Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark...

PAGE: 1 of 33 Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

- Hardware Perspective -

Miroslav KneževićNXP Semiconductors

Lightweight Cryptography

Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.


PAGE: 2 of 33

Digital Continuum~kb/s, μW

~Gb/s, MW




Typical Trade-offs in Crypto

PAGE: 3 of 33





PAGE: 3 of 33




A bit of History

PAGE: 4 of 33

0

450

900

1350

1800

2250

2700

3150

3600

4050

4500

1970 1977 1984 1991 1998 2005 2012

Block Ciphers

DES

GOST (FK)

TEAAES

mCrypton

SEA

DESXL

DESL

PRESENT

PUFFIN

HUMMINGBIRD

MIBS

KATAN

KATAN (FK) PRINTcipher

KLEIN

TWINE

PICCOLOLEDLED (FK)PICCOLO (FK)

CLEFIA

HIGHTKASUMI

Are

a (G

E)

Year




A bit of History

PAGE: 4 of 33

0

450

900

1350

1800

2250

2700

3150

3600

4050

4500

1970 1977 1984 1991 1998 2005 2012

Block Ciphers Stream Ciphers

DES TEA mCrypton

SEA

HIGHT

CLEFIADESXL

DESL

PRESENT

PUFFIN

HUMMINGBIRD

MIBS

KATAN


KLEIN

TWINE


MICKEY

TRIVIUM

GRAIN

KASUMI

Are

a (G

E)

Year

GOST (FK)

AES




A bit of History

PAGE: 4 of 33

0

450

900

1350

1800

2250

2700

3150

3600

4050

4500

1970 1977 1984 1991 1998 2005 2012

Block Ciphers Stream Ciphers Hash Functions

DES TEA mCrypton

SEA

KASUMI

DESXL

DESL

PRESENT

PUFFIN

HUMMINGBIRD

MIBS

KATAN


KLEIN

TWINE


MICKEY

TRIVIUM

GRAIN

HIGHT

CLEFIA

ARMADILLO

KECCAKH-PRESENT

QUARK PHOTON

SPONGENT

DM-PRESENT

Are

a (G

E)

Year

GOST (FK)

AES




Block Cipher - Hardware Perspective

PAGE: 5 of 33

Block size128-bits

Key size128-bits

Round function Key schedule

Control

Memory

Datapath

AES example:Round-Based Implementation

Area: ~ 15,000 GELatency: 10 cycles





PAGE: 5 of 33

Block size128-bits

Key size128-bits

Round function

Key schedule

Control

Memory

Datapath

AES example:Serial Implementation

Area: ~ 2,400 GELatency: 226 cycles




Key size ≥ 80 bits

PAGE: 6 of 33

Memory

Round function

Key schedule Control

logic

90 - 95%

Block size ≥ 32 bits

BALANCE!MINIMIZE!







PAGE: 6 of 33







PAGE: 6 of 33



Fixed KeyArbitrary Key



Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: 7 of 33

KATAN - Minimalistic Design

L1!

L2!

x5! x4! x3! x2! x1!

y2! y3! y4! y5! y6!y1!

kb!

ka!IR!

key_reg!60!

kb!

79! 78! 59! 49! 48! 12! 11! 1! 0!

ka!

T!6!7! 4! 2! 0!

IR!

Round function and Control logic merged!

462 GE




KATAN - Minimalistic Design

L1!

L2!

x5! x4! x3! x2! x1!

y2! y3! y4! y5! y6!y1!

kb!

ka!IR!

T!6!7! 4! 2! 0!

IR!

Round function and Control logic merged!Expanded Key stored in silicon!

Only 508 bits of Expanded Key!Avoid a weak key schedule:

KTANTAN!315 GE + 508 bits of ROM




PRESENT - Small and Scalable

~ 1500 GE

PRESENT-like PermutationRound-based Implementation




PRESENT - Small and Scalable

~ 1000 GE

PRESENT-like PermutationSerial Implementation

PAGE: 8 of 33




A Battle for a Single Gate

PRESENTUMC180IHP250

AMIS350synopsys

~1kGE

KATANUMC130synopsys≥450 GE Piccolo

130nmsynopsys≥700 GE

QUARKUMC180synopsyscadence≥1.4 kGE

PHOTONUMC180synopsys≥850 GE

SPONGENTUMC130synopsys≥750 GE

LED180nm

synopsys≥700 GE

PAGE: 11 of 33




0

750

1500

2250

3000

521 737 9181192 1340738

10601329

17281950

7591103

1367

17682012

8681256

1571

20712323

88/80/8128/128/8

160/160/16224/224/16

256/256/16

NXP90 UMC130 UMC180 NANGATE45

Fair Comparison - Mission (Im)possible?Spongent in 4 different techs

UP TO 70% DIFFERENCE!

Are

a (G

E)

PAGE: 12 of 33




Fair Comparison - Mission (Im)possible?

0

2

4

6

8

scan FF

NXP90 UMC130 UMC180 NANGATE45

< 5 GE/sFF 6.25 GE/sFF 7.67 GE/sFF6.67 GE/sFF

Open CoreLibrary!

Are

a (G

E)

PAGE: 13 of 33




0

1000

2000

3000

4000

8691257 1572

2070 2323

1067 13941741

2142

2675

17442200

3001

80/88128

160224

256

Spongent Photon Quark

Fair Comparison - Mission Possible?

Are

a (G

E)

Hash Output

Fixed Benchmark: 45 nm Open Core NANGATE library, Cadence RTL Compiler, Original RTL Code.

PAGE: 14 of 33





PAGE: 15 of 33





AES

Keccak

Groestl

Blake NOEKEON

PRESENT

LED

KLEINMINI-AESMCRYPTON

Photon

KATAN Piccolo

SPONGENT

TEA SEA

PRINTcipher

Quark

?

Skein

SHA-256JH

TRIVIUM

Grain

IDEA

Serpent

Two!sh

Square 3DES

PAGE: 16 of 33





AES

Keccak

Groestl

Blake NOEKEON

PRESENT

LED

KLEINMINI-AESMCRYPTON

Photon

KATAN Piccolo

SPONGENT

TEA SEA

PRINTcipher

Quark

?

Skein

SHA-256JH

TRIVIUM

Grain

IDEA

Serpent

Two!sh

Square 3DES

PAGE: 16 of 33




AES

Keccak

Groestl

BlakeNOEKEON

PRESENT

LED

KLEIN

MINI-AES

MCRYPTON

Photon

KATAN

PiccoloSPONGENT

TEASEA

PRINT

cipher

QuarkSkein

SHA-256JH

TRIVIUM GrainIDEA

Serpent

Two!sh

Square

3DES

A kid in a Toy store

PAGE: 17 of 33




AES

NOEKEON

PRESENT

LED

KLEIN

MINI-AES

MCRYPTON

A kid in a Toy store

PAGE: 17 of 33




AES

NOEKEON

PRESENT

LED

KLEIN

MINI-AES

MCRYPTON

Variety of Choices

128 128 8 MDS LIGHT

128 128 4 BINARY NO

64 64 4 MDS LIGHT

64 64, 96, 128 4 BINARY LIGHT

64 80, 128 4 BITPERMUTATION LIGHT

64 64, 80, 96 4 MDS LIGHT

64 64, 128 4 MDS NO

BLOCK-SIZE KEY-SIZE S-BOX P-LAYER KEY SCHEDULE

PAGE: 18 of 33




Latency vs Throughput

Latency = 15 sThroughput = 0.067 beer/s

PAGE: 19 of 33






Parallel Processing

PAGE: 19 of 33






Pipelining

PAGE: 19 of 33






Ad Fundum

PAGE: 19 of 33




Six Architectures

R1

R2

Rn

…

R1

Rn/2

…

R1

R2

Rn

…

Rn

Rn -1

R1

…

-1

-1

-1

R1

Rn/2

…

Rn/2

R1

…

-1

-1

R1/Rn

…

…

-1

R2/Rn -1 -1

Rn /R1 -1

R1/Rn/2 -1

Rn /2/R1 -1

(a) (b) (c) (d) (e) (f)

PAGE: 20 of 33




Number of Rounds vs Key Size

PAGE: 21 of 33




Results - Latency

0

12,5

25

37,5

50

17,8

15,3

20,3

25,3

31,2

46,6

9,8 9,8 9,8 9,9

14,8 15,514,8

14,7

20,2

16,4

21,4

26,4

32,8

48,2

10,8 10,8 11 12

17 17,416,4 16,6

1-cycle 2-cycle

AES-1

28

KLEIN

-64

KLEIN

-96

KLEIN

-128

LED-6

4

LED-1

28

MCRYPT

ON-6

4

MCRYPT

ON-9

6

MCRYPT

ON-1

28

MINI-A

ES-6

4

NOEK

EON-1

28

NOEK

EONs-1

28

PRES

ENT-8

0

PRES

ENT-1

28

*ENC/DEC; Max Time-Constrained

PAGE: 22 of 33




Results - Area

0

100

200

300

400366,6

48,2 63,7 79,9

128,7

193,1

41,3 40,4 41,440

102,5

49,572,3 73,8

191,8

24,9 32,6 41,363,5

96

20,9 21,1 21 2249,6

27,1 37,637,1

1-cycle 2-cycle

AES-1

28

KLEIN

-64

KLEIN

-96

KLEIN

-128

LED-6

4

LED-1

28

MCRYPT

ON-6

4

MCRYPT

ON-9

6

MCRYPT

ON-1

28

MINI-A

ES-6

4

NOEK

EON-1

28

NOEK

EONs-1

28

PRES

ENT-8

0

PRES

ENT-1

28

*ENC/DEC; Max Time-Constrained

PAGE: 23 of 33




Results - Average Latency per Round

0

0,5

1

1,5

21,78

1,28 1,27 1,27

0,98 0,97

0,82 0,82 0,82

0,990,93 0,97

0,480,47

1,48

0,93 0,93 0,92 0,97 0,96

0,81 0,81 0,81 0,86 0,93

0,46 0,46

ENC/DEC ENC

AES-1

28

KLEIN

-64

KLEIN

-96

KLEIN

-128

LED-6

4

LED-1

28

MCRYPT

ON-6

4

MCRYPT

ON-9

6

MCRYPT

ON-1

28

MINI-A

ES-6

4

NOEK

EON-1

28

NOEK

EONs-1

28

PRES

ENT-8

0

PRES

ENT-1

28

*1-cycle Architecture; Max Time-Constrained

PAGE: 24 of 33



Lightweight CryptographyResults - Area per Round DistributionPRESENT-80, ENC only

PAGE: 25 of 33




Hardware Recommendations

We provide hardware recommendations for designing low-latency primitives.

Evaluated ciphers are designed with low-area and low-power in mind and not to satisfy new low-latency requirements.

Still, we can learn quite a lot from their constructions.

PAGE: 26 of 33



Lightweight CryptographyHardware Recommendations-Sbox-

Use small Sboxes (4-bit or even 3-bit ones).

Even among them there are significant differences in latency and area [24].

These differences are library dependent.

G. Leander and A. Poschmann, On the Classification of 4-bit Sboxes, in Arithmetic of Finite Fields, First International Workshop - WAIFI 2007, volume 4547 of Lecture Notes in Computer Science, pages 159-176, 2007.

[24]

PAGE: 27 of 33



Lightweight CryptographyHardware Recommendations-Number of Rounds-

Minimize!

PAGE: 28 of 33



Lightweight CryptographyHardware Recommendations-Round Complexity-

Not too low complexity.

Reduce the number of rounds at the cost of (slightly) heavier round.

PAGE: 29 of 33



Lightweight CryptographyHardware Recommendations-Key Schedule-

Number of rounds should be independent of the key schedule.

Use constant addition instead of a key schedule (if possible).

PAGE: 30 of 33



Lightweight CryptographyHardware Recommendations-Heterogeneous Constructions-

Last few rounds of the cipher are smaller than the middle ones.

Make those few rounds more computationally complex.

Not very good for compact implementations.

PAGE: 31 of 33



Lightweight CryptographyHardware Recommendations-Encryption vs Decryption-

Use involution: f(f(x)) = x.

Make Encryption and Decryption procedures similar.

BUT: Think “application oriented” - sometimes is beneficial to have “asymmetric” constructions.

PAGE: 32 of 33



Lightweight CryptographyConclusionsmeet PRINCE

AESAES

PRESENT PRESENT

PRINCEPRINCE

Latency [ns]Area [kGE]

J. Borghoff, A. Canteaut, T. Guneysu, E. B. Kavun, M. Knezevic, L. R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S. Thomsen, T. Yalcin, PRINCE - A Low-latency Block Cipher for Pervasive Computing Applications, to appear in ASIACRYPT 2012.

PAGE: 33 of 33

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.PAGE: THE END

Thank you!

Date post:	08-Oct-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Lightweight Cryptography - COSIC · 2675 1744 2200 3001 80/88 128 160 224 256 Spongent Photon Quark...

Documents