Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark...
Transcript of Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark...
![Page 1: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/1.jpg)
PAGE: 1 of 33 Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
- Hardware Perspective -
Miroslav KneževićNXP Semiconductors
Lightweight Cryptography
Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES
![Page 2: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/2.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
PAGE: 2 of 33
Digital Continuum~kb/s, μW
~Gb/s, MW
![Page 3: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/3.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
PAGE: 3 of 33
![Page 4: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/4.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
PAGE: 3 of 33
![Page 5: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/5.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
A bit of History
PAGE: 4 of 33
0
450
900
1350
1800
2250
2700
3150
3600
4050
4500
1970 1977 1984 1991 1998 2005 2012
Block Ciphers
DES
GOST (FK)
TEAAES
mCrypton
SEA
DESXL
DESL
PRESENT
PUFFIN
HUMMINGBIRD
MIBS
KATAN
KATAN (FK) PRINTcipher
KLEIN
TWINE
PICCOLOLEDLED (FK)PICCOLO (FK)
CLEFIA
HIGHTKASUMI
Are
a (G
E)
Year
![Page 6: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/6.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
A bit of History
PAGE: 4 of 33
0
450
900
1350
1800
2250
2700
3150
3600
4050
4500
1970 1977 1984 1991 1998 2005 2012
Block Ciphers Stream Ciphers
DES TEA mCrypton
SEA
HIGHT
CLEFIADESXL
DESL
PRESENT
PUFFIN
HUMMINGBIRD
MIBS
KATAN
KATAN (FK) PRINTcipher
KLEIN
TWINE
PICCOLOLEDLED (FK)PICCOLO (FK)
MICKEY
TRIVIUM
GRAIN
KASUMI
Are
a (G
E)
Year
GOST (FK)
AES
![Page 7: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/7.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
A bit of History
PAGE: 4 of 33
0
450
900
1350
1800
2250
2700
3150
3600
4050
4500
1970 1977 1984 1991 1998 2005 2012
Block Ciphers Stream Ciphers Hash Functions
DES TEA mCrypton
SEA
KASUMI
DESXL
DESL
PRESENT
PUFFIN
HUMMINGBIRD
MIBS
KATAN
KATAN (FK) PRINTcipher
KLEIN
TWINE
PICCOLOLEDLED (FK)PICCOLO (FK)
MICKEY
TRIVIUM
GRAIN
HIGHT
CLEFIA
ARMADILLO
KECCAKH-PRESENT
QUARK PHOTON
SPONGENT
DM-PRESENT
Are
a (G
E)
Year
GOST (FK)
AES
![Page 8: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/8.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Block Cipher - Hardware Perspective
PAGE: 5 of 33
Block size128-bits
Key size128-bits
Round function Key schedule
Control
Memory
Datapath
AES example:Round-Based Implementation
Area: ~ 15,000 GELatency: 10 cycles
![Page 9: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/9.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Block Cipher - Hardware Perspective
PAGE: 5 of 33
Block size128-bits
Key size128-bits
Round function
Key schedule
Control
Memory
Datapath
AES example:Serial Implementation
Area: ~ 2,400 GELatency: 226 cycles
![Page 10: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/10.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Key size ≥ 80 bits
PAGE: 6 of 33
Memory
Round function
Key schedule Control
logic
90 - 95%
Block size ≥ 32 bits
BALANCE!MINIMIZE!
Block Cipher - Hardware Perspective
![Page 11: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/11.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Key size ≥ 80 bits
Block size ≥ 32 bits
PAGE: 6 of 33
Block Cipher - Hardware Perspective
![Page 12: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/12.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Key size ≥ 80 bits
Block size ≥ 32 bits
PAGE: 6 of 33
Block Cipher - Hardware Perspective
Block size ≥ 32 bits
Fixed KeyArbitrary Key
![Page 13: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/13.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: 7 of 33
KATAN - Minimalistic Design
L1!
L2!
x5! x4! x3! x2! x1!
y2! y3! y4! y5! y6!y1!
kb!
ka!IR!
key_reg!60!
kb!
79! 78! 59! 49! 48! 12! 11! 1! 0!
ka!
T!6!7! 4! 2! 0!
IR!
Round function and Control logic merged!
462 GE
![Page 14: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/14.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: 7 of 33
KATAN - Minimalistic Design
L1!
L2!
x5! x4! x3! x2! x1!
y2! y3! y4! y5! y6!y1!
kb!
ka!IR!
T!6!7! 4! 2! 0!
IR!
Round function and Control logic merged!Expanded Key stored in silicon!
Only 508 bits of Expanded Key!Avoid a weak key schedule:
KTANTAN!315 GE + 508 bits of ROM
![Page 15: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/15.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: 8 of 33
PRESENT - Small and Scalable
~ 1500 GE
PRESENT-like PermutationRound-based Implementation
![Page 16: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/16.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
PRESENT - Small and Scalable
~ 1000 GE
PRESENT-like PermutationSerial Implementation
PAGE: 8 of 33
![Page 17: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/17.jpg)
Hardware Perspective
Lightweight Cryptography
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
A Battle for a Single Gate
PRESENTUMC180IHP250
AMIS350synopsys
~1kGE
KATANUMC130synopsys≥450 GE Piccolo
130nmsynopsys≥700 GE
QUARKUMC180synopsyscadence≥1.4 kGE
PHOTONUMC180synopsys≥850 GE
SPONGENTUMC130synopsys≥750 GE
LED180nm
synopsys≥700 GE
PAGE: 11 of 33
![Page 18: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/18.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
0
750
1500
2250
3000
521 737 9181192 1340738
10601329
17281950
7591103
1367
17682012
8681256
1571
20712323
88/80/8128/128/8
160/160/16224/224/16
256/256/16
NXP90 UMC130 UMC180 NANGATE45
Fair Comparison - Mission (Im)possible?Spongent in 4 different techs
UP TO 70% DIFFERENCE!
Are
a (G
E)
PAGE: 12 of 33
![Page 19: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/19.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Fair Comparison - Mission (Im)possible?
0
2
4
6
8
scan FF
NXP90 UMC130 UMC180 NANGATE45
< 5 GE/sFF 6.25 GE/sFF 7.67 GE/sFF6.67 GE/sFF
Open CoreLibrary!
Are
a (G
E)
PAGE: 13 of 33
![Page 20: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/20.jpg)
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
0
1000
2000
3000
4000
8691257 1572
2070 2323
1067 13941741
2142
2675
17442200
3001
80/88128
160224
256
Spongent Photon Quark
Fair Comparison - Mission Possible?
Are
a (G
E)
Hash Output
Fixed Benchmark: 45 nm Open Core NANGATE library, Cadence RTL Compiler, Original RTL Code.
PAGE: 14 of 33
![Page 21: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/21.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
PAGE: 15 of 33
![Page 22: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/22.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
AES
Keccak
Groestl
Blake NOEKEON
PRESENT
LED
KLEINMINI-AESMCRYPTON
Photon
KATAN Piccolo
SPONGENT
TEA SEA
PRINTcipher
Quark
?
Skein
SHA-256JH
TRIVIUM
Grain
IDEA
Serpent
Two!sh
Square 3DES
PAGE: 16 of 33
![Page 23: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/23.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
AES
Keccak
Groestl
Blake NOEKEON
PRESENT
LED
KLEINMINI-AESMCRYPTON
Photon
KATAN Piccolo
SPONGENT
TEA SEA
PRINTcipher
Quark
?
Skein
SHA-256JH
TRIVIUM
Grain
IDEA
Serpent
Two!sh
Square 3DES
PAGE: 16 of 33
![Page 24: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/24.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
AES
Keccak
Groestl
BlakeNOEKEON
PRESENT
LED
KLEIN
MINI-AES
MCRYPTON
Photon
KATAN
PiccoloSPONGENT
TEASEA
cipher
QuarkSkein
SHA-256JH
TRIVIUM GrainIDEA
Serpent
Two!sh
Square
3DES
A kid in a Toy store
PAGE: 17 of 33
![Page 25: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/25.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
AES
NOEKEON
PRESENT
LED
KLEIN
MINI-AES
MCRYPTON
A kid in a Toy store
PAGE: 17 of 33
![Page 26: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/26.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
AES
NOEKEON
PRESENT
LED
KLEIN
MINI-AES
MCRYPTON
Variety of Choices
128 128 8 MDS LIGHT
128 128 4 BINARY NO
64 64 4 MDS LIGHT
64 64, 96, 128 4 BINARY LIGHT
64 80, 128 4 BITPERMUTATION LIGHT
64 64, 80, 96 4 MDS LIGHT
64 64, 128 4 MDS NO
BLOCK-SIZE KEY-SIZE S-BOX P-LAYER KEY SCHEDULE
PAGE: 18 of 33
![Page 27: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/27.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Latency vs Throughput
Latency = 15 sThroughput = 0.067 beer/s
PAGE: 19 of 33
![Page 28: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/28.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Latency vs Throughput
Latency = 15 sThroughput = 0.2 beer/s
Parallel Processing
PAGE: 19 of 33
![Page 29: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/29.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Latency vs Throughput
Latency = 15 sThroughput = 0.2 beer/s
Pipelining
PAGE: 19 of 33
![Page 30: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/30.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Latency vs Throughput
Latency = 5 sThroughput = 0.2 beer/s
Ad Fundum
PAGE: 19 of 33
![Page 31: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/31.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Six Architectures
R1
R2
Rn
…
R1
Rn/2
…
R1
R2
Rn
…
Rn
Rn -1
R1
…
-1
-1
-1
R1
Rn/2
…
Rn/2
R1
…
-1
-1
R1/Rn
…
…
-1
R2/Rn -1 -1
Rn /R1 -1
R1/Rn/2 -1
Rn /2/R1 -1
(a) (b) (c) (d) (e) (f)
PAGE: 20 of 33
![Page 32: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/32.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Number of Rounds vs Key Size
PAGE: 21 of 33
![Page 33: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/33.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Results - Latency
0
12,5
25
37,5
50
17,8
15,3
20,3
25,3
31,2
46,6
9,8 9,8 9,8 9,9
14,8 15,514,8
14,7
20,2
16,4
21,4
26,4
32,8
48,2
10,8 10,8 11 12
17 17,416,4 16,6
1-cycle 2-cycle
AES-1
28
KLEIN
-64
KLEIN
-96
KLEIN
-128
LED-6
4
LED-1
28
MCRYPT
ON-6
4
MCRYPT
ON-9
6
MCRYPT
ON-1
28
MINI-A
ES-6
4
NOEK
EON-1
28
NOEK
EONs-1
28
PRES
ENT-8
0
PRES
ENT-1
28
*ENC/DEC; Max Time-Constrained
PAGE: 22 of 33
![Page 34: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/34.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Results - Area
0
100
200
300
400366,6
48,2 63,7 79,9
128,7
193,1
41,3 40,4 41,440
102,5
49,572,3 73,8
191,8
24,9 32,6 41,363,5
96
20,9 21,1 21 2249,6
27,1 37,637,1
1-cycle 2-cycle
AES-1
28
KLEIN
-64
KLEIN
-96
KLEIN
-128
LED-6
4
LED-1
28
MCRYPT
ON-6
4
MCRYPT
ON-9
6
MCRYPT
ON-1
28
MINI-A
ES-6
4
NOEK
EON-1
28
NOEK
EONs-1
28
PRES
ENT-8
0
PRES
ENT-1
28
*ENC/DEC; Max Time-Constrained
PAGE: 23 of 33
![Page 35: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/35.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Results - Average Latency per Round
0
0,5
1
1,5
21,78
1,28 1,27 1,27
0,98 0,97
0,82 0,82 0,82
0,990,93 0,97
0,480,47
1,48
0,93 0,93 0,92 0,97 0,96
0,81 0,81 0,81 0,86 0,93
0,46 0,46
ENC/DEC ENC
AES-1
28
KLEIN
-64
KLEIN
-96
KLEIN
-128
LED-6
4
LED-1
28
MCRYPT
ON-6
4
MCRYPT
ON-9
6
MCRYPT
ON-1
28
MINI-A
ES-6
4
NOEK
EON-1
28
NOEK
EONs-1
28
PRES
ENT-8
0
PRES
ENT-1
28
*1-cycle Architecture; Max Time-Constrained
PAGE: 24 of 33
![Page 36: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/36.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyResults - Area per Round DistributionPRESENT-80, ENC only
PAGE: 25 of 33
![Page 37: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/37.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Hardware Recommendations
We provide hardware recommendations for designing low-latency primitives.
Evaluated ciphers are designed with low-area and low-power in mind and not to satisfy new low-latency requirements.
Still, we can learn quite a lot from their constructions.
PAGE: 26 of 33
![Page 38: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/38.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Sbox-
Use small Sboxes (4-bit or even 3-bit ones).
Even among them there are significant differences in latency and area [24].
These differences are library dependent.
G. Leander and A. Poschmann, On the Classification of 4-bit Sboxes, in Arithmetic of Finite Fields, First International Workshop - WAIFI 2007, volume 4547 of Lecture Notes in Computer Science, pages 159-176, 2007.
[24]
PAGE: 27 of 33
![Page 39: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/39.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Number of Rounds-
Minimize!
PAGE: 28 of 33
![Page 40: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/40.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Round Complexity-
Not too low complexity.
Reduce the number of rounds at the cost of (slightly) heavier round.
PAGE: 29 of 33
![Page 41: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/41.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Key Schedule-
Number of rounds should be independent of the key schedule.
Use constant addition instead of a key schedule (if possible).
PAGE: 30 of 33
![Page 42: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/42.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Heterogeneous Constructions-
Last few rounds of the cipher are smaller than the middle ones.
Make those few rounds more computationally complex.
Not very good for compact implementations.
PAGE: 31 of 33
![Page 43: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/43.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Encryption vs Decryption-
Use involution: f(f(x)) = x.
Make Encryption and Decryption procedures similar.
BUT: Think “application oriented” - sometimes is beneficial to have “asymmetric” constructions.
PAGE: 32 of 33
![Page 44: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/44.jpg)
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyConclusionsmeet PRINCE
AESAES
PRESENT PRESENT
PRINCEPRINCE
Latency [ns]Area [kGE]
J. Borghoff, A. Canteaut, T. Guneysu, E. B. Kavun, M. Knezevic, L. R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S. Thomsen, T. Yalcin, PRINCE - A Low-latency Block Cipher for Pervasive Computing Applications, to appear in ASIACRYPT 2012.
PAGE: 33 of 33
![Page 45: Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark Fair Comparison - Mission Possible? E) Hash Output Fixed Benchmark: 45 nm Open](https://reader034.fdocuments.us/reader034/viewer/2022052022/60377d81af157c162f3c1c8d/html5/thumbnails/45.jpg)
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: THE END
Thank you!