SCREAM Authenticated Encryption Code Page

Implementations of the SCREAM authenticated encryption algorithm.

  • Specifications. V. Grosso, G. Leurent, F.-X. Standaert, K. Varici, A. Journault, F. Durvaux, L. Gaspar, S. Kerckhof, SCREAM, Side-Channel Resistant Authenticated Encryption with Masking, submission to the CAESAR competition, second round specifications, (pdf file). Test vectors (zip file).

    1. High-end CPUs

  • Reference implementations (generic code), (basic code).
  • Optimized implementations (neon code, sse code).

  • Implementation results:

    Platform Cipher   cycles/byte (long messages)  
      Bonnel     SCREAM-10 (Enc/Dec)   51
    SCREAM-12 (Enc/Dec) 61
      ARMv7-A Krait     SCREAM-10 (Enc/Dec)   50
    SCREAM-12 (Enc/Dec) 60
      Silvermont     SCREAM-10 (Enc/Dec)   48
    SCREAM-12 (Enc/Dec) 57
      Nehalem     SCREAM-10 (Enc/Dec)  10.1
    SCREAM-12 (Enc/Dec) 12.1
      Ivy Bridge     SCREAM-10 (Enc/Dec)  7.1
    SCREAM-12 (Enc/Dec) 8.5
      Haswell     SCREAM-10 (Enc/Dec)  7.1
    SCREAM-12 (Enc/Dec) 8.5

  • Cycle counts for encryption & decryption are similar for these platforms.
  • CPUs used. Krait: Qualcomm Snapdragon MSM8260A. Bonnel: Atom N2800 (Cedarview). Silvermont: Celeron N2830. Nehalem: Core i5 750. Ivy Bridge: Xeon E5-2680 v2. Haswell: Core i5-4570S.

    2. 8-bit microcontrollers

  • Atmel AVR (source code).

  • Implementation results:

    Platform Cipher   Code size (bytes)     RAM (bytes)     cycle count (Enc)     cycle count (Dec)  
      Atmel AVR ATTiny85     SCREAM-10 (Enc/Dec)   4332 160 24490
    + 7940/additional block
    24630
    + 7940/additional block
      SCREAM-12 (Enc/Dec)   4332 160 28604
    + 9360/additional block
    26053
    + 9360/additional block

  • Code size is roughly divided by two for Enc-only or Dec-only designs.
  • Methodology & interface borrowed from this lightweight cipher implementation project.

    3. FPGAs

  • Reference 128-bit implementations (VHDL code).

  • Implementation results:

    Platform Cipher   Architecture    Regs/LUTs     Slices     BRAMs     Fmax     Latency (long messages)     Throughput  
      Xilinx Virtex 7 (xc7vx485tffg1761-2)     SCREAM-10 (Enc/Dec)     128-bit, 2-rounds   3113/928 885 0 124.22 MHz 11 cycles 1,35 Gib/s
    128-bit, 1-rounds 2174/926 646 0 217.39 MHz 21 cycles 1,24 Gib/s
      SCREAM-12 (Enc/Dec)   128-bit, 2-rounds 3033/925 840 0 122.25 MHz 13 cycles 1,12 Gib/s
    128-bit, 1-rounds 2232/930 652 0   218.34 MHz   25 cycles 1,04 Gib/s

  • Gib means IEC Gibibit per second, where 1 Gib = 230 bits = 1,073,741,824 bits.
  • Cycle counts for encryption & decryption are identical.
  • Area roughly divided by two for Enc-only or Dec-only designs.
  • Methodology & interface borrowed from this paper.
  • Synthesis options maximizing the throughput/area ratio.