**Chaskey is a very efficient MAC algorithm for microcontrollers** (paper, slides, source code). It is intended for applications that require 128-bit security, yet cannot implement standard MAC algorithms (such as HMAC, CMAC or UMAC) because of stringent requirements on **speed**, **energy consumption** or **code size**. Chaskey is **ARX-based cryptography**, as it uses only three operations: addition, rotation, and XOR.

The **Chaskey-12** variant is standardized in ISO/IEC 29192-6. A Chaskey-12 reference implementation with test vectors is available.

We are very grateful for the large amount of external cryptanalysis and implementation results since Chaskey was introduced at the SAC 2014 conference. However, to keep this page concise, we provide only a list of features and a description of Chaskey.

**Contents**

#### Features

**Chaskey is fast.** On an ARM Cortex-M4, Chaskey runs at **7.0 cycles/byte**, compared to 89.4 cycles/byte for AES-128-CMAC. As there is roughly a linear relation between the number of cycles and energy consumption, Chaskey is an order of magnitude more energy-efficient as well.

**Chaskey is provably secure.** Chaskey is proven to be secure in the standard model, based on the security of an underlying Even-Mansour block cipher. The best generic attacks on Chaskey require about ** D=2^{64} message blocks** for an internal collision, about

**for a key recovery attack, or about**

*T=2*permutation evaluations^{128}/D**for a tag guessing attack, where**

*2*guesses^{t}*t*is the tag length in bits.

**Chaskey resists cryptanalysis.** Chaskey uses a reduced-word-size variant of the SipHash round function. **SipHash-2-4 is very widely used**: in FreeBSD, Perl, Python,… We analyzed Chaskey against a wide **variety of cryptanalytical attacks**, including differential cryptanalysis, truncated differential cryptanalysis, meet-in-the-middle attacks, rotational cryptanalysis, and slide attacks.

**…including external cryptanalysis.** The first external cryptanalysis of Chaskey was presented by Gaëtan Leurent (Inria, France) at ESC 2015 (paper, slides). He demonstrated a practically verified attack on 6 rounds with *D=2 ^{25}* and

*T=2*, and sketched an attack on 7 rounds with

^{29}*D=2*. Because of the novel techniques used in his attack (differential-linear cryptanalysis together with state-of-the-art improvements), we expect a large academic interest in Chaskey in the near future. Nevertheless, we are confident that the full 8-round Chaskey will remain unbroken.

^{45}–2^{48}**Chaskey is small.** On an ARM Cortex-M4, Chaskey can be implemented in **402 bytes of ROM**. This is about ten times smaller than the smallest available AES-128-ECB implementation on this platform.

**Chaskey is flexible.** Chaskey has been designed to perform well on a **wide range** of 8-bit, 16-bit and 32-bit microcontrollers. **Short tags are supported**: the best attack in this case is tag guessing. Furthermore, Chaskey does **not require nonce values**, and is **secure against timing attacks** on all platforms.

**Chaskey is free.** Chaskey is **patent-free** and its **source code is available** without restrictions on its use: click to download a portable, a speed-optimized, a size-optimized or an 8-bit Chaskey reference implementation in C. Björn Haase wrote an optimized implementation for the ARM Cortex-M0, which reaches 9.77 cycles/byte for 128-byte messages. We thank Damian Gryski for a Chaskey implementation in Go, Bart Mennink for a Chaskey implementation in Python, and Pavel Werl for a Chaskey implementation in C#. Of course there is also a Chaskey implementation in Rust, written by sacundim.

#### Description

**A brief description of Chaskey is given below.** For more details, see the full paper: ePrint 2014/386.

Chaskey takes a message *m*, and splits it into *ℓ* message blocks *m _{1}*,

*m*, …,

_{2}*m*, of 128 bits each. It also takes a 128-bit key

_{ℓ}*K*, from which two 128-bit subkeys

*K*and

_{1}*K*are derived, each using a 128-bit shift and a 128-bit conditional XOR.

_{2}Let right* _{t}* denote the truncation of a 128-bit value to

*t*bits. If the last message block

*m*is complete, Chaskey iterates a permutation

_{ℓ}*π*as follows:

If the last message block *m _{ℓ}* is incomplete, Chaskey is defined as follows:

The permutation *π* used in Chaskey-12 consists of twelve applications of the following round function:

Note that *π* is definitely not an ideal permutation. For example, it is easy to find a fixed point: *π*(0)=0. However, one of the main innovations of Chaskey is to wrap *π* inside an Even-Mansour block cipher, in order to overcome a wide variety of distinguishing attacks on *π*. Another major innovation of Chaskey is to minimize the number of program variables, which significantly reduces register pressure.