Chaskey is a very efficient MAC algorithm for microcontrollers (paper, slides, source code). It is intended for applications that require 128-bit security, yet cannot implement standard MAC algorithms (such as HMAC, CMAC or UMAC) because of stringent requirements on speed, energy consumption or code size. Chaskey is ARX-based cryptography, as it uses only three operations: addition, rotation, and XOR.

The Chaskey-12 variant is standardized in ISO/IEC 29192-6. A Chaskey-12 reference implementation with test vectors is available.

We are very grateful for the large amount of external cryptanalysis and implementation results since Chaskey was introduced at the SAC 2014 conference. However, to keep this page concise, we provide only a list of features and a description of Chaskey.

Features

Chaskey is fast. On an ARM Cortex-M4, Chaskey runs at 7.0 cycles/byte, compared to 89.4 cycles/byte for AES-128-CMAC. As there is roughly a linear relation between the number of cycles and energy consumption, Chaskey is an order of magnitude more energy-efficient as well.

Chaskey is provably secure. Chaskey is proven to be secure in the standard model, based on the security of an underlying Even-Mansour block cipher. The best generic attacks on Chaskey require about D=264 message blocks for an internal collision, about T=2128/D permutation evaluations for a key recovery attack, or about 2t guesses for a tag guessing attack, where t is the tag length in bits.

Chaskey resists cryptanalysis. Chaskey uses a reduced-word-size variant of the SipHash round function. SipHash-2-4 is very widely used: in FreeBSD, Perl, Python,… We analyzed Chaskey against a wide variety of cryptanalytical attacks, including differential cryptanalysis, truncated differential cryptanalysis, meet-in-the-middle attacks, rotational cryptanalysis, and slide attacks.

…including external cryptanalysis. The first external cryptanalysis of Chaskey was presented by Gaëtan Leurent (Inria, France) at ESC 2015 (paper, slides). He demonstrated a practically verified attack on 6 rounds with D=225 and T=229, and sketched an attack on 7 rounds with D=245–248. Because of the novel techniques used in his attack (differential-linear cryptanalysis together with state-of-the-art improvements), we expect a large academic interest in Chaskey in the near future. Nevertheless, we are confident that the full 8-round Chaskey will remain unbroken.

Chaskey is small. On an ARM Cortex-M4, Chaskey can be implemented in 402 bytes of ROM. This is about ten times smaller than the smallest available AES-128-ECB implementation on this platform.

Chaskey is flexible. Chaskey has been designed to perform well on a wide range of 8-bit, 16-bit and 32-bit microcontrollers. Short tags are supported: the best attack in this case is tag guessing. Furthermore, Chaskey does not require nonce values, and is secure against timing attacks on all platforms.

Chaskey is free. Chaskey is patent-free and its source code is available without restrictions on its use: click to download a portable, a speed-optimized, a size-optimized or an 8-bit Chaskey reference implementation in C. Björn Haase wrote an optimized implementation for the ARM Cortex-M0, which reaches 9.77 cycles/byte for 128-byte messages. We thank Damian Gryski for a Chaskey implementation in Go, Bart Mennink for a Chaskey implementation in Python, and Pavel Werl for a  Chaskey implementation in C#. Of course there is also a Chaskey implementation in Rust, written by sacundim.

Description

A brief description of Chaskey is given below. For more details, see the full paper: ePrint 2014/386.

Chaskey takes a message m, and splits it into message blocks m1, m2, …, m, of 128 bits each. It also takes a 128-bit key K, from which two 128-bit subkeys K1 and K2 are derived, each using a 128-bit shift and a 128-bit conditional XOR.

Let rightt denote the truncation of a 128-bit value to t bits. If the last message block m is complete, Chaskey iterates a permutation π as follows:

Chaskey (complete last message block)

If the last message block m is incomplete, Chaskey is defined as follows:

Chaskey (fractional last message block)

The permutation π used in Chaskey-12 consists of twelve applications of the following round function:

Chaskey permutation (one round)

Note that π is definitely not an ideal permutation. For example, it is easy to find a fixed point: π(0)=0. However, one of the main innovations of Chaskey is to wrap π inside an Even-Mansour block cipher, in order to overcome a wide variety of distinguishing attacks on π. Another major innovation of Chaskey is to minimize the number of program variables, which significantly reduces register pressure.