The Lightweight Block Ciphers Zoo Nathan Keller Bar Ilan University Lightweight Crypto Day, Haifa University, 2.2.2014.

Talk outline
Block ciphers in general – definition and some history
DES (and Feistel constructions in general)
AES (and SP networks in general)
Attacks on AES (related-key, side channel)
Lightweight crypto in general
The target applications (RFID tags, WSNs)
Why block ciphers and not stream ciphers?
Design criteria
Hardware vs. software efficiency

Talk outline (cont.)
The lightweight block ciphers (LBC) zoo
The ciphers (divided into groups)
Specific examples (Present, Piccolo, Ktantan)
Special features in LBC design
Key schedule (simplicity, on-the-fly computation)
Decryption (possible or not, involution structures)
Simple operations

Talk outline (cont.)
Theoretical foundations
Generalized Even-Mansour constructions
Different security models?!
Cryptanalysis
Are the attacks on lightweight block ciphers different?

History See auxiliary presentation.

Lightweight Crypto in General
What are the target platforms?
Radio-frequency identification (RFID) is the wireless non-contact use of radio-frequency electromagnetic fields to transfer data, for the purposes of automatically identifying and tracking tags attached to objects.
A wireless sensor network (WSN) consists of spatially distributed autonomous sensors that monitor physical or environmental conditions, such as temperature, sound, pressure, etc., and cooperatively pass their data through the network to a main location.
Various other platforms.

Why block ciphers?
Security – it is believed that our understanding of block cipher design is better than our understanding of stream cipher design.
Various modes of operation are possible (e.g., a block cipher can act as a stream cipher in CBC mode).
Other reasons.

Design criteria
Speed (a.k.a. throughput, or cycle count)
A single block or many blocks?
Memory consumption (SW)
ROM use (usually between 300 and 2000 bytes).
RAM use (a few dozen bytes).
Area consumption (HW)
Measured in Gate Equivalents, between
Energy consumption
Correlated with cycle count.

Hardware/Software efficiency
Some of the ciphers are especially optimized for hardware or for software, while others try to achieve good performance on both platforms.
Comparative studies show that there are quite inherent tradeoffs between software and hardware efficiency.
So, should we try to optimize both in the same primitive, or are separate primitives for hardware and for software better?

The lightweight block ciphers Zoo
SP networks:
AES (various lightweight implementations).
mCrypton [Lim05] (lightweight version of Crypton).
Present [Bogdanov+07] (the most well-known one, accepted as an ISO standard).
PrintCipher [Knudsen+10] (uses the ability to “print” the circuit on the RFID tag, 3*3 S-boxes).
Klein [Gong+11] (similar to Present, more effective).
LED [Guo+11] (hardware oriented, no key schedule).
Prince [Borghoff+12] (involution structure, no claims against related-key attacks, similar to Present).
Zorro [Gerard+13] (designed to resist side-channel attacks, similar to LED but with fewer S-boxes).

The lightweight block ciphers Zoo
Feistel (or generalized Feistel) constructions:
TEA, XTEA [Needham+94] (very simple code, no S-boxes, the same key used in each round. TEA was vulnerable to related-key attacks, fixed in XTEA).
DESL, DESXL [Poschmann06] (a variant of DES, using the same S-box in all places. In DESXL, independent keys are XORed before and after encryption).
SEA [Standaert+05] (variable block/key size).
Hight [Hong+06] (8-branch Feistel-II).
MIBS [Izadi+09] (similar to Camellia).
Piccolo [Shibutani+11] (4-branch Feistel-II, with a byte transformation after each round).
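XTEA written out in full, as an added example that is not part of the talk: it is the Feistel design the slide describes as "very simple code, no S-boxes", with a round function made only of 32-bit additions, shifts and XORs, and the 128-bit key used directly in every round (the key word is selected by bits of the running sum, which is the change that addressed TEA's related-key weakness). Decryption reuses the same round function in reverse order.

```python
# Added example, not from the talk: XTEA (Needham & Wheeler), the Feistel
# design the slides describe as "very simple code, no S-boxes". The 128-bit
# key is four 32-bit words used directly, with no expanded key schedule.
DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF

def feistel_mix(v, total, key_word):
    # The XTEA round function F: shifts, one addition, one XOR, all mod 2^32.
    return ((((v << 4) ^ (v >> 5)) + v) ^ (total + key_word)) & MASK32

def xtea_encrypt(v0, v1, key, rounds=32):
    # key is a list of four 32-bit words; the key word for each half-round is
    # chosen by bits of the running sum, so no key-schedule storage is needed.
    total = 0
    for _ in range(rounds):
        v0 = (v0 + feistel_mix(v1, total, key[total & 3])) & MASK32
        total = (total + DELTA) & MASK32
        v1 = (v1 + feistel_mix(v0, total, key[(total >> 11) & 3])) & MASK32
    return v0, v1

def xtea_decrypt(v0, v1, key, rounds=32):
    # Same round function, applied in reverse with subtraction in place of
    # addition: the Feistel structure makes decryption almost free in code size.
    total = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - feistel_mix(v0, total, key[(total >> 11) & 3])) & MASK32
        total = (total - DELTA) & MASK32
        v0 = (v0 - feistel_mix(v1, total, key[total & 3])) & MASK32
    return v0, v1
```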

The lightweight block ciphers Zoo
Feistel (or generalized Feistel) constructions:
LBlock [Wu+11] (4-bit S-boxes and wiring).
Twine [Suzaki+12] (16-branch Feistel-II, similar to LBlock).
Stream-cipher like constructions:
KATAN, KTANTAN [deCanniere+09] (based on two NLFSRs that influence each other. The full state after many steps is the ciphertext. In KTANTAN, the key is burnt into the device).

Specific examples
SP network: Present
Feistel construction: Piccolo (see auxiliary presentation)
Stream-cipher like construction: KTANTAN
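PRESENT-80, the SP-network example of this slide and the previous list, as an added implementation that is not part of the talk. It shows the two features the later slides single out: a single 4x4 S-box plus a bit permutation that is pure wiring in hardware, and a key schedule that is just a rotation, one S-box application and a round counter, so round keys can be computed on the fly. Decryption is included to show what a device that omits it saves (the inverse S-box and inverse wiring).

```python
# Added example, not from the talk: PRESENT-80 (Bogdanov et al. 2007) written
# out so the "simple key schedule" of the slides can be seen: each round the
# 80-bit key register is rotated, one nibble passes through the S-box and a
# 5-bit round counter is XORed in; the round key is its leftmost 64 bits.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(x) for x in range(16)]
MASK80 = (1 << 80) - 1
ROUNDS = 31

def sbox_layer(state, box=SBOX):
    # The single 4x4 S-box is applied to all 16 nibbles of the 64-bit state.
    out = 0
    for i in range(16):
        out |= box[(state >> (4 * i)) & 0xF] << (4 * i)
    return out

def p_layer(state, inverse=False):
    # Bit permutation (pure wiring in hardware): bit i moves to 16*i mod 63,
    # bit 63 stays in place. Bit 0 is the least significant bit.
    out = 0
    for i in range(64):
        j = 63 if i == 63 else (16 * i) % 63
        src, dst = (j, i) if inverse else (i, j)
        out |= ((state >> src) & 1) << dst
    return out

def round_keys(key80):
    # Returns K_1 .. K_32; K_i is the leftmost 64 bits of the key register.
    keys = [key80 >> 16]
    for r in range(1, ROUNDS + 1):
        key80 = ((key80 << 61) | (key80 >> 19)) & MASK80              # rotate left by 61
        key80 = (SBOX[key80 >> 76] << 76) | (key80 & ((1 << 76) - 1))  # S-box on k79..k76
        key80 ^= r << 15                                                # counter into k19..k15
        keys.append(key80 >> 16)
    return keys

def encrypt(block, key80):
    ks = round_keys(key80)
    for r in range(ROUNDS):
        block = p_layer(sbox_layer(block ^ ks[r]))
    return block ^ ks[ROUNDS]

def decrypt(block, key80):
    # Needs the inverse S-box and inverse wiring; the slides note that
    # Present implementations often leave decryption out to save area.
    ks = round_keys(key80)
    block ^= ks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        block = sbox_layer(p_layer(block, inverse=True), SBOX_INV) ^ ks[r]
    return block
```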

Special features in LBC design
Simple operations and small S-boxes
In many of the target devices, only simple operations are supported (e.g., no multiplication). As a result, most of the designs are based on modular additions, rotations and XORs (except for the S-boxes). The S-boxes are small (4*4 or even 3*3).
Very simple key schedule
Allows on-the-fly computation, including in the decryption direction (as opposed to IDEA). The key schedule is mostly linear, and in some of the ciphers (LED, Zorro, CGEN, PrintCipher, Prince) it is absent altogether!

Special features in LBC design
Decryption
Some of the ciphers (e.g., Present) prefer not to allow decryption, in order to save space on the device.
If decryption is allowed, an attempt is made to make it as similar to encryption as possible:
Feistel constructions
Involutional elements (ranging from S-boxes to the entire cipher, as in Iceberg, SEA, Prince).
Re-using of components
In order to save space, components are re-used:
The same S-box is used for all purposes.
Key generation uses the same procedure as encryption.

Theoretical foundations
Due to the simplicity of the key schedule, some of the lightweight block ciphers can be viewed as a special case of the Generalized Even-Mansour construction.
This makes it possible to prove security bounds (under some assumptions, of course).
Very extensive research in the last three years.
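The construction named on this slide, written out as an added note rather than taken from the talk: with public permutations $P_1, \dots, P_t$ and round keys $k_0, \dots, k_t$, the $t$-round (generalized, or iterated) Even-Mansour cipher is

$$E_k(x) = k_t \oplus P_t\big(k_{t-1} \oplus P_{t-1}(\cdots P_1(k_0 \oplus x)\cdots)\big).$$

A cipher with no key schedule, such as LED from the SP-network list, has exactly this shape with the $k_i$ taken directly from the master key and the unkeyed rounds between key additions playing the role of the $P_i$. For $t = 1$ with independent $k_0, k_1$, the classical Even-Mansour result bounds an adversary's advantage by roughly $DT/2^n$, where $D$ is the number of queries to the cipher, $T$ the number of queries to the permutation and $n$ the block size; the slide's caveat "under some assumptions" refers to modelling the $P_i$ as ideal (random) permutations.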

Theoretical foundations
Attack model issues
Several of the lightweight designs base their security claims on the anticipated threats in lightweight environments:
The amount of available data is limited.
Related-key attacks are not considered a threat.
Is this a good practice?

Cryptanalysis
Are the attacks on LBC similar to the attacks on classical block ciphers?
In general, yes. In particular, almost no proposal was broken.
But there are a few differences:
In LBC, the complexities are lower (e.g., 80-bit keys), so we are closer to being practical.
The simple key schedules lead to new kinds of attacks, which weren’t relevant in classical ciphers.

Thanks for your attention
This was just the appetizer; all the real stuff will be in the next talks (and was in Roberto’s talk, of course).