SKINNY Block Ciphers and MANTIS (2016/660)

Abstract

We present a new tweakable block cipher family SKINNY, whose goal is to compete with NSA recent design SIMON in terms of hardware/software performances, while proving in addition much stronger security guarantees with regards to differential/linear attacks. In particular, unlike SIMON, we are able to provide strong bounds for all versions, and not only in the single-key model, but also in the related-key or related-tweak model. SKINNY has flexible block/key/tweak sizes and can also benefit from very efficient threshold implementations for side-channel protection. Regarding performances, it outperforms all known ciphers for ASIC round-based implementations, while still reaching an extremely small area for serial implementations and a very good efficiency for software and micro-controllers implementations (SKINNY has the smallest total number of AND/OR/XOR gates used for encryption process).

Secondly, we present MANTIS, a dedicated variant of SKINNY for low-latency implementations, that constitutes a very efficient solution to the problem of designing a tweakable block cipher for memory encryption. MANTIS basically reuses well understood, previously studied, known components. Yet, by putting those components together in a new fashion, we obtain a competitive cipher to PRINCE in latency and area, while being enhanced with a tweak input.

Key words: lightweight encryption, low-latency, tweakable block cipher, MILP.

1 — Introduction

Due to the increasing importance of pervasive computing, lightweight cryptography is currently a very active research domain in the symmetric-key cryptography community. In particular, we have recently seen the apparition of many lightweight block ciphers, hash functions and stream ciphers. While the term lightweight is not strictly defined, it most often refers to a primitive that allows compact implementations, i.e. minimizing the area required by the implementation. While the focus on area is certainly valid with many applications, most of them require additional performance criteria to be taken into account. In particular, the throughput of the primitive represents an important dimension for many applications. Besides that, power (in particular for passive RFID tags) and energy (for battery-driven device) may be major aspects.

Investigating the recent proposals in more detail, a major distinction is eye-catching and one can roughly split the proposals in two classes. The first class of ciphers uses very strong, but less efficient components (like the Sbox used in PRESENT [Bog+07] or LED [Guo+11], or the MDS diffusion matrix in LED or PICCOLO [Shi+11]). The second class of designs uses very efficient, but rather weak components (like the very small KATAN [CDK09] or SIMON [Bea+15] round function).

From a security viewpoint, the analysis of the members of the first class can be conducted much easily and it is usually possible to derive strong arguments for their security. However, while the second class strategy usually gives very competitive performance figures, it is much harder with state-of-the-art analysis techniques to obtain security guarantees even with regards to basic linear or differential cryptanalysis.

Of special interest, in this context, is the recent publication of the SIMON and SPECK family of block ciphers by the NSA [Bea+15]. Those ciphers brought a huge leap in terms of performances. However, even though SIMON or SPECK are quite elegant and seemingly well-crafted designs, these efficiency improvements came at an essential price: since the ciphers have a very light round function, their security bounds regarding classical linear or differential cryptanalysis are not so impressive, quite difficult to obtain or even non-existent. No bound is currently known in the related-key model for any version of SIMON.

It is therefore a major challenge for academic research to design a cipher that can compete with SIMON’s performances and additionally provides the essential strong security guarantees that SIMON is clearly lacking.

Lightweight Tweakable Block Ciphers and Side-Channel Protected Implementations

Tiny devices are more prone to be deployed into insecure environments and thus side-channel protected implementations of lightweight encryption primitives is a very important aspect. One extra protection against side-channel attacks can be the use of leakage resilient designs and notably through an extra tweak input of the cipher. Such tweakable block ciphers are rather rare, the only such candidate being Joltik-BC [Jea+15] or the internal cipher from SCREAM [Gro+15]. Coming up with a tweakable block cipher is indeed not an easy task as one must be extremely careful how to include this extra input that can be fully controlled by the attacker.

Low-Latency Implementations for Memory Encryption

One very interesting field in the area of lightweight cryptography is memory encryption. With a focus on data confidentiality, a tweakable block cipher in ECB mode would be the natural, straightforward solution. However, all generic methods to construct a tweakable block cipher from a block cipher suffer from an increased latency. Therefore, there is a clear need for lightweight tweakable block ciphers which do not require whitening value derivation, have a latency similar to the best non-tweakable block ciphers, and that can also be used in modes of operation that do not require memory expansion and offer beyond-birthday-bound security.

Our Contributions

Our contributions are twofold. First, we introduce a new lightweight family of block ciphers: SKINNY. Our goal here is to provide a competitor to SIMON in terms of hardware/software performances, while proving in addition much stronger security guarantees with regard to differential/linear attacks. Second, we present MANTIS, a dedicated variant of SKINNY that constitutes a very efficient solution to the problem of designing a tweakable block cipher for memory encryption.

Regarding SKINNY, we have pushed further the recent trend of having a SPN cipher with locally non-optimal internal components: SKINNY is an SPN cipher that uses a compact Sbox, a new very sparse diffusion layer, and a new very light key schedule. Yet, by carefully choosing our components and how they interact, our construction manages to retain very strong security guarantees. For all the SKINNY versions, we are able to prove using mixed integer linear programming (MILP) very strong bounds with respect to differential/linear attacks, not only in the single-key model, but also in the much more involved related-key model.

With regard to performance, SKINNY reaches very small area with serial ASIC implementations, yet it is actually the very first block cipher that leads to better performances than SIMON for round-based ASIC implementations. We also exhibit ASIC threshold implementations of our SKINNY variants that compare very favourably to AES-128 threshold implementations.

2 — Specifications of SKINNY

The lightweight block ciphers of the SKINNY family have 64-bit and 128-bit block versions and we denote n the block size. In both n = 64 and n = 128 versions, the internal state is viewed as a 4 \times 4 square array of cells, where each cell is a nibble (in the n = 64 case) or a byte (in the n = 128 case).

SKINNY follows the TWEAKEY framework from [JNP14] and thus takes a tweakey input instead of a key or a pair key/tweak. The family has three main tweakey size versions: for a block size n, we propose versions with tweakey size t = n, t = 2n and t = 3n, and we denote z = t/n the tweakey size to block size ratio.

Initialization

The cipher receives a plaintext m = m_0 \| m_1 \| \cdots \| m_{14} \| m_{15} , where the m_i are s-bit cells, with s = n/16. The initialization of the cipher’s internal state is performed by simply setting IS_i = m_i for 0 \le i \le 15:

IS = \begin{bmatrix} m_0 & m_1 & m_2 & m_3 \\ m_4 & m_5 & m_6 & m_7 \\ m_8 & m_9 & m_{10} & m_{11} \\ m_{12} & m_{13} & m_{14} & m_{15} \end{bmatrix}

The state is loaded row-wise rather than in the column-wise fashion we have come to expect from the AES; this is a more hardware-friendly choice.

Number of Rounds

Table 1. Number of rounds for SKINNY-n-t, with n-bit internal state and t-bit tweakey state.

Block size n	t = n	t = 2n	t = 3n
64	32 rounds	36 rounds	40 rounds
128	40 rounds	48 rounds	56 rounds

The Round Function

One encryption round of SKINNY is composed of five operations in the following order: SubCells, AddConstants, AddRoundTweakey, ShiftRows and MixColumns. No whitening key is used in SKINNY.

SubCells

An s-bit Sbox is applied to every cell of the cipher internal state. For s=4, SKINNY uses an Sbox \mathcal{S}_4 very close to the PICCOLO Sbox [Shi+11].

Table 2. 4-bit Sbox \mathcal{S}_4 used in SKINNY when s=4.

x	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
\mathcal{S}_4[x]	c	6	9	0	1	a	2	b	3	8	5	d	4	e	7	f
\mathcal{S}_4^{-1}[x]	3	4	6	8	c	a	1	e	9	2	5	7	0	b	d	f

\mathcal{S}_4 can be described with four NOR and four XOR operations. If x_0, x_1, x_2, x_3 represent the four input bits (x_0 being the least significant bit), one applies:

(x_3, x_2, x_1, x_0) \to (x_3, x_2, x_1, x_0 \oplus (\overline{x_3 \vee x_2}))

followed by a left shift bit rotation. This process is repeated four times, except for the last iteration where the bit rotation is omitted.

For s = 8, SKINNY uses an 8-bit Sbox \mathcal{S}_8 built in a similar manner. It applies:

(x_7, x_6, x_5, x_4, x_3, x_2, x_1, x_0) \to (x_7, x_6, x_5, x_4 \oplus (\overline{x_7 \vee x_6}), x_3, x_2, x_1, x_0 \oplus (\overline{x_3 \vee x_2}))

followed by the bit permutation:

(x_7, x_6, x_5, x_4, x_3, x_2, x_1, x_0) \longrightarrow (x_2, x_1, x_7, x_6, x_4, x_0, x_3, x_5)

repeating four times, except for the last iteration where there is just a bit swap between x_1 and x_2.

AddConstants

A 6-bit affine LFSR, whose state is denoted (rc_5, rc_4, rc_3, rc_2, rc_1, rc_0) , is used to generate round constants. Its update function is:

(rc_5 \| rc_4 \| rc_3 \| rc_2 \| rc_1 \| rc_0) \to (rc_4 \| rc_3 \| rc_2 \| rc_1 \| rc_0 \| rc_5 \oplus rc_4 \oplus 1)

The round constants for each round (encoded as byte values):

Rounds	Constants
1–16	01, 03, 07, 0F, 1F, 3E, 3D, 3B, 37, 2F, 1E, 3C, 39, 33, 27, 0E
17–32	1D, 3A, 35, 2B, 16, 2C, 18, 30, 21, 02, 05, 0B, 17, 2E, 1C, 38
33–48	31, 23, 06, 0D, 1B, 36, 2D, 1A, 34, 29, 12, 24, 08, 11, 22, 04
49–62	09, 13, 26, 00, 19, 32, 25, 0A, 15, 2A, 14, 28, 10, 20

AddRoundTweakey

The first and second rows of all tweakey arrays are extracted and bitwise exclusive-ored to the cipher internal state. Then, the tweakey arrays are updated. First, a permutation P_T is applied on the cell positions of all tweakey arrays:

P_T = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]

Then, every cell of the first and second rows of TK2 and TK3 are individually updated with an LFSR. The LFSRs used are:

Table 3. LFSRs used in SKINNY for tweakey state updates.

TK	s	LFSR
TK2	4	(x_3\, x_2\, x_1\, x_0) \to (x_2\, x_1\, x_0\, x_3 \oplus x_2)
TK2	8	(x_7 \ldots x_0) \to (x_6\, x_5\, x_4\, x_3\, x_2\, x_1\, x_0\, x_7 \oplus x_5)
TK3	4	(x_3\, x_2\, x_1\, x_0) \to (x_0 \oplus x_3\, x_3\, x_2\, x_1)
TK3	8	(x_7 \ldots x_0) \to (x_0 \oplus x_6\, x_7\, x_6\, x_5\, x_4\, x_3\, x_2\, x_1)

ShiftRows

As in AES, the rows of the cipher state cell array are rotated, but they are to the right. The second, third, and fourth cell rows are rotated by 1, 2 and 3 positions to the right, respectively. The permutation is:

P = [0, 1, 2, 3, 7, 4, 5, 6, 10, 11, 8, 9, 13, 14, 15, 12]

MixColumns

Each column of the cipher internal state array is multiplied by the binary matrix:

\mathbf{M} = \begin{pmatrix} 1 & 0 & 1 & 1 \\ 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 \\ 1 & 0 & 1 & 0 \end{pmatrix}

Decryption is very similar to encryption as all cipher components have very simple inverses (SubCells and MixColumns are based on a generalized Feistel structure).

3 — Rationale of SKINNY

Several design choices of SKINNY have been borrowed from existing ciphers, but most of our components are new, optimized for our goal: a cipher well suited for most lightweight applications. When designing SKINNY, one of our main criteria was to only add components which are vital for the security of the primitive, removing any unnecessary operation (hence the name of our proposal).

3.1 — Estimating Area and Performances

We describe an estimation in Gate Equivalent (GE) of the ASIC area cost of several simple bit operations (for UMC 180nm 1.8 V [VS04]): a NOR/NAND gate costs 1 GE, an OR/AND gate costs 1.33 GE, a XOR/XNOR gate costs 2.67 GE, and a NOT gate costs 0.67 GE. One memory bit can be estimated to 6 GE (scan flip-flop).

We distinguish between a serial implementation, a round-based implementation and a low-latency implementation. In the latter, the entire ciphering process is performed in a single clock cycle. For a round-based implementation, an entire round is performed in a single clock cycle. In a serial implementation, one reduces the datapath to the minimum.

3.2 — General Design and Components Rationale

A first and important decision was to choose between a Substitution-Permutation Network (SPN), or a Feistel network. We started from an SPN construction as it is generally easier to provide stronger bounds on the number of active Sboxes. There is actually a dual bit-sliced view of SKINNY that resembles some generalized Feistel network.

SubCells. The choice of the Sbox is a crucial decision. For the 4-bit case, we designed a tool that searches for the most compact candidate with minimal security guarantees: maximal differential transition probability of 2^{-2} and maximal absolute linear bias of 2^{-2}. Our Sbox \mathcal{S}_4 can be implemented with only 12 GE. In comparison, the PRESENT Sbox requires 27.32 GE (or 34.69 GE without special gates).

For the 8-bit Sbox \mathcal{S}_8, the total area cost is 24 GE. In comparison, the AES Sbox requires 198 GE.

ShiftRows and MixColumns. Competing with SIMON’s impressive hardware performance required choosing an extremely sparse diffusion layer. The binary matrix \mathbf{M} has only differential or linear branching number of two. However, \mathbf{M} is designed such that when a branching-two differential transition occurs, the next round will likely lead to a much higher branching number. We can prove at least 96 active Sboxes for 20 rounds.

3.3 — Comparing Differential Bounds

Table 4. Proved bounds on the minimal number of differential active Sboxes for SKINNY-64-128 and various lightweight 64-bit block 128-bit key ciphers.

Cipher	Model	4	8	12	16
SKINNY (36 rds)	SK	8	36	55	75
SKINNY (36 rds)	TK2	0	6	21	40
LED (48 rds)	SK	25	50	75	100
LED (48 rds)	TK2	0	0	25	50
PICCOLO (31 rds)	SK	14	36	54	72
PICCOLO (31 rds)	TK2	0	5	18	32

Table 5. Comparison between AES-128 and SIMON/SKINNY versions for the proportion of total number of rounds needed to provide a sufficiently good differential characteristic probability bound.

Cipher	Single Key	Related Key
SKINNY-64-128	8/36 = 0.22	15/36 = 0.42
SIMON-64-128	19/44 = 0.43	no bound known
SKINNY-128-128	15/40 = 0.37	19/40 = 0.47
SIMON-128-128	41/68 = 0.60	no bound known
AES-128	4/10 = 0.40	6/10 = 0.60

3.4 — Comparing Theoretical Performance

SIMON and SKINNY compare very favorably to other candidates, both in terms of number of operations and theoretical area grade for round-based implementations. SKINNY has the best theoretical profile among all the candidates, even better than SIMON for area. For speed efficiency, SKINNY outperforms SIMON when the key schedule is taken into account.

4 — Security Analysis

We provide an in-depth analysis of the security of the SKINNY family of block ciphers. We do not claim any security in the chosen-key or known-key model, but we do claim security in the related-key model.

4.1 — Differential/Linear Cryptanalysis

We computed lower bounds on the minimal number of active Sboxes, both in the single-key and related-tweakey model using MILP.

Table 7. Lower bounds on the number of active Sboxes in SKINNY (selected rounds). Upper bounds in parentheses where MILP optimization was too long.

Model	5	10	15	20	25	30
SK	12	46	66	96	(124)	(158)
TK1	3	23	49	70	88	(120)
TK2	1	12	35	57	75	96
TK3	0	6	24	45	60	85
SK Lin	13	43	64	–	–	–

4.2 — Meet-in-the-Middle Attacks

Partial-matching cannot work if the number of rounds reaches full diffusion rounds in each direction. For SKINNY, full diffusion is achieved after 6 rounds forwards and backwards. Partial-matching works at most (6-1)+(6-1)=10 rounds. The initial structure works up to 6+2-1=7 rounds. Splice-and-cut may extend up to 6-1=5 rounds. In total, meet-in-the-middle attack may work up to 10+7+5=22 rounds. Consequently, the 32+ rounds of SKINNY provides a reasonable security margin.

4.3 — Impossible Differential Attacks

We searched for impossible differential characteristics with the miss-in-the-middle technique. The longest impossible differential characteristics reach 11 rounds (16 such characteristics in total). Several rounds can be appended before and after the 11-round characteristic. When the block size and key size are the same, two rounds and three rounds can be appended before and after respectively, making a 16-round key recovery. Data, time, and memory complexities reach 2^{88.5} for SKINNY-128 with 128-bit key and 2^{41.5} for SKINNY-64 with 64-bit key.

4.4 — Integral Attacks

Integral attacks consider the following four multiset properties: All (A) – all values appear equally; Balanced (B) – the XOR sum is 0; Constant (C) – fixed through the multiset; Unknown (U) – no particular property.

An active cell in any of the third row yields two cells satisfying the A property after seven rounds. The property can be extended by 4 rounds backwards by activating 12 cells, yielding a 10-round integral distinguisher. One can append 4 rounds after the distinguisher to make a 14-round key-recovery attack.

4.5 — Slide Attacks

In SKINNY, the distinction between rounds is ensured by the AddConstants operation, so straightforward slide attacks cannot be applied. Using MILP, the lower bounds on active Sboxes for slid pairs reach 36 after 11 rounds and 41 after 12 rounds. These bounds are not tight. We expect that slide attacks do not threaten the security of SKINNY.

4.6 — Subspace Cryptanalysis

Invariant subspace cryptanalysis makes use of affine subspaces that are invariant under the round function. For SKINNY, the non-trivial key-scheduling already provides a good protection. We checked that no invariant subspaces exist for the Sbox. Moreover, for the 8-bit Sbox, affine subspaces of dimension larger than two that get mapped to different affine subspaces can be chained only for a very small number of rounds.

4.7 — Algebraic Attacks

The Sboxes \mathcal{S}_4 and \mathcal{S}_8 have algebraic degree a = 3 and a = 6 respectively. For all SKINNY variants, we have a \cdot 26 \cdot \lfloor r/7 \rfloor \gg n . The entire system for a fixed-key SKINNY-64-64 permutation consists of 10752 quadratic equations in 4096 variables (compared to 6400 equations in 2560 variables for AES), indicating that SKINNY offers a high level of protection.

5 — Implementations, Performance and Comparison

5.1 — ASIC Implementations

Table 10. Area breakdown for round-based implementations of SKINNY (in GE).

Component	64/64	64/128	64/192	128/128	128/256	128/384
Key Schedule	384	789	1195	768	1557	2347
Round Function	839	907	988	1623	1755	1921
Total	1223	1696	2183	2391	3312	4268

Table 11. Round-based implementations compared with other lightweight ciphers.

Cipher	Area (GE)	Cycles	Tput @100KHz
SKINNY-64-64	1223	32	200.00 KBit/s
SKINNY-64-128	1696	36	177.78 KBit/s
SKINNY-128-128	2391	40	320.00 KBit/s
SKINNY-128-256	3312	48	266.67 KBit/s
SIMON-64-128	1751	46	145.45 KBit/s
SIMON-128-128	2342	70	188.24 KBit/s
PRESENT-64-128	1884	32	200.00 KBit/s

Threshold Implementation. First-order Threshold Implementations of all variants of SKINNY were realized, requiring zero fresh randomness. Results for SKINNY-128-128: 3780 GE (compared to 11114 GE or 8119 GE for AES-128).

5.2 — FPGA Implementations

Table 16. High-throughput FPGA implementations on Virtex-7 XC7VX330T.

Cipher	LUT	FF	MHz	Tput (GBit/s)
SKINNY-64-64	3101	4000	403.88	25.85
SKINNY-128-128	13389	10048	320.10	40.97
SKINNY-128-256	17037	18048	355.62	45.52
SKINNY-128-384	21966	28096	356.51	45.63

5.3 — Software Implementations

Table 18. Bit-sliced implementations (cycles per byte, with pre-expanded subkeys).

Cipher	Haswell (cpb)	Skylake (cpb)
SKINNY-64-128	2.58	2.48
SIMON-64-128	1.58	1.51
SKINNY-128-128	3.78	3.43
SIMON-128-128	2.38	2.21

5.4 — Micro-Controller Implementations

Table 20. Implementation figures for SKINNY-128-128 on an ATmega644.

Cycles/byte	RAM	ROM
222	576	676
257	287	616
297	31	774
328	31	594

SIMON-128-128 on the same platform: 337 cycles/byte with 510 bytes ROM and 544 bytes RAM. SKINNY-128-128 can be significantly faster while offering different RAM/ROM tradeoffs.

6 — The Low-Latency Tweakable Block Cipher MANTIS

MANTIS is a tweakable block cipher design optimized for low-latency implementations. PRINCE already provides a very good starting point. MANTIS basically reuses well understood, previously studied, known components. By putting those components together in a new fashion, we obtain a cipher competitive to PRINCE in latency and area, while being enhanced with a tweak.

\texttt{MANTIS}_r has a 64-bit block length and works with a 128-bit key and 64-bit tweak. The parameter r specifies the number of rounds of one half of the cipher.

6.1 — Description of the Cipher

\texttt{MANTIS}_r is based on the FX-construction [KR96]. The 128-bit key is split into k = k_0 \| k_1 with 64-bit subkeys, then extended to the 192-bit key:

(k_0 \| k_0' \| k_1) := (k_0 \| (k_0 \gg 1) \oplus (k_0 \gg 63) \| k_1)

SubCells. The involutory MIDORI Sbox Sb_0 is applied to every cell.

Table 21. 4-bit involutory MIDORI Sbox Sb_0 used in MANTIS.

x	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
Sb_0[x]	c	a	d	3	e	b	f	7	8	9	1	5	0	2	4	6

AddRoundTweakey. The tweak permutation h is defined as:

h = [6, 5, 14, 15, 0, 1, 2, 3, 7, 12, 13, 4, 8, 9, 10, 11]

PermuteCells. The cells are permuted according to the MIDORI permutation:

P = [0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]

MixColumns. Each column is multiplied by the involutory binary matrix used in MIDORI:

\mathbf{M} = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}

Encryption. With H_r denoting the application of r rounds plus one SubCells layer:

\textbf{Enc}_{(k_0,k_0',k_1)}(\cdot,T) = \texttt{AddTweakey}_{k_0' \oplus k_1 \oplus \alpha \oplus T} \circ H_r^{-1}(\cdot,T,k_1 \oplus \alpha) \circ \texttt{MixColumns} \circ H_r(\cdot,T,k_1) \circ \texttt{AddTweakey}_{k_0 \oplus k_1 \oplus T}

Decryption. \textbf{Enc}^{-1}_{(k_0,k_0',k_1)}(\cdot,T) = \textbf{Enc}_{(k_0',k_0,k_1 \oplus \alpha)}(\cdot,T) because of the \alpha-reflection property.

6.2 — Design Rationale

MANTIS is designed as a reflection cipher such that encryption under a key k equals decryption under a related key, significantly reducing the implementation overhead for decryption. The diffusion layer (from MIDORI) provides full diffusion after only three rounds. The MIDORI Sbox has significantly smaller latency than the PRINCE Sbox. The tweak permutation h was chosen so that five rounds (plus one SubCells layer) guarantee at least 16 active Sboxes in the related-tweak setting.

Security Claim. For \texttt{MANTIS}_7, any adversary with 2^n chosen plain/ciphertext pairs under chosen tweaks (fixed unknown key) needs at least 2^{126-n} calls to the encryption function to recover the secret key. For \texttt{MANTIS}_5, no related-tweak attack is possible with less than 2^{30} chosen or 2^{40} known plaintext/ciphertext pairs.

6.3 — Security Analysis

Table 23. Lower bounds on the number of active Sboxes for MANTIS.

Model	r=2	r=3	r=4	r=5	r=6	r=7	r=8
Linear	14	32	46	62	70	76	82
Related Tweak	6	12	20	34	44	50	56

6.4 — Implementations

Table 24. Unrolled implementations of MANTIS constrained for smallest area (encryption & decryption).

Cipher	Area (GE)	Delay (ns)
\texttt{MANTIS}_5	8544	15.95
\texttt{MANTIS}_6	9861	17.60
\texttt{MANTIS}_7	11209	20.50
\texttt{MANTIS}_8	12533	21.34
PRINCE	8344	16.00

Table 25. Unrolled implementations of MANTIS constrained for shortest delay.

Cipher	Area (GE)	Delay (ns)
\texttt{MANTIS}_5	13424	9.00
\texttt{MANTIS}_7	23926	11.00
PRINCE	17693	9.00

Appendix A — 8-bit Sbox for SKINNY-128

The complete 8-bit Sbox \mathcal{S}_8 in hexadecimal notation:

S8[256] = {
  0x65, 0x4c, 0x6a, 0x42, 0x4b, 0x63, 0x43, 0x6b,
  0x55, 0x75, 0x5a, 0x7a, 0x53, 0x73, 0x5b, 0x7b,
  0x35, 0x8c, 0x3a, 0x81, 0x89, 0x33, 0x80, 0x3b,
  0x95, 0x25, 0x98, 0x2a, 0x90, 0x23, 0x99, 0x2b,
  0xe5, 0xcc, 0xe8, 0xc1, 0xc9, 0xe0, 0xc0, 0xe9,
  0xd5, 0xf5, 0xd8, 0xf8, 0xd0, 0xf0, 0xd9, 0xf9,
  0xa5, 0x1c, 0xa8, 0x12, 0x1b, 0xa0, 0x13, 0xa9,
  0x05, 0xb5, 0x0a, 0xb8, 0x03, 0xb0, 0x0b, 0xb9,
  0x32, 0x88, 0x3c, 0x85, 0x8d, 0x34, 0x84, 0x3d,
  0x91, 0x22, 0x9c, 0x2c, 0x94, 0x24, 0x9d, 0x2d,
  0x62, 0x4a, 0x6c, 0x45, 0x4d, 0x64, 0x44, 0x6d,
  0x52, 0x72, 0x5c, 0x7c, 0x54, 0x74, 0x5d, 0x7d,
  0xa1, 0x1a, 0xac, 0x15, 0x1d, 0xa4, 0x14, 0xad,
  0x02, 0xb1, 0x0c, 0xbc, 0x04, 0xb4, 0x0d, 0xbd,
  0xe1, 0xc8, 0xec, 0xc5, 0xcd, 0xe4, 0xc4, 0xed,
  0xd1, 0xf1, 0xdc, 0xfc, 0xd4, 0xf4, 0xdd, 0xfd
}

Appendix B — Test Vectors

B.1 — Test Vectors for SKINNY

/* Skinny-64-64 */
Key:        f5269826fc681238
Plaintext:  06034f957724d19d
Ciphertext: bb39dfb2429b8ac7

/* Skinny-64-128 */
Key:        9eb93640d088da63
            76a39d1c8bea71e1
Plaintext:  cf16cfe8fd0f98aa
Ciphertext: 6ceda1f43de92b9e

/* Skinny-64-192 */
Key:        ed00c85b120d6861
            8753e24bfd908f60
            b2dbb41b422dfcd0
Plaintext:  530c61d35e8663c3
Ciphertext: dd2cf1a8f330303c

/* Skinny-128-128 */
Key:        4f55cfb0520cac52fd92c15f37073e93
Plaintext:  f20adb0eb08b648a3b2eeed1f0adda14
Ciphertext: 22ff30d498ea62d7e45b476e33675b74

/* Skinny-128-256 */
Key:        009cec81605d4ac1d2ae9e3085d7a1f3
            1ac123ebfc00fddcf01046ceeddfcab3
Plaintext:  3a0c47767a26a68dd382a695e7022e25
Ciphertext: b731d98a4bde147a7ed4a6f16b9b587f

/* Skinny-128-384 */
Key:        df889548cfc7ea52d296339301797449
            ab588a34a47f1ab2dfe9c8293fbea9a5
            ab1afac2611012cd8cef952618c3ebe8
Plaintext:  a3994b66ad85a3459f44e92b08f550cb
Ciphertext: 94ecf589e2017c601b38c6346a10dcfa

B.2 — Test Vectors for MANTIS

/* MANTIS5 */
Key:        92f09952c625e3e9 d7a060f714c0292b
Tweak:      ba912e6f1055fed2
Plaintext:  3b5c77a4921f9718
Ciphertext: d6522035c1c0c6c1

/* MANTIS7 */
Key:        92f09952c625e3e9 d7a060f714c0292b
Tweak:      ba912e6f1055fed2
Plaintext:  60e43457311936fd
Ciphertext: 308e8a07f168f517

Appendix C — Comparing Theoretical Performance of Lightweight Ciphers

SKINNY-64-128. The round function uses 1 NOR and 2.25 XOR gates per bit of internal state. The tweakey schedule uses 0.625 XOR per bit. Total: 1 NOR + 2.875 XOR per bit per round.

SIMON-64-128. The round function uses 0.5 AND and 1.5 XOR per bit. The key schedule uses 1.5 XOR per bit. Total: 0.5 AND + 3.0 XOR per bit per round.

AES-128. The round function uses 4.25 NOR and 16 XOR per bit. The key schedule uses 1.06 NOR and 3.5 XOR per bit. Total: 5.31 NOR + 19.5 XOR per bit per round.

Appendix D — Computing Active S-Boxes using MILP and Diffusion Test

To evaluate the resistance against differential cryptanalysis, we rely on mixed-integer linear programming (MILP). The goal is to minimize the number of active Sboxes in a given number of rounds.

Constraints for XOR. We define by \mathcal{C}_\oplus[i_1, i_2, o, d] the set of linear constraints:

\{i_1 \le d\} \cup \{i_2 \le d\} \cup \{o \le d\} \cup \{i_1 + i_2 + o \ge 2d\}

SK Model: Minimize \sum_{i,j \in \mathbb{Z}_4} \sum_{k \in \mathbb{Z}_r} \bar{x}_{i,j,k} subject to the non-trivial solution constraint and the linear layer application constraints.

TK2 and TK3 Models. The key contribution is modeling the extracted property of the TWEAKEY update. For a given cell position, cancellation between tweakey states occurs at most once within 30 rounds for TK2 and at most twice for TK3 (since the LFSR has cycle length 15). This is modeled using LANE variables with appropriate inequality constraints.

Diffusion Test. SKINNY-64 and SKINNY-128 achieve full diffusion after 6 rounds, both in forward direction and for the inverse.

References

[Ban+15] Banik, S. et al.: Midori: A Block Cipher for Low Energy. ASIACRYPT 2015.
[Bea+13] Beaulieu, R. et al.: The SIMON and SPECK families of lightweight block ciphers. ePrint/2013/404 (2013).
[Bea+15] Beaulieu, R. et al.: SIMON and SPECK: Block ciphers for the internet of things. ePrint/2015/585 (2015).
[Ben+13] Benadjila, R. et al.: Implementing lightweight block ciphers on x86 architectures. SAC 2013.
[BBS99] Biham, E. et al.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. EUROCRYPT 1999.
[Bil+15a] Bilgin, B. et al.: Trade-Offs for Threshold Implementations Illustrated on AES. IEEE Trans. on CAD 34(7) (2015).
[Bil+15b] Bilgin, B. et al.: Threshold Implementations of Small S-boxes. Cryptography and Communications 7(1) (2015).
[Bog+07] Bogdanov, A. et al.: PRESENT: An ultra-lightweight block cipher. CHES 2007.
[BR10] Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: Cryptanalysis of KTANTAN. SAC 2010.
[Bor+12] Borghoff, J. et al.: PRINCE – A low-latency block cipher for pervasive computing applications. ASIACRYPT 2012.
[BC16] Boura, C., Canteaut, A.: Another View of the Division Property. CRYPTO 2016.
[Bou+15] Boura, C. et al.: Reflection ciphers. Designs, Codes and Cryptography (2015).
[CDK09] Canniere, C.D. et al.: KATAN and KTANTAN – a family of small and efficient hardware-oriented block ciphers. CHES 2009.
[Can+15] Canteaut, A. et al.: Construction of Lightweight S-Boxes using Feistel and MISTY structures. ePrint/2015/711 (2015).
[CE85] Chaum, D., Evertse, J.: Cryptanalysis of DES with a reduced number of rounds. CRYPTO 1985.
[DKR97] Daemen, J. et al.: The block cipher Square. FSE 1997.
[Dae+00] Daemen, J. et al.: Nessie Proposal: the Block Cipher Noekeon. Nessie submission (2000).
[Ger+13] Gerard, B. et al.: Block ciphers that are easier to mask: How far can we go? CHES 2013.
[Gra+16] Grassi, L. et al.: Subspace Trail Cryptanalysis and its Applications to AES. ePrint/2016/592 (2016).
[Guo+11] Guo, J. et al.: The LED block cipher. CHES 2011.
[HT13] Henson, M., Taylor, S.: Memory encryption: A survey of existing techniques. ACM Comput. Surv. 46(4) (2013).
[JNP14] Jean, J. et al.: Tweaks and keys for block ciphers: The TWEAKEY framework. ASIACRYPT 2014.
[Jea+15] Jean, J. et al.: Joltik v1.3 (2015). CAESAR competition submission.
[Kho+14] Khoo, K. et al.: FOAM: Searching for hardware-optimal SPN structures and components with a fair comparison. CHES 2014.
[KR96] Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. CRYPTO 1996.
[KW02] Knudsen, L.R., Wagner, D.: Integral cryptanalysis. FSE 2002.
[Kol+15] Kolbl, S. et al.: Observations on the SIMON block cipher family. CRYPTO 2015.
[Kra+16] Kranz, T. et al.: Linear Cryptanalysis: On Key Schedules and Tweakable Block Ciphers. Preprint (2016).
[Mor+11] Moradi, A. et al.: Pushing the Limits: A Very Compact and a Threshold Implementation of AES. EUROCRYPT 2011.
[MS16] Moradi, A., Schneider, T.: Side-Channel Analysis Protection and Low-Latency in Action. ePrint/2016/481 (2016).
[Mou+11] Mouha, N. et al.: Differential and linear cryptanalysis using mixed-integer linear programming. Inscrypt 2011.
[NIST] National Institute of Standards and Technology: Recommendation for Key Management – NIST SP-800-57 Part 3 Revision 1.
[Nik+11] Nikova, S. et al.: Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. J. Cryptology 24(2) (2011).
[PS15] Peyrin, T., Seurin, Y.: Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers. ePrint/2015/1049 (2015).
[Pir+12] Piret, G. et al.: PICARO – a block cipher allowing efficient higher-order side-channel resistance. ACNS 2012.
[Pos+11] Poschmann, A. et al.: Side-Channel Resistant Crypto for Less than 2,300 GE. J. Cryptology 24(2) (2011).
[PT11] Preneel, B., Takagi, T., eds.: CHES 2011. LNCS vol. 6917, Springer, 2011.
[Sas11] Sasaki, Y.: Meet-in-the-middle preimage attacks on AES hashing modes. FSE 2011.
[Shi+11] Shibutani, K. et al.: Piccolo: An ultra-lightweight blockcipher. CHES 2011.
[Sta+07] Standaert, F.X. et al.: FPGA implementations of the ICEBERG block cipher. INTEGRATION 40(1) (2007).
[Sta+02] Standaert, F.X. et al.: Efficient FPGA Implementations of Block Ciphers KHAZAD and MISTY1. Third NESSIE Workshop (2002).
[Sun+13] Sun, S. et al.: Automatic security evaluation of block ciphers with S-BP structures against related-key differential attacks. Inscrypt 2013.
[Suz+12] Suzaki, T. et al.: TWINE: A lightweight block cipher for multiple platforms. SAC 2012.
[Tod15] Todo, Y.: Structural evaluation by generalized integral property. EUROCRYPT 2015.
[Gro+15] Vincent Grosso et al.: SCREAM v3 (2015). CAESAR competition submission.
[VS04] Virtual Silicon Inc.: 0.18 um VIP Standard Cell Library (2004).
[WB11] Williams, P., Boivie, R.: CPU Support for Secure Executables. TRUST 2011.
[Win15] Wingers, L.: Software for SUPERCOP Benchmarking of SIMON and SPECK. GitHub (2015).