Embed Size (px)
DESCRIPTION
DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität Bochum, Germany. Agenda. 1. Introduction 2. Design Criteria of the DESL 3. Serialized Architecture of DESL 4. Implementation Results 5. Conclusion. Introduction. - PowerPoint PPT Presentation
Citation preview
14.07.2006 - Page 1/15RFIDsec 2006
DESLDESL
An Efficient Block Cipher For An Efficient Block Cipher For
Lightweight CryptosystemsLightweight Cryptosystems
A. Poschmann, G. Leander, K. Schramm*, C. PaarA. Poschmann, G. Leander, K. Schramm*, C. Paar
Ruhr-Universität Bochum, GermanyRuhr-Universität Bochum, Germany
14.07.2006 - Page 2/15RFIDsec 2006
AgendaAgenda
1. Introduction1. Introduction
2. Design Criteria of the DESL2. Design Criteria of the DESL
3. Serialized Architecture of DESL3. Serialized Architecture of DESL
4. Implementation Results4. Implementation Results
5. Conclusion5. Conclusion
14.07.2006 - Page 3/15RFIDsec 2006
IntroductionIntroduction
Design goals for RFID ciphers:
small gate count low power consumption
Cryptography is needed to...
implement authentication
prevent eavesdropping high security
14.07.2006 - Page 4/15RFIDsec 2006
Introduction (2)Introduction (2)
What are the requirements of a block cipher so that itshardware implementation has a low gate count ?
it must be possible to implement the cipher in a serialized fashion (value chip size over execution time)
use smaller block size (e.g. 64 bits instead of 128 bits) in order to save gates on internal flip-flop registers
Using these conditions we tried to find a lower bound with regard to gate count for a DES-lightweight (DESL) block cipher which uses only a single S-box.
only use small subfunctions (e.g. 6-to-4 bit S-boxes)
use very few different subfunctions (e.g. only a single S-box)
14.07.2006 - Page 5/15RFIDsec 2006
Introduction to DES (Data Encryption Standard)Introduction to DES (Data Encryption Standard)
Idea: replace the eight different S-boxes by a single one repeatedeight times.
ff
LL00 RR00
LL11 RR11
ff
LL22 RR22
ff
LL1515 RR1515
LL1616 RR1616
KK00
KK11
KK1515
plaintextplaintext
ciphertextciphertext
6464
32323232
6464
round 1round 1
round 2round 2
round 16round 16
S S S S S S S S
6
14.07.2006 - Page 6/15RFIDsec 2006
|0|1|2|3|4|5|6|7|8|9|A|B|C|D|E|F|
00011011
Design Criteria of DES S-boxes Design Criteria of DES S-boxes (Coppersmith '94)(Coppersmith '94)
(S-1)
S-Box
6Input
Output4
possible output values
(S-3)
Each rowcontains all
S(1|0001|0) = 2
Output = a*x+1
(S-2)
„No output bit of an S-box should be too close to a linear combination of input bits.“
14.07.2006 - Page 7/15RFIDsec 2006
Design Criteria of DES S-boxes Design Criteria of DES S-boxes (Coppersmith '94)(Coppersmith '94)
S-box
6HW(X
1 X
2) = 1
HW(Y1 Y
2) ≥ 2
4
(S-4) (S-5)
S-box
6∆I = 001100
HW(Y1 Y
2) ≥ 2
4
(S-6)
S-box
6∆I = 11xy00
Y1
≠ Y2
4
S-box
6∆I ≠ 000000
P(Y1
= Y2) ≤ ¼
4
(S-7)
14.07.2006 - Page 8/15RFIDsec 2006
Design Criteria of DES S-boxes Design Criteria of DES S-boxes (Coppersmith '94)(Coppersmith '94)
S-boxi+1
6
0000
4
S-boxi+2
6
0000
4
fghi
S-boxi-1
60000ab
0000
4
S-boxi+3
6np0000
0000
4
Collision in 3 adjacent S-boxes!
bcde...a p...
Expansion
∆Input
∆Output
Substitution
000000 00000010ef0011cd1000ab11
...0 0cde 0...jkm01ghi1cd1 0ef00ab1
Minimise Collision Probability (p = 1/234)(S-8)
S-boxi
6
0000
4
14.07.2006 - Page 9/15RFIDsec 2006
Resistance to Differential CryptanalysisResistance to Differential Cryptanalysis
S-boxi-n
600ab11
0000
4
S-boxi-1
6
0000
4
S-boxi
6np0000
0000
4
00000010ef00...
...
Collision in n adjacent S-boxes!
S-box
6
Y1
≠ Y2
4
(S-6')∆I = 1xyz00
With our new criterion S-6' differential attacks based on 2-round characteristics are now impossible!
14.07.2006 - Page 10/15RFIDsec 2006
Currently proposed DESL S-boxCurrently proposed DESL S-box (under construction!!!) (under construction!!!)
DESL DESVS.(S-2')28 40
(S-7)7 8
(S-8)0 1 / 234
=> at least 256 known plaintexts for LC
=> two-round character-istics impossible=> classical DC impossible
14.07.2006 - Page 11/15RFIDsec 2006
Serialized DES/DESL ArchitectureSerialized DES/DESL Architecture
14.07.2006 - Page 12/15RFIDsec 2006
Implementation Results (1)Implementation Results (1)
DESL DES#Transistors7392 9236#Gate count1848 2309
Ø Power [µA] @ 100kHz@ 500kHz
#clockcycles
1.195.95
144
0.894.4477
144
-25%-25%
-33%-33%
VS.
14.07.2006 - Page 13/15RFIDsec 2006
Implementation Results (2)Implementation Results (2)
Cipher
DESLDES
DESXLDESXAES
Trivium-1Grain-1
Mosquito-BSfinks-BHermes8
Gate count1848230921682629362829061558480663116885
14.07.2006 - Page 14/15RFIDsec 2006
ConclusionConclusion
Low gate count (1848 GE)
Low current draw (0.89 µA @ 100kHz) Seems to be secure against LC/DC attacks
but the proposed S-box is still under construction!
DESL is a further possible step towards alightweight block cipher for RFID tags.
DESL
Smaller than several eStream ciphers
14.07.2006 - Page 15/15RFIDsec 2006
Thank you!
