bit sliding a generic technique for bit serial
play

Bit-Sliding: A Generic Technique for Bit-Serial Implementations of - PowerPoint PPT Presentation

Jun 03, 2023 •302 likes •663 views

Bit-Sliding: A Generic Technique for Bit-Serial Implementations of SPN-based Primitives 28. Sep. 2017 Jrmy Jean, Amir Moradi, Thomas Peyrin, Pascal Sasdrich ANSSI Crypto Lab, Paris, France Ruhr University Bochum, Germany Temasek

  1. Bit-Sliding: A Generic Technique for Bit-Serial Implementations of SPN-based Primitives 28. Sep. 2017 Jérémy Jean, Amir Moradi, Thomas Peyrin, Pascal Sasdrich ANSSI Crypto Lab, Paris, France Ruhr University Bochum, Germany Temasek Laboratories, Nanyang Technological University, Singapore

  2. Embedded Security Group Story?  motivated by KATAN & Simon bit‐serial implementations – KATAN: NLFSR/steam‐cipher construction (borrowed from KeeLoq)  CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 2

  3. Embedded Security Group Story?  motivated by KATAN & Simon bit‐serial implementations – KATAN: NLFSR/steam‐cipher construction (borrowed from KeeLoq) – Simon: Feistel • allows even a scalable architecture *  * Aysu, Gulcan, Schaumont: SIMON Says: Break Area Records of Block Ciphers on FPGAs. Embedded Systems Letters 2014 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 3

  4. Embedded Security Group Story?  motivated by KATAN & Simon bit‐serial implementations – KATAN: NLFSR/steam‐cipher construction (borrowed from KeeLoq) – Simon: Feistel • allows even a scalable architecture *  How about SPN constructions? * Aysu, Gulcan, Schaumont: SIMON Says: Break Area Records of Block Ciphers on FPGAs. Embedded Systems Letters 2014 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 4

  5. Embedded Security Group SPN & Implementation Trade‐offs  fully unrolled … pipeline … round‐based … serial latency area  lightweight cryptography (smallest footprint): serial arch. – s ‐bit Sbox and l ‐bit linear function • s ‐bit data path, l a multiple of s ( s ‐bit serial implementation) – PRESENT, LED, Klein, …: 4‐bit serial – AES: 8‐bit serial – enables to employ scan flip‐flops CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 5

  6. Embedded Security Group Scan Flip‐flop  developed & used in scan chain for testing purposes  operates as (but smaller than) a MUX + D‐FF MUX ≈ 2.33 GE GE: Gate Equivalence: area of a NAND gate CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 6

  7. Embedded Security Group Smallest Known Serial AES, Atomic AES v2.0 Banik, Bogdanov, Regazzoni, ePrint Archive: Report 2016/1005 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 7

  8. Embedded Security Group Atomic AES v2.0  supports both ENC & DEC  clock gating for each row (due to ShiftRows & ShiftRows ‐1 )  3  8‐bit scan FF(state) + 8  8‐bit scan FF(key): 88 scan FF  MC ‐1 (x) = MC(MC(MC(x)))  Canright Sbox (supporting Sbox ‐1 )  2060 GE (STM 90nm) – 246 clock cycles ENC – 326 clock cycles DEC CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 8

  9. Embedded Security Group Bit‐Sliding  use as many as possible regular FF, use less scan FF  almost all register cells always shift (regular FF) – a few have multiple inputs (scan FF)  challenge 1: s ‐bit Sbox – easy for PICCOLO & SKINNY Sboxes – how about AES, PRESENT, …? • no way (yet) than using the Sbox in parallel  challenge 2: permutation – ad hoc, easy for AES, hard for PRESENT CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 9

  10. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 10

  11. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 11

  12. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 12

  13. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 13

  14. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 14

  15. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 15

  16. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 16

  17. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 17

  18. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 18

  19. Embedded Security Group How Sbox works CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 19

  20. Embedded Security Group Bit‐Serial AES‐128, ENC only (state)  20 scan FF (state)  no clock gating, no enable signal CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 20

  21. Embedded Security Group Bit‐Serial AES‐128, ENC only (state) 1776 clock cycles  128 clock cycles: plaintext & key load  128 clock cycles: AddKey & SubBytes  8 clock cycles: ShiftRows 32 clock cycles: MixColumns CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 21

  22. Embedded Security Group Bit‐Serial AES‐128, ENC only (key)  1 scan FF (state)  1 clock gating  7 extra FF (shared with MC)  the largest difference compared to state of the art CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 22

  23. Embedded Security Group Bit‐Serial AES‐128, ENC & DEC (state)  27 scan FF (state) + 1 scan FF (key)  no clock gating, no enable signal  MC ‐1 =MC 3 , SR ‐1 =SR 3 (no extra logic) CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 23

  24. Embedded Security Group Results (AES‐128) [2] Banik, Bogdanov, Regazzoni: Atomic‐AES: A compact implementation of the AES enc/dec core. INDOCRYPT 2016 [3] Banik, Bogdanov, Regazzoni: Atomic‐AES v2.0. ePrint Archive: Report 2016/1005 [21] Moradi, Poschmann, Ling, Paar, Wang: Pushing the limits: A very compact and a TI of AES. EUROCRYPT 2011 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 24

  25. Embedded Security Group Results (AES‐128) [2] Banik, Bogdanov, Regazzoni: Atomic‐AES: A compact implementation of the AES enc/dec core. INDOCRYPT 2016 [3] Banik, Bogdanov, Regazzoni: Atomic‐AES v2.0. ePrint Archive: Report 2016/1005 [21] Moradi, Poschmann, Ling, Paar, Wang: Pushing the limits: A very compact and a TI of AES. EUROCRYPT 2011 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 25

  26. Embedded Security Group Results (AES‐128) Visconti, Schiavo, Peralta: Improved upper bounds for the expected circuit complexity of dense systems of linear equations over GF(2). ePrint 2017/194 [2] Banik, Bogdanov, Regazzoni: Atomic‐AES: A compact implementation of the AES enc/dec core. INDOCRYPT 2016 David Canright: A Very Compact S‐Box for AES. CHES 2005 [3] Banik, Bogdanov, Regazzoni: Atomic‐AES v2.0. ePrint Archive: Report 2016/1005 [21] Moradi, Poschmann, Ling, Paar, Wang: Pushing the limits: A very compact and a TI of AES. EUROCRYPT 2011 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 26

  27. Embedded Security Group Results (AES‐128) AES as a lightweight cipher? [2] Banik, Bogdanov, Regazzoni: Atomic‐AES: A compact implementation of the AES enc/dec core. INDOCRYPT 2016 [3] Banik, Bogdanov, Regazzoni: Atomic‐AES v2.0. ePrint Archive: Report 2016/1005 [21] Moradi, Poschmann, Ling, Paar, Wang: Pushing the limits: A very compact and a TI of AES. EUROCRYPT 2011 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 27

  28. Embedded Security Group Bit‐Serial PRESENT  the same principle for Sbox  the diffusion layer: bit‐permutation network  CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 28

  29. Embedded Security Group Bit‐Serial PRESENT  the same principle for Sbox  the diffusion layer: bit‐permutation network – our approach: two‐level permutation the same independently found by Reis, Aranha, López: PRESENT Runs Fast ‐ Efficient and Secure Implementation in Software. CHES 2017 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 29

  30. Embedded Security Group Results (PRESENT) [31] Ya, Khoo, Poschmann, Henricksen: EPCBC ‐ A Block Cipher Suitable for Electronic Product Code Encryption. CANS 2011 CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 30

  31. Embedded Security Group Skinny  first glance: iterative Sbox construction helps  reality: the parallel technique still better – not fully iterative (last round different) – Sbox itself small – Bit‐serial already slow • becomes almost 4 times slower  the same for 8‐bit variant CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 31

  32. Embedded Security Group Conclusions  not anymore monopoly on bit‐serial and scalable architecture by Simon & Speck  iterative Sbox not necessarily helps  small Sboxes in lightweight crypto anyways – see GIFT: A Small PRESENT. CHES 2017  diffusion layer more important to enable bit‐serialization  CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 32

  33. Embedded Security Group Conclusions  not anymore monopoly on bit‐serial and scalable architecture by Simon & Speck  iterative Sbox not necessarily helps  small Sboxes in lightweight crypto anyways – see GIFT: A Small PRESENT. CHES 2017  diffusion layer more important to enable bit‐serialization – Skinny < PRESENT < GIFT • (for 64‐bit state & 128‐bit key)  CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 33

  34. Embedded Security Group Conclusions  not anymore monopoly on bit‐serial and scalable architecture by Simon & Speck  iterative Sbox not necessarily helps  small Sboxes in lightweight crypto anyways – see GIFT: A Small PRESENT. CHES 2017  diffusion layer more important to enable bit‐serialization – Skinny < PRESENT < GIFT • (for 64‐bit state & 128‐bit key)  latency high anyway – high energy consumption, but expected low power consumption CHES 2017 | Taipei | 28. Sep 2017 Amir Moradi 34

Recommend

Serial Communications time. 3 4 Serial Interfaces Serial vs. Parallel Different from a

Serial Communications time. 3 4 Serial Interfaces Serial vs. Parallel Different from a

1 2 Serial Interfaces Embedded systems often use a serial interface to communicate with other devices. Serial implies that it sends or receives one bit at a Serial Communications time. 3 4 Serial Interfaces Serial vs. Parallel

225 views • 6 slides
SPI Serial Port (in AVR Microcontrollers) Contents Serial communication with SPI Serial

SPI Serial Port (in AVR Microcontrollers) Contents Serial communication with SPI Serial

Microprocessors , Lecture 7: SPI Serial Port (in AVR Microcontrollers) Contents Serial communication with SPI Serial communication programming in C Reference: Chapter 17 of the Mazidis book University of Tehran 2 Serial ports

470 views • 30 slides
Glacier Sliding Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Sliding / friction laws -

Glacier Sliding Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Sliding / friction laws -

Glacier Sliding Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Sliding / friction laws - Numerical models Classical sliding theory ( hard bed ) - Regelation - Viscous deformation - Cavitation Soft bed sliding - Till strength - Bed

235 views • 22 slides
Unit D time. Serial Communications D.3 D.4 Serial vs. Parallel Parallel Interfaces Serial

Unit D time. Serial Communications D.3 D.4 Serial vs. Parallel Parallel Interfaces Serial

D.1 D.2 Serial Interfaces Embedded systems often use a serial interface to communicate with other devices. Serial implies that it sends or receives one bit at a Unit D time. Serial Communications D.3 D.4 Serial vs. Parallel

174 views • 6 slides
Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim

Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim

Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink , Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom September 28th, 2017 Sliding

581 views • 44 slides
Sweep as a Generic Pruning Technique Applied to Constraint Relaxation Nicolas Beldiceanu and

Sweep as a Generic Pruning Technique Applied to Constraint Relaxation Nicolas Beldiceanu and

Sweep as a Generic Pruning Technique Applied to Constraint Relaxation Nicolas Beldiceanu and Mats Carlsson SICS Lgerhyddsvgen 18 75237 Uppsala email: nicolas@sics.se Soft01, Paphos, Cyprus Outline of the Presentation

333 views • 16 slides
1 Definition of a simple generic class Why generic programming (cont.) class Pair &lt;T&gt; {

1 Definition of a simple generic class Why generic programming (cont.) class Pair &lt;T&gt; {

Topics background and goals of generic programming basics of generic classes = parameterized types generic methods for general algorithms inheritance rules for generic types Generic programming in Java bounded type parameters

261 views • 5 slides
Serial Peripheral Interface (SPI) Synchronous serial data transfers Multipoint serial

Serial Peripheral Interface (SPI) Synchronous serial data transfers Multipoint serial

Serial Peripheral Interface (SPI) Synchronous serial data transfers Multipoint serial communication between a master and a slave device Clock permits faster data rates than async communications (framing unnecessary)

337 views • 21 slides
procedure SERIAL MIN ( A , n ) 1. 2. begin 3. min = A [ 0 ] ; 4. for i := 1 to n 1 do 5.

procedure SERIAL MIN ( A , n ) 1. 2. begin 3. min = A [ 0 ] ; 4. for i := 1 to n 1 do 5.

procedure SERIAL MIN ( A , n ) 1. 2. begin 3. min = A [ 0 ] ; 4. for i := 1 to n 1 do 5. if ( A [ i ] &lt; min ) min := A [ i ] ; 6. endfor ; 7. return min ; 8. end SERIAL MIN Algorithm 3.1 A serial program for finding the minimum in

406 views • 4 slides
Optimal Matching For SLiding Window Compression With Suffix Tries An advantage of sliding

Optimal Matching For SLiding Window Compression With Suffix Tries An advantage of sliding

Optimal Matching For SLiding Window Compression With Suffix Tries An advantage of sliding window compression is fast decoding. However, encoding is a different story. Simple hashing schemes such as that employed by gzip work well in

609 views • 21 slides
Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode

Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode

ELEC8406 Sliding Mode Control of Power Electronics Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode Control of Switching Power Converters History (1) SM control can be traced back to the 1930s

882 views • 45 slides
The Sliding Window Algorithm The Sliding Window algorithm sums several small

The Sliding Window Algorithm The Sliding Window algorithm sums several small

The Sliding Window Algorithm The Sliding Window algorithm sums several small sub-matrices of a matrix of values. The maximum of these sums is then located and it's coordinates passed out of the program. This is used as a

466 views • 22 slides
8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim (cj@coe.psu.ac.th) 8051 Serial Port Serial communications High speed CMOS signal levels Full duplex No modem status/control signals Registers SBUF Two

661 views • 7 slides
Section 13 Section 13 ADSP-BF533 Serial Communications a 13-1 1 BF533 Serial Communications

Section 13 Section 13 ADSP-BF533 Serial Communications a 13-1 1 BF533 Serial Communications

Section 13 Section 13 ADSP-BF533 Serial Communications a 13-1 1 BF533 Serial Communications BF533 Serial Communications Three Serial Comms Peripherals SPORTs (synchronous Serial PORTs) High Speed (up to SCLK/2) Two SPORTs

703 views • 58 slides
Sliding Window Protocol Sliding window protocol: Stop &amp; Wait: inefficient if a is

Sliding Window Protocol Sliding window protocol: Stop &amp; Wait: inefficient if a is

Computer Networks Prof. Hema A Murthy Sliding Window Protocol Sliding window protocol: Stop &amp; Wait: inefficient if a is large. Data: - stream of bulk data - data can be pipelined - transmit window of date - donot

1.71k views • 13 slides
Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features

Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features

Sliding system for concertina doors Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features The Salice system for concertina doors has been designed to open both doors on one side only, giving good access

512 views • 10 slides
Communicating with Others Arduino can use same USB cable for programming and to talk with

Communicating with Others Arduino can use same USB cable for programming and to talk with

Communicating with Others Arduino can use same USB cable for programming and to talk with computers Talking to other devices uses the Serial commands Serial.begin() prepare to use serial Serial.print() send data to

470 views • 17 slides
Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type

Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type

Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type parameters Similar to declaring a generic type but type parameter's scope is limited to method where it is declared The following are

584 views • 6 slides
USART Serial Port in AVR Microcontrollers (Chapter 11 of the Mazidis book) 1 Contents

USART Serial Port in AVR Microcontrollers (Chapter 11 of the Mazidis book) 1 Contents

Microprocessors, Lecture 6: USART Serial Port in AVR Microcontrollers (Chapter 11 of the Mazidis book) 1 Contents Serial communication Serial communication programming in C University of Tehran 2 Serial ports in AVR University of

608 views • 37 slides
Generic classes Declaration Use Annotations 54 Generic classes Declaration add

Generic classes Declaration Use Annotations 54 Generic classes Declaration add

Generic classes Declaration Use Annotations 54 Generic classes Declaration add generic types between angle brackets: public class MyStack &lt; E,F &gt;{ E item; } 55 Generic Classes Use MyStack&lt;Integer&gt; ms= new

273 views • 23 slides
1999 Gulfstream G-V serial V-581 Registration: N280PH

1999 Gulfstream G-V serial V-581 Registration: N280PH

1999 Gulfstream G-V serial V-581 Registration: N280PH Serial Number: V-581 Proven performance. With robust capabilities, flexible configurations and the maximum payload in its class,

290 views • 11 slides
Generic functional programming Basic idea: define generic functions by induction on the

Generic functional programming Basic idea: define generic functions by induction on the

A Hitchhikers Guide to the Universes (Universes for Generic Programs and Proofs) Marcin Benke Peter Dybjer Patrik Jansson Chalmers Technical University Main goals: extend generic programming to functional languages with dependent types

250 views • 10 slides
Microprocessors &amp; Interfacing Concepts Standards USART in AVR Serial

Microprocessors &amp; Interfacing Concepts Standards USART in AVR Serial

Lecture Overview Serial Communication Microprocessors &amp; Interfacing Concepts Standards USART in AVR Serial Input/Output Lecturer : Dr. Annie Guo S2, 2008 COMP9032 Week10 1 S2, 2008 COMP9032 Week10 2 Serial

335 views • 17 slides
Generic Programming in a Dependently Typed Language Generic proofs for generic programs Peter

Generic Programming in a Dependently Typed Language Generic proofs for generic programs Peter

Generic Programming in a Dependently Typed Language Generic proofs for generic programs Peter Morris pwm@cs.nott.ac.uk University of Nottingham Generic Programming in a Dependently Typed Language p. 1/12 This talk We introduce a

599 views • 45 slides

More recommend