TY - GEN
T1 - Simpira v2
T2 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2016
AU - Gueron, Shay
AU - Mouha, Nicky
N1 - Publisher Copyright: © International Association for Cryptologic Research 2016.
PY - 2016
Y1 - 2016
N2 - This paper introduces Simpira, a family of cryptographic permutations that supports inputs of 128 × b bits, where b is a positive integer. Its design goal is to achieve high throughput on virtually all modern 64-bit processors, that nowadays already have native instructions for AES. To achieve this goal, Simpira uses only one building block: the AES round function. For b = 1, Simpira corresponds to 12-round AES with fixed round keys, whereas for b ≥ 2, Simpira is a Generalized Feistel Structure (GFS) with an F-function that consists of two rounds of AES. We claim that there are no structural distinguishers for Simpira with a complexity below 2128, and analyze its security against a variety of attacks in this setting. The throughput of Simpira is close to the theoretical optimum, namely, the number of AES rounds in the construction. For example, on the Intel Skylake processor, Simpira has throughput below 1 cycle per byte for b ≤ 4 and b = 6. For larger permutations, where moving data in memory has a more pronounced effect, Simpira with b = 32 (512 byte inputs) evaluates 732 AES rounds, and performs at 824 cycles (1.61 cycles per byte), which is less than 13% off the theoretical optimum. If the data is stored in interleaved buffers, this overhead is reduced to less than 1%. The Simpira family offers an efficient solution when processing wide blocks, larger than 128 bits, is desired.
AB - This paper introduces Simpira, a family of cryptographic permutations that supports inputs of 128 × b bits, where b is a positive integer. Its design goal is to achieve high throughput on virtually all modern 64-bit processors, that nowadays already have native instructions for AES. To achieve this goal, Simpira uses only one building block: the AES round function. For b = 1, Simpira corresponds to 12-round AES with fixed round keys, whereas for b ≥ 2, Simpira is a Generalized Feistel Structure (GFS) with an F-function that consists of two rounds of AES. We claim that there are no structural distinguishers for Simpira with a complexity below 2128, and analyze its security against a variety of attacks in this setting. The throughput of Simpira is close to the theoretical optimum, namely, the number of AES rounds in the construction. For example, on the Intel Skylake processor, Simpira has throughput below 1 cycle per byte for b ≤ 4 and b = 6. For larger permutations, where moving data in memory has a more pronounced effect, Simpira with b = 32 (512 byte inputs) evaluates 732 AES rounds, and performs at 824 cycles (1.61 cycles per byte), which is less than 13% off the theoretical optimum. If the data is stored in interleaved buffers, this overhead is reduced to less than 1%. The Simpira family offers an efficient solution when processing wide blocks, larger than 128 bits, is desired.
KW - AES-NI
KW - Beyond birthday-bound (BBB) security
KW - Cryptographic permutation
KW - Even-Mansour
KW - Generalized Feistel structure (GFS)
KW - Hash function
KW - Lamport signature
KW - Wide-block encryption
UR - http://www.scopus.com/inward/record.url?scp=84998911204&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-53887-6_4
DO - 10.1007/978-3-662-53887-6_4
M3 - Conference contribution
SN - 9783662538869
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 95
EP - 125
BT - Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
A2 - Cheon, Jung Hee
A2 - Takagi, Tsuyoshi
PB - Springer Verlag
Y2 - 4 December 2016 through 8 December 2016
ER -