New Lightweight DES Variants Suited for RFID Applications G. - - PowerPoint PPT Presentation

New Lightweight DES Variants Suited for RFID Applications

• G. Leander, C. Paar, A. Poschmann, K. Schramm

Workshop on Fast Software Encryption 2007

26.03.2007 2

Outline

Introduction

Why lightweight? Why choose DES?

DESL: DES Lightweight

Why change DES? How to change DES? What are the benefits?

26.03.2007 3

Why Lightweight? – Paradigm Shift

past Mainframe (n : 1) Personal (1 : 1) Pervasive (1 : n) present future Pervasive = wireless + embedded + cheap = constrained in CPU, memory, battery

26.03.2007 4

Why choose DES?

3 approaches for lightweight crypto:

• 1. Minimal implementation of standard ciphers
• Cipher design usually SW optimization driven
• If HW optimized, then for high throughput
• 2. Design a new HW optimized cipher
• No trust in new ciphers
• 3. Modify a trusted HW optimized cipher
• Hope for a transition of trust

„People who are still working on DES should probably start a self-help group.“

26.03.2007 5

Recall DES

DES:

• Published in 1977
• Probably best investigated

cipher

• Plenty of HW-friendly
• perations

HW optimized for 1970s technology Factor 220 = 1.000.000 DES = lightweight

Major Drawback:

• Short keylength

DESX

26.03.2007 6

Why change DES?

S-Boxes

• 6-to-4 substitution tables
• highly non-linear

→ high Boolean compl.

• 34% of area!

Idea:

• Replace S1...S8 by S

Key schedule 32% State register together 30%

26.03.2007 7

How to change DES?

Plenty of previous work during the 1990s…

• DES design criteria (Coppersmith)
• Improved resistancy against DC, LC, and DMA (Kim

et al.) …But:

• All previous work focused on 8 different S-boxes
• No S-box fulfills all criteria by Kim et al.

Detailed look on the criteria by Kim et al.

26.03.2007 8

Design Criteria for single S-box DES

LC

DESL

Linear Cryptanalysis Differential Cryptanalysis Davies-Murphy Attack C1 C1

A=(1,1)

C3

A=(1,2), A=(2,1)

C3

A=(2,2)

C4

rest

C2 C1 C3

3R nR 4R 5R b=1 a>2 a=2 a=1

C2 C5 C6 C7 C8

(000010) (010000) b=2 a>2

C2

a=2

C4

a=1

C6

b>=2

C2 Ci

= Condition i

26.03.2007 9

…18 Months later

Improved DESL S-box:

• Satifies all conditions
• Resistant against
• certain Differential Cryptanalysis,
• Linear Cryptanalysis, and
• Davies-Murphy Attack
• Results in total area saving of 20 %

26.03.2007 10

What are the benefits?

gates

3400

AES-128 1032 clk

1848

DESL-56 144 clk

2168

DESXL-118 144 clk

• Smallest known secure block cipher
• Very small footprint (=cheap) in hardware
• Comparable even to streamciphers

3000

HIGHT-128 1 clk

1857

Grain- 128 1 clk

2599

Trivium- 80 1 clk

Questions?

www.crypto.rub.de, poschmann@crypto.rub.de

Thank you!

26.03.2007 12

Example: 4-Round Linear Characteristic

Kim et al. Use two conditions:

• General:
• Special: No occurence of 18 sub-cases for

wt(a)=wt(b)=1

2 ) ( ), ( , ) 2 ( , ) 2 ( , 20 ) (

4 6

≤ ∈ ∈ ≤ b wt a wt GF b GF a a SW

b

A: <I2,Z1> + <K2,Z3> = <O2,Z2> B: <I3,Y1> + <K3,Y3> = <O3,Y2>

I1 I2 I3 O3 O2 O1 K2 K1 K3

O2 = I1 + I3, O3 = I2 + I4

I4

15-round approximation: -AB-BA-AB-BA-AB Our conditions:

• General:
• Special:

1 ) ( ) ( , ) 2 ( , ) 2 ( , 4 ) (

4 6

= = ∈ ∈ ≤ b wt a wt GF b GF a a SW

b

2 ) ( ), ( , ) 2 ( , ) 2 ( , 20 ) (

4 6

≤ ∈ ∈ ≤ b wt a wt GF b GF a a SW

b