future challenges for lightweight cryptography
play

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL - PowerPoint PPT Presentation

Jan 23, 2023 •162 likes •844 views

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013 Outline 1 1. Past results 2. Future challenges 1. Block ciphers 2 TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT,

  1. Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013

  2. Outline 1 1. Past results 2. Future challenges

  3. 1. Block ciphers 2 • TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT, mCrypton, SEA, PRESENT, KATAN, MIBS, LED, Piccolo, Lblock, KLEIN, PRINCE, …

  4. 1. Block ciphers 2 • TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT, mCrypton, SEA, PRESENT, KATAN, MIBS, LED, Piccolo, Lblock , KLEIN, PRINCE, … • Mostly developed independently (1994-2012)

  5. 1. Block ciphers 2 • TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT, mCrypton, SEA, PRESENT, KATAN, MIBS, LED, Piccolo, Lblock, KLEIN, PRINCE, … • Mostly developed independently (1994-2012) • Existing implementations in different technologies • Few comparative studies • Lack of standardization / competition?

  6. Comparison issue 3 • Evaluation criteria are usually relative … … and reflect algorithmic and implementation choices

  7. Comparison issue 3 • Evaluation criteria are usually relative … … and reflect algorithmic and implementation choices • But some of them reflect the algorithms better

  8. Comparison issue 4 • Evaluation criteria are usually relative … … and reflect algorithmic and implementation choices • But some of them reflect the algorithms better • More parameters fixed => easier interpretation • Comparisons also depend on the designer’s skills… => Next: various ECRYPT examples

  9. 1.1. Block ciphers in software 5 • e.g. lightweight platform: ATMEL AtTiny45 • 8-bit RISC • 4kB flash memory, 256 bytes RAM • Direct and indirect addressing • 120 instructions (no multiplier) • 2-stage pipeline • Typically 1 cycle per instruction

  10. 1.1. Block ciphers in software 5 • e.g. lightweight platform: ATMEL AtTiny45 • 8-bit RISC • 4kB flash memory, 256 bytes RAM • Direct and indirect addressing • 120 instructions (no multiplier) • 2-stage pipeline • Typically 1 cycle per instruction • Assembly language • Easy to read • Minimize code size and RAM ( up to some extent! ) • Encryption & decryption, on-the-fly key scheduling • Common interface for all designers

  11. Code size 6

  12. Code size 6 HW-oriented ciphers are bigger

  13. Code size 6 As well as “standard” ones (but not that much)

  14. Cycle count 7

  15. Cycle count 7 Iteration of many simple functions is slower

  16. RAM 8

  17. RAM 8 Precomputed key-scheduling

  18. RAM 8 Mostly reflects state size

  19. Combined metric 9

  20. Combined metric 9 No huge differences for most ciphers (factor<5)

  21. Combined metric 9 AES behaves pretty good!

  22. Lessons learned 10 • Software comparisons relatively easy to interpret • Because hardware is fixed • (limited code size vs. cycle count tradeoff)

  23. Lessons learned 10 • Software comparisons relatively easy to interpret • Because hardware is fixed • (limited code size vs. cycle count tradeoff) • Lightweight ciphers vs. AES • Gain in code size is possible • At the cost of higher cycle counts • RAM use essentially reflects state/key size

  24. Lessons learned 10 • Software comparisons relatively easy to interpret • Because hardware is fixed • (limited code size vs. cycle count tradeoff) • Lightweight ciphers vs. AES • Gain in code size is possible • At the cost of higher cycle counts • RAM use essentially reflects state/key size • BTW, all codes are open source: http://perso.uclouvain.be/fstandae/source_codes/lightweight_ciphers/

  25. 1.2. Block ciphers in hardware 11 • Hardware (instructions) not fixed • Criteria more reflective of HW design choices

  26. 1.2. Block ciphers in hardware 11 • Hardware (instructions) not fixed • Criteria more reflective of HW design choices • Yet, their relevance to algorithm may differ

  27. Case study: min. energy architectures 12 • Low-power 65nm CMOS • Two target frequencies: f max and f 100 • Metrics: area, delay, power, energy, throughput

  28. Case study: min. energy architectures 12 • Low-power 65nm CMOS • Two target frequencies: f max and f 100 • Metrics: area, delay, power, energy, throughput • Flexible architecture • 3 core options (Enc, Dec, Enc/Dec) • Unrolling parameter Nr rounds per cycle

  29. 13 ?

  30. 13 ? 12

  31. 14 ? 12

  32. 14 ? 12

  33. 15 ? 12

  34. 15 ? 12

  35. 16 ? 12

  36. 16 ? 12

  37. 17 ? 12

  38. Lessons learned 18 • Normalized metrics more illustrative • Energy (integrated over time) • Throughput/area

  39. Lessons learned 18 • Normalized metrics more illustrative • Energy (integrated over time) • Throughput/area • Most significant differences between algorithms depend on the key scheduling and E/D combination

  40. Lessons learned 18 • Normalized metrics more illustrative • Energy (integrated over time) • Throughput/area • Most significant differences between algorithms depend on the key scheduling and E/D combination • When using the same gate count / delay per cycle, all algorithms end up with similar cycle count • Suggests « complexity limit » for secure ciphers

  41. Lessons learned 18 • Normalized metrics more illustrative • Energy (integrated over time) • Throughput/area • Most significant differences between algorithms depend on the key scheduling and E/D combination • When using the same gate count / delay per cycle, all algorithms end up with similar cycle count • Suggests « complexity limit » for secure ciphers • AES again behaves pretty good

  42. 1.3. Technology scaling 19 • Between and within technologies (freq vs. Vdd)

  43. 65nm case study 20 • How relevant are algorithmic changes?

  44. Conclusion 21 • For most applications, AES is probably good enough

  45. Conclusion 21 • For most applications, AES is probably good enough • If a lightweight cipher is needed (for gate count, area), existing candidates are probably good enough

  46. Conclusion 21 • For most applications, AES is probably good enough • If a lightweight cipher is needed (for gate count, area), existing candidates are probably good enough • Changing algorithms is expensive and its impact on performances may be limited (yet, non negligible) compared to the one of technology scaling

  47. Conclusion 21 • For most applications, AES is probably good enough • If a lightweight cipher is needed (for gate count, area), existing candidates are probably good enough • Changing algorithms is expensive and its impact on performances may br limited (yet, non negligible) compared to the one of technology scaling • Does not mean we de not need new ciphers • Rather that new ciphers should bring new perspectives (design techniques, properties, …)

  48. Outline 22 1. Past results 2. Future challenges

  49. Q1. Hash functions in software? 23 • Similar case study as for block ciphers • Atmel AVR AtTiny45 benchmarking • Again open source: • http://perso.uclouvain.be/fstandae/source_codes/hash_atmel/

  50. RAM 24 * * * * * * * * *

  51. Cycle count 25

  52. Combined metric 26

  53. Open problem 27 • Much larger differences than for block ciphers • More differences in state sizes • e.g. Keccak has a 1600-bit state • More tradeoffs available (e.g. for sponges) • More versatility in designs • Larger security margins?

  54. Open problem 27 • Much larger differences than for block ciphers • More differences in state sizes • e.g. Keccak has a 1600-bit state • More tradeoffs available (e.g. for sponges) • More versatility in designs • Larger security margins? • What is the best approach for lightweight hash functions?

  55. Q2. Hash functions in hardware 28 • Reference point: AES in hardware ( cfr. Stefan Mangard’s talk at the AES day in Bruges ) • Extremely clear tradeoffs • For 8-bit, 32-bit, 64-bit and 128-bit designs • Most likely well optimized

  56. Q2. Hash functions in hardware 28 • Reference point: AES in hardware ( cfr. Stefan Mangard’s talk at the AES day in Bruges ) • Extremely clear tradeoffs • For 8-bit, 32-bit, 64-bit and 128-bit designs • Most likely well optimized • Implementations of SHA3 candidates (and Keccak) • More results on high-speed than low-cost

  57. Q2. Hash functions in hardware 28 • Reference point: AES in hardware ( cfr. Stefan Mangard’s talk at the AES day in Bruges ) • Extremely clear tradeoffs • For 8-bit, 32-bit, 64-bit and 128-bit designs • Most likely well optimized • Implementations of SHA3 candidates (and Keccak) • More results on high-speed than low-cost  More research needed in this direction • compact Keccak implementations seem non trivial • e.g. Kerckhof et al., Kaps et al. ( CARDIS, INDOCRYPT 2012 )

  58. Q3. Block cipher design 29

  59. Q3. Block cipher design 29 • How to design a key scheduling? • Sometimes as complex as rounds • KHAZAD, ICEBERG, SEA • Sometimes as simple as XORing the master key • NOEKEON, LED • Relations with recent works on Even-Mansour • Bogdanov et al., Dunkelman et al. ( EUROCRYPT 2012 )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event Cryptography for 2020 Tenerife January 23 rd , 2013 Organization Lightweight Cryptography: Mission Accomplished? Introduction Technical perspective

478 views • 20 slides
Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and UTwente d UT t Overview Lightweight cryptography - state of the art Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight

599 views • 39 slides
On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1 AIST, Japan Kolkata, India (16 November 2018) 1 / 38 Table of contents 1 Introduction 2 Lightweight Crypto Stack for Circuit/RAM Size Requirement

670 views • 38 slides
Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world crypto and privacy Sibenik, Croatia - June 15 2018 Outline Symmetric lightweight primitives Most used cryptanalysis Impossible

1.31k views • 76 slides
Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES Design and Security of Cryptographic Functions, Algorithms, and Devices, PAGE: 1 of 33 Summer

590 views • 45 slides
The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work with Alex Biryukov November 18, 2017 Cryptacus Workshop Taken from a document writen originally in English. The programming of billions of processors

903 views • 75 slides
NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance Performance of State-of-the-Art Cryptography on ARM-based Microprocessors Hannes Tschofenig &amp; Manuel Pegourie-Gonnard (Hannes.Tschofenig@arm.com,

509 views • 40 slides
PRESS RELEASE Trusted Objects expert on lightweight cryptography gives a presentation to the NIST

PRESS RELEASE Trusted Objects expert on lightweight cryptography gives a presentation to the NIST

PRESS RELEASE Trusted Objects expert on lightweight cryptography gives a presentation to the NIST Alexan Alexandre dre Adomn Adomnicai, icai, cryptograph cryptography y expert expert at at Truste Trusted d Obje Objects cts will will

174 views • 3 slides
Towards Green Cryptography: a Comparison of Lightweight Ciphers from the Energy Viewpoint St

Towards Green Cryptography: a Comparison of Lightweight Ciphers from the Energy Viewpoint St

Towards Green Cryptography: a Comparison of Lightweight Ciphers from the Energy Viewpoint St ephanie Kerckhof, Fran cois Durvaux, C edric Hoquet, David Bol, Fran cois-Xavier Standaert CHES 2012 September 2012 UCL Crypto Group

931 views • 49 slides
Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing

Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing

Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing Intelligence (IAI), TCG CREST International Crypto-Webniar 2020 Aug 30, 2020 N. Datta (IAI, TCG CREST) Lightweight Crypto and Classification of

1.62k views • 98 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
Light Lightweight Cryptography Pascal Lafourcade (LIMOS, France) Takaaki Mizuki (Tohoku

Light Lightweight Cryptography Pascal Lafourcade (LIMOS, France) Takaaki Mizuki (Tohoku

Light Lightweight Cryptography Pascal Lafourcade (LIMOS, France) Takaaki Mizuki (Tohoku University, Japan) Atsuki Nagao (Ochanomizu University, Japan) Kazumasa Shinagawa (Tokyo Tech / AIST, Japan) 1 2 3 4 5 6 Material 7 Agenda 1.

1.3k views • 38 slides
Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on Physical Attacks, Graz, November 28, 2012 Krzysztof Pietrzak Challenges in Leakage-ResilientSymmetric Cryptography Krzysztof Pietrzak Challenges

994 views • 96 slides
On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS Innovation Labs December 11, 2017 SUMANTA SARKAR Lightweight Cryptography Internet of Things / Connected Cars Internet of things (IoT): Network of

786 views • 45 slides
Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert Staples STVM/CSD/NIST A perspective: cryptography evolves very fast to provide security in cyberspace Emerging crypto technologies - lightweight crypto

199 views • 17 slides
Challenges for Future Cryogenic Electronics Challenges for Future Cryogenic Electronics Shaorui Li,

Challenges for Future Cryogenic Electronics Challenges for Future Cryogenic Electronics Shaorui Li,

Challenges for Future Cryogenic Electronics Challenges for Future Cryogenic Electronics Shaorui Li, Gianluigi De Geronimo, Jie Ma, Hucheng Chen, Jack Fried, Alessio DAndragora, and Veljko Radeka Brookhaven National Laboratory, NY, USA Outline:

490 views • 22 slides
Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago

Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago

Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Selecting cryptographic primitives NISTs final AES report, 2001: Security was

686 views • 50 slides
A Model for Structure Attacks, with Applications to PRESENT and Serpent Meiqin Wang 1 , Yue Sun 2

A Model for Structure Attacks, with Applications to PRESENT and Serpent Meiqin Wang 1 , Yue Sun 2

A Model for Structure Attacks, with Applications to PRESENT and Serpent Meiqin Wang 1 , Yue Sun 2 , Elmar Tischhauser 3 and Bart Preneel 3 1 Shandong University, 2 Tsinghua University, 3 KU Leuven and IBBT FSE 2012 March 19, 2012 1 / 18 Outline

636 views • 46 slides
The Core of Our Existence God chose to create Man in His own image why? God then looked at Man

The Core of Our Existence God chose to create Man in His own image why? God then looked at Man

The Core of Our Existence God chose to create Man in His own image why? God then looked at Man and said It is not good for Man to be alone; I will make him a partner. why? There is something within our nature that compels us to

671 views • 24 slides

Haran died before his father Terah in the land of his birth, in Ur of the Chaldeans. Abram and Nahor took wives; the name of Abram's wife was

509 views • 13 slides
DASP Top 10 (Smart Contract Vulns) Reca ecall ll Bitcoin Scripting language intended for

DASP Top 10 (Smart Contract Vulns) Reca ecall ll Bitcoin Scripting language intended for

DASP Top 10 (Smart Contract Vulns) Reca ecall ll Bitcoin Scripting language intended for handling transfers of digital stores of value (i.e. cash) Limited functionality to validate conditions for transactions to occur Reasonable

648 views • 10 slides
Nuclear Energy Research in Cambridge Dr Eugene Shwageraus Department of Engineering SERPENT /

Nuclear Energy Research in Cambridge Dr Eugene Shwageraus Department of Engineering SERPENT /

Nuclear Energy Research in Cambridge Dr Eugene Shwageraus Department of Engineering SERPENT / Multi-physics Workshop, LPSC Grenoble 26-27 February 2015 Nuclear Energy Education in Cambridge Undergraduate Introduction to NE, Nuclear

511 views • 17 slides
Psalm 100:1-2 Psalm 32:11 - Be glad in the L ORD , and rejoice, O righteous, and shout for

Psalm 100:1-2 Psalm 32:11 - Be glad in the L ORD , and rejoice, O righteous, and shout for

Make a joyful noise to the LORD, all the earth! Serve the LORD with gladness! Come into his presence with singing! Psalm 100:1-2 Psalm 32:11 - Be glad in the L ORD , and rejoice, O righteous, and shout for joy, all you upright in heart!

380 views • 21 slides
Chakras Demystified Manju Joshi , MA, HHC,ERYT-500,YACEP, C-IAYT, MCO-Osteo Co-Founder,

Chakras Demystified Manju Joshi , MA, HHC,ERYT-500,YACEP, C-IAYT, MCO-Osteo Co-Founder,

Chakras Demystified Manju Joshi , MA, HHC,ERYT-500,YACEP, C-IAYT, MCO-Osteo Co-Founder, GurukulYoga and Food Yogini hello@foodyogini.com www.gurukulyoga.com *** www.foodyogini.com Billions Yet To Be Served... Billions Yet To Be Fed...

461 views • 12 slides

More recommend