Chaskey is a lightweight PRF algorithm. It is patent-free and ISO-standardized.
Chaskey is currently deployed in commercial products by Tier 1 automotive suppliers and in major industrial control systems.
Chaskey can be used to cryptographically ensure message integrity (as a MAC), to authenticate users (in challenge-response protocols), and to generate random numbers (in counter mode).
Since Chaskey was presented at SAC 2014 (paper, slides, source code), it has been cited in over 200 papers. Chaskey is ARX-based cryptography, as it uses only three operations: addition, rotation, and XOR. The 12-round variant is standardized in ISO/IEC 29192-6.
Chaskey is fast
Chaskey is up to 2.1x faster than Simon and Speck, and up to 8.3x faster than AES:
| AVR (8-bit) | MSP (16-bit) | ARM (32-bit) | |
|---|---|---|---|
| Chaskey | 21,349 | 19,058 | 8,740 |
| Speck | 45,686 | 37,850 | 17,084 |
| Simon | 67,404 | 53,112 | 23,404 |
| AES | 58,973 | 87,850 | 72,828 |
Note: Chaskey has a 128-bit block size, and therefore offers a much higher level of security than Simon and Speck (64-bit block size).
Chaskey is energy-efficient
Chaskey uses up to 13x less energy than Simon and Speck, and 52x less energy than AES:
| Energy (nJ/byte) | |
|---|---|
| Chaskey | 19.8 |
| Speck | 252 |
| Simon | 604 |
| AES | 1,031 |
Chaskey is compact
The Chaskey block cipher can be implemented in just a few lines of C code:
#include <stdint.h>
#define ROTL(x,b) (uint32_t)( ((x) >> (32 - (b))) | ( (x) << (b)) )
void encrypt(uint32_t v[4], uint32_t key[4]) {
int i;
for (i=0; i<4; i++) v[i] ^= key[i];
for (i=0; i<8; i++) {
v[0] += v[1]; v[1]=ROTL(v[1], 5); v[1] ^= v[0]; v[0]=ROTL(v[0],16);
v[2] += v[3]; v[3]=ROTL(v[3], 8); v[3] ^= v[2];
v[0] += v[3]; v[3]=ROTL(v[3],13); v[3] ^= v[0];
v[2] += v[1]; v[1]=ROTL(v[1], 7); v[1] ^= v[2]; v[2]=ROTL(v[2],16);
}
for (i=0; i<4; i++) v[i] ^= key[i];
}Chaskey is secure
After more than nine years of third-party cryptanalysis, the originally proposed 8-round Chaskey remains unbroken. Therefore, the 12-round ISO-standardized variant has a very comfortable security margin.