Citation Context

...ormance criteria. Recently, resistance against side-channel attacks has been considered as an additional optimization goal for low-cost ciphers, as exemplified by the algorithms PICARO [41] and Zorro =-=[20]-=-. Both proposals aim at leading to efficient masked implementations (i.e. where all the computations are performed on shared secrets). Starting from the observation that the performance overheads in s...

Citation Context

...ucture of an S-Box can be leveraged for instance to improve the implementation of a primitive using it. The hash function Whirlpool [6] and the block ciphers Khazad [7], Fantomas, Robin [8] and Zorro =-=[9]-=- among others use 8 × 8 bits S-Boxes built from smaller 4 × 4 ones, since storing several 4 × 4 permutations as tables of 16 4-bits nibbles is more memory efficient than storing one 8×8 permutation as...

Citation Context

...n be regarded as two of the oldest and most important statistical methods to analyse the security of the block ciphers. Zorro is a newly proposed lightweight block cipher whose design is based on AES =-=[4]-=-. It is basically designed with the aim of increasing the resistance against side-channel attacks while still remaining a lightweight block cipher. In spite of its 16-byte state, the SubByte layer of ...

Citation Context

... to find at least one slid pair for an n-bit block cipher. The total time complexity of the cryptanalysis consists of the complexities of three steps: preparing the required data, detecting a slid pair, and finally obtaining the key from the slide pair. Slide attacks and other self-similarity cryptanalysis can be prevented by a careful design of a key schedule. But a strong key schedule cannot be achieved for free. It has impact on latency, power consumption and size of the implementation. Therefore the designers of lightweight ciphers such as PRINTcipher [23], LED [20], PRINCE [11] and Zorro [17], adopted another direction to establish security against self-similarity cryptanalysis. They introduced round-dependent constants added to the data input at each round to make the rounds different. Then a single master key is simply added after every fixed number of rounds called as step. Even if in such a construction each step has the same structure and the key used at every step is the same, the computation at each step is varied by the round constants. In this manner, the slide cryptanalysis can be prevented. Such a cipher construction can be seen as an instance of the generalized Even-Ma...

Citation Context

...ght block ciphers that share some characteristics (namely KLEIN, LED, and PRESENT) is investigated against profiled singletrace attacks. Unprotected hardware implementations of Simon and LED were analyzed with respect to DPA in [34]. An evaluation of both an unmasked and a masked implementation of Simon for FPGAs was reported in [5]. In [33], the vulnerability of PRINCE and RECTANGLE against DPA is studied. A second line of research focussed on the design of new ligthweight primitives that can be efficiently protected against DPA via masking; representative examples include PICARO [30], Zorro [15], and the LS-designs Robin and Fantomas [17]. The above-mentioned studies on DPA attacks against (lightweight) ciphers other than the AES were mainly “isolated” efforts in the sense that they were carried out on different execution platforms with different measurement setups and different analysis frameworks. A comparative (and consistent) study of the DPA-vulnerability of lightweight block ciphers based on power traces acquired with the same target device is, to our knowledge, still missing. However, such a study would allow one to answer the question of whether different ciphers are equally ...

Citation Context

...k (Eds.): SAC 2013, LNCS xxxx, pp. xxx–xxx. c○ Springer-Verlag Berlin Heidelberg 2014Finally, another future work is to study other recently proposed block cipher designs such as PRINCE [5] or Zorro =-=[10]-=-, and the lightweight SPN-based hash functions such as PHOTON [11] or SPONGENT [3]. The analysis would be quite different since their internal state sizes (which vary with the intended output size) is...

Citation Context

...s are in S + (a + b), then this property is iterative. This is the case for some Even-Mansour block ciphers, where the same master key is used as subkey through the whole cipher, e.g. LED [11], Zorro =-=[8]-=-, Noekeon [5], Fantomas and Robin [10], which are therefore natural targets for invariant subspace attacks. The Eurocrypt 2015 paper that exhibits a weak keys set of density 2−32 for Robin is based in...

Citation Context

...dependent but are produced from a single master by the key scheduling algorithm. Moreover, some ciphers do not use round keys in every round (after each non-linear operation) – see LED [11] and Zorro =-=[9]-=-, for an example of such ciphers. Nevertheless, in practical cryptographic primitives, the role of independent and random round keys is usually replaced by some state words. They introduce sufficient ...

Citation Context

... MISTY block cipher. Later Leander and Poschmann [79] derived the list of all the differentially 4-uniform permutations of Z42. Explanation on 138 C. Blondeau, K. Nyberg / Finite Fields and Their Applications 32 (2015) 120–147how to reduce the exhaustive search using the EA-equivalence is then provided. This approach is not effective for larger dimension and in [80], another method to find all APN permutations up to dimension 5 is described. In more recent designs, affine equivalence has been used to find S-boxes with low latency [81] and S-boxes easier to protect against side channel attacks [64,82,83]. In these recent works, no concrete methods are proposed to find functions which meet the requirements and the functions are found by randomly searching for the best ones among the equivalent functions. This approach allows search while preserving good differential and nonlinearity properties. Another approach is to focus at limiting the number of instructions needed for the implementation of S-boxes. For instance in [84], the authors concentrate on 4-bit S-boxes and show how to find a permutation which is differentially 4-uniform, using only 9 instructions. This S-box is good also with respe...