Design

CRAFT is a lightweight tweakable block cipher which consists of a 64-bit block, a 128-bit key and a 64-bit tweak. The state is viewed as a 4 × 4 square array of nibbles. The encryption process is an iteration of 31 identical round functions and one more linear round.

Each round function applies five involutory round operations: SubBox (SB), MixColumn (MC), PermuteNibbles (PN), AddConstant (ARC) and AddTweakey (ATK), while the last round only applies the MixColumn, AddConstant and AddTweakey operations.

  • SubBox (SB): The 4-bit involutory Sbox is applied 16 times in parallel to each nibble of the state.
  • MixColumn (MC): The following involutory binary matrix M is multiplied to each column of the state:
  • PermuteNibbles (PN): An involutory permutation is applied on the nibble positions of the state. In particular, the i-th nibble is replaced by the P(i)-th nibble, where

P = [15, 12, 13, 14, 10, 9, 8, 11, 6, 5, 4, 7, 1, 2, 3, 0].

  • AddConstants (ARC): In every round, the corresponding values for a and b are XOR-ed with the 4th and 5th state nibbles, respectively.
  • AddTweakey (ATK): The 128-bit key K is split into two 64-bit keys K0 and K1. Together with the 64-bit tweak input T, using a permutation Q on the nibbles of the given tweak, the cipher derives four 64-bit tweakeys: TK0, TK1, TK2 and TK3. Then in each round, depending on the remainder of the round index divided by 4, without any key update, one of the tweakeys gets XOR-ed to the state.

The corresponding Q permutation is Q = [12, 10, 15, 5, 14, 8, 9, 2, 11, 3, 7, 4, 6, 0, 1, 13]

and the tweakey schedule is TK0 = K0 + T, TK1 = K1 + T, TK2 = K0 + Q(T), TK3 = K0 + Q(T).

To conclude, using the above explained operations, the round functions (except the last round) are defined as

SB o PN o ATK o ARC o MC

and the last round as

ATK o ARC o MC.

To design CRAFT with a similar structure for both encryption and decryption, we restricted our choices for the components of substitution and permutation to involutory mappings. From the fact that all round operations are involutions and by applying the last linear round, we made the CRAFT decryption a parametrized CRAFT encryption. Actually, decryption with tweakeys (TK0, TK1, TK2, TK3) and round constants (RC0, ... , RC31) is the same as the encryption with tweakeys (TK0', TK1', TK2', TK3') and round constants (RC31, ... , RC0), where TKi' = MC(TKi).