lightweight block cipher design - radboud universiteit · fantomas. motivationindustryacademia a...
TRANSCRIPT
![Page 1: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/1.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Block Cipher Design
Gregor Leander
HGI, Ruhr University Bochum, Germany
Croatia 2014
![Page 2: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/2.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
![Page 3: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/3.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
![Page 4: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/4.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Upcoming IT-Landscape
Figure: Upcoming IT-Landscape
![Page 5: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/5.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
More Precisely: RFID-Tags
RFID Tag
RFID=Radio-Frequency IDentification
![Page 6: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/6.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Example I
Electronic Passports
![Page 7: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/7.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Example II
Logistics
![Page 8: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/8.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Example III
Pacemaker implants
![Page 9: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/9.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Security
QuestionDo we want this?
If we want it, we want it secure!
![Page 10: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/10.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Security
QuestionDo we want this?
If we want it, we want it secure!
![Page 11: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/11.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Attacks I
Iron attacks in Russia
![Page 12: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/12.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Attacks II
Fear: Terrorist attacks on pacemaker
![Page 13: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/13.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Cryptography
What is (not) Lightweight CryptographyCryptography tailored to (extremely) constrained devicesNot intended for everythingNot intended for extremely strong adversariesNot weak cryptography
![Page 14: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/14.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Cryptography
QuestionWhat about standard algorithms?
AES is great for almost everywhereMainly designed for softwareIt is too expensive for very small devicesIt protects data stronger than needed
![Page 15: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/15.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
AES: The Swiss Army Knife
Domain Specific CipherOn specific platforms/for specific criteria one can do better.
![Page 16: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/16.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Cryptography: Industry vs. Academia
IndustryNon-existence of lightweight block ciphers a real problem sincethe 90’s.
Many proprietary solutionsOften: not very good.
AcademiaResearch on Lightweight block ciphers started only recently.
Several good proposals available.Developed a bit away from industry demands.
![Page 17: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/17.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
![Page 18: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/18.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Ciphers in Real Life
Example (Algorithms Used In Real Products)KeeloqMIFAREDECTKindle Cipher
What they have in common:efficientproprietary/not publicnon standard designsnot good
A lot more out there...
![Page 19: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/19.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Keeloq
KeeloqA 32 bit block-cipher with a 64 bit key.
Developed by Gideon Kuhn (around 1985).Sold for 10M$ to Microchip Technology Inc (1995).Algorithm for remote door openers: Cars, Garage, ...Used by: Chrysler, Daewoo, Fiat, GM, Honda, Toyota,Volvo, Volkswagen Group,...
![Page 20: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/20.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
KeeLoq
EUROCRYPT 2008
![Page 21: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/21.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
MIFARE
MIFARE CipherA stream cipher with an 48 bit key.
widely used in contactless smart cardsbillions of smart card chipselectronic bus and train tickets
![Page 22: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/22.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
MIFARE Cipher
CARDIS 2008
![Page 23: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/23.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
DECT
DECT CipherA stream cipher with an 64 bit key.
cordless home telephones30.000.000 base station in Germanyalso baby phones, traffic lights, etc
![Page 24: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/24.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
DECT Cipher
FSE 2010
![Page 25: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/25.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Kindle
Kindle Cipher (PC1)A stream cipher with an 128 bit key.
Amazons Kindle ebookDRM system
![Page 26: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/26.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Kindle Cipher
SAC 2012
![Page 27: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/27.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
![Page 28: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/28.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Why?
QuestionWhy do they do that?
We needsecurewell analyzedpublic
ciphers for highly resource constrained devices.
![Page 29: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/29.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
General Design Philosophy
Guidelines/GoalsEfficiency: Here mainly areaSimplicitySecurity
![Page 30: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/30.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Considerations: Hardware
HardwareWhat do things cost in hardware?
SuggestionMake it an interdisciplinary project!
![Page 31: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/31.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Cost Overview
QuestionWhat should/should not be used?
Rule of Thumb:NOT: 0.5 GENOR: 1 GEAND: 1.33 GEOR: 1.33XOR: 2.67
Registers/Flipflops: 6− 12 GE per bit!
![Page 32: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/32.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Decisions I
QuestionBlock size/ Key size?
Storage (FF) is expensive in hardware.Block size of 128 is too much.We do not have to keep things secret forever.
DecisionRelative Small Block Size: 32,48 or 64Key size: 80 bit often enough
![Page 33: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/33.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Block Cipher Parts
SP-NetworkWe have to design
Non-linear-LayerLinear-LayerKey-scheduling
Here we focus on the Non-linear-Layer and the Linear-Layer.
![Page 34: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/34.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Issues
Design Issues
The S-Layer has to maximize nonlinearity.It has to be cheap.
The S-Layer consist of a number of Sboxes executed in parallel
Si : Fb2 → Fb
2
In hardware realized as Boolean functions.
![Page 35: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/35.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Issues
QuestionDifferent Sboxes vs. all Sboxes the same?
A serialized implementation becomes smaller if all Sboxes arethe same.
DecisionOnly one Sbox.
![Page 36: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/36.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Issues
QuestionWhat size of Sbox?
In general: The bigger the Sbox the more expensive it is inhardware.
![Page 37: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/37.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Sbox Costs
Figure: Comparison of Sboxes
![Page 38: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/38.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
P-Layer
Design Issues
The P-Layer has to maximize diffusion.It has to be cheap.
Many modern ciphers: MDS codes (great diffusion!)DES: Bit permutation (no cost!)
Design Decision
Use less diffusion per roundUse more rounds
![Page 39: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/39.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Examples
Modern Lightweight block ciphers
SEADESLPRESENTKATAN/ KTANTANHIGHTPrintCIPHER
A lot more out there...
![Page 40: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/40.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
A comparison: (To be taken with care)
A fair comparison is difficultMany dimensionsDepends on the technology
![Page 41: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/41.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
First Example: PRESENT
PRESENT (CHES 2007)A 64 bit block cipher with 80/128 bit key and 31 rounds.
Developed by RUB/DTU/ORANGESP-network4 bit SboxBit permutation as P-layer
![Page 42: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/42.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
PRESENT: Overview
Figure: Overview of PRESENT
![Page 43: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/43.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Second Example: KATAN
KATAN (CHES 2009)
A 32/48/64 bit block cipher with 80 bit key and 254 rounds.
Developed by KULA (kind of) Feistel-cipherHighly unbalancedInspired by TriviumVery simple non-linear function
![Page 44: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/44.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
KATAN: Overview
Figure: Overview of KATAN
![Page 45: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/45.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Third Example: LED
LED (CHES 2011)A 64 bit block cipher with 64− 128 bit key and 32/48 rounds.
Developed by NTU and Orange LabsA SP-networkInspired by AESNice tweak to Mix Columns
![Page 46: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/46.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LED: Overview
![Page 47: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/47.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LED: Round Function
Very AES inspired:
Nice Trick – Hardware friendly MDS Matrix:
Very hardware friendly (but slower).
![Page 48: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/48.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Overview: As Time Goes By
![Page 49: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/49.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
![Page 50: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/50.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
How Far Can You Go?
MemoryGiven a block-size and a key-size the (minimal) memoryrequirements are fixed.
Focus on AreaMinimize the overhead to this.
PRESENT: 80 percent memoryKATAN: ≈ 90 percent memory
Even doing nothing is not a lot cheaper!
![Page 51: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/51.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
A Critical View (I)
Even doing nothing is not a lot cheaper!
Good or Bad?In terms of area: GoodIn terms of energy: Bad
![Page 52: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/52.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Progress
Design Date vs. Area
![Page 53: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/53.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
A Critical View (II)
Design Date vs. Speed
![Page 54: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/54.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
A Critical View (III)
Area OnlyThere seem only a few scenarios where the only criteria is area
For those good examples are available.
Time To Move OnFocus on other criteria!
![Page 55: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/55.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
![Page 56: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/56.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Time To Move OnFocus on other criteria!
Examples:LatencySide-channel
![Page 57: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/57.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Latency
LatencyTime to encrypt one block
![Page 58: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/58.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Latency
CHES 2012
![Page 59: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/59.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
PRINCE
PRINCE (ASIACRYPT’12)A block cipher optimized for low-latency (Designed by DTU,RUB, and NXP)
More precisely:one single clock cyclelow latency⇒ high clock ratesmoderate hardware costsencryption and decryption with low overhead.
![Page 60: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/60.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
PRINCE - Overview
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1 R2 I−1I R−12 R−1
1 m
(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
α = 0xc0ac29b7c97c50dd
![Page 61: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/61.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Side-Channel Resistance
Side-Channel ResistanceWithout protection having a strong cipher is useless
Therefore: Masking necessary
Usual Approach1 Design a cipher2 Try to mask it efficiently
![Page 62: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/62.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Side-Channel Resistance by Design
Usual Approach1 Design a cipher2 Try to mask it efficiently
BetterDesign ciphers that are easy to mask
First approach already in 2000: NOEKEON
![Page 63: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/63.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
FSE 2014: LS-Designs
A familiy of easy to mask block ciphers
Designed by UC-Louvain and INRIA
Main ideaOpposite approach of what is done usually:
Use tables for the linear-layerUse (few) logical operations for S-boxes
Two instances:RobinFantomas
![Page 64: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/64.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 65: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/65.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 66: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/66.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 67: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/67.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 68: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/68.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 69: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/69.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 70: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/70.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 71: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/71.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 72: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/72.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 73: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/73.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0
L1 L2 L3
![Page 74: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/74.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1
L2 L3
![Page 75: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/75.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2
L3
![Page 76: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/76.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
![Page 77: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/77.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
![Page 78: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/78.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Conclusion
Lightweight Block CiphersAn interesting research area
Interesting problemsInnovative designsNew insights
Besides Practical RelevanceBetter understanding of block ciphers in general.
![Page 79: Lightweight Block Cipher Design - Radboud Universiteit · Fantomas. MotivationIndustryAcademia A Critical ViewLightweight: 2nd GenerationWrap-Up LS-Designs: Structure One box is a](https://reader033.vdocuments.net/reader033/viewer/2022041513/5e2964118755293de0754751/html5/thumbnails/79.jpg)
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
The End
Thank you