Symfrog-512: High-Capacity Sponge-Based AEAD Cipher (1024-bit State)

Victor Duarte Melo

TL;DR

The implementation aims for constant-time behavior with respect to secret-dependent operations, although no formal side-channel proof is provided and no stronger guarantees are asserted for the concrete permutation beyond the documented analysis and empirical behavior.

Abstract

This submission includes a complete reference implementation together with deterministic test vectors and a reproducible benchmark suite. All source code, build instructions, and regression artifacts are publicly available in the project repository, enabling independent verification and reimplementation of the scheme. The AEAD construction is fully specified, including domain separation, rate and capacity choices, tag generation, and the exact file format used by the reference CLI. Reported performance numbers are produced by the built-in benchmark tool under documented hardware and compiler settings. All security claims are made strictly within the ideal permutation model following standard sponge and duplex bounds, and no stronger guarantees are asserted for the concrete permutation beyond the documented analysis and empirical behavior. The implementation aims for constant-time behavior with respect to secret-dependent operations, although no formal side-channel proof is provided. The project is released under the MIT license, and external cryptanalysis, feedback, and reproducibility checks are explicitly encouraged.

Paper Structure

This paper contains 52 sections, 3 theorems, 15 equations, 4 figures.

Key Result

Lemma 1

If the capacity values are uniform and independent until the first collision, then where $q$ is the number of permutation calls.

Figures (4)

  • Figure 1: Permutation benchmark: 435.1 ns per P1024-v2 call (200,000 iterations).
  • Figure 2: AEAD core benchmark: 131.7 MiB/s for a 64 MiB buffer (excluding I/O and KDF).
  • Figure 3: Avalanche measurement for P1024-v2. This is an empirical sanity check, not a proof of security.
  • Figure 4: Ciphertext file size versus plaintext length for test vectors. The overhead is constant: 152 bytes of header plus 32 bytes of final tag.

Theorems & Definitions (6)

  • Definition 1: Capacity collision event
  • Lemma 1: Birthday bound
  • Theorem 1: IND-CPA bound
  • Proof: Proof sketch
  • Theorem 2: INT-CTXT bound
  • Proof: Proof sketch