future challenges for lightweight cryptography
play

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL - PowerPoint PPT Presentation

Jan 23, 2023 •162 likes •844 views

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013 Outline 1 1. Past results 2. Future challenges 1. Block ciphers 2 TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT,

  1. Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013

  2. Outline 1 1. Past results 2. Future challenges

  3. 1. Block ciphers 2 • TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT, mCrypton, SEA, PRESENT, KATAN, MIBS, LED, Piccolo, Lblock, KLEIN, PRINCE, …

  4. 1. Block ciphers 2 • TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT, mCrypton, SEA, PRESENT, KATAN, MIBS, LED, Piccolo, Lblock , KLEIN, PRINCE, … • Mostly developed independently (1994-2012)

  5. 1. Block ciphers 2 • TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT, mCrypton, SEA, PRESENT, KATAN, MIBS, LED, Piccolo, Lblock, KLEIN, PRINCE, … • Mostly developed independently (1994-2012) • Existing implementations in different technologies • Few comparative studies • Lack of standardization / competition?

  6. Comparison issue 3 • Evaluation criteria are usually relative … … and reflect algorithmic and implementation choices

  7. Comparison issue 3 • Evaluation criteria are usually relative … … and reflect algorithmic and implementation choices • But some of them reflect the algorithms better

  8. Comparison issue 4 • Evaluation criteria are usually relative … … and reflect algorithmic and implementation choices • But some of them reflect the algorithms better • More parameters fixed => easier interpretation • Comparisons also depend on the designer’s skills… => Next: various ECRYPT examples

  9. 1.1. Block ciphers in software 5 • e.g. lightweight platform: ATMEL AtTiny45 • 8-bit RISC • 4kB flash memory, 256 bytes RAM • Direct and indirect addressing • 120 instructions (no multiplier) • 2-stage pipeline • Typically 1 cycle per instruction

  10. 1.1. Block ciphers in software 5 • e.g. lightweight platform: ATMEL AtTiny45 • 8-bit RISC • 4kB flash memory, 256 bytes RAM • Direct and indirect addressing • 120 instructions (no multiplier) • 2-stage pipeline • Typically 1 cycle per instruction • Assembly language • Easy to read • Minimize code size and RAM ( up to some extent! ) • Encryption & decryption, on-the-fly key scheduling • Common interface for all designers

  11. Code size 6

  12. Code size 6 HW-oriented ciphers are bigger

  13. Code size 6 As well as “standard” ones (but not that much)

  14. Cycle count 7

  15. Cycle count 7 Iteration of many simple functions is slower

  16. RAM 8

  17. RAM 8 Precomputed key-scheduling

  18. RAM 8 Mostly reflects state size

  19. Combined metric 9

  20. Combined metric 9 No huge differences for most ciphers (factor<5)

  21. Combined metric 9 AES behaves pretty good!

  22. Lessons learned 10 • Software comparisons relatively easy to interpret • Because hardware is fixed • (limited code size vs. cycle count tradeoff)

  23. Lessons learned 10 • Software comparisons relatively easy to interpret • Because hardware is fixed • (limited code size vs. cycle count tradeoff) • Lightweight ciphers vs. AES • Gain in code size is possible • At the cost of higher cycle counts • RAM use essentially reflects state/key size

  24. Lessons learned 10 • Software comparisons relatively easy to interpret • Because hardware is fixed • (limited code size vs. cycle count tradeoff) • Lightweight ciphers vs. AES • Gain in code size is possible • At the cost of higher cycle counts • RAM use essentially reflects state/key size • BTW, all codes are open source: http://perso.uclouvain.be/fstandae/source_codes/lightweight_ciphers/

  25. 1.2. Block ciphers in hardware 11 • Hardware (instructions) not fixed • Criteria more reflective of HW design choices

  26. 1.2. Block ciphers in hardware 11 • Hardware (instructions) not fixed • Criteria more reflective of HW design choices • Yet, their relevance to algorithm may differ

  27. Case study: min. energy architectures 12 • Low-power 65nm CMOS • Two target frequencies: f max and f 100 • Metrics: area, delay, power, energy, throughput

  28. Case study: min. energy architectures 12 • Low-power 65nm CMOS • Two target frequencies: f max and f 100 • Metrics: area, delay, power, energy, throughput • Flexible architecture • 3 core options (Enc, Dec, Enc/Dec) • Unrolling parameter Nr rounds per cycle

  29. 13 ?

  30. 13 ? 12

  31. 14 ? 12

  32. 14 ? 12

  33. 15 ? 12

  34. 15 ? 12

  35. 16 ? 12

  36. 16 ? 12

  37. 17 ? 12

  38. Lessons learned 18 • Normalized metrics more illustrative • Energy (integrated over time) • Throughput/area

  39. Lessons learned 18 • Normalized metrics more illustrative • Energy (integrated over time) • Throughput/area • Most significant differences between algorithms depend on the key scheduling and E/D combination

  40. Lessons learned 18 • Normalized metrics more illustrative • Energy (integrated over time) • Throughput/area • Most significant differences between algorithms depend on the key scheduling and E/D combination • When using the same gate count / delay per cycle, all algorithms end up with similar cycle count • Suggests « complexity limit » for secure ciphers

  41. Lessons learned 18 • Normalized metrics more illustrative • Energy (integrated over time) • Throughput/area • Most significant differences between algorithms depend on the key scheduling and E/D combination • When using the same gate count / delay per cycle, all algorithms end up with similar cycle count • Suggests « complexity limit » for secure ciphers • AES again behaves pretty good

  42. 1.3. Technology scaling 19 • Between and within technologies (freq vs. Vdd)

  43. 65nm case study 20 • How relevant are algorithmic changes?

  44. Conclusion 21 • For most applications, AES is probably good enough

  45. Conclusion 21 • For most applications, AES is probably good enough • If a lightweight cipher is needed (for gate count, area), existing candidates are probably good enough

  46. Conclusion 21 • For most applications, AES is probably good enough • If a lightweight cipher is needed (for gate count, area), existing candidates are probably good enough • Changing algorithms is expensive and its impact on performances may be limited (yet, non negligible) compared to the one of technology scaling

  47. Conclusion 21 • For most applications, AES is probably good enough • If a lightweight cipher is needed (for gate count, area), existing candidates are probably good enough • Changing algorithms is expensive and its impact on performances may br limited (yet, non negligible) compared to the one of technology scaling • Does not mean we de not need new ciphers • Rather that new ciphers should bring new perspectives (design techniques, properties, …)

  48. Outline 22 1. Past results 2. Future challenges

  49. Q1. Hash functions in software? 23 • Similar case study as for block ciphers • Atmel AVR AtTiny45 benchmarking • Again open source: • http://perso.uclouvain.be/fstandae/source_codes/hash_atmel/

  50. RAM 24 * * * * * * * * *

  51. Cycle count 25

  52. Combined metric 26

  53. Open problem 27 • Much larger differences than for block ciphers • More differences in state sizes • e.g. Keccak has a 1600-bit state • More tradeoffs available (e.g. for sponges) • More versatility in designs • Larger security margins?

  54. Open problem 27 • Much larger differences than for block ciphers • More differences in state sizes • e.g. Keccak has a 1600-bit state • More tradeoffs available (e.g. for sponges) • More versatility in designs • Larger security margins? • What is the best approach for lightweight hash functions?

  55. Q2. Hash functions in hardware 28 • Reference point: AES in hardware ( cfr. Stefan Mangard’s talk at the AES day in Bruges ) • Extremely clear tradeoffs • For 8-bit, 32-bit, 64-bit and 128-bit designs • Most likely well optimized

  56. Q2. Hash functions in hardware 28 • Reference point: AES in hardware ( cfr. Stefan Mangard’s talk at the AES day in Bruges ) • Extremely clear tradeoffs • For 8-bit, 32-bit, 64-bit and 128-bit designs • Most likely well optimized • Implementations of SHA3 candidates (and Keccak) • More results on high-speed than low-cost

  57. Q2. Hash functions in hardware 28 • Reference point: AES in hardware ( cfr. Stefan Mangard’s talk at the AES day in Bruges ) • Extremely clear tradeoffs • For 8-bit, 32-bit, 64-bit and 128-bit designs • Most likely well optimized • Implementations of SHA3 candidates (and Keccak) • More results on high-speed than low-cost  More research needed in this direction • compact Keccak implementations seem non trivial • e.g. Kerckhof et al., Kaps et al. ( CARDIS, INDOCRYPT 2012 )

  58. Q3. Block cipher design 29

  59. Q3. Block cipher design 29 • How to design a key scheduling? • Sometimes as complex as rounds • KHAZAD, ICEBERG, SEA • Sometimes as simple as XORing the master key • NOEKEON, LED • Relations with recent works on Even-Mansour • Bogdanov et al., Dunkelman et al. ( EUROCRYPT 2012 )

Recommend

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event Cryptography for 2020 Tenerife January 23 rd , 2013 Organization Lightweight Cryptography: Mission Accomplished? Introduction Technical perspective

478 views • 20 slides
Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and UTwente d UT t Overview Lightweight cryptography - state of the art Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight

599 views • 39 slides
On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1 AIST, Japan Kolkata, India (16 November 2018) 1 / 38 Table of contents 1 Introduction 2 Lightweight Crypto Stack for Circuit/RAM Size Requirement

670 views • 38 slides
Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world crypto and privacy Sibenik, Croatia - June 15 2018 Outline Symmetric lightweight primitives Most used cryptanalysis Impossible

1.31k views • 76 slides
Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES Design and Security of Cryptographic Functions, Algorithms, and Devices, PAGE: 1 of 33 Summer

590 views • 45 slides
The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work with Alex Biryukov November 18, 2017 Cryptacus Workshop Taken from a document writen originally in English. The programming of billions of processors

903 views • 75 slides
NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance Performance of State-of-the-Art Cryptography on ARM-based Microprocessors Hannes Tschofenig &amp; Manuel Pegourie-Gonnard (Hannes.Tschofenig@arm.com,

509 views • 40 slides
PRESS RELEASE Trusted Objects expert on lightweight cryptography gives a presentation to the NIST

PRESS RELEASE Trusted Objects expert on lightweight cryptography gives a presentation to the NIST

PRESS RELEASE Trusted Objects expert on lightweight cryptography gives a presentation to the NIST Alexan Alexandre dre Adomn Adomnicai, icai, cryptograph cryptography y expert expert at at Truste Trusted d Obje Objects cts will will

174 views • 3 slides
Towards Green Cryptography: a Comparison of Lightweight Ciphers from the Energy Viewpoint St

Towards Green Cryptography: a Comparison of Lightweight Ciphers from the Energy Viewpoint St

Towards Green Cryptography: a Comparison of Lightweight Ciphers from the Energy Viewpoint St ephanie Kerckhof, Fran cois Durvaux, C edric Hoquet, David Bol, Fran cois-Xavier Standaert CHES 2012 September 2012 UCL Crypto Group

931 views • 49 slides
Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing

Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing

Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing Intelligence (IAI), TCG CREST International Crypto-Webniar 2020 Aug 30, 2020 N. Datta (IAI, TCG CREST) Lightweight Crypto and Classification of

1.62k views • 98 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
Light Lightweight Cryptography Pascal Lafourcade (LIMOS, France) Takaaki Mizuki (Tohoku

Light Lightweight Cryptography Pascal Lafourcade (LIMOS, France) Takaaki Mizuki (Tohoku

Light Lightweight Cryptography Pascal Lafourcade (LIMOS, France) Takaaki Mizuki (Tohoku University, Japan) Atsuki Nagao (Ochanomizu University, Japan) Kazumasa Shinagawa (Tokyo Tech / AIST, Japan) 1 2 3 4 5 6 Material 7 Agenda 1.

1.3k views • 38 slides
Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on Physical Attacks, Graz, November 28, 2012 Krzysztof Pietrzak Challenges in Leakage-ResilientSymmetric Cryptography Krzysztof Pietrzak Challenges

994 views • 96 slides
On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS Innovation Labs December 11, 2017 SUMANTA SARKAR Lightweight Cryptography Internet of Things / Connected Cars Internet of things (IoT): Network of

786 views • 45 slides
Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert Staples STVM/CSD/NIST A perspective: cryptography evolves very fast to provide security in cyberspace Emerging crypto technologies - lightweight crypto

199 views • 17 slides
Challenges for Future Cryogenic Electronics Challenges for Future Cryogenic Electronics Shaorui Li,

Challenges for Future Cryogenic Electronics Challenges for Future Cryogenic Electronics Shaorui Li,

Challenges for Future Cryogenic Electronics Challenges for Future Cryogenic Electronics Shaorui Li, Gianluigi De Geronimo, Jie Ma, Hucheng Chen, Jack Fried, Alessio DAndragora, and Veljko Radeka Brookhaven National Laboratory, NY, USA Outline:

490 views • 22 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp; http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
(New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert

(New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert

TRNG Design Challenges RNG security evaluation Conclusions (New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert Curien, UMR 5516 CNRS Jean Monnet University, Member of University of Lyon

685 views • 44 slides
Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept UDT

Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept UDT

Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept UDT 2020 Rune Fardal Introduction The Importance of Maritime MCM Open Sea Line of Communication (SLOC) and protection of harbors are essential for most

451 views • 16 slides
Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan

Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan

Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group Motivation To Improve/Restore the Usefulness of Email

487 views • 28 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept R.

Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept R.

UDT 2020 UDT Extended Abstract Presentation Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept R. Fardal 1 and M. Nakjem 2 1 Principal scientist, FFI, Horten, Norway 2 Project manager, FFI, Horten, Norway

256 views • 4 slides
New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007 Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES?

364 views • 12 slides

More recommend