Fast Software Implementation of QUARK on a 32-Bit Architecture

Abstract

Secure applications for the Internet of Things (IoT) are constantly increasing and many of them require some lightweight cryptographic algorithms. Most lightweight cryptographic algorithms were not designed to be efficient in software platforms. As a result the throughput in software of these algorithms is low on recent IoT devices. In this paper we present optimization techniques for improving the software implementation of the QUARK functions. QUARK is a family of lightweight hash functions that is efficient in hardware but its design was not oriented for software platforms. We obtained a reduction on the number of binary operations required in each iteration of QUARK, and by computing in parallel some internal functions we achieved a further speed up. In addition, we also present the results of our optimized implementations of S-QUARK and D-QUARK on the 32-bit Intel Galileo platform.

The authors were partially supported by Intel Labs University Research Office.

The first author was partially supported by CNPq, Bolsista de Desenvolvimento Tecnológico em TICs do CNPq - Nível F.

The second author was partially supported by a research productivity scholarship from CNPq Brazil.

A QUARK Family

Here is presented the definition of the QUARK family and the functions p, f, g and h for each member of the family. The function p, used by L, is the same for all three instances: given a vector L, \(p(L) = L_0 \oplus L_3\).

• U-QUARK. It is the lightest flavor of QUARK. It was designed to provide a 136-bit hash value and has a security level of 64 bits. The functions f, g and h used in this instance are defined as follows.

• Function f : Given a 68-bit vector X, the function f returns 1 bit computed as:

  $$\begin{aligned} \begin{aligned} f(X) =&X_{0} \oplus ~X_{55} \oplus X_{14} \oplus X_{21} \oplus X_{28} \oplus X_{33} \oplus X_{37} \oplus X_{45} \oplus X_{50} \oplus X_{52} \\&\oplus X_{9}X_{28}X_{45}X_{59} \oplus X_{9} \oplus X_{33}X_{37}X_{52}X_{55} \oplus X_{21}X_{28}X_{33}X_{37}X_{45}X_{52} \\&\oplus X_{55}X_{59} \oplus X_{9}X_{15}X_{21}X_{28}X_{33} \oplus X_{45}X_{52}X_{55} \oplus X_{21}X_{28}X_{33} \\&\oplus X_{37}X_{45}X_{52}X_{55}X_{59} \oplus X_{15}X_{21}X_{55}X_{59} \oplus X_{9}X_{15} \oplus X_{33}X_{37}. \end{aligned} \end{aligned}$$

• Function g : Given a 68-bit vector Y, the function g returns 1 bit computed as:

  $$\begin{aligned} \begin{aligned} g(Y) =&~Y_{0} \oplus Y_{7} \oplus Y_{15} \oplus Y_{20} \oplus Y_{30} \oplus Y_{35} \oplus Y_{37} \oplus Y_{42} \oplus Y_{49} \oplus Y_{51} \\&\oplus Y_{7}Y_{30}Y_{42}Y_{58} \oplus Y_{35}Y_{37}Y_{51}Y_{54} \oplus Y_{7}Y_{16} \oplus Y_{20}Y_{30}Y_{35}Y_{37}Y_{42}Y_{51} \\&\oplus Y_{54}Y_{58} \oplus Y_{35}Y_{37} \oplus Y_{7}Y_{16}Y_{20}Y_{30}Y_{35} \oplus Y_{42}Y_{51}Y_{54} \oplus Y_{20}Y_{30}Y_{35} \\&\oplus Y_{54} \oplus Y_{37}Y_{42}Y_{51}Y_{54}Y_{58} \oplus Y_{16}Y_{20}Y_{54}Y_{58}. \end{aligned} \end{aligned}$$

• Function h : Given two 68-bit vectors X and Y and a constant vector L, the function h returns 1 bit computed as:

  $$\begin{aligned} \begin{aligned} h(X,Y,L) =&~L_{0} \oplus X_{1} \oplus Y_{2} \oplus X_{4} \oplus Y_{10} \oplus X_{25} \oplus X_{31} \oplus Y_{43} \oplus X_{56} \oplus Y_{59} \\&\oplus Y_{3}X_{55} \oplus X_{46}X_{55} \oplus X_{55}Y_{59} \oplus Y_{3}X_{25}X_{46} \oplus Y_{3}X_{46}X_{55} \\&\oplus Y_{3}X_{46}Y_{59} \oplus L_{0}X_{25}X_{46}Y_{59} \oplus L_{0}X_{25}. \end{aligned} \end{aligned}$$

• D-QUARK. D-QUARK is the intermediary version of the QUARK family. It provides a hash value of 160 bits and has 80 bits of security level. The functions f, g, and h, are defined below:

• Function f : Uses the same function f of U-QUARK, but with taps, 0, 11, 18, 19, 27, 36, 42, 47, 58, 64, 67, 71, 79 instead of 0, 9, 14, 15, 21, 28, 33, 37, 45, 50, 52, 55, 59, respectively.

• Function g : Uses the same function g of U-QUARK, but with taps, 0, 9, 19, 20, 25, 38, 44, 47, 54, 63, 67, 69, 78 instead of 0, 7, 15, 16, 20, 30, 35, 37, 42, 49, 51, 54, 58, respectively.

• Function h : Given two 88-bit vectors X and Y and a constant vector L, the function h returns 1 bit computed as:

  $$\begin{aligned} \begin{aligned} h(X,Y,L) =&~L_{0} \oplus X_{1} \oplus Y_{2} \oplus X_{5} \oplus Y_{12} \oplus Y_{24} \oplus X_{35} \oplus X_{40} \oplus X_{48} \oplus Y_{55}\\&\oplus Y_{61} \oplus Y_{79} \oplus Y_{4}X_{68} \oplus X_{57}X_{68} \oplus X_{68}Y_{79} \oplus Y_{4}X_{35}X_{57} \\&\oplus X_{72} \oplus Y_{4}X_{57}X_{68} \oplus Y_{4}X_{57}Y_{79} \oplus L_{0}X_{35}X_{57}Y_{79} \oplus L_{0}X_{35}. \end{aligned} \end{aligned}$$

• S-QUARK. The S-QUARK is the version that provides the highest level of security in the family QUARK. It provides a hash value of 256-bits and has 112 bits of security level. Like the other versions of QUARK, it uses essentially three functions, f, g and h, which are defined below:

• Function f : Uses the same function f of U-QUARK, but with taps, 0, 16, 26, 28, 39, 52, 61, 69, 84, 94, 97, 103, 111 instead of 0, 9, 14, 15, 21, 28, 33, 37, 45, 50, 52, 55, 59, respectively.

• Function g : Uses the same function g of U-QUARK, but with taps, 0, 13, 28, 30, 37, 56, 65, 69, 79, 92, 96, 101, 109 instead of 0, 7, 15, 16, 20, 30, 35, 37, 42, 49, 51, 54, 58, respectively.

• Function h : Given two 128-bit vectors X and Y and a constant vector L, the function h returns 1 bit computed as:

  $$\begin{aligned} \begin{aligned} h(X,Y,L) =&~L_{0} \oplus X_{1} \oplus Y_{3} \oplus X_{7} \oplus Y_{18} \oplus Y_{34} \oplus X_{47} \oplus X_{58} \oplus Y_{71} \oplus Y_{80} \\&\oplus X_{90} \oplus Y_{91} \oplus X_{105} \oplus Y_{111} \oplus Y_{8}X_{100} \oplus X_{72}X_{100} \oplus X_{100}Y_{111} \\&\oplus Y_{8}X_{47}X_{72} \oplus Y_{8}X_{72}X_{100} \oplus Y_{8}X_{72}Y_{111} \oplus L_{0}X_{47}X_{72}Y_{111} \\&\oplus L_{0}X_{47}. \end{aligned} \end{aligned}$$