New Block Cipher for Ultra-Compact Hardware

1. New Block Cipher forUltra-Compact Hardware NBeeM みかか A. Satoh K. Aoki

2. Rapid Growth of RFID market

3. Security for RFID Security is very important for radio communication, but there is no room for cryptography in RFIDs We need More room! Bear (unpackaged) RFID chips AES-16 for ultra-compact hardware is proposed

4. Architecture of AES-16 • AES-16 uses the design concept of AES • All the basic components are shrunk down to 1/8 AES-16 AES Data ： 128 bits → 16bits Key : 128 bits → 16 bits

5. S-boxComparison AES AES-16 = S-box can be implemented as one inverter! 8-bit S-box defined over GF(28) is replaced by 1-bit S-box over GF(2)!

6. Performance comparison • Sizes and speeds were evaluated by using a 0.13-um ASIC library AES-16 achieved １/５ gates with x5 throughput

7. Secure against Power Analysis A switching probability highly dependent on the input data pattern is the key for DPA success Very low power S-box with 100% switching probability gives no clue for DPA Innovative "Linear" Round Function

8. Secure against Cache Attack Cache attack measures the operating time depending on cache hit or miss to estimate the secret data MPU has enough cache memory for a 1-bit S-box table Cash Miss Cash Hit

9. Security Assessment of AES-16 Provably secure against Linear cryptanalysis, Higher-order differential attack, SQUARE attack, Boomerang attack, Truncated linear attack, etc. Provably secure against differential cryptanalysis All candidates show the same differential probability Because, it’s linear Why? Gotcha! It’s a liner

10. Conclusion 16-bit block cipher AES-16 • Ultra compact and high-speed H/W • Astonishing linear 1-bit S-box • Probably secure against all the side channel attacks and all the conventional cryptanalysis Tip-top cryptographers never speak about trivial brute force attack