1 / 15

Agenda

DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität Bochum, Germany. Agenda. 1. Introduction 2. Design Criteria of the DESL 3. Serialized Architecture of DESL 4. Implementation Results 5. Conclusion. Introduction.

Download Presentation

Agenda

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. DESLAn Efficient Block Cipher For Lightweight CryptosystemsA. Poschmann, G. Leander, K. Schramm*, C. PaarRuhr-Universität Bochum, Germany

  2. Agenda 1. Introduction 2. Design Criteria of the DESL 3. Serialized Architecture of DESL 4. Implementation Results 5. Conclusion

  3. Introduction Cryptography is needed to... Design goals for RFID ciphers: small gate count implement authentication low power consumption prevent eavesdropping high security

  4. Introduction (2) What are the requirements of a block cipher so that its hardware implementation has a low gate count ? it must be possible to implement the cipher in a serialized fashion (value chip size over execution time) use smaller block size (e.g. 64 bits instead of 128 bits) in order to save gates on internal flip-flop registers only use small subfunctions (e.g. 6-to-4 bit S-boxes) use very few different subfunctions (e.g. only a single S-box) Using these conditions we tried to find a lower bound with regard to gate count for a DES-lightweight (DESL) block cipher which uses only a single S-box.

  5. Introduction to DES (Data Encryption Standard) plaintext 64 L0 R0 K0 32 32 f round 1 L1 R1 6 K1 S S S S S S S S f round 2 L2 R2 L15 R15 K15 f round 16 Idea: replace the eight different S-boxes by a single one repeated eight times. L16 R16 64 ciphertext

  6. Design Criteria of DES S-boxes (Coppersmith '94) „No output bit of an S-box should be too close to a linear combination of input bits.“ Input 6 S-Box 4 Output = a*x+1 Output (S-2) (S-1) 00 01 10 11 |0|1|2|3|4|5|6|7|8|9|A|B|C|D|E|F| (S-3) S(1|0001|0) = 2 Each row contains all possible output values

  7. Design Criteria of DES S-boxes (Coppersmith '94) HW(X1 X2) = 1 ∆I = 001100 6 6 S-box S-box 4 4 HW(Y1 Y2) ≥ 2 HW(Y1 Y2) ≥ 2 (S-4) (S-5) (S-6) (S-7) ∆I = 11xy00 ∆I ≠ 000000 6 6 S-box S-box 4 4 Y1 ≠ Y2 P(Y1 = Y2) ≤ ¼

  8. Design Criteria of DES S-boxes (Coppersmith '94) ...0 0cde jkm0 0... 0000ab np0000 6 6 S-box i-1 S-box i+3 4 4 0000 0000 (S-8) Minimise Collision Probability (p = 1/234) bcde fghi 1ghi ...a 0ab1 1cd1 0ef0 p... ∆Input Expansion 000000 000000 10ef00 00ab11 11cd10 6 6 6 S-box i S-box i+1 S-box i+2 Substitution 4 4 4 ∆Output 0000 0000 0000 Collision in 3 adjacent S-boxes!

  9. Resistance to Differential Cryptanalysis 00ab11 np0000 6 6 S-box i-n S-box i 4 4 0000 0000 With our new criterion S-6' differential attacks based on 2-round characteristics are now impossible! 10ef00 000000 ... (S-6') 6 ∆I = 1xyz00 ... S-box i-1 6 4 S-box 0000 4 Collision in n adjacent S-boxes! Y1 ≠ Y2

  10. Currently proposed DESL S-box (under construction!!!) 28 (S-2') 40 7 (S-7) 8 0 (S-8) 1 / 234 DESL VS. DES => at least 256 known plaintexts for LC => two-round character- istics impossible => classical DC impossible

  11. Serialized DES/DESL Architecture

  12. Implementation Results (1) #Transistors 7392 9236 #Gate count 1848 2309 Ø Power [µA] @ 100kHz @ 500kHz #clock cycles 0.89 4.4477 144 1.19 5.95 144 DESL VS. DES -25% -25% -33% -33%

  13. Implementation Results (2) Cipher Gate count DESL DES DESXL DESX AES Trivium-1 Grain-1 Mosquito-B Sfinks-B Hermes8 1848 2309 2168 2629 3628 2906 1558 4806 6311 6885

  14. Conclusion DESL Low gate count (1848 GE) Smaller than several eStream ciphers Low current draw (0.89 µA @ 100kHz) Seems to be secure against LC/DC attacks but the proposed S-box is still under construction! DESL is a further possible step towards a lightweight block cipher for RFID tags.

  15. Thank you!

More Related