GAGE and InGAGE - Families of lightweight hash functions and authenticated ciphers
 GAGE and InGAGE - Families of lightweight hash functions and authenticated ciphers

GAGE and InGAGE

First round candidates for the NIST Lightweight crypto standardization process

The newest document version:  GAGEandInGAGEv1.03.pdf
(version from 01 Aug 2019)

Current reference implementation:  source code

About  GAGE

 
GAGE
A family of sponge-based hash functions with states between 232 and 576 bits and rates of 8, 16, 32, 64 and 128 bits.
To be a lightweight crypto design, GAGE uses:
very small 4-to-2 bits s-box;
2-bit round constants.
S-box in GAGE
Interleaved 4-to-2 bits s-boxes act as one huge s-box of (b+2)-to-b bits.
Flexible register size representation
GAGE operations can be represented as 2-bit, 4-bit, 8-bit, 16-bit, 32-bit, 64-bit or wide b-bit register operations, thus suitable for all types of MCUs and CPUs.
Nonlinear operations in GAGE
They can be represented as
readings from very small 4-to-2 bits lookup tables
register operations of SHIFT, XOR, AND and NOT.
Explicit description of its differential distribution tables
Its simple and systematic design offers a possibility to completely describe with explicit mathematical expressions the distribution and the values of the cells in the differential distribution table for the big (b+2)-to-b-bits s-box, regardless of the size of b.
Two types of protection techniques against side channel attacks
Masking techniques for reading from look-up tables. The small size of the s-box enables higher order masking look-up tables;
If implemented with register operations of SHIFT, XOR, AND and NOT, then the Boolean masking techniques used for Keccak can be used also for GAGE.

About  InGAGE

 
InGAGE
Authenticated Encryption Cipher with Associated Data based on GAGE with states between 232 and 512 bits and rates of 8, 16, 32 and 64 bits.
To be a lightweight crypto design, InGAGE uses:
GAGE :-)
InGAGE is nonce respecting ciphe
but a nonce misuse will not result in a catastrophic key recovery.
InGAGE is multi-platform
It can run on different platforms (from 4-bit MCUs to latest 64-bit CPUs with 512-bit SIMD registers) depending on the purpose.  

Resources

 

VHDL Implementations

 

 Vivado project for GAGE256c224r008AllParallel (106MB)

 GAGE256c224r008AllParallel Core VHDL and Testbench (30KB)

First Round Documents

 

 v1.03 version from 01 Aug 2019

 v1.02 version from 28 May 2019

 v1.01 version from 7 May 2019

 v1.0 version from 26 March 2019

Changelog

 

Version v1.03

  1. A typo in Step 3 of Algorithm 2 is now corrected. The for cycle now runs correctly to     ROUNDS - 1. The previous wrong value was ROUNDS. Noticed and suggested by Mohamed El-Hadedy, during his FPGA implementation of GAGE.
  2. Added a new Section 3.4 for reporting various hardware implementations.

Version v1.02

  1. The squeezing pseudocode in Table 1.3 is now corrected by swapping rows 3 and 4 to match the submitted source C code and KAT values as noticed and suggested by Tolga Yalcin in [15].
  2. Added a new reference [15].

Version v1.01

  1. Web page http://gageingage.org now on the cover sheet.
  2. The preimage column in Table 1.4 is now correctly computed as suggested by Bagheri and Sadeghi in [12] and also given in [8].
  3. The integrity security values for b=232 and b=240 in Table 2.1 are corrected as suggested by Bagheri, Sadeghi and Niknam in [13].
  4. Added a new sub-subsection in Section 2.3.2 titled "Forgeries when b - |T| < |T|"
  5. Added three new references [8], [12] and [13].

    Publications

     

     

    Cryptanalysis

     

    People

     Danilo Gligoroski, IIK, NTNU, Norway
     danilog(at)ntnu.no
     Hristina Mihajloska, FCSE, UKIM, Macedonia
     hristina.mihajloska(at)finki.ukim.mk
     Daniel Otte, RUB, Germany
     bg(at)nerilex.org
     Mohamed El-Hadedy, CPP, USA
     mealy(at)cpp.edu
    Made with Pingendo Free  Pingendo logo
    Made with Pingendo Free  Pingendo logo