skinny a family of lightweight tweakable block ciphers
play

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT - PowerPoint PPT Presentation

May 12, 2023 •759 likes •1.18k views

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Klbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany

  1. Skinny – A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany Cryptography for the Internet of Things and Cloud November 6, 2017 C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 1 / 26

  2. Introduction to Skinny Skinny is a family of lightweight block ciphers presented at CRYPTO 2016. Its main features are: flexible tweakable cipher allowing several block- and tweak/key sizes an academic design that competes with the lightweight NSA cipher SIMON in terms of performance and efficiency (e.g., area in hardware) having strong security arguments against common attacks C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 2 / 26

  3. Introduction to Skinny Skinny is a family of lightweight block ciphers presented at CRYPTO 2016. Its main features are: flexible tweakable cipher allowing several block- and tweak/key sizes an academic design that competes with the lightweight NSA cipher SIMON in terms of performance and efficiency (e.g., area in hardware) having strong security arguments against common attacks A Tweakable Block Cipher and a Possible Application IV IV + 1 IV + n P P 0 P 1 P n . . . K E T K E K E K E C 0 C 1 C n C C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 2 / 26

  4. Table of Contents Introduction to Skinny 1 The Design 2 Implementation Results 3 Best Cryptanalysis so far 4 Skinny Cryptanalysis Competition (announced at FSE 2017) 5 C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 3 / 26

  5. Common Block Cipher Design - A Key-Alternating Cipher . . . K A A A . . . P R R R C Most common block ciphers iterate an unkeyed round function R Round keys are added in between The round keys are derived from the intial key K using a key-scheduling algorithm (here: a key-update function A ) C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 4 / 26

  6. Common Block Cipher Design - A Key-Alternating Cipher . . . K A A A . . . P R R R C Most common block ciphers iterate an unkeyed round function R Round keys are added in between The round keys are derived from the intial key K using a key-scheduling algorithm (here: a key-update function A ) What to do? In order to build a block cipher, one has to design a proper round function R that is efficient to implement a key schedule for deriving the round keys C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 4 / 26

  7. Designing a Round Function - Two Extremes Common block ciphers iterate a round function R several times. One can imagine two extremes: C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 5 / 26

  8. Designing a Round Function - Two Extremes Common block ciphers iterate a round function R several times. One can imagine two extremes: Employing very strong (but also very expensive) operations For instance, use very large S-boxes and a very strong diffusion layer. The number of rounds needed would be very low. C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 5 / 26

  9. Designing a Round Function - Two Extremes Common block ciphers iterate a round function R several times. One can imagine two extremes: Employing very strong (but also very expensive) operations For instance, use very large S-boxes and a very strong diffusion layer. The number of rounds needed would be very low. An extreme lightweight round function For instance, apply a single AND operation on two bits and permute the bits. The number of rounds needed would be extremely high. C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 5 / 26

  10. Designing a Round Function - Two Extremes Common block ciphers iterate a round function R several times. One can imagine two extremes: Employing very strong (but also very expensive) operations For instance, use very large S-boxes and a very strong diffusion layer. The number of rounds needed would be very low. An extreme lightweight round function For instance, apply a single AND operation on two bits and permute the bits. The number of rounds needed would be extremely high. Skinny is designed to achieve one of the best possible trade-offs! C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 5 / 26

  11. The Design Strategy the basis design is inspired by the well-known AES each of the building blocks is tailored to achieve an optimal trade-off the idea: removing any operation will lead to a much more insecure cipher the design should allow for strong security arguments against known attacks (e.g. differential and linear attacks) even in the related-key/related-tweak model C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 6 / 26

  12. Specifications and Initialization Specifications Skinny supports block sizes of either n = 64 or n = 128 bits. The tweak/key size t can be t = n , t = 2 n or t = 3 n We denote Skinny with n -bit blocks and t -bit tweak/key by Skinny-n-t C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 7 / 26

  13. Specifications and Initialization Specifications Skinny supports block sizes of either n = 64 or n = 128 bits. The tweak/key size t can be t = n , t = 2 n or t = 3 n We denote Skinny with n -bit blocks and t -bit tweak/key by Skinny-n-t The Internal State The internal state of Skinny is represented by a 4 × 4 matrix of b -bit elements: n = 64 → b = 4 n = 128 → b = 8 The plaintext P = m 0 m 1 . . . m 15 is mapped to the cipher’s initial state   m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 IS =   m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 7 / 26

  14. The Round Function The Round Function of Skinny The following ( AES -like) function is iterated on the cipher’s internal state: ART ShiftRows MixColumns >>> 1 SC AC >>> 2 >>> 3 Number of rounds for Skinny- n - t , with n -bit internal state, t -bit tweakey state. Tweakey size t Block size n n 2 n 3 n 64 32 rounds 36 rounds 40 rounds 128 40 rounds 48 rounds 56 rounds C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 8 / 26

  15. The Round Function The Round Function of Skinny The following ( AES -like) function is iterated on the cipher’s internal state: ART ShiftRows MixColumns >>> 1 SC AC >>> 2 >>> 3 Number of rounds for Skinny- n - t , with n -bit internal state, t -bit tweakey state. Tweakey size t Block size n n 2 n 3 n 64 32 rounds 36 rounds 40 rounds 128 40 rounds 48 rounds 56 rounds Number of Rounds in AES AES -128 applies 10 rounds , but uses more expensive components! C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 8 / 26

  16. The SubCells Layer Skinny SubCells The value in each cell is substituted according to the b -bit S-box S b . S b S 4 = [( x 3 , x 2 , x 1 , x 0 ) → ( x 2 , x 1 , x 0 ⊕ ( x 3 ∨ x 2 ) , x 3 )] 4 ≫ 1. (12 GE) S 8 employs a similar, very lightweight construction. (24 GE) C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 9 / 26

  17. The SubCells Layer Skinny SubCells The value in each cell is substituted according to the b -bit S-box S b . S b S 4 = [( x 3 , x 2 , x 1 , x 0 ) → ( x 2 , x 1 , x 0 ⊕ ( x 3 ∨ x 2 ) , x 3 )] 4 ≫ 1. (12 GE) S 8 employs a similar, very lightweight construction. (24 GE) AES SubBytes Each byte is substituted according to the AES S-box. It is affine equivalent to inversion in the finite field F 2 8 . x �→ L ( x 2 n − 2 ) + c (198 GE) C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 9 / 26

  18. The AddConstants Layer The Constant Addition in Skinny Round-specific constants c 0 , c 1 , c 2 are XORed to the first column of the state. They are derived c 0 from the 6-bit affine LFSR c 1 c 2 ( r 5 || r 4 || r 3 || r 2 || r 1 || r 0 ) → ( r 4 || r 3 || r 2 || r 1 || r 0 || r 5 ⊕ r 4 ⊕ 1 ) c 0 = ( r 3 || r 2 || r 1 || r 0 ) c 1 = ( 0 || 0 || r 5 || r 4 ) c 2 = 0x2 C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 10 / 26

  19. The AddConstants Layer The Constant Addition in Skinny Round-specific constants c 0 , c 1 , c 2 are XORed to the first column of the state. They are derived c 0 from the 6-bit affine LFSR c 1 c 2 ( r 5 || r 4 || r 3 || r 2 || r 1 || r 0 ) → ( r 4 || r 3 || r 2 || r 1 || r 0 || r 5 ⊕ r 4 ⊕ 1 ) c 0 = ( r 3 || r 2 || r 1 || r 0 ) c 1 = ( 0 || 0 || r 5 || r 4 ) c 2 = 0x2 ART ShiftRows MixColumns >>> 1 SC AC >>> 2 >>> 3 C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 10 / 26

  20. Introducing Tweaks - The TWEAKEY Framework 1 A Block Cipher vs. a Tweakable Block Cipher P P K E K E T C C 1 Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Tweaks and keys for block ciphers: the TWEAKEY framework . ASIACRYPT 2014. 2014. C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 11 / 26

  21. Introducing Tweaks - The TWEAKEY Framework 1 A Block Cipher vs. a Tweakable Block Cipher P P K E K E T C C The TWEAKEY Framework Tweak and key material should be handled in the same way by the tweakey schedule! tk 1 tk r − 1 tk r tk 0 . . . h h h g g g g . . . P = s 0 s r +1 = C R R s 1 s r 1 Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Tweaks and keys for block ciphers: the TWEAKEY framework . ASIACRYPT 2014. 2014. C. Beierle (HGI) The Skinny Family of Block Ciphers November 6, 2017 11 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with:

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with:

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with: Christof Beierle Stefan Klbl Gregor Leander Amir Moradi Thomas Peyrin Yu Sasaki Pascal Sasdrich Siang Meng Sim CRYPTO 2016 August 17, 2016

472 views • 33 slides
The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya,

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya,

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya, Japan - September 30, 2016 The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY website C. Beierle, J. Jean, S.

1.91k views • 55 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI,

Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI,

Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI, France September 30, 2015 ASK 2015 Based on joint work with Benot Cogliati

1.79k views • 120 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong Electrical and Computer Engineering, University of Waterloo Sept 15, 2015 Yang, Zhu, Suder, Aagaard, Gong Simeck Family

537 views • 30 slides
New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018

837 views • 55 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren

Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren

Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren Rinne, Thomas Eisenbarth, and Christof Paar Horst Grtz Institute for IT Security Ruhr-Universitt Bochum, Germany 11.06.2007 SPEED Workshop,

469 views • 18 slides
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit Cogliati Yevgeniy Dodis Jonathan Katz Jooyoung Lee John Steinberger John Steinberger Aishwarya Thiruvengadam Aishwarya Thiruvengadam Zhe Zhang

1.03k views • 41 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS Innovation Labs December 11, 2017 SUMANTA SARKAR Lightweight Cryptography Internet of Things / Connected Cars Internet of things (IoT): Network of

786 views • 45 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED cipher algorithm would be the default cipher together with AES in SRTP Motivation In Korea, many companies provide VoIP service and we

294 views • 6 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University Direction for designing a new blockcipher Priority for Choosing an algorithm 1.

464 views • 19 slides
Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 14, 2013 Announcements / Goals For

459 views • 9 slides
The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t

The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t

The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t Robshaw RSA Labs Ray Sidney RSA Labs Yiqun Lisa Yin RSA Labs (August 21, 1998) Out line N Design Philosophy N Descr ipt ion of

421 views • 19 slides
Types of Cache Misses Cold (compulsory) miss Occurs on

Types of Cache Misses Cold (compulsory) miss Occurs on

University of Washington University of Washington Types of Cache Misses Cold (compulsory) miss Occurs on very first access to a block The

512 views • 7 slides
CS 423 Operating System Design: Far too much information about interrupts Professor Adam

CS 423 Operating System Design: Far too much information about interrupts Professor Adam

CS 423 Operating System Design: Far too much information about interrupts Professor Adam Bates Fall 2018 CS423: Operating Systems Design Goals for Today Learning Objectives: Understand the role and types of of Interrupts

628 views • 43 slides

More recommend