PAGE: 1 of 33 Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
- Hardware Perspective -
Miroslav KneževićNXP Semiconductors
Lightweight Cryptography
Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
PAGE: 2 of 33
Digital Continuum~kb/s, μW
~Gb/s, MW
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
PAGE: 3 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
PAGE: 3 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
A bit of History
PAGE: 4 of 33
0
450
900
1350
1800
2250
2700
3150
3600
4050
4500
1970 1977 1984 1991 1998 2005 2012
Block Ciphers
DES
GOST (FK)
TEAAES
mCrypton
SEA
DESXL
DESL
PRESENT
PUFFIN
HUMMINGBIRD
MIBS
KATAN
KATAN (FK) PRINTcipher
KLEIN
TWINE
PICCOLOLEDLED (FK)PICCOLO (FK)
CLEFIA
HIGHTKASUMI
Are
a (G
E)
Year
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
A bit of History
PAGE: 4 of 33
0
450
900
1350
1800
2250
2700
3150
3600
4050
4500
1970 1977 1984 1991 1998 2005 2012
Block Ciphers Stream Ciphers
DES TEA mCrypton
SEA
HIGHT
CLEFIADESXL
DESL
PRESENT
PUFFIN
HUMMINGBIRD
MIBS
KATAN
KATAN (FK) PRINTcipher
KLEIN
TWINE
PICCOLOLEDLED (FK)PICCOLO (FK)
MICKEY
TRIVIUM
GRAIN
KASUMI
Are
a (G
E)
Year
GOST (FK)
AES
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
A bit of History
PAGE: 4 of 33
0
450
900
1350
1800
2250
2700
3150
3600
4050
4500
1970 1977 1984 1991 1998 2005 2012
Block Ciphers Stream Ciphers Hash Functions
DES TEA mCrypton
SEA
KASUMI
DESXL
DESL
PRESENT
PUFFIN
HUMMINGBIRD
MIBS
KATAN
KATAN (FK) PRINTcipher
KLEIN
TWINE
PICCOLOLEDLED (FK)PICCOLO (FK)
MICKEY
TRIVIUM
GRAIN
HIGHT
CLEFIA
ARMADILLO
KECCAKH-PRESENT
QUARK PHOTON
SPONGENT
DM-PRESENT
Are
a (G
E)
Year
GOST (FK)
AES
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Block Cipher - Hardware Perspective
PAGE: 5 of 33
Block size128-bits
Key size128-bits
Round function Key schedule
Control
Memory
Datapath
AES example:Round-Based Implementation
Area: ~ 15,000 GELatency: 10 cycles
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Block Cipher - Hardware Perspective
PAGE: 5 of 33
Block size128-bits
Key size128-bits
Round function
Key schedule
Control
Memory
Datapath
AES example:Serial Implementation
Area: ~ 2,400 GELatency: 226 cycles
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Key size ≥ 80 bits
PAGE: 6 of 33
Memory
Round function
Key schedule Control
logic
90 - 95%
Block size ≥ 32 bits
BALANCE!MINIMIZE!
Block Cipher - Hardware Perspective
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Key size ≥ 80 bits
Block size ≥ 32 bits
PAGE: 6 of 33
Block Cipher - Hardware Perspective
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Key size ≥ 80 bits
Block size ≥ 32 bits
PAGE: 6 of 33
Block Cipher - Hardware Perspective
Block size ≥ 32 bits
Fixed KeyArbitrary Key
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: 7 of 33
KATAN - Minimalistic Design
L1!
L2!
x5! x4! x3! x2! x1!
y2! y3! y4! y5! y6!y1!
kb!
ka!IR!
key_reg!60!
kb!
79! 78! 59! 49! 48! 12! 11! 1! 0!
ka!
T!6!7! 4! 2! 0!
IR!
Round function and Control logic merged!
462 GE
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: 7 of 33
KATAN - Minimalistic Design
L1!
L2!
x5! x4! x3! x2! x1!
y2! y3! y4! y5! y6!y1!
kb!
ka!IR!
T!6!7! 4! 2! 0!
IR!
Round function and Control logic merged!Expanded Key stored in silicon!
Only 508 bits of Expanded Key!Avoid a weak key schedule:
KTANTAN!315 GE + 508 bits of ROM
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: 8 of 33
PRESENT - Small and Scalable
~ 1500 GE
PRESENT-like PermutationRound-based Implementation
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
PRESENT - Small and Scalable
~ 1000 GE
PRESENT-like PermutationSerial Implementation
PAGE: 8 of 33
Hardware Perspective
Lightweight Cryptography
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
A Battle for a Single Gate
PRESENTUMC180IHP250
AMIS350synopsys
~1kGE
KATANUMC130synopsys≥450 GE Piccolo
130nmsynopsys≥700 GE
QUARKUMC180synopsyscadence≥1.4 kGE
PHOTONUMC180synopsys≥850 GE
SPONGENTUMC130synopsys≥750 GE
LED180nm
synopsys≥700 GE
PAGE: 11 of 33
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
0
750
1500
2250
3000
521 737 9181192 1340738
10601329
17281950
7591103
1367
17682012
8681256
1571
20712323
88/80/8128/128/8
160/160/16224/224/16
256/256/16
NXP90 UMC130 UMC180 NANGATE45
Fair Comparison - Mission (Im)possible?Spongent in 4 different techs
UP TO 70% DIFFERENCE!
Are
a (G
E)
PAGE: 12 of 33
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Fair Comparison - Mission (Im)possible?
0
2
4
6
8
scan FF
NXP90 UMC130 UMC180 NANGATE45
< 5 GE/sFF 6.25 GE/sFF 7.67 GE/sFF6.67 GE/sFF
Open CoreLibrary!
Are
a (G
E)
PAGE: 13 of 33
Lightweight Cryptography
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
0
1000
2000
3000
4000
8691257 1572
2070 2323
1067 13941741
2142
2675
17442200
3001
80/88128
160224
256
Spongent Photon Quark
Fair Comparison - Mission Possible?
Are
a (G
E)
Hash Output
Fixed Benchmark: 45 nm Open Core NANGATE library, Cadence RTL Compiler, Original RTL Code.
PAGE: 14 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
PAGE: 15 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
AES
Keccak
Groestl
Blake NOEKEON
PRESENT
LED
KLEINMINI-AESMCRYPTON
Photon
KATAN Piccolo
SPONGENT
TEA SEA
PRINTcipher
Quark
?
Skein
SHA-256JH
TRIVIUM
Grain
IDEA
Serpent
Two!sh
Square 3DES
PAGE: 16 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Typical Trade-offs in Crypto
AES
Keccak
Groestl
Blake NOEKEON
PRESENT
LED
KLEINMINI-AESMCRYPTON
Photon
KATAN Piccolo
SPONGENT
TEA SEA
PRINTcipher
Quark
?
Skein
SHA-256JH
TRIVIUM
Grain
IDEA
Serpent
Two!sh
Square 3DES
PAGE: 16 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
AES
Keccak
Groestl
BlakeNOEKEON
PRESENT
LED
KLEIN
MINI-AES
MCRYPTON
Photon
KATAN
PiccoloSPONGENT
TEASEA
cipher
QuarkSkein
SHA-256JH
TRIVIUM GrainIDEA
Serpent
Two!sh
Square
3DES
A kid in a Toy store
PAGE: 17 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
AES
NOEKEON
PRESENT
LED
KLEIN
MINI-AES
MCRYPTON
A kid in a Toy store
PAGE: 17 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
AES
NOEKEON
PRESENT
LED
KLEIN
MINI-AES
MCRYPTON
Variety of Choices
128 128 8 MDS LIGHT
128 128 4 BINARY NO
64 64 4 MDS LIGHT
64 64, 96, 128 4 BINARY LIGHT
64 80, 128 4 BITPERMUTATION LIGHT
64 64, 80, 96 4 MDS LIGHT
64 64, 128 4 MDS NO
BLOCK-SIZE KEY-SIZE S-BOX P-LAYER KEY SCHEDULE
PAGE: 18 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Latency vs Throughput
Latency = 15 sThroughput = 0.067 beer/s
PAGE: 19 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Latency vs Throughput
Latency = 15 sThroughput = 0.2 beer/s
Parallel Processing
PAGE: 19 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Latency vs Throughput
Latency = 15 sThroughput = 0.2 beer/s
Pipelining
PAGE: 19 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Latency vs Throughput
Latency = 5 sThroughput = 0.2 beer/s
Ad Fundum
PAGE: 19 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Six Architectures
R1
R2
Rn
…
R1
Rn/2
…
R1
R2
Rn
…
Rn
Rn -1
R1
…
-1
-1
-1
R1
Rn/2
…
Rn/2
R1
…
-1
-1
R1/Rn
…
…
-1
R2/Rn -1 -1
Rn /R1 -1
R1/Rn/2 -1
Rn /2/R1 -1
(a) (b) (c) (d) (e) (f)
PAGE: 20 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Number of Rounds vs Key Size
PAGE: 21 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Results - Latency
0
12,5
25
37,5
50
17,8
15,3
20,3
25,3
31,2
46,6
9,8 9,8 9,8 9,9
14,8 15,514,8
14,7
20,2
16,4
21,4
26,4
32,8
48,2
10,8 10,8 11 12
17 17,416,4 16,6
1-cycle 2-cycle
AES-1
28
KLEIN
-64
KLEIN
-96
KLEIN
-128
LED-6
4
LED-1
28
MCRYPT
ON-6
4
MCRYPT
ON-9
6
MCRYPT
ON-1
28
MINI-A
ES-6
4
NOEK
EON-1
28
NOEK
EONs-1
28
PRES
ENT-8
0
PRES
ENT-1
28
*ENC/DEC; Max Time-Constrained
PAGE: 22 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Results - Area
0
100
200
300
400366,6
48,2 63,7 79,9
128,7
193,1
41,3 40,4 41,440
102,5
49,572,3 73,8
191,8
24,9 32,6 41,363,5
96
20,9 21,1 21 2249,6
27,1 37,637,1
1-cycle 2-cycle
AES-1
28
KLEIN
-64
KLEIN
-96
KLEIN
-128
LED-6
4
LED-1
28
MCRYPT
ON-6
4
MCRYPT
ON-9
6
MCRYPT
ON-1
28
MINI-A
ES-6
4
NOEK
EON-1
28
NOEK
EONs-1
28
PRES
ENT-8
0
PRES
ENT-1
28
*ENC/DEC; Max Time-Constrained
PAGE: 23 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Results - Average Latency per Round
0
0,5
1
1,5
21,78
1,28 1,27 1,27
0,98 0,97
0,82 0,82 0,82
0,990,93 0,97
0,480,47
1,48
0,93 0,93 0,92 0,97 0,96
0,81 0,81 0,81 0,86 0,93
0,46 0,46
ENC/DEC ENC
AES-1
28
KLEIN
-64
KLEIN
-96
KLEIN
-128
LED-6
4
LED-1
28
MCRYPT
ON-6
4
MCRYPT
ON-9
6
MCRYPT
ON-1
28
MINI-A
ES-6
4
NOEK
EON-1
28
NOEK
EONs-1
28
PRES
ENT-8
0
PRES
ENT-1
28
*1-cycle Architecture; Max Time-Constrained
PAGE: 24 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyResults - Area per Round DistributionPRESENT-80, ENC only
PAGE: 25 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight Cryptography
Hardware Recommendations
We provide hardware recommendations for designing low-latency primitives.
Evaluated ciphers are designed with low-area and low-power in mind and not to satisfy new low-latency requirements.
Still, we can learn quite a lot from their constructions.
PAGE: 26 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Sbox-
Use small Sboxes (4-bit or even 3-bit ones).
Even among them there are significant differences in latency and area [24].
These differences are library dependent.
G. Leander and A. Poschmann, On the Classification of 4-bit Sboxes, in Arithmetic of Finite Fields, First International Workshop - WAIFI 2007, volume 4547 of Lecture Notes in Computer Science, pages 159-176, 2007.
[24]
PAGE: 27 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Number of Rounds-
Minimize!
PAGE: 28 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Round Complexity-
Not too low complexity.
Reduce the number of rounds at the cost of (slightly) heavier round.
PAGE: 29 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Key Schedule-
Number of rounds should be independent of the key schedule.
Use constant addition instead of a key schedule (if possible).
PAGE: 30 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Heterogeneous Constructions-
Last few rounds of the cipher are smaller than the middle ones.
Make those few rounds more computationally complex.
Not very good for compact implementations.
PAGE: 31 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyHardware Recommendations-Encryption vs Decryption-
Use involution: f(f(x)) = x.
Make Encryption and Decryption procedures similar.
BUT: Think “application oriented” - sometimes is beneficial to have “asymmetric” constructions.
PAGE: 32 of 33
Hardware Perspective
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.
Lightweight CryptographyConclusionsmeet PRINCE
AESAES
PRESENT PRESENT
PRINCEPRINCE
Latency [ns]Area [kGE]
J. Borghoff, A. Canteaut, T. Guneysu, E. B. Kavun, M. Knezevic, L. R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S. Thomsen, T. Yalcin, PRINCE - A Low-latency Block Cipher for Pervasive Computing Applications, to appear in ASIACRYPT 2012.
PAGE: 33 of 33
Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: THE END
Thank you!