Home
Spook is an algorithm for authenticated encryption with associated data submitted to the NIST Lightweight Cryptography competition. It is primarily designed to support low-energy implementations, especially when protection against side-channel attacks is required. For this purpose, Spook mixes a leakage-resistant mode of operation with bitslice ciphers enabling efficient and low-latency implementations. The leakage-resistant mode of operation leverages a key derivation function to prevent differential side-channel analysis, a duplex sponge construction to efficiently process the data, and an authentication mechanism based on a tweakable block cipher providing strong data integrity guarantees even if the tag verification mechanism leaks. The underlying bitslice ciphers are optimized for masking countermeasures against side-channel attacks.
Spook is an efficient single-pass algorithm. It provides state-of-the-art black box security with several prominent features: (i) nonce misuse-resilience, (ii) beyond-birthday security with respect to the size of the tweakable block cipher, (iii) multi-user security at minimum cost with a public tweak.
The Spook v1 specifications are available here. The Spook v2 specifications are available here. A small errata for the L-box is available here.
News
- November 11, 2020. The presentation of our FSE 2020 paper Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher is now available on the IACR Youtube Channel.
- October 21, 2020. Presentation at the Lightweight Cryptography Workshop 2019: “Secure and Efficient Masking of Lightweight Ciphers in Software and Hardware” (slides).
- October 13, 2020. Our paper Unprotected and Masked Hardware Implementations of Spook v2 is accepted at SILC 2021. It confirms the excellent implementation features of Spook v2, especially when security against side-channel attacks is a concern (pdf file).
- September 18, 2020. The note describing the updates of Spook during the second round of the competition, requested by the NIST, is available here.
- September 16, 2020. The final results of the side-channel cryptanalysis challenge against masked implementations of Clyde (August 31 deadline) are public. We now have attacks against all the software targets. Note that the attack against the 8-share target slightly exceeds the running time constraints of the CTF. See the details and the code here. A short presentation of the results was given during the CHES 2020 rump session (starting at 41:45). We congratulate the winning team for their excellent results and thank all the participants for their efforts! Note that since the hardware part of the challenge remained untouched, it is extended and the first deadline for submitting new attacks against the hardware targets is December 1, 2020. Note also that it is still possible to submit software attacks to improve the state-of-the-art (but we will not distribute points/prizes for this one anymore).
- August 20, 2020. The presentation of our CRYPTO 2020 paper Mode-Level vs. Implementation-Level Physical Security in Symmetric Cryptography: A Practical Guide Through the Leakage-Resistance Jungle is now available on the IACR Youtube Channel.
- August 1, 2020. The second results of the side-channel cryptanalysis challenge against masked implementations of Clyde (July 24 deadline) are public. The attack against the 3-share software target has been significantly improved and two new attacks have also improved the state-of-the-art against the 4-share and 6-share software targets. See the details and the code here. We hope these new results will stimulate other attacks against the various targets. The next deadline is August 31.
- June 24, 2020. The first results of the side-channel cryptanalysis challenge against masked implementations of Clyde (June 17 deadline) are public. A single attack was submitted. It significantly improves the state-of-the-art for the 3-share software target. See the details and the code here. We hope this first result will stimulate other attacks against the various targets. The next deadline is July 24.
- June 20, 2020. Our paper Mode-Level vs. Implementation-Level Physical Security in Symmetric Cryptography: A Practical Guide Through the Leakage-Resistance Jungle is accepted to CRYPTO 2020. It discusses the combinations of mode-level and implementation-level physical security features that Spook (and other candidates) leverage, and extends the talk “Analyzing the Leakage-Resistance of some Round-2 Candidates of the NIST’s Lightweight Crypto Standardization Process” given during the Lightweight Crypto Workshop in November 2019 (pdf file).
- May 20, 2020. Clyde, the Tweakable Block Cipher (TBC) that is used in Spook (and has to be strongly protected against side-channel attacks if leveled implementations are considered), is the best-in-class for masked software implementations in the recent study of Belaid et al. on a compiler for masked bitslice implementations. See the related Eurocrypt 2020 paper and presentation (performance comparison starts at 18:35).
- May 11, 2020. The CHES 2020 Capture the Flag (CTF) is a side-channel cryptanalysis challenge against masked implementations of the Clyde-128 Tweakable Block Cipher (TBC), which is part of Spook. See the challenge website.
- March 15, 2020. Our paper Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher is accepted in the ToSC Special Issue on Designs for the NIST Lightweight Cryptography Standardisation Process. Besides the specifications and design rationale, it contains (i) first software and hardware implementation results of (unprotected) Spook, which confirm the limited overheads that the use of two primitives sharing internal components implies; (ii) a proof that the integrity of Spook with leakage, so far analyzed with unbounded leakages for the duplex sponge and a strongly protected TBC modeled as leak-free, can be proven with a much weaker unpredictability assumption for the TBC; (iii) a discussion of the external cryptanalysis results of Derbez et al. and tweaks to improve both the security margins and efficiency of Spook, the combination of which leads to Spook v2 (pdf file).
- March 1, 2020. First mathematical cryptanalysis challenge prize goes to Patrick Derbez, Paul Huynh, Virginie Lallemand, Leo Perrin, Maria Naya Plasencia and Andre Schrottenloher. Congratulations to them! Second mathematical cryptanalysis challenge launched (deadline: February 28, 2021).
- February 23, 2020. Our paper Towards Low-Energy Leakage-Resistant Authenticated Encryption from the Duplex Sponge Construction, which analyzes the TETSponge mode of operation on which Spook is based, is accepted at FSE 2020 (pdf file).
- December 6, 2019. Our paper Strong Authenticity with Leakage under Weak and Falsifiable Physical Assumptions, which describes how to prove authenticity with leakage under an unpredictability assumption rather than a leak-free (tweakable) block cipher, is accepted at InsCrypt 2019 (pdf file).
- November 5, 2019. Presentation at the Lightweight Cryptography Workshop 2019: “Analyzing the Leakage-Resistance of some Round-2 Candidates of the NIST’s Lightweight Crypto Standardization Process” (slides; presentation, starts at 7:03:00).
- October 1, 2019. First mathematical cryptanalysis challenge launched (deadline: February 29, 2020).
- August 30, 2019. Spook is selected as a second-round candidate of the NIST LWC standardization process.
- August 18, 2019. Our paper SpookChain: Chaining a Sponge-Based AEAD with Beyond-Birthday Security, which describes how to encrypt long messages with Spook, is accepted at SPACE 2019 (pdf file).
- July 3-4, 2019. Spook workshop in Louvain-la-Neuve (see slides under the resources tab).