
ISO/IEC JTC 1/SC 27 N 20359, ISO/IEC NP 18033-7 Information technology - Security techniques - Encryption algorithms - Part 7: Tweakable block ciphers

Scope

This part of ISO/IEC 18033 specifies two tweakable block ciphers:

- Deoxys-BC: a tweakable block cipher with a block size of 128 bits and a tweakey size of 256 or 384 bits;
- Skinny: a tweakable block cipher with a block size / tweakey size of 64/128 or 64/192 or 128/128 or 128/256 or 128/394 bits.

Purpose

Pervasive computing has become an important market and is expected to continue growing due to increasing consumer demand for smart devices. More generally, many use cases (IoT, RFID, embedded systems, etc.) require some information security while having very constrained computing capabilities (area, power, energy, latency, ...), for which classical cryptographic primitives are often not well suited. Lightweight cryptography was introduced to fill this gap, but 64-bit block ciphers such as PRESENT (ISO/IEC 29192) are difficult to use in the usual operating modes, due to birthday-type attacks [Bhargavan-Leurent:ACM-CCS2016]. A tweakable block cipher is a very useful primitive that can avoid these birthday attacks trivially with very simple operating modes. More generally, such tweakable block cipher-based modes will guarantee full n-bit security, in contrast to most classical operating modes, whose security drops completely after processing 2^(n/2) data. Tweakable block ciphers have already been used in industry in several important use cases (format-preserving encryption for banking, disk encryption, ...).
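The birthday-type leak in a classical mode, shown on a scaled-down cipher so that the 2^(n/2) bound is reached after a few hundred blocks (an added example, not part of the proposal text). The 16-bit Feistel cipher, key, IV and plaintext are constructed for illustration; only the CBC case is shown, not a tweakable mode.

```python
import hashlib

BLOCK_BITS = 16                     # toy block size n; birthday bound 2^(n/2) = 256 blocks
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1

def toy_encrypt(key, block):
    """4-round Feistel permutation on 16 bits (constructed for this demo, not a real cipher)."""
    left, right = block >> HALF, block & MASK
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << HALF) | right

def cbc_encrypt(key, iv, plaintext):
    """Textbook CBC: c_i = E_K(p_i XOR c_{i-1}), with c_{-1} = IV."""
    out, prev = [], iv
    for p in plaintext:
        prev = toy_encrypt(key, p ^ prev)
        out.append(prev)
    return out

def first_collision(ciphertext):
    """Indices (i, j), i < j, of the first repeated ciphertext block, or None."""
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None

def leaked_xor(iv, ciphertext, i, j):
    """What c_i == c_j reveals without the key: p_i XOR p_j = c_{i-1} XOR c_{j-1}."""
    chain = [iv] + ciphertext       # chain[k] is the block that precedes ciphertext[k]
    return chain[i] ^ chain[j]

def demo():
    key, iv = b"constructed demo key", 0x1234
    # Constructed plaintext: 2^16 + 1 blocks, so a repeated block is guaranteed (pigeonhole).
    plaintext = [(i * 40503) & 0xFFFF for i in range(2**BLOCK_BITS + 1)]
    ciphertext = cbc_encrypt(key, iv, plaintext)
    i, j = first_collision(ciphertext)
    return i, j, plaintext[i] ^ plaintext[j], leaked_xor(iv, ciphertext, i, j)

if __name__ == "__main__":
    i, j, true_xor, leaked = demo()
    print(f"blocks {i} and {j} collide; p_i^p_j = {true_xor:#06x}, leaked = {leaked:#06x}")
```

The same relation holds for any block size n; a larger block only pushes the expected first collision out to around 2^(n/2) blocks, which is why 64-bit ciphers in such modes need strict per-key data limits.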

Deoxys-BC is a tweakable block cipher that is the main component of Deoxys-II, winner of the CAESAR competition for authenticated encryption. It has been thoroughly analyzed by the community during several years of the competition and remains unbroken with a comfortable security margin. Its performance is very close to that of AES-128, while allowing an extra tweak input that can be used in these advanced modes. In particular, the so-called nonce-misuse resistance security notion can be achieved very easily when an extra tweak input is available. This is especially important when a user can't guarantee the entropy of its nonce (most authenticated encryption modes are broken if the nonce is repeated even just once).

Skinny is a lightweight tweakable block cipher, published at CRYPTO 2016. It has been scrutinized by many third parties, with more than 20 publications in top venues analyzing its security (https://sites.google.com/site/skinnycipher/security), motivated by the organization of several cryptanalysis competitions. Its security remains very strong, with about half of the rounds as security margin. Yet, performance-wise, Skinny is among the most efficient lightweight primitives. It has been used as the main component in 4 submissions to the recent NIST lightweight cryptography competition.

There is currently no standard tweakable block cipher, even though this primitive would offer very efficient, simple and secure cryptographic solutions. Therefore, SC 27/WG 2 decided the following in its meeting held in Paris, France, 17th November. Subdivision: Start of a new work item proposal to include Skinny and Deoxys-BC in ISO/IEC 18033 (18033-7).
