NISTIR8369

StatusReportontheSecondRoundof theNISTLightweightCryptography StandardizationProcess

MeltemSonmezTuran¨ KerryMcKay DonghoonChang C¸gdasa˘ ¸Calık ¸ LawrenceBassham JinkeonKang JohnKelsey

Thispublicationisavailablefreeofchargefrom: https://doi.org/10.6028/NIST.IR.8369 NISTIR8369

StatusReportontheSecondRoundof theNISTLightweightCryptography StandardizationProcess

MeltemSonmezTuran¨ KerryMcKay DonghoonChang C¸gdasa˘ ¸Calık ¸ LawrenceBassham JinkeonKang JohnKelsey

ComputerSecurityDivision InformationTechnologyLaboratory

Thispublicationisavailablefreeofchargefrom: https://doi.org/10.6028/NIST.IR.8369

July2021

U.S.DepartmentofCommerce GinaM.Raimondo,Secretary

NationalInstituteofStandardsandTechnology James K. Olthoff, Performing the Non-Exclusive Functions and Duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology Certaincommercialentities,equipment,ormaterialsmaybeidentifiedinthisdocumentinordertodescribe an experimental procedure or concept adequately. Such identification is not intended to imply recommendationorendorsementbytheNationalInstituteofStandardsandTechnology,norisitintendedto implythattheentities,materials,orequipmentarenecessarilythebestavailableforthepurpose.

NationalInstituteofStandardsandTechnology InteragencyorInternalReport8369 Natl.Inst.Stand.Technol.Interag.Intern.Rep.8369,81pages(July2021)

Thispublicationisavailablefreeofchargefrom: https://doi.org/10.6028/NIST.IR.8369 ______NISTIR8369 SecondRoundStatusReport

Abstract

TheNationalInstituteofStandardsandTechnology(NIST)initiatedapublicstandardiza- tionprocesstoselectoneormoreAuthenticatedEncryptionwithAssociatedData(AEAD) andhashingschemessuitableforconstrainedenvironments. InFebruary2019,57candi- This datesweresubmittedtoNISTforconsideration. Amongthese,56wereacceptedasfirst-

publication roundcandidatesinApril2019. Afterfourmonths,NISTselected32ofthecandidates forthesecondround. InMarch2021,NISTannounced10finaliststomoveforwardto thefinalroundoftheselectionprocess. ThefinalistsareASCON,Elephant,GIFT-COFB, Grain-128AEAD,ISAP,PHOTON-Beetle,Romulus,SPARKLE,TinyJAMBU,andXoodyak. Thisreportdescribestheevaluationcriteriaandselectionprocess,whichisbasedonpublic is

available feedbackandinternalreviewofthesecond-roundcandidates.

Keywords free authenticatedencryption· cryptography· hashfunctions· lightweightcryptography of charge from: https://doi.org/10.6028/NIST.IR.8369

i ______NISTIR8369 SecondRoundStatusReport

Acknowledgments

NIST thanks the second-round submission teams, who developed and designed the second-roundcandidates,andthecryptographiccommunity,whoanalyzedthecandidates, sharedtheircommentsthroughthe ,andpublishedpapersonvarioustechnical

This lwc-forum aspectsofthecandidates.

publication NISTalsothanksthedevelopers,whoprovidedoptimizedimplementationsofthecan- didatesaswellasthehardwareandsoftwarebenchmarkinginitiatives,fortheircontribution totheunderstandingoftheperformancecharacteristicsofthealgorithmsonvarioustarget platforms. Specifically,NISTthanksallthosewhocontributedtothefollowingprojects:(i)FPGA is

available benchmarkingbyK.Mohajerani,R.Haeussler,R.Nagpal,F.Farahmand,A.Abdulgadir, J.-P.Kaps,andK.Gaj;(ii)ASICbenchmarkingbyM.AagaardandN.Zidaric;(ˇ iii)ASIC benchmarkingbyM.Khairallah, T.Peyrin, andA.Chattopadhyay; (iv)Microcontroller benchmarkingbyS.Renner,E.Pozzobon,andJ.Mottok;(v)Microcontrollerbenchmark- free ingbyR.Weatherley;(vi)RISC-VbenchmarkingbyF.Campos,L.Jellema,M.Lemmen, L. Muller,D.Sprenkels,andB.Viguier;¨ (vii)RISC-VbenchmarkingbyG.Nisanci,R. of

charge Atay,M.K.Pehlivanoglu,E.B.Kavun,andT.Yalc¸ın;and(viii)eBACS(ECRYPTBench- markingofCryptographicSystems)benchmarkingbyD.J.BernsteinandT.Lange. Theauthorsofthisreportacknowledgeandappreciatecontributionsfromtheircol- from: leaguesatNIST–LilyChen,AndrewRegenscheid,SaraKerman,NoahWaller,IsabelVan Wyk,RayPerlner,Lu´ısBrandao,SherylTaylor,DustinMoody,andMichaelJ.Fagan–˜

https://doi.org/10.6028/NIST.IR.8369 whoprovidedtechnicalandadministrativesupportandparticipatedinmeetingstodiscuss theselectionofthefinalists.

ii ______

Contents

1 Introduction 1 2 EvaluationCriteria 2

This 3 Second-RoundCandidates 3 3.1 ClassificationoftheSecond-RoundCandidates 3 publication 3.2 EvaluationoftheSecond-RoundCandidates 4 3.2.1 ACE 5 3.2.2 ASCON 6 3.2.3 COMET 7 is 3.2.4 DryGASCON 8 available 3.2.5 Elephant 8 3.2.6 ESTATE 9 3.2.7 ForkAE 10

free 3.2.8 GIFT-COFB 11 3.2.9 Gimli 11 of 3.2.10 Grain-128AEAD 12 charge 3.2.11 HyENA 13 3.2.12 ISAP 14 3.2.13 KNOT 15 from: 3.2.14 LOTUS-AEADandLOCUS-AEAD 16 3.2.15 mixFeed 16 https://doi.org/10.6028/NIST.IR.8369 3.2.16 ORANGE 17 3.2.17 Oribatida 18 3.2.18 PHOTON-Beetle 19 3.2.19 Pyjamask 19 3.2.20 Romulus 20 3.2.21 SAEAES 22 3.2.22 SATURNIN 22 3.2.23 SKINNY-AEAD andSKINNY-HASH 23 3.2.24 SPARKLE 24 3.2.25 SPIX 25 3.2.26 SpoC 25 3.2.27 Spook 26 3.2.28 Subterranean2.0 27 3.2.29 SUNDAE-GIFT 28 3.2.30 TinyJAMBU 28 3.2.31 WAGE 29 3.2.32 Xoodyak 30 3.3 AdditionalConsiderations 30 3.3.1 Side-ChannelResistance 30 3.3.2 Nonce-MisuseSecurity 31

iii ______NISTIR8369 SecondRoundStatusReport

3.3.3 RUPSecurity 32 3.3.4 ImpactsofStateRecovery 32 3.3.5 Post-QuantumSecurity 33 4 PerformanceBenchmarking 34

This 4.1 SoftwareBenchmarking 34 4.1.1 MicrocontrollerBenchmarkingbyNIST 34 publication 4.1.2 MicrocontrollerBenchmarkingbyRenneretal. 35 4.1.3 MicrocontrollerBenchmarkingbyWeatherley 36 4.1.4 AdditionalResults 37 4.2 HardwareBenchmarking 37 is 4.2.1 FPGABenchmarkingbyGMUCERG 38 available 4.2.2 ASICBenchmarkingbyKhairallahetal. 38 4.2.3 ASICBenchmarkingbyAagaardandZidaricˇ 39 5 SelectingtheFinalists 40 free 6 NextSteps 41

of References 42 charge A NISTSoftwareBenchmarkingResults 67 from: https://doi.org/10.6028/NIST.IR.8369

iv ______

ListofTables

Table1 TimelineoftheNISTLightweightCryptographyStandardizationProcess 2 Table2 Underlyingprimitivesofthesecond-roundcandidates 4 Table3 AEADmode-of-operationclassificationofprimaryvariants 5 This Table4 Hashingmodesofthe12candidateswithhashingfunctionalities 6

publication Table5 SummaryofattacksonASCON family 7 Table6 Anon-exhaustivesummaryofattacksonGIFT-128 12 Table7 SummaryofattacksonGimli 13 Table8 SummaryofdistinguishingattacksonPHOTON256 19 Table9 Summaryofbestkey-recoveryattacksonSKINNY-128-256andSKINNY- is

available 128-384 21 Table10 Specificationsofmicrocontrollersusedinbenchmarkinginitiatives 35 Table11 Summaryofthehardwarebenchmarkinginitiatives 39 Table12 Code sizes (in bytes) for the smallest implementations of the primary free AEADvariantsonmicrocontrollers 69 Table13 Codesizes(inbytes)forthesmallestimplementationsoftheprimaryhash of

charge variantsonmicrocontrollers 70 Table14 Timings(inµs)forthefastestimplementationsofprimaryAEADvari- antsforauthenticatedencryptionof16-bytemessageand16-byteADon from: microcontrollers 71 Table15 Timings(inµs)forthefastestimplementationsofprimaryhashvariants

https://doi.org/10.6028/NIST.IR.8369 forprocessing16-bytemessageonmicrocontrollers 72

v ______

ListofFigures

Figure1 Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforau- thenticatedencryptionof16-bytemessageand16-byteADonATmega328P 73 Figure2 Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforau- This thenticatedencryptionof16-bytemessageand16-byteADonATmega4809 73

publication Figure3 Codesizevs. speedresultsofthesmallestprimaryAEADvariantsfor authenticatedencryptionof16-bytemessageand16-byteADonSAMD21 74 Figure4 Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforau- thenticatedencryptionof16-bytemessageand16-byteADonnRF52840 74 is

available Figure5 Codesizevs. speedresultsofthesmallestprimaryAEADvariantsfor authenticatedencryptionof16-bytemessageand16-byteADonPIC32MX 75 Figure6 Codesizevs. speedresultsofthesmallestprimaryAEADvariantsfor authenticatedencryptionof16-bytemessageand16-byteADonESP8266 75 free Figure7 RelativespeedsofthecandidatescomparedtoAES-GCMonATmega328P 76 Figure8 RelativespeedsofthecandidatescomparedtoAES-GCMonATmega4809 77 of

charge Figure9 RelativespeedsofthecandidatescomparedtoAES-GCMonSAMD21 78 Figure10RelativespeedsofthecandidatescomparedtoAES-GCMonnRF52840 79 Figure11RelativespeedsofthecandidatescomparedtoAES-GCMonPIC32MX 80 from: Figure12RelativespeedsofthecandidatescomparedtoAES-GCMonESP8266 81 https://doi.org/10.6028/NIST.IR.8369

vi ______NISTIR8369 SecondRoundStatusReport

Acronyms

AD AssociatedData

AEAD AuthenticatedEncryptionwithAssociatedData This AES AdvancedEncryptionStandard publication ARX Addition-Rotation-Xor

ASIC ApplicationSpecificIntegratedCircuit is CAESAR CompetitionforAuthenticatedEncryption: Security,Applicability,andRo- available bustness

CBC CipherBlockChaining free CCA ChosenCiphertextAttack of CCAm CCAwithnoncemisuse-resilience charge CI CiphertextIntegrity

from: CIM CiphertextIntegritywithMisuse-resistance

CTR Counter https://doi.org/10.6028/NIST.IR.8369 eBACS ECRYPTBenchmarkingofCryptographicSystem

eSTREAM ECRYPTSTREAMcipherproject

FOBOS FlexibleOpensourceworkBenchfOrSide-channelanalysis

FPGA FieldProgrammableGateArray

GCM Galois/CounterMode

GE GateEquivalents

INT-RUP INTegrityunderRUP

ISO/IEC InternationalOrganizationforStandardization/InternationalElectrotechnical Commission

LE LogicElements

LFSR LinearFeedbackShiftRegister

LUT Look-UpTable

vii ______NISTIR8369 SecondRoundStatusReport

MAC MessageAuthenticationCode

MCU MicrocontrollerUnit

MD Merkle-Damgard˚ This MDS MaximumDistanceSeparable publication MILP Mixed-IntegerLinearProgramming

MITM Man-In-The-Middle

is MMO Matyas-Meyer-Oseas available NIST NationalInstituteofStandardsandTechnology

NISTIR NISTInternalReport free OCB OffsetCodeBook of

charge OFB OutputFeedBack

RAM RandomAccessMemory from: RFID RadioFrequencyIdentification

https://doi.org/10.6028/NIST.IR.8369 RISC ReducedInstructionSetComputer

ROM ReadOnlyMemory

RUP ReleasingUnverifiedPlaintext

SFS Semi-Free-Start

SHA SecureHashAlgorithm

TBC TweakableBlockCipher

XOF eXtendable-OutputFunction

XOR eXclusiveOR

viii ______NISTIR8369 SecondRoundStatusReport

1. Introduction

TheNationalInstituteofStandardsandTechnology(NIST)initiatedtheLightweightCryp- tographyStandardizationProcesstosolicit,evaluate,andstandardizeoneormoreAuthen- ticatedEncryptionwithAssociatedData(AEAD)andhashingschemesthataresuitable This foruseinconstrainedenvironments,suchasinradiofrequencyidentification(RFID)tags

publication andsensornetworks,wheretheperformanceofcurrentNISTcryptographystandardsisnot acceptableorisdeficient. NISTreceived57submissionsinresponsetoitscallforalgorithms;andinApril2019, NISTannounced56first-roundcandidates. InAugust2019,NISTannounced32second- roundcandidatesandpublishedNISTInternalReport(NISTIR)8268[1]toexplainthe is

available evaluationcriteriaandselectionofthesecond-roundcandidates. Later,NISTpublished thesecond-roundpackagesofthecandidates,whichincludedcorrectionstotypographical errors,bugfixes,andadditionalsupplementarycontentsuchasoptimizedimplementations andnewsecurityanalysis. Atthisstage, thedesignerswerenotallowedtotweaktheir free designs. InAugust2020,NISTinvitedthesubmittersofthesecond-roundcandidatestoprovide of

charge ashortupdateontheiralgorithms,specificallyon(1)newproofs/argumentsthatsupport thesecurityclaims,(2)newsoftwareandhardwareimplementations(includingonesthat protectagainstside-channelattacks),(3)newthird-partyanalysisanditsimplications,(4) from: platformsandmetricsinwhichthecandidateperformsbetterthancurrentNISTstandards, (5)targetapplicationsandusecasesforwhichthecandidateisoptimized,(6)plannedtweak

https://doi.org/10.6028/NIST.IR.8369 proposalsifthesubmissionisacceptedasafinalist,andanyotherrelevantinformation.In September2020,NISTreceivedstatusupdatesfrom27(outof32)teams[2–28]. Duringthesecondroundoftheprocess,NISThostedthethirdandfourthlightweight cryptographyworkshopstodiscussvariousaspectsofthesecond-roundcandidatesandob- tainvaluablefeedbackfortheselectionofthefinalists.Thetimelineofthestandardization processissummarizedinTable1. InMarch2021,NISTannouncedthefinalistsofthe standardizationprocess,namely:

•ASCON •Elephant •GIFT-COFB •Grain-128AEAD •ISAP •PHOTON-Beetle •Romulus •SPARKLE •TinyJAMBU •Xoodyak

The purpose ofthis report is toprovide a public recordof the second roundof the standardizationprocess. Thereportdescribestheevaluationcriteriaandselectionofthe finalists. InSection2explainstheevaluationcriteriaforthesecondround. Section3pro- videstheclassificationofsecond-roundcandidatesandadiscussionforeachcandidate. Section4liststhesoftwareandhardwarebenchmarkinginitiatives. Finally,Section5ex- plains the selection of the finalists. Appendix A provides additional information about NIST’sinternalsoftwarebenchmarkingresults.

1 ______NISTIR8369 SecondRoundStatusReport

Table1.TimelineoftheNISTLightweightCryptographyStandardizationProcess

Date Event July2015 FirstLightweightCryptographyWorkshopatNIST

This October2016 SecondLightweightCryptographyWorkshopatNIST March2017 publication NISTIR8114ReportonLightweightCryptography[29] April2017 (draft)ProfilesforLightweightCryptographyStandardizationPro- cess[30] August2018 FederalRegisterNotice is Submission Requirements and Evaluation Criteria for the available LightweightCryptographyStandardizationProcess[31] February2019 Submissiondeadline April2019 Announcementofthefirst-roundcandidates free August2019 Announcementofthesecond-roundcandidates of October2019 NISTIR 8268, Status Report on the First Round of the NIST charge LightweightCryptographyStandardizationProcess[1] November2019 ThirdLightweightCryptographyWorkshopatNIST from: September2020 Submissiondeadlineforoptionalstatusupdates October2020 FourthLightweightCryptographyWorkshop(virtual) https://doi.org/10.6028/NIST.IR.8369 March2021 Announcementofthefinalists

2. EvaluationCriteria

TheevaluationcriteriaforthestandardizationprocesswerepublishedinAugust2018[31]. ThesecriteriawerefurtherdiscussedandclarifiedduringtheNISTLightweightCryptog- raphyworkshops. Thissectionsummarizestheevaluationcriteriausedduringthesecond roundofthestandardizationprocess. Thecryptographicsecurityofthecandidatesisthemostimportantcriterion. Similar to the selection of the second-round candidates, the submissions with significant third- partyanalysisorthatbasedtheirsecurityclaimsonwell-understooddesignprinciplesand securityproofswerefavoredduringtheselectionoffinalists. NISTstudiedthefeedback receivedfromthecryptographiccommunityandthedocumentsprovidedbythesubmitters in addition to its own internal analysis. The security evaluations of the candidates are summarizedinSection3.2. Thesecondcriterionistheperformanceofthecandidatesinapplicationsusingcon- straineddevices(i.e.,thehardwareandsoftwareperformanceofcandidatesinconstrained environments).Candidateswereevaluatedandcomparedintermsofvariousperformance andcostmetrics,andthosethatperformedsignificantlybetterthanthecurrentNISTstan-

2 ______NISTIR8369 SecondRoundStatusReport

dards (especially AES-GCM [32] and SHA-2 [33]) were favored during the selection. NISTconsideredvariouspublicsoftwareandhardwarebenchmarkingeffortsaswellas internalsoftwarebenchmarkingcomparisons(seeSection4andAppendixA). Side-channelresistanceofthecandidateswasanothercriterion. Althoughtherewere

This notmanycomprehensivecomparisonsofthecandidates,NISTconsideredtheclaimsfrom the submission documents and related papers from the literature. More information is publication providedinSection3.3.1. Althoughnotexplicitlyrequiredbythesubmissioncall, thereweresomeadditional propertiesconsideredduringtheselectionwhenmultiplecandidateshadsimilarsecurity andperformanceevaluations,includingnonce-misusesecurity(seeSection3.3.2),releas-

is ingunverifiedplaintext(RUP)security(seeSection3.3.3),theimpactofstaterecovery(see available Section3.3.4),andpost-quantumsecurityofthecandidates(seeSection3.3.5).NISTalso consideredtweakplans,thediversityofthecandidates,andtheirsuitabilityforadditionto NIST’sportfolioofcryptographicstandards. free 3. Second-RoundCandidates of

charge 3.1 ClassificationoftheSecond-RoundCandidates This section provides a classification of the second-round candidates [34–65] based on

from: theirunderlyingprimitivesandmodesofoperation. Similarcomparisonsareavailablein [66,67]. Thesubmissionpackageswereallowedtoincludeafamilyofalgorithmssupporting https://doi.org/10.6028/NIST.IR.8369 different parameters, such as key and nonce sizes. Toallow for fair comparison, each family was required to include a primary variant that met minimum criteria. Some of thecandidatefamiliesincludemorethanonevariantforAEADandhashing,andthetotal numberofvariantsis89forAEADand19forhashing.Outof32second-roundcandidates, 11ofthemhavesinglevariants. Onaverage,candidateshave2.7AEADvariantsand1.5 hashvariants. Thecomparisonsprovidedinthissectionaremostlybasedontheprimary variants. Theunderlyingprimitivesofthesecond-roundcandidatesaresummarizedinTable2. BlockciphersortweakableblockciphersareusuallyusedbycandidatesaimingforAEAD- onlyfunctionality,whereaspermutationsaregenerallyusedwhenbothAEADandhashing functionalitiesaretargeted. Therearemanycandidatesthatshareaparticularprimitiveorprimitivesthatarevery closelyrelated(e.g.,somechangestotheprimitivearepresent,butprevioussecurityanal- ysisoftheprimitivemaystillapply). Forexample,themodespresentedinCOMET and SAEAES areinstantiatedusingtheblockcipherAES,whereasthecandidatesESTATE and mixFeed useslightlymodifiedvariantsofAES.Thewell-analyzedblockcipherGIFTis alsousedinmultiplecandidates,namelyESTATE,GIFT-COFB,HyENA,LOTUS-AEAD, LOCUS-AEAD,andSUNDAE-GIFT.Similarly,thetweakableblockcipherSKINNY isused inForkAE,Romulus,SKINNY-AEAD and SKINNY-HASH.Amongpermutation-basedcan- didates,theASCONpermutationanditsvariantsareusedinASCON,DryGASCON,and

3 ______NISTIR8369 SecondRoundStatusReport

Table2.Underlyingprimitivesofthesecond-roundcandidates

CandidatesprovidingAEAD-onlyfunctionality Permutation Elephant,ISAP,Oribatida,SPIX,SpoC,Spook3,WAGE This BlockCipher COMET, GIFT-COFB, HyENA, mixFeed, Pyjamask, 1 publication SAEAES,SUNDAE-GIFT,TinyJAMBU TweakableBlockCipher ESTATE,ForkAE,LOTUS-AEAD and LOCUS-AEAD,Ro- mulus,Spook StreamCipher Grain-128AEAD is available CandidatesprovidingAEADandhashingfunctionalities Permutation ACE, ASCON, DryGASCON, Gimli, KNOT, ORANGE, PHOTON-Beetle,SPARKLE,Subterranean 2.0,Xoodyak free BlockCipher SATURNIN2 of TweakableBlockCipher SKINNY-AEAD and SKINNY-HASH charge 1TheunderlyingprimitiveofTinyJAMBU isgivenaskeyedpermutationin[63]. 2TheunderlyingprimitiveofSATURNIN [55]canalsobeconsideredatweakableblockcipherdue from: totheuseofadditional9-bitparameterfordomainseparation. 3Spook designusesbothapermutationandatweakableblockcipher. https://doi.org/10.6028/NIST.IR.8369

ISAP;theKECCAKpermutationisusedinElephant andISAP;thePHOTONpermutation isusedinORANGE andPHOTON-Beetle; andthesLiSCP-lightpermutationisusedin SPIX andSpoC. Table3classifiestheAEADmodesofoperationoftheprimaryvariantsassequential and parallel modes. For sequential modes, sponge constructions and their variants are commonlyusedinadditiontomodesbasedonblockciphersandtweakableblockciphers, whereasparallelmodesaretypicallybasedon(tweakable)blockciphers. Twelveofthe32second-roundcandidatesofferhashingfunctionality.ExceptforSAT- URNIN,allofthesecandidatesarebasedonthespongeconstructionoritsvariants[68] forhashing(seeTable4). SATURNIN usesanMatyas-Meyer-Oseas(MMO)-basedcom- pressionfunction[69]instantiatedwithatweakableblockcipher,anditshashalgorithmis constructedusingaMerkle-Damgard(MD)construction[˚ 70,71].

3.2 EvaluationoftheSecond-RoundCandidates Thissectionincludesanevaluationofthesecond-roundcandidatesbasedontheevaluation criteriadescribedinSection2.Thissectionprovidesasummaryofthedesignandsecurity analysisforeachcandidate,aswellastweakplans.Performancesummariescanbefound inSection4.

4 ______NISTIR8369 SecondRoundStatusReport

Table3.AEADmode-of-operationclassificationofprimaryvariants

Sequentialmodes Classicalspongewithpublicpermutation DryGASCON, Gimli, KNOT, Subterranean 2.0,

This Xoodyak Classicalspongewithstronger ACE,ASCON,SPIX,Spook,WAGE publication initializationandfinalization Classicalspongewithkeyedpermutation SAEAES,TinyJAMBU Modifiedspongewithpublicpermutation ORANGE,Oribatida,PHOTON-Beetle is SPARKLE,SpoC available Blockcipherortweakable-block-cipher COMET,GIFT-COFB,HyENA, basedfeedback(rate1) mixFeed,Romulus Encrypt-then-MAC ISAP,SATURNIN free MAC-then-Encrypt ESTATE,SUNDAE-GIFT of Streamcipherbased Grain-128AEAD charge Parallelmodes ΘCB3-based(rate1) SKINNY-AEAD from: OCB3-based(rate1) Pyjamask

https://doi.org/10.6028/NIST.IR.8369 Enc-then-MAC Elephant Others ForkAE,LOTUS-AEAD

3.2.1 ACE ACE,designedbyAagaardetal.[34],isapermutation-basedAEADandhashingscheme. TheAEADschemeusesaunifiedspongeduplexmode,whereasthehashfunctionisbased onthespongeconstruction.TheACE permutationisbasedona5-blockgeneralizedversion ofsLiSCP-light[72]. Nonlinearityisprovidedbyaround-reducedunkeyedinstanceof Simeck-64,denotedSB-64 [73].

Variants. ThevariantsoftheACE familyarelistedbelow.

AEADvariants Key Nonce Tag #Steps Hashvariants Digestsize #Steps ACE-AE-128 128 128 128 16 ACE-H-256 256 16

Security Analysis. Liuetal. [74]constructedtwo8-stepimpossibledifferentialsforthe ACE permutationandshowedthattherearenoimpossibledifferentialdistinguisherslonger thanninesteps.Variousanalyses[75–78]onSimeck64/128describeattacksexceedingthe

5 ______NISTIR8369 SecondRoundStatusReport

Table4.Hashingmodesofthe12candidateswithhashingfunctionalities

Hashing modes Candidates (digest sizes) Spongeconstruction ACE (256),ASCON (256),DryGASCON (256,512),Gimli (256),

This KNOT (256,384,512), ORANGE (256), PHOTON- Beetle (256), SKINNY-HASH (256), SPARKLE (256,384), publication Subterranean 2.0 (256),Xoodyak (256) MDconstruction SATURNIN (256) basedonMMOmode is available eightroundsofSB-64. TheimplicationsoftheseanalysesontheACE permutationneed moreinvestigation.

free Tweak plan. Notweakplanhasbeenproposed[2].

of 3.2.2 ASCON charge ASCON,designedbyDobraunigetal. [35],isapermutation-basedAEADandhashing scheme. ASCON-AEADisbasedonthemonkeyDuplexconstruction[79]withadditional from: keyadditionsduringinitializationandfinalization. ASCON-Hashisbasedontheduplex spongeconstruction[80]. ThemaincomponentoftheASCON familyisa320-bitper-

https://doi.org/10.6028/NIST.IR.8369 mutationinstantiatedwithdifferentconstantsandnumberofroundsfordifferentvariants. ASCON wasselectedastheprimarychoiceforlightweightauthenticatedencryptioninthe finalportfoliooftheCAESARcompetition(2014–2019).

Variants. ThevariantsoftheASCON familyarelistedbelow. Thenumberofroundsfor theAEADvariantsisrepresentedasatripleta,b,andc,whereaisthenumberofrounds duringinitialization,bisthenumberofroundsduringADormessageprocessing,andcis thenumberofroundsduringfinalization.TheprimaryAEADandhashvariantsappearin boldface.

AEADvariants Key Nonce Tag #Rounds Hashvariants Digestsize #Rounds ASCON-128 128 128 128 12,6,12 ASCON-Hash 256 12 ASCON-128a 128 128 128 12,8,12 ASCON-Xof 256 12 ASCON-80pq 160 128 128 12,6,12

Security Analysis. ASCON hasreceivedsignificantthird-partyanalysis(e.g.,[35,81–91]). Theexistingsecurityanalysesaresummarizedin[92],andasummaryisprovidedinTable 5.Additionally,Ramezanpouretal.[93]evaluatedASCON’svulnerabilitytobothpassive andactiveside-channelattacks.

6 ______NISTIR8369 SecondRoundStatusReport

Table5.SummaryofattacksonASCON family

Target Attack type Method Rounds1 Data Time Memory Nonce misuse Ref. Cube 7,?,? 277.2 2103.92 - No [85] Keyrecovery Cube 7,5,? 250 298 241 Yes [86] This ASCON-128 Conditionalcube 6,?,? 240 240 - No [85] ASCON-128a Forgery Cube ?,?,6 233 - - Yes [86] publication Cube ?,?,5 217 - - Yes [86] Cube ?,5,? 218 266 254 Yes [86] ASCON-128 Staterecovery SAT-solver ?,2,? - practical No [87] ASCON-128a Staterecovery Cube ?,5,? 218 264 238 Yes [86] is ASCON Zero-sum 12 - 2130 - - [84] available Permutation Distinguishing Zero-sum 11 - 285 - - [35] Integral 11 - 2315 - - [82] ASCON-Hash2 Preimage Algebraic 6,6,6 - 263.3 - - [90] ASCON-Xof2 Cube 2,2,2 - 239 - - [90] free ASCON-Hash - - - SFSCollision Differential 2,2,2 practical [90] of ASCON-Xof charge 1Thesymbol? denotesarbitrarynumberofrounds. 2Thevarianthas64-bithashoutput. from: Tweak plan. Notweakplanhasbeenproposed[3]. https://doi.org/10.6028/NIST.IR.8369 3.2.3 COMET COMET (COunterModeEncryptionwithauthenticationTag),designedbyGueronetal. [36],isasingle-pass,inverse-freeblock-ciphermodeofoperationthatusesre-keyingtech- niquestominimizethestatesizeandthenumberofoperations. Themodeisinstantiated usingtheblockciphersAES-128[94],CHAM-128[95],andSpeck-64[96].

Variants. COMET supports64-bitand128-bitblocksizes,andthevariantsoftheCOMET fam- ilyarelistedbelow.

AEADvariants Key Nonce Tag COMET-128AES-128/128 128 128 128 COMET-128CHAM-128/128 128 128 128 COMET-64CHAM-64/128 128 120 64 COMET-64Speck-64/128 128 120 64

Security Analysis. COMET designersprovidedaproofintheidealciphermodelshow- ingthatCOMET-128issecurewhenthedatacomplexityislessthan264 bytesandthe

7 ______NISTIR8369 SecondRoundStatusReport

offlinecomputationcomplexity,includingblockcipherevaluations,islessthan2119 [97]. Khairallah[98]showedtheexistenceof264 weakkeysanddemonstratedanexistential forgeryattackwithweakkeysusing264 onlinequeries. Bernsteinetal. [99]presented twoobservationsonCOMET:thefirstobservationusesalongmessagetodetecttheuseof

This weakkeys;andthesecondfocusesontheresistanceofCOMET againstslideattacks.

publication Tweak plan. Although the results presented in [98, 99] do not invalidate the security claimsofCOMET,thedesignersconsideredthefollowingtweaks[4]: (1)updatingthe placewherecontrolbitsareXORedtosaveadditionaln-bitmemoryand(2)updatingthe permute functionthatmodifiesthekeytoincreasethedatacomplexitiesoftheavailable attacks. Thedesignersprovidedasecurityproofforthemodeofthisupdatedproposal is

available [100].

3.2.4 DryGASCON

free DryGASCON,designedbyRiou[37],isanAEADandhashingschemethataimstoprevent manyphysicalattacksatthealgorithmiclevel. DryGASCON isbasedontheDrySponge of construction,whichisderivedfromtheduplexspongeconstruction[80]. Theunderlying charge GASCONpermutationsareconstructedbytweakingtheASCON permutation[35].

Variants. ThevariantsoftheDryGASCON familyarelistedbelow.Inthetable,srepresents from: thesizeoftheGASCONpermutation,andthenumberofroundsforAEADvariantsisrep- resentedasatupleaandb,whereaisthenumberofroundsduringthediversificationphase https://doi.org/10.6028/NIST.IR.8369 (i.e.,nonce-processingphase)andbisthenumberofroundsusedinremainingphases.

AEADvariants Key Nonce Tag s #Rounds Hashvariants Digestsize s #Rounds DryGASCON128 128 128 128 320 11,7 DryGASCON128 256 320 7 DryGASCON256 256 128 256 576 12,8 DryGASCON256 512 576 8

Security Analysis. ThedesignerofDryGASCON arguesthattheGASCONpermutations havesecuritypropertiessimilartotheASCON permutation[37]. Tezcanreporteda3.5 roundtruncateddifferentialwithaprobabilityofone[91].

Tweak plan. Thedesignerhasdescribedthreepossibletweaks[5]: (1)addinganXOF mode;(2)uniformizationofthekeyprofilestoallowformappingallkeysfromthesmall keyprofiletokeysinthefastandfullprofiletoachieve“upward”interoperability;and(3) allowingprecomputationoverADbyswappingtheorderofcomputationbetweennonce andAD,whichinvolvesremovingsupportforthe“staticdata”feature.

3.2.5 Elephant Elephant,designedbyBeyneetal.[38],isapermutation-basedAEADschemethatfollows anonce-basedencrypt-then-MACconstructionwithacountermodeandavariantofthe

8 ______NISTIR8369 SecondRoundStatusReport

Wegman-Carter-ShoupMACfunction. Elephant istheonlysecond-roundcandidatethat usesaparallelmodewithapermutation. Themodeisinstantiatedusingthepermutations ofSpongent[101]andKECCAK[102].

Variants. Elephant This Thevariantsofthe familyarelistedbelow.

AEADvariants Key Nonce Tag Permutation #Rounds publication Dumbo 128 96 64 160-bitSpongent 80 Jumbo 128 96 64 176-bitSpongent 90 Delirium 128 96 128 200-bitKECCAK 18 is available Security Analysis. ThedesignersofElephant [38]providedprivacyandauthenticityproofs ofthemodeofElephant inthenonce-respectingscenarioundertheidealpermutationas- sumption. AsconfirmedbythedesignersofElephant [6],themodeofElephant doesnot free provideauthenticityinthenonce-misusescenario. Zhouetal. [103]presentedaninter- 70 of polationattackon8-round(outof18)Deliriuminthenonce-respectingscenariowith2 98.3 70 charge datacomplexityand2 XORoperationsand2 memorycomplexity. Sunetal. [104] presentedazero-sumdistinguishingattackon176-bitSpongentpermutationof21-round (outof90rounds)with2159 timecomplexity.Bogdanovetal.[105]presenteddifferential from: distinguisherson160-bitSpongentpermutationof40-round(outof80)withprobability 2−160 and176-bitSpongentpermutationof44-round(outof90)withprobability2−176. https://doi.org/10.6028/NIST.IR.8369 Bogdanovetal. [105]presentedlineardistinguisherson160-bitSpongentpermutationof 80-round(outof80)withcorrelationprobability2−160 and176-bitSpongentpermutation of90-round(outof90)withprobability2−180.ZhangandLiu[106]presentedatruncated- differentialdistinguisheron176-bitSpongentpermutationof46-round(outof90)with probability2−174.415. In[107,108],thesecurityofElephant againstkeyrecoveryattacks wereanalyzedinquantumsettings.

Tweak plan. Thedesignersdescribedtwopossibletweaksrelatedtothemode[6,109]:(1) changingtheindexpairofeveryblock,whichisusedtogenerateamaskingkeyforthat blockcomputation,and(2)changingfromaWegman-Carter-Shoupstyleauthenticatorto aprotectedcountersumstyleauthenticatortoprovideauthenticityeveninnonce-misuse.

3.2.6 ESTATE ESTATE,designedbyChakrabortietal. [39],isanAEADschemebasedontweakable blockciphers.ThemodeofESTATE usesanonce-basedMAC-then-Encryptconstruction, wheretheencryption(basedontheOutputFeeback(OFB)mode)isdonebyXORinga messageandakeystream,andtheauthentication/verificationisbasedonatweakablevari- antofFCBC[110]byusingdifferenttweakvaluesforthelastblockprocessing,depending onwhetherthelastblockofinputisfullorpartial.TheESTATE mode,inspiredbySUN- DAE[111],usesatweakableblockciphertominimizethenumberofunderlyingprimitive

9 ______NISTIR8369 SecondRoundStatusReport

callsandremovefieldmultiplicationsfromthemodelevel. TheESTATE modeprovides privacyandauthenticityeveninnonce-misuseandRUPattackmodels[112,113].

Variants. ThevariantsoftheESTATE familyarelistedbelow. ESTATE isinstantiated

This using three new tweakable block ciphers with 4-bit tweak: (1) TweAES-128(adds the tweakateverysecondroundofAES-128);(2)TweGIFT-128(addsthetweakateveryfifth

publication roundofGIFT-128);and(3)TweAES-128-6(addsthetweakateverysecondroundofthe firstsixroundsofAES-128andincludestheMixColumnsoperationsinthelastround). AEADvariants Key Nonce Tag ESTATE TweAES-128 128 128 128 is available ESTATE TweGIFT-128 128 128 128 sESTATE TweAES-128-6 128 128 128 free Security Analysis. ThesecurityofthenewblockciphersTweAESandTweGIFTrelieson theavailableanalysisonAESandGIFT.ThedesignersofESTATE [39,113]reportedthat of

charge theywereunabletofindanyvulnerabilityofthetweakinjectionafterconductingin-depth self-analysis. In [112,113], privacy, authenticity, and INT-RUP security proofs of ES- TATE inthenonce-misusescenariowereprovided.In[108],thesecurityofsESTATE against

from: thekeyrecoveryattackwasanalyzedinquantumsettings.

Tweak plan. Notweakplanhasbeenproposedexceptfortwobugfixesinthereference https://doi.org/10.6028/NIST.IR.8369 implementation[7].

3.2.7 ForkAE ForkAE,designedbyAndreevaetal. [40],isanAEADschemethatusesthetwomodes ofoperations–SAEF(SequentialAEADfromaForkcipher)andPAEF(ParallelAEAD fromaForkcipher)–andtheforkcipherForkSkinny.AForkcipher[114–116]enablesthe evaluationofatweakableblockcipheronthesamemessageandtwodifferentkeyswithan amortizedcomputationalcosttooptimizeshortmessagehandling.

Variants. ThevariantsoftheForkAE familyarelistedbelow. AEADvariants Key Nonce Tag Tweakey Blocksize PAEF-ForkSkinny-128-288 128 104 128 288 128 PAEF-ForkSkinny-128-192 128 48 128 192 128 PAEF-ForkSkinny-128-256 128 112 128 256 128 PAEF-ForkSkinny-64-192 128 48 64 192 64 SAEF-ForkSkinny-128-192 128 56 128 192 128 SAEF-ForkSkinny-128-256 128 120 128 256 128

10 ______NISTIR8369 SecondRoundStatusReport

Security Analysis. AlthoughForkSkinnyisanewforkcipherdesign,thecandidatebenefits fromtheextensiveanalysisonthetweakableblockcipherSkinny. Bariantetal. [117] showedthatattacksonSkinnycanbeextendedtooneextraroundformostForkSkinny variantsanduptothreeroundsforForkSkinny-128-256. Privacyandauthenticityproofs

This ofPAEFandSAEFinthenonce-respectingscenariowereprovidedin[40]. TheRUP- securityofSAEFwasprovidedin[118]. Theonlinenonce-misusesecurityofSAEFwas publication givenin[119]. TheexistingsecurityanalysesonForkSkinnyandothernewmodesbased onaforkcipherweresummarizedin[120].

Tweak plan. Thedesignersdescribedthefollowingtweaks[8]: (1)reducingthenumber ofroundsinForkSkinny;(2)includingnewinstancesofRPAEF(ReducedParallelAEAD is

available fromaforkcipher)mode, whichareoptimizedtohandlelongqueries; and(3)possibly includingnewCTR-likemodesthatachievebeyond-birthday-boundsecurityandimprove efficiencyforencryption-onlyqueries. free 3.2.8 GIFT-COFB of GIFT-COFB,designedbyBaniketal.[41],isarate-1AEADschemebasedonthe128-bit charge blockcipherGIFT-128[121,122].ThemodeofGIFT-COFB isslightlydifferentfromthe originalCOmbinedFeedBack(COFB)modeintroducedin[123,124]. Whena128-bit blockcipherisused,theoriginalCOFBmodeusesa64-bitnonceandafeedbackwith from: noentropyloss. Alternatively,GIFT-COFB usesa128-bitnonceandhardware-efficient feedbackwith1-bitentropylossandhandlesemptydatabychangingitspaddingmethod. https://doi.org/10.6028/NIST.IR.8369

Variants. ThesinglevariantoftheGIFT-COFB familyislistedbelow.

AEADvariants Key Nonce Tag GIFT-COFB 128 128 128

Security Analysis. TheunderlyingblockcipherGIFThasreceivedalargenumberofthird- partyanalysesandstillhasahighsecuritymargin(seeTable6).Anextendedlistofthird- partyanalysesonGIFT-128isprovidedin[9].

Tweak plan. Thedesignersdonotplantotweaktheirsubmission[9].

3.2.9 Gimli Gimli,designedbyBernsteinetal.[42],isapermutation-basedAEADandhashingscheme. TheAEADschemeGimli-Cipherisbasedonaduplexmodeofoperation,andGimli-Hash isbasedonaspongemodeofoperation,bothhaving128-bitrateand256-bitcapacity.The schemeisbasedonthe384-bitGimli permutationwith24rounds,wherethestateisa3× 4 matrixof32-bitwords. TheGimli permutationcomprisesthreelayers: (1)thenonlinear

11 ______NISTIR8369 SecondRoundStatusReport

Table6.Anon-exhaustivesummaryofattacksonGIFT-128

Attack Rounds Setting Data Time Memory Ref. Differential 22/40 singlekey 2114 2114 253 [125]

This Differential 26/40 singlekey 2124.4 2124.4 2109 [126] 126.6 126.6 publication Boomerang 21/40 relatedkey 2 2 – [127] Boomerang 22/40 relatedkey 2112.6 2112.6 252 [128] Rectangle 23/40 relatedkey 2121.3 2126.9 2121.6 [128] is

available layerwiththeSP-boxon96bitsisappliedtoeverycolumnofeachround;(2)thelinear layerwithoneoftwoswapoperations(small-swaporbig-swap),isappliedonlytothefirst rowineverysecondround;and(3)a32-bitroundconstantisaddedtothestateinevery fourthround. free Variants. ThevariantsoftheGimli familyarelistedbelow. Additionally, thedesigners of proposedGimli-XOFbyincludingtheoutputlengthintheGimli-Hashinitialization. charge

AEADvariants Key Nonce Tag #Rounds Hashvariants Digestsize #Rounds from: Gimli-Cipher 256 128 128 24 Gimli-Hash 256 24 https://doi.org/10.6028/NIST.IR.8369 Security Analysis. SincetheGimli permutationwasfirstintroducedin2017[129],several in-depthanalyses[89,130–135]havebeenconducted. Foreachscheme,thebest-known attacksareshowninTable7. Sincethesmall-swapandbig-swapoperationsareapplied onlytothefirstrowineverysecondround,theGimli permutationhasslowdiffusion,which ledtoalargernumberofroundsbeinganalyzedespeciallybycollisionanddistinguishing attacks.

Tweak plan. Thedesignersdidnotplantotweaktheirsubmission[10].

3.2.10 Grain-128AEAD Grain-128AEAD,designedbyHelletal.[43],isabit-orientedfeedbackshiftregisterbased AEADschemeoptimizedforhardwareimplementations.In2008,Grainv1wasselectedas afinalistinthehardwareprofileoftheeSTREAMportfolio[136]. ThestandardISO/IEC 29167-13:2015[137]includesGrain-128aforRFIDsystems.

Variants. TheAEADvariantoftheGrain-128AEAD familyislistedbelow.

AEADvariants Key Nonce Tag Grain-128AEAD 128 96 64

12 ______NISTIR8369 SecondRoundStatusReport

Table7.SummaryofattacksonGimli

Target Attack Type Rounds Data Time Memory Ref. Gimli-Cipher State-recoveryin 9 4 2192 2190 [134] 128 126 This (AEAD) nonce-respectingscenario 5 4 2 2 [134] Collision(Quantum) 14 - 274 negl. [135] publication Collision 12 - 2106 negl. [135] SFSCollision(Quantum) 20 - 274 264 [135] Gimli-Hash SFSCollision 18 - 2106 264 [135] is Preimage 5 - 296 265.6 [133] available 2ndPreimage 3 - 1 negl. [132] 28∗ - 264 negl. [135] Gimli-Permutation Distinguishing 24(Full) - 252 negl. [133] free 24(Full) - 264 negl. [135] of Gimli-XOF-128 Preimage 9 - 2104 270 [133] charge ∗ Represents1-roundshiftedversionofGimli-permutation. from: Security Analysis. EarlierversionsoftheGrainfamilyhavebeeninvestigatedbyalarge numberofthird-partyanalyses(e.g.,[138–143]).AlthoughthedesignofGrain-128AEAD is https://doi.org/10.6028/NIST.IR.8369 slightlydifferentfromearlierversions,someofthethird-partyanalysesarestillapplicable. ThebestattackwasbyHaoetal. [144],whichpresenteddistinguishingattacksupto189 roundswith296 timecomplexityandakey-recoveryattackfor190roundswith2123 time complexity.Additionally,ChangandTuran[145]analyzedthecomplexityofkeyrecovery ofGrain-128AEAD fromtheinternalstateunderdifferentscenarios.

Tweak plan. Notweakplanwasproposed[11].

3.2.11 HyENA HyENA (Hybridfeedback-basedENcryptionwithAuthentication),designedbyChakraborti etal.[44],isasingle-pass,inverse-freeblock-ciphermodeofoperationinwhichblockci- pherinputisobtainedfromboththeciphertextfeedbackandtheplaintextfeedback. The candidateisinstantiatedwiththeblockcipherGIFT-128[122].

Variants. TheAEADvariantoftheHyENA familyislistedbelow.

AEADvariants Key Nonce Tag HyENA 128 96 128

13 ______NISTIR8369 SecondRoundStatusReport

Security Analysis. Mege[146]presentedapracticalforgeryattackduetoproblemsindo- mainseparationoffullversusincompletemessageblocks. Althoughdesignersproposed achangetoaddresstheissuebeforetheattackwaspublished[147],NISTconsideredthis changeasadesigntweakratherthanatypocorrectionanddidnotacceptitduringthat

This stageoftheprocess. Thedesignersprovidedasecurityproofofthemodifiedmodeof HyENA [148,149]. publication Tweak plan. Thedesignersconsideredthefollowingdesigntweaks[12]:(1)updatingthe maskingoperation,(2)simplifyingtheinitializationtoimprovethehardwareimplementa- tionarea,and(3)removingtheswapoperationinthefinalization. is available 3.2.12 ISAP ISAP,designedbyDobraunigetal. [45],isapermutation-basedAEADschemedesigned toprovide,fromthealgorithmiclevel,securityagainstawiderrangeofimplementation free attacks,suchasdifferentialfaultattacks,statisticalfaultattacks,statisticalineffectivefault attacks,anddifferentialpoweranalysis.ThemodeofISAP isanonce-basedencrypt-then- of MACconstruction,wheretheencryptionisdonebyXORingamessageandakeystream, charge andtheauthentication/verificationisbasedonahash-then-MACparadigm.

Variants. ThevariantsoftheISAP familyarelistedbelow. Therateisrepresentedasa from: tuplea,andb,wherearepresentsthesizeoftherateforthenonceprocessingintherekey- ingfunctionIsapRkandbrepresentsthesizeoftherateforallotherphases. Thenumber https://doi.org/10.6028/NIST.IR.8369 ofroundsisrepresentedusinga4-tuplesH,sB,sE,sK thatshowsthenumberofroundsof thepermutationusedduringtheauthenticationphase,thenonceprocessingphase,encryp- tionanddecryptionphases,andgeneratingsessionkeysintherekeyingfunctionphase, respectively.

AEADvariants Key Nonce Tag Permutation Rate #Rounds ISAP-K-128a 128 128 128 400-bitKECCAK 144,1 16,1,8,8 ISAP-A-128a 128 128 128 320-bitASCON 64,1 12,1,6,12 ISAP-K-128 128 128 128 400-bitKECCAK 144,1 20,12,12,12 ISAP-A-128 128 128 128 320-bitASCON 64,1 12,12,12,12

Security Analysis. FormalsecurityproofsofISAP modewereprovidedinleakage-resilient settings[150–152]. ISAP variantsareinstantiatedusingwell-analyzedpermutations. The distinguishingattacksontheASCON permutationweresummarizedinTable5. Azero- sumdistinguisheronthe12-round400-bitKECCAK permutationwithacomplexity282 waspresentedin[153]. Intheauthenticationphase, thekeyisusedonlyattheendso theattackercantrytofindacollisiononastateforaforgeryattack. However,incasesof ISAP-K-128aandISAP-K-128,sH= 16or20providesasufficientsecuritymarginbecause

14 ______NISTIR8369 SecondRoundStatusReport

nocollisionattackonKECCAKvariantswithmorethansixroundshasbeenreported[154]. ThevaluesofsH,sB,sE, andsK werechosenbydesignerstoprovidesufficientsecurity marginsagainstknowncubeorcube-likeattacks[45]. Theimplementationsecurityof ISAP issummarizedin[155]. This Tweak plan. Thedesignersconsideredchangingtherecommendationorderasfollows[13]:

publication ISAP-A-128a(primary),ISAP-K-128a,ISAP-A-128,andISAP-K-128.Thischangeismo- tivatedbythesignificantlybetterperformanceoftheASCONpermutationon32-bitde- vicesandthenoticeablylowerarearequirementsofASCON-permutation-basedISAP in hardware. is available 3.2.13 KNOT KNOT,designedbyZhangetal.[46],isapermutation-basedAEADandhashingscheme. KNOT-AEADisbasedonthemonkeyDuplexconstruction[79],andKNOT-Hashisbased free onanextendedspongeconstructionwithadifferentsqueezingbitrate.Thestructureofthe KNOT permutationissimilartothe64-bitblockcipherRECTANGLE[156]. of charge Variants. ThevariantsoftheKNOT familyarelistedbelow. Therearefourmembersof theKNOT-AEAD(k,b,r)familywithk-bitkey,b-bitstate,andr-bitrate.Similarly,there arefourmembersoftheKNOT-Hash(n,b,r,r0)familywithn-bithashoutput,b-bitstate, from: r-bitabsorbingrate,andr0-bitsqueezingrate. Thenumberofroundsisrepresentedusing a3-tuplea,bandcthatshowsthenumberofroundsoftheKNOT permutationsduring https://doi.org/10.6028/NIST.IR.8369 initialization,ADandmessageprocessing,andfinalization,respectively.

AEADvariants Nonce Tag #Rounds Hashvariants Digestsize #Rounds KNOT-AEAD(128,256,64) 128 128 52,28,32 KNOT-Hash(256,256,32,128) 256 68 KNOT-AEAD(128,384,192) 128 128 76,28,32 KNOT-Hash(256,384,128,128) 256 80 KNOT-AEAD(192,384,96) 192 192 76,40,44 KNOT-Hash(384,384,48,192) 384 104 KNOT-AEAD(256,512,128) 256 256 100,52,56 KNOT-Hash(512,512,64,256) 512 140

Security Analysis. Dingetal. [157]constructeda48-rounddifferentialtrailwithprob- ability2−252,a52-rounddifferentialtrailwithprobability2−274,a45-roundlineartrail withthesquareofcorrelation2−256,anda51-roundlineartrailwiththesquareofcorre- lation2−292. Usingthetoolfrom[157],Zhangetal. [158]showedthattheprobabilityof thebest14-roundusefuldifferentialtrailduringtheinitializationphase(thefullnumber ofroundsoftheinitializationis52)is2−62.2,theprobabilityofthebest12-rounduseful differentialtrailduringtheencryptionphase(thefullnumberofroundsoftheencryption is28)is2−62.2,andtheprobabilityofthebest13-roundusefuldifferentialtrailduringthe finalizationphase(thefullnumberofroundsofthefinalizationis32)is2−61.4. Rohit[159]suggestedthatthepreimageresistancemaybelowerthanclaimed.Raghav includeddetailsandaskediftheinterpretationwascorrect. TheKNOT team[160]re-

15 ______NISTIR8369 SecondRoundStatusReport

spondedwithseveralargumentsandbelievedthatthepreimageattackRaghavproposed couldnotwork.Raghav[161]concededthatthecomputationswerenotcorrect.

Tweak plan. Thedesignersconsideredtwopossibletweaks[14]: (1)forsecurityagainst

This multi-keyattacks,incaseoftheprimarymember,increasingthenumberofroundsduring theplaintextprocessingfrom28to36andthenumberofroundsduringthefinalization

publication processingfrom32to40and(2)forsupportinghashingontopofAEADmoreseamlessly, usingthesameLFSRstogenerateroundconstantsoftheunderlyingpermutations.

3.2.14 LOTUS-AEADandLOCUS-AEAD is LOTUS-AEAD andLOCUS-AEAD,designedbyChakrabortietal.[47],areAEADmodes available thatrelyonatweakableblockciphertoallowfordomainseparation. Thesemodeshave nonce-basedrekeying. Thesubmissionpackagenamestwovariantsthatareinstantiated withTweGIFT-64,atweakablevariantofGIFT-64-128 [121].GIFT-64-128 hasa64-bit free stateand128-bitkeyand28rounds,andamodifiedversion–TweGIFT-64 –isproposed thatadditionallyhasa4-bittweak. TheroundstructureofTweGIFT-64 isanaugmented of versionofGIFT-64-128 thataddsastepforinjectingbitsintothestatethatarederived charge fromthetweakeveryfourrounds.

Variants. The variants of the LOTUS-AEAD and LOCUS-AEAD family are listed be- from: low.LOCUS-AEAD requirestheinversecipherfordecryption,whereasLOTUS-AEAD is inverse-free. https://doi.org/10.6028/NIST.IR.8369 AEADvariants TBC #Rounds Key Nonce Tag LOTUS-AEAD TweGIFT-64 28 128 128 64 LOCUS-AEAD TweGIFT-64 28 128 128 64

Security Analysis. GIFT-64-128 isawidely-analyzedblockcipher(e.g.,see[121,125, 127,128,162–165]).ThesubmissionteamprovidedanalysisoffourroundsofTweGIFT-64 thattheyidentifyasthe4-roundcore,wherethetweakadditionoccursinthemiddleofthe core. BothLOTUS-AEAD andLOCUS-AEAD modesclaimtobeINT-RUPsecure. The submissionteamprovidedasecurityprooftosupportthisclaimthatusestheidealtweak- ableciphermodel[166,167].

Tweak plan. Notweakplanhasbeenproposed.

3.2.15 mixFeed Minimally Xored Feedback (mixFeed), designed by Chakraborty and Nandi [48], is a block-cipher based AEAD scheme. The scheme is single-pass and inverse-free, using nonce-dependentkeystolimitthedamageofleakageandthere-keyingtechniquetomin- imizemodeoverhead. ThesubmissioninstantiatesthemodewiththeAES0128/128block

16 ______NISTIR8369 SecondRoundStatusReport

cipher. AES0 islargelyidenticaltoAES[94]withtheexceptionthataMixColumnsop- erationisperformedinthefinalround. Therefore,all10roundsarestructurallyidentical, allowingformorecompactimplementationthanAESatthecostofperformingmoreoper- ations. This Variants. ThesinglevariantofthemixFeed familyislistedbelow. publication AEADvariants Key Nonce Tag mixFeed 128 120 128 is available Security Analysis. Duringthefirstround,Khairallahreportedaforgeryattackinthenonce- misusescenario[168]. Theauthorsagreedwiththeanalysisandnolongerclaimnonce- misuseresistanceformixFeed.KhairallahalsoprovidedanalysisofweakkeysinmixFeed [98],whichwasextendedbyLeurentandPernot[169]. Thetimeanddatacomplexityof free theseanalysesdoesnotviolatethesecurityclaims.SecurityproofsofmixFeedaregivenin

of theidealciphermodel[170]. charge Tweak plan. Notweakplanhasbeenproposed.

from: 3.2.16 ORANGE ORANGE (Optimum RAte spoNGE construction), designed by Chakraborty and Nandi https://doi.org/10.6028/NIST.IR.8369 [49],isarate-1sponge-variantdesignthatusesPHOTON256 [171],the256-bitPHOTON permutationwith12rounds. TheAEADschemeiscalledORANGE-Zest,andthehash functioniscalledORANGISH.ORANGE-Zestusesaspongevariantwithfullstateabsorp- tionbyholdingadynamicsecretstatetomaskpartoftheciphertext.

Variants. ThevariantsoftheORANGE familyarelistedbelow.

AEADvariants Key Nonce Tag Hashvariants Digestsize ORANGE-Zest 128 128 128 ORANGISH 256

Security Analysis. ThePHOTON256permutationhasreceivedmuchanalysis,summarized inSection3.2.18(seeTable8). Dobraunigetal. [172,173]proposedapracticalforgery attackthatusestwoencryptionsofthesamemessageblockwhennoassociateddata(AD) is used. The designers of ORANGE presented a security proof of a modified mode of ORANGE [174].Dobraunigetal.[172]statedthattheattackdidnotseemtoapplytothe modifiedversion.Sarkaretal.[175]observedthatintheproofofthemodifiedmodethere isnomentionofthelimitofthesizeofthetagintheproofof[174]andshowedthatitis easytoforgeandrecoverthekeyforthemodifiedmodewhenthetagsizeisthesameas

17 ______NISTIR8369 SecondRoundStatusReport

thesizeoftheblock.Therefore,forthesecurityofthemodifiedmode,itiscrucialtolimit thesizeoftagsothatitisinfeasibletorecoverastaterightbeforethetaggeneration.

Tweak plan. Thedesignershaveconfirmedtheattackpresentedin[173]andproposedafix ORANGE

This intheirsecond-roundsubmissionof toavoidtheattackbychangingtheinputof thefunctionintheabsenceofAD.However,sinceNISTdidnotacceptanytweaksduring

publication thesecondroundoftheprocess,thissuggestionwasnotofficiallyacceptedbyNIST.The ORANGE designersdidnotprovideanofficialstatusupdate.

3.2.17 Oribatida is Oribatida,designedbyBhattacharjeeetal. [50],isapermutation-basedAEADscheme available based on a sponge-like structure with ciphertext-masking. The main motivation of the modedesignistoprovideprivacyandauthenticityinnonce-respectingandINT-RUPse- curity[176]. ItsunderlyingpermutationiscalledSimPandisdesignedbyborrowingtwo free componentsoftheSimonblockcipher[96]: itskey-updatefunctionanditsstateupdate function. of charge Variants. ThevariantsoftheOribatida familyarelistedbelow. Thenumberofstepsfor ADprocessingandforotherpartsofprocessingare2and4,respectively. Oribatida-256- 64 (primary) andOribatida-192-96, whereOribatida-n-shas n-bit state ands-bit secret from: masking value. Each s-bit masking value is derived from the c-bit capacity part of its previousstate,andeachciphertextblockisgeneratedbyXORingamaskingvalueandthe https://doi.org/10.6028/NIST.IR.8369 ratepartofstate.

AEADvariants Key Nonce Tag #RoundsofStep #Steps Oribatida-256-64 128 128 128 34 2/4 Oribatida-192-96 128 64 96 26 2/4

Security Analysis. RohitandSarkar[177]reportedakeyrecoveryattackonOribatida-192- 96thatmakestwoonlinequeriesandhastimecomplexity296.NotethatOribatida-192-96 isnottheprimaryvariant. Thedesignersprovidedprivacyandauthenticityproofsinthe nonce-respectingcaseaswellasanINT-RUPsecurityproof[178].

Tweak plan. Thedesignersconsideredtwopossibletweaks[15]:(1)maskingthetagwith a secret masking value to hide the output of the permutation in order to prevent a key recoveryattackonOribatida-192-96andimprovethenAE-securityinthenonce-respecting case from 89 bits to 112 bits and (2) updating the definition of the end-of-type (EOT) controlbitst2 ofthedomainconstantstosimplifythedescription.Thedesignersprovided asecurityproofofthemodeofthistweakproposal[179].

18 ______NISTIR8369 SecondRoundStatusReport

3.2.18 PHOTON-Beetle

PHOTON-Beetle,designedbyBaoetal.[51],usesPHOTON256[171]–the256-bitPHO- TONpermutationwith12rounds–astheunderlyingpermutationforallthemembersof PHOTON-Beetle.PHOTON-Beetle-AEADsarebasedonasponge-likeAEADmodewith This acombinedfeedback(inspiredbyCOFBmode[123]),andPHOTON-Beetle-Hash isbased onaspongestructure. publication

Variants. ThevariantsofthePHOTON-Beetle familyarelistedbelow.IntheRatecolumn, a/bindicatesa-bitabsorbingrateandb-bitsqueezingrate. is available AEADvariants Key Nonce Tag Rate Hashvariants Digestsize Rate PHOTON-Beetle-AEAD[128] 128 128 128 128/128 PHOTON-Beetle-Hash[32] 256 32/128 PHOTON-Beetle-AEAD[32] 128 128 128 32/128 free Security Analysis. PHOTON[171]wasintroducedin2011andisapartofISO/IEC29192- of 5:2016[180]. ThePHOTON256 permutationhasreceivedsignificantanalysis(seeTable charge 8).SecurityproofsoftheBeetlemodeareprovidedin[181–184].DobraunigandMennink [185]pointedoutanincorrectsecurityboundinthesubmissionanddescribedakeyrecov- 124

from: eryattackwithemptymessageandADthattakes2 primitivequeries.Thecomplexityis toohighforittobeathreatundertheNISTsecurityrequirements,buttheyrecommended thesubmittersupdatetheirsecurityclaims. https://doi.org/10.6028/NIST.IR.8369

Table8.SummaryofdistinguishingattacksonPHOTON256

Method Rounds Time Memory Ref. Zero-sumPartitions 12/12 2184 - [186] StatisticalIntegral 10/12 296.59 270.46 [187] Rebound-like 9/12 2184 232 [188] multiplelimited-birthday 8/12 210.8 28 [189] Rebound-like 8/12 216 28 [171]

Tweak plan. Notweakplanhasbeenproposed[16].

3.2.19 Pyjamask Pyjamask, designedbyGoudarzietal. [52], isanAEADschemeinstantiatedwiththe newblockcipherPyjamaskoperatedinOffsetCodebook(OCB)mode. OCBmodeisan old,well-understoodAEADmodethatcansupportcomputingmanyinstancesoftheblock

19 ______NISTIR8369 SecondRoundStatusReport

cipherinparallel. However,thePyjamask designersslightlyalteredthemodetosupport theuseofa96-bitblockcipher. AmajordesigngoalofthePyjamask blockciphersistobeefficientlymaskable. The costofcurrentmaskedimplementationsofciphersismostlydeterminedbythenumberof

This ANDgatesthatmustbecomputed. Thus,theciphersupportsabitslicedimplementation, theS-boxhasmultiplicativecomplexityofone,andthekeyscheduleisentirelylinear. publication Variants. ThevariantsofthePyjamask familyarelistedbelow.

AEADvariants Key Nonce Tag

is Pyjamask-128-AEAD 128 96 128 available Pyjamask-96-AEAD 128 64 96

Security Analysis. Pyjamask’sblockcipherswerenotpublishedpriortobecomingcandi- free datesand,thus,haveseenrelativelylittlethird-partyanalysis. Additionally,theirvariant

of ofOCBfor96-bitblocksisnewandhasnotseenmuchindependentanalysis. Goudarzi

charge etal. [190]givescomputedboundsondifferentialandlinearcharacteristics,whichshow alargesecuritymarginagainsttheseattacks. Dobraunigetal. [191]demonstrateshigher orderdifferentialattacksonthefull96-bitversionofthecipher,thoughtheattackrequires from: thefullcodebookfromthecipheraswellas2115 work. Thesamepapershowsanattack ontheseven-roundversionofthecipher(outof14totalrounds),whichworksevenwithin 41 89 https://doi.org/10.6028/NIST.IR.8369 OCBmodeandrequires2 chosenplaintextsand2 work.

Tweak plan. Notweakplanhasbeenproposed.

3.2.20 Romulus Romulus,designedbyIwataetal.[53],isanAEADschemebasedonthetweakableblock cipherSKINNY [192]. Romulus consistsoftwofamilies: anonce-basedAEADRomulus- Nandanoncemisuse-resistantAEADRomulus-M.Romulus-Nusesarate-1TBC-based combinedfeedbackmode,andthemodeofRomulus-MfollowsaMAC-then-encryptap- proach.

Variants. ThevariantsoftheRomulus familyarelistedbelow.

20 ______NISTIR8369 SecondRoundStatusReport

AEADvariants Family TBC #Rounds Key Nonce Tag Romulus-N1 SKINNY-128-384 56 128 128 128 Romulus-N2 Romulus-N SKINNY-128-384 56 128 96 128

This Romulus-N3 SKINNY-128-256 48 128 96 128 Romulus-M1 SKINNY-128-384 56 128 128 128 publication Romulus-M2 Romulus-M SKINNY-128-384 56 128 96 128 Romulus-M3 SKINNY-128-256 48 128 96 128 is

available Security Analysis. ProofsforprivacyandauthenticityofthemodeofRomulus-Ninthe nonce-respectingscenario(withbeyond-birthday-boundsecurity)andthemodeofRomu- lus-Minthenonce-misusescenariowereprovidedin[193–195].In[196],INT-RUPsecu- rityandtheplaintext-awarenesssecurityforRomulus-Mwereprovided. In[196],anew free hashingmodeandleakage-resilientAEADmodesbasedonatweakableblockcipherwere described. In[197],rate-1leakage-resilientAEADbasedontheRomulus familywasin- of troducedalongwithsecurityproofsintermsofCIML2,CCAmL1,andINT-RUP.Table9 charge summarizesthebest-knownavailablekey-recoveryattacksinthesinglekeyandrelated- tweakeyattackmodels. In[198,199],newrelated-tweakeyboomerangdistinguisherson −85.77 from: 20roundsforSkinny-128-256(withprobability2 )and24roundsforSkinny-128-384 (withprobability2−86.09)weredescribed. https://doi.org/10.6028/NIST.IR.8369 Table9.Summaryofbestkey-recoveryattacksonSKINNY-128-256andSKINNY-128-384

Target Attack Rounds Setting Data Time Memory Ref. ImpossibleDiff 20/48 singlekey 292.1 2245.72 2147.1 [200] ImpossibleDiff 23/48 related-tweakey 2124.47 2251.47 2248 [201] SKINNY-128-256 ImpossibleDiff 23/48 related-tweakey 2124.41 2243.41 2155.41 [202] Rectangle 24/48 related-tweakey 2125.21 2209.85 2125.54 [203] ImpossibleDiff 22/56 singlekey 292.22 2373.48 2147.22 [200] MITM 22/56 singlekey 296 2382.46 2330.99 [204] SKINNY-128-384 MITM 22/56 singlekey 296 2366.28 2370.99 [205] Rectangle 28/56 related-tweakey 2122 2315.25 2122.32 [165,206] Rectangle 30/56 related-tweakey 2125.29 2361.68 2125.8 [203]

Tweak plan. Thedesignersconsideredthefollowingtweaks[17]:(1)droppingthevariants thatarenotbasedonSKINNY-128-384,(2)reducingthenumberofroundsofSKINNY-128-384 from56to40,and(3)addingthenewvariantRomulus-H toprovidehashingandXORca- pabilities.

21 ______NISTIR8369 SecondRoundStatusReport

3.2.21 SAEAES SAEAES,designedbyNaitoetal.[54],isanAEADschemethatusesaninstantiationofthe SAEB(Small(Simple,Slim,Sponge-based)AEADfromBlockcipher)modeofoperation [207]withtheblockcipherAES.SAEBissimilartothesponge-baseddesignapproach This butusesablockcipherinsteadofapermutation. SAEBisaninverse-free,onlinemode ofoperationwiththedesigngoalsofhavingminimumstatesize, beingXOR-onlyand publication efficientlyhandlingstaticAD.

Variants. EachmemberoftheSAEAES family,SAEAESk r1 τ,isparameterizedbythe keysizek,theADblocklengthr1,andthetaglengthτ.Thenonceisfixedto128bitsfor is allmembers.SAEAES familyhasthefollowingtenmembers: available AEADvariants Key Nonce Tag SAEAES128 120 128 128 120 128 free SAEAES128 120 64 128 120 64

of SAEAES128 64 128 128 120 128 charge SAEAES128 64 64 128 120 64 SAEAES192 120 128 192 120 128

from: SAEAES192 64 128 192 120 128 SAEAES192 64 64 192 120 64 https://doi.org/10.6028/NIST.IR.8369 SAEAES256 120 128 256 120 128 SAEAES256 64 128 256 120 128 SAEAES256 64 64 256 120 64

Security Analysis. SAEAES benefitsfromthesignificantthird-partyanalysisofAES,and asecurityproofoftheSAEBmodeispublishedin[207].

Tweak plan. Notweakplanhasbeenproposed.

3.2.22 SATURNIN SATURNIN,designedbyCanteautetal. [55],containstwoAEADvariantsandonehash function.ThecoreprimitiveofallvariantsistheSATURNIN blockcipherthathasa256-bit state,256-bitkey,and9-bitparameterfordomainseparation.ItwasbuiltwithAESdesign principlesandaimstoprovidesecurityagainstquantumadversaries. SATURNIN-Hash is aMerkle-Damgardconstructionthatusesthe˚ SATURNIN blockcipherinMatyas-Meyer- Oseas(MMO)modeasthecompressionfunction.

Variants. ThevariantsoftheSATURNIN familyarelistedbelow.SATURNIN-CTR-Cascade is theprimaryAEADvariantthatacceptsanoncewithlengthupto160bitsanda256-bit

22 ______NISTIR8369 SecondRoundStatusReport

keyasinputsandproducesa256-bittag.Thereisanadditionalvariant,SATURNIN-Short, thatisdesignedformessageslessthan128bitslongwithnoAD.Itoutputsasingleblock ofciphertext, andverificationisperformedbydecryptingtheciphertextandcomparing thelefthalfoftheplaintexttothenonce.SATURNIN-CTR-Cascade isinverse-free,while

This SATURNIN-Short requirestheinversefunctiontodecrypttheciphertext. publication AEADvariants Key Nonce Tag Hashvariants Digestsize SATURNIN-CTR-Cascade 256 128 256 SATURNIN-Hash 256 SATURNIN-Short 256 128 256 is available

Security Analysis. BecauseSATURNIN sharesacommonstructurewithAES,previous analysisonAEScanbeapplied.TheSATURNIN teamhasprovidedasignificantamount

free ofanalysisinthesubmissiondocumentation. However,third-partycryptanalysiswasnot available. of charge Tweak plan. SATURNIN-CTR-Cascade isanencrypt-then-MACdesignand,assuch,does notrankasfavorablyassingle-passcandidatesintermsofthroughput. Toalleviatethis issue,theteamhasproposedaddinganadditionalvariantforsingle-passAEAD[18]. from:

3.2.23 SKINNY-AEAD andSKINNY-HASH https://doi.org/10.6028/NIST.IR.8369 Skinny,designedbyBeierleetal.[56],isatweakableblockcipherbasedAEADandhash- ingscheme.ThemaincomponentofSKINNY-AEAD andSKINNY-HASH isthetweakable blockcipherSKINNY.ThistweakableblockcipherwasproposedinCRYPTO2016[192]. ThedesigngoalofSKINNY istocompetewiththeblockcipherSIMONintermsofhard- wareandsoftwareperformancewhileprovingstrongersecurityguaranteeswithregardto differentialandlinearattacks. SKINNY-AEAD usesamodeofoperationfollowingthe generalθCB3 framework[208],whereasSKINNY-HASH followsthespongeconstruction.

Variants. ThevariantsoftheSKINNY familyarelistedbelow. M5andM6areadditional variantsthatdonotfollowNISTrequirements.Thetablealsoincludestheblocksizeofthe underlyingfunctionb,theratesizer,andthecapacitysizec.

AEADvariants TBC Key Nonce Tag Hashvariants TBC Digestsize b,r,c SKINNY-AEAD-M1 SKINNY-128-384 128 128 128 SKINNY-tk3-Hash SKINNY-128-384 256 384,128,256 SKINNY-AEAD-M2 SKINNY-128-384 128 96 128 SKINNY-AEAD-M3 SKINNY-128-384 128 128 64 SKINNY-AEAD-M4 SKINNY-128-384 128 96 64 SKINNY-AEAD-M5 SKINNY-128-256 128 96 128 SKINNY-tk2-Hash SKINNY-128-256 256 256,32,224 SKINNY-AEAD-M6 SKINNY-128-256 128 96 64

23 ______NISTIR8369 SecondRoundStatusReport

Security Analysis. Therehasbeenasignificantamountofthird-partyanalysisonSKINNY (e.g., [201,202,209])(seeTable9forthekey-recoveryanddistinguishingattacks). Zhaoetal. [206]presenteda28-round(outof56)related-tweakeyrectangleattackonSKINNY-128-384 withtimecomplexity2315.25,dataof2122chosenplaintexts,andmemory2122.32.Hadipour 361.68 This etal.[203]presenteda30-roundattackonSKINNY-128-384 withtimecomplexity2 , dataof2125.29chosenplaintexts,andmemory2125.8.Sincemostofthethird-partyanalyses publication requirehighcomplexityandonlyworkintherelated-tweakeymodel,accordingto[210], thesecuritymarginofthecandidateisadequate.

Tweak plan. Thedesignersconsideredtwotweaks[19]: (1)proposingfivenewvariants – , , , and , is SKINNY-AEAD-M1+ SKINNY-AEAD-M2+ SKINNY-AEAD-M3+ SKINNY-AEAD-M4+

available SKINNY-tk3-Hash+ –wherethenumberofroundsofSKINNY-128-384 isreducedfrom56 to40and(2)droppingthevariantsbasedonSKINNY-128-256,namelySKINNY-AEAD-M5, SKINNY-AEAD-M6,andSKINNY-tk2-Hash. free 3.2.24 SPARKLE of SPARKLE,designedbyBeierleetal. [57],comprisestheSCHWAEMM familyofAEADci- charge pherandESCH familyofhashfunctions,bothbasedontheSPARKLEpermutation[57]. ThepermutationappliesmultipledistinctinstancesofAlzette,a4-round64-bitblockci- pher,toachievenonlinearity.Alzetteisa64-bitS-boxbasedonanAddition-Rotation-XOR from: (ARX)designoperatingon32-bitwords,makingitparticularlyefficientinsoftware. The SCHWAEMM familyofAEADcipherisbasedontheduplexedspongeconstructionwitha https://doi.org/10.6028/NIST.IR.8369 combinedfeedback. TheESCH familyofhashfunctionsisbasedonthespongeconstruc- tion.

Variants. ThevariantsoftheSPARKLE familyarelistedinthetablebelow. Bothprimary algorithmsrelyonthe384-bitSPARKLE permutation.Inthetable,eachvariantusestheb- bitSPARKLE permutationwithr-bitrateandc-bitcapacity,whereb= r+ c.Inthe#Steps columnforAEADvariants,x,yindicatesthattheSPARKLE permutationwithystepsisused (1)intheinitialization,(2)betweentheADprocessingandthemessageprocessing,and (3)inthefinalization; andtheSPARKLE permutationwithxstepsisusedin(1)theAD processingand(2)themessageprocessing. Inthe#StepscolumnforHashvariants,x,y indicatesthattheSPARKLE permutationwithystepsisusedoncetogeneratethefirsthalf ofthehashoutput,andtheSPARKLE permutationwithxstepsisused(1)intheabsorption phaseand(2)togeneratethesecondhalfofthehashoutput.

AEADvariants Key Nonce Tag b,r,c #Steps Hashvariants Digestsize b,r,c #Steps SCHWAEMM128-128 128 128 128 256,128,128 7,10 ESCH256 256 384,128,256 7,11 SCHWAEMM192-192 192 192 192 384,192,192 7,11 ESCH384 384 512,128,384 8,12 SCHWAEMM256-128 128 256 128 384,256,128 7,11 SCHWAEMM256-256 256 256 256 512,256,256 8,12

24 ______NISTIR8369 SecondRoundStatusReport

Security Analysis. ThesecurityofSPARKLE againstvariousattackswasanalyzedbyBeierle etal. [211]. Workhasalsoshownthattheprobabilityof7-rounddifferentialtrailsof Alzetteisatmost2−24 [212]. Liuetal. [213]presented4-rounddifferential-linearand rotationaldifferential-lineartrailsinAlzettethatimprovedonpreviouslypublisheddiffer-

This entialcharacteristics.In[20],thedesignersofSPARKLE reportedthattheprobabilityofthe best7-rounddifferentialtrailsis2−26. publication Tweak plan. Thedesignershaveindicatedthattheydonotplantotweaktheirsubmission [20].

is 3.2.25 SPIX available SPIX,designedbyAlTawyetal. [58],isapermutation-basedAEADschemebasedon themonkeyDuplexconstruction[79]withadditionalkeyadditionsduringinitializationand finalizationtopreventakey-recoveryattackandaforgeryattackevenafterastateisre- free coveredbyanattackerduringtheencryption.SPIX operatesontwoinstances(wheresteps s∈ {9,18})of256-bitsLiSCP-lightpermutations. Thenonlinearlayerappliesasubstitu- of tionboxtotwowordsofthestate. Thesubstitution-boxfunctionisanunkeyed8-round charge variantoftheSimeck-64blockcipher[73]thatisdenotedSB-64.

Variants. ThesingleAEADvariantoftheSPIX familyislistedbelow. Inthetable,the from: numberofstepscorrespondsto18stepsduringtheinitializationandfinalizationphases and9stepsduringtheADormessageprocessingphases. https://doi.org/10.6028/NIST.IR.8369

AEADvariants Key Nonce Tag #Steps SPIX 128 128 128 18,9

Security Analysis. SPIX and one of the SpoC variants use similar sLiSCP-light-[256] permutations. Differentialcharacteristics[214–216]anddistinguishers[217]onsLiSCP- light[256],summarizedinSection3.2.26,arealsoapplicabletoSPIX.

Tweak plan. Notweakwasplanned[21].

3.2.26 SpoC SpongewithmaskedCapacity(SpoC),designedbyAlTawyetal. [59],isapermutation- basedAEADschemethataimstoachieveahigherratethantheduplexspongemodewhile alsomaintainingthesamelevelofsecurity.Thisisdonebymaskingthecapacitywithdata. TheSpoCmodeisinstantiatedwithsLiSCP-lightpermutationssimilartothoseofSPIX.

Variants. ThevariantsoftheSpoC familyarelistedbelow. SpoC-64,theprimaryvariant, has64-bitrate,128-bitcapacity,and64-bittagandusesanunkeyed6-roundvariantofthe

25 ______NISTIR8369 SecondRoundStatusReport

Simeck-64blockcipher[73]. Asecondvariant,SpoC-128,hasa128-bitrate,128-bitca- pacity,and128-bittagandusesanunkeyed8-roundvariantoftheSimeck-64blockcipher [73]. Bothvariantsusea128-bitnonceand128-bitkeys. Bothpermutationscomprise18 steps.Inthetable,bistheblocksizeoftheunderlyingfunction,ristheratesize,andcis

This thecapacitysize. publication AEADvariants Key Nonce Tag #Rounds #Steps b, r, c SpoC-128 sLiSCP-light-[256] 128 128 128 8 18 256,128,128 SpoC-64 sLiSCP-light-[192] 128 128 64 6 18 192,64,128 is available Security Analysis. Kralevaetal.[214–216]describeddifferentialcharacteristicsofsLiSCP- light-[256]andsLiSCP-light-[192]thatcoveredsix,seven,orninesteps,aswellascorre- spondingattacksonreduced-stepSpoC-64andSpoC-128variants. Akeyrecoveryattack free onfullSpoC-64waspresentedthatdoesnotviolatethesecurityclaimsduetolargedata

of requirements.

charge Hosoyamada et al. [217] described limited-birthday distinguishers over 15 steps of sLiSCP-light that can be used to mount attacks on 15-step and 16-step variants of the permutations. Theseattacksonthepermutationdonotposeanimmediatethreattothe from: SpoCsubmission,astheydonottakethemodeintoaccount. Theproofsofthemodeof SpoC wereprovidedin[182–184]. https://doi.org/10.6028/NIST.IR.8369 Tweak plan. TheSpoC teamdidnotplantotweaktheirdesign[22].

3.2.27 Spook Spook, designedbyBelliziaetal. [60], isanAEADbasedontheduplexmodeofop- eration[80],wheretheShadow-512permutationortheShadow-384permutationisused withstrengthenedinitializationandfinalizationphasesusingthetweakableblockcipher Clyde-128.

Variants. ThevariantsoftheSpook familyarelistedbelow,wheresuandmumeansingle- userandmulti-user. Forexample,Spook[128,512,su]usesClyde-128asitsunderlying tweakableblockcipherandShadow-512permutationasitsunderlyingpermutationinthe singleusersetting.

AEADvariants Usersetting Key Nonce Tag Spook[128,512,su] single 128 128 128 Spook[128,384,su] single 128 128 128 Spook[128,384,mu] multi 256 128 128 Spook[128,512,mu] multi 256 128 128

26 ______NISTIR8369 SecondRoundStatusReport

Security Analysis. Derbezetal. [218]describedpracticaldistinguishersofthefullsix stepsofShadow-512andShadow-384andalsopracticalforgeriesagainstSpook with4- stepShadowinthenonce-misusescenario.

Tweak plan. This Thedesignersconsideredtwopossibletweaks[23,219]forimprovingthe security margins of Spook against the collision attack [218] of Crypto 2020 against a

publication reduced-round Shadow: (1) changing the diffusion layer with an efficient MDS matrix and(2)updatingtheroundconstants.

3.2.28 Subterranean2.0 is Subterranean 2.0,designedbyDaemenetal.[61],isanAEADandhashingschemeoper- available atingona257-bitstateandisbasedonthemonkeyDuplexconstruction[79].

Variants. TheSubterranean 2.0 submissioncontainsoneAEADvariant, Subterranean-

free SAE,thatappliesSessionAuthenticatedEncryption(SAE)toaSubterranean duplexob- ject. Thesubmissionalsospecifiesasinglehashvariant,Subterranean-XOF,wherethe of XOFoutputlengthisfixedto256bits. BothSubterranean-SAEandSubterranean-XOF charge haveaninjectionrateof33bits,extractionrateof32bits,and224-bitcapacity. Inaddi- tion,thespecificationdefinesaDoubly-ExtendableCryptographicKeyed(deck)function, whichcanbeusedtoderivefreshsessionkeys.ThevariantsoftheSubterranean 2.0 family from: arelistedbelow. https://doi.org/10.6028/NIST.IR.8369 AEADvariants Key Nonce Tag Hashvariants Digestsize Subterranean-SAE 128 128 128 Subterranean-XOF 256

Security Analysis. Liuetal. [220]performedasecurityanalysisofSubterranean-SAE usingfourtypesofconditionalcubetestersinspiredbytheideaofconditionalcubeattacks [221]. Theypresentedafull-state-recoverywith215 bytesofdata inthenonce-misuse scenarioandakey-recoverywithtime235 inthenonce-misusescenario, distinguishing with235 bytesofdataandtime233 with4blankroundsinnonce-respectingscenarioand key-recoveryattack(data271.5 bytesofdataandtime2122)with4blankroundsinnonce- respectingscenario.NotethatSubterranean 2.0 useseightblankrounds.Later,Songetal. [222]proposedabetter(intermsoftimecomplexityandthenumberofnoncerepetitions) full-state-recoveryattackwith352bytesofdatainnonce-misusebyproposinganested, one-rounddifferentialanalysis, whichexploitstheoutputdifferenceintwoconsecutive rounds. Songetal. [222]madeMILPmodelsandshowedthatincasesofSubterranean- deckandSubterranean-SAE,therangeofthecorrelationoflineartrailsofthreeorfour keystreamblocksis[2−96,2−49),andtherangeoftheprobabilityofdifferentialtrailsfor statecollisionis[2−180,2−108).

Tweak plan. Notweakplanwasproposed[24].

27 ______NISTIR8369 SecondRoundStatusReport

3.2.29 SUNDAE-GIFT SUNDAE-GIFT,designedbyBaniketal.[62],isablock-cipherbasedAEADschemein- stantiatedwiththeblockcipherGIFT-128[121,122]. ItsmodefollowstheMAC-then- encrypt approach to provide privacy and authenticity even in the nonce-misuse setting. This Encryption(basedonOutputFeedback(OFB)mode)isdonebyXORingamessageand akey-stream;authentication/verificationisbasedonavariantofCBC-MAC(inspiredby publication GCBC[223]),whichusesmultiplicationby2or4toprovidedomainseparationforpadded vs.unpaddedversionsoftheADandplaintext.

Variants. ThevariantsoftheSUNDAE-GIFT familyarelistedbelow. is available AEADvariants Key Nonce Tag SUNDAE-GIFT-96 128 96 128 SUNDAE-GIFT-0 128 0 128 free SUNDAE-GIFT-128 128 128 128 of SUNDAE-GIFT-64 128 64 128 charge

Security Analysis. Mege[224]reportedanattackthatrevealsablockofplaintextwith from: 246 ciphertextblocks,249 bytesofmemory,and245 memorylookupswithattacksuccess probability2−39.Theattackdoesthisbyfindinginternalcollisions.Peyrin[225]responded https://doi.org/10.6028/NIST.IR.8369 thatthisisagenericbirthdayattack,andthecomplexitysupportsthesecurityclaimsmade inthesubmission.Changetal.[226]reportedthatSUNDAEisnotINT-RUP-secure.The third-partyanalysesonGIFT-128aresummarizedinTable6inSection3.2.8.

Tweak plan. Thedesignersdidnotplantotweaktheirsubmission[25].

3.2.30 TinyJAMBU TinyJAMBU,designedbyWuandHuang[63],isanAEADschemethatisinspiredbythe third-roundcandidateoftheCAESARcompetition,JAMBU[227]. Themaincomponent ofTinyJAMBU isa128-bitkeyedpermutationwithoutakeyschedulethatisbasedona nonlinearfeedbackshiftregister,andthenonlinearityineachroundisobtainedusinga singleNAND operation.

Variants. ThevariantsoftheTinyJAMBU familyarelistedbelow.

AEADvariants Key Nonce Tag Statesize TinyJAMBU-128 128 96 64 128 TinyJAMBU-192 192 96 64 128 TinyJAMBU-256 256 96 64 128

28 ______NISTIR8369 SecondRoundStatusReport

Security Analysis. In[63],thedesignersprovidedasecurityproofforthemode,analysis ofthekeyed-permutation,andsecurityagainstforgeryandkeyrecoveryattacks(including differential,linear,algebraic,andslideattacks).Sahaetal.[228–230]showedthatthese- curitymarginofTinyJAMBU isaround12%duetothedependenciesbetweentheoutputs

This ofmultipleAND gates.

publication Tweak plan. Inordertoprovidealargersecuritymargin,thedesignersconsideredincreas- ingthenumberofroundsforthepermutationthatprocessesthenonceandtheAD[26].

3.2.31 WAGE is WAGE, designed by Aagaard et al. [64, 231], is a permutation-based AEAD scheme. available WAGE isbasedontheduplexmodeofoperation[80],wheretherateis64bitsandthe capacityis195bits. Themodeincludesadditionalkeyadditionsduringtheinitialization andfinalizationphasestopreventakey-recoveryattackandaforgeryattackevenafter free astateisrecoveredbyanattackerduringtheencryption. Thedesignoftheunderlying 259-bitpermutationofWAGE,calledtheWAGE permutation,isinspiredbytheinitializa- of tionphaseoftheWelch-Gong(WG)cipher[232,233]. TheWAGE permutationhas111 charge rounds,wherethestateisdescribedby377-bitstages.Ateachround,sixstagesoutofthe 37stagesareupdatedandshiftedwithonestagethroughanLFSRoperationwith10tap positions;twoapplicationsoftheWelch-Gongpermutation(WGP);fourapplicationsofa from: 7-bitS-box(SB);andtheadditionoftwo7-bitroundconstants.NotethatWGPandSBare chosenforlow-costhardwareimplementation,thedifferentialprobabilitiesofWGPand https://doi.org/10.6028/NIST.IR.8369 SBare2−4.42 and2−4,andthecorrespondinglinearsquaredcorrelationsare2−5.08 and 2−5.35,respectively.

Variants. ThesingleAEADvariantoftheWAGE islistedbelow.

AEADvariants Key Nonce Tag WAGE-AE-128 128 128 128

Security Analysis. UsingtheMILPmodel,theWAGE designers[64,231]showedthatthe lowerboundsontheminimumnumberofdifferentially/linearlyactiveS-boxesare59for thecasewheretherearenoconstraintsonthepositionsofinputandoutputdifferencesand 72forthecasewheretheinputandoutputdifferencesrestrictedtoonlyratepositions.

Tweak plan. Thedesignersconsideredonepossibletweak[27]: changingthenumberof roundsoftheWAGEpermutationfrom111to74intheinitialization,associateddatapro- cessing,andfinalizationphases.

29 ______NISTIR8369 SecondRoundStatusReport

3.2.32 Xoodyak Xoodyak, designed by Daemen et al. [65], is a permutation-based AEAD and hashing scheme. Xoodyak isbuiltfromafixed384-bitpermutationXoodoooperatedinCyclist mode. ThedesignapproachofXoodooiscloselyrelatedtothatoftheKECCAKpermuta- This tion. publication Variants. ThevariantsoftheXoodyak familyarelistedbelow.

AEADvariants Key Nonce Tag Hashvariants Digestsize Xoodyakv1 128 128 128 Xoodyakv1 256 is available

Security Analysis. ThedesignersofXoodooprovideboundsondifferentialandlineartrails, aswellasapreliminarysecurityanalysisonthepermutation.SongandGuo[234]demon- free stratedacube-likeattackonXoodoo-AEreducedtosix(outof12)roundsin289 timeand 255 memory. Zhouetal. [235]alsopresentedaconditionalcubeattackonXoodyak re- of ducedtosix(outof12)roundsinanonce-misusesetting,recoveringthe128-bitkeyin charge 243.8 timeandnegligiblememorycost. Liuetal. [236]showedazero-sumdistinguisher onthefull12-roundXoodoo,with233 timecomplexityandLiuetal. [213]identifieda

from: 4-roundrotationaldifferential-lineardistinguisherwithcorrelationoneonXoodoowitha probability2−117.81. https://doi.org/10.6028/NIST.IR.8369 Tweak plan. Thesubmittershaveindicatedthattheyplantomakeatweakthatwillimprove speedforshortmessages[28].

3.3 AdditionalConsiderations Thissectiondescribesadditionalconsiderationsfortheselectionofthefinalists.

3.3.1 Side-ChannelResistance Asstatedinthesubmissioncall[31],resistancetoside-channelattacksisadesiredfea- ture. Thissectionprovidesanon-exhaustiveoverviewoftheresultsontheside-channel resistanceofthecandidates. Bela¨ıdetal. [237]introducedthetoolTornado thatproducesbitslicedmaskedimple- mentationsfromahigh-leveldescriptionofacryptographicprimitive,andtheyevaluated 11ofthecandidatesthatself-identifiedasbeingamendabletomaskingacrossalargerange ofmaskingorders. Abdulgadiretal. [238]developedFOBOS2–animprovedversionofFOBOS(Flexi- bleOpensourceworkBenchfOrSide-channelanalysis)–toperformpowermeasurements andside-channelresistanceevaluationsofthecandidates.ResultsonSpoC,Spook,GIFT- COFB,ASCON,andAES-GCM aremeasured.

30 ______NISTIR8369 SecondRoundStatusReport

Coleman et al. [239] compared the side-channel protection cost of the ARX-based candidatesCOMET-CHAMandSCHWAEMM.Theirresultsshowedthat,onaverage,the costofprotectingtheseciphersagainstside-channelattacksis32%moreinareaand38% moreinpowercomparedtoothercandidates.

This Guoetal. [240]proposedsecuritydefinitionsandconstructionsofauthenticateden- cryptionschemesinthepresenceofside-channelleakagesandnoncemisuse. publication Belliziaetal.[241]consideredthenoncemisuse-resilientCCAsecuritywithaunique challenge nonce (called CCAm security) and the nonce misuse-resistant Ciphertext In- tegrity(calledCIMsecurity)inthetwoleakagemodels,L1(encryptionleakageonly)and L2(bothencryptionanddecryptionleakages). Asshowninthebelowtable,Belliziaet

is al.[241]consideredtheachievablesecuritiesofleveledimplementationsofsomesecond- available roundcandidates,wheredifferentpartsoftheinvestigatedcandidateshavedifferentsecu- rityrequirementsagainstleakage.

Achievable security Candidates free CCAL1,CIL1 DryGASCON,Gimli,Oribatida,PHOTON-Beetle of

charge CCAmL1,CIML2 ACE,ASCON,SPIX,Spook,WAGE CCAmL2,CIML2 ISAP from: MandalandGong[242]investigatedtheBooleancircuitcomplexityofthecoreprim- itivesofthecandidates,specificallyforprivacyenhancingcryptographictechniques. The https://doi.org/10.6028/NIST.IR.8369 individualnonlinearcountsofthecandidatesarealsousefultostudythecostofproviding side-channelresistanceforthecandidates. AdomnicaiandPeyrin[243]studiedthebenefitsofthefixslicingimplementationstrat- egythataimstoachieveconstant-timesoftwareimplementations,andshowedhowitim- pactedthesoftwareperformanceofGIFT-COFB,Romulus,SKINNY-AEAD,andSAEAES. Kiaeietal.[244]examinedexecutiontimecharacteristicsofseveralsecond-roundcan- didates,andhowthesecharacteristicsenabletimingsidechannels. Additionally,theau- thorsevaluatedthefeasibilityofautomaticconstant-timecodegenerationonACE,ASCON, GIFT-COFB,andWAGE.

3.3.2 Nonce-MisuseSecurity Inthenonce-misusescenario,thesamenonceisusedfortwoormoreencryptionqueries. Noneoftherate-1second-roundcandidatesareintegrity-secureinanonce-misusesce- nario[245],becauseasimpleforgeryattackispossiblebyfindingastatecollision. There areeightrate-1candidateprimaryvariants:COMET,GIFT-COFB,HyENA,mixFeed,OR- ANGE,Pyjamask,Romulus,andSKINNY-AEAD.ThecandidatesESTATE andSUNDAE- GIFT arebothbasedontheMAC-then-encryptapproachandaredesignedtoprovidecon- fidentialityandintegrityinnonce-misusescenarios.

31 ______NISTIR8369 SecondRoundStatusReport

Thenonce-misusesecurityofdesignsfollowingsponge-typeconstruction,whetheritis basedonapublicpermutationorbasedonablockcipherwithafixedsecretkeyorakeyed permutation,largelydependsonthecapacitysizec. InthecaseofanAEADwithashorttagsizet,evenwhenanoncerepetitionisnot

This allowedforitsencryptionqueries,anonce-misuseattackcanbemountedthroughasuc- cessfuldecryptionquerywithprobability2−t [246]. Forexample,whent= 64,aforgery publication attackonanyrate-1candidatewithdecryption-querycomplexity264ispossible.However, aforgeryattackrequiringmorethandatacomplexity250 isbeyondtheNISTsubmission requirements[31]. Ashuretal.[247]introducedaconceptofnoncemisuse-resilientCCAsecurity,which

is meansthataslongasthenonceusedinthetestqueryisfresh,theconfidentialityofthe available testquerymusthold. Later,Belliziaetal. [241]andGuoetal. [240]calledthenonce misuse-resilientCCAsecurity“CCAm.” Notethatnoncemisuse-resilienceconsidersse- curity with a unique challenge nonce, and nonce misuse-resistance considers the secu- ritywithoutrestrictiononnonce-repetition. Forexample,Subterranean-SAEisinsecure free in terms of CCAm security [220]. This is because an efficient key-recovery attack on

of Subterranean-SAEispossibleinanonce-misusescenario.Notethatonceakeyiscompro-

charge mised,nomeaningfulsecurityisguaranteed.

3.3.3 RUPSecurity from: In the releasing unverified plaintext (RUP) scenario, even when tags are not valid, un-

https://doi.org/10.6028/NIST.IR.8369 verifiedplaintextsarereturnedthroughdecryptionqueries[176]. WhenanAEADpro- videsintegritysecurityintheRUPscenario,theAEADiscalledINT-RUP-secure. None oftherate-1second-roundcandidatesareINT-RUP-secure[245]. SUNDAE-GIFT isnot INT-RUP-secure[226],whichshowsthatitsnonce-misusesecuritydoesnotguaranteeits RUPsecurity. ESTATE [113],LOTUS-AEAD [167],LOCUS-AEAD [167],andOrib- atida [178]aredesignedtoprovideintegrityintheRUPscenario. Inthecaseofasponge-typeAEADdesignbasedonapermutation,excepttheexhaus- tivekeysearchandatagguessing,itsINT-RUPsecuritylevelfromitsmodelevellargely dependsonthecapacitysizec,wherethecapacitypartofeachstateissecretandisassumed tobeunpredictable.

3.3.4 ImpactsofStateRecovery Inthissection,weanalyzethecomplexityofrecoveringthekeyfromtheknowledgeofthe internalstateofthecipher. Thoughthesecretstaterecoveryisastrongassumption,some second-roundcandidatesclaimanadditionalfeaturethatensureslimiteddamageevenin caseofstaterecovery. ACE,ASCON,ISAP,SPIX,Spook, andWAGE areallbasedonsponge-typemodes withkeyedinitializationandfinalizationphasesmakingitdifficulttorecoverakeyfrom theknowledgeofthesecretstate.Therefore,theyaredesignedtoprovidesecurityagainst

32 ______NISTIR8369 SecondRoundStatusReport

key-recoveryandforgeryattacksevenwhenanentireinternalstateduringtheencryption phaseisdisclosedtotheattackers. Incasesofcandidatesbasedona(tweakable)blockcipherwithkey(s)orakeyedper- mutation,nomeaningfulsecurityisguaranteed,becausethedisclosureofanentireinternal

This stateduringtheencryptionphasemayimplythedisclosureofsecretkeyaswell. Incasesofsponge-likecandidatesbasedonapublicpermutationwithnoindependent publication keyedfinalization,onceanentireinternalstateduringtheencryptionphaseisdisclosed a key or an initial secret state can be recovered by reversing it, which enables attack- erstofreelyperformencryptionanddecryptionwithanyinput. Thereare10suchcan- didates: DryGASCON,Gimli,KNOT,ORANGE,Oribatida,PHOTON-Beetle,SPARKLE,

is SpoC,Subterranean 2.0 [220],andXoodyak. available ChangandTuran[145]analyzedthecomplexityofkeyrecoveryofGrain-128AEAD from theinternalstateunderdifferentscenariosandshowedthatthesecrecyofthekeyisnotfully protectedbyreintroducingthekey. free 3.3.5 Post-QuantumSecurity of Althoughnotformallyrequiredbythelightweightcryptographystandardizationprocess, charge anadditionalconcernfornewcryptographystandardsistheirresistancetoquantumthreats. Shor[248]showedthatasufficientlypowerfulquantumcomputercanefficientlybreak

from: commonly used public-key cryptosystems based on integer factorization, discrete loga- rithm,orelliptic-curvediscretelogarithmproblems. Toaddressthisissue,NISTiscur-

https://doi.org/10.6028/NIST.IR.8369 rentlyrunningaprocesstostandardizeoneormorequantum-resistantpublic-keycrypto- graphicalgorithms[249]. Mostsymmetriccryptosystemsareconsideredtoberelativelysecureagainstquantum threats. ThebestgenericattackagainstsymmetricciphersisGrover’salgorithm[250], whichprovidesaquadraticspeedupforexhaustivekeysearch(orfindingcollisionsinhash functions). Toavoidtheattack,variantswithlargerkeysizes(orlargerdigestsizes)may bepreferred. However,duetotherequirementtorunGrover’salgorithmusingsequential queries,thepracticalimplicationsoftheattackmaybelimited. Laterstudieshaveshown thatitisalsopossibletoexploittheinternalstructureofsymmetricciphers(e.g.,Even- Mansourconstruction[251],3-roundFeistelcipher[252],modeofoperations[253])using superpositionqueriestoaquantumcryptographicoracle. Hence,classicalsecurityproofs ofcryptographicconstructionneedtoberevisitedtoconsiderthequantumthreat. There arealsonewstudiesthatextendtheseresultstoaquantumattackerlimitedtoclassical queriesandofflinequantumcomputations(e.g.,[107,254]),whichcanbemorerelevantin practice.Recently,in[108],thesecuritiesofsESTATE andElephant againstkeyrecovery attackswereanalyzedinbothonlineandofflinequantumsettings. Threeofthesecond-roundteamsrespondedtothequantumsecurityoftheircandidates intheirsubmissiondocument:

• ASCON [35] includes the variant Ascon-80pq specifically designed for quantum resistancesupportingakeysizeof160bits;

33 ______NISTIR8369 SecondRoundStatusReport

• Gimli [42]arguesthattheselectionofthe256-bitkeyisdonetoavoidquantumand multi-userattacks; • SATURNIN [55]wasdesignedspecificallytoresistquantumattackswitha256-bit keyandblocksize. This Additionally,therearesixmorecandidates,namelyDryGASCON,KNOT,SAEAES,SPARKLE, publication Spook andTinyJAMBU,withvariantsthatsupport256-bitkeys.

4. PerformanceBenchmarking

is Thissectionsummarizesthemainsoftwareandhardwareperformancebenchmarkingini- available tiativesthatwereconsideredduringevaluation. Whiletheseeffortsprovidedcrucialin- formationontheperformanceofthecandidates,itisimportanttonotetheirlimitations. Resultsmaynotpresentacompletepictureofacandidate’spotentialforoptimizationin

free anyparticularmetric.Further,notallimplementationsaredesignedwiththesameassump- tionsorgoals,andtherearemorediverseimplementationsforsomecandidatesthanothers. of Moreefficientimplementationsarelikelypossibleforallcandidates. Assuch,theresults charge oftheseeffortswereconsideredasageneralguideandnotastrictranking.

4.1 SoftwareBenchmarking from: Softwareperformanceonmicrocontrollersisanimportantcriterionfortheevaluationof

https://doi.org/10.6028/NIST.IR.8369 thecandidates.Multiplebenchmarkinginitiativesevaluatedtheperformanceofthecandi- dates.Theseinitiativescoverawiderangeoftargetplatformsfrom8-bitmicrocontrollers withlimitedmemoryto32-bitand64-bitmicrocontrollers. Thespecificationsofthemi- crocontrollersusedbythebenchmarkinginitiativesaresummarizedinTable10.

4.1.1 MicrocontrollerBenchmarkingbyNIST NIST[255]internallyevaluatedtheperformanceofthecandidatesonmicrocontrollersand comparedthemagainsttheNISTstandardsAES-GCM andSHA-256. Theimplementa- tionswerecollectedfromthesubmissionpackages,GitHubrepositoriesofthecandidates, andtherepositoriesofotherbenchmarkinginitiatives. Intotal,327AEADand116hash implementationswerebenchmarkedontwo8-bitMCUsandfour32-bitMCUs. Theper- formancemetricscapturedwerecodesizeandexecutiontime,withvariousinputlengths rangingfrom8bytesto1024bytes. Theimplementationswerebenchmarkedunderfour differentcompileroptimizationflags.AppendixAcontainsdetailsandselectedresultsfor thiseffort.ThecompletesetofresultsisprovidedontheprojectGitHubpage[255]. TheAEADvariantsofKNOT andPHOTON-Beetle achievedthesmallestcodesize on8-bitplatforms. Ononeofthe8-bitplatforms(ATmega4809),thecodesizesofGIFT- COFB andTinyJAMBU arealsolessthanthatofAES-GCM.ASCON,GIFT-COFB,Gimli, KNOT,andTinyJAMBU aresmallerthanAES-GCM onall32-bitplatforms,whereasEle- phant,Pyjamask,SATURNIN,SPARKLE,SPIX,SUNDAE-GIFT,andXoodyak havesmaller

34 ______NISTIR8369 SecondRoundStatusReport

Table10.Specificationsofmicrocontrollersusedinbenchmarkinginitiatives

Initiative Microcontroller Processor Word Clock Flash RAM size speed ATmega328P AVR 8-bit 16MHz 32KB 2KB This ATmega4809 AVR 8-bit 20MHz 48KB 6KB SAMD21 ARMCortex-M0+ 32-bit 48MHz 256KB 32KB publication NIST[255] nRF52840 ARMCortex-M4 32-bit 64MHz 1MB 256KB PIC32MX340F512H MIPS32M4K 32-bit 80MHz 512KB 32KB ESP8266 TensilicaL106 32-bit 80MHz 4MB 80KB ATmega328P AVR 8-bit 16MHz 32KB 2KB is STM32F103 ARMCortex-M3 32-bit 72MHz 64KB 20KB available Renneretal.[256] STM32F746ZG ARMCortex-M7 32-bit 216MHz 1MB 320KB ESP32WROOM TensilicaXtensaLX6 32-bit 240MHz 4MB 520KB KendryteK210 RISC-V(DualCore) 64-bit 400MHz 16MB 8MB free ATmega2560 AVR 8-bit 16MHz 256KB 8KB Weatherley[257] AT91SAM3X8E ARMCortex-M3 32-bit 84MHz 512KB 96KB of ESP32 TensilicaXtensaLX6 32-bit 240MHz 4MB 520KB charge

codesizesonsomeofthoseplatforms. Overall,Gimli,KNOT,andTinyJAMBU havethe from: smallestcodesizeacrossallplatformswithASCON andXoodyak performingparticularly wellon32-bitplatforms. https://doi.org/10.6028/NIST.IR.8369 ThehashvariantsofGimli,KNOT,andSPARKLE achievesmallercodesizesthanSHA- 256 on all the tested platforms. ASCON outperforms SHA-256 except on SAM D21 and ESP8266, and Xoodyak outperforms SHA-256 except on nRF52840. PHOTON- Beetle achievesthesmallestcodesizeon8-bitplatformswhileperformingworseon32-bit platforms.

4.1.2 MicrocontrollerBenchmarkingbyRenneretal. Renneretal. [256,258–260]developedabenchmarkingframeworktoevaluatetheper- formanceofAEADalgorithmsandevaluatedthesecond-roundcandidatesonfivemicro- controllers. Thebenchmarkingprovidesexecutiontime(averagetimetogeneratethetest vectors),sizeofthecompiledbinary,andRAMusage(foronlySTM32F746ZG)asperfor- mancemetrics.Theresultsarepublishedat[258]. Consideringonlytheprimaryvariants,theresultscanbesummarizedasfollows:

• SCHWAEMM,TinyJAMBU,GIFT-COFB,KNOT,andHyENA werethefastestonthe ArduinoUNO,whileKNOT,PHOTON-Beetle,TinyJAMBU,Xoodyak,andGIFT- COFB hadthesmallestcodesizes.

• On a STM32F1 MCU, Xoodyak, ASCON, SCHWAEMM, TinyJAMBU, and GIFT- COFB hadthefastestimplementations; andKNOT,TinyJAMBU,Xoodyak, ACE,

35 ______NISTIR8369 SecondRoundStatusReport

andSCHWAEMM usedtheleastROM.

• ThefastestfiveontheESP32MCUwereTinyJAMBU,Xoodyak,SAEAES,KNOT, andGIFT-COFB,andthesmallestwereGrain-128AEAD,KNOT,TinyJAMBU,AS- CON,andSCHWAEMM. This

• TinyJAMBU,ASCON,Xoodyak,SCHWAEMM,andGimli werefastestontheSTM32F7 publication MCU;ASCON,KNOT,TinyJAMBU,Xoodyak,andSCHWAEMM usedtheleastROM; andTinyJAMBU,KNOT,ASCON,SCHWAEMM,andSpoC usedtheleastRAM.

• ASCON,KNOT,SAEAES,TinyJAMBU,andXoodyak werethefastestontheRISC-

is Vplatform;andASCON,KNOT,TinyJAMBU,SCHWAEMM,andXoodyak usedthe available leastROM.

• Overall,ASCON,GIFT-COFB,KNOT,SCHWAEMM,TinyJAMBU,andXoodyak stood outastopperformers. free

of 4.1.3 MicrocontrollerBenchmarkingbyWeatherley charge Weatherley[257]developedoptimizedimplementationsofthesecond-roundcandidates andperformedtimingmeasurementsonthem. Foreachvariant,anoptimizedCimple- mentationandassemblyimplementationsforAVRandARM-v7marchitectureswerepro- from: vided. AES-basedvariantsoffoursubmissions,namelyCOMET,ESTATE,mixFeed,and SAEAES wereexcluded. Thebenchmarksincludedtimingresultsforencryptingandde- https://doi.org/10.6028/NIST.IR.8369 crypting16- and128- bytemessages. Thespeedmetricsweregivenbycomparingeach AEADalgorithmwithChaChaPoly[261–263]andeachhashingalgorithmwithBLAKE2s [264]. This work also provided the masked implementations of ASCON, GIFT-COFB, Gimli, KNOT, Pyjamask, SPIX, SpoC, Spook, TinyJAMBU, and Xoodyak and bench- markedtheirexecutiontimesforuptosixshares. Resultscanbesummarizedasfollows:

• Onthe8-bitAVRplatform,COMET,SPARKLE,GIFT-COFB,HyENA,ASCON,Tiny- JAMBU,ORANGE,Spook,andGimli werethetopAEADperformers,andtheirper- formanceismorethantwicethatofChaChaPoly.

• ESTATE,SUNDAE-GIFT,Subterranean 2.0,Xoodyak,Pyjamask,Romulus,PHOTON- Beetle,KNOT,SKINNY-AEAD,SpoC,andSATURNIN arefasterthanChaChaPoly byafactorlessthantwo.

• Oribatida, Grain-128AEAD,WAGE,ForkAE,ACE,Elephant, andISAP areslower thanChaChaPoly. SPARKLE,Gimli, SATURNIN,andXoodyak performedhashing fasterthanBLAKE2s.

• DryGASCON,ASCON,ORANGE,PHOTON-Beetle,Subterranean 2.0,ACE,KNOT, andSKINNY-HASH wereslowerthanBLAKE2s.

36 ______NISTIR8369 SecondRoundStatusReport

• Onthe32-bitplatforms,COMET,SPARKLE,Xoodyak,ASCON,andTinyJAMBU were fasterthanChaChaPoly.

• TherewasnohashalgorithmamongthecandidatesthatwasfasterthanBLAKE2s on32-bitplatforms. This

publication 4.1.4 AdditionalResults Camposetal. [265]comparedtheeffectivenessofvariousoptimizationmethodsonsix ofthesecond-roundcandidateswhenimplementedonRISC-Vplatforms. Thefocusof thisworkwasnottocomparetheperformancebetweencandidates,but,rather,tocompare is differentimplementationoptimizationstrategiesofasmallnumberofcandidates.Thiswas available donebyconsideringthetime(incyclecounts)forencrypting128bytesofmessagewith 128bytesofAD,aswellashashing128bytesofmessages. Nisanci et al. [266] evaluated the size and speed of the reference implementations

free oftheprimaryAEADvariantsofthesecond-roundcandidateson32-bitRISC-Varchi- tectures. Themetricsusedwerecodesizeandexecutiontimeforauthenticatedencryp- of tion/decryptionofinputsofsize128-byte,2KB,and16KB.Inallcases,compilingwith charge the-os flagresultedinasignificantlysmallerexecutablethancompilingwithnooptimiza- tion.Otherflagsalsoledtomorecompactimplementationsinsomecases. eBACS(ECRYPTBenchmarkingofCryptographicSystems)[267]isarepositoryof from: softwareperformancebenchmarkingresultsonconventionalprocessors.Thereareseveral smaller benchmarking projects, each focusing on a different type of primitive or func- https://doi.org/10.6028/NIST.IR.8369 tionality.ResultsfromeBAEAD(ECRYPTBenchmarkingofAuthenticatedCiphers)and eBASH(ECRYPTBenchmarkingofAllSubmittedHashes)resultswereconsideredfor serverorhubdevices.ASCON,Gimli,andXoodyak implementationsperformedbestover- allforhashing,followedbySATURNIN andSPARKLE.ForAEAD,ASCON andXoodyak con- sistentlyoutperformothercandidateson64-bitplatformswhenconsideringalltestedinput lengths. Gimli,KNOT,andSAEAES alsohavehighspeedimplementationsonsomesys- tems. SantosandGroßschadl[¨ 268]studiedtheexecutiontimeandcodesizeofassemblerim- plementationsofpermutationsofASCON,Gimli,SPARKLE,andXoodyak onan8-bitAVR, anda32-bitARMCortex-M3microcontroller. Accordingtothestudy,thethroughputof ASCON,SPARKLE andXoodoo permutationsisverysimilaronARM;andon8-bitAVR, SPARKLE outperformsASCON andXoodoo. Fotovvatetal. [269]studiedtheperformanceofthecandidatesonRaspberryPi3, RaspberryPiZeroW,andiMX233usingthepowerconsumption,randomaccessmemory usage,andexecutiontimemetrics.

4.2 HardwareBenchmarking Inadditiontohardwarefiguresprovidedbythesubmitters,NISTconsideredresultsfrom thehardwarebenchmarkinginitiativesdescribedinsubsections4.2.1to4.2.3below. The

37 ______NISTIR8369 SecondRoundStatusReport

platformsandmetricsusedintheseeffortsaresummarizedinTable11.

4.2.1 FPGABenchmarkingbyGMUCERG TheGeorgeMasonUniversityCryptographicEngineeringResearchGroup[270]provided This performanceresultsusingtheirtoolsuite:ATHENa[271],Minerva[272],andXeda[273].

publication Thiseffortevaluatedtheimplementationsof27second-roundcandidatesandrankedthem intermsofthroughputandenergyperbit.Optimizationrulesfixedanupperlimitonimple- mentationsizeandselectedtheclockfrequencyforeachimplementationthatmaximized itsthroughput. Thesameclockfrequencywasusedforallimplementationsduringpower andenergyanalysis. is

available OntheXilinxArtix-7platform,Subterranean 2.0,ASCON,Xoodyak,Gimli,KNOT, GIFT-COFB,DryGASCON,COMET,Spook,Elephant,TinyJAMBU,andRomulus were thetopAEADperformersaccordingtothroughput.TinyJAMBU,Gimli,Subterranean 2.0, Romulus, and ESTATE had very compact implementations that were under 1000 Look free UpTables(LUTs). Gimli,Xoodyak,andASCON performedhashingfasterthanSHA-2. Subterranean 2.0,Gimli,ACE,Xoodyak,andSATURNIN werethefivecandidateswiththe of smallestimplementationssupportinghashing. SPARKLE hadtheonlyimplementationthat charge exceededtheresourcelimit. ResultsweresimilarfortheIntelCyclone10LPFPGA.Subterranean 2.0,ASCON,

from: Gimli,Xoodyak,KNOT,GIFT-COFB,Elephant,DryGASCON,TinyJAMBU,Spook,Ro- mulus,SATURNIN,andPHOTON-Beetle hadhigherthroughputthanAES-GCM,where

https://doi.org/10.6028/NIST.IR.8369 theAES-GCM implementationexceededthe5000LEbudget.TinyJAMBU,Subterranean 2.0,ESTATE,SpoC,andRomulus werethefivecandidateswiththesmallestimplementa- tions.Gimli andXoodyak alsodemonstratedfasterhashingthanSHA-2.Subterranean 2.0, ACE,Xoodyak,andGimli werethecandidateswiththesmallestimplementationssupport- inghashing. Results were also similar on the Lattice ECP5, where Subterranean 2.0, Xoodyak, Gimli,ASCON,KNOT,GIFT-COFB,Elephant,DryGASCON,andTinyJAMBU implemen- tationsprocessedplaintextfasterthanAES-GCM;andGimli andXoodyak exhibitedhigher hashingthroughputthanSHA-2. Subterranean 2.0, Gimli, ACE,andXoodyak werethe candidateswiththesmallestimplementationssupportinghashing.

4.2.2 ASICBenchmarkingbyKhairallahetal. Khairallahetal.[274,275]synthesizedtenofthecandidateson65nmand28nmtechnolo- gies.Thisworkprimarilyconsideredtwousecases.Thefirstwasperformanceefficiency, wherethethroughput/arearatioisthemainconcern.Thesecondusecasewaslightweight protocols,whereBluetoothandBluetoothLow-Energywereselectedasrepresentativesof suchprotocols.Implementationsweresynthesizedaccordingtofourdifferentoptimization goals:balanced,low-area,high-speed,andlow-frequency. Implementationswerecomparedaccordingtoarea,energy,area×energy,andthrough- put. TinyJAMBU andRomulus hadthesmallestimplementationsandstrongperformance

38 ______NISTIR8369 SecondRoundStatusReport

whenoptimizedforlowarea.Subterranean 2.0 wasthemostenergy-efficient.Whenarea islimitedto9000GE,TinyJAMBU,Romulus,Subterranean 2.0,andXoodyak displaythe bestresults.Pyjamask faredtheworstofthetencandidatesinallmetrics.

This 4.2.3 ASICBenchmarkingbyAagaardandZidaricˇ

1 publication AagaardandZidaric[ˇ 276]synthesized22ofthecandidates, aswellastwoimplementa- tionsofAES-GCM.FivedifferentASICcelllibrariesandtwosynthesistoolswereused. Thecelllibrariestarget65nm,90nm,and130nmtechnologies. Toillustratedesigntrade- offs,thestudyprovidestheratiosofthroughputtoarea,throughputtoenergy,andthrough- puttoarea×energy. is

available Resultswerepresentedasaveragescaledvaluestakenacrossthedifferentconfigura- tions. Throughputresultsreflectsteady-stateplaintextprocessinganddonotincludethe costofloadingthekey,stateinitialization,orADprocessing. Hashingwasnotevaluated inthisstudy. free TinyJAMBU hadthesmallestfootprintfollowedbyRomulus;however,theybothhad relativelypoorperformance. Subterranean 2.0 hadthenextlowestareaandhasoutstand- of

charge ing performance. The candidates with the most energy-efficient implementations were Subterranean 2.0, Gimli, Xoodyak, and ASCON. In addition, TinyJAMBU, SPIX, and COMET werealsoveryenergyefficientatlowerthroughputs.Subterranean 2.0 andTiny- from: JAMBU excelonceagainwhenconsideringarea×energy. Xoodyak andASCON hadlow area×energy withgoodthroughput,followedbyRomulus.COMET alsodemonstrateslow

https://doi.org/10.6028/NIST.IR.8369 area×energyatlowthroughput.

Table11.Summaryofthehardwarebenchmarkinginitiatives

Initiative Platforms Metrics Resourceutilization(LUTorLE,flip-flops) XilinxArtix-7 Maximumclockfrequency(MHz) GMUCERGgroup[270] IntelCyclone10LP LatticeSemiconductorECP5 Throughput(Mbits/s) Energyperbit(nJ/bit) Area(µm2 andGE) TSMC65nm Clockperiod(ns) Khairallahetal.[274] FDSOI28nm Power(mW) Energy(mJ) STMicro65nm Throughput(bitspercycle) TSMC65nm Area(GE) AagaardandZidaric[ˇ 276] STMicro90nm Energy(nJ) TSMC90nm Area×Energy(GE×nJ) ARM/IBM130nm ClockSpeed(GHz)

1LOTUS-AEAD andLOCUS-AEAD areincludedinthesamesubmissionpackage.

39 ______NISTIR8369 SecondRoundStatusReport

5. SelectingtheFinalists

Tofocusanalysisonthecandidatesmostlikelytobestandardizedattheendofthisprocess, thenumberofcandidatesunderconsiderationhadtobesignificantlyreduced.Tenfinalists wereselectedusingtheevaluationcriteriadescribedinSection2.Thissectionsummarizes This theselectionprocess. publication Security. Thedesignrationale,securityanalysis,andproofsprovidedbythesubmission team,aswellasthethird-partyanalysis,playedasignificantroleintheselection.Analysis thatcoveredonlysmallnumberofrounds,andrequiredsignificanttimeandmemorycom- plexitiesincreasedconfidenceintheclaimedsecuritymargins. Insomecases,third-party is resultsraisedconcernsaboutthevalidityofsecurityclaims;inparticulardistinguisherson available theunderlyingpermutationsorweakkeyclasseswereofconcern. Therewerealsoattack resultsthatinvalidatedsecurityclaims,suchaspracticalforgeryattacksorkeyrecovery attacks. free Performance. Softwareandhardwareperformancecomparisonsofthecandidateswere of conductedbymultiplepublicinitiatives(seeSection4). Candidatesthatdidnotdemon- charge stratesignificantperformancebenefitsovercurrentNISTstandardswerenotfavoredfor advancement.NISTalsoconsideredthestatedgoalsofthecandidate,performanceacross avarietyofinputsizes,andhowcandidateswithsimilarfeaturescompared. Designsthat from: demonstratedampleflexibilityinselectingimplementationtrade-offsandcouldbeapplied toawidevarietyofusecaseswithacceptableperformancewerefavored. https://doi.org/10.6028/NIST.IR.8369 TweakPlans.NISTalsoconsideredthetweakplansofthecandidates(inparticular,their impactontheperformanceandthesecurityofthecandidate)asapartoftheevaluation. Ingeneral,tweaksrequiringsignificantstructuralchangeswerenotlookeduponfavorably duringtheselection.

DiversityofCandidates. Duringtheselection,NISTalsoconsideredthediversityofthe finalists. Whenthereweremultiplepromisingcandidatesbasedonthesameunderlying primitive(e.g.,permutation,blockcipher,ortweakableblockcipher),theywerealsocom- paredtoeachother,andasubsetofthecandidateswasselectedfromthesecandidates.

NISTPortfolio. NISTalsoconsideredhowcandidateswouldfitwithinitsexistingport- folioofcryptographicstandards. Someofthecandidatesincludedminormodificationsto AES inwaysthatwouldpotentiallycauseissuesduringadoptionanduse.Modesthatwere instantiatedwithAESwerenotfavoredtoadvancetothenextround,becausetherearelim- itedperformancebenefitsinconstraineddevices,especiallywhenconsideringside-channel resistantimplementations. NISTselectedtenfinaliststomoveforwardtothenextround.Forapplicationsthatonly requireAEADfunctionality, thefollowingsixcandidateswillbeconsidered: Elephant, GIFT-COFB,Grain-128AEAD,ISAP,Romulus,andTinyJAMBU.Forapplicationsthatalso

40 ______NISTIR 8369 Second Round Status Report

require hashing functionality, the following four candidates will be considered: ASCON, PHOTON-Beetle, SPARKLE, and Xoodyak. Eight of the finalists, namely ASCON, Elephant, GIFT-COFB, Grain-128AEAD, ISAP, PHOTON-Beetle, Romulus, and SPARKLE, rely on thoroughly-analyzed, and previously-

This published building blocks and components. ASCON, GIFT-COFB, ISAP, PHOTON-Beetle, Romulus, SPARKLE, TinyJAMBU, and Xoodyak demonstrated performance advantages publication over NIST standards in software benchmarks and are under consideration for software applications. For hardware applications, the finalists ASCON, Elephant, GIFT-COFB, PHOTON-Beetle, Romulus, TinyJAMBU, and Xoodyak demonstrated performance advan- tages over NIST standards. ISAP provides promising features for applications requiring

is side-channel resistance. available 6. Next Steps

It is estimated that the third round of evaluation and review will take approximately 12 free months. The selection will consider the security of the candidates and performance on

of software and hardware platforms, including the performance of protected implementations. charge During the final round, NIST is planning to host the fifth workshop to support the standard- ization process. NIST encourages further analysis of the candidates that did not advance to the final from: round. The candidates that proposed new modes of operation instantiated with AES might still be beneficial for general-purpose applications. The modes of operations of these can- https://doi.org/10.6028/NIST.IR.8369 didates may be considered later under NIST’s mode development project [277].

41 ______NISTIR8369 SecondRoundStatusReport

References

[1] SonmezTuranM,McKayKA,C¸alıkC¸,ChangD,BasshamILawrenceE(2019)¨ Status Report on the First Round of the NIST Lightweight Cryptography Stan- dardization Process (National Institute of Standards and Technology), Report. This https://doi.org/10.6028/NIST.IR.8268

publication [2] Aagaard M, AlTawy R, Gong G, Mandal K, Rohit R (2020) Updates on ACE, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-2/status-update-sep2020/aceupdate.pdf. [3] Dobraunig C, Eichlseder M, Mendel F, Schlaffer¨ M (2020) Status Update is

available on Ascon v1.2, Update to the NIST Lightweight Cryptography Standardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-2/status-update-sep2020/asconupdate.pdf. [4] Gueron S, Jha A, Nandi M (2020) Updates on COMET, Update to free the NIST Lightweight Cryptography Standardization Process. https: //csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ of

charge round-2/status-update-sep2020/cometupdate.pdf. [5] Riou S (2020) DryGASCON Status Update, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/ from: Projects/lightweight-cryptography/documents/round-2/status-update-sep2020/ DryGASCON20200917-status-update.pdf.

https://doi.org/10.6028/NIST.IR.8369 [6] Beyne T, Chen YL, Dobraunig C, Mennink B (2020) Status Update on Elephant, Update to the NIST Lightweight Cryptography Standardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-2/status-update-sep2020/Elephantstatus-update-round-2.pdf. [7] Chakraborti A, Datta N, Jha A, Lopez CM, Nandi M, Sasaki Y (2020) [lwc-forum] Official Comment: ESTATE, Email to lwc-forum. https: //csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-2/status-update-sep2020/ESTATE-update-email.pdf. [8] AndreevaE,LallemandV,PurnalA,ReyhanitabarR,RoyA,Vizar´ D(2020)Sta- tusUpdateofForkAE,UpdatetotheNISTLightweightCryptographyStandardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-2/status-update-sep2020/ForkAEUpdate.pdf. [9] Banik S, Chakraborti A, Iwata T, Minematsu K, Nandi M, Peyrin T, Sasaki Y, Sim SM, Todo Y (2020) GIFT-COFB: NIST LWC Second-round Candi- date Status Update, Update to the NIST Lightweight Cryptography Standardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-2/status-update-sep2020/GIFT-COFBstatusupdate.pdf. [10] Bernstein DJ, Kolbl¨ S, Lucks S, Massolino PMC, Nawaz FMK, Schneider T, Schwabe P, Standaert FX, Todo Y, Viguier B (2020) Gimli: NIST LWC Second-round Candidate Status Update, Update to the NIST Lightweight Cryp-

42 ______NISTIR8369 SecondRoundStatusReport

tography Standardization Process. https://csrc.nist.gov/CSRC/media/Projects/ lightweight-cryptography/documents/round-2/status-update-sep2020/gimliupdate. pdf. [11] Hell M, Johansson T,Meier W,Sonnerup J, YoshidaH (2020) Grain-128AEAD

This - Status Document, Update to the NIST Lightweight Cryptography Standardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ publication documents/round-2/status-update-sep2020/Grain128AEADstatusdocument.pdf. [12] Chakraborti A, Datta N, Jha A, Nandi M (2020) HyENA-v2: Tweak Pro- posal for HyENA, Update to the NIST Lightweight Cryptography Standardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/

is documents/round-2/status-update-sep2020/hyenaupdate.pdf. available [13] Dobraunig C, Eichlseder M, Mangard S, Mendel F, Mennink B, Primas R, Un- terluggauerT(2020)NISTUpdate: ISAPv2.0, UpdatetotheNISTLightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-2/status-update-sep2020/ free ISAPupdateisap.pdf.

of [14] Zhang W, Ding T, Yang B, Bao Z, Xiang Z, Ji F, Zhao X, Zhou C

charge (2020) Update on Security Analysis and Implementations of KNOT, Up- date to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ from: round-2/status-update-sep2020/KNOTUpdate.pdf. [15] Bhattacharjee A, List E, Lopez´ CM, Nandi M (2020) Tweaks for Oribatida https://doi.org/10.6028/NIST.IR.8369 v1.3, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-2/status-update-sep2020/oribatidanistlwc2020oribatida-v13update.pdf. [16] Bao Z, Chakraborti A, Datta N, Guo J, Nandi M, Peyrin T, Yasuda K (2020) PHOTON-Beetle Authenticated Encryption and Hash Family — Updated on Software Implementations, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-2/status-update-sep2020/ PHOTON-Beetlesoftwareupdate18Sep2020.pdf. [17] Iwata T, Khairallah M, Minematsu K, Peyrin T (2020) Romulus for Round 3, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-2/status-update-sep2020/Romulus-for-Round-3.pdf. [18] Canteaut A, Duval S, Leurent G, Naya-Plasencia M, Perrin L, Pornin T,Schrot- tenloher A (2020) An Update on Saturnin, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-2/status-update-sep2020/ Saturninupdate.pdf. [19] Beierle C, Jean J, Kolbl¨ S, Leander G, Moradi A, Peyrin T, Sasaki Y, Sas- drich P, Sim SM (2020) SKINNY-AEAD and SKINNY-Hash: NIST LWC

43 ______NISTIR8369 SecondRoundStatusReport

Second-round Candidate Status Update, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-2/status-update-sep2020/ SKINNY-AEADandSKINNY-Hashstatusupdate.pdf.

This [20] Beierle C, Biryukov A, dos Santos LC, Großschadl¨ J, Perrin L, Udovenko A, Velichkov V, Wang Q (2020) An Update on the Sparkle Suite, Up- publication date to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-2/status-update-sep2020/SPARKLEupdate.pdf. [21] AlTawy R, Gong G, He M, Mandal K, Rohit R (2020) Updates on Spix,

is Update to the NIST Lightweight Cryptography Standardization Process. available https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-2/status-update-sep2020/spixupdate.pdf. [22] AlTawy R, Gong G, He M, Mandal K, Nandi M, Rohit R (2020) Up- dates on SpoC, Update to the NIST Lightweight Cryptography Standardiza- free tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/

of documents/round-2/status-update-sep2020/spocupdate.pdf.

charge [23] Bellizia D, Berti F, Bronchain O, Cassiers G, Duval S, Guo C, Le- ander G, Leurent G, Levi I, Momin C, Pereira O, Peters T, Standaert FX, Udvarhelyi B, Wiemer F (2020) Spook: Updates on the Round- from: 2 Submission, Update to the NIST Lightweight Cryptography Standardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ https://doi.org/10.6028/NIST.IR.8369 documents/round-2/status-update-sep2020/Spookupdates.pdf. [24] DaemenJ,MassolinoPMC,MehrdadA,RotellaY(2020)UpdatesontheSubter- ranean2.0CipherSuite,UpdatetotheNISTLightweightCryptographyStandardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-2/status-update-sep2020/subterraneanr2Update.pdf. [25] Banik S, Bogdanov A, Peyrin T, Sasaki Y, Sim SM, Tischhauser E, Todo Y (2020) SUNDAE-GIFT: Status Update, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-2/status-update-sep2020/ SUNDAE-GIFTStatus-Update.pdf. [26] Wu H, Huang T (2020) TinyJAMBU Update, Update to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-2/status-update-sep2020/ TinyJambuupdate20200918.pdf. [27] Aagaard M, AlTawy R, Gong G, Mandal K, Rohit R, Zidaric N (2020) Up- dates on WAGE, Update to the NIST Lightweight Cryptography Standardiza- tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-2/status-update-sep2020/wageupdate.pdf. [28] Daemen J, Hoffert S, Mella S, Peeters M, Assche GV, Keer RV (2020) Xoodyak,AnUpdate,UpdatetotheNISTLightweightCryptographyStandardiza-

44 ______NISTIR8369 SecondRoundStatusReport

tion Process. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-2/status-update-sep2020/Xoodyak-update.pdf. [29] McKayKA,BasshamILawrenceE,SonmezTuranM,MouhaN(2017)Report¨ onLightweightCryptography(NationalInstituteofStandardsandTechnology),Re-

This port.https://doi.org/10.6028/NIST.IR.8114 [30] Bassham L,C ¸alık C, ¸ McKay K, Mouha N,S onmez¨ Turan M (2017) publication Profiles for the Lightweight Cryptography Standardization Process. https://csrc.nist.gov/CSRC/media/Publications/white-paper/2017/04/26/ profiles-for-lightweight-cryptography-standardization-process/draft/documents/ profiles-lwc-std-proc-draft.pdf.

is [31] NIST (2018) Submission Requirements and Evaluation Criteria for available the Lightweight Cryptography Standardization Process. https://csrc. nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/ final-lwc-submission-requirements-august2018.pdf. [32] DworkinMJ(2007)RecommendationforBlockCipherModesofOperation: Ga- free lois/CounterMode(GCM)andGMAC(NationalInstituteofStandardsandTech-

of nology),Report.https://doi.org/10.6028/NIST.SP.800-38D

charge [33] NationalInstituteofStandardsandTechnology(2015)SecureHashStandard(SHS) (U.S.DepartmentofCommerce),Report.https://doi.org/10.6028/NIST.FIPS.180-4 [34] Aagaard M, AlTawy R, Gong G, Mandal K, Rohit R (2019) ACE: An from: Authenticated Encryption and Hash Algorithm, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/ https://doi.org/10.6028/NIST.IR.8369 lightweight-cryptography/round-2-candidates. [35] DobraunigC,EichlsederM,MendelF,SchlafferM(2019)Ascon,Submissionto¨ theNISTLightweightCryptographyStandardizationProcess.https://csrc.nist.gov/ Projects/lightweight-cryptography/round-2-candidates. [36] Gueron S, Jha A, Nandi M (2019) COMET: COunter Mode Encryption with authentication Tag, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates. [37] RiouS(2019)DryGASCON,SubmissiontotheNISTLightweightCryptography Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates. [38] BeyneT,ChenYL,DobraunigC,MenninkB(2019)Elephantv1.1,Submissionto theNISTLightweightCryptographyStandardizationProcess.https://csrc.nist.gov/ Projects/lightweight-cryptography/round-2-candidates. [39] ChakrabortiA,DattaN,JhaA,LopezCM,NandiM,SasakiY(2019)ESTATE, SubmissiontotheNISTLightweightCryptographyStandardizationProcess.https: //csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates. [40] Andreeva E, Lallemand V, Purnal A, Reyhanitabar R, Roy A, Vizar´ D (2019) ForkAE v.1, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/

45 ______NISTIR8369 SecondRoundStatusReport

round-2-candidates. [41] Banik S, Chakraborti A, Iwata T, Minematsu K, Nandi M, Peyrin T, Sasaki Y, Sim SM, Todo Y (2019) GIFT-COFB v1.0, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/

This lightweight-cryptography/round-2-candidates. [42] Bernstein DJ, Kolbl¨ S, Lucks S, Massolino PMC, Mendel F, Nawaz K, Schnei- publication derT,SchwabeP,StandaertFX,TodoY,ViguierB(2019)Gimli,Submissionto theNISTLightweightCryptographyStandardizationProcess.https://csrc.nist.gov/ Projects/lightweight-cryptography/round-2-candidates. [43] Hell M, Johansson T, Meier W, Sonnerup¨ J, Yoshida H (2019) Grain-

is 128AEAD - A Lightweight AEAD Stream Cipher, Submission to the NIST available Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/ lightweight-cryptography/round-2-candidates. [44] ChakrabortiA,DattaN,JhaA,NandiM(2019)HyENA,SubmissiontotheNIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/ free lightweight-cryptography/round-2-candidates.

of [45] DobraunigC,EichlsederM,MangardS,MendelF,MenninkB,PrimasR,Unter-

charge luggauerR(2019)ISAPv2.0,SubmissiontotheNISTLightweightCryptography Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates. from: [46] Zhang W, Ding T, YangB, Bao Z, Xiang Z, Ji F, Zhao X (2019) KNOT, Sub- mission to the NIST Lightweight Cryptography Standardization Process. https: https://doi.org/10.6028/NIST.IR.8369 //csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates. [47] ChakrabortiA,DattaN,JhaA,LopezCM,NandiM,SasakiY(2019)LOTUS- AEAD and LOCUS-AEAD, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates. [48] Chakraborty B, Nandi M (2019) mixFeed, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/ lightweight-cryptography/round-2-candidates. [49] Chakraborty B, Nandi M (2019) ORANGE, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/ lightweight-cryptography/round-2-candidates. [50] Bhattacharjee A, List E, Lopez´ CM, Nandi M (2019) The Oribatida Fam- ily of Lightweight Authenticated Encryption Schemes, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/ lightweight-cryptography/round-2-candidates. [51] Bao Z, Chakraborti A, Datta N, Guo J, Nandi M, Peyrin T, Yasuda K (2019) PHOTON-Beetle Authenticated Encryption and Hash Family, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/ Projects/lightweight-cryptography/round-2-candidates. [52] Goudarzi D, Jean J, KolblS,PeyrinT,RivainM,SasakiY,SimSM(2019)Pyjamask¨

46 ______NISTIR8369 SecondRoundStatusReport

v1.0,SubmissiontotheNISTLightweightCryptographyStandardizationProcess. https://csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates. [53] IwataT,KhairallahM,MinematsuK,PeyrinT(2019)Romulusv1.2,Submissionto theNISTLightweightCryptographyStandardizationProcess.https://csrc.nist.gov/

This Projects/lightweight-cryptography/round-2-candidates. [54] NaitoY,MatsuiM,SakaiY,SuzukiD,SakiyamaK,SugawaraT(2019)SAEAES, publication SubmissiontotheNISTLightweightCryptographyStandardizationProcess.https: //csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates. [55] Canteaut A, Duval S, Leurent G, Naya-Plasencia M, Perrin L, Pornin T,Schrot- tenloher A (2019) Saturnin: A Suite of Lightweight Symmetric Algorithms

is for Post-Quantum Security, Submission to the NIST Lightweight Cryptography available Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates. [56] BeierleC,JeanJ,KolblS,LeanderG,MoradiA,PeyrinT,SasakiY,SasdrichP,¨ SimS(2019)SKINNY-AEADandSKINNY-Hashv1.1,SubmissiontotheNIST free Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/

of lightweight-cryptography/round-2-candidates.

charge [57] Beierle C, Biryukov A, dos Santos LC, Großschadl¨ J, Perrin L, Udovenko A, VelichkovV,WangQ(2019)SchwaemmandEsch:LightweightAuthenticatedEn- cryptionandHashingusingtheSparklePermutationFamily,SubmissiontotheNIST from: Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/ lightweight-cryptography/round-2-candidates. https://doi.org/10.6028/NIST.IR.8369 [58] AlTawy R, Gong G, He M, Mandal K, Rohit R (2019) Spix: An Authenticated Cipher,SubmissiontotheNISTLightweightCryptographyStandardizationProcess. https://csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates. [59] AlTawy R, Gong G, He M, Jha A, Mandal K, Nandi M, Rohit R (2019) SpoC: An Authenticated Cipher, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates. [60] Bellizia D, Berti F, Bronchain O, Cassiers G, Duval S, Guo C, Lean- der G, Leurent G, Levi I, Momin C, Pereira O, Peters T, Standaert FX, Wiemer F (2019) Spook: Sponge-Based Leakage-Resistant Authenticated En- cryption with a Masked Tweakable Block Cipher, Submission to the NIST Lightweight Cryptography Standardization Process. https://csrc.nist.gov/Projects/ lightweight-cryptography/round-2-candidates. [61] DaemenJ,MassolinoPMC,RotellaY(2019)TheSubterranean2.0CipherSuite, SubmissiontotheNISTLightweightCryptographyStandardizationProcess.https: //csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates. [62] Banik S, Bogdanov A, Peyrin T, Sasaki Y, Sim SM, Tischhauser E, Todo Y (2019)SUNDAE-GIFTv1.0, SubmissiontotheNISTLightweightCryptography Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates.

47 ______NISTIR8369 SecondRoundStatusReport

[63] Wu H, Huang T (2019) TinyJAMBU: A Family of Lightweight Authenti- catedEncryptionAlgorithms,SubmissiontotheNISTLightweightCryptography Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates.

This [64] Aagaard M, AlTawy R, Gong G, Mandal K, Rohit R, Zidaric N (2019) WAGE: An Authenticated Cipher, Submission to the NIST Lightweight Cryptography publication Standardization Process. https://csrc.nist.gov/Projects/lightweight-cryptography/ round-2-candidates. [65] Daemen J, Hoffert S, Peeters M, Assche GV, Keer RV (2019) Xoodyak: A Lightweight Cryptographic Scheme, Submission to the NIST Lightweight

is Cryptography Standardization Process. https://csrc.nist.gov/Projects/ available lightweight-cryptography/round-2-candidates. [66] Chakraborti A, Datta N, Jha A, Nandi M (2020) Structural Clas- sification of Authenticated Encryption Schemes, NIST Lightweight Cryptography Workshop 2020. https://csrc.nist.gov/CSRC/media/ free Events/lightweight-cryptography-workshop-2020/documents/papers/

of structural-classification-lwc2020.pdf.

charge [67] Bovy E (2020) Comparison of the Second Round Candidates of the NIST LightweightCryptographyCompetition,BachelorthesisComputingScience,Rad- boudUniversity.https://www.cs.ru.nl/bachelors-theses/. from: [68] BertoniG,DaemenJ,PeetersM,AsscheGV(2008)OntheIndifferentiabilityofthe SpongeConstruction.AdvancesinCryptology- EUROCRYPT2008,27thAnnual https://doi.org/10.6028/NIST.IR.8369 InternationalConferenceontheTheoryandApplicationsofCryptographicTech- niques,Istanbul,Turkey,April13-17,2008.Proceedings,edSmartNP(Springer), LectureNotesinComputerScience,Vol.4965,pp181–197.https://doi.org/10.1007/ 978-3-540-78967-311 [69] MatyasSM,MeyerCH,OseasJ(1985)GeneratingStrongOne-wayFunctionswith CryptographicAlgorithm,IBMTechnicalDisclosureBulletin,27:5658–5659,1985. [70] Merkle RC (1989) One Way Hash Functions and DES. Advances in Cryptology - CRYPTO’89,9thAnnualInternationalCryptologyConference,SantaBarbara, California,USA,August20-24,1989,Proceedings,edBrassardG(Springer),Lec- ture Notes in Computer Science, Vol.435, pp 428–446. https://doi.org/10.1007/ 0-387-34805-040 [71] Damgard˚ I (1989) ADesign Principle for Hash Functions.Advances in Cryptol- ogy- CRYPTO’89, 9thAnnualInternationalCryptologyConference, SantaBar- bara,California,USA,August20-24,1989,Proceedings,edBrassardG(Springer), LectureNotesinComputerScience,Vol.435,pp416–427.https://doi.org/10.1007/ 0-387-34805-039 [72] AlTawy R, Rohit R, He M, Mandal K, Yang G, Gong G (2018) SLISCP-light: TowardsHardwareOptimizedSponge-specificCryptographicPermutations.ACM TransEmbedComputSyst17(4):81:1–81:26.https://doi.org/10.1145/3233245 [73] YangG, Zhu B, Suder V,Aagaard MD, Gong G (2015) The Simeck Family of

48 ______NISTIR8369 SecondRoundStatusReport

Lightweight Block Ciphers. Cryptographic Hardware and Embedded Systems - CHES2015- 17thInternationalWorkshop,Saint-Malo,France,September13-16, 2015,Proceedings,eds GuneysuT,HandschuhH(Springer),¨ LectureNotesinCom- puterScience,Vol.9293,pp307–329.https://doi.org/10.1007/978-3-662-48324-4

This 16 [74] Liu J, Liu G, Qu L (2020) A New Automatic Tool Searching for Impossible publication Differential of NIST Candidate ACE. Mathematics 8(9). https://doi.org/10.3390/ math8091576 [75] BagheriN(2015)LinearCryptanalysisofReduced-RoundSIMECKVariants,Cryp- tologyePrintArchive,Report2015/716.https://ia.cr/2015/716.

is [76] LeDP,LuR,GhorbaniAA(2020)ImprovedFaultAnalysisonSIMECKCiphers, available CryptologyePrintArchive,Report2020/1263.https://ia.cr/2020/1263. [77] Kolbl¨ S, Roy A (2016) A Brief Comparison of Simon and Simeck. Lightweight Cryptography for Security and Privacy - 5th International Workshop, LightSec 2016,Aksaray,Turkey,September21-22,2016,RevisedSelectedPapers,edBog- free danov A (Springer), Lecture Notes in Computer Science, Vol.10098, pp 69–88.

of https://doi.org/10.1007/978-3-319-55714-4\ 6

charge [78] LuJ,LiuY,AshurT,SunB,LiC(2020)Rotational-XORCryptanalysisofSimon- likeBlockCiphers,CryptologyePrintArchive,Report2020/486.https://ia.cr/2020/ 486. from: [79] BertoniG,DaemenJ,PeetersM,AsscheGV(2012)Permutation-basedEncryption, AuthenticationandAuthenticatedEncryption,DIAC–DirectionsinAuthenticated https://doi.org/10.6028/NIST.IR.8369 Ciphers.https://keccak.team/files/KeccakDIAC2012.pdf. [80] BertoniG,DaemenJ,PeetersM,AsscheGV(2011)DuplexingtheSponge:Single- PassAuthenticatedEncryptionandOtherApplications.SelectedAreasinCryptog- raphy - 18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11-12, 2011, Revised Selected Papers, eds Miri A, VaudenayS (Springer), Lec- ture Notes in Computer Science, Vol.7118, pp 320–337. https://doi.org/10.1007/ 978-3-642-28496-019 [81] DobraunigC,EichlsederM,MendelF(2015)HeuristicToolforLinearCryptanal- ysis with Applications to CAESAR Candidates. Advances in Cryptology - ASI- ACRYPT2015- 21stInternationalConferenceontheTheoryandApplicationof CryptologyandInformationSecurity,Auckland,NewZealand,November29- De- cember 3, 2015, Proceedings, Part II, eds Iwata T, Cheon JH (Springer), Lec- ture Notes in Computer Science, Vol.9453, pp 490–509. https://doi.org/10.1007/ 978-3-662-48800-320 [82] TodoY (2015) Structural Evaluation by Generalized Integral Property.Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on theTheoryandApplicationsofCryptographicTechniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, eds Oswald E, Fischlin M (Springer), Lec- ture Notes in Computer Science, Vol.9056, pp 287–314. https://doi.org/10.1007/ 978-3-662-46800-512

49 ______NISTIR8369 SecondRoundStatusReport

[83] TezcanC(2016)Truncated, Impossible, andImprobableDifferentialAnalysisof ASCON. Proceedings of the 2nd International Conference on Information Sys- temsSecurityandPrivacy,ICISSP2016,Rome,Italy,February19-21,2016,eds Camp O, Furnell S, Mori P (SciTePress), pp 325–332. https://doi.org/10.5220/

This 0005689903250332 [84] DobraunigC,EichlsederM, MendelF,SchlafferM¨ (2015)CryptanalysisofAs- publication con.TopicsinCryptology- CT-RSA2015,TheCryptographer’sTrackattheRSA Conference 2015, San Francisco, CA, USA, April 20-24, 2015. Proceedings, ed NybergK(Springer),LectureNotesinComputerScience,Vol.9048,pp371–387. https://doi.org/10.1007/978-3-319-16715-220

is [85] Li Z, Dong X, Wang X (2017) Conditional Cube Attack on Round- available ReducedASCON.IACRTransactionsonSymmetricCryptology2017(1):175–202. https://doi.org/10.13154/tosc.v2017.i1.175-202 [86] LiY,ZhangG,WangW,WangM(2017)CryptanalysisofRound-reducedASCON. SciChinaInfSci60(3):38102.https://doi.org/10.1007/s11432-016-0283-3 free [87] DwivediAD,KloucekM,MorawieckiP,NikolicI,PieprzykJ,WojtowiczS(2017)´

of SAT-basedCryptanalysisofAuthenticatedCiphersfromtheCAESARCompetition.

charge Proceedingsofthe14thInternationalJointConferenceone-BusinessandTelecom- munications(ICETE2017)- Volume4:SECRYPT,Madrid,Spain,July24-26,2017, edsSamaratiP,ObaidatMS,CabelloE(SciTePress),pp237–246.https://doi.org/ from: 10.5220/0006387302370246 [88] LeanderG,TezcanC,WiemerF(2018)SearchingforSubspaceTrailsandTrun- https://doi.org/10.6028/NIST.IR.8369 catedDifferentials.IACRTransSymmetricCryptol2018(1):74–100.https://doi.org/ 10.13154/tosc.v2018.i1.74-100 [89] Zong R, Dong X, Wang X (2019) Collision Attacks on Round-Reduced Gimli- Hash/Ascon-Xof/Ascon-Hash,CryptologyePrintArchive,Report2019/1115.https: //ia.cr/2019/1115. [90] DobraunigC,EichlsederM,MendelF,SchlafferM(2019)PreliminaryAnalysis¨ ofAscon-XofandAscon-Hash.TechnicalReport https://ascon.iaik.tugraz.at/files/ PreliminaryAnalysisofAscon-XofandAscon-Hashv01.pdf. [91] Tezcan C (2019) Distinguishers for Reduced Round Ascon, Dry- GASCON, and Shamash Permutations, NIST Lightweight Cryptog- raphy Workshop 2019. https://csrc.nist.gov/CSRC/media/Presentations/ distinguishers-for-reduced-round-ascon-drygascon-a/images-media/ session5-tezcan-distinguishers-reduced-round.pdf. [92] DobraunigC,EichlsederM,MendelF,SchlafferM(2019)Asconv1.2–Analysis¨ ofSecurityandEfficiency,NISTLightweightCryptographyWorkshop2019.https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/ documents/papers/ascon-1-2-analysis-of-security-lwc2019.pdf. [93] Ramezanpour K, Abdulgadir A, William Diehl JPK, Ampadu P (2020) Ac- tive and Passive Side-Channel Key Recovery Attacks on Ascon, NIST Lightweight Cryptography Workshop 2020. https://csrc.nist.gov/CSRC/

50 ______NISTIR8369 SecondRoundStatusReport

media/Events/lightweight-cryptography-workshop-2020/documents/papers/ active-passive-recovery-attacks-ascon-lwc2020.pdf. [94] NationalInstituteofStandardsandTechnology(2001)AdvancedEncryptionStan- dard(AES)(U.S.DepartmentofCommerce),Report.https://doi.org/10.6028/NIST.

This FIPS.197 [95] Koo B, Roh D, Kim H, Jung Y,Lee D, Kwon D (2017) CHAM: A Family of publication LightweightBlockCiphersforResource-ConstrainedDevices.InformationSecurity andCryptology- ICISC2017- 20thInternationalConference,Seoul,SouthKorea, November29- December1, 2017, RevisedSelectedPapers, edsKimH,KimD (Springer),LectureNotesinComputerScience,Vol.10779,pp3–25.https://doi.org/

is 10.1007/978-3-319-78556-11 available [96] BeaulieuR,ShorsD,SmithJ,Treatman-ClarkS,WeeksB,WingersL(2013)The SIMON and SPECK Families of Lightweight Block Ciphers, Cryptology ePrint Archive,Report2013/404.http://ia.cr/2013/404. [97] Gueron S, Jha A, Nandi M (2019) On the Security of COMET Authenticated free Encryption Scheme, NIST Lightweight Cryptography Workshop 2019. https:

of //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/

charge documents/papers/on-sthe-security-of-comet-lwc2019.pdf. [98] Khairallah M (2020) Weak Keys in the Rekeying Paradigm: Application to COMETandmixFeed.IACRTransactionsonSymmetricCryptology2019(4):272– from: 289.https://doi.org/10.13154/tosc.v2019.i4.272-289 [99] BernsteinDJ,GilbertH,SonmezTuranM(2020)ObservationsonCOMET,Cryp¨ - https://doi.org/10.6028/NIST.IR.8369 tologyePrintArchive,Report2020/1445.https://ia.cr/2020/1445. [100] GueronS,JhaA,NandiM(2020)RevisitingtheSecurityofCOMETAuthenticated Encryption Scheme, NIST Lightweight Cryptography Workshop 2020. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/ documents/papers/revisiting-security-of-comet-lwc2020.pdf. [101] Bogdanov A, Knezevic M, Leander G, Toz D, VarıcıK, VerbauwhedeI (2011) Spongent: A Lightweight Hash Function. Cryptographic Hardware and Embed- dedSystems- CHES2011- 13thInternationalWorkshop, Nara, Japan, Septem- ber28- October1,2011.Proceedings,edsPreneelB,TakagiT(Springer),Lec- ture Notes in Computer Science, Vol.6917, pp 312–325. https://doi.org/10.1007/ 978-3-642-23951-921 [102] National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (U.S. Department of Commerce),Report.https://doi.org/10.6028/NIST.FIPS.202 [103] Zhou H, Zong R, Dong X, Jia K, Meier W (2020) Interpolation Attacks on Round-ReducedElephant,KravatteandXoofff,CryptologyePrintArchive,Report 2020/781.https://ia.cr/2020/781. [104] Sun L, Wang W, Wang M (2020) MILP-aided Bit-based Division Property for Primitives with Non-bit-permutation Linear Layers. IET Inf Secur 14(1):12–20. https://doi.org/10.1049/iet-ifs.2018.5283

51 ______NISTIR8369 SecondRoundStatusReport

[105] BogdanovA,KnezevicM,LeanderG,TozD,cıKV,VerbauwhedeI(2013)SPON- GENT:TheDesignSpaceofLightweightCryptographicHashing.IEEETransCom- puters62(10):2041–2053.https://doi.org/10.1109/TC.2012.196 [106] Zhang G, Liu M (2016) A Distinguisher on PRESENT-Like Permutations with

This Application to SPONGENT, Cryptology ePrint Archive, Report 2016/236. http: //ia.cr/2016/236. publication [107] BonnetainX,JaquesS(2020)QuantumPeriodFindingagainstSymmetricPrim- itives in Practice. CoRR abs/2011.07022. Available at https://arxiv.org/abs/2011. 07022. [108] Shi T, Wu W, Hu B, Guan J, Wang S (2021) Breaking LWC Candidates: sES-

is TATEand Elephant in Quantum Setting. Des Codes Cryptogr https://doi.org/10. available 1007/s10623-021-00875-7 [109] Beyne T, Chen YL, Dobraunig C, Mennink B (2020) Updates on Elephant, NIST Lightweight Cryptography Workshop 2020. https://csrc.nist.gov/CSRC/ media/Events/lightweight-cryptography-workshop-2020/documents/papers/ free update-on-elephant-lwc2020.pdf.

of [110] Black J, Rogaway P (2005) CBC MACs for Arbitrary-Length Messages:

charge The Three-Key Constructions. J Cryptol 18(2):111–131. https://doi.org/10.1007/ s00145-004-0016-3 [111] BanikS,BogdanovA,LuykxA,TischhauserE(2018)SUNDAE:SmallUniver- from: salDeterministicAuthenticatedEncryptionfortheInternetofThings.IACRTrans SymmetricCryptol2018(3):1–35.https://doi.org/10.13154/tosc.v2018.i3.1-35 https://doi.org/10.6028/NIST.IR.8369 [112] Chakraborti A, Datta N, Jha A, Lopez CM, Nandi M, Sasaki Y (2019) ES- TATE Authenticated Encryption Mode: Hardware Benchmarking and Se- curity Analysis, NIST Lightweight Cryptography Workshop 2019. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/ documents/papers/estate-authenticated-encryption-mode-lwc2019.pdf. [113] Chakraborti A, Datta N, Jha A, Mancillas-Lopez´ C, Nandi M, Sasaki Y (2020) ESTATE:ALightweightandLowEnergyAuthenticatedEncryptionMode.IACR Trans Symmetric Cryptol 2020(S1):350–389. https://doi.org/10.13154/tosc.v2020. iS1.350-389 [114] AndreevaE,ReyhanitabarR,VariciK,Vizar´ D(2018)ForkingaBlockcipherfor AuthenticatedEncryptionofVeryShortMessages,CryptologyePrintArchive,Re- port2018/916.https://ia.cr/2018/916. [115] AndreevaE,LallemandV,PurnalA,ReyhanitabarR,RoyA,VizarD(2019)Fork- cipher: A New Primitive for Authenticated Encryption of VeryShort Messages, CryptologyePrintArchive,Report2019/1004.https://ia.cr/2019/1004. [116] AndreevaE,LallemandV,PurnalA,ReyhanitabarR,RoyA,VizarD(2019)Fork-´ cipher: A New Primitive for Authenticated Encryption of VeryShort Messages. AdvancesinCryptology- ASIACRYPT2019- 25thInternationalConferenceonthe TheoryandApplicationofCryptologyandInformationSecurity,Kobe,Japan,De- cember8-12, 2019, Proceedings, PartII,edsGalbraithSD,MoriaiS(Springer),

52 ______NISTIR8369 SecondRoundStatusReport

Lecture Notes in Computer Science, Vol.11922, pp 153–182. https://doi.org/10. 1007/978-3-030-34621-86 [117] BariantA,DavidN,LeurentG(2020)CryptanalysisofForkciphers.IACRTrans- actionson SymmetricCryptology2020(1):233–265.https://doi.org/10.13154/tosc.

This v2020.i1.233-265 [118] AndreevaE,BhatiAS,VizarD(2021)RUPSecurityoftheSAEFAuthenticated publication EncryptionMode,CryptologyePrintArchive,Report2021/103.https://ia.cr/2021/ 103. [119] AndreevaE,BhatiAS,VizarD(2020)Nonce-MisuseSecurityoftheSAEFAu- thenticatedEncryptionMode,CryptologyePrintArchive,Report2020/1524.https:

is //ia.cr/2020/1524. available [120] AndreevaE,DeprezA,PittevilsJ,RoyA,BhatiAS,VizarD(2020)NewResults´ and Insighs on ForkAE, NIST Lightweight Cryptography Workshop2020. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/ documents/papers/new-results-ForkAE-lwc2020.pdf. free [121] BanikS,PandeySK,PeyrinT,SasakiY,SimSM,TodoY(2017)GIFT:ASmall

of Present,CryptologyePrintArchive,Report2017/622.https://ia.cr/2017/622.

charge [122] Banik S, Pandey SK, Peyrin T, Sasaki Y, Sim SM, Todo Y (2017) GIFT: A Small Present - Towards Reaching the Limit of Lightweight Encryption. Cryp- tographic Hardware and Embedded Systems - CHES 2017 - 19th International from: Conference,Taipei,Taiwan,September25-28,2017,Proceedings,edsFischerW, HommaN(Springer),LectureNotesinComputerScience,Vol.10529,pp321–345. https://doi.org/10.6028/NIST.IR.8369 https://doi.org/10.1007/978-3-319-66787-416 [123] Chakraborti A, Iwata T, Minematsu K, Nandi M (2017) Blockcipher-Based Au- thenticated Encryption: How Small Can We Go? Cryptographic Hardware and EmbeddedSystems- CHES2017- 19thInternationalConference,Taipei,Taiwan, September25-28, 2017, Proceedings, edsFischerW,HommaN(Springer), Lec- tureNotesinComputerScience,Vol.10529,pp277–298.https://doi.org/10.1007/ 978-3-319-66787-4\ 14 [124] Chakraborti A, Iwata T, Minematsu K, Nandi M (2020) Blockcipher-Based Au- thenticatedEncryption: HowSmallCanWeGo? JCryptol33(3):703–741.https: //doi.org/10.1007/s00145-019-09325-z. [125] ZhuB,DongX,YuH(2018)MILP-basedDifferentialAttackonRound-reduced GIFT,CryptologyePrintArchive,Report2018/390.https://ia.cr/2018/390. [126] LiL,WuW,ZhengY,ZhangL(2019)TheRelationshipbetweentheConstruction and Solution of the MILP Models and Applications, Cryptology ePrint Archive, Report2019/049.https://ia.cr/2019/049. [127] LiuY,SasakiY(2019)Related-KeyBoomerangAttacksonGIFTwithAutomated TrailSearchIncludingBCTEffect, CryptologyePrintArchive, Report2019/669. https://ia.cr/2019/669. [128] JiF,ZhangW,ZhouC,DingT(2020)Improved(Related-key)DifferentialCrypt- analysisonGIFT,CryptologyePrintArchive,Report2020/1242.https://ia.cr/2020/

53 ______NISTIR8369 SecondRoundStatusReport

1242. [129] BernsteinDJ,KolblS,LucksS,MassolinoPMC,MendelF,NawazK,Schneider¨ T,Schwabe P,Standaert F,TodoY,Viguier B (2017) Gimli : A Cross-Platform Permutation.CryptographicHardwareandEmbeddedSystems- CHES2017- 19th

This InternationalConference,Taipei,Taiwan,September25-28,2017,Proceedings,eds FischerW,HommaN(Springer),LectureNotesinComputerScience,Vol.10529, publication pp299–320.https://doi.org/10.1007/978-3-319-66787-415 [130] Hamburg M (2017) Cryptanalysis of 22 1/2 rounds of Gimli, Cryptology ePrint Archive,Report2017/743.https://ia.cr/2017/743. [131] CaiJ,WeiZ,ZhangY,SunS,HuL(2019)Zero-sumDistinguishersforRound-

is reducedGIMLIPermutation.Proceedingsofthe5thInternationalConferenceon available Information Systems Security and Privacy, ICISSP 2019, Prague, Czech Repub- lic,February23-25,2019,edsMoriP,FurnellS,CampO(SciTePress),pp38–43. https://doi.org/10.5220/0007249000380043 [132] Liu F, Isobe T, Meier W (2019) Preimages and Collisions for Up to 5-Round free Gimli-HashUsingDivide-and-ConquerMethods, CryptologyePrintArchive, Re-

of port2019/1080.https://ia.cr/2019/1080.

charge [133] Liu F,Isobe T,Meier W (2020) Exploiting WeakDiffusion of Gimli: Improved DistinguishersandPreimageAttacks,CryptologyePrintArchive,Report2020/561. https://ia.cr/2020/561. from: [134] LiuF,IsobeT,MeierW(2020)AutomaticVerificationofDifferentialCharacteris- tics: ApplicationtoReducedGimli(FullVersion),CryptologyePrintArchive,Re- https://doi.org/10.6028/NIST.IR.8369 port2020/591.https://ia.cr/2020/591. [135] GutierrezAF,LeurentG,Naya-PlasenciaM,PerrinL,SchrottenloherA,Sibleyras´ F(2020)NewresultsonGimli:Full-PermutationDistinguishersandImprovedCol- lisions,CryptologyePrintArchive,Report2020/744.https://ia.cr/2020/744. [136] CidC,RobshawM,BabbageS,BorghoffJ,VelichkovV(2012)TheeSTREAM Portfolioin2012, eSTREAM:theECRYPTStreamCipherProject.https://www. ecrypt.eu.org/stream/. [137] ISO/IEC29167-13:2015(2015)Informationtechnology—Automaticidentification anddatacapturetechniques—Part13: CryptosuiteGrain-128Asecurityservices forairinterfacecommunications. [138] Berbain C, Gilbert H, Maximov A (2006) Cryptanalysis of Grain. FastSoftware Encryption,13thInternationalWorkshop,FSE2006,Graz,Austria,March15-17, 2006,RevisedSelectedPapers,edRobshawMJB(Springer),LectureNotesinCom- puterScience,Vol.4047,pp15–29.https://doi.org/10.1007/117993132 [139] BanikS,MaitraS,SarkarS,SonmezTuranM(2013)AChosenIVRelatedKey¨ AttackonGrain-128a.InformationSecurityandPrivacy- 18thAustralasianCon- ference,ACISP2013,Brisbane,Australia,July1-3,2013.Proceedings,edsBoyd C,SimpsonL(Springer),LectureNotesinComputerScience,Vol.7959,pp13–26. https://doi.org/10.1007/978-3-642-39059-32 [140] CastagnosG,BerzatiA,CanovasC,DebraizeB,GoubinL,GougetA,PaillierP,

54 ______NISTIR8369 SecondRoundStatusReport

Salgado S (2009) Fault Analysis of Grain-128. IEEE International Workshopon Hardware-OrientedSecurityandTrust,HOST2009,SanFrancisco,CA,USA,July 27,2009.Proceedings,edsTehranipoorM,PlusquellicJ(IEEEComputerSociety), pp7–14.https://doi.org/10.1109/HST.2009.5225030

This [141] ZhangH,WangX(2009)CryptanalysisofStreamCipherGrainFamily,Cryptology ePrintArchive,Report2009/109.https://ia.cr/2009/109. publication [142] TodoY,IsobeT,MeierW,AokiK,ZhangB(2018)FastCorrelationAttackRe- visited- CryptanalysisonFullGrain-128a,Grain-128,andGrain-v1.Advancesin Cryptology- CRYPTO2018- 38thAnnualInternationalCryptologyConference, SantaBarbara,CA,USA,August19-23,2018,Proceedings,PartII,edsShacham

is H,BoldyrevaA(Springer),LectureNotesinComputerScience,Vol.10992,pp129– available 159.https://doi.org/10.1007/978-3-319-96881-05 [143] WangQ,HaoY,TodoY,LiC,IsobeT,MeierW(2018)ImprovedDivisionProp- ertyBasedCubeAttacksExploitingAlgebraicPropertiesofSuperpoly.Advancesin Cryptology–CRYPTO2018(Springer),LectureNotesinComputerScience,Vol. free 10991,pp275–305.https://doi.org/10.1007/978-3-319-96884-110

of [144] HaoY,LeanderG,MeierW,TodoY,WangQ(2020)ModelingforThree-SubsetDi-

charge visionPropertyWithoutUnknownSubset- ImprovedCubeAttacksAgainstTrivium andGrain-128AEAD.AdvancesinCryptology- EUROCRYPT2020- 39thAnnual InternationalConferenceontheTheoryandApplicationsofCryptographicTech- from: niques, Zagreb, Croatia, May10-14, 2020, Proceedings, PartI,edsCanteautA, IshaiY(Springer),LectureNotesinComputerScience,Vol.12105,pp466–495. https://doi.org/10.6028/NIST.IR.8369 https://doi.org/10.1007/978-3-030-45721-117 [145] ChangD,SonmezTuranM(2021)RecoveringtheKeyfromtheInternalStateof¨ Grain-128AEAD,CryptologyePrintArchive,Report2021/439.https://ia.cr/2021/ 439. [146] Mege A (2020) [lwc-forum] Official Comment: HYENA, Email to lwc-forum. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-2/official-comments/hyena-round2-official-comment.pdf. [147] Chakraborti A, Datta N, Jha A, Nandi M (2020) [lwc-forum] Official Com- ment: HYENA, Email to lwc-forum. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-1/official-comments/ HYENA-official-comment.pdf. [148] Chakraborti A, Datta N, Jha A, Mitragotri S, Nandi M (2019) Se- curity Analysis of HyENA Authenticated Encryption Mode, NIST Lightweight Cryptography Workshop 2019. https://csrc.nist.gov/CSRC/ media/Events/lightweight-cryptography-workshop-2019/documents/papers/ security-analysis-of-hyena-lwc2019.pdf. [149] ChakrabortiA,DattaN,JhaA,MitragotriS,NandiM(2020)FromCombinedto Hybrid:MakingFeedback-basedAEevenSmaller.IACRTransSymmetricCryptol 2020(S1):417–445.https://doi.org/10.13154/tosc.v2020.iS1.417-445 [150] Dobraunig C, Mennink B (2019) Leakage Resilience of the ISAP Mode: a

55 ______NISTIR8369 SecondRoundStatusReport

Vulgarized Summary, NIST Lightweight Cryptography Workshop 2019. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/ documents/papers/leakage-resilience-isap-mode-lwc2019.pdf. [151] DobraunigC,EichlsederM,MangardS,MendelF,MenninkB,PrimasR,Unter-

This luggauer T (2020) Isap v2.0. IACR Trans Symmetric Cryptol 2020(S1):390–416. https://doi.org/10.13154/tosc.v2020.iS1.390-416 publication [152] Dobraunig C, Mennin B (2019) Leakage Resilience of the ISAP Mode: A Vulgarized Summary, NIST Lightweight Cryptography Workshop 2019. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/ documents/papers/leakage-resilience-isap-mode-lwc2019.pdf.

is [153] GuoJ,LiuM,SongL(2016)Linearstructures: Applicationstocryptanalysisof available round-reduced KECCAK. Advances in Cryptology - ASIACRYPT 2016 - 22nd In- ternational Conference on the Theory and Application of Cryptology and Infor- mation Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, eds CheonJH,TakagiT,LectureNotesinComputerScience,Vol.10031,pp249–274. free https://doi.org/10.1007/978-3-662-53887-69

of [154] GuoJ,LiaoG,LiuG,LiuM,QiaoK,SongL(2020)Practicalcollisionattacks

charge against round-reduced SHA-3. J Cryptol 33(1):228–270. https://doi.org/10.1007/ s00145-019-09313-3 [155] Dobraunig C, Eichlseder M, Mangard S, Mendel F, Mennink B, Pri- from: mas R, Unterluggauer T (2020) Updates on the Implementation Secu- rity of ISAP, NIST Lightweight Cryptography Workshop 2020. https: https://doi.org/10.6028/NIST.IR.8369 //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/ documents/papers/updates-on-ISAP-lwc2020.pdf. [156] ZhangW,BaoZ,LinD,RijmenV,YangB,VerbauwhedeI(2015)RECTANGLE: ABit-sliceLightweightBlockCipherSuitableforMultiplePlatforms,Sci.China Inf.Sci.58,1–15.https://doi.org/10.1007/s11432-015-5459-7. [157] DingT,ZhangW,ZhouC,JiF(2020)AnAutomaticSearchToolforIterativeTrails anditsApplicationtoestimationofdifferentialsandlinearhulls,CryptologyePrint Archive,Report2020/1152.https://ia.cr/2020/1152.pdf. [158] Zhang W, Ding T, Zhou C, Ji F (2020) Security Analysis of KNOT-AEAD and KNOT-Hash, NIST Lightweight Cryptography Workshop 2020. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/ documents/papers/security-analysis-of-KNOT-lwc2020.pdf. [159] Rohit R (2019) [lwc-forum] Official Comment: KNOT, Email to lwc-forum. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-1/official-comments/KNOT-official-comment.pdf. [160] KNOTteam(2019)[lwc-forum]OfficialComment: KNOT,Emailtolwc-forum. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/ round-1/official-comments/KNOT-official-comment.pdf. [161] Rohit R (2019) [lwc-forum] Official Comment: KNOT, Email to lwc-forum. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/

56 ______NISTIR8369 SecondRoundStatusReport

round-1/official-comments/KNOT-official-comment.pdf. [162] SasakiY(2018)IntegerLinearProgrammingforThree-SubsetMeet-in-the-Middle Attacks: Application to GIFT. Advances in Information and Computer Secu- rity - 13th International Workshop on Security, IWSEC 2018, Sendai, Japan,

This September 3-5, 2018, Proceedings, eds Inomata A, Yasuda K (Springer), Lec- tureNotesinComputerScience,Vol.11049,pp227–243.https://doi.org/10.1007/ publication 978-3-319-97916-815 [163] ChenH,ZongR,DongX(2019)ImprovedDifferentialAttacksonGIFT-64.ICICS (Springer),LectureNotesinComputerScience,Vol.11999,pp447–462. [164] CaoM,ZhangW(2019)Related-KeyDifferentialCryptanalysisoftheReduced-

is RoundBlockCipherGIFT.IEEEAccess7:175769–175778.https://doi.org/10.1109/ available ACCESS.2019.2957581 [165] ZhaoB,DongX,MeierW,JiaK,WangG(2019)GeneralizedRelated-KeyRectan- gleAttacksonBlockCipherswithLinearKeySchedule:ApplicationstoSKINNY andGIFT,CryptologyePrintArchive,Report2019/714.https://ia.cr/2019/714. free [166] Chakraborti A, Datta N, Jha A, Lopez CM, Nandi M, Sasaki Y (2019) LO-

of TUS and LOCUS AEAD: Hardware Benchmarking and Security Analysis,

charge NIST Lightweight Cryptography Workshop 2019. https://csrc.nist.gov/CSRC/ media/Events/lightweight-cryptography-workshop-2019/documents/papers/ lotus-and-locus-aead-hardware-benchmarking-and-security-analysis-lwc2019.pdf. from: [167] Chakraborti A, Datta N, Jha A, Mancillas-Lopez´ C, Nandi M, Sasaki Y (2019) INT-RUPSecureLightweightParallelAEModes.IACRTransSymmetricCryptol https://doi.org/10.6028/NIST.IR.8369 2019(4):81–118.https://doi.org/10.13154/tosc.v2019.i4.81-118 [168] Khairallah M (2019) [lwc-forum] Official Comment: mixFeed, Email to lwc- forum. https://groups.google.com/a/list.nist.gov/g/lwc-forum/c/fk8XdiC4r10/m/ cETppeTYAwAJ. [169] LeurentG,PernotC(2020)NewRepresentationsoftheAESKeySchedule,Cryp- tologyePrintArchive,Report2020/1253.https://ia.cr/2020/1253. [170] Chakraborty B, Nandi M (2019) Security Proof of mixFeed, NIST Lightweight Cryptography Workshop 2019. https://csrc.nist.gov/CSRC/ media/Events/lightweight-cryptography-workshop-2019/documents/papers/ security-proof-of-mixfeed-lwc2019.pdf. [171] GuoJ,PeyrinT,PoschmannA(2011)ThePHOTONFamilyofLightweightHash Functions. Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, SantaBarbara, CA,USA,August14-18, 2011.Proceedings, edRo- gawayP(Springer), LectureNotesinComputerScience, Vol.6841, pp222–239. https://doi.org/10.1007/978-3-642-22792-913 [172] Dobraunig C, Mendel F, Mennink B (2019) [lwc-forum] Official Com- ment: ORANGE, Email to lwc-forum. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-1/official-comments/ ORANGE-official-comment.pdf. [173] DobraunigC,MendelF,MenninkB(2020)PracticalforgeriesforORANGE.Infor-

57 ______NISTIR8369 SecondRoundStatusReport

mationProcessingLetters159-160:105961.https://doi.org/https://doi.org/10.1016/ j.ipl.2020.105961 [174] Chakraborty B, Nandi M (2019) Security Proof of ORANGE-Zest, NIST Lightweight Cryptography Workshop 2019. https://csrc.nist.gov/CSRC/

This media/Events/lightweight-cryptography-workshop-2019/documents/papers/ security-proof-ORANGE-Zest-lwc2019.pdf. publication [175] Sarkar S, Khairallah M, Rohit R (2019) [lwc-forum] Official Com- ment: ORANGE, Email to lwc-forum. https://csrc.nist.gov/CSRC/media/ Projects/lightweight-cryptography/documents/round-2/official-comments/ orange-round2-official-comment.pdf.

is [176] AndreevaE,BogdanovA,LuykxA,MenninkB,MouhaN,YasudaK(2014)How available toSecurelyReleaseUnverifiedPlaintextinAuthenticatedEncryption.Advancesin Cryptology- ASIACRYPT2014- 20thInternationalConferenceontheTheoryand ApplicationofCryptologyandInformationSecurity, Kaoshiung, Taiwan,R.O.C., December7-11,2014.Proceedings,PartI,edsSarkarP,IwataT(Springer),Lec- free ture Notes in Computer Science, Vol.8873, pp 105–125. https://doi.org/10.1007/

of 978-3-662-45611-86

charge [177] Rohit R, Sarkar S (2019) [lwc-forum] Official Comment: Oribatida, Email tolwc-forum.https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-2/official-comments/Oribatida-round2-official-comment.pdf. from: [178] Bhattacharjee A, List E,L opez´ CM, Nandi M (2019) Security Proofs for Oribatida, NIST Lightweight Cryptography Workshop 2019. https: https://doi.org/10.6028/NIST.IR.8369 //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/ documents/papers/security-proofs-for-oribatida-lwc2019.pdf. [179] Bhattacharjee A, Lopez´ CM, List E, Nandi M (2021) The Oribatida v1.3 Fam- ily of Lightweight Authenticated Encryption Schemes. Journal of Mathemati- cal Cryptology Volume15 Issue 1:305–344. Available at https://doi.org/10.1515/ jmc-2020-0018. [180] ISO(2016)ISO/IEC29192-5:2016,InformationTechnology- SecurityTechniques - LightweightCryptography- Part5:Hash-functions.http://www.iso.org/iso/home/ store/cataloguetc/cataloguedetail.htm?csnumber=67173. [181] ChakrabortiA,DattaN,NandiM,YasudaK(2018)BeetleFamilyofLightweight andSecureAuthenticatedEncryptionCiphers.IACRTransCryptogrHardwEmbed Syst2018(2):218–241.https://doi.org/10.13154/tches.v2018.i2.218-241 [182] Chakraborty B, Jha A, Nandi M (2019) Security Proof of Beetle and SpoC, NIST Lightweight Cryptography Workshop 2019. https://csrc.nist.gov/CSRC/ media/Events/lightweight-cryptography-workshop-2019/documents/papers/ security-proof-of-beetle-spoc-proof-lwc2019.pdff. [183] ChakrabortyB,JhaA,NandiM(2019)OntheSecurityofSponge-typeAuthen- ticated Encryption Modes, Cryptology ePrint Archive, Report 2019/1475. https: //ia.cr/2019/1475. [184] Chakraborty B, Jha A, Nandi M (2020) On the Security of Sponge-type Au-

58 ______NISTIR8369 SecondRoundStatusReport

thenticated Encryption Modes. IACR Trans Symmetric Cryptol 2020(2):93–119. https://doi.org/10.13154/tosc.v2020.i2.93-119 [185] Dobraunig C, Mennink B (2020) [lwc-forum] Official Comment: PHOTON-Beetle, Email to lwc-forum. https://csrc.nist.gov/CSRC/media/

This Projects/lightweight-cryptography/documents/round-2/official-comments/ photon-beetle-round2-official-comment.pdf. publication [186] WangQ,GrassiL,RechbergerC(2018)Zero-SumPartitionsofPHOTONPermu- tations.TopicsinCryptology- CT-RSA2018- TheCryptographers’Trackatthe RSAConference2018,SanFrancisco,CA,USA,April16-20,2018,Proceedings,ed SmartNP(Springer),LectureNotesinComputerScience,Vol.10808,pp279–299.

is https://doi.org/10.1007/978-3-319-76953-015 available [187] CuiT,SunL,ChenH,WangM(2017)StatisticalIntegralDistinguisherwithMulti- structureandItsApplicationonAES.InformationSecurityandPrivacy- 22ndAus- tralasianConference,ACISP2017,Auckland,NewZealand,July3-5,2017,Pro- ceedings,PartI,edsPieprzykJ,SuriadiS(Springer),LectureNotesinComputer free Science,Vol.10342,pp402–420.https://doi.org/10.1007/978-3-319-60055-021

of [188] JeanJ,Naya-PlasenciaM,PeyrinT(2012)ImprovedReboundAttackontheFi-

charge nalistGrøstl.FastSoftwareEncryption- 19thInternationalWorkshop,FSE2012, Washington, DC, USA, March 19-21, 2012. Revised Selected Papers, ed Can- teaut A (Springer), Lecture Notes in Computer Science, Vol.7549, pp 110–126. from: https://doi.org/10.1007/978-3-642-34047-57 [189] JeanJ,Naya-PlasenciaM,PeyrinT(2013)MultipleLimited-BirthdayDistinguish- https://doi.org/10.6028/NIST.IR.8369 ersandApplications.SelectedAreasinCryptography- SAC2013- 20thInterna- tional Conference, Burnaby, BC, Canada, August 14-16, 2013, Revised Selected Papers,edsLangeT,LauterKE,LisonekP(Springer),LectureNotesinComputer Science,Vol.8282,pp533–550.https://doi.org/10.1007/978-3-662-43414-727 [190] GoudarziD,JeanJ,KolblS,PeyrinT,RivainM,SasakiY,SimSM(2020)Pyja¨ - mask: BlockCipherandAuthenticatedEncryptionwithHighlyEfficientMasked Implementation. IACR Trans Symmetric Cryptol 2020(S1):31–59. https://doi.org/ 10.13154/tosc.v2020.iS1.31-59 [191] DobraunigC,RotellaY,SchooneJ(2020)AlgebraicandHigher-OrderDifferential Cryptanalysis of Pyjamask-96. IACR Trans Symmetric Cryptol 2020(1):289–312. https://doi.org/10.13154/tosc.v2020.i1.289-312 [192] Beierle C, Jean J, KolblS,LeanderG,MoradiA,PeyrinT,SasakiY,SasdrichP,Sim¨ SM (2016) The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS. Advances in Cryptology - CRYPTO 2016 - 36th Annual International CryptologyConference,SantaBarbara,CA,USA,August14-18,2016,Proceedings, PartII,edsRobshawM,KatzJ(Springer),LectureNotesinComputerScience,Vol. 9815,pp123–153.https://doi.org/10.1007/978-3-662-53008-55 [193] Iwata T, Khairallah M, Minematsu K, Peyrin T (2019) Updates on Romulus, Remus and TGIF, NIST Lightweight Cryptography Workshop 2019. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/

59 ______NISTIR8369 SecondRoundStatusReport

documents/papers/updates-on-romulus-remus-tgif-lwc2019.pdf. [194] IwataT,KhairallahM,MinematsuK,PeyrinT(2019)Duelofthetitans:Theromu- lusandremusfamiliesoflightweightAEADalgorithms.IACRCryptolePrintArch 2019:992.Availableathttps://ia.cr/2019/992.

This [195] IwataT,KhairallahM,MinematsuK,PeyrinT(2020)Duelofthetitans: Thero- mulusandremusfamiliesoflightweightAEADalgorithms.IACRTransSymmetric publication Cryptol2020(1):43–120.https://doi.org/10.13154/tosc.v2020.i1.43-120 [196] Iwata T, Khairallah M, Minematsu K, Peyrin T (2020) New Results on Romulus, NIST Lightweight Cryptography Workshop 2020. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/

is documents/papers/new-results-romulus-lwc2020.pdf. available [197] Guo C, Khairallah M, Peyrin T (2020) AET-LR: Rate-1 Leakage- Resilient AEAD based on the Romulus Family, NIST Lightweight Cryptography Workshop 2020. https://csrc.nist.gov/CSRC/media/Events/ lightweight-cryptography-workshop-2020/documents/papers/AET-LR-lwc2020. free pdf.

of [198] DelauneS,DerbezP,VavrilleM(2021)CatchingtheFastestBoomerangs- Appli-

charge cationtoSKINNY,CryptologyePrintArchive,Report2021/020.https://ia.cr/2021/ 020. [199] DelauneS,DerbezP,VavrilleM(2020)Catchingthefastestboomerangsapplication from: toSKINNY.IACRTransSymmetricCryptol2020(4):104–129.https://doi.org/10. 46586/tosc.v2020.i4.104-129 https://doi.org/10.6028/NIST.IR.8369 [200] TolbaM,AbdelkhalekA,YoussefAM(2017)Impossibledifferentialcryptanalysis ofreduced-roundSKINNY.ProgressinCryptology- AFRICACRYPT2017- 9thIn- ternationalConferenceonCryptologyinAfrica,Dakar,Senegal,May24-26,2017, Proceedings,edsJoyeM,NitajA,LectureNotesinComputerScience,Vol.10239, pp117–134.https://doi.org/10.1007/978-3-319-57339-77 [201] Liu G, Ghosh M, Song L (2017) Security analysis of SKINNY under related- tweakey settings (long paper). IACR Trans Symmetric Cryptol 2017(3):37–72. https://doi.org/10.13154/tosc.v2017.i3.37-72 [202] Sadeghi S, Mohammadi T, Bagheri N (2018) Cryptanalysis of reduced round SKINNY block cipher. IACR Trans Symmetric Cryptol 2018(3):124–162. https://doi.org/10.13154/tosc.v2018.i3.124-162 [203] HadipourH,BagheriN,SongL(2020)ImprovedRectangleAttacksonSKINNY andCRAFT,CryptologyePrintArchive,Report2020/1317.https://ia.cr/2020/1317. [204] ShiD,SunS,DerbezP,TodoY,SunB,HuL(2018)Programmingthedemirci- selc¸ukmeet-in-the-middleattackwithconstraints.AdvancesinCryptology- ASI- ACRYPT 2018 - 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2-6, 2018, Proceedings, Part II, eds Peyrin T, Galbraith SD (Springer), Lec- ture Notes in Computer Science, Vol. 11273, pp 3–34. https://doi.org/10.1007/ 978-3-030-03329-31

60 ______NISTIR8369 SecondRoundStatusReport

[205] ChenQ,ShiD,SunS,HuL(2019)Automaticdemirci-selc¸ukmeet-in-the-middle attackonSKINNYwithkey-bridging.InformationandCommunicationsSecurity - 21st International Conference, ICICS 2019, Beijing, China, December 15-17, 2019,RevisedSelectedPapers,edsZhouJ,LuoX,ShenQ,XuZ(Springer),Lec-

This tureNotesinComputerScience,Vol.11999,pp233–247.https://doi.org/10.1007/ 978-3-030-41579-214 publication [206] Zhao B, Dong X, Meier W, Jia K, Wang G (2020) Generalized Related-key Rectangle Attacks on Block Ciphers with Linear Key Schedule: Applications to SKINNYandGIFT.DesCodesCryptogr88(6):1103–1126.https://doi.org/10.1007/ s10623-020-00730-1

is [207] Naito Y, Matsui M, Sugawara T, Suzuki D (2018) SAEB: A Lightweight available Blockcipher-BasedAEADModeofOperation.IACRTransCryptogrHardwEm- bedSyst2018(2):192–217.https://doi.org/10.13154/tches.v2018.i2.192-217 [208] Krovetz T, Rogaway P (2011) The Software Performance of Authenticated- EncryptionModes.FastSoftwareEncryption- 18thInternationalWorkshop,FSE free 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers, ed

of Joux A (Springer), Lecture Notes in Computer Science, Vol.6733, pp 306–327.

charge https://doi.org/10.1007/978-3-642-21702-918 [209] TolbaM,ElSheikhM,YoussefAM(2020)ImpossibleDifferentialCryptanalysisof Reduced-RoundTweakableTWINE.ProgressinCryptology- AFRICACRYPT2020 from: - 12thInternationalConferenceonCryptologyinAfrica,Cairo,Egypt,July20-22, 2020,Proceedings,edsNitajA,YoussefAM(Springer),LectureNotesinComputer https://doi.org/10.6028/NIST.IR.8369 Science,Vol.12174,pp91–113.https://doi.org/10.1007/978-3-030-51938-45 [210] Beierle C, Jean J, KolblS,LeanderG,MoradiA,PeyrinT,SasakiY,SasdrichP,Sim¨ SM (2020) SKINNY-AEADand SKINNY-Hash. IACR Trans Symmetric Cryptol 2020(S1):88–131.https://doi.org/10.13154/tosc.v2020.iS1.88-131 [211] Beierle C, Biryukov A, dos Santos LC, Großschadl¨ J, Perrin L, Udovenko A, VelichkovV,WangQ(2020)LightweightAEADandHashingusingtheSparklePer- mutationFamily.IACRTransSymmetricCryptol2020(S1):208–261.https://doi.org/ 10.13154/tosc.v2020.iS1.208-261 [212] Beierle C, Biryukov A, dos Santos LC, Großschadl¨ J, Perrin L, Udovenko A, VelichkovV,WangQ(2020)Alzette:A64-BitARX-box- (Feat.CRAXandTRAX. AdvancesinCryptology- CRYPTO2020- 40thAnnualInternationalCryptology Conference,CRYPTO2020,SantaBarbara,CA,USA,August17-21,2020,Proceed- ings,PartIII,edsMicciancioD,RistenpartT(Springer),LectureNotesinComputer Science,Vol.12172,pp419–448.https://doi.org/10.1007/978-3-030-56877-115 [213] LiuY,SunS,LiC(2021)RotationalCryptanalysisFromaDifferential-linearPer- spective:PracticalDistinguishersforRound-reducedFRIET,Xoodoo,andAlzette, CryptologyePrintArchive,Report2021/189.https://ia.cr/2021/189. [214] KralevaL,PosteucaR,RijmenV(2020)CryptanalysisofthePermutationBased AlgorithmSpoC,CryptologyePrintArchive,Report2020/1072.https://ia.cr/2020/ 1072.

61 ______NISTIR8369 SecondRoundStatusReport

[215] Kraleva L, Posteuca R, Rijmen V (2020) Cryptanalysis of the permutation based algorithm SpoC, NIST Lightweight Cryptography Workshop 2020. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/ documents/papers/cryptanalysis-of-SpoC-lwc2020.pdf.

This [216] KralevaL,PosteucaR,RijmenV(2020)Cryptanalysisofthepermutationbased algorithmspoc.ProgressinCryptology- INDOCRYPT2020- 21stInternational publication Conference on Cryptology in India, Bangalore, India, December 13-16, 2020, Proceedings, eds Bhargavan K, Oswald E, Prabhakaran M (Springer), Lecture Notes in Computer Science, Vol. 12578, pp 273–293. https://doi.org/10.1007/ 978-3-030-65277-712

is [217] HosoyamadaA,Naya-PlasenciaM,SasakiY(2020)ImprovedAttacksonsLiSCP available Permutation and Tight Bound of Limited Birthday Distinguishers. IACR Trans- actionson SymmetricCryptology2020(4):147–172.https://doi.org/10.46586/tosc. v2020.i4.147-172 [218] Derbez P, Huynh P, Lallemand V, Naya-Plasencia M, Perrin L, Schrottenloher free A(2020)CryptanalysisResultsonSpook- BringingFull-RoundShadow-512to

of the Light. Advances in Cryptology - CRYPTO 2020 - 40th Annual International

charge Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17- 21, 2020, Proceedings, PartIII,edsMicciancioD,RistenpartT(Springer), Lec- tureNotesinComputerScience,Vol.12172,pp359–388.https://doi.org/10.1007/ from: 978-3-030-56877-113 [219] BelliziaD,BertiF,BronchainO,CassiersG,DuvalS,GuoC,LeanderG,Leurent https://doi.org/10.6028/NIST.IR.8369 G, Levi I, Momin C, Pereira O, Peters T, Standaert F, Udvarhelyi B, Wiemer F (2020) Spook: Sponge-based leakage-resistant authenticated encryption with a maskedtweakableblockcipher.IACRTransSymmetricCryptol2020(S1):295–349. https://doi.org/10.13154/tosc.v2020.iS1.295-349 [220] LiuF,IsobeT,MeierW(2020)Cube-BasedCryptanalysisofSubterranean-SAE. IACRTransactionsonSymmetricCryptology2019(4):192–222.https://doi.org/10. 13154/tosc.v2019.i4.192-222 [221] Huang S, WangX, Xu G, WangM, Zhao J (2017) Conditional Cube Attack on Reduced-RoundKeccakSpongeFunction.AdvancesinCryptology- EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, PartII,edsCoronJ,NielsenJB,LectureNotesinComputerScience,Vol.10211,pp 259–288.https://doi.org/10.1007/978-3-319-56614-69 [222] SongL,TuY,ShiD,HuL(2020)SecurityAnalysisofSubterranean2.0,Cryptology ePrintArchive,Report2020/1133.https://ia.cr/2020/1133. [223] Nandi M (2009) Fast and Secure CBC-Type MAC Algorithms. Fast Software Encryption, 16th International Workshop, FSE 2009, Leuven, Belgium, Febru- ary 22-25, 2009, Revised Selected Papers, ed Dunkelman O (Springer), Lec- ture Notes in Computer Science, Vol.5665, pp 375–393. https://doi.org/10.1007/ 978-3-642-03317-923

62 ______NISTIR8369 SecondRoundStatusReport

[224] Mege A (2019) [lwc-forum] Official Comment: SUNDAE-GIFT, Email tolwc-forum.https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-1/official-comments/SUNDAE-GIFT-official-comment.pdf. [225] Peyrin T (2019) [lwc-forum] Official Comment: SUNDAE-GIFT, Email

This tolwc-forum.https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/ documents/round-1/official-comments/SUNDAE-GIFT-official-comment.pdf. publication [226] ChangD,DattaN,DuttaA,MenninkB,NandiM,SanadhyaS,SibleyrasF(2019) Release of Unverified Plaintext: Tight Unified Model and Application to ANY- DAE. IACR Trans Symmetric Cryptol 2019(4):119–146. https://doi.org/10.13154/ tosc.v2019.i4.119-146

is [227] WuH,HuangT(2014)JAMBULightweightAuthenticatedEncryptionModeand available AES-JAMBU,CAESARcompetitionproposal. [228] Saha D, Sasaki Y, Shi D, Sibleyras F, Sun S, Zhang Y (2020) On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis, NIST Lightweight Cryptography Workshop 2020. https: free //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/

of documents/papers/security-margin-tinyJAMBU-lwc2020.pdf.

charge [229] SahaD,SasakiY,ShiD,SibleyrasF,SunS,ZhangY(2020)OntheSecurityMar- ginofTinyJAMBUwithRefinedDifferentialandLinearCryptanalysis,Cryptology ePrintArchive,Report2020/1045.https://ia.cr/2020/1045. from: [230] Saha D, Sasaki Y,Shi D, Sibleyras F, Sun S, Zhang Y (2020) On the Security MarginofTinyJAMBUwithRefinedDifferentialandLinearCryptanalysis.IACR https://doi.org/10.6028/NIST.IR.8369 TransSymmetricCryptol2020(3):152–174.https://doi.org/10.13154/tosc.v2020.i3. 152-174 [231] AlTawyR,GongG,MandalK,RohitR(2020)WAGE:AnAuthenticatedEncryp- tionwithaTwist.IACRTransSymmetricCryptol2020(S1):132–159.https://doi.org/ 10.13154/tosc.v2020.iS1.132-159 [232] NawazY,GongG(2005)TheWGStreamCipher,eSTREAM,ECRYPTStream CipherProject,Report2005/033.http://www.ecrypt.eu.org/stream. [233] NawazY,GongG(2008)WG:Afamilyofstreamcipherswithdesignedrandomness properties.InfSci178(7):1903–1916.https://doi.org/10.1016/j.ins.2007.12.002 [234] Song L, Guo J (2018) Cube-Attack-Like Cryptanalysis of Round-Reduced KECCAK Using MILP. IACR Trans Symmetric Cryptol 2018(3):182–214. https://doi.org/10.13154/tosc.v2018.i3.182-214 [235] ZhouH,LiZ,DongX,JiaK,MeierW(2020)PracticalKey-RecoveryAttacksOn Round-ReducedKetjeJr,Xoodoo-AEAndXoodyak.ComputJ63(8):1231–1246. https://doi.org/10.1093/comjnl/bxz152 [236] LiuF,IsobeT,MeierW,YangZ(2020)AlgebraicAttacksonRound-ReducedKec- cak/Xoodoo,CryptologyePrintArchive,Report2020/346.https://ia.cr/2020/346. [237] Bela¨ıdS,DagandP,MercadierD,RivainM,WintersdorffR(2020)Tornado: Au- tomaticgenerationofprobing-securemaskedbitslicedimplementations.Advances in Cryptology - EUROCRYPT 2020 - 39th Annual International Conference on

63 ______NISTIR8369 SecondRoundStatusReport

theTheoryandApplicationsofCryptographicTechniques, Zagreb, Croatia, May 10-14, 2020, Proceedings, Part III, eds Canteaut A, Ishai Y (Springer), Lec- tureNotesinComputerScience,Vol.12107,pp311–341.https://doi.org/10.1007/ 978-3-030-45727-311

This [238] AbdulgadirA,DiehlW,KapsJP(2019)Anopen-sourceplatformforevaluating side-channelcountermeasuresinhardwareimplementationsoflightweightauthen- publication ticatedciphers,NISTLightweightCryptographyWorkshop2019.https://csrc.nist. gov/Presentations/2019/an-open-source-platform-for-evaluating-side-channe. [239] Coleman F,Rezvani B, Sachin S, Diehl W (2020) Side Channel Resistance at a Cost: AComparisonofARX-BasedAuthenticatedEncryption.202030thInterna-

is tionalConferenceonField-ProgrammableLogicandApplications(FPL),pp193– available 199.https://doi.org/10.1109/FPL50879.2020.00040 [240] Guo C, Pereira O, Peters T, Standaert F (2019) Authenticated Encryption with NonceMisuseandPhysicalLeakage:Definitions,SeparationResultsandFirstCon- struction- (ExtendedAbstract).ProgressinCryptology- LATINCRYPT2019- 6th free InternationalConferenceonCryptologyandInformationSecurityinLatinAmer-

of ica, Santiago de Chile, Chile, October 2-4, 2019, Proceedings, eds Schwabe P,

charge TheriaultN(Springer),´ LectureNotesinComputerScience, Vol.11774, pp150– 172.https://doi.org/10.1007/978-3-030-30530-78 [241] BelliziaD,BronchainO,CassiersG,GrossoV,GuoC,MominC,PereiraO,Peters from: T,StandaertFX(2020)Mode-Levelvs.Implementation-LevelPhysicalSecurityin SymmetricCryptography:APracticalGuideThroughtheLeakage-ResistanceJun- https://doi.org/10.6028/NIST.IR.8369 gle,CryptologyePrintArchive,Report2020/211.https://ia.cr/2020/211. [242] Mandal K, Gong G (2020) Can LWC and PEC be Friends?: Eval- uating Lightweight Ciphers in Privacy-enhancing Cryptography, NIST Lightweight Cryptography Workshop 2020. https://csrc.nist.gov/CSRC/ media/Events/lightweight-cryptography-workshop-2020/documents/papers/ can-lwc-pec-be-friends-lwc2020.pdf. [243] Adomnicai A, Peyrin T (2020) Fixslicing - Application to Some NIST LWC Round 2 Candidates, NIST Lightweight Cryptography Workshop 2020. https: //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/ documents/papers/fixslicing-lwc2020.pdf. [244] Kiaei P, Krishna AS, Schaumont P (2020) Parallel Synchronous Code Generation for Second Round Light Weight Candidates, NIST Lightweight Cryptography Workshop 2020. https://csrc.nist.gov/CSRC/ media/Events/lightweight-cryptography-workshop-2020/documents/papers/ parallel-synchronous-code-generation-lwc2020.pdf. [245] Chakraborti A, Datta N, Nandi M (2016) INT-RUP Analysis of Block-cipher Based Authenticated Encryption Schemes. Topics in Cryptology - CT-RSA 2016 - The Cryptographers’ Track at the RSA Conference 2016, San Francisco, CA, USA, February 29 - March 4, 2016, Proceedings, ed Sako K (Springer), Lec- ture Notes in Computer Science, Vol. 9610, pp 39–54. https://doi.org/10.1007/

64 ______NISTIR8369 SecondRoundStatusReport

978-3-319-29485-83 [246] MegeA(2019)TagLengthImpactonConfidentialitySecurity,Emailtolwc-forum. https://groups.google.com/a/list.nist.gov/g/lwc-forum/c/2a0H-HQHgqU. [247] AshurT,DunkelmanO,LuykxA(2017)BoostingAuthenticatedEncryptionRo-

This bustnesswithMinimalModifications.AdvancesinCryptology- CRYPTO2017- 37thAnnualInternationalCryptologyConference, SantaBarbara, CA,USA,Au- publication gust20-24, 2017, Proceedings, PartIII,edsKatzJ,ShachamH(Springer), Lec- ture Notes in Computer Science, Vol. 10403, pp 3–33. https://doi.org/10.1007/ 978-3-319-63697-91 [248] Shor PW (1997) Polynomial-Time Algorithms for Prime Factorization and Dis-

is crete Logarithms on a Quantum Computer. SIAM J Comput 26(5):1484–1509. available https://doi.org/10.1137/S0097539795293172 [249] AlagicG,Alperin-SheriffJ,AponD,CooperD,DangQ,MillerC,MoodyD,Per- altaR,PerlnerR,RobinsonA,Smith-ToneD,LiuYK(2019)NISTIR8240Status ReportontheFirstRoundoftheNISTPost-QuantumCryptographyStandardization free Process.https://doi.org/10.6028/NIST.IR.8240.

of [250] Grover LK (1996) A Fast Quantum Mechanical Algorithm for Database Search.

charge ProceedingsoftheTwenty-EighthAnnualACMSymposiumontheTheoryofCom- puting,Philadelphia,Pennsylvania,USA,May22-24,1996,edMillerGL(ACM), pp212–219.https://doi.org/10.1145/237814.237866 from: [251] KuwakadoH,MoriiM(2012)Securityonthequantum-typeEven-Mansourcipher. ProceedingsoftheInternationalSymposiumonInformationTheoryanditsAppli- https://doi.org/10.6028/NIST.IR.8369 cations,ISITA2012,Honolulu,HI,USA,October28-31,2012(IEEE),pp312–316. [252] KuwakadoH,MoriiM(2010)QuantumDistinguisherbetweenthe3-roundFeistel CipherandtheRandomPermutation.IEEEInternationalSymposiumonInformation Theory,ISIT2010,June13-18,2010,Austin,Texas,USA,Proceedings(IEEE),pp 2682–2685.https://doi.org/10.1109/ISIT.2010.5513654 [253] KaplanM,LeurentG,LeverrierA,Naya-PlasenciaM(2016)BreakingSymmetric CryptosystemsUsingQuantumPeriodFinding.AdvancesinCryptology- CRYPTO 2016- 36thAnnualInternationalCryptologyConference,SantaBarbara,CA,USA, August14-18,2016,Proceedings,PartII,edsRobshawM,KatzJ(Springer),Lec- ture Notes in Computer Science, Vol.9815, pp 207–237. https://doi.org/10.1007/ 978-3-662-53008-58 [254] BonnetainX,HosoyamadaA,Naya-PlasenciaM,SasakiY,SchrottenloherA(2020) QuantumAttackswithoutSuperpositionQueries: theOfflineSimon’sAlgorithm. CoRRabs/2002.12439.Availableathttps://arxiv.org/abs/2002.12439. [255] NIST (2020) Benchmarking of Lightweight Cryptographic Algorithms on Microcontrollers, GitHub Repository. https://github.com/usnistgov/ Lightweight-Cryptography-Benchmarking. [256] RennerS,PozzobonE,MottokJLWCBenchmark,GitHubrepository.https://lab. las3.de/gitlab/lwc/compare. [257] Weatherley R Lightweight Cryptography Primitives, GitHub repository. https://

65 ______NISTIR8369 SecondRoundStatusReport

github.com/rweather/lightweight-crypto. [258] RennerS,PozzobonE,MottokJNISTLWCSoftwarePerformanceBenchmarks onMicrocontrollers,ProjectWebpage.https://lwc.las3.de/(AccessedFebruary27, 2021).

This [259] RennerS,PozzobonE,MottokJ(2020)CurrentandFutureEffortsinBenchmark- ingNISTLWCCiphers, NISTLightweightCryptographyWorkshop2020.https: publication //csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/ documents/papers/current-and-future-efforts-in-benchmarking-lwc2020.pdf. [260] RennerS,PozzobonE,MottokJ(2020)AHardwareintheLoopBenchmarkSuite toEvaluateNISTLWCCiphersonMicrocontrollers.InformationandCommunica-

is tionsSecurity,edsMengW,GollmannD,JensenCD,ZhouJ(SpringerInternational available Publishing,Cham),pp495–509.https://doi.org/10.1007/978-3-030-61078-428. [261] BernsteinDJ(2008)ChaCha,avariantofSalsa20,StateoftheArtofStreamCiphers (SASC)2008.Availableathttps://www.ecrypt.eu.org/stvl/sasc2008/. [262] BernsteinDJ(2005)ThePoly1305-AESMessage-AuthenticationCode.FSE,eds free GilbertH,HandschuhH(Springer),LectureNotesinComputerScience,Vol.3557,

of pp32–49.https://doi.org/10.1007/115027603.

charge [263] NirY,LangleyA(2018)ChaCha20andPoly1305forIETFProtocols,InternetRe- searchTaskForce(IRTF),RequestforComments(RFC)8439.https://doi.org/10. 17487/RFC8439. from: [264] Aumasson J, Neves S, Wilcox-O’Hearn Z, Winnerlein C (2013) BLAKE2: sim- pler,smaller,fastasMD5.AppliedCryptographyandNetworkSecurity- 11thIn- https://doi.org/10.6028/NIST.IR.8369 ternationalConference, ACNS2013, Banff, AB,Canada, June25-28, 2013.Pro- ceedings, eds Jr MJJ, Locasto ME, Mohassel P,Safavi-Naini R (Springer), Lec- ture Notes in Computer Science, Vol.7954, pp 119–135. https://doi.org/10.1007/ 978-3-642-38980-18 [265] Campos F, Jellema L, Lemmen M, MullerL,SprenkelsD,ViguierB(2020)Assem¨ - blyorOptimizedCforLightweightCryptographyonRISC-V?,CryptologyePrint Archive,Report2020/836.https://ia.cr/2020/836. [266] Nisanci G, Atay R, Pehlivanoglu MK, Kavun EB, n TY (2019) Will the Future Lightweight Standard be RISC-V Friendly?, NIST Lightweight Cryptography Workshop 2019. https://csrc.nist.gov/CSRC/media/ Presentations/will-the-future-lightweight-standard-be-risc-v-fri/images-media/ session4-yalcin-will-future-lw-standard-be-risc-v-friendly.pdf. [267] BernsteinD,LangeTeBACS:ECRYPTBenchmarkingofCryptographicSystems. https://bench.cr.yp.to/. [268] dos Santos LC, Großschadl¨ J (2020) An Evaluation of the Multi- Platform Efficiency of Lightweight Cryptographic Permutations, NIST Lightweight Cryptography Workshop 2020. https://csrc.nist.gov/CSRC/ media/Events/lightweight-cryptography-workshop-2020/documents/papers/ performance-evaluation-cryptographic-permutations-lwc2020.pdf. [269] FotovvatA,RahmanGME,VedaeiSS,WahidKA(2021)Comparativeperformance

66 ______NISTIR8369 SecondRoundStatusReport

analysisoflightweightcryptographyalgorithmsforiotsensornodes.IEEEInternet ofThingsJournal8(10):8279–8290.https://doi.org/10.1109/JIOT.2020.3044526 [270] MohajeraniK,HaeusslerR,NagpalR,FarahmandF,AbdulgadirA,KapsJP,Gaj K(2021)FPGABenchmarkingofRound2CandidatesintheNISTLightweight

This CryptographyStandardizationProcess: Methodology,Metrics,Tools,andResults, CryptologyePrintArchive,Report2020/1207(updatedFebruary24,2021).https: publication //ia.cr/2020/1207/20210224:202629. [271] ATHENa, Project Webpage. https://cryptography.gmu.edu/athena/index.php?id= LWC. [272] Farahmand F, Ferozpuri A, Diehl W, Gaj K (2017) Minerva: Automated hard-

is ware optimization tool. International Conference on ReConFigurable Computing available andFPGAs,ReConFig2017,Cancun,Mexico,December4-6,2017(IEEE),pp1– 8.https://doi.org/10.1109/RECONFIG.2017.8279804 [273] MohajeraniK,NagpalR(2020)Xeda: Cross-EDAAbstractionandAutomation. https://github.com/XedaHQ/xeda. free [274] Khairallah M, Peyrin T, Chattopadhyay A (2020) Preliminary Hardware Bench-

of markingofaGroupofRound2NISTLightweightAEADCandidates,Cryptology

charge ePrintArchive,Report2020/1459.https://ia.cr/2020/1459. [275] LightweightCryptographyASICBenchmarking,GitHubrepository.https://github. com/mustafam001/lwc-aead-rtl. from: [276] Aagaard MD, Zidaric N (2021) ASIC Benchmarking of Round 2 Candidates in the NIST Lightweight Cryptography Standardization Process, Cryptology ePrint https://doi.org/10.6028/NIST.IR.8369 Archive,Report2021/049.https://ia.cr/2021/049. [277] NIST Modes development. https://csrc.nist.gov/projects/block-cipher-techniques/ bcm/modes-development.

A. NISTSoftwareBenchmarkingResults

ThissectionpresentsNIST’ssoftwarebenchmarkingresultsonmicrocontrollers(seeTable 10). ThebenchmarkingresultsontheNISTstandardsAES-GCM andSHA-256arealso includedforcomparisonpurposes.Foradditionalresults,seetheGitHubrepositoryofthe project[255]. Table12presentsthecodesizesofthesmallestimplementationsoftheprimaryAEAD variantsoneachtestedmicrocontroller. CandidateswithasmallercodesizethanAES- GCM arehighlighted. Theresultsoncodesizefortheprimaryhashvariantsaresum- marizedinTable13, wherethecandidateshavingsmallercodesizethanSHA-256are highlighted. Table 14 presents the timing results for the fastest implementations of the primary AEADvariantsforprocessing16-bytemessageand16-byteAD.Entrieswitha‘-’sign indicatethatthetiminginformationcouldnotbemeasuredforthevariantonthatmicro- controller.Table15showsthetimingresultsforthefastestimplementationsoftheprimary hashvariantsforprocessing16-bytemessage.

67 ______NISTIR8369 SecondRoundStatusReport

Figures1,2,3,4,5,and6providethecodesizeandtiminginformationforthesmallest implementationsoftheprimaryAEADvariantsoneachmicrocontroller,respectively.The timinginformationisprovidedforprocessinga16-bytemessageand16-byteAD.Note thatthecodesizesbelongtothesmallestimplementationswheretimingresultcouldbe

This collected. Figures7,8,9,10,11,and12showthetimingcomparisonoftheprimaryAEADvari- publication antsagainstAES-GCM foreachmicrocontroller,respectively. Inthefigures,therelative timingsforeachcandidateareshownbyamatrixofvalues,wheretherowscorrespond tothemessagelengths,andthecolumnscorrespondtotheADlengths. Thelengthsfor differentMCUsvarydependingonthelongestinputthatcouldbemeasuredonthatmi-

is crocontroller.Ifanentryhasthevaluex,itmeanstheexecutiontimeofthecandidateisx available timestheexecutiontimeofAES-GCM forthatparticularinputlength. Valueslessthan1 indicateacandidateperformingbetterthanAES-GCM,andthesecellsarehighlighted. free of charge from: https://doi.org/10.6028/NIST.IR.8369

68 ______NISTIR8369 SecondRoundStatusReport

Table12.Codesizes(inbytes)forthesmallestimplementationsoftheprimaryAEADvariantson microcontrollers

ATmega328P ATmega4809 SAMD21 nRF52840 PIC32MX ESP8266 AES-GCM 2810 3072 1648 1784 3012 2332 This ACE 4356 3794 1948 1952 3716 2600 publication ASCON 3662 3590 1392 1392 2368 2092 COMET 7360 7082 7168 6944 10976 7484 DryGASCON 5810 5878 2392 2200 3956 2640 Elephant 6740 6574 3728 2600 2944 3108 is

available ESTATE 6570 6436 2228 2192 3800 2656 ForkAE 13858 13434 4704 4416 7792 5712 GIFT-COFB 2948 2882 1460 1504 2760 1836

free Gimli 3028 3092 1136 1040 1876 1164 Grain-128AEAD 9600 9418 2512 2088 4192 2904 of HyENA 6676 6562 2400 2384 4428 3228 charge ISAP 3742 3642 1420 1728 2708 1928 KNOT 1132 1124 1020 1112 1936 1288 from: LOTUS-AEAD 9306 9570 3584 3464 6236 4344 mixFeed 4222 4015 2076 2248 3440 2504 https://doi.org/10.6028/NIST.IR.8369 ORANGE 5222 4714 3176 2712 5040 3444 Oribatida 4716 4674 2428 1880 3492 2376 PHOTON-Beetle 1596 1588 4344 3124 7852 5812 Pyjamask 4034 3858 1684 1768 2988 2248 Romulus 4814 4644 3800 3256 5956 4232 SAEAES 13506 13584 7472 7320 9684 7572 Saturnin 3358 3400 1780 1920 3220 2252 SKINNY-AEAD 10840 10934 7572 6816 6956 5112 SPARKLE 3944 3834 1656 1688 2780 1896 SPIX 4722 4308 2112 1704 3272 2424 SpoC 4040 3578 2140 2088 3464 2372 Spook 6546 6354 2724 2296 4412 2852 Subterranean2.0 5962 5984 3344 3232 4904 3856 SUNDAE-GIFT 4798 4976 1956 1760 5064 2300 TinyJambu 3106 2810 872 888 1584 1076 WAGE 6052 5948 3768 3360 5804 4432 Xoodyak 2906 3072 1260 3252 2020 1468

69 ______NISTIR8369 SecondRoundStatusReport

Table13.Codesizes(inbytes)forthesmallestimplementationsoftheprimaryhashvariantson microcontrollers

ATmega328P ATmega4809 SAMD21 nRF52840 PIC32MX ESP8266 SHA-256 2284 2322 944 904 1576 1084 This ACE 2790 2482 1164 1216 2216 1484 publication ASCON 2164 2148 1064 888 1404 1124 DryGASCON 4648 4596 1320 1168 2136 1504 Gimli 1220 1228 416 352 628 412 KNOT 2128 1970 636 512 784 572 is

available ORANGE 2882 2894 1556 1456 2580 1760 PHOTON-Beetle 1006 1000 3612 2420 6128 4532 Saturnin 2582 2664 1280 1352 2100 1572

free SKINNY-HASH 2800 2694 2300 1896 2936 2136 SPARKLE 1836 1938 848 752 1316 960 of Subterranean2.0 2614 2592 2364 2352 3136 2624 charge Xoodyak 1996 2028 868 2676 1248 1004 from: https://doi.org/10.6028/NIST.IR.8369

70 ______NISTIR8369 SecondRoundStatusReport

Table14.Timings(inµs)forthefastestimplementationsofprimaryAEADvariantsfor authenticatedencryptionof16-bytemessageand16-byteADonmicrocontrollers

ATmega328P ATmega4809 SAMD21 nRF52840 PIC32MX ESP8266 AES-GCM 16144 14560 1137 548 385 326 This ACE 37988 37032 4708 1364 1458 1640 publication ASCON 7524 6976 812 217 197 316 COMET - - 1511 1134 549 435 DryGASCON 121952 71876 1347 522 418 597 Elephant 37744 37744 42349 16837 14180 28170 is

available ESTATE 6952 7548 3259 1204 1020 1249 ForkAE - 21064 9310 3546 3521 3750 GIFT-COFB 5196 5108 670 249 217 310

free Gimli 7852 7572 1047 388 254 312 Grain-128AEAD 19812 18836 2372 688 561 755 of HyENA - 207656 52290 28798 17324 18380 charge ISAP 41852 37420 6405 2556 5220 5324 KNOT 7340 7000 1207 366 385 433 from: LOTUS-AEAD 17044 16476 2977 958 835 1386 mixFeed 6736 6704 2659 1784 821 1092 https://doi.org/10.6028/NIST.IR.8369 ORANGE 8052 7560 2213 1165 826 2308 Oribatida 22220 20784 3631 1055 1034 1223 PHOTON-Beetle 12472 11976 3545 1912 1355 3758 Pyjamask 10536 10448 1323 316 334 451 Romulus 11664 10824 1888 704 616 656 SAEAES - 6676 1017 476 416 258 Saturnin 12696 11472 1632 597 510 709 SKINNY-AEAD 13108 12200 4321 796 1270 1707 SPARKLE 3660 3380 434 135 128 246 SPIX 15300 14920 2249 611 715 782 SpoC 13540 13476 2945 1035 972 1008 Spook 7532 7156 935 294 270 317 Subterranean2.0 7732 7168 3817 1826 1455 2099 SUNDAE-GIFT 8940 8880 1321 616 412 596 TinyJambu 8080 7964 774 283 320 324 WAGE 23428 21112 21932 8089 6894 7674 Xoodyak 6604 5908 541 155 137 204

71 ______NISTIR8369 SecondRoundStatusReport

Table15.Timings(inµs)forthefastestimplementationsofprimaryhashvariantsforprocessing 16-bytemessageonmicrocontrollers

ATmega328P ATmega4809 SAMD21 nRF52840 PIC32MX ESP8266 SHA-256 10672 10608 211 72 56 56 This ACE 9160 8940 1132 324 348 389 publication ASCON 3836 3552 367 95 86 123 DryGASCON 11928 10980 177 50 53 78 Gimli 1972 1920 270 103 61 75 KNOT 9144 8100 761 217 236 290 is ORANGE 3816 3584 1043 564 399 1114 available PHOTON-Beetle 2464 2364 696 377 268 742 Saturnin 1848 1676 251 88 72 101 SKINNY-HASH 45944 34596 7329 3418 2331 3803 free SPARKLE 1104 1036 141 39 40 68 of Subterranean2.0 4972 4620 2425 1120 934 1358 charge Xoodyak 1440 1288 122 42 36 44 from: https://doi.org/10.6028/NIST.IR.8369

72 ______NISTIR8369 SecondRoundStatusReport This publication is available free

Figure1.Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforauthenticated of encryptionof16-bytemessageand16-byteADonATmega328P charge from: https://doi.org/10.6028/NIST.IR.8369

Figure2.Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforauthenticated encryptionof16-bytemessageand16-byteADonATmega4809

73 ______NISTIR8369 SecondRoundStatusReport This publication is available free

Figure3.Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforauthenticated of encryptionof16-bytemessageand16-byteADonSAMD21 charge from: https://doi.org/10.6028/NIST.IR.8369

Figure4.Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforauthenticated encryptionof16-bytemessageand16-byteADonnRF52840

74 ______NISTIR8369 SecondRoundStatusReport This publication is available free

Figure5.Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforauthenticated of encryptionof16-bytemessageand16-byteADonPIC32MX charge from: https://doi.org/10.6028/NIST.IR.8369

Figure6.Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforauthenticated encryptionof16-bytemessageand16-byteADonESP8266

75 ______NISTIR8369 SecondRoundStatusReport This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8369

Figure7.RelativespeedsofthecandidatescomparedtoAES-GCMonATmega328P

76 ______NISTIR8369 SecondRoundStatusReport This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8369

Figure8.RelativespeedsofthecandidatescomparedtoAES-GCMonATmega4809

77 ______NISTIR8369 SecondRoundStatusReport This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8369

Figure9.RelativespeedsofthecandidatescomparedtoAES-GCMonSAMD21

78 ______NISTIR8369 SecondRoundStatusReport This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8369

Figure10.RelativespeedsofthecandidatescomparedtoAES-GCMonnRF52840

79 ______NISTIR8369 SecondRoundStatusReport This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8369

Figure11.RelativespeedsofthecandidatescomparedtoAES-GCMonPIC32MX

80 ______NISTIR8369 SecondRoundStatusReport This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8369

Figure12.RelativespeedsofthecandidatescomparedtoAES-GCMonESP8266

81