150 likes | 221 Views
DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität Bochum, Germany. Agenda. 1. Introduction 2. Design Criteria of the DESL 3. Serialized Architecture of DESL 4. Implementation Results 5. Conclusion. Introduction.
E N D
DESLAn Efficient Block Cipher For Lightweight CryptosystemsA. Poschmann, G. Leander, K. Schramm*, C. PaarRuhr-Universität Bochum, Germany
Agenda 1. Introduction 2. Design Criteria of the DESL 3. Serialized Architecture of DESL 4. Implementation Results 5. Conclusion
Introduction Cryptography is needed to... Design goals for RFID ciphers: small gate count implement authentication low power consumption prevent eavesdropping high security
Introduction (2) What are the requirements of a block cipher so that its hardware implementation has a low gate count ? it must be possible to implement the cipher in a serialized fashion (value chip size over execution time) use smaller block size (e.g. 64 bits instead of 128 bits) in order to save gates on internal flip-flop registers only use small subfunctions (e.g. 6-to-4 bit S-boxes) use very few different subfunctions (e.g. only a single S-box) Using these conditions we tried to find a lower bound with regard to gate count for a DES-lightweight (DESL) block cipher which uses only a single S-box.
Introduction to DES (Data Encryption Standard) plaintext 64 L0 R0 K0 32 32 f round 1 L1 R1 6 K1 S S S S S S S S f round 2 L2 R2 L15 R15 K15 f round 16 Idea: replace the eight different S-boxes by a single one repeated eight times. L16 R16 64 ciphertext
Design Criteria of DES S-boxes (Coppersmith '94) „No output bit of an S-box should be too close to a linear combination of input bits.“ Input 6 S-Box 4 Output = a*x+1 Output (S-2) (S-1) 00 01 10 11 |0|1|2|3|4|5|6|7|8|9|A|B|C|D|E|F| (S-3) S(1|0001|0) = 2 Each row contains all possible output values
Design Criteria of DES S-boxes (Coppersmith '94) HW(X1 X2) = 1 ∆I = 001100 6 6 S-box S-box 4 4 HW(Y1 Y2) ≥ 2 HW(Y1 Y2) ≥ 2 (S-4) (S-5) (S-6) (S-7) ∆I = 11xy00 ∆I ≠ 000000 6 6 S-box S-box 4 4 Y1 ≠ Y2 P(Y1 = Y2) ≤ ¼
Design Criteria of DES S-boxes (Coppersmith '94) ...0 0cde jkm0 0... 0000ab np0000 6 6 S-box i-1 S-box i+3 4 4 0000 0000 (S-8) Minimise Collision Probability (p = 1/234) bcde fghi 1ghi ...a 0ab1 1cd1 0ef0 p... ∆Input Expansion 000000 000000 10ef00 00ab11 11cd10 6 6 6 S-box i S-box i+1 S-box i+2 Substitution 4 4 4 ∆Output 0000 0000 0000 Collision in 3 adjacent S-boxes!
Resistance to Differential Cryptanalysis 00ab11 np0000 6 6 S-box i-n S-box i 4 4 0000 0000 With our new criterion S-6' differential attacks based on 2-round characteristics are now impossible! 10ef00 000000 ... (S-6') 6 ∆I = 1xyz00 ... S-box i-1 6 4 S-box 0000 4 Collision in n adjacent S-boxes! Y1 ≠ Y2
Currently proposed DESL S-box (under construction!!!) 28 (S-2') 40 7 (S-7) 8 0 (S-8) 1 / 234 DESL VS. DES => at least 256 known plaintexts for LC => two-round character- istics impossible => classical DC impossible
Implementation Results (1) #Transistors 7392 9236 #Gate count 1848 2309 Ø Power [µA] @ 100kHz @ 500kHz #clock cycles 0.89 4.4477 144 1.19 5.95 144 DESL VS. DES -25% -25% -33% -33%
Implementation Results (2) Cipher Gate count DESL DES DESXL DESX AES Trivium-1 Grain-1 Mosquito-B Sfinks-B Hermes8 1848 2309 2168 2629 3628 2906 1558 4806 6311 6885
Conclusion DESL Low gate count (1848 GE) Smaller than several eStream ciphers Low current draw (0.89 µA @ 100kHz) Seems to be secure against LC/DC attacks but the proposed S-box is still under construction! DESL is a further possible step towards a lightweight block cipher for RFID tags.