Isap
Implementations
Isap is a mode for lightweight authenticated encryption
that was designed with a focus on robustness against implementation
attacks such as power analysis and fault attacks.
The mode is based on the well-studied Ascon-p and
Keccak-p[400] permutations.
Software Implementations
ISAP-Code-Package
[git]
We developed generic and platform-optimized implementations of all Isap instances
for various CPU architectures such as x64, ARMv6, and ARMv7. The codebase thus
covers high-performance scenarios like 64-bit CPUs, as well as more constrained devices
such as 32-bit ARM Cortex-A application processors and Cortex-M microprocessors, where
implementation security is often of particular interest.
Software performance of Isap instances in cycles/byte (X+0 encrypt), by message length in bytes

| Platform | Isap-A-128a, 64 B | Isap-A-128a, 1536 B | Isap-A-128a, long | Isap-K-128a, 64 B | Isap-K-128a, 1536 B | Isap-K-128a, long |
|---|---|---|---|---|---|---|
| AMD EPYC 7742 (x64)² | - | - | 18.94 | - | - | 47.05 |
| AMD Ryzen 7 1700 (x64)¹ | 85.7 | 24.5 | 21.9 | 295.0 | 64.1 | 54.3 |
| ARM Cortex-A53 (ARMv8-A)² | - | - | 41.5 | - | - | 162.0 |
| STM32F303 (ARMv7-M)¹ | 542.0 | 168.0 | 152.0 | 2135.0 | 415.0 | 338.0 |
| ARM Cortex-M4F (ARMv7-M)³ | 614.0 | - | - | 2164.6 | - | - |
| ATmega328P (AVR)³ | 450.0 | - | - | 543.0 | - | - |

¹ Taken from the ISAP Code Package.
² Taken from eBACS.
³ Taken from the NIST LWC benchmarks.
Hardware Implementations
ISAP-Hardware-Package
[git]
We developed generic HDL implementations of Isap-A-128a and Isap-K-128a. In the following, we present various benchmark results for FPGA and ASIC platforms.
FPGA metrics of Isap compared to the NIST standardized AES GCM mode. The
columns SCA and FI indicate if the designs offer some protection against side-channel / fault-injection attacks.

| Scheme | FPGA | Slices | SCA | FI | Throughput [cycles/byte] |
|---|---|---|---|---|---|
| AES GCM¹ | Artix-7 | 1008 | ✘ | ✘ | 0.68 |
| AES GCM¹ | Artix-7 | 810 | ✘ | ✘ | 2.06 |
| AES GCM TI² | Virtex-7 | 3433 | ✔ | ✘ | 11.82 |
| Isap-A-128a¹ | Artix-7 | 618 | ✔ | ✔ | 2.75 |
| Isap-K-128a¹ | Artix-7 | 655 | ✔ | ✔ | 2.33 |

¹ From [MHN+20].
² From [MMNV18], area without RNG.
ASIC metrics for Isap-A-128a and Isap-K-128a for AEAD (long+0 enc.) at 50 MHz as reported in [AZ21].

| Scheme | Interface | Cell Lib | Synthesizer∗ | Throughput [cycles/byte] | Area [kGE] |
|---|---|---|---|---|---|
| AES GCM | 32-bit | STM65nm | SDC + CE | 2.1 | 53.0 |
| AES GCM | 32-bit | STM65nm | CG + CI | 2.1 | 27.0 |
| AES GCM | 32-bit | TSMC65nm | SDC + CE | 2.1 | 25.8 |
| AES GCM | 32-bit | TSMC65nm | CG + CI | 2.1 | 26.2 |
| Isap-A-128a | 32-bit | STM65nm | SDC + CE | 3.2 | 17.2 |
| Isap-A-128a | 32-bit | STM65nm | CG + CI | 3.2 | 12.9 |
| Isap-A-128a | 32-bit | TSMC65nm | SDC + CE | 3.2 | 11.4 |
| Isap-A-128a | 32-bit | TSMC65nm | CG + CI | 3.2 | 12.0 |
| Isap-K-128a | 16-bit | STM65nm | SDC + CE | 2.3 | 19.6 |
| Isap-K-128a | 16-bit | STM65nm | CG + CI | 2.3 | 14.0 |
| Isap-K-128a | 16-bit | TSMC65nm | SDC + CE | 2.3 | 13.4 |
| Isap-K-128a | 16-bit | TSMC65nm | CG + CI | 2.3 | 13.0 |

∗ SDC = Synopsys Design Compiler vP-2019.03, CE = Cadence Encounter v14.13, CG = Cadence Genus v18.10, CI = Cadence Innovus v18.10.
Hardware Accelerators
RISC-V Ascon-p Accelerator
[paper, git]
A fast and compact accelerator design for Ascon and Isap that can perform AEAD/hashing with a performance of about 2 cycles/byte, or about 4 cycles/byte if protection against fault attacks and power analysis is desired.
This accelerator requires only 4.7 kGE, or about half the area of dedicated co-processor designs, and is easy to integrate into low-end embedded devices like 32-bit ARM Cortex-M or RISC-V microprocessors.
Runtime and code size comparison of ASM implementations of Ascon and Isap, with 1-round Ascon-p hardware acceleration on the RISC-V RI5CY core.

| Scheme | Cycles/Byte (64 B) | Cycles/Byte (1536 B) | Cycles/Byte (long) | Code Size [Bytes] |
|---|---|---|---|---|
| Ascon-128 | 4.2 | 2.2 | 2.1 | 888 |
| Ascon-Hash | 4.6 | 2.6 | 2.5 | 484 |
| Isap-A-128a | 29.1 | 5.2 | 4.2 | 1844 |
| Isap-A-128 | 73.6 | 7.7 | 5.0 | 2552 |