Presentation is loading. Please wait.

Presentation is loading. Please wait.

14.07.2006 - Page 1/15RFIDsec 2006 DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität.

Published bySilas Cameron Modified over 9 years ago

Similar presentations

Presentation on theme: "14.07.2006 - Page 1/15RFIDsec 2006 DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität."— Presentation transcript:

1 14.07.2006 - Page 1/15RFIDsec 2006 DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität Bochum, Germany

2 14.07.2006 - Page 2/15RFIDsec 2006 Agenda 1. Introduction 2. Design Criteria of the DESL 3. Serialized Architecture of DESL 4. Implementation Results 5. Conclusion

3 14.07.2006 - Page 3/15RFIDsec 2006 Introduction Introduction Design goals for RFID ciphers: small gate count low power consumption Cryptography is needed to... implement authentication prevent eavesdropping high security

4 14.07.2006 - Page 4/15RFIDsec 2006 Introduction (2) Introduction (2) What are the requirements of a block cipher so that its hardware implementation has a low gate count ? it must be possible to implement the cipher in a serialized fashion (value chip size over execution time) use smaller block size (e.g. 64 bits instead of 128 bits) in order to save gates on internal flip-flop registers Using these conditions we tried to find a lower bound with regard to gate count for a DES-lightweight (DESL) block cipher which uses only a single S-box. only use small subfunctions (e.g. 6-to-4 bit S-boxes) use very few different subfunctions (e.g. only a single S- box)

5 14.07.2006 - Page 5/15RFIDsec 2006 Introduction to DES (Data Encryption Standard) Idea: replace the eight different S- boxes by a single one repeated eight times. f L0L0L0L0 R0R0R0R0 L1L1L1L1 R1R1R1R1 f L2L2L2L2 R2R2R2R2 f L 15 R 15 L 16 R 16 K0K0K0K0 K1K1K1K1 K 15 plaintext ciphertext 64 32 32 64 round 1 round 2 round 16 S S S S SSSS 6

6 14.07.2006 - Page 6/15RFIDsec 2006 |0|1|2|3|4|5|6|7|8|9|A|B|C|D|E|F | 00 01 10 11 Design Criteria of DES S-boxes (Coppersmith '94) (S-1) S-Box 6 Input Output 4 possible output values (S-3) Each row contains all S(1|0001|0) = 2 Output = a*x+1 (S-2) „No output bit of an S-box should be too close to a linear combination of input bits.“

7 14.07.2006 - Page 7/15RFIDsec 2006 Design Criteria of DES S-boxes (Coppersmith '94) S-box 6 HW(X 1  X 2 ) = 1 HW(Y 1  Y 2 ) ≥ 2 4 (S-4) (S-5) S-box 6 ∆I = 001100 HW(Y 1  Y 2 ) ≥ 2 4 (S-6) S-box 6 ∆I = 11xy00 Y 1 ≠ Y 2 4 S-box 6 ∆I ≠ 000000 P(Y 1 = Y 2 ) ≤ ¼ 4 (S-7)

8 14.07.2006 - Page 8/15RFIDsec 2006 Design Criteria of DES S-boxes (Coppersmith '94) S-box i+1 6 0000 4 S-box i+2 6 0000 4 fghi S-box i-1 6 0000ab 0000 4 S-box i+3 6 np0000 0000 4 Collision in 3 adjacent S-boxes! bcde...a p... Expansion ∆Input ∆Output Substitution 000000 10ef00 11cd10 00ab11...00cde 0...jkm0 1ghi 1cd10ef00ab1 Minimise Collision Probability (p = 1/234) (S-8) S-box i 6 0000 4

9 14.07.2006 - Page 9/15RFIDsec 2006 Resistance to Differential Cryptanalysis S-box i-n 6 00ab11 0000 4 S-box i-1 6 0000 4 S-box i 6 np0000 0000 4 000000 10ef00... Collision in n adjacent S-boxes! S-box 6 Y 1 ≠ Y 2 4 (S-6') ∆I = 1xyz00 With our new criterion S-6' differential attacks based on 2-round characteristics are now impossible!

10 14.07.2006 - Page 10/15RFIDsec 2006 Currently proposed DESL S-box (under construction!!!) Currently proposed DESL S-box (under construction!!!) DESLDESVS. (S-2')2840 (S-7)7 8 (S-8)0 1 / 234 => at least 2 56 known plaintexts for LC => two-round character- istics impossible => classical DC impossible

11 14.07.2006 - Page 11/15RFIDsec 2006 Serialized DES/DESL Architecture

12 14.07.2006 - Page 12/15RFIDsec 2006 Implementation Results (1) Implementation Results (1) DESLDES #Transistors 73929236 #Gate count 18482309 Ø Power [µA] @ 100kHz @ 500kHz #clock cycles 1.19 5.95 144 0.89 4.4477 144 -25% -33% VS.

13 14.07.2006 - Page 13/15RFIDsec 2006 Implementation Results (2) Implementation Results (2) Cipher DESL DES DESXL DESX AES Trivium-1 Grain-1 Mosquito-B Sfinks-B Hermes8 Gate count 1848 2309 2168 2629 3628 2906 1558 4806 6311 6885

14 14.07.2006 - Page 14/15RFIDsec 2006 Conclusion Conclusion Low gate count (1848 GE) Low current draw (0.89 µA @ 100kHz) Seems to be secure against LC/DC attacks but the proposed S-box is still under construction! DESL is a further possible step towards a lightweight block cipher for RFID tags. DESL Smaller than several eStream ciphers

15 14.07.2006 - Page 15/15RFIDsec 2006 Thank you!

16 14.07.2006 - Page 16/15RFIDsec 2006 Implementation Results Implementation Results DLXAES* Gates [GE] 21683628 Ø Power [µA] @ 100kHz 8.150.89 -40% -85% -89% VS. Clock Cycles144992 *Feldhofer et al. [CHES 2004]

17 14.07.2006 - Page 17/15RFIDsec 2006 Introduction to DES (Data Encryption Standard) Idea: replace the eight different S-boxes by a single one repeated eight times.

18 14.07.2006 - Page 18/15RFIDsec 2006 (S-6) Design Criteria of DES S-boxes (Coppersmith '94) S-box i 6 abcdef 0000 4 S-box i+1 6 efghij 0000 4 S-box i+2 6 ijkmnp 0000 4 fghi S-box i-1 6 0000ab 0000 4 S-box i+3 6 np0000 0000 4 Collision in 3 adjacent S-boxes! bcde...ajkmn p... Expansion ∆Input ∆Output Substitution 00000000cdef 000000 ijkm00 00cde1e1ghij1jkm00e1gh1j (S-3) 10km00e1gh10 11gh10 (S-3) 00cd11...00cde 0...jkm0 1ghi 1gh10km00cd1 Minimise Collision Probability (S-8)

19 14.07.2006 - Page 19/15RFIDsec 2006 cpcp m = 2 Round Characteristic in DES 2 Round Characteristic in DES = 2 105 => impossible!

20 14.07.2006 - Page 20/15RFIDsec 2006 Linear Cryptanalysis (Matsui '93) Linear Cryptanalysis (Matsui '93) S-box 6 x S(x) 4 b,S(x) Є GF(2) 4 S b (x) = S w b (a) = #{x| S b (x) = } - #{x| S b (x) ≠ } S w b (a) = 2#{x| S b (x) = } - 2 6 Walsh-Coefficient: p i = #{x| S b (x) = } 2 6 p i = 2#{x| S b (x) = } - 2 6 2 7 + 1/2 S w b (a) 2 7 p i = + 1/2 ε = p i - 1/2 S w b (a) 2 7 ε = a,x Є GF(2) 6

21 14.07.2006 - Page 21/15RFIDsec 2006 Resistance to Linear Cryptanalysis Resistance to Linear Cryptanalysis (S-2') No combination of output bits of an S-box should have a maximum Walsh-coefficient greater than 28. S-box 6 x S(x) 4 Walsh-coefficients S w b (a) => at least 2 56 known plaintexts needed for LC!

Download ppt "14.07.2006 - Page 1/15RFIDsec 2006 DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität."

Similar presentations

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
About a new generation of block ciphers and hash functions - DN and HDN Vlastimil Klíma Independent consultant

About a new generation of block ciphers and hash functions - DN and HDN Vlastimil Klíma Independent consultant
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
The Lightweight Block Ciphers Zoo Nathan Keller Bar Ilan University Lightweight Crypto Day, Haifa University, 2.2.2014.

The Lightweight Block Ciphers Zoo Nathan Keller Bar Ilan University Lightweight Crypto Day, Haifa University,
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.

Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke.

KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke.
Block ciphers 1 Session 3. Contents Design of block ciphers Non-linear transformations 2/25.

Block ciphers 1 Session 3. Contents Design of block ciphers Non-linear transformations 2/25.
Cryptography and Network Security

Cryptography and Network Security
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.

Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
JLM 20060209 12:161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:

JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:
Cryptography1 CPSC 3730 Cryptography Chapter 3 DES.

Cryptography1 CPSC 3730 Cryptography Chapter 3 DES.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.

Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.
The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 89321032 游精允.

The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 游精允.
ICS 454: Principles of Cryptography

ICS 454: Principles of Cryptography
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.

Similar presentations

Ads by Google