Gimli : A Cross-Platform Permutation
1 University of Illinois at Chicago, Chicago, USA, [email protected]
2 Technical University of Denmark, Kongens Lyngby, Denmark, [email protected]
3 Bauhaus-Universität Weimar, Weimar, Germany, [email protected]
4 Radboud University, Nijmegen, Netherlands, [email protected], [email protected], [email protected]
5 Graz University of Technology, Graz, Austria, [email protected]
6 Université Catholique de Louvain, Louvain-la-Neuve, Belgium, {kashif.nawaz,fstandae}@uclouvain.be
7 Ruhr-University Bochum, Bochum, Germany, [email protected]
8 NTT Secure Platform Laboratories, Tokyo, Japan, [email protected]

Abstract. This paper presents Gimli, a 384-bit permutation designed to achieve high security with high performance across a broad range of platforms, including 64-bit Intel/AMD server CPUs, 64-bit and 32-bit ARM smartphone CPUs, 32-bit ARM microcontrollers, 8-bit AVR microcontrollers, FPGAs, ASICs without side-channel protection, and ASICs with side-channel protection.

Keywords: Intel · AMD · ARM Cortex-A · ARM Cortex-M · AVR · FPGA · ASIC · Side channels · The eyes of a hawk and the ears of a fox

Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work resulted from the Lorentz Center Workshop "HighLight: High-security lightweight cryptography". This work was supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 645622 (PQCRYPTO) and project number 645421 (ECRYPT-CSA); the Austrian Science Fund (FWF) under grant P26494-N15; the ARC project NANOSEC; the Belgian Fund for Scientific Research (FNRS-F.R.S.); the Technology Foundation STW (project 13499 TYPHOON), from the Dutch government; the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005; and the U.S. National Science Foundation under grant 1314919. "Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."

Permanent ID of this document: 93eb34af666d7fa7264d94c21c18034a.

© International Association for Cryptologic Research 2017. W. Fischer and N. Homma (Eds.): CHES 2017, LNCS 10529, pp. 299–320, 2017. DOI: 10.1007/978-3-319-66787-4_15
D.J. Bernstein et al.

1 Introduction
Keccak [11], the 1600-bit permutation inside SHA-3, is well known to be extremely energy-efficient: specifically, it achieves very high throughput in moderate-area hardware. Keccak is also well known to be easy to protect against side-channel attacks: each of its 24 rounds has algebraic degree only 2, allowing low-cost masking. The reason that Keccak is well known for these features is that most symmetric primitives are much worse in these metrics. Chaskey [21], a 128-bit-permutation-based message-authentication code with a 128-bit key, is well known to be very fast on 32-bit embedded microcontrollers: for example, it runs at just 7.0 cycles/byte on an ARM Cortex-M3 microcontroller. The reason that Ch
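To make the abstract's "384-bit permutation" concrete alongside the Keccak and Chaskey comparison above, here is Gimli in C as an added example; it is not code from this page. The SP-box, the swap schedule and the round constant follow the published Gimli specification and its reference implementation, reproduced from that specification rather than from anything in the text above, and the test vector is the one distributed with the reference code. The comment on the nonlinear layer points at the same property the introduction credits to Keccak: every round has algebraic degree 2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GIMLI_WORDS  12   /* 384-bit state: 3 rows x 4 columns of 32-bit words */
#define GIMLI_ROUNDS 24

static uint32_t rotl32(uint32_t x, unsigned n) {
    return (x << n) | (x >> (32u - n));
}

/* The Gimli permutation, following the published specification's reference code. */
void gimli(uint32_t state[GIMLI_WORDS]) {
    for (int round = GIMLI_ROUNDS; round > 0; --round) {
        /* Nonlinear layer: a 96-bit SP-box applied to each column.
           The only nonlinear operations are AND and OR of two words, so each
           round has algebraic degree 2 (like Keccak's chi), which is what
           keeps masking against side channels cheap. */
        for (int col = 0; col < 4; ++col) {
            uint32_t x = rotl32(state[col], 24);
            uint32_t y = rotl32(state[4 + col], 9);
            uint32_t z = state[8 + col];
            state[8 + col] = x ^ (z << 1) ^ ((y & z) << 2);
            state[4 + col] = y ^ x ^ ((x | z) << 1);
            state[col]     = z ^ y ^ ((x & y) << 3);
        }
        /* Linear layer: a "small swap" every fourth round, followed by the
           round constant; a "big swap" two rounds after each small swap. */
        if ((round & 3) == 0) {
            uint32_t t;
            t = state[0]; state[0] = state[1]; state[1] = t;
            t = state[2]; state[2] = state[3]; state[3] = t;
            state[0] ^= 0x9e377900u | (uint32_t)round;
        } else if ((round & 3) == 2) {
            uint32_t t;
            t = state[0]; state[0] = state[2]; state[2] = t;
            t = state[1]; state[1] = state[3]; state[3] = t;
        }
    }
}

/* Word i of the specification's test-vector input: i^3 + i * 0x9e3779b9 mod 2^32. */
uint32_t gimli_test_word(uint32_t i) {
    return i * i * i + i * 0x9e3779b9u;
}

/* Expected output of gimli() on that input, as distributed with the reference code. */
static const uint32_t gimli_test_output[GIMLI_WORDS] = {
    0xba11c85au, 0x91bad119u, 0x380ce880u, 0xd24c2c68u,
    0x3eceffeau, 0x277a921cu, 0x4f73a0bdu, 0xda5a9cd8u,
    0x84b673f0u, 0x34e52ff7u, 0x9e2bef49u, 0xf41bb8d6u,
};

/* Returns 1 if this implementation reproduces the published test vector. */
int gimli_selftest(void) {
    uint32_t s[GIMLI_WORDS];
    for (uint32_t i = 0; i < GIMLI_WORDS; ++i)
        s[i] = gimli_test_word(i);
    gimli(s);
    return memcmp(s, gimli_test_output, sizeof s) == 0;
}

int main(void) {
    uint32_t s[GIMLI_WORDS];
    for (uint32_t i = 0; i < GIMLI_WORDS; ++i)
        s[i] = gimli_test_word(i);
    gimli(s);
    for (int i = 0; i < GIMLI_WORDS; ++i)
        printf("%08x%c", s[i], (i % 4 == 3) ? '\n' : ' ');
    printf("selftest: %s\n", gimli_selftest() ? "ok" : "FAILED");
    return gimli_selftest() ? 0 : 1;
}
```

The state layout (three rows of four words, the SP-box working down one column at a time) is what lets the same code map onto 128-bit SIMD lanes on a server CPU and onto plain 32-bit registers on a Cortex-M or AVR; the self-test is the check to run first after any such port.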