Technical Description of the VEST Cryptosystem

VEST is a family of hardware-dedicated authenticated stream ciphers that also operate as collision-resistant hash functions. The design is built around a bijective parallel non-linear feedback shift register (PNLFSR) driven by a non-linear counter based on a Residue Number System (RNS). The four VEST family trees are VEST-4 (80-bit security), VEST-8 (128-bit security), VEST-16 (160-bit security) and VEST-32 (256-bit security). VEST ciphers accept keys and IVs of variable size and support instant re-keying; every family supports key lengths of twice its security rating. All VEST ciphers release output on every round, and each round executes in a single clock cycle at high clock rates. Each cipher family, generated from a static family key, is designed to be efficiently synthesised in hardware.

[Figure: high-level diagram of VEST's structure]

Structure and operation:

VEST ciphers have four main components: a non-linear counter, a linear counter diffuser, a bijective non-linearly updated core accumulator and a linear output combiner; the authenticated-encryption mode adds ciphertext feedback. The RNS counter consists of sixteen NLFSRs with prime period lengths. The counter diffuser is a set of 5-to-1 linear combiners with feedback that compresses the outputs of the 16 counters into 10 bits. The core accumulator is a PNLFSR that takes those 10 diffuser bits as input, and the output combiner is a set of 6-to-1 linear combiners.

[Figure: high-level diagram of the VEST-4 accumulator]

The core accumulator in VEST ciphers can be seen as a bijective substitution-permutation network built from non-linear 6-to-1 feedback functions (f), one per state bit, all updated simultaneously. Its inputs are the 10 counter-diffuser bits (d) and, in authenticated-encryption mode, the previous round's ciphertext bits (e). On each round the five least significant bits of the accumulator state pass through a bijective 5x5 substitution box and are linearly combined (XORed) with the first five input bits. The next five accumulator bits are linearly combined with the next five input bits and with a non-linear function of four of the accumulator bits immediately below them. Every remaining bit of the accumulator state is linearly combined with a non-linear function of the five accumulator bits immediately below it. Because each new bit depends only on its own previous value and on strictly lower bits, the update is triangular and therefore invertible, which is what makes the accumulator bijective.

[Figure: VEST-4 accumulator wiring, substitution followed by permutation]

This substitution operation is followed by a carefully selected permutation of all the bits in the state.

Unlike most ciphers, VEST ciphers load keys and IVs gradually. Typically 16 bits of key material are hashed on every round, with only one new key bit entering each round, so key loading takes as many rounds as there are bits in the key. IVs are loaded 8 bits per round, taking as many rounds as there are bytes in the IV. Both the keying and the IV-loading processes are followed by 32 sealing rounds that further mix the state.

During hashing, data is loaded one byte per round, each bit of the byte entering one of 8 separate counters. The input is thus fed linearly and directly into the core accumulator, as well as into each of the 8 counters and into the counter diffuser, where the input bits are combined, linearly and non-linearly, with all previously absorbed bits by different feedback functions.

In authenticated encryption mode the ciphertext is fed back into the core accumulator. The counters are not touched by this feedback, and their independence guarantees a minimal period length even under complex adaptive chosen-plaintext attacks.

Before a MAC or hash value is produced, the cipher state is again sealed with 32 rounds. The MAC or hash is then released gradually as ordinary cipher output, 4 to 32 bits per round depending on the family, revealing no information about the cipher state and requiring no additional logic.
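The structure described above, reduced to a toy model that can be run. This is added example code, not VEST itself and not from the VEST authors: the accumulator width, counter periods, S-box, feedback functions, taps and permutation are illustrative choices (fixed-seed random tables), ciphertext feedback and the sealing rounds are omitted, and each NLFSR counter is modelled as a plain modular counter reading out a fixed bit sequence of prime period. It shows two properties the page relies on: that a triangular non-linear update (each bit XORed with a function of strictly lower bits, plus a bijective S-box on the bottom five) followed by a bit permutation is a bijection, checked both exhaustively and by running the round backwards, and that counters with distinct prime periods return to a joint state only after the product of those periods.

```python
import random
from math import prod

# Toy model of the structure this page describes. It is NOT VEST: widths are
# reduced so every state can be enumerated, and the S-box, feedback functions,
# taps and permutation below are illustrative fixed-seed random tables, not
# VEST's real ones. Ciphertext feedback and sealing rounds are left out.
ACC_BITS = 12                    # toy accumulator width (4096 states)
INPUT_BITS = 10                  # diffuser bits fed into the accumulator, as in VEST
OUT_BITS = 4                     # output bits released per round, as in VEST-4
COUNTER_PERIODS = (3, 5, 7, 11)  # toy stand-in for VEST's sixteen prime-period NLFSRs

_rng = random.Random(0x5E57)     # fixed seed: the toy tables are reproducible

SBOX5 = list(range(32))
_rng.shuffle(SBOX5)              # illustrative bijective 5x5 S-box for bits 0..4
SBOX5_INV = [SBOX5.index(y) for y in range(32)]
FEEDBACK = [[_rng.randrange(2) for _ in range(32)] for _ in range(ACC_BITS)]  # f_i truth tables
PERM = list(range(ACC_BITS))
_rng.shuffle(PERM)               # illustrative bit permutation applied after substitution
PERM_INV = [PERM.index(i) for i in range(ACC_BITS)]
COUNTER_OUT = [[_rng.randrange(2) for _ in range(p)] for p in COUNTER_PERIODS]  # counter output bits
DIFFUSER_TAPS = [_rng.sample(range(len(COUNTER_PERIODS)), 3) for _ in range(INPUT_BITS)]  # toy 3-to-1 (VEST: 5-to-1)
OUTPUT_TAPS = [_rng.sample(range(ACC_BITS), 6) for _ in range(OUT_BITS)]  # 6-to-1 linear combiners


def counter_step(state):
    """Advance each toy counter one position; counter i cycles with its own prime period."""
    return tuple((c + 1) % p for c, p in zip(state, COUNTER_PERIODS))


def diffuse(state):
    """Counter diffuser: input bit d_j is the parity (XOR) of a few counter output bits."""
    bits = [COUNTER_OUT[i][c] for i, c in enumerate(state)]
    return sum((sum(bits[t] for t in taps) & 1) << j for j, taps in enumerate(DIFFUSER_TAPS))


def _window(acc, i):
    """Bits just below position i that feed f_i: four of them for bits 5..9, five above that."""
    return (acc >> (i - 4)) & 0xF if i < 10 else (acc >> (i - 5)) & 0x1F


def substitute(acc, d):
    """Parallel non-linear update: S-box on bits 0..4, and every higher bit XORed with
    f_i of the bits below it and with its input bit d_i (where one exists)."""
    new = SBOX5[acc & 0x1F] ^ (d & 0x1F)
    for i in range(5, ACC_BITS):
        d_i = (d >> i) & 1 if i < INPUT_BITS else 0
        new |= (((acc >> i) & 1) ^ FEEDBACK[i][_window(acc, i)] ^ d_i) << i
    return new


def unsubstitute(s, d):
    """Inverse of substitute: recover bits 0..4 through the inverse S-box, then each higher
    bit from the bits already recovered below it. Possible only because the update is triangular."""
    acc = SBOX5_INV[(s ^ d) & 0x1F]
    for i in range(5, ACC_BITS):
        d_i = (d >> i) & 1 if i < INPUT_BITS else 0
        acc |= (((s >> i) & 1) ^ FEEDBACK[i][_window(acc, i)] ^ d_i) << i
    return acc


def permute(acc, perm=PERM):
    """Move bit src to position perm[src]."""
    return sum(((acc >> src) & 1) << dst for src, dst in enumerate(perm))


def accumulator_round(acc, d):
    return permute(substitute(acc, d))


def accumulator_round_inverse(acc, d):
    return unsubstitute(permute(acc, PERM_INV), d)


def output(acc):
    """Linear output combiner: each released bit is the parity of six accumulator bits."""
    return sum((sum((acc >> t) & 1 for t in taps) & 1) << j for j, taps in enumerate(OUTPUT_TAPS))


def keystream(rounds, acc=0x5A3, counters=(0, 1, 2, 3)):
    """Each round: advance the counters, diffuse them into INPUT_BITS bits, update the
    accumulator and release OUT_BITS bits, as VEST does on every clock cycle."""
    out = []
    for _ in range(rounds):
        counters = counter_step(counters)
        acc = accumulator_round(acc, diffuse(counters))
        out.append(output(acc))
    return out


def is_bijective(d):
    """Exhaustively confirm the round permutes all 2**ACC_BITS states for a fixed input d."""
    return len({accumulator_round(a, d) for a in range(1 << ACC_BITS)}) == 1 << ACC_BITS


def joint_counter_period(start=(0, 0, 0, 0)):
    """Rounds until all counters return to `start` together: the product of the distinct
    prime periods, i.e. the guaranteed lower bound on the period the page refers to."""
    state, n = counter_step(start), 1
    while state != start:
        state, n = counter_step(state), n + 1
    return n


if __name__ == "__main__":
    assert joint_counter_period() == prod(COUNTER_PERIODS) == 1155
    assert all(is_bijective(d) for d in (0, 0x3FF, 0x2A5))
    print("toy keystream:", " ".join(f"{w:x}" for w in keystream(16)))
```

Running the file directly prints a few nibbles of toy keystream after the checks pass. Scaling the constants up towards VEST's real widths keeps the inverse round correct but makes the exhaustive `is_bijective` check infeasible; the constructive inverse is the argument that still scales, and it works only because no new bit depends on a bit at or above its own position.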

Performance:

VEST ciphers reach high speeds in FPGAs and up to 20 Gbit/s in 110 nm ASIC geometries. Our bitslice software implementation runs at speeds comparable to DES or IDEA in server applications, which is about 3 to 4 times slower than AES.

Complete technical information on the performance of VEST compared to AES in FPGA and ASIC hardware is given on the performance page.
