PRESENT
An Ultra-Lightweight Block Cipher
A. Bogdanov¹, L. R. Knudsen³, G. Leander¹, C. Paar¹, A. Poschmann¹, M. J. B. Robshaw², Y. Seurin², C. Vikkelsoe³
CHES 2007
¹ Ruhr-Universität Bochum
² Technical University Denmark, Denmark
³ Orange Lab, France
13.09.2007, Lightweight Cryptography From An Engineers Perspective, Axel Poschmann
Outline
• Motivation
• PRESENT Specification
• Security Analysis
• Implementation Results
• Conclusion
Why yet another Block Cipher? (1)
• Paradigm shift towards Pervasive Computing:
  • cost-driven deployment
  • very constrained devices in terms of CPU, memory, power, and energy
  • small messages
• Traditionally, "efficient" was equivalent to high throughput
• Known ciphers are designed for high throughput, high speed, high …
Demand for an ultra-lightweight block cipher
Why yet another Block Cipher? (2)
• Security properties well understood
• Sound building blocks and design principles available
• Block ciphers can be used
  • as stream ciphers
  • for hashing
Metric and Tradeoffs
[Figure: trade-off diagram with numbered corners 1, 2, 3. Labels: Resistance against attacks; Throughput, Energy; Area, Power. Ranges shown: 80 bits to 256 bits, 16 rounds to 48 rounds, serial to parallel.]
Requirements on PRESENT
• Design goals
  • Efficient hardware implementations
  • Moderate security level (80 bits)
  • Simplicity
  • Small amounts of plaintexts
  • Encryption-only core
• Metrics:
  1. Security
  2. Area, Power
  3. Speed
Top Level Description of PRESENT
S-Boxes in Hardware
S-Box area in GE (bar chart):
• AES-LUT (8 x 8): 1000
• AES-CF (8 x 8): 300
• DES (6 x 4): 120
• PRESENT (4 x 4): 28
• LUTs are realized as Boolean functions
• Highly non-linear
• High Boolean complexity
• Big area
S-Box Design Criteria
PRESENT S-Box
• Smallest 4x4 S-Boxes in hardware (28 GE)
• Fulfilling the above conditions
PRESENT Permutation
• Simple bit permutation
PRESENT Permutation - in Hardware
– Just wires
– No transistors required
– No delay
[Figure: wiring from input bits 0, 1, 2, 3, …, 63 to output bits, with P(1) = 16, P(2) = 32, P(3) = 48]
0 GE (some wiring)
PRESENT Key Schedule
Notation:
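• K: 80-bit key register
• At round 1: $K = k_{79}k_{78}\ldots k_{1}k_{0}$ = initial key
• At round i: $K_i = k_{79}k_{78}\ldots k_{17}k_{16}$ = round key for round i
Updating K:
2. $[k_{79}k_{78}\ldots k_{1}k_{0}] = [k_{18}k_{17}\ldots k_{20}k_{19}]$
3. $[k_{79}k_{78}k_{77}k_{76}] = S[k_{79}k_{78}k_{77}k_{76}]$
4. $[k_{19}k_{18}k_{17}k_{16}k_{15}] = [k_{19}k_{18}k_{17}k_{16}k_{15}] \oplus \text{round\_counter}$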
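The specification slides above (S-box layer, bit permutation, key schedule) put together as a software model of PRESENT-80. This is an added example, not code from the slides or the authors; the S-box table is not shown on this page and is taken from the published PRESENT specification, and all function names are chosen here for illustration.

```python
# Added example: bit-level model of PRESENT-80 encryption.
# S-box values come from the published PRESENT specification (not on this page).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK80 = (1 << 80) - 1


def s_layer(state: int) -> int:
    """Apply the 4-bit S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for n in range(16):
        out |= SBOX[(state >> (4 * n)) & 0xF] << (4 * n)
    return out


def p_layer(state: int) -> int:
    """Bit permutation: bit i moves to 16*i mod 63; bit 63 stays in place."""
    out = 0
    for i in range(64):
        dst = 63 if i == 63 else (16 * i) % 63
        out |= ((state >> i) & 1) << dst
    return out


def round_keys(key: int) -> list:
    """Derive the 32 round keys K_1..K_32 from an 80-bit key register."""
    k, keys = key & MASK80, []
    for counter in range(1, 32):
        keys.append(k >> 16)                      # K_i = k79..k16
        k = ((k << 61) | (k >> 19)) & MASK80      # rotate left by 61 bits
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))  # S-box on k79..k76
        k ^= counter << 15                        # round counter into k19..k15
    keys.append(k >> 16)                          # K_32, used after round 31
    return keys


def encrypt(block: int, key: int) -> int:
    """Encrypt one 64-bit block: 31 rounds plus a final key addition."""
    rk = round_keys(key)
    state = block
    for i in range(31):
        state = p_layer(s_layer(state ^ rk[i]))
    return state ^ rk[31]


if __name__ == "__main__":
    # Published test vector: all-zero key and all-zero plaintext.
    print(f"{encrypt(0, 0):016X}")
```
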
Differential Cryptanalysis
Theorem 1:
Any 5-round differential characteristic of PRESENT has at least 10 active S-Boxes.
• Any differential characteristic over 25 rounds must have at least 50 active S-Boxes
• Maximum differential probability of an S-Box is $2^{-2}$
• Probability of a 25-round characteristic is bounded by $(2^{-2})^{50} = 2^{-100}$
$2^{100} \gg 2^{64}$ (available PT/CT pairs)
$2^{100} \gg 2^{80}$ (key size)
Linear Cryptanalysis
Theorem 2:
Let $\varepsilon_{4R}$ be the maximal bias of a linear approximation of four rounds of PRESENT. Then $\varepsilon_{4R} \le 2^{-7}$.
• The maximum bias of a 28-round linear approximation is $2^{6} \times (\varepsilon_{4R})^{7} = 2^{6} \times (2^{-7})^{7} = 2^{-43}$
• About $(2^{43})^{2} = 2^{86}$ known PT/CT pairs required
$2^{86} \gg 2^{64}$ (available plaintext)
$2^{86} \gg 2^{80}$ (key size)
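The S-box figures behind the differential and linear slides can be recomputed directly. The following added example (not from the slides or the authors) builds the difference distribution and linear approximation tables of the PRESENT S-box and then carries the slides' bounds through; the S-box table comes from the published specification, and the function names are chosen here.

```python
# Added example: S-box statistics and the resulting bounds from the slides.
from itertools import product
from math import log2

# S-box values from the published PRESENT specification (not on this page).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt_max(sbox):
    """Largest difference-distribution count over nonzero input differences."""
    best = 0
    for dx in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best


def parity(v):
    return bin(v).count("1") & 1


def lat_max(sbox):
    """Largest |#{x : a.x == b.S(x)} - 8| over nonzero masks a, b."""
    best = 0
    for a, b in product(range(1, 16), repeat=2):
        agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(16))
        best = max(best, abs(agree - 8))
    return best


def differential_bound_log2(rounds=25):
    """log2 of the characteristic bound: 10 active S-boxes per 5 rounds."""
    active = 10 * (rounds // 5)
    return active * log2(ddt_max(SBOX) / 16)


def linear_data_log2(four_round_bias_log2=-7, blocks=7):
    """log2 of known PT/CT pairs needed, using the slide's 28-round bias."""
    bias_log2 = (blocks - 1) + blocks * four_round_bias_log2  # 2^6 * (2^-7)^7
    return -2 * bias_log2


if __name__ == "__main__":
    print(ddt_max(SBOX), lat_max(SBOX))
    print(differential_bound_log2(), linear_data_log2())
```

A count of 4 out of 16 in either table corresponds to the per-S-box probability and bias of $2^{-2}$.
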
Algebraic Cryptanalysis
• The PRESENT 4 x 4 S-Boxes can be described by 21 equations over GF(2) using 8 variables
• 21 x 17 x 31 = 11,067 quadratic equations
• 8 x 17 x 31 = 4,216 variables
• Small-scale version analyzed
  • 7 S-Boxes
  • 28-bit block
  • 2 rounds
Buchberger and F4 algorithms fail to deliver a solution in a reasonable time for this 2-round 28-bit mini-PRESENT
Toolchain
• VHDL
• Virtual Silicon UMCL18G212T3
• Mentor Graphics ModelSim SE Plus 5.8c
• Synopsys DesignCompiler Y-2006-06
PRESENT-80 Datapath
[Figure: PRESENT-80 datapath; area shares shown: 55%, 29%, 3%, 11%]
• 32 cycles
• 1570 GE
• 5 µW @ 100 kHz
• 1.8 V
• 25 °C
Comparison of Lightweight Ciphers
Area in GE (bar chart):
• CLEFIA: 4993
• AES: 3400
• HIGHT: 3048
• DESXL: 2168
• PRESENT-128: 1886
• PRESENT-80: 1570
• TRIVIUM: 2599
• GRAIN: 1294
Conclusion
• Presented the new block cipher PRESENT
• SPN with 64-bit state, 80-bit key, 31 rounds
• Based on well-known design principles (feature)
• Very small footprint in hardware (1570 GE)
• Low power estimates (5 µW)
• Lightweight block ciphers have a footprint similar to that of stream ciphers
Please try to break PRESENT!
PRESENT Permutation - Further Notes
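$$P(i) = \begin{cases} 16 \cdot i \bmod 63, & 1 \le i \le 62 \\ i, & i \in \{0, 63\} \end{cases}$$
• Order-3 property: P(P(P(i))) = i (applying P three times gives the identity)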
• Could be useful for serialization