Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi - - PowerPoint PPT Presentation

lightweight cryptography
SMART_READER_LITE
LIVE PREVIEW

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi - - PowerPoint PPT Presentation

Jul 29, 2023 123 likes •597 views

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES Design and Security of Cryptographic Functions, Algorithms, and Devices, PAGE: 1 of 33 Summer

slide-1
SLIDE 1

PAGE: 1 of 33

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

  • Hardware Perspective -

Miroslav Knežević NXP Semiconductors

Lightweight Cryptography

Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES

slide-2
SLIDE 2

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

PAGE: 2 of 33

Digital Continuum

~kb/s, μW ~Gb/s, MW

slide-3
SLIDE 3

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Typical T rade-offs in Crypto

PAGE: 3 of 33

       

slide-4
SLIDE 4

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Typical T rade-offs in Crypto

PAGE: 3 of 33

    

slide-5
SLIDE 5

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

A bit of History

PAGE: 4 of 33

450 900 1350 1800 2250 2700 3150 3600 4050 4500 1970 1977 1984 1991 1998 2005 2012

Block Ciphers

DES GOST (FK) TEA AES mCrypton SEA DESXL DESL PRESENT PUFFIN HUMMINGBIRD MIBS KATAN KATAN (FK) PRINTcipher KLEIN TWINE PICCOLO LED LED (FK) PICCOLO (FK) CLEFIA HIGHT KASUMI

Area (GE) Year

slide-6
SLIDE 6

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

A bit of History

PAGE: 4 of 33

450 900 1350 1800 2250 2700 3150 3600 4050 4500 1970 1977 1984 1991 1998 2005 2012

Block Ciphers Stream Ciphers

DES TEA mCrypton SEA HIGHT CLEFIA DESXL DESL PRESENT PUFFIN HUMMINGBIRD MIBS KATAN KATAN (FK) PRINTcipher KLEIN TWINE PICCOLO LED LED (FK) PICCOLO (FK) MICKEY TRIVIUM GRAIN KASUMI

Area (GE) Year

GOST (FK) AES

slide-7
SLIDE 7

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

A bit of History

PAGE: 4 of 33

450 900 1350 1800 2250 2700 3150 3600 4050 4500 1970 1977 1984 1991 1998 2005 2012

Block Ciphers Stream Ciphers Hash Functions

DES TEA mCrypton SEA KASUMI DESXL DESL PRESENT PUFFIN HUMMINGBIRD MIBS KATAN KATAN (FK) PRINTcipher KLEIN TWINE PICCOLO LED LED (FK) PICCOLO (FK) MICKEY TRIVIUM GRAIN HIGHT CLEFIA ARMADILLO KECCAK H-PRESENT QUARK PHOTON SPONGENT DM-PRESENT

Area (GE) Year

GOST (FK) AES

slide-8
SLIDE 8

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Block Cipher - Hardware Perspective

PAGE: 5 of 33

Block size 128-bits Key size 128-bits

Round function Key schedule

Control

Memory Datapath AES example: Round-Based Implementation Area: ~ 15,000 GE Latency: 10 cycles

slide-9
SLIDE 9

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Block Cipher - Hardware Perspective

PAGE: 5 of 33

Block size 128-bits Key size 128-bits

Round function Key schedule

Control

Memory Datapath AES example: Serial Implementation Area: ~ 2,400 GE Latency: 226 cycles

slide-10
SLIDE 10

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Key size ≥ 80 bits

PAGE: 6 of 33

Memory Round function Key schedule Control logic

90 - 95%

Block size ≥ 32 bits BALANCE! MINIMIZE!

Block Cipher - Hardware Perspective

slide-11
SLIDE 11

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Key size ≥ 80 bits Block size ≥ 32 bits

PAGE: 6 of 33

Block Cipher - Hardware Perspective

slide-12
SLIDE 12

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Key size ≥ 80 bits Block size ≥ 32 bits

PAGE: 6 of 33

Block Cipher - Hardware Perspective

Block size ≥ 32 bits

Fixed Key Arbitrary Key

slide-13
SLIDE 13

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

PAGE: 7 of 33

KATAN - Minimalistic Design

L1! L2!

x5! x4! x3! x2! x1! y2! y3! y4! y5! y6! y1! kb! ka! IR!

key_reg!

60!

kb!

79! 78! 59! 49! 48! 12! 11! 1! 0!

ka!

T!

6! 7! 4! 2! 0!

IR!

Round function and Control logic merged!

462 GE

slide-14
SLIDE 14

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

PAGE: 7 of 33

KATAN - Minimalistic Design

L1! L2!

x5! x4! x3! x2! x1! y2! y3! y4! y5! y6! y1! kb! ka! IR!

T!

6! 7! 4! 2! 0!

IR!

Round function and Control logic merged! Expanded Key stored in silicon! Only 508 bits of Expanded Key!

Avoid a weak key schedule: KTANTAN! 315 GE + 508 bits of ROM

slide-15
SLIDE 15

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

PAGE: 8 of 33

PRESENT - Small and Scalable

~ 1500 GE

PRESENT

  • like Permutation

Round-based Implementation

slide-16
SLIDE 16

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

PRESENT - Small and Scalable

~ 1000 GE

PRESENT

  • like Permutation

Serial Implementation

PAGE: 8 of 33

slide-17
SLIDE 17

Hardware Perspective

Lightweight Cryptography

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

A Battle for a Single Gate

PRESENT UMC180 IHP250 AMIS350 synopsys ~1kGE KATAN UMC130 synopsys ≥450 GE Piccolo 130nm synopsys ≥700 GE QUARK UMC180 synopsys cadence ≥1.4 kGE PHOTON UMC180 synopsys ≥850 GE SPONGENT UMC130 synopsys ≥750 GE LED 180nm synopsys ≥700 GE

PAGE: 11 of 33

slide-18
SLIDE 18

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

750 1500 2250 3000 521 737 918 1192 1340 738 1060 1329 1728 1950

759 1103 1367 1768 2012 868 1256 1571 2071 2323

88/80/8 128/128/8 160/160/16 224/224/16 256/256/16 NXP90 UMC130 UMC180 NANGATE45

Fair Comparison - Mission (Im)possible?

Spongent in 4 different techs U P T O 7 % D I F F E R E N C E ! Area (GE)

PAGE: 12 of 33

slide-19
SLIDE 19

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Fair Comparison - Mission (Im)possible?

2 4 6 8

scan FF NXP90 UMC130 UMC180 NANGATE45 < 5 GE/sFF 6.25 GE/sFF 7.67 GE/sFF 6.67 GE/sFF

Open Core Library!

Area (GE)

PAGE: 13 of 33

slide-20
SLIDE 20

Lightweight Cryptography

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

1000 2000 3000 4000 869 1257 1572 2070 2323 1067 1394 1741 2142 2675

1744 2200 3001

80/88 128 160 224 256 Spongent Photon Quark

Fair Comparison - Mission Possible?

Area (GE) Hash Output

Fixed Benchmark: 45 nm Open Core NANGATE library, Cadence RTL Compiler, Original RTL Code.

PAGE: 14 of 33

slide-21
SLIDE 21

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Typical T rade-offs in Crypto

   

PAGE: 15 of 33

slide-22
SLIDE 22

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Typical T rade-offs in Crypto

AES

Keccak Groestl B l a k e

NOEKEON PRESENT LED K L E I N M I N I

  • A

E S MCRYPTON

Photon K A T A N P i c c

  • l
  • S

P O N G E N T TEA SEA P R I N T c i p h e r Quark

?

Skein SHA-256 J H T R I V I U M Grain I D E A

                      

Serpent T w

  • fi

s h Square 3 D E S

PAGE: 16 of 33

slide-23
SLIDE 23

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Typical T rade-offs in Crypto

AES

Keccak Groestl B l a k e

NOEKEON PRESENT LED K L E I N M I N I

  • A

E S MCRYPTON

Photon K A T A N P i c c

  • l
  • S

P O N G E N T TEA SEA P R I N T c i p h e r Quark

?

Skein SHA-256 J H T R I V I U M Grain I D E A

       

Serpent T w

  • fi

s h Square 3 D E S

PAGE: 16 of 33

slide-24
SLIDE 24

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

AES

K e c c a k Groestl Blake

NOEKEON PRESENT LED K L E I N M I N I

  • A

E S M C R Y P T O N

Photon KATAN Piccolo SPONGENT TEA SEA P R I N T c i p h e r Quark Skein SHA-256 J H TRIVIUM Grain IDEA Serpent T w

  • fi

s h Square 3DES

A kid in a T

  • y store

PAGE: 17 of 33

slide-25
SLIDE 25

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

AES NOEKEON PRESENT LED K L E I N M I N I

  • A

E S M C R Y P T O N

A kid in a T

  • y store

PAGE: 17 of 33

slide-26
SLIDE 26

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

AES NOEKEON PRESENT LED KLEIN MINI-AES MCRYPTON

Variety of Choices

128 128 8 MDS LIGHT 128 128 4 BINARY NO 64 64 4 MDS LIGHT 64 64, 96, 128 4 BINARY LIGHT 64 80, 128 4

BIT PERMUTATION

LIGHT 64 64, 80, 96 4 MDS LIGHT 64 64, 128 4 MDS NO

BLOCK-SIZE KEY-SIZE S-BOX P-LAYER KEY SCHEDULE

PAGE: 18 of 33

slide-27
SLIDE 27

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Latency vs Throughput

Latency = 15 s Throughput = 0.067 beer/s

PAGE: 19 of 33

slide-28
SLIDE 28

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Latency vs Throughput

Latency = 15 s Throughput = 0.2 beer/s

Parallel Processing

PAGE: 19 of 33

slide-29
SLIDE 29

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Latency vs Throughput

Latency = 15 s Throughput = 0.2 beer/s

Pipelining

PAGE: 19 of 33

slide-30
SLIDE 30

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Latency vs Throughput

Latency = 5 s Throughput = 0.2 beer/s

Ad Fundum

PAGE: 19 of 33

slide-31
SLIDE 31

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Six Architectures

R1 R2 Rn … R1 Rn/2 … R1 R2 Rn … Rn Rn -1 R1 …

  • 1
  • 1
  • 1

R1 Rn/2 … Rn/2 R1 …

  • 1
  • 1

R1/Rn

… …

  • 1

R2/Rn -1

  • 1

Rn /R1

  • 1

R1/Rn/2

  • 1

Rn /2/R1

  • 1

(a) (b) (c) (d) (e) (f)

PAGE: 20 of 33

slide-32
SLIDE 32

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Number of Rounds vs Key Size

      



PAGE: 21 of 33

slide-33
SLIDE 33

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Results - Latency

12,5 25 37,5 50

17,8 15,3 20,3 25,3 31,2 46,6 9,8 9,8 9,8 9,9 14,8 15,5 14,8 14,7 20,2 16,4 21,4 26,4 32,8 48,2 10,8 10,8 11 12 17 17,4 16,4 16,6

1-cycle 2-cycle

A E S

  • 1

2 8 K L E I N

  • 6

4 K L E I N

  • 9

6 K L E I N

  • 1

2 8 L E D

  • 6

4 L E D

  • 1

2 8 M C R Y P T O N

  • 6

4 M C R Y P T O N

  • 9

6 M C R Y P T O N

  • 1

2 8 M I N I

  • A

E S

  • 6

4 N O E K E O N

  • 1

2 8 N O E K E O N s

  • 1

2 8 P R E S E N T

  • 8

P R E S E N T

  • 1

2 8

*ENC/DEC; Max Time-Constrained PAGE: 22 of 33

slide-34
SLIDE 34

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Results - Area

100 200 300 400

366,6 48,2 63,7 79,9 128,7 193,1 41,3 40,4 41,4 40 102,5 49,5 72,3 73,8 191,8 24,9 32,6 41,3 63,5 96 20,9 21,1 21 22 49,6 27,1 37,6 37,1

1-cycle 2-cycle

A E S

  • 1

2 8 K L E I N

  • 6

4 K L E I N

  • 9

6 K L E I N

  • 1

2 8 L E D

  • 6

4 L E D

  • 1

2 8 M C R Y P T O N

  • 6

4 M C R Y P T O N

  • 9

6 M C R Y P T O N

  • 1

2 8 M I N I

  • A

E S

  • 6

4 N O E K E O N

  • 1

2 8 N O E K E O N s

  • 1

2 8 P R E S E N T

  • 8

P R E S E N T

  • 1

2 8

*ENC/DEC; Max Time-Constrained PAGE: 23 of 33

slide-35
SLIDE 35

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Results - Average Latency per Round

0,5 1 1,5 2

1,78 1,28 1,27 1,27 0,98 0,97 0,82 0,82 0,82 0,99 0,93 0,97 0,48 0,47 1,48 0,93 0,93 0,92 0,97 0,96 0,81 0,81 0,81 0,86 0,93 0,46 0,46

ENC/DEC ENC

A E S

  • 1

2 8 K L E I N

  • 6

4 K L E I N

  • 9

6 K L E I N

  • 1

2 8 L E D

  • 6

4 L E D

  • 1

2 8 M C R Y P T O N

  • 6

4 M C R Y P T O N

  • 9

6 M C R Y P T O N

  • 1

2 8 M I N I

  • A

E S

  • 6

4 N O E K E O N

  • 1

2 8 N O E K E O N s

  • 1

2 8 P R E S E N T

  • 8

P R E S E N T

  • 1

2 8

*1-cycle Architecture; Max Time-Constrained PAGE: 24 of 33

slide-36
SLIDE 36

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Results - Area per Round Distribution

PRESENT-80, ENC only

         



         



         



         



         



         



PAGE: 25 of 33

slide-37
SLIDE 37

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Hardware Recommendations

We provide hardware recommendations for designing low- latency primitives. Evaluated ciphers are designed with low-area and low-power in mind and not to satisfy new low-latency requirements. Still, we can learn quite a lot from their constructions.

PAGE: 26 of 33

slide-38
SLIDE 38

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Hardware Recommendations

  • Sbox-

Use small Sboxes (4-bit or even 3-bit ones). Even among them there are significant differences in latency and area [24]. These differences are library dependent.

  • G. Leander and A. Poschmann, On the Classification of 4-bit Sboxes, in Arithmetic of Finite Fields, First International

Workshop - WAIFI 2007, volume 4547 of Lecture Notes in Computer Science, pages 159-176, 2007. [24] PAGE: 27 of 33

slide-39
SLIDE 39

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Hardware Recommendations

  • Number of Rounds-

Minimize!

PAGE: 28 of 33

slide-40
SLIDE 40

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Hardware Recommendations

  • Round Complexity-

Not too low complexity. Reduce the number of rounds at the cost of (slightly) heavier round.

PAGE: 29 of 33

slide-41
SLIDE 41

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Hardware Recommendations

  • Key Schedule-

Number of rounds should be independent of the key schedule. Use constant addition instead of a key schedule (if possible).

PAGE: 30 of 33

slide-42
SLIDE 42

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Hardware Recommendations

  • Heterogeneous Constructions-

Last few rounds of the cipher are smaller than the middle

  • nes.

Make those few rounds more computationally complex. Not very good for compact implementations.

PAGE: 31 of 33

slide-43
SLIDE 43

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Hardware Recommendations

  • Encryption vs Decryption-

Use involution: f(f(x)) = x. Make Encryption and Decryption procedures similar. BUT: Think “application oriented” - sometimes is beneficial to have “asymmetric” constructions.

PAGE: 32 of 33

slide-44
SLIDE 44

Hardware Perspective

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

Lightweight Cryptography

Conclusions

meet PRINCE

AES AES PRESENT PRESENT PRINCE PRINCE

Latency [ns] Area [kGE]

  • J. Borghoff, A. Canteaut, T. Guneysu, E. B. Kavun, M. Knezevic, L. R. Knudsen, G. Leander,
  • V. Nikov, C. Paar, C. Rechberger, P

. Rombouts, S. Thomsen, T. Yalcin, PRINCE - A Low-latency Block Cipher for Pervasive Computing Applications, to appear in ASIACRYPT 2012. PAGE: 33 of 33

slide-45
SLIDE 45

Design and Security of Cryptographic Functions, Algorithms, and Devices, Summer School, Albena, Bulgaria, June 30-July 5, 2013.

PAGE: THE END

Thank you!