Piccolo: An Ultra-Lightweight Blockcipher

Size: px

Start display at page:

Download "Piccolo: An Ultra-Lightweight Blockcipher"

Dwayne Davidson
5 years ago
Views:

1 Piccolo: An Ultra-Lightweight Blockcipher Kyoji hibutani, Takanori Iobe, Harunaga Hiwatari, Atuhi Mituda, Toru Akihita and Taizo hirai ony Corporation CHE 2011, October 1, 2011

2 Motivation for New Deign Cryptography i required everywhere RFID, enor node, IoT, low reource device,.. trong demand for lightweight cryptography Peronal Pervaive Our Target Blockcipher Bulk encryption, MAC, entity authentication protocol,... 2

3 Piccolo i Feitel-type lightweight blockcipher that achieve: High ecurity ecure againt known attack including MITM and RKA Compact implementation Le than 700 GE low power conumption Low required GE keeping high throughput low energy conumption General purpoe lightweight blockcipher Not limited to application Decryption can be upported without much cot Becaue of involution tructure uitable for both flexible key and fixed key etting Becaue of permutation baed key cheduling 3

4 pecification 4

5 The Blockcipher Piccolo Baic Information Block ize : Key ize : tructure : # Round : 64-bit 80-bit, 128-bit (referred a Piccolo-80/128) variant of 4-line type-ii generalized Feitel network 25 (80-bit key), 31 (128-bit key) 5

6 The Blockcipher Piccolo key 80 or 128 plaintext F F RP 64 1-round operation F F RP... F... F 25 or 31 round RP F F 64 ciphertext 6

7 Round function (F and RP) 16 Round function rk 2i rk 2i+1 F F 4 F (F-function) M on GF(2 4 ) RP RP (round permutation)

8 What new in round function Compact 4-bit -box only 4 NOR, 3 XOR and 1 XNOR (about 12 GE) andwich contruction make F-function trong 4 M Byte permutation RP provide fat diffuion without HW implementation cot enhance ecurity againt impoible diff., aturation, MITM,... F F F F 8

9 Key cheduling function (KF) KF coniting of elector key 80 or 128 KF requiring key regiter key 16 key regiter MUX 16 round key v key regiter update round key GOT, KTANTAN, LED, Piccolo,... PREENT, KATAN,... MUX baed KF Key regiter i not neceary uitable for both fixed and flexible key etting Carefully choe the permutation to have enough immunity againt RKA and MITM 9

10 ecurity analyi 10

11 ecurity analyi Active F-function baed evaluation Differential attack Linear attack Boomerang-type attack Related key differential-type attack Related key boomerang/rectangle attack Related key impoible differential attack Diffuion property baed evaluation Impoible differential attack aturation attack Meet-in-the-middle attack Other Higher-order differential attack Algebraic attack 11

12 ecurity analyi Active F-function baed evaluation Differential attack Linear attack Boomerang-type attack Related key differential-type attack Related key boomerang/rectangle attack Related key impoible differential attack Diffuion property baed evaluation Impoible differential attack aturation attack Meet-in-the-middle attack Other Higher-order differential attack Algebraic attack 12

13 Active F-function input difference output linear mak Δx 0 Γy 0 x F y x F y differentially active F-function linearly active F-function Each differentially/linearly active F-function reduce differential/linear probability minimum number of active F-function implie the ecurity againt differential and linear type attack Counted the number of active F-function by exhautively earching all poible differential/linear trail 13

14 # active F-function of Piccolo # active F-function total # round 25 / 31 round (Piccolo-80 / 128) ecurity threhold 7R (8R for linear) 14R 16R # round MDP of F = (7 active F-function needed) MLP of F = (8 active F-function needed) 14

15 Implementation apect 15

16 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function M reg. B 16

17 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function additional reg. reg. C M reg. B 17

18 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function additional reg. reg. C M reg. B reg. B 18

19 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function intermediate regiter can be reduced by adding -1 function additional reg. reg. C M reg. B reg. B 19

20 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function intermediate regiter can be reduced by adding -1 function M reg. B 20

21 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function intermediate regiter can be reduced by adding -1 function M reg. B -1 21

22 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function intermediate regiter can be reduced by adding -1 function M reg. B -1 22

23 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function intermediate regiter can be reduced by adding -1 function M reg. B -1 reg. B 23

24 Optimization for F-function in 4-bit erialized architecture Feitel-type require intermediate regiter for F-function intermediate regiter can be reduced by adding -1 function -1 of Piccolo i mall required gate i reduced reg. C reg. B if -1 <, required gate can be reduced M reg. B 24

25 Countermeaure againt CA Threhold implementation [ICIC06] provably ecure countermeaure againt 1t order CA at leat 3 hare are neceary (required gate depend on # hare, and 3 i the mallet) x y x -box of Piccolo = f 1 f 2 f 3 = y belong to the alternating group A 16 can be decompoed uing quadratic bijection [CHE10] Thu, Piccolo -box require only 3 hare when applying threhold implementation 25

26 Hardware performance (ummary) algorithm * FOM = (nanobit per cycle) / area quared [GE 2 ] ** 0.13 um tandard cell library *** 1 GE = 2-way NAND erialized arch. round-baed arch. Piccolo-80 Piccolo-128 Piccolo-80 Piccolo-128 cycle/block fixed key flexible key fixed key flexible key area FOM area FOM area area including decryption function Adding decryption function i almot free! 26

Efficiency comparion Piccolo i mallet in

round [GE] [bit/cycle/ge 2 x10 9 ] Piccolo i

FOM round erial FOM round erial FOM round

27 Efficiency comparion Piccolo i mallet in fixed key etting! Target: ame block ize ame key ize round erial FOM round erial FOM erial FOM erial round [GE] [bit/cycle/ge 2 x10 9 ] Piccolo i very mall and high FOM in flexible key etting! FOM erial round [GE] [bit/cycle/ge 2 x10 9 ] FOM round erial FOM round erial FOM round erial erial erial [GE] [bit/cycle/ge 2 x10 9 ] FOM erial round FOM round erial FOM round erial [GE] [bit/cycle/ge 2 x10 9 ] 27

28 Concluion Propoed an ultra-lightweight blockcipher Piccolo ecurity ecure againt known attack including MITM and RKA Performance one of the mot compact cipher achieved the bet performance w.r.t. energy conumption Further analyi i very welcome! 28

29 Thank you for your attention! 29

Advanced Encryption Standard and Modes of Operation

Advanced Encryption Standard and Mode of Operation G. Bertoni L. Breveglieri Foundation of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) i a ymmetric cryptographic algorithm AES