Presentation is loading. Please wait.

Presentation is loading. Please wait.

The C URUPIRA -2 Block Cipher for Constrained Platforms: Specification and Benchmarking Marcos Simplicio Paulo Barreto Tereza Carvalho Cintia Margi Mats.

Published byDeirdre Gardner Modified over 8 years ago

Similar presentations

Presentation on theme: "The C URUPIRA -2 Block Cipher for Constrained Platforms: Specification and Benchmarking Marcos Simplicio Paulo Barreto Tereza Carvalho Cintia Margi Mats."— Presentation transcript:

1 The C URUPIRA -2 Block Cipher for Constrained Platforms: Specification and Benchmarking Marcos Simplicio Paulo Barreto Tereza Carvalho Cintia Margi Mats Näslund

2 Agenda Context & Motivation Proposal: C URUPIRA -2 C URUPIRA -1 overview Structure Security and Performance Conclusions

3 Location-Based Services (LBS) Wide applicability Navigation, Monitoring and Tracking Systems Emergency Services and all sort of context-aware applications… Intensive use of resource-constrained devices Mobile Devices (Mobile Phones, PDAs) Sensors Privacy is essential Data confidentiality: lightweight cryptography

4 Secure & Lightweight Algorithms? Sensors Security: TinySec [ Karlof et al. 2004 ] and others Access Control, Integrity and Confidentiality Default Cipher: Skipjack Very energy-efficient [ Law et al. 2006 ] AES, MISTY1 and RC5 are less suitable Skipjack: Keys are too small (80 bits); 31/32 round can be broken [ Biham et al. 1999 ] Can we do better? Higher security Better (or at least similar) performance

5 Proposal: the C URUPIRA Block cipher with variable number of rounds Data block : 96 bits Keys: 96, 144 or 192 bits Wide Trail Strategy Family Such as AES Involutional Structure A single algorithm both to encrypt and decrypt (different key schedule)

6 C URUPIRA Overview Non-linear Layer γ Permutation Layer π Linear Diffusion Layer θ Key Addition Layer σ(k) Initial Key Addition Round Function Last Round Function Non-linear Layer γ Permutation Layer π Key Addition Layer σ(k) Ψr: Key Evolution K P Last Round? N Y C Key Selection

7 Round Structure: Non-linear Layer γ (ByteSub) Permutation Layer π (ShiftRows) Linear Diffusion Layer θ (MixColumns) 766 454 223 X Key Addition Layer σ(k) Involutional Functions

8 The inverse cipher Same Keys used for Encryption (inverse order) Initial Key Addition Round Function Last Round Function CP (R)(0)(n)

9 Key Schedule C URUPIRA -1 [ Barreto, Simplicio, 2007 ] : Cyclic key-schedule: initial key recovered after some rounds Fast diffusion Heavier C URUPIRA -2 (New proposal): Higher performance Same speed in both directions Lesser diffusion speed Non-cyclic K (0) K (1) K (T-1)

10 Ψr : Key Evolution σ(q): Constant Addition ξ: Cyclic Shift μ : Linear Diffusion Φ : K ey Selection 0000 0000 Sub-key: K n Sub-key: K n+1 Next subkey Round key cc cc cc 1+c1+c X 1+c1+c 1+c1+c Key Schedule – C URUPIRA -1

11 Υ r : Key Evolution σ(q*): constant addition א : Linear Diffusion η : Linear Combination Φ * : K ey Selection Sub-key: K n Sub-key: K n+1 Next subkey Round key 00000 … 00000 x 8 Key Schedule – C URUPIRA -2 ≤ 5XORs + 4 shifts

12 Security Analysis No attack faster than exhaustive search found for more than 7 rounds of the C URUPIRA, whichever the key-schedule adopted Better security! What about performance…?

13 Benchmarks Platforms : PIC18F8490, Avrora and Pentium 4 Implementations: similar structures for C URUPIRA, Skipjack e AES Tested variables: Pointers/matrices X simple-type variables Tables X on demand function calculation Key sizes: 96/144/192 bits X 96 bits only Compiler optimizations (PIC)

14 Results Memory : Code: about 2K (more than Skipjack: ~1.5K) RAM: not directly measured; higher usage than Skipjack, but yet reduced (no intermediary key storage) Performance : theoretical calculation (-key schedule)  roughly 70% of Skipjack. In practice: Considerably faster than Skipjack in 32 bits platform (similar to highly optimized AES)

15 20% faster 45% faster 20% faster 13% slower Full Versions, Indirect Addressing 1 key-size, basic- type variables PIC Microcontroller

16 20% faster 45% faster 3% slower 45% slower 1 key-size, basic- type variables Avrora Simulator Full Versions, Indirect Addressing

17 Encryption – Pentium 4

18 Key Schedule – Pentium 4

19 Conclusions C URUPIRA -2: high potential to deployment on constrained platforms Implementation flexibility Higher security Wide Trail Strategy At least 96-bit keys High performance at low memory cost: Benchmark: similar and potentially superior to Skipjack Slightly higher memory usage

20 References C. Karlof, N. Sastry, and D.Wagner. Tinysec: a link layer security architecture for wireless sensor networks. In 2nd International Conference on Embedded Networked Sensor Systems – SenSys’2004, pages 162–175, Baltimore, USA, 2004. ACM. Y. W. Law, J. Doumen, and P. Hartel. Survey and benchmark of block ciphers for wireless sensor networks. ACM Transactions on Sensor Networks (TOSN), 2(1):65–93, 2006. E. Biham, A. Biryukov, and A. Shamir. Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In Advances in Cryptology – Eurocrypt’99, volume 1592 of Lecture Notes in Computer Science, pages 55–64. Springer, 1999. P. Barreto and M. Simplicio. C URUPIRA, a block cipher for constrained platforms. In Proceedings of the 25th Simpósio Brasileiro de Redes de Computadores e Sistemas Distribudos - SBRC 2007, vol. 1, pages 61–74. SBC, 2007. J. Nakahara. Analysis of Curupira Block Cipher. In: Proceeding of the 8th Simpósio Brasileiro em Segurança da Informação e Sistemas Computacionais, 2008.

21 Thank You! Questions ?

Download ppt "The C URUPIRA -2 Block Cipher for Constrained Platforms: Specification and Benchmarking Marcos Simplicio Paulo Barreto Tereza Carvalho Cintia Margi Mats."

Similar presentations

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.

TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS Hirosato Tsuji Toshio Tokita Mitsubishi Electric Corporation.

Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS Hirosato Tsuji Toshio Tokita Mitsubishi Electric Corporation.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
Advanced Encryption Standard

Advanced Encryption Standard
Cryptography and Network Security

Cryptography and Network Security
This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary.

This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary.
Cryptography1 CPSC 3730 Cryptography Chapter 3 DES.

Cryptography1 CPSC 3730 Cryptography Chapter 3 DES.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.

1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 89321032 游精允.

The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 游精允.
TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.

TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.
Secure Group Communications in Wireless Sensor Networks December 8, 2003 CS 526 Advance Internet and Web Systems Patrick D. Cook.

Secure Group Communications in Wireless Sensor Networks December 8, 2003 CS 526 Advance Internet and Web Systems Patrick D. Cook.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.

Similar presentations

Ads by Google