DryGASCON is an AEAD and hash algorithm submitted to the NIST Lightweight Cryptography competition.
The official specification is hosted by NIST. Status update.
This repository contains several hardware and software implementations. Other implementations can also be found in other repositories:
- DryGASCON128k32 optimized for ARM Cortex-M.
- Rhys Weatherley's pure C and AVR implementations support AEAD and hash.
- Ekawat 'Ice' Homsirikamol's VHDL / Verilog implementation supports AEAD and hash and follows the LWC hardware API.
This repository contains:
- updated files compared to the official submission
- additional files such as build scripts and presentations
Python3 package:
- read the docs page: how to use it in your Python code
- pypi page: examples of use from the command line
Benchmark of software implementations:
Benchmarks on hardware implementations:
The following papers mention DryGASCON:
- distinguishers-for-reduced-round-ascon-drygascon-shamash-lwc2019
- Mode-Level vs. Implementation-Level Physical Security in Symmetric Cryptography A Practical Guide Through the Leakage-Resistance Jungle
As the DryGASCON core permutation is closely related to ASCON, much of the cryptanalysis work done on ASCON can be adapted to DryGASCON. All it takes is a reordering of the bits and a change of a few constants.
Cryptanalysis Challenge:
- DryGASCON-128 F function: how many rounds of the G function can you break?
- DryGASCON-256 F function: same as above
As DryGASCON is not readily analyzable with classical cryptanalysis tools, the challenges above may require developing entirely new tools.
Classical Cryptanalysis Challenges:
- DryGASCON-128 G function: assuming you can XOR a 128-bit input value with the 128 LSBs of C, how many rounds can you break by observing R?
- DryGASCON-256 G function: same as above
- DryGASCON-128 F function, under the assumption that "X" is known to the attacker
- Write up a strategy to mount a side-channel attack allowing key recovery on DryGASCON.
- Perform a side-channel attack on the FPGA project and recover the full key.
From the Implementations folder, launch the following command:
./all build
This creates several executables in the bin folder.
From the Implementations folder, launch the following command:
./all kat
The following command checks consistency between the ref and le32 C implementations:
./all kat_check
From the drygasconv1_python3 folder, launch the following command:
./check_all
The Python implementation supports a "verbosity" level, which is an integer from 0 to 5:
$ ./drygascon128_hash "" 0
1EDC77386E20A37C721D6E77ADABB9C4830F199F5ED25284A13C1D84B9FC257A
$ ./drygascon128_hash "" 2
Hashing 0 bytes message:
Padded Message: 01000000000000000000000000000000
F/G entry 0 (F with DS): padded=1, domain=2, finalize=1
C[ 0] = 243F6A8885A308D313198A2E03707344243F6A8885A308D313198A2E03707344
C[ 1] = 243F6A8885A308D3
X[ 0] = A4093822299F31D0082EFA98EC4E6C89
R = 00000000000000000000000000000000
I = 01000000000000000000000000000000
F/G entry 1 (G):
C[ 0] = 5A6181623A46FA76D9D2B88D7071294CE76EC1D45CACEAC442098C4E488A1544
C[ 1] = F93362EBACB4DCC4
X[ 0] = A4093822299F31D0082EFA98EC4E6C89
R = 1EDC77386E20A37C721D6E77ADABB9C4
Final state:
C[ 0] = 836EBE0D38DC2CFA8DAC5422568C2448413A8871431D60C43E04300BB55C4B70
C[ 1] = 2B1A3852D5A568AA
X[ 0] = A4093822299F31D0082EFA98EC4E6C89
R = 830F199F5ED25284A13C1D84B9FC257A
Digest: 1EDC77386E20A37C721D6E77ADABB9C4830F199F5ED25284A13C1D84B9FC257A