lightweight block cipher design - radboud universiteit · fantomas. motivationindustryacademia a...
TRANSCRIPT
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Block Cipher Design
Gregor Leander
HGI, Ruhr University Bochum, Germany
Croatia 2014
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Upcoming IT-Landscape
Figure: Upcoming IT-Landscape
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
More Precisely: RFID-Tags
RFID Tag
RFID=Radio-Frequency IDentification
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Example I
Electronic Passports
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Example II
Logistics
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Example III
Pacemaker implants
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Security
QuestionDo we want this?
If we want it, we want it secure!
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Security
QuestionDo we want this?
If we want it, we want it secure!
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Attacks I
Iron attacks in Russia
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Attacks II
Fear: Terrorist attacks on pacemaker
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Cryptography
What is (not) Lightweight CryptographyCryptography tailored to (extremely) constrained devicesNot intended for everythingNot intended for extremely strong adversariesNot weak cryptography
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Cryptography
QuestionWhat about standard algorithms?
AES is great for almost everywhereMainly designed for softwareIt is too expensive for very small devicesIt protects data stronger than needed
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
AES: The Swiss Army Knife
Domain Specific CipherOn specific platforms/for specific criteria one can do better.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Cryptography: Industry vs. Academia
IndustryNon-existence of lightweight block ciphers a real problem sincethe 90’s.
Many proprietary solutionsOften: not very good.
AcademiaResearch on Lightweight block ciphers started only recently.
Several good proposals available.Developed a bit away from industry demands.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Lightweight Ciphers in Real Life
Example (Algorithms Used In Real Products)KeeloqMIFAREDECTKindle Cipher
What they have in common:efficientproprietary/not publicnon standard designsnot good
A lot more out there...
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Keeloq
KeeloqA 32 bit block-cipher with a 64 bit key.
Developed by Gideon Kuhn (around 1985).Sold for 10M$ to Microchip Technology Inc (1995).Algorithm for remote door openers: Cars, Garage, ...Used by: Chrysler, Daewoo, Fiat, GM, Honda, Toyota,Volvo, Volkswagen Group,...
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
KeeLoq
EUROCRYPT 2008
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
MIFARE
MIFARE CipherA stream cipher with an 48 bit key.
widely used in contactless smart cardsbillions of smart card chipselectronic bus and train tickets
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
MIFARE Cipher
CARDIS 2008
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
DECT
DECT CipherA stream cipher with an 64 bit key.
cordless home telephones30.000.000 base station in Germanyalso baby phones, traffic lights, etc
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
DECT Cipher
FSE 2010
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Kindle
Kindle Cipher (PC1)A stream cipher with an 128 bit key.
Amazons Kindle ebookDRM system
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Kindle Cipher
SAC 2012
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Why?
QuestionWhy do they do that?
We needsecurewell analyzedpublic
ciphers for highly resource constrained devices.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
General Design Philosophy
Guidelines/GoalsEfficiency: Here mainly areaSimplicitySecurity
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Considerations: Hardware
HardwareWhat do things cost in hardware?
SuggestionMake it an interdisciplinary project!
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Cost Overview
QuestionWhat should/should not be used?
Rule of Thumb:NOT: 0.5 GENOR: 1 GEAND: 1.33 GEOR: 1.33XOR: 2.67
Registers/Flipflops: 6− 12 GE per bit!
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Decisions I
QuestionBlock size/ Key size?
Storage (FF) is expensive in hardware.Block size of 128 is too much.We do not have to keep things secret forever.
DecisionRelative Small Block Size: 32,48 or 64Key size: 80 bit often enough
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Block Cipher Parts
SP-NetworkWe have to design
Non-linear-LayerLinear-LayerKey-scheduling
Here we focus on the Non-linear-Layer and the Linear-Layer.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Issues
Design Issues
The S-Layer has to maximize nonlinearity.It has to be cheap.
The S-Layer consist of a number of Sboxes executed in parallel
Si : Fb2 → Fb
2
In hardware realized as Boolean functions.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Issues
QuestionDifferent Sboxes vs. all Sboxes the same?
A serialized implementation becomes smaller if all Sboxes arethe same.
DecisionOnly one Sbox.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Design Issues
QuestionWhat size of Sbox?
In general: The bigger the Sbox the more expensive it is inhardware.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Sbox Costs
Figure: Comparison of Sboxes
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
P-Layer
Design Issues
The P-Layer has to maximize diffusion.It has to be cheap.
Many modern ciphers: MDS codes (great diffusion!)DES: Bit permutation (no cost!)
Design Decision
Use less diffusion per roundUse more rounds
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Examples
Modern Lightweight block ciphers
SEADESLPRESENTKATAN/ KTANTANHIGHTPrintCIPHER
A lot more out there...
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
A comparison: (To be taken with care)
A fair comparison is difficultMany dimensionsDepends on the technology
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
First Example: PRESENT
PRESENT (CHES 2007)A 64 bit block cipher with 80/128 bit key and 31 rounds.
Developed by RUB/DTU/ORANGESP-network4 bit SboxBit permutation as P-layer
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
PRESENT: Overview
Figure: Overview of PRESENT
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Second Example: KATAN
KATAN (CHES 2009)
A 32/48/64 bit block cipher with 80 bit key and 254 rounds.
Developed by KULA (kind of) Feistel-cipherHighly unbalancedInspired by TriviumVery simple non-linear function
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
KATAN: Overview
Figure: Overview of KATAN
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Third Example: LED
LED (CHES 2011)A 64 bit block cipher with 64− 128 bit key and 32/48 rounds.
Developed by NTU and Orange LabsA SP-networkInspired by AESNice tweak to Mix Columns
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LED: Overview
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LED: Round Function
Very AES inspired:
Nice Trick – Hardware friendly MDS Matrix:
Very hardware friendly (but slower).
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Overview: As Time Goes By
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
How Far Can You Go?
MemoryGiven a block-size and a key-size the (minimal) memoryrequirements are fixed.
Focus on AreaMinimize the overhead to this.
PRESENT: 80 percent memoryKATAN: ≈ 90 percent memory
Even doing nothing is not a lot cheaper!
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
A Critical View (I)
Even doing nothing is not a lot cheaper!
Good or Bad?In terms of area: GoodIn terms of energy: Bad
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Progress
Design Date vs. Area
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
A Critical View (II)
Design Date vs. Speed
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
A Critical View (III)
Area OnlyThere seem only a few scenarios where the only criteria is area
For those good examples are available.
Time To Move OnFocus on other criteria!
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Time To Move OnFocus on other criteria!
Examples:LatencySide-channel
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Latency
LatencyTime to encrypt one block
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Latency
CHES 2012
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
PRINCE
PRINCE (ASIACRYPT’12)A block cipher optimized for low-latency (Designed by DTU,RUB, and NXP)
More precisely:one single clock cyclelow latency⇒ high clock ratesmoderate hardware costsencryption and decryption with low overhead.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
PRINCE - Overview
m R1
k
R2
k
I R−12
k ⊕ α
R−11
k ⊕ α
c
c R1 R2 I−1I R−12 R−1
1 m
(k ⊕ α) (k ⊕ α) (k ⊕ α)⊕ α (k ⊕ α)⊕ α
Enc vs. DecDecryption is Encryption with a different key!
E−1k (m) = Ek⊕α(m)
α = 0xc0ac29b7c97c50dd
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Side-Channel Resistance
Side-Channel ResistanceWithout protection having a strong cipher is useless
Therefore: Masking necessary
Usual Approach1 Design a cipher2 Try to mask it efficiently
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Side-Channel Resistance by Design
Usual Approach1 Design a cipher2 Try to mask it efficiently
BetterDesign ciphers that are easy to mask
First approach already in 2000: NOEKEON
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
FSE 2014: LS-Designs
A familiy of easy to mask block ciphers
Designed by UC-Louvain and INRIA
Main ideaOpposite approach of what is done usually:
Use tables for the linear-layerUse (few) logical operations for S-boxes
Two instances:RobinFantomas
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0
L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1
L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2
L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
LS-Designs: Structure
One box is a bitRegisters correspond to columns
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
S-Box
L0 L1 L2 L3
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Outline
1 Motivation
2 Industry
3 Academia
4 A Critical View
5 Lightweight: 2nd Generation
6 Wrap-Up
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
Conclusion
Lightweight Block CiphersAn interesting research area
Interesting problemsInnovative designsNew insights
Besides Practical RelevanceBetter understanding of block ciphers in general.
Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up
The End
Thank you