New Lightweight DES Variants Suited for RFID Applications G. - PowerPoint PPT Presentation

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007

Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES? How to change DES? What are the benefits? 26.03.2007 2

Why Lightweight? – Paradigm Shift past present future Pervasive Mainframe Personal (1 : n) (n : 1) (1 : 1) Pervasive = wireless + embedded + cheap = constrained in CPU, memory, battery 26.03.2007 3

Why choose DES? „People who are still working on DES should probably start a self-help group.“ 3 approaches for lightweight crypto: 1. Minimal implementation of standard ciphers • Cipher design usually SW optimization driven • If HW optimized, then for high throughput 2. Design a new HW optimized cipher • No trust in new ciphers 3. Modify a trusted HW optimized cipher • Hope for a transition of trust 26.03.2007 4

Recall DES DES: • Published in 1977 • Probably best investigated cipher HW optimized for 1970s technology • Plenty of HW-friendly Factor 2 20 = 1.000.000 operations DES = lightweight Major Drawback: • Short keylength DESX 26.03.2007 5

Why change DES? State register S-Boxes • 6-to-4 substitution tables • highly non-linear → high Boolean compl. • 34% of area! Key schedule 32% Idea: • Replace S1...S8 by S together 30% 26.03.2007 6

How to change DES? Plenty of previous work during the 1990s… • DES design criteria (Coppersmith) • Improved resistancy against DC, LC, and DMA (Kim et al.) …But: • All previous work focused on 8 different S-boxes • No S-box fulfills all criteria by Kim et al. Detailed look on the criteria by Kim et al. 26.03.2007 7

Design Criteria for single S-box DES DESL LC Davies-Murphy Differential Attack Cryptanalysis Linear Cryptanalysis C1 C1 4R nR 3R 5R C1 C3 A=(1,2), A=(1,1) rest A=(2,1) A=(2,2) b=1 b=2 b>=2 C3 C3 C4 C2 C2 a=2 a>2 a=1 a=2 a>2 a=1 C6 C5 C2 C6 C4 C2 (000010) (010000) = Condition i C7 C8 Ci 26.03.2007 8

…18 Months later Improved DESL S-box: • Satifies all conditions • Resistant against • certain Differential Cryptanalysis, • Linear Cryptanalysis, and • Davies-Murphy Attack • Results in total area saving of 20 % 26.03.2007 9

What are the benefits? gates 1032 clk 1 clk 1 clk 1 clk 144 clk 144 clk 3400 3000 2599 2168 1857 1848 AES-128 HIGHT-128 Grain- Trivium- DESL-56 DESXL-118 128 80 Smallest known secure block cipher • Very small footprint (=cheap) in hardware • Comparable even to streamciphers • 26.03.2007 10

Thank you! Questions? www.crypto.rub.de, poschmann@crypto.rub.de

Example: 4-Round Linear Characteristic K 1 O 1 A: <I 2 ,Z 1 > + <K 2 ,Z 3 > = <O 2 ,Z 2 > I 1 B: <I 3 ,Y 1 > + <K 3 ,Y 3 > = <O 3 ,Y 2 > O 2 = I 1 + I 3 , O 3 = I 2 + I 4 K 2 O 2 I 2 15-round approximation: -AB-BA-AB-BA-AB Kim et al. Use two conditions: General: ≤ ∈ ∈ ≤ S W 6 4 • a a GF b GF wt a wt b ( ) 20 , ( 2 ) , ( 2 ) , ( ), ( ) 2 b K 3 Special: No occurence of 18 sub-cases for O 3 • I 3 wt(a)=wt(b)=1 Our conditions: General: ≤ ∈ ∈ ≤ S W 6 4 • ( a ) 20 , a GF ( 2 ) , b GF ( 2 ) , wt ( a ), wt ( b ) 2 b I 4 Special: ≤ ∈ ∈ = = • S W 6 4 ( a ) 4 , a GF ( 2 ) , b GF ( 2 ) , wt ( a ) wt ( b ) 1 b 26.03.2007 12