, G.: sLiSCP: Simeck-based permutations for lightweight Sponge cryptographic primitives. In: Adams, C., Camenisch, J. (eds.) Selected Areas in Cryptography—SAC 2017, pp. 129–150. Springer International Publishing, Cham (2018)


  4. Aumasson, J.P., Jovanovic, P., Neves, S.: NORX: parallel and scalable AEAD. In: European Symposium on Research in Computer Security, pp. 19–36. Springer (2014)

  5. Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: A block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology—ASIACRYPT, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9453, pp. 411–436. Springer (2015)

  6. Banik, S., Bogdanov, A., Luykx, A., Tischhauser, E.: SUNDAE: small universal deterministic authenticated encryption for the internet of things. IACR Trans. Symmetric Cryptol. 2018(3), 1–35 (2018)


  7. Banik, S., Bogdanov, A., Peyrin, T., Sasaki, Y., Sim, S.M., Tischhauser, E., Todo, Y.: SUNDAE-GIFT. NIST Lightweight Cryptogr. Round 2 (2019)

  8. Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: A small present—towards reaching the limit of lightweight encryption. In: Fischer, W., Homma, N. (eds.) Cryptographic Hardware and Embedded Systems—CHES. Lecture Notes in Computer Science, vol. 10529, pp. 321–345. Springer (2017)

  9. Bao, Z., Chakraborti, A., Datta, N., Guo, J., Nandi, M., Peyrin, T., Yasuda, K.: PHOTON-Beetle. NIST Lightweight Cryptogr. Round 2 (2019)

  10. Beierle, C., Biryukov, A., Cardoso dos Santos, L., Großschädl, J., Perrin, L., Udovenko, A., Velichkov, V., Wang, Q.: Lightweight AEAD and hashing using the sparkle permutation family. IACR Trans. Symmetric Cryptol. 2020(S1), 208–261 (2020). https://doi.org/10.13154/tosc.v2020.iS1.208-261


  11. Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) Advances in Cryptology—CRYPTO, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9815, pp. 123–153. Springer (2016)

  12. Bernstein, D.J., Kölbl, S., Lucks, S., Massolino, P.M.C., Mendel, F., Nawaz, K., Schneider, T., Schwabe, P., Standaert, F.X., Todo, Y., et al.: Gimli: a cross-platform permutation. In: International Conference on Cryptographic Hardware and Embedded Systems, pp. 299–320. Springer (2017)

  13. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Permutation-based encryption, authentication and authenticated encryption. Presented at DIAC (2012)

  14. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the Sponge: single-pass authenticated encryption and other applications. In: International Workshop on Selected Areas in Cryptography, pp. 320–337. Springer (2011)

  15. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed Sponge construction. In: Symmetric Key Encryption Workshop, vol. 2011 (2011)

  16. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak specifications (2009)

  17. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology, pp. 2–21. CRYPTO (1991)

  18. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer (2007)

  19. CAESAR: Competition for authenticated encryption: Security, applicability, and robustness (2012). https://competitions.cr.yp.to/caesar.html

  20. Chakraborti, A., Datta, N., Nandi, M., Yasuda, K.: Beetle family of lightweight and secure authenticated encryption ciphers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 218–241 (2018)


  21. Daemen, J., Rijmen, V.: The design of Rijndael: AES—the advanced encryption standard. In: Information Security and Cryptography. Springer (2002)

  22. Dobraunig, C., Eichlseder, M., Mangard, S., Mendel, F., Mennink, B., Primas, R., Unterluggauer, T.: ISAP v2.0. NIST Lightweight Cryptogr. Round 2 (2019)

  23. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Cryptanalysis of ASCON. In: Nyberg, K. (ed.) Topics in Cryptology—CT-RSA. Lecture Notes in Computer Science, vol. 9048, pp. 371–387. Springer (2015)

  24. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: ASCON v1.2. NIST Lightweight Cryptography Round 2 (2019), CAESAR, finalist

  25. Edwards, H.: Riemann’s Zeta Function. Dover Publications, Mineola (2001)

  26. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6841, pp. 222–239. Springer (2011). https://doi.org/10.1007/978-3-642-22792-9_13

  27. Hatzivasilis, G., Fysarakis, K., Papaefstathiou, I., Manifavas, C.: A review of lightweight block ciphers. J. Cryptogr. Eng. 8(2), 141–184 (2018)


  28. Gurobi Optimization, Inc.: Gurobi optimizer. http://www.gurobi.com/

  29. Jovanovic, P., Luykx, A., Mennink, B.: Beyond \(2^{c/2}\) security in Sponge-based authenticated encryption modes. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 85–104. Springer (2014)

  30. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology. pp. 386–397. EUROCRYPT ’93, Springer-Verlag New York, Inc. (1994)

  31. NIST: NIST Lightweight cryptography project. https://csrc.nist.gov/Projects/Lightweight-Cryptography/ (2019)

  32. NIST: Round 1 of the NIST lightweight cryptography project (2019). https://csrc.nist.gov/Projects/Lightweight-Cryptography/Round-1-Candidates

  33. Penazzi, D., Montes, M.: Shamash. NIST Lightweight Cryptogr. Round 1 (2019)

  34. Riou, S.: DryGASCON. NIST Lightweight Cryptogr. Round 2 (2019)

  35. Sarkar, S., Mandal, K., Saha, D.: On the relationship between resilient Boolean functions and linear branch number of S-boxes. In: Hao, F., Ruj, S., Gupta, S.S. (eds.) Progress in Cryptology—INDOCRYPT. Lecture Notes in Computer Science, vol. 11898, pp. 361–374. Springer (2019)

  36. Sarkar, S., Mandal, K., Saha, D.: Sycon v1.0. NIST Lightweight Cryptogr. Round 1 (2019)

  37. Sasaki, Y., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects—revealing structural properties of several ciphers. In: Coron, J., Nielsen, J.B. (eds.) Advances in Cryptology—EUROCRYPT, Proceedings, Part III. Lecture Notes in Computer Science, vol. 10212, pp. 185–215 (2017)

  38. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (Extended Abstract). In: Biryukov, A. (ed.) Fast Software Encryption FSE. Lecture Notes in Computer Science, vol. 4593, pp. 181–195. Springer (2007)

  39. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaohsiung, Taiwan, R.O.C., December 7–11, 2014. Proceedings, Part I. Lecture Notes in Computer Science, vol. 8873, pp. 158–178. Springer (2014). https://doi.org/10.1007/978-3-662-45611-8_9

  40. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology—EUROCRYPT, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9056, pp. 287–314. Springer (2015)


Acknowledgements

The authors would like to thank all the reviewers for their insightful comments and suggestions, which have improved the quality of the paper.

Author information

Correspondence to Kalikinkar Mandal.


Appendices

Appendix A: Description of Sycon AEAD and hash modes

Sycon AEAD mode. The authenticated encryption algorithm takes as input a secret key K of length \(\kappa \), a public nonce N of length n, an (optional) associated data A and a plaintext message M, and outputs a ciphertext C of the same length as the message together with a tag T of length \(\tau \). Similarly, the decryption algorithm takes as input a secret key K, a public nonce N, an (optional) associated data A, a ciphertext C and a tag T, and computes a tag \(T'\). It outputs the plaintext message M if tag verification succeeds and \(\perp \) otherwise. A high-level overview of the encryption algorithm is provided in Fig. 3. The encryption/decryption process consists of four distinct phases: initialization, processing the associated data, encrypting (or decrypting) the message and generating the tag.

  • Rate and capacity parts: The internal state is divided into two parts, the rate part and the capacity part. Any input absorbed into the state enters through the rate part. Given the internal state \(\mathbf{s}= \mathbf{s}_4\Vert \mathbf{s}_3\Vert \mathbf{s}_2\Vert \mathbf{s}_1\Vert \mathbf{s}_0\), for \(r = 64\), \(\mathbf{s}_0\) serves as the rate part and the remaining words form the capacity. For \(r = 96\), the entire \(\mathbf{s}_0\) and the first half of \(\mathbf{s}_1\) serve as the rate part, i.e., \( \mathbf{s}_0\Vert \lfloor \mathbf{s}_1 \rfloor _{32}\), and the remaining part of the state is the capacity.

  • Padding: When the length of the plaintext or associated data is not a multiple of r, padding is mandatory to make the padded length a multiple of r. For empty associated data, no padding is applied; otherwise, the padded associated data is \(\textsc {pad}_{r}(A) = A\Vert 1\Vert 0^{r-1-|A| \text { mod } r}\). For the plaintext message M, the padding is \(\textsc {pad}_{r}(M) = M\Vert 1\Vert 0^{r-1-|M| \text { mod } r}\). For \(\kappa = 128\) and \(r = 64\), the key is absorbed into the state without padding, whereas for \(r= 96\) the key must be padded as \(\textsc {pad}_{r}(K) = K\Vert 1\Vert 0^{r-1-|K| \text { mod } r} = K_0\Vert K_1\), which yields two 96-bit blocks.

  • Initialization: The initialization phase consists of a loading phase that loads the key and nonce into the state, followed by absorbing the key into the state. The key is loaded into \(\mathbf{s}_0 \) and \(\mathbf{s}_1\), the nonce into \(\mathbf{s}_2 \) and \(\mathbf{s}_3\) and the initial vector into \(\mathbf{s}_4\); the full-round Sycon permutation is then applied to the state, after which the (padded) key is absorbed through the rate part with two permutation calls.

  • Processing associated data: This step is applied after the initialization phase if the associated data are nonempty. It takes the associated data (AD) and the current state as input and returns the updated state. The padded associated data is split into blocks as \(\textsc {pad}_{r}(A) = A_0\Vert \cdots \Vert A_{n-1}\), where n here denotes the number of AD blocks. Each block is XORed into the rate part of the current state, followed by an application of the permutation. Note that no output is produced during AD processing.

  • Encryption/decryption: After processing the associated data, the encryption algorithm is applied to the plaintext M. First, the padding rule (\(10^*\)) is applied to M, giving a padded message whose length is a multiple of r, i.e., \( \textsc {pad}_{r}(M) = M_0\Vert \cdots \Vert M_{m-1}\), where m is the number of blocks of the padded message. The encryption algorithm produces m ciphertext blocks, truncated to the length of the plaintext. For each message block \(M_i\), the contents of the rate part serve as a keystream: the message block is XORed into the rate part, and the result is the ciphertext block \(C_i\), which now occupies the rate part. The Sycon permutation is then applied to update the state before the next message block is processed. Decryption is the same, except that the ciphertext block \(C_i\) is XORed with the rate part to recover \(M_i\), and the rate part is then replaced by the ciphertext block.

  • Finalization: After encryption or decryption, the finalization phase outputs a 128-bit tag. In this phase, the key is again absorbed into the state through the rate part with two permutation calls. Given the state \(\mathbf{s}= \mathbf{s}_4\Vert \mathbf{s}_3\Vert \mathbf{s}_2\Vert \mathbf{s}_1\Vert \mathbf{s}_0\), the tag extraction function, denoted by \(\texttt {ExtTag}(\mathbf{s})\), extracts the tag by concatenating the contents of \(\mathbf{s}_2\) and \(\mathbf{s}_3\), i.e., \(\texttt {ExtTag}(\mathbf{s}) = \mathbf{s}_2\Vert \mathbf{s}_3\).

Sycon hash mode. A message digest computation consists of two steps: absorbing (processing) the message and squeezing (outputting) the hash value or digest.

  • Processing message: To process a message M, padding is applied, i.e., \( \textsc {pad}_{r}(M) = M_0\Vert \cdots \Vert M_{m-1}\), where m is the number of blocks of the padded message. Before the message is processed, the predefined initial vector (iv2) is loaded into \(\mathbf{s}_2\) and the remaining state bits are set to zero, followed by an application of the Sycon permutation. After that, each message block in turn is XORed into the rate part and the permutation is applied, up to and including the last message block.

  • Outputting digest: After the message has been absorbed, a 256-bit digest is produced by outputting four blocks of \(r = 64\) bits from the rate part, the permutation being invoked after each r-bit block is taken from the rate part.

How to choose an AEAD mode. We propose two AEAD variants for different application scenarios. The variant is chosen according to the length/amount of data to be encrypted and authenticated. For instance, we recommend Sycon-AEAD-96 when the data length is large, as it is \(1.5 \times \) faster than Sycon-AEAD-64 (96 rather than 64 bits are processed per permutation call). When both AEAD and hashing functionalities are required, we recommend Sycon-AEAD-64 (the hash mode also uses \(r = 64\)). In applications where the data length is small and known in advance (e.g., RFID, smart meters), the variant is chosen so that the minimum number of permutation invocations is needed to process the data.
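The AEAD and hash modes described above, worked through as an added Python example. This is editorial code written for this page, not the authors' reference implementation, and it is not Sycon: the page does not reproduce the S-box or the diffusion layer, so the 320-bit permutation below is a labelled placeholder with no security, and the IV constants are made up. What the code does follow from Appendix A is the rate/capacity split, the \(10^*\) padding (read literally, so a message whose length is a multiple of r receives a whole padding block, and empty AD receives none), key and nonce loading, the two-call key absorption in initialization and finalization, AD absorption, duplex encryption with the rate replaced by the ciphertext block, \(\texttt {ExtTag}(\mathbf{s}) = \mathbf{s}_2\Vert \mathbf{s}_3\), and the hash mode with iv2 in \(\mathbf{s}_2\). The byte-level state layout, the handling of a partial last ciphertext block on decryption, the absence of a permutation call between the last message block and finalization, and the permutation between squeezed hash blocks are assumptions made as in ASCON where the page is silent. The decryption path shows the check a practitioner wants: the tag is compared in constant time and no plaintext is returned on failure.

```python
import hmac
import struct

# Parameters from Appendix A: 320-bit state of five 64-bit words, 128-bit key,
# nonce and tag, rate r = 64 or 96 bits. The IV constants are hypothetical;
# the page does not give the real Sycon initial vectors.
KEY_BYTES, NONCE_BYTES, MASK64 = 16, 16, (1 << 64) - 1
IV_AEAD = {64: 0x0123456789ABCDEF, 96: 0xFEDCBA9876543210}
IV_HASH = 0x0F1E2D3C4B5A6978

def _rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64

def placeholder_permutation(state, rounds=12):
    """Stand-in 320-bit bijection, NOT the Sycon permutation and not secure."""
    x = list(struct.unpack("<5Q", state))
    for rc in range(rounds):                 # each step rewrites one word from the others
        x[0] = (x[0] + x[1] + rc) & MASK64
        x[2] ^= _rotl(x[0], 17)
        x[3] = (x[3] + _rotl(x[2], 29)) & MASK64
        x[4] ^= _rotl(x[3], 41)
        x[1] = (x[1] + _rotl(x[4], 7)) & MASK64
        x[0] ^= _rotl(x[1], 53)
    return struct.pack("<5Q", *x)

def pad(data, rate_bytes):
    """pad_r of Appendix A on bytes: 0x80 (the 1 bit) then zeros to the block
    boundary; a length already a multiple of r gets a whole extra block."""
    return data + b"\x80" + b"\x00" * (rate_bytes - len(data) % rate_bytes - 1)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class DuplexAEAD:
    """Layout assumption: word s_i is bytes 8i..8i+7, so the rate is the first
    r/8 bytes (s_0, plus half of s_1 for r = 96) and s_2||s_3 is bytes 16..31."""

    def __init__(self, rate_bits, perm=placeholder_permutation):
        if rate_bits not in IV_AEAD:
            raise ValueError("rate must be 64 or 96 bits")
        self.rb, self.perm = rate_bits // 8, perm
        self.iv = IV_AEAD[rate_bits].to_bytes(8, "little")

    def _absorb(self, state, data):
        # XOR each full rate block into the rate part, permuting after each one.
        for i in range(0, len(data), self.rb):
            state = self.perm(_xor(state[:self.rb], data[i:i + self.rb]) + state[self.rb:])
        return state

    def _absorb_key(self, state, key):
        # kappa = 128: unpadded for r = 64, 10*-padded for r = 96; two blocks, i.e. two permutation calls, either way.
        return self._absorb(state, key if len(key) % self.rb == 0 else pad(key, self.rb))

    def _process(self, state, data, decrypt):
        # Duplex the padded blocks; the permutation after the last block is supplied by finalization (assumption, as in ASCON).
        rb, padded, out = self.rb, pad(data, self.rb), bytearray()
        nblocks = len(padded) // rb
        for i in range(nblocks):
            block = padded[i * rb:(i + 1) * rb]
            xored = _xor(state[:rb], block)  # rate ^ M_i on encryption, rate ^ C_i on decryption
            out += xored
            valid = rb if i < nblocks - 1 else len(data) - i * rb
            # Encryption: the rate becomes C_i. Decryption: the genuine ciphertext
            # bytes overwrite the rate and only the padding bits are XORed in.
            new_rate = (block[:valid] if decrypt else xored[:valid]) + xored[valid:]
            state = new_rate + state[rb:]
            if i < nblocks - 1:
                state = self.perm(state)
        return state, bytes(out[:len(data)])  # truncated so that |C| = |M|

    def _run(self, key, nonce, ad, data, decrypt):
        if len(key) != KEY_BYTES or len(nonce) != NONCE_BYTES:
            raise ValueError("key and nonce must be 16 bytes each")
        # Initialization: key in s_0||s_1, nonce in s_2||s_3, IV in s_4; permute; absorb key.
        state = self._absorb_key(self.perm(key + nonce + self.iv), key)
        if ad:                                # empty AD: nothing is absorbed
            state = self._absorb(state, pad(ad, self.rb))
        state, out = self._process(state, data, decrypt)
        return out, self._absorb_key(state, key)[16:32]  # finalization; ExtTag = s_2||s_3

    def encrypt(self, key, nonce, ad, msg):   # the nonce must be unique per key
        return self._run(key, nonce, ad, msg, decrypt=False)

    def decrypt(self, key, nonce, ad, ct, tag):
        msg, expected = self._run(key, nonce, ad, ct, decrypt=True)
        # Constant-time comparison; the plaintext is released only on success.
        return msg if hmac.compare_digest(expected, tag) else None

def hash64(msg, perm=placeholder_permutation):
    """Sycon-Hash-64 mode: iv2 in s_2, rest zero; permute; absorb the padded
    message through the 64-bit rate; squeeze four 64-bit blocks (256 bits)."""
    state = perm(bytes(16) + IV_HASH.to_bytes(8, "little") + bytes(16))
    padded = pad(msg, 8)
    for i in range(0, len(padded), 8):
        state = perm(_xor(state[:8], padded[i:i + 8]) + state[8:])
    digest = b""
    for i in range(4):
        digest += state[:8]
        if i < 3:                             # permute between squeezed blocks
            state = perm(state)
    return digest
```

`DuplexAEAD(64).encrypt(key, nonce, ad, msg)` returns `(ciphertext, tag)` and `decrypt` returns the plaintext or `None`. A 30-byte message costs four permutation calls in the message phase at `r = 64` and three at `r = 96`, which is the 1.5x throughput argument above. Swapping in a real permutation with the same interface (40 bytes in, 40 bytes out) is the only change needed to turn the mode into Sycon-AEAD-64/96 and Sycon-Hash-64, which could then be checked against Tables 14 to 17.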

Table 13 Performance of the Sycon permutation and its AEAD and hash modes on 8-bit Atmel Atmega32 and 32-bit MIPS32 microcontrollers
Table 14 Step-by-step input–outputs of the permutation for 12 rounds
Table 15 Test vectors for Sycon-Hash-64
Table 16 Test vectors for Sycon-AEAD-64
Table 17 Test vectors for Sycon-AEAD-96

Appendix B: Details on efficiency in software

Round function. We briefly explain how the Sycon permutation is implemented with AVX2. We use five YMM registers (\(R_i\)), packing four instances of the permutation, where \(\mathbf{s}^i = \mathbf{s}_4^i\Vert \mathbf{s}_3^i\Vert \mathbf{s}_2^i\Vert \mathbf{s}_1^i\Vert \mathbf{s}_0^i\) represents the state of the i-th instance, and the register contents are:

$$\begin{aligned} R_0&= \mathbf{s}_0^3 \Vert \mathbf{s}_0^2 \Vert \mathbf{s}_0^1 \Vert \mathbf{s}_0^0; \\ R_1&= \mathbf{s}_1^3 \Vert \mathbf{s}_1^2 \Vert \mathbf{s}_1^1 \Vert \mathbf{s}_1^0; \\ R_2&= \mathbf{s}_2^3 \Vert \mathbf{s}_2^2 \Vert \mathbf{s}_2^1 \Vert \mathbf{s}_2^0; \\ R_3&= \mathbf{s}_3^3 \Vert \mathbf{s}_3^2 \Vert \mathbf{s}_3^1 \Vert \mathbf{s}_3^0; \\ R_4&= \mathbf{s}_4^3 \Vert \mathbf{s}_4^2 \Vert \mathbf{s}_4^1 \Vert \mathbf{s}_4^0; \end{aligned}$$

The S-box is chosen so that the permutation has an efficient bit-sliced implementation. The bit-sliced form of the S-box is as follows:

We need 23 logical instructions, including NOT operations, to implement the S-box, the same count as for ASCON's S-box. For the SB layer, the instructions vpxor, vpand and vpandn are applied between registers according to the bit-sliced representation of the S-box. For the SD layer, the instructions vpsllq and vpsrlq suffice, and no cross-register operations are required.

Fig. 10: Sycon v1.0 has a 4-round differential trail with only 21 active S-boxes

Efficiency on microcontrollers. To assess the software performance of Sycon on microcontrollers, we implemented the Sycon authenticated encryption and hash algorithms on the 8-bit Atmel ATmega32 and on a 32-bit MIPS32 core from MIPS Technologies. The ATmega32 has 32 Kbytes of flash, 2 Kbytes of SRAM and 32 8-bit general-purpose registers; the MIPS32 core has 32 32-bit general-purpose registers. The Sycon instances are written in assembly, and the AVR Simulator IDE was used to develop the code. The S-box is implemented in bit-sliced form rather than as a look-up table, which gives the highest efficiency while reducing memory. A 72-byte plaintext is used to obtain the cycle counts for the AEAD and hash instances. For instance, one evaluation of the Sycon permutation requires 12,097 cycles on the MIPS32 microcontroller, i.e., 302.43 cycles per byte of the 40-byte state. Table 13 presents the cycle counts, code sizes in bytes and cycles per byte for the Sycon permutation and the AEAD and hash algorithms.

Appendix C: Efficient differential trail of Sycon v1.0

The main reason we tweaked the design from v1.0 is the discovery of an efficient 4-round differential trail. Figure 10 shows a 4-round differential trail with only 21 active S-boxes. Since the best differential trail reported in [36] has 51 active S-boxes, this trail is dramatically more efficient. This negative result for Sycon v1.0 stems from the heuristic design of its diffusion layer, as a result of which very efficient differential trails were overlooked. In the new design, we carefully analyzed the conditions under which efficient trails occur, and the diffusion layer is designed more systematically.

Appendix D: Test vectors

We present test vectors for the two authenticated encryption algorithms and for the hash algorithm. Table 14 lists the step-by-step input and output of the Sycon permutation for 12 rounds. Table 15 lists test vectors of Sycon-Hash-64 for a nonempty message and for the empty message. Table 16 lists a set of test vectors of Sycon-AEAD-64 for different combinations of empty or nonempty AD and message. Table 17 lists a test vector of Sycon-AEAD-96 for a pair of an AD and a message.

Sycon permutation. The input and output of the permutation after 12 rounds, with the 320-bit state written as two 20-byte hex strings:

Input:

0000000000000000000000000000000000000000

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Output:

347654D629FC982F0F085496C5612910670008CA

C78234FCC7743998FB35A737384442DDB1E9F498

Fig. 11: The holistic view of the round function of the Sycon permutation


Cite this article

Mandal, K., Saha, D., Sarkar, S. et al. Sycon: a new milestone in designing ASCON-like permutations. J Cryptogr Eng 12, 305–327 (2022). https://doi.org/10.1007/s13389-021-00272-9
