About GAGE

GAGE
A family of sponge-based hash functions with states between 232 and 576 bits and rates of 8, 16, 32, 64 and 128 bits.

To be a lightweight crypto design, GAGE uses:
• very small 4-to-2 bits s-box;
• 2-bit round constants.

S-box in GAGE
Interleaved 4-to-2 bits s-boxes act as one huge s-box of (b+2)-to-b bits.

Flexible register size representation
GAGE operations can be represented as 2-bit, 4-bit, 8-bit, 16-bit, 32-bit, 64-bit or wide b-bit register operations, thus suitable for all types of MCUs and CPUs.

Nonlinear operations in GAGE
They can be represented as
• readings from very small 4-to-2 bits lookup tables
• register operations of SHIFT, XOR, AND and NOT.

Explicit description of its differential distribution tables
Its simple and systematic design offers a possibility to completely describe with explicit mathematical expressions the distribution and the values of the cells in the differential distribution table for the big (b+2)-to-b-bits s-box, regardless of the size of b.

Two types of protection techniques against side channel attacks
• Masking techniques for reading from look-up tables. The small size of the s-box enables higher order masking look-up tables;
• If implemented with register operations of SHIFT, XOR, AND and NOT, then the Boolean masking techniques used for Keccak can be used also for GAGE.

About InGAGE

InGAGE
Authenticated Encryption Cipher with Associated Data based on GAGE with states between 232 and 512 bits and rates of 8, 16, 32 and 64 bits.

To be a lightweight crypto design, InGAGE uses:
GAGE :-)

InGAGE is nonce respecting ciphe
but a nonce misuse will not result in a catastrophic key recovery.

InGAGE is multi-platform
It can run on different platforms (from 4-bit MCUs to latest 64-bit CPUs with 512-bit SIMD registers) depending on the purpose.

Resources

AVR Implementations

AVR Assembler for GAGE256c224r008 and GAGE256c224r032 (8 - 33 Bytes RAM, 218 - 478 Bytes ROM)

VHDL Implementations

Vivado project for GAGE256c224r008AllParallel (106MB) (402 LUTs, 516 Flip Flops and 0 RAM)

GAGE256c224r008AllParallel Core VHDL and Testbench (30KB)

Vivado project for GAGE256c224r008AllSequential (1,2MB) (226 LUTs, 120 Flip Flops and 0 RAM)

GAGE256c224r008AllSequential Core VHDL and Testbench (30KB)

First Round Documents

v1.03 version from 01 Aug 2019

v1.02 version from 28 May 2019

v1.01 version from 7 May 2019

v1.0 version from 26 March 2019

Changelog

Version v1.03

A typo in Step 3 of Algorithm 2 is now corrected. The for cycle now runs correctly to ROUNDS - 1. The previous wrong value was ROUNDS. Noticed and suggested by Mohamed El-Hadedy, during his FPGA implementation of GAGE.
Added a new Section 3.4 for reporting various hardware implementations.

Version v1.02

The squeezing pseudocode in Table 1.3 is now corrected by swapping rows 3 and 4 to match the submitted source C code and KAT values as noticed and suggested by Tolga Yalcin in [15].
Added a new reference [15].

Version v1.01

Web page http://gageingage.org now on the cover sheet.
The preimage column in Table 1.4 is now correctly computed as suggested by Bagheri and Sadeghi in [12] and also given in [8].
The integrity security values for b=232 and b=240 in Table 2.1 are corrected as suggested by Bagheri, Sadeghi and Niknam in [13].
Added a new sub-subsection in Section 2.3.2 titled "Forgeries when b - |T| < |T|"
Added three new references [8], [12] and [13].

Publications

On the S-box in GAGE and InGAGE, by Danilo Gligoroski
GAGE has only one nonlinear vector AND operation per round

Cryptanalysis

Preimage attack on GAGE variants
OFFICIAL Comment, lwc-forum@list.nist.gov, April 2019

GAGE and InGAGE