ORANGE-Zest Mode of Authenticated Encryption
Optimum RAte spoNGE, abbreviated ORANGE, is an authenticated encryption and sponge hash scheme that can be based on any permutation. It employs sponge-based encryption and hashing that absorb data at the optimum rate. The ORANGE-based AE is named ORANGE-Zest.
Mode Specification
The mode for ORANGE-Zest is a close variant of sponge with full state absorption. Full state absorption is possible because we hold another state of 128 bits, which is a part of the output of the previous execution of the underlying permutation. We use this dynamic secret state to mask a part of the ciphertext. This mode can be easily generalized to a design based on a permutation with a 2n-bit state. In our case, n = 128. To summarize the performance of our AE mode, it has a 3n-bit state with a 2n-bit rate. To process a 2n-bit block, we apply a 4n-bit XOR in addition to one permutation call. The design of ORANGE is expected to provide privacy and confidentiality against all adversaries running in time 2^128 (i.e. making 2^128 permutation calls) and having at most 2^64 data. For further details see the submitted specs. For software implementation see implementation.
Permutation
The construction uses PHOTON256 as the underlying permutation. Among the existing 256-bit permutations, PHOTON256 is one of the lightest designs in the literature. It has been well studied and well analyzed. Moreover, PHOTON256 is also a part of the ISO/IEC 29192-5 standard, which deals specifically with lightweight cryptography. The details of PHOTON256 can be found here.
Security
The security levels of our recommended instantiations are presented in the table below.
| Security model | | |
|---|---|---|
| IND-CPA | 64 | 128 |
| INT-CTXT | 64 | 128 |
Design Rationale
1. Choice of Mode: Our primary goal is to design a lightweight cipher that has optimum throughput. No sponge variant known so far can absorb message at the rate of the state of the permutation. Our design achieves this at the cost of an additional state, so it is optimum in rate. We also use a JH variant of the hash, which absorbs much more data than the classical sponge hash.
2. Need of an additional state: A b-bit permutation with an r-bit rate leaks r bits of information about the permutation outputs. So when r = b, the entire state value would be leaked and the key can be computed easily. Thus we need an additional state to keep some amount of secret. We find that a 128-bit additional state (chosen dynamically) provides the desired security.
3. Choice of the Permutation: PHOTON is an ISO-standard lightweight permutation that also provides a sufficient level of security.
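The leakage argument in item 2, as an added example that is not code from the ORANGE submission: with r = b, one known plaintext block exposes the whole permutation output, and since the permutation is public and invertible the initial state (key and nonce) follows. Assumptions: a toy Feistel permutation stands in for PHOTON256, the masking step is a simplified model and not the ORANGE-Zest feedback function, and all function names are hypothetical.

```python
import hashlib

N = 16  # n = 128 bits; the toy permutation state is 2n = 256 bits

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(i, half):
    # Round function of the stand-in permutation (assumption: NOT PHOTON256).
    return hashlib.sha256(bytes([i]) + half).digest()[:N]

def perm(s):
    # 4-round Feistel network: a public, invertible 256-bit permutation.
    l, r = s[:N], s[N:]
    for i in range(4):
        l, r = r, xor(l, _f(i, r))
    return l + r

def perm_inv(s):
    l, r = s[:N], s[N:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(i, l)), l
    return l + r

def full_rate_block(key, nonce, msg):
    # r = b: the entire permutation output is used as keystream.
    return xor(msg, perm(key + nonce))

def masked_block(key, nonce, msg):
    # Simplified masking (assumption, not the ORANGE-Zest feedback function):
    # d, half of the previous permutation output, is kept secret and
    # masks half of the keystream of the next block.
    x0 = perm(key + nonce)
    d = x0[:N]
    x1 = perm(x0)
    return xor(msg, xor(x1[:N], d) + x1[N:])

def recover_key(msg, ct, calls=1):
    # Known-plaintext view: msg XOR ct is treated as a permutation output,
    # inverted `calls` times, and the first n bits are read as the key.
    s = xor(msg, ct)
    for _ in range(calls):
        s = perm_inv(s)
    return s[:N]

# Constructed sample values.
KEY, NONCE = bytes(range(16)), bytes(16)
MSG = b"constructed 32-byte sample block"
```

On the full-rate block `recover_key` returns `KEY`; on the masked block it does not, even with `calls=2`, because n bits of the observed output remain hidden behind the secret `d`.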