New Block Cipher for Ultra-Compact Hardware
BeeM みかか
A. Satoh, K. Aoki
SCIS2006
Rapid Growth of RFID market
[Chart: RFID market in $Millions by year, 2002 to 2013, split into Services, Analytics and storage, SCE applications, Tags and readers]
Security for RFID
Security is very important for radio communication, but there is no room for cryptography in RFIDs
We need more room!
AES-16 for ultra-compact hardware is proposed
Bear (unpackaged) RFID chips
Architecture of AES-16
[Figure: round structure of AES-16 and of AES side by side. Each panel shows SubBytes (S-Box), ShiftRows (no shift, left rotation by 1, 2 and 3), MixColumns and AddRoundKey acting on a 4 x 4 state a00 ... a33, giving b00 ... b33, with round keys k00 ... k33. AES-16 panel: 16-bit plain text, 16-bit cipher text, 16-bit 11 round keys. AES panel: 128-bit plain text, 128-bit cipher text, 128-bit 11 round keys.]
AES AES-16
Data: 128 bits → 16 bits
Key: 128 bits → 16 bits
AES-16 uses the design concept of AES
All the basic components are shrunk down to 1/8
S-box Comparison
[Figure: S-box circuits of AES and AES-16. AES panel: circuit blocks labelled HP, LP and GF((2^2)^2) multiplier computing a_ij^-1, followed by an 8 x 8 bit-matrix affine transformation with constant 11000110. AES-16 panel: b_ij = 1 x a_ij^-1 + 1.]
8-bit S-box defined over GF(2^8) is replaced by 1-bit S-box over GF(2)!
S-box can be implemented as one inverter!
Performance comparison
Algorithm   Size         Frequency   Throughput
AES-16      1.0 Kgates   1 GHz       1.6 Gbps
AES         5.4 Kgates   131 MHz     311 Mbps
AES-16 achieved 1/5 gates with x5 throughput
Sizes and speeds were evaluated by using a 0.13-um ASIC library
Secure against Power Analysis
A switching probability highly dependent on the input data pattern is the key for DPA success
[Figure: In/Out table of the AES-16 S-box]
Very low power S-box with 100% switching probability gives no clue for DPA
Secure against Cache Attack
[Figure: In/Out table of the AES-16 S-box]
Cache attack measures the operating time depending on cache hit or miss to estimate the secret data
MPU has enough cache memory for a 1-bit S-box table
Cash Hit Cash Miss
Provably secure against differential cryptanalysis
Security Assessment of AES-16
}{max}0),(),(|{# kkiiik TkCRCPDiT
All candidates show the same differential probability
Why? Because, it’s linear
Gotcha! It’s a liner
Provably secure against Linear cryptanalysis, Higher-order differential attack, SQUARE attack, Boomerang attack, Truncated linear attack, etc.
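Added example (not from the slides): a toy 16-bit cipher in the shape of AES-16, showing why every key candidate yields the same differential statistics when the S-box is a 1-bit inverter. The MixColumns matrix, the key schedule, the bit layout and all function names are assumptions made for illustration.

```python
# Toy cipher in the shape of AES-16. Everything marked ASSUMED is not from the slides.
ROUNDS = 10                               # 11 round keys, as on the slide
MIX = (0b1101, 0b1110, 0b0111, 0b1011)    # ASSUMED binary circulant MixColumns matrix

def rows_of(s):
    # ASSUMED layout: 4 x 4 bit state, row r stored in bits 15-4r .. 12-4r
    return [(s >> (12 - 4 * r)) & 0xF for r in range(4)]

def pack(rows):
    return sum(row << (12 - 4 * r) for r, row in enumerate(rows))

def sub_bytes(s):
    # 1-bit S-box b = a^-1 + 1 over GF(2): one inverter per state bit
    return s ^ 0xFFFF

def shift_rows(s):
    # row r is rotated left by r positions (no shift, 1, 2, 3)
    return pack([((row << r) | (row >> (4 - r))) & 0xF for r, row in enumerate(rows_of(s))])

def mix_columns(s):
    # GF(2) matrix product; XORing whole rows handles all four columns at once
    rows = rows_of(s)
    out = []
    for m in MIX:
        acc = 0
        for r in range(4):
            if (m >> (3 - r)) & 1:
                acc ^= rows[r]
        out.append(acc)
    return pack(out)

def round_keys(key):
    # ASSUMED key schedule: round key i is the master key rotated left by i bits
    return [((key << i) | (key >> (16 - i))) & 0xFFFF for i in range(ROUNDS + 1)]

def encrypt(p, key):
    rk = round_keys(key)
    s = p ^ rk[0]
    for r in range(1, ROUNDS + 1):
        s = shift_rows(sub_bytes(s))
        if r < ROUNDS:                    # AES-style: no MixColumns in the last round
            s = mix_columns(s)
        s ^= rk[r]
    return s

def output_differences(delta, keys, plaintexts):
    # every output difference observed for one input difference, over many keys and inputs
    return {encrypt(p, k) ^ encrypt(p ^ delta, k) for k in keys for p in plaintexts}

if __name__ == "__main__":
    print(output_differences(0x0001, range(0, 0x10000, 257), range(0, 0x10000, 4099)))
```

The set always has exactly one element: with an affine S-box the whole cipher is affine over GF(2), so the key cancels out of every difference and a differential counter cannot separate right from wrong key guesses.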
Conclusion
Ultra compact and high-speed H/W
Astonishing linear 1-bit S-box
Probably secure against all the side channel attacks and all the conventional cryptanalysis
Tip-top cryptographers never speak about trivial brute force attack
16-bit block cipher AES-16