PRESENT An Ultra-Lightweight Block Cipher

Similar documents
Small-Footprint Block Cipher Design -How far can you go?

Wenling Wu, Lei Zhang

A New Improved Key-Scheduling for Khudra

PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems

Lightweight Crypto Design Principles - Approaches and Limitations

Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers

LIGHTWEIGHT CRYPTOGRAPHY: A SURVEY

RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT

Design and Implementation of New Lightweight Encryption Technique

A Related-Key Attack on TREYFER

Cryptography for Resource Constrained Devices: A Survey

Small-Footprint Block Cipher Design - How far can you go?

Lightweight Block Cipher Design

From Lausanne to Geneva

Lightweight Block Cipher Design

Hybrid Lightweight and Robust Encryption Design for Security in IoT

I-PRESENT TM : An Involutive Lightweight Block Cipher

Truncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher

Efficient FPGA Implementations of PRINT CIPHER

Block Ciphers that are Easier to Mask How Far Can we Go?

Firoz Ahmed Siddiqui 1, Ranjeet Kumar 2 1 (Department of Electronics & Telecommunication, Anjuman College of Engineering & Technology, Nagpur,

BORON: an ultra-lightweight and low power encryption design for pervasive computing

Encryption / decryption system. Fig.1. Block diagram of Hummingbird

Designing a New Lightweight Image Encryption and Decryption to Strengthen Security

FPGA Implementation and Evaluation of lightweight block cipher - BORON

Practical attack on 8 rounds of the lightweight block cipher KLEIN

AVRprince - An Efficient Implementation of PRINCE for 8-bit Microprocessors

Algebraic-Differential Cryptanalysis of DES

Area efficient cryptographic ciphers for resource constrained devices. T. Blesslin Sheeba 1, Dr. P. Rangarajan 2

Implementation Tradeoffs for Symmetric Cryptography

PRESENT: An Ultra-Lightweight Block Cipher

Cryptanalysis of TWIS Block Cipher

Few Other Cryptanalytic Techniques

An Implementation of the AES cipher using HLS

ITUbee : A Software Oriented Lightweight Block Cipher

The SKINNY Family of Lightweight Tweakable Block Ciphers

Energy Evaluation of AES based Authenticated Encryption Algorithms (Online + NMR)

Syrvey on block ciphers

Design Space Exploration of the Lightweight Stream Cipher WG-8 for FPGAs and ASICs

A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Low-Latency Encryption Is Lightweight = Light + Wait?

Biclique Cryptanalysis of TWINE

Improved Linear Sieving Techniques with Applications to Step-Reduced LED-64

IMPLEMENTATION OF LIGHTWEIGHT CRYPTOGRAPHIC PRIMITIVES

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

NIST s Lightweight Crypto Standardization Process

The Rectangle Attack

ADVANCES in NATURAL and APPLIED SCIENCES

FPGA Based Design of AES with Masked S-Box for Enhanced Security

Private-Key Encryption

KLEIN: A New Family of Lightweight Block Ciphers

Linear Cryptanalysis of Reduced Round Serpent

Blind Differential Cryptanalysis for Enhanced Power Attacks

Lightweight Cryptography: Designing Crypto for Low Energy and Low Power

TOWARDS AN AUTOMATED AND CUSTOMIZABLE LINEAR CRYPTANALYSIS OF A SUBSTITUTION-PERMUTATION NETWORK CIPHER. Bipeen Acharya

A Survey on Lightweight Block Ciphers

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Efficient Hardware Implementation of the Lightweight Block Encryption Algorithm LEA

EPCBC - A Block Cipher Suitable for Electronic Product Code Encryption

Recent Meet-in-the-Middle Attacks on Block Ciphers

FeW: A Lightweight Block Cipher

Hash Functions and RFID Tags: Mind the Gap

Computer and Data Security. Lecture 3 Block cipher and DES

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Dietary Recommendations for Lightweight Block Ciphers: Power, Energy and Area Analysis of Recently Developed Architectures

Differential Cryptanalysis

Lightweight Cryptography on ARM

PAPER On Design of Robust Lightweight Stream Cipher with Short Internal State

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

AES Advanced Encryption Standard

Selected Areas in Cryptography 04 University of Waterloo (Canada), August 9, 2004

Cache Timing Attacks on estream Finalists

On the Design of Secure Block Ciphers

A Brief Outlook at Block Ciphers

The New Approach of AES Key Schedule for Lightweight Block Ciphers

Symmetric Cryptography. Chapter 6

7. Symmetric encryption. symmetric cryptography 1

A Methodology for Differential-Linear Cryptanalysis and Its Applications

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Integral Cryptanalysis of the BSPN Block Cipher

CPS2323. Symmetric Ciphers: Stream Ciphers

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques

Secret Key Algorithms (DES)

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

The SIMON and SPECK lightweight block ciphers

Does Lightweight Cryptography Imply Slightsecurity?

Cryptographic Concepts

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Chapter 6: Contemporary Symmetric Ciphers

Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers

Software Performance Characterization of Block Cipher Structures Using S-boxes and Linear Mappings

Stream Ciphers and Block Ciphers

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Meet-in-the-Middle Attacks on 3-Line Generalized Feistel Networks

cube attack on stream cipher Trivium and quadraticity test

Challenges in Lightweight Crypto Standardization

Transcription:

PRESENT An Ultra-Lightweight Block Cipher A. Bogdanov1, L. R. Knudsen3, G. Leander1, C. Paar1, A. Poschmann1, M. J. B. Robshaw2, Y. Seurin2, C. Vikkelsoe3 1 Ruhr-Universität Bochum 2 Technical University Denmark, Denmark 3 Orange Lab, France CHES 2007

Outline Motivation PRESENT Specification Security Analysis Implementation Results Conclusion 2

Why yet another Block Cipher? (1) Paradigm shift towards Pervasive Computing: cost driven deployment very constrained devices in terms of CPU, memory, power, and energy small messages Traditionally efficient equivalent to high throughput Known ciphers designed for high troughput, high speed, high Demand for an ultra-lightweight block cipher 3

Why yet another Block Cipher? (2) Security properties well understood Sound building blocks and design principles available Block ciphers can be used as stream ciphers for hashing 4

Metric and Tradeoffs Resistance against attacks 256 bits 48 rounds 1 16 rounds 80 bits 2 Area, Power serial 3 parallel Throughput, Energy 5

Requirements on PRESENT Design goals Efficient hardware implementations Moderate security level (80 bits) Simplicity Small amounts of plaintexts encryption only core Metrics: 1. Security 2. Area, Power 3. Speed 6

Outline Motivation PRESENT Specification Security Analysis Implementation Results Conclusion 7

Top Level Description of PRESENT 8

S-Boxes in Hardware LUT are realized as boolean functions Highly non-linear High boolean complexity Big area 8x8 6x4 AES-LUT 1000 AES-CF 300 DES 120 PRESENT 28 4x4 9

S-Box Design Criteria 10

PRESENT S-Box Smallest 4x4 S-Boxes in hardware (28 GE) Fullfilling above conditions 11

PRESENT Permutation Simple bit permutation 12

PRESENT Permutation in Hardware 63 0123 0123 P(1) = 16 P(2) = 32 P(3) = Just wires No transistors required No delay 48 0 GE (some wiring) 13

PRESENT Key Schedule Notation: K 80-bit key register At round 1: K = k79k78 k1k0 = initial key At round i: Ki = k79k78 k1k16 = roundkey for round i Updating K: 2. [k79k78 k1k0] = [k18k17 k20k19] 3. [k79k78k77k76] = S[k79k78k77k76] 4. [k19k18k17k16k15] = [k19k18k17k16k15] XOR round_counter 14

Outline Motivation PRESENT Specification Security Analysis Implementation Results Conclusion 15

Differential Cryptanalysis Theorem 1: Any 5-round differential characteristic of PRESENT has at least 10 active S-Boxes. Any differential characteristic over 25 rounds must have at least 50 active S-Boxes Maximum differential characteristic is 2-2 Probability of 25-round characteristic is bounded by (2-2)50 = 2-100 2100 >> 264 (available PT/CT pairs) 2100 >> 280 (key size) 16

Linear Cryptanalysis Theorem 2: Let ε4r be the maximal bias of a linear approximation of four rounds of PRESENT. Then ε4r 2-7. The maximum bias of a 28-round linear approximation is 26 x (ε4r)7 = 26 x (2-7) = 2-43 About (243)2 = 286 known PT/CT pairs required 286 >> 264 (available plaintext) 286 >> 280 (key size) 17

Algebraic Cryptanalysis The PRESENT 4 x 4 S-Boxes can be described by 21 equations over GF(2) using 8 variables 21x17x31 = 11,067 quadratic equations 8x17x31 = 4,216 variables Small scale version analyzed 7 S-Boxes 28 bit block 2 rounds Buchberger and F4 algorithm fail to deliver a solution in a reasonable time for this 2-round 28-bit mini-present 18

Outline Motivation PRESENT Specification Security Analysis Implementation Results Conclusion 19

Toolchain Mentor Graphics ModelSim SE Plus 5.8c VHDL Synopsys DesignCompiler Y2006-06 Virtual Silicon UMCL18G212T3 20

PRESENT-80 Datapath 1.8 V 25 C 55% 29% 3% 11% 32 cycles 1570 GE 5 µw@100khz 21

Comparison of Lightweight Ciphers 5000 4993 4500 4000 3500 3000 2500 2000 1500 1000 500 0 CLEFIA 3400 TRIVIUM 2599 3048 2168 GRAIN 1294 1886 1570 AES HIGHT DESXL PRESENT- PRESENT128 80 22

Outline Motivation PRESENT Specification Security Analysis Implementation Results Conclusion 23

Conclusion Presented the new block cipher PRESENT SPN with 64-bit state, 80-bit key, 31 rounds Based on well-known design principles (feature) Very small footprint in hardware (1570 GE) Low power estimates (5 µw) Lightweight block ciphers have similar footprint as stream ciphers Please try to break PRESENT! 24

Thank you! Questions? www.crypto.rub.de poschmann@crypto.rub.de

PRESENT Permutation Further Notes P(i) = 16 * i mod 63, 1 i 62 i, i ε {0,63} Involution P(P(P(i))) = i Could be useful for serialization 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback