Hi Arne,
Thanks a lot
for your comments!
We apologize
for our tardy response!
Regarding
your specific questions:
Romulus-T
and Romulus-H have been introduced in the Romulus
specification v1.3, with a release date of May 17, 2021, i.e.,
only after the end of Round 2.
NISTIR 8369
is titled "Status Report on the Second Round of the NIST
Lightweight Cryptography Standardization Process."
Thus, not
listing Romulus among the Round 2 candidates supporting hash
functionality appears to be correct.
The only
implementations of Romulus submitted to our group for FPGA
benchmarking were:
During
Round 2:
- Five
unprotected implementations of Romulus-N that differed only in
terms of hardware architectures.
These
implementations had properties summarized in
Table
1, Table 2, Figure 27, Figure 28, Appendix A, Figs. 106-111.
During
Final Round:
- Three
protected implementations of Romulus-N with protection orders
of 1, 2, and 3, respectively.
These
implementations were generated semi-automatically by the team
from Ruhr-University Bochum, Germany, using the tool called
AGEMA.
The
starting point for these implementations was an unprotected
implementation of Romulus-N.
No hardware
implementations supporting Romulus-T or Romulus-H have been
submitted to our group for FPGA benchmarking.
No hardware
implementations were included in the submission package of
Romulus submitted to NIST at the beginning of the Final Round.
As far as we
know, no new hardware implementations of Romulus were
announced on the lwc-forum during the Final Round.
Regarding
the general question on limitations of our study:
Our study
has relied on the voluntary effort of multiple groups from all
over the world.
We have
benchmarked only implementations either submitted directly to
our group or announced on the lwc-forum.
These
implementations had to pass all verification tests for correct
functionality.
Consequently,
as far as we know, as of November 2022:
A) Only 4
out of 10 finalists (Ascon, Elephant, TinyJAMBU, and Xoodyak)
had manually developed SCA-protected implementations based on
masking available for FPGA benchmarking.
Additionally, the implementation of Elephant did not pass
verification tests and thus was not included in benchmarking
results.
B) 9 out of
10 candidates (all except Grain-128AEAD) had protected
implementations developed semi-automatically using AGEMA.
Additionally, some of these implementations (e.g., GIFT-COFB,
SPARKLE, and TinyJAMBU) were not based on the best available
unprotected implementations.
Another
challenge is an inherent difficulty in comparing
mode-protected implementations with protected implementations
based on masking.
Any
additional questions and comments are very welcome!