Lightweight Block Cipher Design...LED (CHES 2011) A 64 bit block cipher with 64 128 bit key and...

Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative

Lightweight Block Cipher Design

Gregor Leander

HGI, Ruhr University Bochum, Germany

Sardinia 2015


Outline

1 Motivation

2 Industry

3 Academia

4 Lightweight: 2nd Generation

5 NIST Initiative


Upcoming IT-Landscape


Popular Example: RFID-Tags

RFID Tag

RFID=Radio-Frequency IDentification


Example I

Electronic Passports


Example II

Logistics


Example III

Pacemaker implants


Security

QuestionDo we want this?

If we want it, we want it secure!


Attacks I

Iron attacks in Russia


Attacks II

Fear: Terrorist attacks on pacemaker


Lightweight Cryptography

What is (not) Lightweight CryptographyCryptography tailored to (extremely) constrained devicesNot intended for everythingNot intended for extremely strong adversariesNot weak cryptography


Lightweight Cryptography

QuestionWhat about standard algorithms?

AES is great for almost everywhereMainly designed for softwareIt is too expensive for very small devicesIt protects data stronger than needed


AES: The Swiss Army Knife

Domain Specific CipherOn specific platforms/for specific criteria one can do better.


Lightweight Cryptography: Industry vs. Academia

IndustryNon-existence of lightweight block ciphers a real problem sincethe 90’s.

Many proprietary solutionsOften: not very good.

AcademiaResearch on Lightweight block ciphers started only recently.

Several good proposals available.Developed a bit away from industry demands.


Outline

1 Motivation

2 Industry

3 Academia


5 NIST Initiative


Lightweight Ciphers in Real Life

Example (Algorithms Used In Real Products)KeeloqMIFAREDECTKindle Cipher

What they have in common:efficientproprietary/not publicnon standard designsnot good

A lot more out there...


Keeloq

KeeloqA 32 bit block-cipher with a 64 bit key.

Developed by Gideon Kuhn (around 1985).Sold for 10M$ to Microchip Technology Inc (1995).Algorithm for remote door openers: Cars, Garage, ...Used by: Chrysler, Daewoo, Fiat, GM, Honda, Toyota,Volvo, Volkswagen Group,...


KeeLoq

EUROCRYPT 2008


MIFARE

MIFARE CipherA stream cipher with an 48 bit key.

widely used in contactless smart cardsbillions of smart card chipselectronic bus and train tickets


MIFARE Cipher

CARDIS 2008


DECT

DECT CipherA stream cipher with an 64 bit key.

cordless home telephones30.000.000 base station in Germanyalso baby phones, traffic lights, etc


DECT Cipher

FSE 2010


Kindle

Kindle Cipher (PC1)A stream cipher with an 128 bit key.

Amazons Kindle ebookDRM system


Kindle Cipher

SAC 2012


Outline

1 Motivation

2 Industry

3 Academia


5 NIST Initiative


Why?

QuestionWhy do they do that?

We needsecurewell analyzedpublic

ciphers for highly resource constrained devices.


General Design Philosophy

Guidelines/GoalsEfficiency: Here mainly areaSimplicitySecurity


Design Considerations: Hardware

HardwareWhat do things cost in hardware?

SuggestionMake it an interdisciplinary project!


Cost Overview

QuestionWhat should/should not be used?

Rule of Thumb:NOT: 0.5 GENOR: 1 GEAND: 1.33 GEOR: 1.33XOR: 2.67

Registers/Flipflops: 6− 12 GE per bit!


Design Decisions I

QuestionBlock size/ Key size?

Storage (FF) is expensive in hardware.Block size of 128 is too much.We do not have to keep things secret forever.

DecisionRelative Small Block Size: 32,48 or 64Key size: 80 bit often enough


Block Cipher Parts

SP-NetworkWe have to design

Non-linear-LayerLinear-LayerKey-scheduling

Here we focus on the Non-linear-Layer and the Linear-Layer.


Design Issues

Design Issues

The S-Layer has to maximize nonlinearity.It has to be cheap.

The S-Layer consist of a number of Sboxes executed in parallel

Si : Fb2 → Fb

2

In hardware realized as Boolean functions.


Design Issues

QuestionDifferent Sboxes vs. all Sboxes the same?

A serialized implementation becomes smaller if all Sboxes arethe same.

DecisionOnly one Sbox.


Design Issues

QuestionWhat size of Sbox?

In general: The bigger the Sbox the more expensive it is inhardware.


Sbox Costs

Figure: Comparison of Sboxes


P-Layer

Design Issues

The P-Layer has to maximize diffusion.It has to be cheap.

Many modern ciphers: MDS codes (great diffusion!)DES: Bit permutation (no cost!)

Design Decision

Use less diffusion per roundUse more rounds


Examples

Modern Lightweight block ciphers

SEADESLPRESENTKATAN/ KTANTANHIGHTPrintCIPHER

A lot more out there...


A comparison: (To be taken with care)

A fair comparison is difficultMany dimensionsDepends on the technology


First Example: PRESENT

PRESENT (CHES 2007)A 64 bit block cipher with 80/128 bit key and 31 rounds.

Developed by RUB/DTU/ORANGESP-network4 bit SboxBit permutation as P-layer


PRESENT: Overview

Figure: Overview of PRESENT


Second Example: KATAN

KATAN (CHES 2009)

A 32/48/64 bit block cipher with 80 bit key and 254 rounds.

Developed by KULA (kind of) Feistel-cipherHighly unbalancedInspired by TriviumVery simple non-linear function


KATAN: Overview

Figure: Overview of KATAN


Third Example: LED

LED (CHES 2011)A 64 bit block cipher with 64− 128 bit key and 32/48 rounds.

Developed by NTU and Orange LabsA SP-networkInspired by AESNice tweak to Mix Columns


LED: Overview


LED: Round Function

Very AES inspired:

Nice Trick – Hardware friendly MDS Matrix:

Very hardware friendly (but slower).


Overview: As Time Goes By


How Far Can You Go?

MemoryGiven a block-size and a key-size the (minimal) memoryrequirements are fixed.

Focus on AreaMinimize the overhead to this.

PRESENT: 80 percent memoryKATAN: ≈ 90 percent memory

Even doing nothing is not a lot cheaper!


A Critical View (I)

Even doing nothing is not a lot cheaper!

Good or Bad?In terms of area: GoodIn terms of energy: Bad


Progress

Design Date vs. Area


A Critical View (II)

Design Date vs. Speed


A Critical View (III)

Area OnlyThere seem only a few scenarios where the only criteria is area

For those good examples are available.

Time To Move OnFocus on other criteria!


Outline

1 Motivation

2 Industry

3 Academia


5 NIST Initiative


Time To Move OnFocus on other criteria!

Examples:LatencySide-channelCode-sizeEnergy


Latency

LatencyTime to encrypt one block


Latency

CHES 2012


PRINCE

PRINCE (ASIACRYPT’12)A block cipher optimized for low-latency (Designed by DTU,RUB, and NXP)

More precisely:one single clock cyclelow latency⇒ high clock ratesmoderate hardware costsencryption and decryption with low overhead.


Decryption vs. Encryption

m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c

R1

k ⊕ α

R2

k ⊕ α

I−1I R−12

k

R−11 m

k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α

Enc vs. DecDecryption is Encryption with a different key!

E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1I R−12

k

R−11 m

k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1

I R−12

k

R−11 m

k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1

I

R−12

k

R−11 m

k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1

I R−12

k

R−11 m

k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1

I R−12

k

R−11 m

k

(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1

I R−12

k

R−11 m

k(k ⊕ α)

(k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1

I R−12

k

R−11 m

k(k ⊕ α) (k ⊕ α)

(k ⊕ α)⊕ α (k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1

I R−12

k

R−11 m

k(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α

(k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)



m R1

k

R2

k

I R−12

k ⊕ α

R−11

k ⊕ α

c

c R1

k ⊕ α

R2

k ⊕ α

I−1

I R−12

k

R−11 m

k

(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α


E−1k (m) = Ek⊕α(m)


Side-Channel Resistance

Side-Channel ResistanceWithout protection having a strong cipher is useless

Therefore: Masking necessary

Usual Approach1 Design a cipher2 Try to mask it efficiently


Side-Channel Resistance by Design

Usual Approach1 Design a cipher2 Try to mask it efficiently

BetterDesign ciphers that are easy to mask

First approach already in 2000: NOEKEON


FSE 2014: LS-Designs

A familiy of easy to mask block ciphers

Designed by UC-Louvain and INRIA

Main ideaOpposite approach of what is done usually:

Use tables for the linear-layerUse (few) logical operations for S-boxes

Two instances:RobinFantomas


LS-Designs: Structure

One box is a bitRegisters correspond to columns

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

L0 L1 L2 L3




S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

L0

L1 L2 L3




S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

L0 L1

L2 L3




S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

L0 L1 L2

L3




S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

S-Box

L0 L1 L2 L3


Outline

1 Motivation

2 Industry

3 Academia


5 NIST Initiative


NIST Lightweight Crypto

NIST Lightweight Crypto Project

Started in 2015to understand the need/ requirements/ characteristics ofreal world applications,to understand where the NIST-approved algorithms fallshort,to bring industry/academia/government together,to think about future standardization of lightweightprimitives.

www.nist.gov/itl/csd/ct/lwc-project.cfm

Credit: Meltem Sonmez Turan from NIST@LightSec2015



Key-SizesNIST will not accept key-sizes < 112 Bits.

But: Tradeoffs possible (cf. PRINCE)




NIST Research IdeasNew dedicated proposals, e.g.

an AE primitive for short payloadnew modes of operationsauthentication mechanisms for stream cipherstweakableblock ciphers with small block size

Analysis recent lightweight crypto proposals, such asPresent, Prince, Chaskey, Simon/Speck, etc.Analysis of smaller Keccak variants using 200, 400, 800bits.Efficient implementations of lightweight crypto proposalson constrained environments(cf. FELICS Competition)


https://www.cryptolux.org/index.php/FELICS_Triathlon


Choose your favorite

NSA:Simon/Speck are crowsothers are Koalas


Conclusion

Lightweight Block CiphersAn interesting research area

Interesting problemsInnovative designsNew insights

Besides Practical RelevanceBetter understanding of block ciphers in general.


The End

Thank you

Lightweight Block Cipher Design...LED (CHES 2011) A 64 bit block cipher with 64 128 bit key and...

Documents

Transcript of Lightweight Block Cipher Design...LED (CHES 2011) A 64 bit block cipher with 64 128 bit key and...