lightweight block cipher design
play

Lightweight Block Cipher Design Gregor Leander DTU Mathematics, - PowerPoint PPT Presentation

Aug 01, 2023 •17 likes •577 views

Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school May/June 2011 G. Leander Lightweight Block Cipher Design Motivation Industry

  1. Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school May/June 2011 G. Leander Lightweight Block Cipher Design

  2. Motivation Industry Academia We Start To Cheat... And Fail! Outline Motivation 1 Industry 2 Academia 3 We Start To Cheat... And Fail! 4 G. Leander Lightweight Block Cipher Design

  3. Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Cryptography What is (not) Lightweight Cryptography Cryptography tailored to (extremely) constrained devices Not intended for everything Not intended for extremely strong adversaries Not weak cryptography Here we focus on block ciphers G. Leander Lightweight Block Cipher Design

  4. Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Cryptography Figure: Upcoming IT-Landscape G. Leander Lightweight Block Cipher Design

  5. Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Cryptography Question Why do we need Lightweight Crypto? Upcoming IT-Landscape is pervasive Many cheap devices (Extremely) constrained in computational power battery memory G. Leander Lightweight Block Cipher Design

  6. Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Cryptography Question What about standard algorithms? AES is great for almost everywhere Mainly designed for software It is too expensive for very small devices It protects data stronger than needed G. Leander Lightweight Block Cipher Design

  7. Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Cryptography Why not simply wait 18 month? Moore’s Law Devices become cheaper. Conclusion There is a strong need for new algorithms G. Leander Lightweight Block Cipher Design

  8. Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Cryptography Figure: Tradeoffs between Security/Throughput/Area G. Leander Lightweight Block Cipher Design

  9. Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Cryptography: Industry vs. Academia Industry Non-existence of lightweight block ciphers a real problem since the 90’s. Many proprietary solutions Often: not very good. Academia Research on Lightweight block ciphers started only recently. Several proposals available. Still: some open questions. G. Leander Lightweight Block Cipher Design

  10. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! Examples Algorithms Used In Real Products Keeloq DST DECT, C2, Mifare,... What they have in common: efficient proprietary/not public (violates Kerckhoffs’ principle) non standard designs not good A lot more out there... G. Leander Lightweight Block Cipher Design

  11. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! Keeloq Keeloq A 32 bit block-cipher with a 64 bit key. Developed by Gideon Kuhn (around 1985). Sold for 10M $ to Microchip Technology Inc (1995). Algorithm for remote door openers: Cars, Garage, ... Used by: Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Volkswagen Group,... G. Leander Lightweight Block Cipher Design

  12. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! Keeloq: Overview Figure: Overview of Keeloq G. Leander Lightweight Block Cipher Design

  13. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! Design Principles of Keeloq Keeloq Unbalanced Feistel-cipher. Many, very simple rounds. small block size. relatively small key. G. Leander Lightweight Block Cipher Design

  14. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! Attacks on Keeloq Keeloq is broken (Biham, Dunkelman, Indesteege, Keller, Preneel 2008): Known plaintext: 2 16 plain-text/cipher-text pairs and 500 CPU days of computation. Chosen plaintext: 2 16 plain-text/cipher-text pairs and 200 CPU days of computation. Main weakness here: Key-scheduling is periodic. Side-Channel attack (Eisenbarth, Kasper, Moradi, Paar, Salmasizadeh, Shalmani 2008): 10 encryptions, negligible computation. Often: The master-key can be found. Summary Practical attacks with real consequences. G. Leander Lightweight Block Cipher Design

  15. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! DST DST A 40 bit block cipher with a 40 bit key. Developed by Texas Instruments Used in Exxon-Mobil Speedpass payment system (approximately 7 million transponders) In vehicle immobilizer systems of Ford, Lincoln, Mercury, Toyota, Nissan. following Wikipedia: “one of the most widely-used unbalanced Feistel ciphers in existence” G. Leander Lightweight Block Cipher Design

  16. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! DST: Overview Figure: Overview of DST G. Leander Lightweight Block Cipher Design

  17. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! Design Principles of DST DST Unbalanced Feistel-cipher. Many, very simple rounds. small block size. very small key. non-standard key mixing. G. Leander Lightweight Block Cipher Design

  18. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! Attacks on DST No attacks needed! Brute Force feasible. One a PC: Several weeks With specialized hardware (COPACOBANA 10kEUR): 9 min. Main weakness here: small key Question Is the design sound? Summary Practical attacks with real consequences. G. Leander Lightweight Block Cipher Design

  19. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! Why? Question Why do they do that? Answer I They do not know better Answer II They have to. Often a combination of both. G. Leander Lightweight Block Cipher Design

  20. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! How? Some common design principles: Relative small block-size Relative small key-size Many simple rounds We can learn from that! We will rediscover (some of) those in the modern lightweight block ciphers G. Leander Lightweight Block Cipher Design

  21. Motivation Keeloq Industry DST Academia What Can We Learn For Those? We Start To Cheat... And Fail! How? Some weaknesses: Overly simplified key scheduling Non-standard components We can learn from that!? We will rediscover (some of) those in the modern lightweight block ciphers G. Leander Lightweight Block Cipher Design

  22. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! Why? Question Why do they do that? Answer II They have to. We need secure well analyzed public ciphers for highly resource constrained devices. G. Leander Lightweight Block Cipher Design

  23. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! General Design Philosophy Guidelines/Goals Efficiency: Here mainly area Simplicity Security G. Leander Lightweight Block Cipher Design

  24. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! Design Considerations: Hardware Hardware What do things cost in hardware? Suggestion Make it an interdisciplinary project! G. Leander Lightweight Block Cipher Design

  25. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! Cost Overview Question What should/should not be used? Rule of Thumb: NOT: 0 . 5 GE NOR: 1 GE AND: 1 . 33 GE OR: 1 . 33 XOR: 2 . 67 Registers/Flipflops: 6 − 12 GE per bit! G. Leander Lightweight Block Cipher Design

  26. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! Design Decisions I Question Block size/ Key size? Storage (FF) is expensive in hardware. Block size of 128 is too much. We do not have to keep things secret forever. Decision Relative Small Block Size: 32,48 or 64 Key size: 80 bit often enough G. Leander Lightweight Block Cipher Design

  27. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! Design Decisions Question Feistel vs. SP-Network? G. Leander Lightweight Block Cipher Design

  28. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! Feistel Cipher Figure: Feistel Cipher (DES) G. Leander Lightweight Block Cipher Design

  29. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! SP-Network Figure: SP-Network (AES) G. Leander Lightweight Block Cipher Design

  30. Motivation Why? Industry Design Considerations Academia Examples We Start To Cheat... And Fail! Design Decisions Question Feistel vs. SP-Network? Pro-Feistel: Potentially Reduced complexity. (Strongly) unbalanced Feistel. Decryption can be almost free. Pro-SP: Often: Encryption only. Less rounds/Easier to analyze? Decision Both reasonable. G. Leander Lightweight Block Cipher Design

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Sardinia

Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Sardinia

Motivation Industry Academia Lightweight: 2nd Generation NIST Initiative Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Sardinia 2015 Motivation Industry Academia Lightweight: 2nd Generation NIST

1.4k views • 95 slides
Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Croatia 2014

Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Croatia 2014

Motivation Industry Academia A Critical View Lightweight: 2nd Generation Wrap-Up Lightweight Block Cipher Design Gregor Leander HGI, Ruhr University Bochum, Germany Croatia 2014 Motivation Industry Academia A Critical View Lightweight:

1.77k views • 79 slides
Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA,

Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA,

Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA, Switzerland - Mara Naya-Plasencia FHNW, Windisch, Switzerland and University of Versailles, France - Markku-Juhani O. Saarinen Revere

263 views • 15 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
observations on the simon block cipher family Stefan Klbl 1 lightweight cryptography What is

observations on the simon block cipher family Stefan Klbl 1 lightweight cryptography What is

Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum, Germany observations on the simon block cipher family Stefan Klbl 1

809 views • 60 slides
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G. Leander 1 , C. Paar 1 , A. Poschmann 1 , M.J.B. Robshaw 3 , Y. Seurin 3 , and C. Vikkelsoe 2 1 Horst-G ortz-Institute for IT-Security, Ruhr-University

400 views • 15 slides
ACORN v3 A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC

ACORN v3 A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC

ACORN v3 A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC 2016 ACORN 1 Different Design Approaches: AES-NI (AEGIS) Fast SIMD (MORUS) Mode (JAMBU) Lightweight Dedicated ( ACORN ) DIAC 2016 ACORN 2

358 views • 15 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

681 views • 51 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
ACORN A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC 2014

ACORN A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC 2014

ACORN A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC 2014 ACORN 1 ACORN DIAC 2014 ACORN 2 Different Design Approaches: AES-NI (AEGIS) Fast SIMD (MORUS) Mode (JAMBU) Lightweight Dedicated ( ACORN

1.06k views • 13 slides
Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The

Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The

Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The SIMON and SPECK Families of Lightweight Block Ciphers Two families of lightweight block ciphers (10 variants for each) Tomer Ashur Simon:

784 views • 51 slides
January 15, 2013 MEMORANDUM TO: Chairman Macfarlane Commissioner Svinicki Commissioner

January 15, 2013 MEMORANDUM TO: Chairman Macfarlane Commissioner Svinicki Commissioner

January 15, 2013 MEMORANDUM TO: Chairman Macfarlane Commissioner Svinicki Commissioner Apostolakis Commissioner Magwood Commissioner Ostendorff FROM: R. W. Borchardt /RA/ Executive Director for Operations SUBJECT: BACKGROUND MATERIAL ON

287 views • 5 slides
Extending and Updating the Tool Interfaces in MPI: A Request for Feedback Martin Schulz

Extending and Updating the Tool Interfaces in MPI: A Request for Feedback Martin Schulz

Extending and Updating the Tool Interfaces in MPI: A Request for Feedback Martin Schulz Technische Universitt Mnchen Fakultt fr Informatik Scalable Tools Workshop 2018 Solitude, UT July 2018 With material from Marc-Andre

336 views • 18 slides
CSE 120 July 13, 2006 Scheduling Day 4 Scheduling Deadlock Instructor: Neil Rhodes

CSE 120 July 13, 2006 Scheduling Day 4 Scheduling Deadlock Instructor: Neil Rhodes

CSE 120 July 13, 2006 Scheduling Day 4 Scheduling Deadlock Instructor: Neil Rhodes Scheduling Scheduling Goals Scheduler Throughput Part of the operating system that decides which ready process to run next Number of jobs per time

280 views • 10 slides
HSC Queue Mode Implementation Plan ~ Stage I , II, III ~ Tae-Soo Pyo Subaru Telescope 2015.

HSC Queue Mode Implementation Plan ~ Stage I , II, III ~ Tae-Soo Pyo Subaru Telescope 2015.

HSC Queue Mode Implementation Plan ~ Stage I , II, III ~ Tae-Soo Pyo Subaru Telescope 2015. 6.16 06/01/15 Basic Principle Start simple Satisfying users requirements Information : Logs, completion reports Feedback : Q/A staff

380 views • 13 slides
Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki

Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki

Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki Trigoni Computing Laboratory, University of Oxford, UK Multi-Service Networks, 11th July 2008 Scenario A Group of mini robots (agents) is exploring

863 views • 34 slides
Ferrites-by-design for Millimeter waves and Terahertz Technologies (FeMiT) The FeMiT project

Ferrites-by-design for Millimeter waves and Terahertz Technologies (FeMiT) The FeMiT project

Ferrites-by-design for Millimeter waves and Terahertz Technologies (FeMiT) The FeMiT project explained in 5 minutes Have you ever experienced connectivity issues with your mobile? What will happen if as expected there are much more mobiles, in

528 views • 6 slides
Magnetics Design Tables Geometrical data for several standard ferrite core shapes are listed here.

Magnetics Design Tables Geometrical data for several standard ferrite core shapes are listed here.

Fundamentals of Power Electronics Appendix 2 Magnetics Design Tables Geometrical data for several standard ferrite core shapes are listed here. The geometrical constant K g is a measure of core size, useful for designing inductors and

61 views • 5 slides
MI/RR Upgrades: Overview and Plans Ioanis Kourbanis Fermilab PIP-II Collaboration Meeting

MI/RR Upgrades: Overview and Plans Ioanis Kourbanis Fermilab PIP-II Collaboration Meeting

MI/RR Upgrades: Overview and Plans Ioanis Kourbanis Fermilab PIP-II Collaboration Meeting June 3-4 2014 MI/RR Performance Requirements 50% more beam intensity Operate at different energies PIP-II, Collaboration Meeting, June 2

533 views • 26 slides

More recommend