
GIFT : A Small Present Towards Reaching the Limit of Lightweight - PowerPoint PPT Presentation



  1. [Sections: Introduction, Specification, Design Rationale, Security and Performances, Conclusion] GIFT: A Small Present Towards Reaching the Limit of Lightweight Encryption. Subhadeep Banik (1, 2), Sumit Kumar Pandey (1), Thomas Peyrin (1), Yu Sasaki (3), Siang Meng Sim (1), Yosuke Todo (3). Affiliations: 1. Nanyang Technological University, Singapore; 2. École Polytechnique Fédérale de Lausanne, Switzerland; 3. NTT Secure Platform Laboratories, Japan. CHES2017. 1 / 41

  2. Table of Contents: 1. Introduction; 2. Specification (Round Function; Key Schedule and Round Constants); 3. Design Rationale (Understanding PRESENT Bit Permutation; Designing the GIFT Permutation; Searching for the GIFT Sbox); 4. Security and Performances (Differential and Linear Cryptanalysis; Hardware and Software Performances); 5. Conclusion.

  3. Table of Contents

  4. 10 Years Ago... A decade ago, a lightweight block cipher, PRESENT, was presented at CHES2007. It is a 31-round SPN block cipher with 64-bit block size. Very simple design of Sbox layer and bit permutation (cost 0GE in hardware). In 2012, it was selected as an ISO standard, ISO/IEC 29192.

  5. Block Cipher PRESENT: Its resistance against differential cryptanalysis (DC) comes from its Sbox, which has differential branching number 3. Differential branching number x (BN x): the total Hamming weight of any nonzero input difference and its output difference is at least x. Figure: Hamming wt2 Example. Figure: Hamming wt3 Example.

  6. Block Cipher PRESENT: However, BN3 Sboxes are costly in general. The PRESENT Sbox (BN3) costs 21.33GE, while the SKINNY Sbox (BN2) costs 13.33GE. This difference is multiplied in a round-based implementation. Also, it is weaker against linear cryptanalysis (LC).

  7. Now... At CHES2017, we present a new lightweight block cipher improving over PRESENT; we called it GIFT. By carefully crafting the bit permutation in conjunction with the Sbox properties, we can remove the constraint of BN3. Advantages of GIFT compared to PRESENT: smaller area thanks to a smaller Sbox and fewer subkey additions; better resistance against LC thanks to a good choice of Sbox and bit permutation; fewer rounds and higher throughput; simpler and faster key schedule.

  8. Table of Contents

  9. Block Cipher GIFT: There are 2 versions of GIFT: GIFT-64, 28-round with 64-bit block size, and GIFT-128, 40-round with 128-bit block size. Both versions have 128-bit key size.

  10. Round Function: Each round of GIFT consists of 3 steps: SubCells, PermBits and AddRoundKey. Figure: 64-bit state (bits 63 down to 0) entering 16 GS Sboxes. Denote the rightmost bit as the LSB $b_0$ and $\{b_{4i+j}\}$ as bit $j$. E.g. $b_1, b_5, b_9, \ldots$ are bit 1.

  11. SubCells: Apply 16 4-bit Sboxes, GS, in parallel to every nibble of the state. Figure: 64-bit state (bits 63 down to 0) entering 16 GS Sboxes.
      Table: GIFT Sbox GS
      x      0 1 2 3 4 5 6 7 8 9 a b c d e f
      GS(x)  1 a 4 c 6 f 3 9 2 d b 7 5 0 8 e

  12. PermBits: Pure bit permutation without any XOR gate. Figure: 64-bit state (bits 63 down to 0) with 16 GS Sboxes. Map bit j to bit j.

  13. AddRoundKey: Add the 32-bit round key RK to the state, $RK = U \| V = u_{15} \ldots u_0 \| v_{15} \ldots v_0$. U and V are XORed to bit 1 and bit 0 respectively. Figure: 64-bit state (bits 63 down to 0) with 16 GS Sboxes.

  14. AddRoundKey: A single bit '1' is added to the most significant bit, and a 6-bit round constant $C = c_5 c_4 c_3 c_2 c_1 c_0$ is XORed to bit 3 of the first 6 nibbles. Figure: 64-bit state (bits 63 down to 0) with 16 GS Sboxes.

  15. Table of Contents

  16. Round Key: The 128-bit key is split into 8 16-bit words. $K = k_7 \| k_6 \| \ldots \| k_1 \| k_0$, where each $k_i$ is a 16-bit word. $k_1$ and $k_0$ are extracted as the round key $RK = U \| V$. Key state is updated after key extraction. where ≫ i is an i bits right rotation within a 16-bit word.

  17. Round Constants: Round constants are generated using a 6-bit affine LFSR with 1 XNOR gate (same as SKINNY's). Initialised to zero, and updated before using as round constants.
      Rounds    Constants
      1 - 16    01,03,07,0F,1F,3E,3D,3B,37,2F,1E,3C,39,33,27,0E
      17 - 32   1D,3A,35,2B,16,2C,18,30,21,02,05,0B,17,2E,1C,38
      33 - 48   31,23,06,0D,1B,36,2D,1A,34,29,12,24,08,11,22,04

  18. Table of Contents

  19. PRESENT Bit Permutation: To understand why BN2 Sboxes do not work for PRESENT, we have to look into the PRESENT bit permutation. The PRESENT bit permutation can be partitioned into 4 independent 16-bit permutations. Figure: two rows of Sboxes S15 ... S0 connected by the bit permutation.
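
The branching-number definition on slide 5 and the GS table on slide 11 can be checked directly from the Sbox difference distribution table. The following is an added example, not code from the slides or the GIFT authors; the PRESENT Sbox values are an assumption taken from the PRESENT specification, since they do not appear on this page.

```python
# Added example: differential branch number (BN) of a 4-bit Sbox via its DDT.
GIFT_GS = [0x1, 0xa, 0x4, 0xc, 0x6, 0xf, 0x3, 0x9,
           0x2, 0xd, 0xb, 0x7, 0x5, 0x0, 0x8, 0xe]   # table on the SubCells slide
# Assumption: PRESENT Sbox copied from the PRESENT specification, not from this page.
PRESENT_S = [0xc, 0x5, 0x6, 0xb, 0x9, 0x0, 0xa, 0xd,
             0x3, 0xe, 0xf, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(v):
    return bin(v).count("1")


def ddt(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_branch_number(sbox):
    """Minimum wt(dx) + wt(dy) over all possible transitions with dx != 0."""
    if sorted(sbox) != list(range(len(sbox))):
        raise ValueError("Sbox must be a permutation")
    table = ddt(sbox)
    return min(hamming_weight(dx) + hamming_weight(dy)
               for dx in range(1, len(sbox))
               for dy in range(len(sbox)) if table[dx][dy])


def single_bit_transitions(sbox):
    """Possible (dx, dy, count) with wt(dx) == wt(dy) == 1; empty iff BN >= 3."""
    table = ddt(sbox)
    return [(dx, dy, table[dx][dy])
            for dx in (1, 2, 4, 8) for dy in (1, 2, 4, 8) if table[dx][dy]]


if __name__ == "__main__":
    for name, sbox in (("GIFT GS", GIFT_GS), ("PRESENT", PRESENT_S)):
        print(name, "BN =", differential_branch_number(sbox),
              "1-bit -> 1-bit transitions:", single_bit_transitions(sbox))
```

The single-bit transitions listed for GS are exactly the cases the bit permutation has to handle once the BN3 constraint is dropped.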
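
The round-constant table on slide 17 can be regenerated and checked, together with the constant placement described on slide 14. This is an added example, not code from the slides or the GIFT authors. It assumes the LFSR update rule from the GIFT and SKINNY specifications (the slide only says "affine LFSR with 1 XNOR gate") and that "first 6 nibbles" counts from the least significant nibble.

```python
# Added example: GIFT round-constant generator checked against the slide's table.
SLIDE_TABLE = bytes.fromhex(
    "0103070F1F3E3D3B372F1E3C3933270E"   # rounds 1 - 16
    "1D3A352B162C18302102050B172E1C38"   # rounds 17 - 32
    "3123060D1B362D1A3429122408112204"   # rounds 33 - 48
)


def lfsr_step(c):
    """One update: (c5..c0) <- (c4, c3, c2, c1, c0, c5 XOR c4 XOR 1).
    Assumption: rule taken from the GIFT/SKINNY specifications."""
    feedback = ((c >> 5) ^ (c >> 4) ^ 1) & 1      # the single XNOR gate
    return ((c << 1) & 0x3F) | feedback


def round_constants(rounds):
    """Constants for rounds 1..rounds: start at zero, update before each use."""
    c, out = 0, []
    for _ in range(rounds):
        c = lfsr_step(c)
        out.append(c)
    return out


def cycle_length(start):
    """Number of updates until the state returns to `start`."""
    c, steps = lfsr_step(start), 1
    while c != start:
        c, steps = lfsr_step(c), steps + 1
    return steps


def add_round_constant(state, c, block_bits=64):
    """XOR '1' into the MSB and c_i into bit 3 of nibble i, for i = 0..5.
    Assumption: "first 6 nibbles" counts from the LSB, as in the GIFT spec."""
    state ^= 1 << (block_bits - 1)
    for i in range(6):
        state ^= ((c >> i) & 1) << (4 * i + 3)
    return state


if __name__ == "__main__":
    consts = round_constants(48)
    print("matches slide table:", consts == list(SLIDE_TABLE))
    print("distinct over 48 rounds:", len(set(consts)) == 48)
    print("cycle length from 0:", cycle_length(0))
    print("0x3F is a fixed point:", lfsr_step(0x3F) == 0x3F)
```

The all-ones state 0x3F is the lock-up state of an XNOR-fed LFSR, which is why the zero initialisation matters: from zero the generator runs through 63 distinct states, more than the 28 or 40 rounds need.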
