KNOT: Algorithm Specifications and Supporting Document

Notation Meaning y ∥ x Concatenation of two bitstrings x and y 0 All-zero bitstring of length l |x| Length in bits of the bitstring x x⊕ y XOR of bitstrings x and y xm−1 ∥ · · · ∥ x1 ∥ x0 x0 is the least significant bit (or block), xm−1 is the most significant bit(or block). ⌊x⌋l Truncation of bitstring x to its first (least significant) l bits ⌈x⌉l Truncation of bitstring x to its last (most significant) l bits {0, 1} The set of bit strings of length k {0, 1}∗ The set of bit strings of all lengths S A b-bit state of the Sponge/Duplex construction Sr, Sc The r-bit rate and c-bit capacity part of a state S nr (or nr0, nrf , nrh) The number of rounds for an underlying permutation pb A round transformation with a width of b bits pb[nr] A permutation consisting of nr-round pb KNOT-AEAD(k, b, r) A KNOT AE member with k-bit key, b-bit state and r-bit rate KNOT-Hash(n, b, r, r′) A KNOT hash member with n-bit hash output, b-bit state, r-bit absorbing rate and r′-bit squeezing rate

[1]  Hongjun Wu,et al.  The Hash Function JH , 2009 .

[2]  Mitsuru Matsui,et al.  On the Power of Bitslice Implementation on Intel Core2 Processor , 2007, CHES.

[3]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[4]  Dongdai Lin,et al.  Bitsliced Implementations of the PRINCE, LED and RECTANGLE Block Ciphers on AVR 8-Bit Microcontrollers , 2015, ICICS.

[5]  Dongdai Lin,et al.  Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers , 2016, ASIACRYPT.

[6]  Florian Mendel,et al.  The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl , 2009, FSE.

[7]  Noen Given RECTANGLE : A Bit-slice Lightweight Block Cipher Suitable for Multiple Platforms , 2015 .

[8]  Yao Sun,et al.  Preimage Attacks on the Round-reduced Keccak with Cross-linear Structures , 2017, IACR Trans. Symmetric Cryptol..

[9]  Kan Yasuda,et al.  Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers , 2018, IACR Trans. Cryptogr. Hardw. Embed. Syst..

[10]  Eli Biham,et al.  Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials , 1999 .

[11]  Gregor Leander,et al.  On the Classification of 4 Bit S-Boxes , 2007, WAIFI.

[12]  Yosuke Todo,et al.  Structural Evaluation by Generalized Integral Property , 2015, EUROCRYPT.

[13]  Bart Preneel,et al.  The parazoa family: generalizing the sponge hash functions , 2012, International Journal of Information Security.

[14]  Mitsuru Matsui,et al.  On Correlation Between the Order of S-boxes and the Strength of DES , 1994, EUROCRYPT.

[15]  Meiqin Wang,et al.  Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT , 2009, CANS.

[16]  Vincent Rijmen,et al.  The Block Cipher Square , 1997, FSE.

[17]  Dongdai Lin,et al.  Speeding Up the Search Algorithm for the Best Differential and Best Linear Trails , 2014, Inscrypt.

[18]  Andrey Bogdanov,et al.  spongent: A Lightweight Hash Function , 2011, CHES.

[19]  Ross Anderson,et al.  Serpent: A Proposal for the Advanced Encryption Standard , 1998 .

[20]  Tsuyoshi Takagi,et al.  Cryptographic Hardware and Embedded Systems – CHES 2016 , 2016, Lecture Notes in Computer Science.

[21]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[22]  G. V. Assche,et al.  Permutation-based encryption , authentication and authenticated encryption , 2012 .

[23]  Eli Biham,et al.  A Fast New DES Implementation in Software , 1997, FSE.

[24]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[25]  François-Xavier Standaert,et al.  A Statistical Saturation Attack against the Block Cipher PRESENT , 2009, CT-RSA.

[26]  Josef Pieprzyk,et al.  Cryptanalysis of Block Ciphers with Overdefined Systems of Equations , 2002, ASIACRYPT.

[27]  Thomas Peyrin,et al.  The PHOTON Family of Lightweight Hash Functions , 2011, IACR Cryptol. ePrint Arch..

[28]  Yu Sasaki,et al.  Beyond Conventional Security in Sponge-Based Authenticated Encryption Modes , 2018, Journal of Cryptology.

[29]  Vincent Rijmen,et al.  A New Classification of 4-bit Optimal S-boxes and Its Application to PRESENT, RECTANGLE and SPONGENT , 2015, FSE.

[30]  David A. Wagner,et al.  Integral Cryptanalysis , 2002, FSE.

[31]  Vincent Rijmen,et al.  Threshold Implementations of all 3x3 and 4x4 S-boxes , 2012, IACR Cryptol. ePrint Arch..