DESL An Efficient Block Cipher For Lightweight Cryptosystems
DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität Bochum, Germany RFIDsec 2006 14. 07. 2006 - Page 1/15
Agenda 1. Introduction 2. Design Criteria of the DESL 3. Serialized Architecture of DESL 4. Implementation Results 5. Conclusion RFIDsec 2006 14. 07. 2006 - Page 2/15
Introduction Cryptography is needed to. . . implement authentication prevent eavesdropping RFIDsec 2006 Design goals for RFID ciphers: small gate count low power consumption high security 14. 07. 2006 - Page 3/15
Introduction (2) What are the requirements of a block cipher so that its hardware implementation has a low gate count ? it must be possible to implement the cipher in a serialized fashion (value chip size over execution time) use smaller block size (e. g. 64 bits instead of 128 bits) in order to save gates on internal flip-flop registers only use small subfunctions (e. g. 6 -to-4 bit S-boxes) use very few different subfunctions (e. g. only a single Sbox) Using these conditions we tried to find a lower bound with regard to gate count for a DES-lightweight (DESL) block cipher which uses only a single S-box. RFIDsec 2006 14. 07. 2006 - Page 4/15
Introduction to DES (Data Encryption Standard) plaintext 64 L 0 32 R 0 K 0 32 f round 1 L 1 R 1 6 K 1 S f S S S S round 2 L 2 R 2 L 15 R 15 K 15 f round 16 L 16 R 16 64 RFIDsec 2006 ciphertext Idea: replace the eight different Sboxes by a single one repeated eight times. 14. 07. 2006 - Page 5/15
Design Criteria of DES S-boxes (Coppersmith '94) Input 6 „No output bit of an S-box should be too close to a linear combination of input bits. “ S-Box 4 Output = a*x+1 (S-1) (S-2) S(1|0001|0) = 2 00 01 10 11 |0|1|2|3|4|5|6|7|8|9|A|B|C|D|E|F | RFIDsec 2006 (S-3) Each row contains all possible output values 14. 07. 2006 - Page 6/15
Design Criteria of DES S-boxes (Coppersmith '94) HW(X 1 X 2) = 1 6 ∆I = 001100 6 S-box 4 HW(Y 1 Y 2) ≥ 2 ∆I = 11 xy 00 6 S-box 4 Y 1 ≠ Y 2 RFIDsec 2006 4 (S-4) (S-5) (S-6) (S-7) HW(Y 1 Y 2) ≥ 2 ∆I ≠ 000000 6 S-box 4 P(Y 1 = Y 2) ≤ ¼ 14. 07. 2006 - Page 7/15
Design Criteria of DES S-boxes (Coppersmith '94) (S-8) Minimise Collision Probability (p = 1/234) bcde 1 ghi fghi jkm 0. . . a 0 ab 1 0 cde 1 cd 1 0 ef 0 0. . . p. . . ∆Input Expansion 0000 ab 000000 6 00 ab 11 6 11 cd 10 6 10 ef 00 6 np 000000 6 Substitution S-box S-box i i+1 i+2 i+3 i-1 ∆Output 4 4 4 0000 0000 Collision in 3 adjacent S-boxes! RFIDsec 2006 14. 07. 2006 - Page 8/15
Resistance to Differential Cryptanalysis 00 ab 11 6 . . . S-box . . . i-n 4 0000 10 ef 00 6 np 000000 6 S-box i-1 i 4 4 0000 Collision in n adjacent S-boxes! (S-6') ∆I = 1 xyz 00 6 S-box 4 Y 1 ≠ Y 2 With our new criterion S-6' differential attacks based on 2 -round characteristics are now impossible! RFIDsec 2006 14. 07. 2006 - Page 9/15
Currently proposed DESL S-box (under construction!!!) DESL VS. DES 28 (S-2') 40 7 (S-7) 8 0 (S-8) 1 / 234 RFIDsec 2006 => at least 256 known plaintexts for LC => two-round characteristics impossible => classical DC impossible 14. 07. 2006 - Page 10/15
Serialized DES/DESL Architecture RFIDsec 2006 14. 07. 2006 - Page 11/15
Implementation Results (1) DESL VS. DES -25% 7392 1848 9236 2309 -33% 0. 89 4. 4477 #Transistors #Gate count Ø Power [µA] @ 100 k. Hz @ 500 k. Hz 144 #clock cycles RFIDsec 2006 1. 19 5. 95 144 14. 07. 2006 - Page 12/15
Implementation Results (2) RFIDsec 2006 Cipher Gate count DESL DESXL DESX AES Trivium-1 Grain-1 Mosquito-B Sfinks-B Hermes 8 1848 2309 2168 2629 3628 2906 1558 4806 6311 6885 14. 07. 2006 - Page 13/15
Conclusion DESL Low gate count (1848 GE) Smaller than several e. Stream ciphers Low current draw (0. 89 µA @ 100 k. Hz) Seems to be secure against LC/DC attacks but the proposed S-box is still under construction! DESL is a further possible step towards a lightweight block cipher for RFID tags. RFIDsec 2006 14. 07. 2006 - Page 14/15
Thank you! RFIDsec 2006 14. 07. 2006 - Page 15/15
- Slides: 15