SLIDE 1
FIDES:
Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware
Begül Bilgin, Andrey Bogdanov, Miroslav Knežević, Florian Mendel, and Qingju Wang
DIAC 2013, Chicago 1
Side Channel Resistance
2
FIDES: Lightweight Authentication Cipher with Side-Channel - - PowerPoint PPT Presentation
FIDES: Lightweight Authentication Cipher with Side-Channel - - PowerPoint PPT Presentation
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side
SLIDE 2
SLIDE 3
Side Channel Resistance
The Game...
2
SLIDE 4
Side Channel Resistance
- Mathematically secure crypto algorithms
The Game...
2
SLIDE 5
Side Channel Resistance
- Mathematically secure crypto algorithms
The Game...
2
✓ AES, RSA, Keccak, OCB, …
SLIDE 6
Side Channel Resistance
- Mathematically secure crypto algorithms
The Game...
2
- Weak implementation
✓ AES, RSA, Keccak, OCB, …
SLIDE 7
Side Channel Resistance
- Mathematically secure crypto algorithms
The Game...
2
- Weak implementation
✓ AES, RSA, Keccak, OCB, …
SLIDE 8
Side Channel Resistance
- Mathematically secure crypto algorithms
Dependency between power consumption and intermediate value (depends on the key)
The Game...
2
- Weak implementation
✓ AES, RSA, Keccak, OCB, …
SLIDE 9
Side Channel Resistance
3
SLIDE 10
Side Channel Resistance
x Change the key frequently
3
SLIDE 11
Side Channel Resistance
x Change the key frequently x Equalize power consumption
3
SLIDE 12
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
3
SLIDE 13
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
- Boolean masking
3
SLIDE 14
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
- Boolean masking
inp^m0 m0 L L
- ut^m1
m1
3
SLIDE 15
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
- Boolean masking
3
SLIDE 16
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
- Boolean masking
inp^m0 m0 S S
- ut^m1
m1
3
SLIDE 17
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
- Multiplicative masking
- Boolean masking
inp^m0 m0 S S
- ut^m1
m1
3
SLIDE 18
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
- Multiplicative masking
- Boolean masking
3
SLIDE 19
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
- Multiplicative masking
- Secret sharing e.g. Threshold Implementations [Nikova’11]
- Boolean masking
3
SLIDE 20
Side Channel Resistance
x Change the key frequently x Equalize power consumption ✓ Randomize power consumption
- Multiplicative masking
- Secret sharing e.g. Threshold Implementations [Nikova’11]
- Boolean masking
inp^m0^m1 m0 S S
- ut^m2^m3
m2 m1 S m3
3
SLIDE 21
Side Channel Resistance
4
SLIDE 22
Side Channel Resistance
Have the design
4
SLIDE 23
Side Channel Resistance
Have the design Need efficient impl.
4
SLIDE 24
Side Channel Resistance
Have the design Need efficient impl. Need secure impl.
4
SLIDE 25
Side Channel Resistance
Have the design Need efficient impl. Need secure impl. Boolean Mask Multipl. Mask TI 1st Order 2nd Order ?? Still efficient ?? HW SW
4
SLIDE 26
Side Channel Resistance
Have the design Need efficient impl. Need secure impl. Boolean Mask Multipl. Mask TI 1st Order 2nd Order
Still efficient
HW SW
5
SLIDE 27
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
6
SLIDE 28
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
- Similar to duplex sponge
6
SLIDE 29
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
- Similar to duplex sponge
- Rounds are not keyed
6
SLIDE 30
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
- Similar to duplex sponge
- Rounds are not keyed
✓
Online
6
SLIDE 31
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
- Similar to duplex sponge
- Rounds are not keyed
✓
Online
✓
Single pass
6
SLIDE 32
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
b k/n/t r FIDES-80 160 80 10 FIDES-96 192 96 12
- Similar to duplex sponge
- Rounds are not keyed
✓
Online
✓
Single pass
6
SLIDE 33
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
b k/n/t r FIDES-80 160 80 10 FIDES-96 192 96 12
- Similar to duplex sponge
- Rounds are not keyed
✓
Online
✓
Single pass
7
SLIDE 34
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
b k/n/t r FIDES-80 160 80 10 FIDES-96 192 96 12
- Similar to duplex sponge
- Rounds are not keyed
✓
Online
✓
Single pass
8
SLIDE 35
Design - Structure
16R
K||N
1R
K||0
1R
. . .
1R 1R
A1 A2 Av
1R
. . .
1R
C1
16R
Cu Mu T M1 a
b k/n/t r FIDES-80 160 80 10 FIDES-96 192 96 12
- Similar to duplex sponge
- Rounds are not keyed
✓
Online
✓
Single pass
9
SLIDE 36
Design - Structure
State SubBytes ShiftRows MixColumns ConstantAddition 1R
10
SLIDE 37
Design - Structure
State SubBytes ShiftRows MixColumns ConstantAddition 1R
11
SLIDE 38
Design - Structure
State SubBytes ShiftRows MixColumns ConstantAddition 1 2 7 1R
12
SLIDE 39
Design - Structure
State SubBytes ShiftRows MixColumns ConstantAddition Almost MDS
branch number is 4
1R
13
SLIDE 40
Design - Structure
State SubBytes ShiftRows MixColumns ConstantAddition 1R
14
SLIDE 41
- FIDES-80: 5-bit Almost Bent (AB)
- ptimal resistance against differential & linear cryptanalysis
- degree 2 (two), 3(one), 4(one)
- FIDES-96: 6-bit Almost Perfect Nonlinear (APN)
- ptimal resistance against differential cryptanalysis
- degree 4
Design - S-boxes
15
SLIDE 42
- FIDES-80: 5-bit Almost Bent (AB)
- ptimal resistance against differential & linear cryptanalysis
- degree 2 (two), 3(one), 4(one)
- FIDES-96: 6-bit Almost Perfect Nonlinear (APN)
- ptimal resistance against differential cryptanalysis
- degree 4
Design - S-boxes
++Low latency++
15
SLIDE 43
- FIDES-80: 5-bit Almost Bent (AB)
- ptimal resistance against differential & linear cryptanalysis
- degree 2 (two), 3(one), 4(one)
- FIDES-96: 6-bit Almost Perfect Nonlinear (APN)
- ptimal resistance against differential cryptanalysis
- degree 4
Design - S-boxes
++Low latency++
15
SLIDE 44
- FIDES-80: 5-bit Almost Bent (AB)
- ptimal resistance against differential & linear cryptanalysis
- degree 2 (two), 3(one), 4(one)
- FIDES-96: 6-bit Almost Perfect Nonlinear (APN)
- ptimal resistance against differential cryptanalysis
- degree 4
Design - S-boxes
++Low latency++
16
SLIDE 45
Design - S-boxes
17
SLIDE 46
Design - S-boxes
Affine Equivalent to AB permutation with degree 2
17
SLIDE 47
Design - S-boxes
Affine Equivalent to AB permutation with degree 2
17
# of S-boxes # of GE (UMC 180nm)
Unshared S-box Shared S-box
45 50 55 60 65 70 75 80 85 95 100 105 5000 10000 15000 20000 25000 5000 10000 15000 20000 25000 135 145 155 165 175 185 195 205 215 225 235 245 255 90
SLIDE 48
Design - S-boxes
# of S-boxes
Unshared S-box Shared S-box
45 50 55 60 65 70 75 80 85 90 95 100 105 5000 10000 15000 20000 25000 5000 10000 15000 20000 25000 135 145 155 165 175 185 195 205 215 225 235 245 255
# of GE (UMC 180nm)
18
Affine Equivalent to AB permutation with degree 2
SLIDE 49
Design - S-boxes
# of S-boxes
Unshared S-box Shared S-box
45 50 55 60 65 70 75 80 85 90 95 100 105 5000 10000 15000 20000 25000 5000 10000 15000 20000 25000 135 145 155 165 175 185 195 205 215 225 235 245 255
# of GE (UMC 180nm)
18
Affine Equivalent to AB permutation with degree 2 Similar for APN
SLIDE 50
Security Analysis
# # Active Active S-box # rnd. any diff. zero diff. 1
- 2
4
- 3
7
- 4
16
- 5
22
- 6
32 52 7 42 49 8 48 48
19
SLIDE 51
Security Analysis
# # Active Active S-box # rnd. any diff. zero diff. 1
- 2
4
- 3
7
- 4
16
- 5
22
- 6
32 52 7 42 49 8 48 48
- Differential & Linear Cryptanalysis
19
SLIDE 52
Security Analysis
# # Active Active S-box # rnd. any diff. zero diff. 1
- 2
4
- 3
7
- 4
16
- 5
22
- 6
32 52 7 42 49 8 48 48
- Differential & Linear Cryptanalysis
16 rounds: 2-4x48x2= 2-384
19
SLIDE 53
Security Analysis
# # Active Active S-box # rnd. any diff. zero diff. 1
- 2
4
- 3
7
- 4
16
- 5
22
- 6
32 52 7 42 49 8 48 48
- Differential & Linear Cryptanalysis
16 rounds: 2-4x48x2= 2-384
- Collision Trails
19
SLIDE 54
Security Analysis
# # Active Active S-box # rnd. any diff. zero diff. 1
- 2
4
- 3
7
- 4
16
- 5
22
- 6
32 52 7 42 49 8 48 48
- Differential & Linear Cryptanalysis
16 rounds: 2-4x48x2= 2-384
- Collision Trails
16 rounds: 2-4x(48+48)= 2-384
19
SLIDE 55
Security Analysis
# # Active Active S-box # rnd. any diff. zero diff. 1
- 2
4
- 3
7
- 4
16
- 5
22
- 6
32 52 7 42 49 8 48 48
- Differential & Linear Cryptanalysis
16 rounds: 2-4x48x2= 2-384
- Collision Trails
16 rounds: 2-4x(48+48)= 2-384
- Impossible Differential
19
SLIDE 56
Security Analysis
# # Active Active S-box # rnd. any diff. zero diff. 1
- 2
4
- 3
7
- 4
16
- 5
22
- 6
32 52 7 42 49 8 48 48
- Differential & Linear Cryptanalysis
16 rounds: 2-4x48x2= 2-384
- Collision Trails
16 rounds: 2-4x(48+48)= 2-384
- Impossible Differential
9 rounds
19
SLIDE 57
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
20
SLIDE 58
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
21
SLIDE 59
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
21
SLIDE 60
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
21
SLIDE 61
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
21
SLIDE 62
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
21
SLIDE 63
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
22
SLIDE 64
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
23
SLIDE 65
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
23
SLIDE 66
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
23
SLIDE 67
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
23
SLIDE 68
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
23
SLIDE 69
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T
Implementation
24
SLIDE 70
Performance
3000 6000 9000 12000 15000 FIDES-80-S FIDES-80-4S FIDES-80-R FIDES-80-T FIDES-96-S FIDES-96-4S FIDES-96-R FIDES-96-T
Area in GE
NXP 90nm NANGATE 45nm UMC 130nm
FIDES on Different Technologies
25
SLIDE 71
Performance
120 240 360 480 600 2000 4000 6000 8000 Throughput (kb/s) Area (GE)
FIDES-80 FIDES-96 ALE AES-CCM ASC-1 A ASC-1 B c-QUARK KECCAK-200-MD Hummingbird2
26
SLIDE 72
Conclusion
FIDES
27
SLIDE 73
- Lightweight AE
- less than 1500GE
- online, single-pass
Conclusion
FIDES
27
SLIDE 74
- Lightweight AE
- less than 1500GE
- online, single-pass
- with Side Channel Resistance
- TI less than 5000 GE
Conclusion
FIDES
27
SLIDE 75
- Lightweight AE
- less than 1500GE
- online, single-pass
- with Side Channel Resistance
- TI less than 5000 GE
- and 80-bit or 90-bit security
- AB and APN permutations
- almost MDS
Conclusion
FIDES
27
SLIDE 76
THANK YOU!
28