Paper 2021/390

Orthros: A Low-Latency PRF

Subhadeep Banik, Takanori Isobe, Fukang Liu, Kazuhiko Minematsu, and Kosei Sakamoto


We present Orthros, a 128-bit block pseudorandom function. It is designed with primary focus on latency of fully unrolled circuits. For this purpose, we adopt a parallel structure comprising two keyed permutations. The round function of each permutation is similar to Midori, a low-energy block cipher, however we thoroughly revise it to reduce latency, and introduce different rounds to significantly improve cryptographic strength in a small number of rounds. We provide a comprehensive, dedicated security analysis. For hardware implementation, Orthros achieves the lowest latency among the state-of-the-art low-latency primitives. For example, using the STM 90nm library, Orthros achieves a minimum latency of around 2.4 ns, while other constructions like PRINCE, Midori-128 and QARMA_{9}-128-\sigma_{0} achieve 2.56 ns, 4.10 ns, 4.38 ns respectively.

Note: This is the revised version of the paper published from ToSC 2021 Issue 1. We revise some typos in the formula of the S-box from in Sect. 3.3. Other contents are the same as the original version.

Available format(s)
Secret-key cryptography
Publication info
A minor revision of an IACR publication in Fse 2022
Pseudorandom FunctionLow LatencyLightweight CryptographySum of Permutations
Contact author(s)
subhadeep banik @ epfl ch
takanori isobe @ ai u-hyogo ac jp
liufukangs @ gmail com
k-minematsu @ nec com
k sakamoto0728 @ gmail com
2021-03-27: received
Short URL
Creative Commons Attribution


      author = {Subhadeep Banik and Takanori Isobe and Fukang Liu and Kazuhiko Minematsu and Kosei Sakamoto},
      title = {Orthros: A Low-Latency PRF},
      howpublished = {Cryptology ePrint Archive, Paper 2021/390},
      year = {2021},
      doi = {10.46586/tosc.v2021.i1.37-77},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.