The LED Block Cipher
Cryptographic Hardware and Embedded Systems - CHES 2011, volume 6917 of LNCS, 2011
Cited by 71 (7 self)
Abstract. We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation. Key words: lightweight, block cipher, RFID tag, AES.
PRINCE – A Low-latency Block Cipher for Pervasive Computing Applications Full version
Cited by 24 (1 self)
Abstract. This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are desirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryption on top of encryption is negligible. More precisely, for our cipher it holds that decryption for one key corresponds to encryption with a related key. This property, which we refer to as α-reflection, is of independent interest and we prove its soundness against generic attacks.
Cryptanalysis of the SIMON Family of Block Ciphers
Cited by 17 (1 self)
Abstract. Recently, the U.S. National Security Agency has published the specifications of two families of lightweight block ciphers, SIMON and SPECK, on ePrint [2]. The ciphers are developed with optimization towards both hardware and software in mind. While the specification paper discusses design requirements and performance of the presented lightweight ciphers thoroughly, no security assessment is given. This paper is a move towards filling that cryptanalysis gap for the SIMON family of ciphers. We present a series of observations on the presented construction that, in some cases, yield attacks, while in other cases may provide a basis for further analysis by the cryptographic community. Specifically, we obtain attacks using classical as well as truncated differentials. In the former case, we show how the smallest version of SIMON, Simon32/64, exhibits a strong differential effect.
Higher-Order Threshold Implementations
Cited by 14 (1 self)
Abstract. Higher-order differential power analysis attacks are a serious threat for cryptographic hardware implementations. In particular, glitches in the circuit make it hard to protect the implementation with masking. The existing higher-order masking countermeasures that guarantee security in the presence of glitches use multi-party computation techniques and require a lot of resources in terms of circuit area and randomness. The Threshold Implementation method is also based on multi-party computation but it is more area and randomness efficient. Moreover, it typically requires fewer clock cycles since all parties can operate simultaneously. However, so far it is only provably secure against 1st-order DPA. We address this gap and extend the Threshold Implementation technique to higher orders. We define generic constructions and prove their security. To illustrate the approach, we provide 1st, 2nd and 3rd-order DPA-resistant implementations of the block cipher KATAN-32. Our analysis of 300 million power traces measured from an FPGA implementation supports the security proofs.
Differential Analysis of Block Ciphers SIMON and SPECK
Cited by 5 (0 self)
Abstract. In this paper we continue the previous line of research on the analysis of the differential properties of the lightweight block ciphers Simon and Speck. We apply a recently proposed technique for automatic search for differential trails in ARX ciphers and improve the trails in Simon32 and Simon48 previously reported as best. We further extend the search technique for the case of differentials and improve the best previously reported differentials on Simon32, Simon48 and Simon64 by exploiting more effectively the strong differential effect of the cipher. We also present improved trails and differentials on Speck32, Speck48 and Speck64. Using these new results we improve the currently best known attacks on several versions of Simon and Speck. A second major contribution of the paper is a graph-based algorithm (linear time) for the computation of the exact differential probability of the main building block of Simon: an AND operation preceded by two bitwise shift operations. This gives us a better insight into the differential property of the Simon round function and the differential effect in the cipher. Our algorithm is general and works for any rotation constants. The presented techniques are generic and are therefore applicable to a broader class of ARX designs.
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to . . .
Cited by 5 (3 self)
In this paper, we propose two systematic methods to describe the differential property of an S-box with linear inequalities based on logical condition modelling and computational geometry. In one method, inequalities are generated according to some conditional differential properties of the S-box; in the other method, inequalities are extracted from the H-representation of the convex hull of all possible differential patterns of the S-box. For the second method, we develop a greedy algorithm for selecting a given number of inequalities from the convex hull. Using these inequalities combined with the Mixed-Integer Linear Programming (MILP) technique, we propose an automatic method for evaluating the security of bit-oriented block ciphers against (related-key) differential attacks, and several techniques for obtaining tighter security bounds. We successfully prove that 24-round PRESENT-80 is secure enough to resist standard related-key differential attacks, and the probability of the best related-key differential characteristic of full LBlock is upper bounded by 2^-60. These are the tightest security bounds with respect to related-key differential attacks published so far for PRESENT-80 and LBlock. Also, we present a new tool for finding (related-key) characteristics automatically for bit-oriented block ciphers. Using this tool, we obtain new related-key characteristics for LBlock, DESL and PRESENT-128, which cover a larger number of rounds or have larger probability than all previously known results. The methodology presented in this paper is generic, automatic and applicable to many bit-oriented block ciphers, including but not limited to
RECTANGLE: A Bit-slice Ultra-Lightweight Block Cipher Suitable for Multiple Platforms
Cited by 5 (1 self)
Abstract. In this paper, we propose a new lightweight block cipher named RECTANGLE. The main idea of the design of RECTANGLE is to allow lightweight and fast implementations using bit-slice techniques. RECTANGLE uses an SP-network. The substitution layer consists of 16 4 × 4 S-boxes in parallel. The permutation layer is composed of 3 rotations. As shown in this paper, RECTANGLE offers great performance in both hardware and software environments, which proves enough flexibility for different application scenarios. The following are 3 main advantages of RECTANGLE. First, RECTANGLE is extremely hardware-friendly. For the 80-bit key version, a one-cycle-per-round parallel implementation only needs 1467 gates for a throughput of 246 Kbits/sec at a 100 KHz clock and an energy efficiency of 1.11 pJ/bit. Second, RECTANGLE achieves a very competitive software speed among the existing lightweight block ciphers due to its bit-slice style. Using 128-bit SSE instructions, a bit-slice implementation of RECTANGLE reaches an average encryption speed of about 5.38 cycles/byte for messages around 1000 bytes. Last but not least, we propose new design criteria for 4×4 S-boxes. RECTANGLE uses such a new type of S-box. Due to our careful selection of the S-box and the asymmetric design of the permutation layer, RECTANGLE achieves a very good security-performance tradeoff. Our extensive and deep security analysis finds distinguishers for up to 14 rounds only, and the highest number of rounds that we can attack is 18 (out of 25).
WG-8: A Lightweight Stream Cipher for Resource-Constrained Smart Devices
Cited by 4 (3 self)
Lightweight cryptographic primitives are essential for securing pervasive embedded devices like RFID tags, smart cards, and wireless sensor nodes. In this paper, we present a lightweight stream cipher WG-8, which is tailored from the well-known Welch-Gong (WG) stream cipher family, for resource-constrained devices. WG-8 inherits the good randomness and cryptographic properties of the WG stream cipher family and is resistant to the most common attacks against stream ciphers. The software implementations of the WG-8 stream cipher on two popular low-power microcontrollers as well as the extensive comparison with other lightweight cryptography implementations highlight that in the context of securing lightweight embedded applications WG-8 has favorable performance and low energy consumption.
Multiple differential cryptanalysis of round-reduced PRINCE (Full version)
Cited by 4 (0 self)
Abstract. PRINCE is a lightweight block cipher proposed by Borghoff et al. at Asiacrypt 2012. Due to its originality, novel design and low number of rounds, it has already attracted the attention of a large number of cryptanalysts. Several results on reduced versions have been published to date; the best one is an attack on 8 rounds out of the total number of 12. In this paper we improve this result by two rounds: we provide an attack on 10 rounds of the cipher with a data complexity of 2^57.94 and a time complexity of 2^60.62, corresponding to 118.56 security bits, instead of 126 for the generic attacks. Our attack uses multiple differentials and exploits some properties of PRINCE for recovering the whole key. PRINCE is defined as a member of a family of ciphers, differing by the choice of an Sbox among a distinguished set. We also show that the security offered by all the members of the family is not equivalent, by identifying an Sbox for which our attack can be extended up to 11 rounds with a data complexity of 2^59.81 and a time complexity of 2^62.43.
Differential Analysis of the LED Block Cipher
Cited by 3 (0 self)
Abstract. In this paper, we present a security analysis of the lightweight block cipher LED proposed by Guo et al. at CHES 2011. Since the design of LED is very similar to the Even-Mansour scheme, we first review existing attacks on this scheme and extend them to related-key and related-key-cipher settings before we apply them to LED. We obtain results for 12 and 16 rounds (out of 32) for LED-64 and 16 and 24 rounds (out of 48) for LED-128. Furthermore, we present an observation on LED in the related-key-cipher setting. For all these attacks we need to find good differentials for one step (4 rounds) of LED. Therefore, we extend the study of plateau characteristics for AES-like structures from two rounds to four rounds when the key addition is replaced with a constant addition. We introduce an algorithm that can be used to find good differentials and right pairs for one step of LED. To be more precise, we can find more than 2^10 right pairs for one step of LED with a complexity of 2^16 and a memory requirement of 5 × 2^17. Moreover, a similar algorithm can also be used to find iterative characteristics for LED.