Other Publications Year : 2019

Saturnin: a suite of lightweight symmetric algorithms for post-quantum security

Anne Canteaut
Sébastien Duval
Gaëtan Leurent
Léo Perrin
Thomas Pornin


The cryptographic algorithms needed to ensure the security of our communications have a cost. For devices with little computing power, whose number is expected to grow significantly with the spread of the Internet of Things (IoT), this cost can be a problem. A simple answer to this problem is a compromise on the security level: through a weaker round function or a smaller number of rounds, the security level can be decreased in order to cheapen the implementation of the cipher.

At the same time, quantum computers are expected to disrupt the state of the art in cryptography in the near future. For public key cryptography, the NIST has organized a dedicated process to standardize new algorithms. The impact of quantum computing is harder to assess in the symmetric case but its study is an active research area.

In this document, we specify a new block cipher, Saturnin, and its usage in different modes to provide hashing and authenticated encryption in such a way that we can rigorously argue its security in the post-quantum setting. Its security analysis follows naturally from that of the AES, while our use of components that are easily implemented in a bitsliced fashion ensures a low cost for our primitives. Our aim is to provide a new lightweight suite of algorithms that performs well on small devices, in particular micro-controllers, while providing a high security level even in the presence of quantum computers.

Saturnin is a 256-bit block cipher with a 256-bit key and an additional 9-bit parameter for domain separation. Using it, we built two authenticated ciphers and a hash function.

  • Saturnin-CTR-Cascade is an authenticated cipher using the counter mode and a separate MAC. It requires two passes over the data but its implementation does not require the inverse block cipher.
  • Saturnin-Short is an authenticated cipher intended for messages with a length strictly smaller than 128 bits which uses only one call to Saturnin to provide confidentiality and integrity.
  • Saturnin-Hash is a 256-bit hash function.

In this document, we specify this suite of algorithms and argue about their security in both the classical and the post-quantum setting.
Main file
SATURNIN-spec (1).pdf (1.83 MB)
Origin : Files produced by the author(s)

Dates and versions

hal-02436763 , version 1 (13-01-2020)


  • HAL Id : hal-02436763 , version 1


Anne Canteaut, Sébastien Duval, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin, et al. Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. 2019. ⟨hal-02436763⟩

