New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007
Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES? How to change DES? What are the benefits? 26.03.2007 2
Why Lightweight? – Paradigm Shift past present future Pervasive Mainframe Personal (1 : n) (n : 1) (1 : 1) Pervasive = wireless + embedded + cheap = constrained in CPU, memory, battery 26.03.2007 3
Why choose DES? „People who are still working on DES should probably start a self-help group.“ 3 approaches for lightweight crypto: 1. Minimal implementation of standard ciphers • Cipher design usually SW optimization driven • If HW optimized, then for high throughput 2. Design a new HW optimized cipher • No trust in new ciphers 3. Modify a trusted HW optimized cipher • Hope for a transition of trust 26.03.2007 4
Recall DES DES: • Published in 1977 • Probably best investigated cipher HW optimized for 1970s technology • Plenty of HW-friendly Factor 2 20 = 1.000.000 operations DES = lightweight Major Drawback: • Short keylength DESX 26.03.2007 5
Why change DES? State register S-Boxes • 6-to-4 substitution tables • highly non-linear → high Boolean compl. • 34% of area! Key schedule 32% Idea: • Replace S1...S8 by S together 30% 26.03.2007 6
How to change DES? Plenty of previous work during the 1990s… • DES design criteria (Coppersmith) • Improved resistancy against DC, LC, and DMA (Kim et al.) …But: • All previous work focused on 8 different S-boxes • No S-box fulfills all criteria by Kim et al. Detailed look on the criteria by Kim et al. 26.03.2007 7
Design Criteria for single S-box DES DESL LC Davies-Murphy Differential Attack Cryptanalysis Linear Cryptanalysis C1 C1 4R nR 3R 5R C1 C3 A=(1,2), A=(1,1) rest A=(2,1) A=(2,2) b=1 b=2 b>=2 C3 C3 C4 C2 C2 a=2 a>2 a=1 a=2 a>2 a=1 C6 C5 C2 C6 C4 C2 (000010) (010000) = Condition i C7 C8 Ci 26.03.2007 8
…18 Months later Improved DESL S-box: • Satifies all conditions • Resistant against • certain Differential Cryptanalysis, • Linear Cryptanalysis, and • Davies-Murphy Attack • Results in total area saving of 20 % 26.03.2007 9
What are the benefits? gates 1032 clk 1 clk 1 clk 1 clk 144 clk 144 clk 3400 3000 2599 2168 1857 1848 AES-128 HIGHT-128 Grain- Trivium- DESL-56 DESXL-118 128 80 Smallest known secure block cipher • Very small footprint (=cheap) in hardware • Comparable even to streamciphers • 26.03.2007 10
Thank you! Questions? www.crypto.rub.de, poschmann@crypto.rub.de
Example: 4-Round Linear Characteristic K 1 O 1 A: <I 2 ,Z 1 > + <K 2 ,Z 3 > = <O 2 ,Z 2 > I 1 B: <I 3 ,Y 1 > + <K 3 ,Y 3 > = <O 3 ,Y 2 > O 2 = I 1 + I 3 , O 3 = I 2 + I 4 K 2 O 2 I 2 15-round approximation: -AB-BA-AB-BA-AB Kim et al. Use two conditions: General: ≤ ∈ ∈ ≤ S W 6 4 • a a GF b GF wt a wt b ( ) 20 , ( 2 ) , ( 2 ) , ( ), ( ) 2 b K 3 Special: No occurence of 18 sub-cases for O 3 • I 3 wt(a)=wt(b)=1 Our conditions: General: ≤ ∈ ∈ ≤ S W 6 4 • ( a ) 20 , a GF ( 2 ) , b GF ( 2 ) , wt ( a ), wt ( b ) 2 b I 4 Special: ≤ ∈ ∈ = = • S W 6 4 ( a ) 4 , a GF ( 2 ) , b GF ( 2 ) , wt ( a ) wt ( b ) 1 b 26.03.2007 12
Recommend
More recommend
