Lightweight Block Cipher Design...LED (CHES 2011) A 64 bit block cipher with 64 128 bit key and...
Transcript of Lightweight Block Cipher Design...LED (CHES 2011) A 64 bit block cipher with 64 128 bit key and...
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Lightweight Block Cipher Design
Gregor Leander
HGI, Ruhr University Bochum, Germany
Sardinia 2015
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Outline
1 Motivation
2 Industry
3 Academia
4 Lightweight: 2nd Generation
5 NIST Initiative
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Outline
1 Motivation
2 Industry
3 Academia
4 Lightweight: 2nd Generation
5 NIST Initiative
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Upcoming IT-Landscape
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Popular Example: RFID-Tags
RFID Tag
RFID=Radio-Frequency IDentification
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Example I
Electronic Passports
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Example II
Logistics
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Example III
Pacemaker implants
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Security
QuestionDo we want this?
If we want it, we want it secure!
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Security
QuestionDo we want this?
If we want it, we want it secure!
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Attacks I
Iron attacks in Russia
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Attacks II
Fear: Terrorist attacks on pacemaker
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Attacks II
Fear: Terrorist attacks on pacemaker
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Lightweight Cryptography
What is (not) Lightweight CryptographyCryptography tailored to (extremely) constrained devicesNot intended for everythingNot intended for extremely strong adversariesNot weak cryptography
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Lightweight Cryptography
QuestionWhat about standard algorithms?
AES is great for almost everywhereMainly designed for softwareIt is too expensive for very small devicesIt protects data stronger than needed
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
AES: The Swiss Army Knife
Domain Specific CipherOn specific platforms/for specific criteria one can do better.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Lightweight Cryptography: Industry vs. Academia
IndustryNon-existence of lightweight block ciphers a real problem sincethe 90’s.
Many proprietary solutionsOften: not very good.
AcademiaResearch on Lightweight block ciphers started only recently.
Several good proposals available.Developed a bit away from industry demands.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Outline
1 Motivation
2 Industry
3 Academia
4 Lightweight: 2nd Generation
5 NIST Initiative
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Lightweight Ciphers in Real Life
Example (Algorithms Used In Real Products)KeeloqMIFAREDECTKindle Cipher
What they have in common:efficientproprietary/not publicnon standard designsnot good
A lot more out there...
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Keeloq
KeeloqA 32 bit block-cipher with a 64 bit key.
Developed by Gideon Kuhn (around 1985).Sold for 10M$ to Microchip Technology Inc (1995).Algorithm for remote door openers: Cars, Garage, ...Used by: Chrysler, Daewoo, Fiat, GM, Honda, Toyota,Volvo, Volkswagen Group,...
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
KeeLoq
EUROCRYPT 2008
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
MIFARE
MIFARE CipherA stream cipher with an 48 bit key.
widely used in contactless smart cardsbillions of smart card chipselectronic bus and train tickets
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
MIFARE Cipher
CARDIS 2008
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
DECT
DECT CipherA stream cipher with an 64 bit key.
cordless home telephones30.000.000 base station in Germanyalso baby phones, traffic lights, etc
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
DECT Cipher
FSE 2010
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Kindle
Kindle Cipher (PC1)A stream cipher with an 128 bit key.
Amazons Kindle ebookDRM system
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Kindle Cipher
SAC 2012
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Outline
1 Motivation
2 Industry
3 Academia
4 Lightweight: 2nd Generation
5 NIST Initiative
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Why?
QuestionWhy do they do that?
We needsecurewell analyzedpublic
ciphers for highly resource constrained devices.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
General Design Philosophy
Guidelines/GoalsEfficiency: Here mainly areaSimplicitySecurity
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Design Considerations: Hardware
HardwareWhat do things cost in hardware?
SuggestionMake it an interdisciplinary project!
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Cost Overview
QuestionWhat should/should not be used?
Rule of Thumb:NOT: 0.5 GENOR: 1 GEAND: 1.33 GEOR: 1.33XOR: 2.67
Registers/Flipflops: 6− 12 GE per bit!
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Design Decisions I
QuestionBlock size/ Key size?
Storage (FF) is expensive in hardware.Block size of 128 is too much.We do not have to keep things secret forever.
DecisionRelative Small Block Size: 32,48 or 64Key size: 80 bit often enough
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Block Cipher Parts
SP-NetworkWe have to design
Non-linear-LayerLinear-LayerKey-scheduling
Here we focus on the Non-linear-Layer and the Linear-Layer.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Design Issues
Design Issues
The S-Layer has to maximize nonlinearity.It has to be cheap.
The S-Layer consist of a number of Sboxes executed in parallel
Si : Fb2 → Fb
2
In hardware realized as Boolean functions.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Design Issues
QuestionDifferent Sboxes vs. all Sboxes the same?
A serialized implementation becomes smaller if all Sboxes arethe same.
DecisionOnly one Sbox.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Design Issues
QuestionWhat size of Sbox?
In general: The bigger the Sbox the more expensive it is inhardware.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Sbox Costs
Figure: Comparison of Sboxes
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
P-Layer
Design Issues
The P-Layer has to maximize diffusion.It has to be cheap.
Many modern ciphers: MDS codes (great diffusion!)DES: Bit permutation (no cost!)
Design Decision
Use less diffusion per roundUse more rounds
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Examples
Modern Lightweight block ciphers
SEADESLPRESENTKATAN/ KTANTANHIGHTPrintCIPHER
A lot more out there...
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
A comparison: (To be taken with care)
A fair comparison is difficultMany dimensionsDepends on the technology
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
First Example: PRESENT
PRESENT (CHES 2007)A 64 bit block cipher with 80/128 bit key and 31 rounds.
Developed by RUB/DTU/ORANGESP-network4 bit SboxBit permutation as P-layer
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
PRESENT: Overview
Figure: Overview of PRESENT
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Second Example: KATAN
KATAN (CHES 2009)
A 32/48/64 bit block cipher with 80 bit key and 254 rounds.
Developed by KULA (kind of) Feistel-cipherHighly unbalancedInspired by TriviumVery simple non-linear function
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
KATAN: Overview
Figure: Overview of KATAN
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Third Example: LED
LED (CHES 2011)A 64 bit block cipher with 64− 128 bit key and 32/48 rounds.
Developed by NTU and Orange LabsA SP-networkInspired by AESNice tweak to Mix Columns
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LED: Overview
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LED: Round Function
Very AES inspired:
Nice Trick – Hardware friendly MDS Matrix:
Very hardware friendly (but slower).
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Overview: As Time Goes By
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
How Far Can You Go?
MemoryGiven a block-size and a key-size the (minimal) memoryrequirements are fixed.
Focus on AreaMinimize the overhead to this.
PRESENT: 80 percent memoryKATAN: ≈ 90 percent memory
Even doing nothing is not a lot cheaper!
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
A Critical View (I)
Even doing nothing is not a lot cheaper!
Good or Bad?In terms of area: GoodIn terms of energy: Bad
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Progress
Design Date vs. Area
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
A Critical View (II)
Design Date vs. Speed
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
A Critical View (III)
Area OnlyThere seem only a few scenarios where the only criteria is area
For those good examples are available.
Time To Move OnFocus on other criteria!
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Outline
1 Motivation
2 Industry
3 Academia
4 Lightweight: 2nd Generation
5 NIST Initiative
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Time To Move OnFocus on other criteria!
Examples:LatencySide-channelCode-sizeEnergy
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Latency
LatencyTime to encrypt one block
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Latency
CHES 2012
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
PRINCE
PRINCE (ASIACRYPT’12)A block cipher optimized for low-latency (Designed by DTU,RUB, and NXP)
More precisely:one single clock cyclelow latency⇒ high clock ratesmoderate hardware costsencryption and decryption with low overhead.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c
R1
k ⊕ α
R2
k ⊕ α
I−1I R−12
k
R−11 m
k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1I R−12
k
R−11 m
k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1I R−12
k
R−11 m
k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I R−12
k
R−11 m
k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I
R−12
k
R−11 m
k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I R−12
k
R−11 m
k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I R−12
k
R−11 m
k
(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I R−12
k
R−11 m
k(k ⊕ α)
(k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I R−12
k
R−11 m
k(k ⊕ α) (k ⊕ α)
(k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I R−12
k
R−11 m
k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α
(k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I R−12
k
R−11 m
k
(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Decryption vs. Encryption
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1
k ⊕ α
R2
k ⊕ α
I−1
I R−12
k
R−11 m
k
(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Side-Channel Resistance
Side-Channel ResistanceWithout protection having a strong cipher is useless
Therefore: Masking necessary
Usual Approach1 Design a cipher2 Try to mask it efficiently
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Side-Channel Resistance by Design
Usual Approach1 Design a cipher2 Try to mask it efficiently
BetterDesign ciphers that are easy to mask
First approach already in 2000: NOEKEON
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
FSE 2014: LS-Designs
A familiy of easy to mask block ciphers
Designed by UC-Louvain and INRIA
Main ideaOpposite approach of what is done usually:
Use tables for the linear-layerUse (few) logical operations for S-boxes
Two instances:RobinFantomas
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0
L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1
L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2
L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Outline
1 Motivation
2 Industry
3 Academia
4 Lightweight: 2nd Generation
5 NIST Initiative
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
NIST Lightweight Crypto
NIST Lightweight Crypto Project
Started in 2015to understand the need/ requirements/ characteristics ofreal world applications,to understand where the NIST-approved algorithms fallshort,to bring industry/academia/government together,to think about future standardization of lightweightprimitives.
www.nist.gov/itl/csd/ct/lwc-project.cfm
Credit: Meltem Sonmez Turan from NIST@LightSec2015
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
NIST Lightweight Crypto
Key-SizesNIST will not accept key-sizes < 112 Bits.
But: Tradeoffs possible (cf. PRINCE)
Credit: Meltem Sonmez Turan from NIST@LightSec2015
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
NIST Lightweight Crypto
NIST Research IdeasNew dedicated proposals, e.g.
an AE primitive for short payloadnew modes of operationsauthentication mechanisms for stream cipherstweakableblock ciphers with small block size
Analysis recent lightweight crypto proposals, such asPresent, Prince, Chaskey, Simon/Speck, etc.Analysis of smaller Keccak variants using 200, 400, 800bits.Efficient implementations of lightweight crypto proposalson constrained environments(cf. FELICS Competition)
Credit: Meltem Sonmez Turan from NIST@LightSec2015
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Choose your favorite
NSA:Simon/Speck are crowsothers are Koalas
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Choose your favorite
NSA:Simon/Speck are crowsothers are Koalas
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
Conclusion
Lightweight Block CiphersAn interesting research area
Interesting problemsInnovative designsNew insights
Besides Practical RelevanceBetter understanding of block ciphers in general.
Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative
The End
Thank you