SPECK
| Documentation |
#include <cryptopp/speck.h>
|
SPECK64 and SPECK128 are lightweight block ciphers designed by Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks and Louis Wingers. The SIMON and SPECK homepage is located at http://iadgov.github.io/simon-speck. The ciphers were designed for resource constrained devices and gadgets that participate in the Internet of Things. NIST is considering applications of lightweight cryptography for sensor networks, healthcare and the smart grid. NASA has expanding programs for small satellites such as CubeSats which may need lightweight algorithms. Finally, Linux added SPECK support for efficient, opportunistic encryption on low-resource devices to the kernel in February 2018.
One of the security goals of SPECK was maintain an acceptable level of security in an environment where power, memory and processors were [sometimes severely] limited. The ciphers are associated with the NSA so there is some controversy about them. The ciphers also have a number of good attributes so speculation should not be hard to overcome. Also see Notes on the design and analysis of Simon and Speck. Also see Notes on the design and analysis of Simon and Speck.
SPECK-128 offers a specialized SSSE3 implementation for AMD and Intel that runs around 2.3 cycles per byte (cpb) on a modern Intel core; see Commit e7fee716d68a. SPECK-128 also provides a NEON based implementation for ARM A-32 that runs around 10 cpb; see Commit 304809a65dc3. The Aarch64 implementation also runs around 7.4 cpb; see Commit 304809a65dc34a.
Note: if your project is using encryption alone to secure your data, encryption alone is usually not enough. Please take a moment to read Authenticated Encryption and consider using an algorithm or mode like CCM, GCM, EAX or ChaCha20Poly1305.
Note: Simon and Speck were added at Crypto++ 6.0. We call the 6.0 implementation the "big-endian" implementation because it arrived at the test vector results published in the paper, and the test vectors were in big-endian format. Our implementation was wrong because we failed to follow the algorithmic description provided in the paper. At Crypto++ 6.1 we switched to a "little-endian" implementation, which followed the algorithmic description from the the paper. The little-endian version fails to arrive at the test vector results, but it agrees with the paper and the kernel's implementation. Also see Issue 585.
Algorithm Name
If you call StaticAlgorithmName then the function will return the partial name "SPECK-<block size>". Once the cipher is keyed you can call AlgorithmName which returns the full name presented as "SPECK-<block size>(<key length>)". In the case of SPECK the algorithms names are SPECK-64(96), SPECK-64(128), SPECK-128(128), SPECK-128(192) and SPECK-128(256).
The naming follows DSTU 7624:2014, where block size is provided first and then key length. The library uses a dash to identify block size and parenthesis to identify key length. For example, Kalyna-128(256) is Kalyna with a 128-bit block size and a 256-bit key length. If a mode is associated with the object, then it follows as expected. For example, Kalyna-256(512)/ECB denotes Kalyna with a 256-bit block and 512-bit key operated in ECB mode.
int main(int argc, char* argv[])
{
SPECK128::Encryption speck;
std::cout << "StaticAlgorithmName: " << speck.StaticAlgorithmName() << std::endl;
std::cout << "AlgorithmName (unkeyed): " << speck.AlgorithmName() << std::endl;
byte key[SPECK128::DEFAULT_KEYLENGTH] = {};
speck.SetKey(key, sizeof(key));
std::cout << "AlgorithmName (keyed): " << speck.AlgorithmName() << std::endl;
return 0;
}
The program results in the following output.
$ ./test.exe StaticAlgorithmName: SPECK-128 AlgorithmName (unkeyed): SPECK-128 AlgorithmName (keyed): SPECK-128(128)
Sample Programs
There are three sample programs. The first shows SPECK key and block sizes. The second and third use filters in a pipeline. Pipelining is a high level abstraction and it handles buffering input, buffering output and padding for you.
If you are benchmarking then you may want to visit Benchmarks | Sample Program . It shows you how to use StreamTransformation::ProcessString method to process blocks at a time. Calling a cipher's ProcessString or ProcessBlock eventually call a cipher's ProcessAndXorBlock or AdvancedProcessBlocks, and they are the lowest level API you can use.
The first snippet dumps the minimum, maximum, and default key lengths used by SPECK128.
std::cout << "key length: " << SPECK128::DEFAULT_KEYLENGTH << std::endl; std::cout << "key length (min): " << SPECK128::MIN_KEYLENGTH << std::endl; std::cout << "key length (max): " << SPECK128::MAX_KEYLENGTH << std::endl; std::cout << "block size: " << SPECK128::BLOCKSIZE << std::endl;
Output from the above snippet produces the following. Notice the default key size is 128 bits or 16 bytes.
$ ./test.exe key length: 16 key length (min): 16 key length (max): 32 block size: 16
The following program shows how t operate SPECK128 in CBC mode using a pipeline. The key is declared on the stack using a SecByteBlock to ensure the sensitive material is zeroized. Similar could be used for both plain text and recovered text.
#include "cryptlib.h"
#include "osrng.h"
#include "files.h"
#include "speck.h"
#include "modes.h"
#include "hex.h"
#include <iostream>
#include <string>
int main (int argc, char* argv[])
{
using namespace CryptoPP;
AutoSeededRandomPool prng;
SecByteBlock key(SPECK128::DEFAULT_KEYLENGTH);
prng.GenerateBlock(key, key.size());
byte iv[SPECK128::BLOCKSIZE];
prng.GenerateBlock(iv, sizeof(iv));
std::cout << "Key: ";
StringSource(key, key.size(), true, new HexEncoder(new FileSink(std::cout)));
std::cout << std::endl;
std::cout << "IV: ";
StringSource(iv, sizeof(iv), true, new HexEncoder(new FileSink(std::cout)));
std::cout << std::endl;
std::string plain = "CBC Mode Test";
std::string cipher, encoded, recovered;
/*********************************\
\*********************************/
try
{
std::cout << "plain text: " << plain << std::endl;
CBC_Mode< SPECK128 >::Encryption e;
e.SetKeyWithIV(key, key.size(), iv);
// The StreamTransformationFilter adds padding
// as required. ECB and CBC Mode must be padded
// to the block size of the cipher.
StringSource(plain, true,
new StreamTransformationFilter(e,
new StringSink(cipher)
) // StreamTransformationFilter
); // StringSource
}
catch(const Exception& e)
{
std::cerr << e.what() << std::endl;
exit(1);
}
/*********************************\
\*********************************/
// Pretty print
std::cout << "Cipher text: ";
StringSource(cipher, true, new HexEncoder(new FileSink(std::cout)));
std::cout << std::endl;
/*********************************\
\*********************************/
try
{
CBC_Mode< SPECK128 >::Decryption d;
d.SetKeyWithIV(key, key.size(), iv);
// The StreamTransformationFilter removes
// padding as required.
StringSource s(cipher, true,
new StreamTransformationFilter(d,
new StringSink(recovered)
) // StreamTransformationFilter
); // StringSource
std::cout << "recovered text: " << recovered << std::endl;
}
catch(const Exception& e)
{
std::cerr << e.what() << std::endl;
exit(1);
}
return 0;
}
A typical output is shown below. Note that each run will produce different results because the key and initialization vector are randomly generated.
$ ./test.exe Key: DB96D217DD5E48FBC551A6E52E3E6048 IV: 31D9CBA145C22DF9BFAD8261B39F6E88 plain text: CBC Mode Test Cipher text: 1007AB03F8AADDF6B4F88062F51BC6FA recovered text: CBC Mode Test
By switching to EAX mode, authenticity assurances can placed on the cipher text for nearly no programming costs. Below the StreamTransformationFilter was replaced by AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter.
#include "cryptlib.h"
#include "osrng.h"
#include "files.h"
#include "speck.h"
#include "modes.h"
#include "hex.h"
#include "eax.h"
#include <iostream>
#include <string>
int main (int argc, char* argv[])
{
using namespace CryptoPP;
AutoSeededRandomPool prng;
SecByteBlock key(SPECK128::DEFAULT_KEYLENGTH);
prng.GenerateBlock(key, key.size());
byte iv[SPECK128::BLOCKSIZE];
prng.GenerateBlock(iv, sizeof(iv));
std::cout << "Key: ";
StringSource(key, key.size(), true, new HexEncoder(new FileSink(std::cout)));
std::cout << std::endl;
std::cout << "IV: ";
StringSource(iv, sizeof(iv), true, new HexEncoder(new FileSink(std::cout)));
std::cout << std::endl;
std::string plain = "EAX mode Test";
std::string cipher, encoded, recovered;
/*********************************\
\*********************************/
try
{
std::cout << "plain text: " << plain << std::endl;
EAX< SPECK128 >::Encryption e;
e.SetKeyWithIV(key, key.size(), iv);
StringSource(plain, true,
new AuthenticatedEncryptionFilter(e,
new StringSink(cipher)
) // AuthenticatedEncryptionFilter
); // StringSource
}
catch(const Exception& e)
{
std::cerr << e.what() << std::endl;
exit(1);
}
/*********************************\
\*********************************/
// Pretty print
std::cout << "Cipher text: ";
StringSource(cipher, true, new HexEncoder(new FileSink(std::cout)));
std::cout << std::endl;
/*********************************\
\*********************************/
try
{
EAX< SPECK128 >::Decryption d;
d.SetKeyWithIV(key, key.size(), iv);
StringSource s(cipher, true,
new AuthenticatedDecryptionFilter(d,
new StringSink(recovered)
) // AuthenticatedDecryptionFilter
); // StringSource
std::cout << "recovered text: " << recovered << std::endl;
}
catch(const Exception& e)
{
std::cerr << e.what() << std::endl;
exit(1);
}
return 0;
}
Typical output is as follows. Notice the additional cipher text bytes due to the MAC bytes. See EAX Mode for details.
$ ./test.exe Key: DAEBAD63637C7FA02F4EB3D9DB10F422 IV: 6C498076321EE1FC00B67FAA816378C5 plain text: EAX mode test Cipher text: 78DB86E5A673255DFB17677C2CB45D4932E3E80489989291C481DA00A6 recovered text: EAX mode test
To manually insert bytes into the filter, perform multiple Puts. Though Get is used below, a StringSink could easily be attached and save the administrivia.
const size_t SIZE = 16 * 4;
string plain(SIZE, 0x00);
for(size_t i = 0; i < plain.size(); i++)
plain[i] = 'A' + (i%26);
...
CBC_Mode < SPECK128 >::Encryption encryption(key, sizeof(key), iv);
StreamTransformationFilter encryptor(encryption, NULL);
for(size_t j = 0; j < plain.size(); j++)
encryptor.Put((byte)plain[j]);
encryptor.MessageEnd();
size_t ready = encryptor.MaxRetrievable();
string cipher(ready, 0x00);
encryptor.Get((byte*) &cipher[0], cipher.size());
Validation
The Simon and Speck implementations can be tested with the cryptest.exe program. The program validates against modified test vectors from the Simon and Speck paper. Each test vector presented in the paper was modified to little-endian format.
There was one test vector for each block size and key size. After we had one working test vector we generated additional test vectors for later use. The additional test vectors are located at TestVectors/simon.txt and TestVectors/speck.txt.
The program used to generate the test vectors is available at Noloader | simon-speck-supercop. See the files simon-tv.cxx and speck-tv.cxx.
$ ./cryptest.exe tv speck Using seed: 1519379574 Testing SymmetricCipher algorithm SPECK-64/ECB. ................ Testing SymmetricCipher algorithm SPECK-64/CBC. .............. Testing SymmetricCipher algorithm SPECK-64/CTR. .............. Testing SymmetricCipher algorithm SPECK-128/ECB. ........................ Testing SymmetricCipher algorithm SPECK-128/CBC. ..................... Testing SymmetricCipher algorithm SPECK-128/CTR. ..................... Tests complete. Total tests = 110. Failed tests = 0.
A modified test vector from the Simon and Speck paper includes the work modified in the Source:
Source: Simon and Simon paper, Appendix C (modified) Comment: SPECK-64/ECB, 96-bit key Key: 00010203 08090A0B 10111213 Plaintext: 65616E73 20466174 Ciphertext: 6C947541 EC52799F
A Crypto++ generated test vector says so in the source:
Source: Crypto++ 6.0 generated Comment: SPECK-64/ECB, 96-bit key Key: F64F824B DA9DA2D0 D446ABE3 Plaintext: 48731C8B FE3260D4 Ciphertext: 55CABA8D E9F967C8
Downloads
No downloads.