Transcript of slides: Dumbo, Jumbo, and Delirium: Parallel AEAD for the Lightweight Circus (bmennink/slides/nist19a.pdf)
Dumbo, Jumbo, and Delirium:
Parallel AEAD for the Lightweight Circus
Tim Beyne (1), Yu Long Chen (1), Christoph Dobraunig (2), Bart Mennink (2)
(1) KU Leuven (Belgium), (2) Radboud University (The Netherlands)
NIST Lightweight Cryptography Workshop 2019
November 6, 2019
1 / 14
Authenticated Encryption
[Figure: two parties A and B exchanging messages over a channel that an outsider can observe and tamper with]
Encryption
• No outsider can learn anything about data
Authentication
• No outsider can manipulate data
2 / 14
Authenticated Encryption
[Figure: AE_K takes nonce N, associated data A and message M, and outputs ciphertext C and tag T]
• Ciphertext C is the encryption of message M
• Tag T authenticates associated data A and message M
• Nonce N randomizes the scheme (it must not repeat under one key)
3 / 14
Authenticated Decryption
[Figure: AD_K takes (N, A, C, T) and outputs M if T is correct, ⊥ otherwise]
• Authenticated decryption needs to satisfy that:
  • the message is disclosed if the tag is correct
  • the message is not leaked if the tag is incorrect
• Correctness: AD_K(N, A, AE_K(N, A, M)) = M
4 / 14
Lightweight Authenticated Encryption
Design questions:
• suitable primitive?
• nonce-based?
• RUP/LR/...? (release of unverified plaintext, leakage resilience, ...)
• hardware/software parallelism?
• math beyond the primitive?
Our goal: minimize state size and complexity of design while still meeting the expected security strength 2^112 and the limit on online complexity of 2^50 bytes
5 / 14
![Page 13: Dumbo, Jumbo, and Delirium: Parallel AEAD for the ...bmennink/slides/nist19a.pdf · Dumbo, Jumbo, and Delirium: Parallel AEAD for the Lightweight Circus Tim Beyne 1, uY Long Chen](https://reader034.fdocuments.net/reader034/viewer/2022050221/5f66c15a0b98b05fa1328ee6/html5/thumbnails/13.jpg)
What Primitive?
Candidates: tweakable block cipher, block cipher, permutation
Permutation is the best suited choice
6 / 14
What Mode?
Established Approach
• Keyed duplex/sponge [BDPV11, MRV15, DMV17]
• Inherently sequential
Our Approach
• Parallel evaluation of the permutation → requires proper masking
• Evaluating it in forward direction only → requires proper mode of use
• Goal: minimize permutation size
[Figure, left: the keyed duplex with r-bit rate and c-bit capacity, initialized from K, where each duplexing call pads σ_i, applies f and truncates to Z_i (τ_i ≤ r bits), one call after the other]
[Figure, right: the parallel construction, where each call out_i = P(in_i ⊕ mask_i) ⊕ mask_i is evaluated independently of the others]
7 / 14
What Mask?
Simplified Version of MEM [GJMN16]
• ϕ_1 is a fixed LFSR, ϕ_2 = ϕ_1 ⊕ id
• mask^{a,b}_K = ϕ_2^b ∘ ϕ_1^a ∘ P(K‖0^{n−k})
Features
• Constant-time
• Simple to implement
• More efficient than alternatives
8 / 14
[Figure: one masked permutation call, C = P(M ⊕ mask^{a,b}_K) ⊕ mask^{a,b}_K]
Elephant Authenticated Encryption Mode
Encryption
• Nonce N, padded to N‖0^{n−m}, is the input to all P calls
• K and counter in mask: block i uses mask^{i−1,0}_K
• Padding: M_1 … M_{ℓ_M} ←n— M (n-bit blocks, the last one zero-padded)
• C_i = M_i ⊕ P(N‖0^{n−m} ⊕ mask^{i−1,0}_K) ⊕ mask^{i−1,0}_K
• Ciphertext C ← ⌊C_1 … C_{ℓ_M}⌋_{|M|}
Authentication
• Padding: A_1 … A_{ℓ_A} ←n— N‖A‖1
• Padding: C_1 … C_{ℓ_C} ←n— C‖1
• K and counter in mask: A_i uses mask^{i−1,2}_K, C_i uses mask^{i−1,1}_K
• T = ⌊ ⊕_{i=1}^{ℓ_A} (P(A_i ⊕ mask^{i−1,2}_K) ⊕ mask^{i−1,2}_K) ⊕ ⊕_{i=1}^{ℓ_C} (P(C_i ⊕ mask^{i−1,1}_K) ⊕ mask^{i−1,1}_K) ⌋_t
• Tag T truncated to t bits
9 / 14
[Figure: three parallel rows of masked P calls: the A blocks with mask^{0,2}_K … mask^{ℓ_A−1,2}_K, the C blocks with mask^{0,1}_K … mask^{ℓ_C−1,1}_K, and N‖0^{n−m} with mask^{0,0}_K … mask^{ℓ_M−1,0}_K producing the keystream for M_1 … M_{ℓ_M}; the outputs of the A and C rows are XORed and truncated to t bits to give T, with mask^{a,b}_K = ϕ_2^b ∘ ϕ_1^a ∘ P(K‖0^{n−k})]
Elephant Authenticated Encryption Mode
Mode Properties
• Encrypt-then-MAC
• CTR encryption
• Wegman-Carter-Shoup style authentication
• Fully parallelizable
• Uses a single primitive P
• P in forward direction only
Mask Properties
• Mask can be easily updated:
• mask^{i,0}_K = ϕ_1 ∘ mask^{i−1,0}_K
• mask^{i−1,0}_K ⊕ mask^{i−1,1}_K = mask^{i,0}_K (since mask^{i−1,1}_K = ϕ_2(mask^{i−1,0}_K) = ϕ_1(mask^{i−1,0}_K) ⊕ mask^{i−1,0}_K)
10 / 14
[Figure: same diagram as on slide 9]
Security of Mode
Adv^{ae}_{Elephant}(A) ≲ 4σp / 2^n
• σ is the online complexity (number of n-bit blocks processed), p is the offline complexity (number of primitive evaluations)
• Assumptions:
  • P is a random permutation
  • ϕ_1 has maximal length and ϕ_2^b ∘ ϕ_1^a ≠ ϕ_2^{b'} ∘ ϕ_1^{a'} for (a, b) ≠ (a', b')
  • A is a nonce-based (nonce-respecting) adversary
Parameters of the NIST lightweight call can be met with a 160-bit permutation: with σ ≤ 2^50 bytes / 20 bytes ≈ 2^46 blocks and n = 160, the bound 4σp/2^n only reaches 1 at p ≈ 2^112
11 / 14
Instantiation
Dumbo
• Spongent-π[160]
• Minimalist design
• Time complexity 2^112
• Data complexity 2^46
Jumbo
• Spongent-π[176]
• Conservative design
• Time complexity 2^127
• Data complexity 2^46
• ISO/IEC standardized primitive
Delirium
• Keccak-f[200]
• High security
• Time complexity 2^127
• Data complexity 2^70
• NIST standardized primitive
12 / 14
Technical Specification of Instances

instance | k | m | n | t | P | ϕ_1 | expected security strength | limit on online complexity
Dumbo | 128 | 96 | 160 | 64 | 80-round Spongent-π[160] | ϕ_Dumbo | 2^112 | 2^50/(n/8)
Jumbo | 128 | 96 | 176 | 64 | 90-round Spongent-π[176] | ϕ_Jumbo | 2^127 | 2^50/(n/8)
Delirium | 128 | 96 | 200 | 128 | 18-round Keccak-f[200] | ϕ_Delirium | 2^127 | 2^74/(n/8)

(k = key bits, m = nonce bits, n = permutation width in bits, t = tag bits; the online limit is given in n-bit blocks, i.e. 2^50 resp. 2^74 bytes)
• All LFSRs operate on 8-bit words (⋘ is rotation within a byte, ≪ and ≫ are byte shifts; the directions of the two shifts, lost in extraction here, are taken from the Elephant specification):
ϕ_Dumbo : (x_0, …, x_19) ↦ (x_1, …, x_19, x_0 ⋘ 3 ⊕ x_3 ≪ 7 ⊕ x_13 ≫ 7)
ϕ_Jumbo : (x_0, …, x_21) ↦ (x_1, …, x_21, x_0 ⋘ 1 ⊕ x_3 ≪ 7 ⊕ x_19 ≫ 7)
ϕ_Delirium : (x_0, …, x_24) ↦ (x_1, …, x_24, x_0 ⋘ 1 ⊕ x_2 ⋘ 1 ⊕ x_13 ≪ 1)
• All have maximal length and ϕ_2^b ∘ ϕ_1^a ≠ ϕ_2^{b'} ∘ ϕ_1^{a'} for (a, b) ≠ (a', b')
13 / 14
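Slides 8 to 10 together with the LFSR on slide 13 determine the mode completely, so here is an added Python implementation of Elephant with the Dumbo parameters (n = 160, k = 128, m = 96, t = 64) and the ϕ_Dumbo LFSR. It is example code written for this transcript, not the authors' reference code. Two things are assumptions: the permutation P is a toy ARX bijection standing in for Spongent-π[160] (it has no security claim and merely keeps P a permutation that is only ever called in the forward direction, which is all the mode needs), and the byte-level conventions (the ‖1 padding realised as a 0x01 byte, the directions of the two byte shifts in ϕ_Dumbo) follow the published Elephant reference implementation; the domain-separation indices b follow the diagram on slide 9. The block shows what a practitioner cares about: masks are derived only from P(K‖0^{n−k}) and LFSR steps, the update identities of slide 10 hold, every P call is independent of the others, and decryption releases no plaintext unless the tag verifies.

```python
import hmac
import struct

# Dumbo parameters from slide 13: n = 160-bit permutation, k = 128-bit key,
# m = 96-bit nonce, t = 64-bit tag.  All sizes below are in bytes.
N_BYTES, K_BYTES, M_BYTES, T_BYTES = 20, 16, 12, 8

def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF

def toy_permutation(block: bytes) -> bytes:
    """ASSUMPTION / STAND-IN: a toy ARX bijection on 160 bits used instead of
    Spongent-pi[160].  It carries no security claim; it only lets the mode run.
    Each step overwrites one word with an invertible function of itself and the
    other words, so P really is a permutation, as the mode's analysis assumes."""
    s = list(struct.unpack("<5I", block))
    for rnd in range(12):
        for i in range(5):
            a, b, c = s[i], s[(i + 1) % 5], s[(i + 2) % 5]
            a = (a + b) & 0xFFFFFFFF
            a ^= _rotl32(c, 7)
            s[i] = _rotl32(a, 13) ^ rnd      # round constant breaks symmetry
    return struct.pack("<5I", *s)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def phi1_dumbo(x: bytes) -> bytes:
    """phi_Dumbo (slide 13): (x0..x19) -> (x1..x19, x0 <<< 3 ^ x3 << 7 ^ x13 >> 7)
    on 8-bit words.  Shift directions are taken from the Elephant reference
    implementation (assumption: the slide's glyphs were garbled in extraction)."""
    fb = (((x[0] << 3) | (x[0] >> 5)) ^ (x[3] << 7) ^ (x[13] >> 7)) & 0xFF
    return x[1:] + bytes([fb])

def phi2(x: bytes) -> bytes:
    return xor(phi1_dumbo(x), x)             # phi2 = phi1 xor id (slide 8)

def mask(key: bytes, a: int, b: int) -> bytes:
    """mask^{a,b}_K = phi2^b o phi1^a o P(K || 0^{n-k})  (slide 8)."""
    m = toy_permutation(key + bytes(N_BYTES - K_BYTES))
    for _ in range(a):
        m = phi1_dumbo(m)
    for _ in range(b):
        m = phi2(m)
    return m

def mask_properties_hold(key: bytes, i: int) -> bool:
    """The two update identities on slide 10, checked for index i >= 1."""
    return (mask(key, i, 0) == phi1_dumbo(mask(key, i - 1, 0))
            and xor(mask(key, i - 1, 0), mask(key, i - 1, 1)) == mask(key, i, 0))

def _blocks(data: bytes) -> list:
    """Split into n-bit blocks, zero-padding the last one (the '<-n-' on slide 9)."""
    return [data[i:i + N_BYTES].ljust(N_BYTES, b"\0") for i in range(0, len(data), N_BYTES)]

def _masked_p(block: bytes, m: bytes) -> bytes:
    return xor(toy_permutation(xor(block, m)), m)   # P(x ^ mask) ^ mask, forward P only

def _keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    n_in = nonce + bytes(N_BYTES - M_BYTES)          # N || 0^{n-m} feeds every P call
    nblocks = (nbytes + N_BYTES - 1) // N_BYTES      # l_M = ceil(|M| / n)
    return b"".join(_masked_p(n_in, mask(key, i, 0)) for i in range(nblocks))[:nbytes]

def _tag(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # Domain separation follows the diagram on slide 9: b = 2 for the A blocks,
    # b = 1 for the C blocks.  The '|| 1' padding is realised as a 0x01 byte, as in
    # the reference code (assumption: check against the spec version you target).
    t = bytes(N_BYTES)
    for i, blk in enumerate(_blocks(nonce + ad + b"\x01")):
        t = xor(t, _masked_p(blk, mask(key, i, 2)))
    for i, blk in enumerate(_blocks(ct + b"\x01")):
        t = xor(t, _masked_p(blk, mask(key, i, 1)))
    return t[:T_BYTES]                               # floor(T)_t

def encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes):
    """AE_K(N, A, M) -> (C, T): CTR encryption, then the Wegman-Carter-style tag."""
    assert len(key) == K_BYTES and len(nonce) == M_BYTES
    ct = xor(msg, _keystream(key, nonce, len(msg)))
    return ct, _tag(key, nonce, ad, ct)

def decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes):
    """AD_K(N, A, C, T): M if T is correct, None (bottom) otherwise.  The tag is
    checked first, in constant time, and no plaintext is produced on failure."""
    assert len(key) == K_BYTES and len(nonce) == M_BYTES
    if len(tag) != T_BYTES or not hmac.compare_digest(_tag(key, nonce, ad, ct), tag):
        return None
    return xor(ct, _keystream(key, nonce, len(ct)))

if __name__ == "__main__":
    key, nonce = bytes(range(16)), bytes(range(12))      # constructed sample inputs
    c, t = encrypt(key, nonce, b"header", b"attack at dawn")
    print(c.hex(), t.hex(), decrypt(key, nonce, b"header", c, t))
    print(decrypt(key, nonce, b"header", c, bytes(8)))   # None: forged tag rejected
```

Replacing `toy_permutation` with a real Spongent-π[160] turns this into Dumbo proper, provided the byte conventions match the specification; the known-answer tests shipped with the NIST submission are the way to confirm that. `mask(key, a, b)` recomputes from scratch for clarity, whereas a real implementation keeps mask^{i,0}_K in the state, steps it once per block, and obtains the b = 1 and b = 2 masks from the slide-10 identities with two XORs.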
Conclusion
Elephant
• Parallel lightweight AE with small state
• Mode: provably secure in random permutation model
• Primitives: standardized and well-studied
• Dumbo and Jumbo for hardware
• Delirium for software
Thank you for your attention!
14 / 14