Hi everyone, my name is Raghvindra Rohit and I am going to present WAGE: An Authenticated Encryption with a Twist. This is joint work with Riham AlTawy, Guang Gong and Kalikinkar Mandal. In this talk, first I will give a brief introduction and the motivation for this work. Next I will present the design of WAGE along with its security analysis and some of its features. Finally, I will briefly describe the hardware performance of WAGE and conclude the talk. So let's start with the developments in symmetric-key cryptography in the past 50 years. Starting from DES and Lucifer, many symmetric-key cryptographic primitives have been proposed. For block ciphers, the most notable competition was the AES competition in the late 90s. This was later followed by the eSTREAM competition for stream ciphers in 2005 and the SHA-3 competition for hash functions in late 2008. And finally, around 2013, we saw the CAESAR competition for authenticated encryption, which recently finished. So we have lots and lots of symmetric-key primitives. In the last decade, we have also seen millions and millions of resource-constrained devices such as Internet of Things devices, sensor networks, RFIDs, NFC devices, smart devices and some embedded systems. Now there are some algorithms in the current cryptographic standards which do not fit into these devices. For example, there are some microcontroller environments where AES does not fit, and even SHA-3 is unable to fit in those environments. So the US National Institute of Standards and Technology, NIST, called for lightweight cryptographic algorithm submissions in 2019 and received 56 submissions as round 1 candidates. This was later reduced to 32 round 2 candidates. Now all of these candidates have different designs and different goals, and they target varying platforms. WAGE is one of the round 2 candidates of this competition, and it mainly targets hardware. So coming to our contributions, our contributions are threefold.
WAGE represents the design of a hardware-friendly permutation with a state size of 259 bits. It is based on a 37-stage Galois nonlinear feedback shift register over the finite field F_{2^7}. We analyze the security of the WAGE permutation and the WAGE authenticated encryption scheme against well-known attack vectors such as diffusion, algebraic attacks, and differential and linear distinguishers. We show the construction of a WG-based pseudorandom bit generator from WAGE, and it has certain theoretically guaranteed randomness properties by design. Now let's move on to the design of WAGE. A high-level overview of the round function of the WAGE permutation is shown here. It consists of 37 7-bit words, shown in green; two Welch-Gong permutation (WGP) S-boxes, shown in blue; four other nonlinear S-boxes, SB, shown in yellow; two sets of round constants, rc0 and rc1; and a linear layer consisting of the primitive feedback polynomial and the ω multiplier. So coming to the rationale of the overall design, why we chose this design. Our first goal was to reuse and adapt the initialization phase of the WG stream cipher, which was a phase 2 candidate in the eSTREAM project, and we wanted to utilize it for authenticated encryption since it was well studied. For the word size, we find that the ASIC cost of the WG permutation module over F_{2^7} is much cheaper than over F_{2^8}, so we chose a word size of 7 bits instead of 8 bits. To have faster confusion we introduced five more additional S-boxes, and to bring more diffusion, in addition to the primitive feedback polynomial, the partial word-wise XORs in between the state. Finally, we want to be able to move from the WAGE permutation back to the WG pseudorandom bit generator, and for that we want to have minimal overhead. So this was our overall rationale for designing the WAGE permutation. Now let's talk about the S-boxes utilized in the WAGE permutation.
The first one is the Welch-Gong permutation S-box. It is defined over F_{2^7} by this equation, WGP7(x^13), where WGP7(x) consists of five power terms. Note that in hardware all these power terms can be computed easily in terms of normal basis multiplication, and here we chose the decimation d = 13 to have lower differential uniformity and higher nonlinearity for the S-box. The second S-box is the SB S-box. This is defined in a bitwise and iterative fashion, similar to the 4-bit and 8-bit S-boxes of the SKINNY block cipher. It consists of two steps: first we apply a round function R five times, followed by a nonlinear function Q; then in the end we complement the first and second components of the 7-bit word. A block diagram of R is shown here. The nonlinear layer Q consists of three AND gates, three XORs and two NOTs (on bit x3 and one other bit), and in the end we have a permutation layer which is just a bitwise permutation. Another component of the WAGE permutation is the round constants. For generating the round constants we use a 7-bit lightweight linear feedback shift register. You can see the LFSR here, and the way we generate the round constants is as follows. We generate a sequence of 8 bits, say a_i to a_{i+7}; the first 7 bits constitute round constant 0, and the bits starting from bit 1 to bit 7 are round constant 1 in the i-th round. So you can see both round constants differ in only one bit; however, we have ensured that the tuples of round constants are not equal across rounds. This means each round of WAGE is parameterized by a different set of round constants, and they are distinct. This is necessary to provide resistance against slide and invariant subspace attacks. So how did we choose the number of rounds of the WAGE permutation? As I said before, we iterate the WAGE round function for 111 rounds to get one call of the WAGE permutation.
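The round-constant construction just described, as an added worked example (not the WAGE reference code): an 8-bit window of a 7-bit LFSR sequence is read per round, rc0 being the first 7 bits and rc1 the last 7, and the property the talk relies on, that the (rc0, rc1) tuples are distinct over all 111 rounds, is checked programmatically. The talk does not give the LFSR polynomial, how far the LFSR advances per round, or the bit order, so the example assumes the feedback polynomial x^7 + x + 1 (primitive over GF(2)), 8 bits of sequence per round, and MSB-first reading; those are assumptions of this example, not facts about WAGE.

```python
"""Round constants from a 7-bit LFSR, in the style described in the talk.

Added illustration, not the WAGE reference code. Assumed (the talk does not say):
feedback polynomial x^7 + x + 1, 8 sequence bits consumed per round, MSB-first.
"""
from typing import List, Tuple

NUM_ROUNDS = 111   # rounds per call of the WAGE permutation, as stated in the talk


def lfsr7_bits(seed: int, n: int) -> List[int]:
    """First n bits a_0, a_1, ... of the 7-bit Fibonacci LFSR with
    a_{i+7} = a_{i+1} XOR a_i, i.e. feedback polynomial x^7 + x + 1 (assumed)."""
    assert 0 < seed < 128, "a 7-bit LFSR must start from a non-zero state"
    bits = [(seed >> k) & 1 for k in range(7)]      # a_0..a_6 come from the seed
    while len(bits) < n:
        bits.append(bits[-7] ^ bits[-6])             # a_{i+7} = a_i ^ a_{i+1}
    return bits[:n]


def lfsr7_period(seed: int = 1) -> int:
    """Period of the output sequence: 2^7 - 1 = 127 exactly when the polynomial
    is primitive, which is what makes every 7-bit window appear once per period."""
    bits = lfsr7_bits(seed, 7 + 128)
    first = bits[:7]
    for p in range(1, 129):
        if bits[p:p + 7] == first:
            return p
    raise AssertionError("a 7-bit LFSR must repeat within 128 steps")


def _to_int(bits: List[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def round_constants(num_rounds: int = NUM_ROUNDS, seed: int = 1) -> List[Tuple[int, int]]:
    """(rc0_i, rc1_i) per round from the window a_{8i}..a_{8i+7}:
    rc0 = first 7 bits, rc1 = bits 1..7 (one position further along)."""
    bits = lfsr7_bits(seed, 8 * num_rounds)
    out = []
    for i in range(num_rounds):
        window = bits[8 * i: 8 * i + 8]
        out.append((_to_int(window[:7]), _to_int(window[1:])))
    return out


def constants_are_distinct(rcs: List[Tuple[int, int]]) -> bool:
    """The property the talk cites against slide / invariant-subspace attacks:
    every round gets a different (rc0, rc1) tuple, and rc0 != rc1 within a round."""
    return len(set(rcs)) == len(rcs) and all(a != b for a, b in rcs)


if __name__ == "__main__":
    rcs = round_constants()
    print("LFSR period:", lfsr7_period())
    print("rounds:", len(rcs), "all tuples distinct:", constants_are_distinct(rcs))
```

Why the check passes under these assumptions: seven consecutive output bits of a Fibonacci LFSR are its internal state, and a maximal-length LFSR visits every non-zero 7-bit state exactly once per period of 127. The windows used for rc0 start at positions 8i mod 127, which are pairwise distinct for i < 127 because gcd(8, 127) = 1, so all 111 rc0 values (and hence all tuples) differ; rc0 and rc1 in the same round are consecutive states, which can only coincide if the LFSR had a fixed point, which a maximal-length LFSR does not.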
This selection of the number of rounds is based on our security analysis; mainly we focus on diffusion, algebraic degree, and differential and linear bounds, which we will see later. The overall criterion for our analysis is to show that the WAGE permutation cannot be distinguished from a random permutation with non-negligible probability. For the diffusion test we perform the full-bit diffusion test: we check how many rounds are needed so that each output state bit depends on all the input state bits. We find that WAGE achieves full-bit diffusion in 28 rounds in both the forward and backward directions, and hence 56 out of 111 rounds are sufficient against meet-in-the-middle attacks. For the algebraic degree, the utilized S-boxes WGP and SB are both of degree 6, and the way we chose the linear layer of WAGE brings more confusion and diffusion; thus 111 rounds are sufficient against algebraic attacks, because there is a huge growth in the algebraic degree due to the primitive feedback polynomial and the partial word-wise XORs. Coming to the differential and linear bounds of the WAGE permutation: the WGP S-box has a differential probability of 2^-4.4 and a linear square correlation of 2^-5.08, and the values for the SB S-box are similar. We modeled the differential and linear behavior of WAGE using mixed integer programming and considered two cases. For case one we put no constraints on the positions of the input and output differences; that is, the adversary can inject differences at any positions in the state and can observe the output at any position. For case two we restrict the input and output differences to the rate positions only. This case covers the situation when WAGE is used in an authenticated encryption mode. We list the upper bounds on the maximum expected differential characteristic probability (MEDCP) and the maximum expected linear characteristic square correlation (MELCSC) of WAGE in this table.
If you look at case one, after 74 rounds we have 59 active S-boxes. This implies the MEDCP value of WAGE is 2^(-59 × 4), which is around 2^-236, and similarly we have the MELCSC value. For case two the bound gets even better; for example, we have 72 active S-boxes, and the values are around 2^-288 and 2^-365.7 for the differential and linear bounds respectively. Here we have taken 2^-4 as the maximum differential probability of the SB S-box and 2^-5.08 as the linear square correlation of the WGP S-box. We believe that better bounds are possible, but those may be much lower than these. Now we look into the WAGE authenticated encryption and the WG pseudorandom bit generator. The authenticated encryption scheme WAGE supports a 128-bit key, a 128-bit nonce and a 128-bit tag. It operates in the well-known sponge duplex mode, however with stronger keyed initialization and finalization phases. First we load the state with the nonce and the key, then apply one call of the WAGE permutation; then we absorb the key in blocks of 64 bits and apply the WAGE permutation again. This phase constitutes the initialization part of the WAGE authenticated encryption scheme. Next we absorb the associated data, again calling the WAGE permutation for each 64-bit block of associated data. However, we change the domain separator here from 00 to 01. For the encryption phase we absorb the message block: we take the 64-bit rate as the keystream, XOR it with the message to get the ciphertext, and the ciphertext goes into the state. We keep on doing this until all the message blocks are encrypted. Here we change the domain separator from 01 to 10. In the end we absorb the key blocks again and finally take the tag from 128 bits of the state.
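The mode just described (load nonce and key, permute, absorb the key again through the 64-bit rate, absorb associated data, encrypt by XOR with the rate while the ciphertext replaces the rate, then absorb the key once more and read a 128-bit tag, with a 2-bit domain separator changing per phase), as an added runnable example that is not the WAGE reference implementation. The permutation is a stand-in ARX bijection on a 256-bit state, because the real 259-bit WAGE permutation is not reproducible from the talk; everything else follows the description above. Assumed here, since the talk does not specify them: 10* padding of partial blocks, the capacity byte into which the domain separator is XORed, the separator value used during finalization, and that the tag is the first 128 bits of the state.

```python
"""Sponge-duplex AEAD in the shape of the WAGE mode described in the talk.

Added illustration, not the WAGE reference code. toy_permutation is a stand-in
256-bit bijection (WAGE's state is 259 bits); rate, key/nonce/tag sizes, keyed
initialization/finalization and the 2-bit domain separator follow the talk.
Assumed: 10* padding, separator position (last capacity byte), DS_FIN value,
tag = first 128 bits of the state.
"""
import hmac
from typing import List, Optional, Tuple

STATE_BYTES = 32                               # stand-in 256-bit state
RATE = 8                                       # 64-bit rate, as in WAGE
KEY_BYTES = NONCE_BYTES = TAG_BYTES = 16       # 128-bit key, nonce and tag
MASK64 = (1 << 64) - 1
DS_INIT, DS_AD, DS_MSG, DS_FIN = 0, 1, 2, 3    # assumed 2-bit domain-separator values


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def toy_permutation(state: bytes) -> bytes:
    """Stand-in permutation (NOT WAGE). Each step is invertible (modular add of a
    different word, XOR of a rotated other word, rotate then XOR a constant), so
    the whole thing is a bijection on 256-bit states, which is all the mode needs."""
    assert len(state) == STATE_BYTES
    w = [int.from_bytes(state[i:i + 8], "little") for i in range(0, STATE_BYTES, 8)]
    for rnd in range(12):
        for i in range(4):
            w[i] = (w[i] + w[(i + 1) % 4]) & MASK64
            w[(i + 2) % 4] ^= _rotl(w[i], 13 + 2 * i)
            w[(i + 3) % 4] = _rotl(w[(i + 3) % 4], 29) ^ (rnd * 4 + i + 1)
    return b"".join(x.to_bytes(8, "little") for x in w)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))        # truncates to the shorter input


def _pad(block: bytes) -> bytes:
    """10* padding of a partial rate block (assumed)."""
    assert len(block) < RATE
    return block + b"\x80" + b"\x00" * (RATE - len(block) - 1)


def _padded_blocks(data: bytes) -> List[bytes]:
    """Rate-sized blocks; the final block is always a padded partial one, so an
    input that is a multiple of the rate gets one extra padding block."""
    blocks = [data[i:i + RATE] for i in range(0, len(data), RATE)]
    if not blocks or len(blocks[-1]) == RATE:
        blocks.append(b"")
    blocks[-1] = _pad(blocks[-1])
    return blocks


def _duplex(state: bytes, block: bytes, ds: int) -> bytes:
    """One duplex call: XOR the block into the rate, the domain separator into
    the capacity (assumed: its last byte), then permute."""
    cap = bytearray(state[RATE:])
    cap[-1] ^= ds
    return toy_permutation(_xor(state[:RATE], block) + bytes(cap))


def _initialize(key: bytes, nonce: bytes) -> bytes:
    """Keyed initialization: load nonce || key, permute, then absorb the key
    again in 64-bit blocks through the rate, permuting after each."""
    assert len(key) == KEY_BYTES and len(nonce) == NONCE_BYTES
    state = toy_permutation(nonce + key)
    for i in range(0, KEY_BYTES, RATE):
        state = _duplex(state, key[i:i + RATE], DS_INIT)
    return state


def _finalize(state: bytes, key: bytes) -> bytes:
    """Keyed finalization: absorb the key blocks once more, then read the tag."""
    for i in range(0, KEY_BYTES, RATE):
        state = _duplex(state, key[i:i + RATE], DS_FIN)
    return state[:TAG_BYTES]


def encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    state = _initialize(key, nonce)
    for blk in _padded_blocks(ad):
        state = _duplex(state, blk, DS_AD)
    ct = bytearray()
    for blk in _padded_blocks(msg):
        # The rate is the keystream; XOR-ing the (padded) message block into it
        # yields the ciphertext and leaves that ciphertext in the rate.
        ct += _xor(state[:RATE], blk)
        state = _duplex(state, blk, DS_MSG)
    return bytes(ct[:len(msg)]), _finalize(state, key)


def decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Plaintext on success, None if the tag fails; nothing is released before the check."""
    state = _initialize(key, nonce)
    for blk in _padded_blocks(ad):
        state = _duplex(state, blk, DS_AD)
    pt = bytearray()
    for idx in range(len(ct) // RATE + 1):           # same block count as encryption
        chunk = ct[idx * RATE:(idx + 1) * RATE]
        m = _xor(state[:RATE], chunk)
        pt += m
        blk = m if len(m) == RATE else _pad(m)       # re-create what the encryptor absorbed
        state = _duplex(state, blk, DS_MSG)
    if not hmac.compare_digest(_finalize(state, key), tag):
        return None
    return bytes(pt)
```

The separator is XORed before every permutation call, including the initialization and finalization ones, so the same `_duplex` routine serves every phase and the per-phase value is the only thing that changes; this is the uniformity the talk attributes to the 2-bit separator. Note that the keyed finalization means an attacker who learns the full state after encryption still cannot forge a tag without the key, which is the extra guarantee the talk cites over a plain sponge.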
Note that we are using only two bits for the domain separator, which is minimal, and the circuit is uniform because the domain separator runs uniformly from the initialization phase to the tag generation phase. Coming to our security claims: all our security claims are in the nonce-respecting setting, and in that scenario WAGE offers confidentiality, integrity and authenticity of 128 bits, and for one key the amount of data which can be processed by WAGE is 2^64 bits. In addition, WAGE offers strong guarantees in the related-key setting because of the way the key blocks are absorbed into the state via the rate positions. For instance, if an adversary puts a key difference in the state part at the beginning of the initialization phase, then he has no control over the key block in the next part of the initialization phase. For example, if he inserts a difference in K0 here, then he has to insert the same difference again in the rate positions, and further, in the tag extraction process, the same difference will go in as well. This means the input difference will pass through at least five calls of the permutation, which makes the differential and linear bounds very low. Now coming to the pseudorandom bit generator functionality. As we know, sponge constructions are multifunctional, so we can use the sponge mode to achieve pseudorandom bit generator functionality. The way we do it: we start with an initial seed in the state and we call the permutation again and again, and at each execution of the permutation we output the rate part of the state. In the case of WAGE we output 64 bits at a time; however, for generating those 64 bits we need to call the round function 111 times. In addition to this sponge-based PRBG we propose another pseudorandom bit generator which is much more efficient than the sponge PRBG, which we call the WG pseudorandom bit generator.
The overall idea is to nullify some components of the WAGE round function (the construction will be shown on the next slide) and then use the WG stream cipher over the finite field F_{2^7} to generate random bits. For the initialization phase we just call the WAGE round function for 74 rounds; then we generate each output bit in one clock cycle, so compared to 111 rounds, here we can generate each bit in one clock cycle. Obviously it has certain advantages: first, it has low power and energy consumption compared to the sponge PRBG; it has low latency; and it is an efficient source for generating random nonces, which are needed for authenticated encryption. This diagram shows a high-level overview of the construction of the WG PRBG from the WAGE round function. At the top we have the WAGE permutation round function with all the nonlinear S-boxes, the feedback polynomial and the intermediate diffusion layer. At the bottom we have the WG PRBG, where we nullify all the S-boxes starting from the SB S-box up to here, and we also nullify these XORs; in addition we add the trace function, and then we take the output as one bit in each clock cycle. That is one of the reasons why we have low power consumption: earlier you were performing nonlinear operations over six S-boxes, whereas in the WG PRBG you are performing a nonlinear operation over only one S-box, compared to six before. Now let's look into the hardware performance of WAGE. All the numbers in this table are taken from the round 2 submission documents, and we include only the numbers that are available. For example, in STMicro 65 nm WAGE has an area of 2900 GE, compared to Grain, which is much higher, and in STMicro 90 nm WAGE is also much lower than the other candidates.
For example, it is comparable to Ascon; however, the area of Ascon, as mentioned in its round 2 submission document, is for the serial version of Ascon, whereas for WAGE this is the round-based version. The only exception is TinyJAMBU-128, whose area is 1352 GE compared to WAGE. However, one should note that TinyJAMBU only offers 112-bit security, while the security level of WAGE is 128 bits. Similarly we have some results for the IBM 130 nm technology. So you can see that in most of the ASIC results the performance of WAGE is either comparable to or better than the other round 2 candidates. Even where it is comparable to SPIX and SpoC, for SPIX and SpoC the designers only provided the values for the encryption and decryption circuit, so the entire combinational logic is not included in their implementation. Finally, I would like to mention at this point that since the ASIC benchmarking results for most of the round 2 candidates are not available, it is a bit hard to compare the hardware performance of all the candidates. To conclude, we have proposed WAGE, a sponge-based authenticated encryption algorithm which is mainly designed for hardware and is tailored to hardware and other resource-constrained environments. The underlying permutation WAGE is simple and consists of a Galois nonlinear feedback shift register; it has two S-boxes, the Welch-Gong permutation and the SB S-box. The linear layer consists of a primitive feedback polynomial and partial word-wise XORs. We discussed its security, and it offers good security margins as well as good hardware efficiency. We also saw how to configure the WAGE permutation into a WG-based pseudorandom bit generator which is much more efficient than the sponge-based PRBG. So thanks a lot for listening to the talk. The full paper is available at ToSC and on ePrint, and if you have any questions, comments or suggestions you can email any of the authors.
Finally, special thanks to TikZ for Cryptographers for the diagrams. Thanks a lot.