Lightweight Encryption and Hashing with the Sparkle Family: Improving Data Security on IoT Devices
This document addresses the need for secure data transmission between devices in the Internet of Things (IoT), in particular the design of efficient lightweight cryptographic algorithms for devices with limited computing power. It focuses on Schwaemm and Esch from the Sparkle family, a lightweight authenticated cipher and a lightweight hash function respectively.

Schwaemm is an authenticated encryption scheme designed for resource-constrained devices: it provides confidentiality of the plaintext together with integrity and authentication. It is built on the Sparkle family of permutations and aims to deliver strong, reliable data protection at a very low cost in CPU cycles, which makes it suitable for low-power, battery-driven microcontrollers and helps reduce energy consumption.

The Esch hash function targets one-wayness and collision resistance and produces a fixed-length digest used to protect data integrity. Esch256 and Esch384 offer 128-bit and 192-bit security with 256-bit and 384-bit digests respectively; they run on an internal state of 48 bytes (Esch256, built on Sparkle384) or 64 bytes (Esch384, built on Sparkle512) with a 16-byte rate, and their data limits are 2^132 and 2^196 bytes respectively. The designs aim at sufficient security without complex implementation details, so that they execute efficiently on constrained devices.

The document gives the concrete specification, internal structure and performance figures of both algorithms, and discusses their potential advantages in practice, such as lower energy consumption of cryptographic operations on battery-powered devices. The authors also provide contact information (paper authors, submitter e-mail and telephone, and the Sparkle team homepage) for further enquiries or participation in the research discussion.

The document is a useful reference in the field of cryptography and hash functions, with practical value for optimizing secure communication between IoT devices, especially where low power and high efficiency are required.
Algorithm 2.9 Esch256
Input: 𝑀 ∈ F₂*
Output: 𝐷 ∈ F₂^256
  ◁ Padding the message
  if 𝑀 ≠ 𝜖 then
    𝑃_0 ‖ 𝑃_1 ‖ … ‖ 𝑃_{ℓ−1} ← 𝑀 with ∀𝑖 < ℓ−1: |𝑃_𝑖| = 128 and 1 ≤ |𝑃_{ℓ−1}| ≤ 128
  else
    ℓ ← 1
    𝑃_0 ← 𝜖
  end if
  if |𝑃_{ℓ−1}| < 128 then
    𝑃_{ℓ−1} ← pad_128(𝑃_{ℓ−1})
    Const_M ← (1 ≪ 192)
  else
    Const_M ← (2 ≪ 192)
  end if
  ◁ Absorption
  𝑆 ← 0 ∈ F₂^384
  for all 𝑗 = 0, …, ℓ−2 do
    𝑃′_𝑗 ← ℳ_3(𝑃_𝑗 ‖ 0^64)
    𝑆 ← Sparkle384_7(𝑆 ⊕ (𝑃′_𝑗 ‖ 0^192))
  end for
  𝑃′_{ℓ−1} ← ℳ_3(𝑃_{ℓ−1} ‖ 0^64)
  𝑆 ← Sparkle384_11(𝑆 ⊕ (𝑃′_{ℓ−1} ‖ 0^192) ⊕ Const_M)
  ◁ Squeezing
  𝐷_0 ← trunc_128(𝑆)
  𝑆 ← Sparkle384_7(𝑆)
  𝐷_1 ← trunc_128(𝑆)
  return 𝐷_0 ‖ 𝐷_1
Algorithm 2.10 Esch384
Input: 𝑀 ∈ F₂*
Output: 𝐷 ∈ F₂^384
  ◁ Padding the message
  if 𝑀 ≠ 𝜖 then
    𝑃_0 ‖ 𝑃_1 ‖ … ‖ 𝑃_{ℓ−1} ← 𝑀 with ∀𝑖 < ℓ−1: |𝑃_𝑖| = 128 and 1 ≤ |𝑃_{ℓ−1}| ≤ 128
  else
    ℓ ← 1
    𝑃_0 ← 𝜖
  end if
  if |𝑃_{ℓ−1}| < 128 then
    𝑃_{ℓ−1} ← pad_128(𝑃_{ℓ−1})
    Const_M ← (1 ≪ 256)
  else
    Const_M ← (2 ≪ 256)
  end if
  ◁ Absorption
  𝑆 ← 0 ∈ F₂^512
  for all 𝑗 = 0, …, ℓ−2 do
    𝑃′_𝑗 ← ℳ_4(𝑃_𝑗 ‖ 0^128)
    𝑆 ← Sparkle512_8(𝑆 ⊕ (𝑃′_𝑗 ‖ 0^256))
  end for
  𝑃′_{ℓ−1} ← ℳ_4(𝑃_{ℓ−1} ‖ 0^128)
  𝑆 ← Sparkle512_12(𝑆 ⊕ (𝑃′_{ℓ−1} ‖ 0^256) ⊕ Const_M)
  ◁ Squeezing
  𝐷_0 ← trunc_128(𝑆)
  𝑆 ← Sparkle512_8(𝑆)
  𝐷_1 ← trunc_128(𝑆)
  𝑆 ← Sparkle512_8(𝑆)
  𝐷_2 ← trunc_128(𝑆)
  return 𝐷_0 ‖ 𝐷_1 ‖ 𝐷_2
[Figure 2.4, image not extracted: the message blocks 𝑃_0, …, 𝑃_{ℓ−1} (128 bits each) pass through ℳ_4 and are XORed into the 512-bit state, with Sparkle512_8 between blocks and Sparkle512_12 after the last block, where the constant 𝑐_𝑀 is added to the capacity (drawn as ⊕ ℳ_4^{−1}(𝑐_𝑀) in the figure); the digest blocks 𝐷_0, 𝐷_1, 𝐷_2 are then squeezed with Sparkle512_8 in between.]

Figure 2.4: The Hash Function Esch384 with rate 𝑟 = 128 and capacity 𝑐 = 384. The constant 𝑐_𝑀 is equal to (0, 0, …, 0, 1) ∈ F₂^256 if the last block was padded and equal to (0, 0, …, 0, 1, 0) ∈ F₂^256 otherwise.
2.2.3 The Extendable-Output Functions XOEsch256 and XOEsch384

The hash functions Esch256 and Esch384 can easily be adapted to provide outputs of arbitrary length. We define the extendable-output functions (XOFs) XOEsch256 and XOEsch384, which are very similar to their hashing counterparts. Apart from using other values for the constants Const_M, which separates the two use-cases, the only difference is that the XOFs take an additional input parameter 𝑡 which defines the size of the output string. The squeezing phase is extended in order to provide the output of the required length. XOEsch256 and XOEsch384 are formally described in Algorithms 2.11 and 2.12, respectively. The parameters and security levels are given in Table 2.2.
Algorithm 2.11 XOEsch256
Input: 𝑀 ∈ F₂*, 𝑡 ∈ ℕ
Output: 𝐷 ∈ F₂^𝑡
  ◁ Padding the message
  if 𝑀 ≠ 𝜖 then
    𝑃_0 ‖ 𝑃_1 ‖ … ‖ 𝑃_{ℓ−1} ← 𝑀 with ∀𝑖 < ℓ−1: |𝑃_𝑖| = 128 and 1 ≤ |𝑃_{ℓ−1}| ≤ 128
  else
    ℓ ← 1
    𝑃_0 ← 𝜖
  end if
  if |𝑃_{ℓ−1}| < 128 then
    𝑃_{ℓ−1} ← pad_128(𝑃_{ℓ−1})
    Const_M ← (1 ≪ 192) ⊕ (4 ≪ 192)
  else
    Const_M ← (2 ≪ 192) ⊕ (4 ≪ 192)
  end if
  ◁ Absorption
  𝑆 ← 0 ∈ F₂^384
  for all 𝑗 = 0, …, ℓ−2 do
    𝑃′_𝑗 ← ℳ_3(𝑃_𝑗 ‖ 0^64)
    𝑆 ← Sparkle384_7(𝑆 ⊕ (𝑃′_𝑗 ‖ 0^192))
  end for
  𝑃′_{ℓ−1} ← ℳ_3(𝑃_{ℓ−1} ‖ 0^64)
  𝑆 ← Sparkle384_11(𝑆 ⊕ (𝑃′_{ℓ−1} ‖ 0^192) ⊕ Const_M)
  ◁ Squeezing
  𝐷_0 ← trunc_128(𝑆)
  for all 𝑗 = 1, …, ⌈𝑡/128⌉ − 1 do
    𝑆 ← Sparkle384_7(𝑆)
    𝐷_𝑗 ← trunc_128(𝑆)
  end for
  return trunc_𝑡(𝐷_0 ‖ 𝐷_1 ‖ … ‖ 𝐷_{⌈𝑡/128⌉−1})
Algorithm 2.12 XOEsch384
Input: 𝑀 ∈ F₂*, 𝑡 ∈ ℕ
Output: 𝐷 ∈ F₂^𝑡
  ◁ Padding the message
  if 𝑀 ≠ 𝜖 then
    𝑃_0 ‖ 𝑃_1 ‖ … ‖ 𝑃_{ℓ−1} ← 𝑀 with ∀𝑖 < ℓ−1: |𝑃_𝑖| = 128 and 1 ≤ |𝑃_{ℓ−1}| ≤ 128
  else
    ℓ ← 1
    𝑃_0 ← 𝜖
  end if
  if |𝑃_{ℓ−1}| < 128 then
    𝑃_{ℓ−1} ← pad_128(𝑃_{ℓ−1})
    Const_M ← (1 ≪ 256) ⊕ (4 ≪ 256)
  else
    Const_M ← (2 ≪ 256) ⊕ (4 ≪ 256)
  end if
  ◁ Absorption
  𝑆 ← 0 ∈ F₂^512
  for all 𝑗 = 0, …, ℓ−2 do
    𝑃′_𝑗 ← ℳ_4(𝑃_𝑗 ‖ 0^128)
    𝑆 ← Sparkle512_8(𝑆 ⊕ (𝑃′_𝑗 ‖ 0^256))
  end for
  𝑃′_{ℓ−1} ← ℳ_4(𝑃_{ℓ−1} ‖ 0^128)
  𝑆 ← Sparkle512_12(𝑆 ⊕ (𝑃′_{ℓ−1} ‖ 0^256) ⊕ Const_M)
  ◁ Squeezing
  𝐷_0 ← trunc_128(𝑆)
  for all 𝑗 = 1, …, ⌈𝑡/128⌉ − 1 do
    𝑆 ← Sparkle512_8(𝑆)
    𝐷_𝑗 ← trunc_128(𝑆)
  end for
  return trunc_𝑡(𝐷_0 ‖ 𝐷_1 ‖ … ‖ 𝐷_{⌈𝑡/128⌉−1})
2.3 The Authenticated Cipher Family Schwaemm

2.3.1 Instances

We propose four instances for authenticated encryption with associated data, i.e. Schwaemm128-128, Schwaemm256-128, Schwaemm192-192 and Schwaemm256-256 which, for a given key 𝐾 and nonce 𝑁, allow to process associated data 𝐴 and messages 𝑀 of arbitrary length³ and output a ciphertext 𝐶 with |𝐶| = |𝑀| and an authentication tag 𝑇. For given (𝐾, 𝑁, 𝐴, 𝐶, 𝑇), the decryption procedure returns the decryption 𝑀 of 𝐶 if the tag 𝑇 is valid, otherwise it returns the error symbol ⊥. Our primary member of the family is Schwaemm256-128. All instances use (a slight variation of) the Beetle mode of operation presented in [CDNY18], which is based on the well-known SpongeWrap AEAD mode [BDPA11]. The difference between the instances is the version of the underlying Sparkle permutation (and thus the rate and capacity differ) and the size of the authentication tag. As a naming convention, we use Schwaemm𝑟-𝑐, where 𝑟 refers to the size of the rate and 𝑐 to the size of the capacity in bits. As for hashing, we use the big version of Sparkle for initialization, for the separation between processing of associated data and secret message, and for finalization, and the slim version of Sparkle for updating the intermediate state otherwise. Table 2.3 gives an overview of the parameters of the Schwaemm instances. The data limits correspond to 2^64 blocks of 𝑟 bits rounded up to the closest power of two, except for the high-security Schwaemm256-256 for which it is 𝑟 × 2^128 bits.

³ As for the hash function, the length can be chosen arbitrarily but it has to be under the thresholds given in Table 2.3.
Table 2.3: The instances we provide for authenticated encryption together with their (joint) security level in bits with regard to confidentiality and integrity, and the limit on the data (in bytes) to be processed. The first line refers to our primary member, i.e. Schwaemm256-128.

                   𝑛    𝑟    𝑐   |𝐾|  |𝑁|  |𝑇|  security  data limit (in bytes)
Schwaemm256-128  384  256  128  128  256  128    120       2^68
Schwaemm192-192  384  192  192  192  192  192    184       2^68
Schwaemm128-128  256  128  128  128  128  128    120       2^68
Schwaemm256-256  512  256  256  256  256  256    248       2^133
2.3.2 The Algorithms

The main difference between the Beetle mode and duplexed sponge modes is the usage of a combined feedback $\rho$ to differentiate the ciphertext blocks and the outer part of the states. This combined feedback is created by applying the function FeistelSwap to the outer part of the state, which is computed as

$$\mathrm{FeistelSwap}(S) = S_2 \,\|\, (S_2 \oplus S_1),$$

where $S \in \mathbb{F}_2^{r}$ and $S_1 \| S_2 = S$ with $|S_1| = |S_2| = r/2$. The feedback function $\rho\colon (\mathbb{F}_2^{r} \times \mathbb{F}_2^{r}) \to (\mathbb{F}_2^{r} \times \mathbb{F}_2^{r})$ is defined as $\rho(S, D) = (\rho_1(S, D), \rho_2(S, D))$, where

$$\rho_1\colon (S, D) \mapsto \mathrm{FeistelSwap}(S) \oplus D, \qquad \rho_2\colon (S, D) \mapsto S \oplus D.$$

For decryption, we have to use the inverse feedback function $\rho'\colon (\mathbb{F}_2^{r} \times \mathbb{F}_2^{r}) \to (\mathbb{F}_2^{r} \times \mathbb{F}_2^{r})$ defined as $\rho'(S, D) = (\rho'_1(S, D), \rho'_2(S, D))$, where

$$\rho'_1\colon (S, D) \mapsto \mathrm{FeistelSwap}(S) \oplus S \oplus D, \qquad \rho'_2\colon (S, D) \mapsto S \oplus D.$$

The two are consistent: with $C = \rho_2(S, M) = S \oplus M$ one gets $\rho'_1(S, C) = \mathrm{FeistelSwap}(S) \oplus S \oplus S \oplus M = \rho_1(S, M)$, so the decryptor reproduces the encryptor's state from the ciphertext block alone.

After each application of $\rho$ and the additions of the domain separation constants, i.e., before each call to the Sparkle permutation except the one for initialization, we prepend a rate whitening layer which XORs the value of $\mathcal{W}_{c,r}(S_R)$ to the outer part, where $S_R$ denotes the internal state corresponding to the inner part. For the Schwaemm instances with $r = c$, we define $\mathcal{W}_{c,r}\colon \mathbb{F}_2^{c} \to \mathbb{F}_2^{r}$ as the identity (i.e., we just XOR the inner part to the outer part). For Schwaemm256-128, we define $\mathcal{W}_{128,256}(x, y) = (x, y, x, y)$, where $x, y \in \mathbb{F}_2^{64}$. Note that this tweak can still be described in the Beetle framework as the prepended rate whitening can be considered to be part of the definition of the underlying permutation.

Figure 2.5 depicts the mode for our primary member Schwaemm256-128. The formal specifications of the encryption and decryption procedures of the four family members are given in Algorithms 2.13-2.20.
[Figure 2.5, image not extracted: the state is initialised as Sparkle384_11(𝑁 ‖ 𝐾); the associated-data blocks 𝐴_0, …, 𝐴_{ℓ_A−1} and then the message blocks 𝑀_0, …, 𝑀_{ℓ_M−1} (yielding 𝐶_0, …, 𝐶_{ℓ_M−1}) are fed into the outer part through 𝜌 followed by the rate whitening 𝒲_{c,r}, with the slim Sparkle384_7 between blocks and the big Sparkle384_11 after the last associated-data block (with Const_A) and after the last message block (with Const_M); the tag 𝑇 is derived from the 128-bit inner part and 𝐾.]

Figure 2.5: The Authenticated Encryption Algorithm Schwaemm256-128 with rate 𝑟 = 256 and capacity 𝑐 = 128.
Algorithm 2.13 Schwaemm256-128-Enc
Input: (𝐾, 𝑁, 𝐴, 𝑀) where 𝐾 ∈ F₂^128 is a key, 𝑁 ∈ F₂^256 is a nonce and 𝐴, 𝑀 ∈ F₂*
Output: (𝐶, 𝑇), where 𝐶 ∈ F₂* is the ciphertext and 𝑇 ∈ F₂^128 is the authentication tag
  ◁ Padding the associated data and message
  if 𝐴 ≠ 𝜖 then
    𝐴_0 ‖ 𝐴_1 ‖ … ‖ 𝐴_{ℓ_A−1} ← 𝐴 with ∀𝑖 ∈ {0, …, ℓ_A−2}: |𝐴_𝑖| = 256 and 1 ≤ |𝐴_{ℓ_A−1}| ≤ 256
    if |𝐴_{ℓ_A−1}| < 256 then
      𝐴_{ℓ_A−1} ← pad_256(𝐴_{ℓ_A−1})
      Const_A ← 0 ⊕ (1 ≪ 2)
    else
      Const_A ← 1 ⊕ (1 ≪ 2)
    end if
  end if
  if 𝑀 ≠ 𝜖 then
    𝑀_0 ‖ 𝑀_1 ‖ … ‖ 𝑀_{ℓ_M−1} ← 𝑀 with ∀𝑖 ∈ {0, …, ℓ_M−2}: |𝑀_𝑖| = 256 and 1 ≤ |𝑀_{ℓ_M−1}| ≤ 256
    𝑡 ← |𝑀_{ℓ_M−1}|
    if |𝑀_{ℓ_M−1}| < 256 then
      𝑀_{ℓ_M−1} ← pad_256(𝑀_{ℓ_M−1})
      Const_M ← 2 ⊕ (1 ≪ 2)
    else
      Const_M ← 3 ⊕ (1 ≪ 2)
    end if
  end if
  ◁ State initialization
  𝑆_L ‖ 𝑆_R ← Sparkle384_11(𝑁 ‖ 𝐾) with |𝑆_L| = 256 and |𝑆_R| = 128
  ◁ Processing of associated data
  if 𝐴 ≠ 𝜖 then
    for all 𝑗 = 0, …, ℓ_A−2 do
      𝑆_L ‖ 𝑆_R ← Sparkle384_7((𝜌_1(𝑆_L, 𝐴_𝑗) ⊕ 𝒲_{128,256}(𝑆_R)) ‖ 𝑆_R)
    end for
    ◁ Finalization if message is empty
    𝑆_L ‖ 𝑆_R ← Sparkle384_11((𝜌_1(𝑆_L, 𝐴_{ℓ_A−1}) ⊕ 𝒲_{128,256}(𝑆_R ⊕ Const_A)) ‖ (𝑆_R ⊕ Const_A))
  end if
  ◁ Encrypting
  if 𝑀 ≠ 𝜖 then
    for all 𝑗 = 0, …, ℓ_M−2 do
      𝐶_𝑗 ← 𝜌_2(𝑆_L, 𝑀_𝑗)
      𝑆_L ‖ 𝑆_R ← Sparkle384_7((𝜌_1(𝑆_L, 𝑀_𝑗) ⊕ 𝒲_{128,256}(𝑆_R)) ‖ 𝑆_R)
    end for
    𝐶_{ℓ_M−1} ← trunc_𝑡(𝜌_2(𝑆_L, 𝑀_{ℓ_M−1}))
    ◁ Finalization
    𝑆_L ‖ 𝑆_R ← Sparkle384_11((𝜌_1(𝑆_L, 𝑀_{ℓ_M−1}) ⊕ 𝒲_{128,256}(𝑆_R ⊕ Const_M)) ‖ (𝑆_R ⊕ Const_M))
  end if
  return (𝐶_0 ‖ 𝐶_1 ‖ … ‖ 𝐶_{ℓ_M−1}, 𝑆_R ⊕ 𝐾)
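The following Python is an added worked example, not the Sparkle team's code, that runs the two modes on this page end to end: the Esch256/XOEsch256 sponge of Algorithms 2.9 and 2.11 (padding rule, Const_M for padded vs. full last block and hash vs. XOF, slim/big step counts, squeezing with trunc_t) and the Schwaemm256-128 mode of Section 2.3.2 and Algorithm 2.13 (FeistelSwap, 𝜌 and 𝜌′, the rate whitening 𝒲_{128,256}, Const_A/Const_M, tag = 𝑆_R ⊕ 𝐾), together with the decryption mirror the text describes in prose (plaintext if the tag verifies, ⊥ otherwise). Two things are deliberately stand-ins and are labelled as such in the code: the Sparkle384 permutation and the linear injection ℳ_3 are defined in Section 2.1 of the specification, which is not on this page, so `perm384` is a SHA-256-based Feistel bijection and ℳ_3 is replaced by plain placement of the block in the rate; consequently the outputs are not Esch or Schwaemm test vectors. The byte into which the small domain-separation constants are XORed is also an assumption (the spec fixes byte order in Section 2.1). The function names and the constructed key, nonce and messages are the example's own.

```python
import hashlib, hmac

SLIM, BIG = 7, 11   # Sparkle384 step counts used by Esch256 and Schwaemm256-128 (Alg. 2.9, 2.13)

def perm384(state: bytes, steps: int) -> bytes:
    """STAND-IN for Sparkle384_steps; the real permutation is in spec section 2.1, not on this page.
    A Feistel network over two 192-bit halves with SHA-256 as round function is a bijection, so it
    drives the modes correctly, but outputs will not match Esch/Schwaemm test vectors."""
    for i in range(steps):
        l, r = state[:24], state[24:]
        state = r + bytes(a ^ b for a, b in zip(l, hashlib.sha256(bytes([i]) + r).digest()))
    return state

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes, r: int) -> list:
    """P_0..P_{l-1}: full r-byte blocks, the last 1..r bytes; the empty input gives l = 1, P_0 = eps."""
    return [data[i:i + r] for i in range(0, len(data), r)] or [b""]

def pad(block: bytes, r: int) -> bytes:
    """pad_r: a single 1 bit then zeros (0x80 00..00); applied only when the block is short."""
    return block if len(block) == r else block + b"\x80" + b"\x00" * (r - len(block) - 1)

def add_const(inner: bytes, c: int) -> bytes:
    """XOR a small domain-separation constant into the inner part. Putting it in the first byte is an
    assumption: the spec fixes byte order in section 2.1, which is not on this page."""
    return bytes([inner[0] ^ c]) + inner[1:]

# ---- Esch256 / XOEsch256: r = 128, c = 256 (Algorithms 2.9 and 2.11) ----
def esch_absorb(msg: bytes, xof: bool) -> bytes:
    p = blocks(msg, 16)
    const = (1 if len(p[-1]) < 16 else 2) ^ (4 if xof else 0)   # Const_M: padded/full, hash/XOF
    inject = lambda blk: blk + b"\x00" * 32  # STAND-IN for M_3(P_j || 0^64) || 0^192; M_3 is not on this page
    s = b"\x00" * 48
    for blk in p[:-1]:
        s = perm384(xor(s, inject(blk)), SLIM)
    s = xor(s, inject(pad(p[-1], 16)))
    return perm384(s[:24] + add_const(s[24:], const), BIG)    # Const_M << 192: first capacity byte

def esch256(msg: bytes) -> bytes:
    s = esch_absorb(msg, xof=False)
    return s[:16] + perm384(s, SLIM)[:16]                      # D_0 || D_1

def xoesch256(msg: bytes, t_bytes: int) -> bytes:
    s, out = esch_absorb(msg, xof=True), b""
    while len(out) < t_bytes:                                   # squeeze ceil(t/128) blocks, then trunc_t
        out, s = out + s[:16], perm384(s, SLIM)
    return out[:t_bytes]

# ---- Schwaemm256-128: r = 256, c = 128, Beetle-style feedback (Section 2.3.2, Algorithm 2.13) ----
def feistel_swap(s: bytes) -> bytes:
    """FeistelSwap(S) = S_2 || (S_2 xor S_1) with |S_1| = |S_2| = r/2."""
    return s[16:] + xor(s[16:], s[:16])

def rho1(s, d):     return xor(feistel_swap(s), d)             # rho_1: next outer state from plaintext
def rho2(s, d):     return xor(s, d)                           # rho_2 = rho'_2: plaintext <-> ciphertext
def rho1_inv(s, d): return xor(xor(feistel_swap(s), s), d)     # rho'_1: next outer state from ciphertext

def step(outer: bytes, inner: bytes, steps: int):
    """Rate whitening W_{128,256}(x, y) = (x, y, x, y), i.e. inner || inner, then the permutation."""
    s = perm384(xor(outer, inner + inner) + inner, steps)
    return s[:32], s[32:]

def _core(key: bytes, nonce: bytes, ad: bytes, data: bytes, decrypt: bool):
    """Shared Enc/Dec body; data is plaintext on encrypt, ciphertext on decrypt. Returns (out, tag)."""
    assert len(key) == 16 and len(nonce) == 32
    a, m = blocks(ad, 32), blocks(data, 32)
    const_a = (0 if len(a[-1]) < 32 else 1) ^ (1 << 2)        # Alg. 2.13 domain-separation constants
    const_m = (2 if len(m[-1]) < 32 else 3) ^ (1 << 2)
    s = perm384(nonce + key, BIG)                               # S_L || S_R <- Sparkle384_11(N || K)
    s_l, s_r = s[:32], s[32:]
    if ad:
        for blk in a[:-1]:
            s_l, s_r = step(rho1(s_l, blk), s_r, SLIM)
        s_l, s_r = step(rho1(s_l, pad(a[-1], 32)), add_const(s_r, const_a), BIG)
    out = b""
    if data:
        for blk in m[:-1]:
            out += rho2(s_l, blk)
            s_l, s_r = step(rho1_inv(s_l, blk) if decrypt else rho1(s_l, blk), s_r, SLIM)
        t = len(m[-1])
        last = rho2(s_l, pad(m[-1], 32))[:t]                    # trunc_t of the final block
        out += last
        plain = pad(last if decrypt else m[-1], 32)             # feedback always uses the padded plaintext
        s_l, s_r = step(rho1(s_l, plain), add_const(s_r, const_m), BIG)
    return out, xor(s_r, key)                                   # T = S_R xor K

def schwaemm256_128_enc(key, nonce, ad, msg):
    return _core(key, nonce, ad, msg, decrypt=False)

def schwaemm256_128_dec(key, nonce, ad, ct, tag):
    """Plaintext, or None for the spec's error symbol. Constant-time tag compare; nothing is
    released when verification fails."""
    msg, expected = _core(key, nonce, ad, ct, decrypt=True)
    return msg if hmac.compare_digest(expected, tag) else None
```

Two practitioner points the code makes concrete. First, the padding rule alone does not separate a 15-byte message from the 16-byte message equal to its padded form; the padded/full distinction carried by Const_M is what keeps their digests apart, and the extra 4 in the XOF constant is what keeps `xoesch256(m, 32)` from ever equalling `esch256(m)`. Second, the decryptor never needs the plaintext to advance the state: `rho1_inv` on a ciphertext block equals `rho1` on the corresponding plaintext block, and the final (possibly partial) block is fed back as the padded recovered plaintext, exactly as the encryptor did; the tag is compared with `hmac.compare_digest` and the plaintext is withheld when it does not match.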