Chaskey is a lightweight PRF algorithm. It is patent-free and ISO-standardized.

Chaskey is currently deployed in commercial products by almost all large Tier 1 automotive suppliers and in major industrial control systems.

Chaskey can be used to cryptographically ensure message integrity (as a MAC), to authenticate users (in challenge-response protocols), and to generate random numbers (in counter mode).

Since Chaskey was presented at SAC 2014 (paper, slides, source code), it has been cited in about 300 papers. Chaskey is ARX-based cryptography, as it uses only three operations: addition, rotation, and XOR. The 12-round variant is standardized in ISO/IEC 29192-6.

Chaskey is fast

Chaskey is up to 2.1x faster than Simon and Speck, and up to 8.3x faster than AES:

AVR (8-bit)MSP (16-bit)ARM (32-bit)
Chaskey21,349 19,0588,740
Speck45,68637,85017,084
Simon67,40453,11223,404
AES58,97387,85072,828
Execution time in cycles in Scenario 1 of the FELICS project

Note: Chaskey has a 128-bit block size, and therefore offers a much higher level of security than Simon and Speck (64-bit block size).

Chaskey is energy-efficient

Chaskey uses up to 13x less energy than Simon and Speck, and 52x less energy than AES:

Energy (nJ/byte)
Chaskey19.8
Speck252
Simon604
AES1,031
Energy consumption (Patrick and Schaumont)

Chaskey is compact

The Chaskey block cipher can be implemented in just a few lines of C code:

#include <stdint.h>
#define ROTL(x,b) (uint32_t)( ((x) >> (32 - (b))) | ( (x) << (b)) )

void encrypt(uint32_t v[4], uint32_t key[4]) {
   int i;
   for (i=0; i<4; i++) v[i] ^= key[i];
   for (i=0; i<8; i++) {
     v[0] += v[1]; v[1]=ROTL(v[1], 5); v[1] ^= v[0]; v[0]=ROTL(v[0],16);
     v[2] += v[3]; v[3]=ROTL(v[3], 8); v[3] ^= v[2];
     v[0] += v[3]; v[3]=ROTL(v[3],13); v[3] ^= v[0];
     v[2] += v[1]; v[1]=ROTL(v[1], 7); v[1] ^= v[2]; v[2]=ROTL(v[2],16);
   }
   for (i=0; i<4; i++) v[i] ^= key[i];
}

Chaskey is secure

After more than a decade of third-party cryptanalysis, the originally proposed 8-round Chaskey remains unbroken. Therefore, the 12-round ISO-standardized variant has a very comfortable security margin.