DESL
Download
1 / 15

Agenda - PowerPoint PPT Presentation


  • 63 Views
  • Uploaded on

DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität Bochum, Germany. Agenda. 1. Introduction 2. Design Criteria of the DESL 3. Serialized Architecture of DESL 4. Implementation Results 5. Conclusion. Introduction.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Agenda' - lucius-lancaster


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

DESLAn Efficient Block Cipher For Lightweight CryptosystemsA. Poschmann, G. Leander, K. Schramm*, C. PaarRuhr-Universität Bochum, Germany


Agenda
Agenda

1. Introduction

2. Design Criteria of the DESL

3. Serialized Architecture of DESL

4. Implementation Results

5. Conclusion


Introduction
Introduction

Cryptography is needed to...

Design goals for RFID ciphers:

small gate count

implement authentication

low power consumption

prevent eavesdropping

high security


Introduction 2
Introduction (2)

What are the requirements of a block cipher so that its

hardware implementation has a low gate count ?

it must be possible to implement the cipher in a serialized fashion (value chip size over execution time)

use smaller block size (e.g. 64 bits instead of 128 bits) in order to save gates on internal flip-flop registers

only use small subfunctions (e.g. 6-to-4 bit S-boxes)

use very few different subfunctions (e.g. only a single S-box)

Using these conditions we tried to find a lower bound with regard to gate count for a DES-lightweight (DESL) block cipher which uses only a single S-box.


Introduction to des data encryption standard
Introduction to DES (Data Encryption Standard)

plaintext

64

L0

R0

K0

32

32

f

round 1

L1

R1

6

K1

S

S

S

S

S

S

S

S

f

round 2

L2

R2

L15

R15

K15

f

round 16

Idea: replace the eight different S-boxes by a single one repeated

eight times.

L16

R16

64

ciphertext


Design criteria of des s boxes coppersmith 94
Design Criteria of DES S-boxes (Coppersmith '94)

„No output bit of an S-box should be too close to a linear combination of input bits.“

Input

6

S-Box

4

Output = a*x+1

Output

(S-2)

(S-1)

00

01

10

11

|0|1|2|3|4|5|6|7|8|9|A|B|C|D|E|F|

(S-3)

S(1|0001|0) = 2

Each row

contains all

possible output values


Design criteria of des s boxes coppersmith 941
Design Criteria of DES S-boxes (Coppersmith '94)

HW(X1 X2) = 1

∆I = 001100

6

6

S-box

S-box

4

4

HW(Y1 Y2) ≥ 2

HW(Y1 Y2) ≥ 2

(S-4)

(S-5)

(S-6)

(S-7)

∆I = 11xy00

∆I ≠ 000000

6

6

S-box

S-box

4

4

Y1 ≠ Y2

P(Y1 = Y2) ≤ ¼


Design criteria of des s boxes coppersmith 942
Design Criteria of DES S-boxes (Coppersmith '94)

...0

0cde

jkm0

0...

0000ab

np0000

6

6

S-box

i-1

S-box

i+3

4

4

0000

0000

(S-8)

Minimise Collision Probability (p = 1/234)

bcde

fghi

1ghi

...a

0ab1

1cd1

0ef0

p...

∆Input

Expansion

000000

000000

10ef00

00ab11

11cd10

6

6

6

S-box

i

S-box

i+1

S-box

i+2

Substitution

4

4

4

∆Output

0000

0000

0000

Collision in 3 adjacent S-boxes!


Resistance to differential cryptanalysis
Resistance to Differential Cryptanalysis

00ab11

np0000

6

6

S-box

i-n

S-box

i

4

4

0000

0000

With our new criterion S-6' differential attacks based on

2-round characteristics are now impossible!

10ef00

000000

...

(S-6')

6

∆I = 1xyz00

...

S-box

i-1

6

4

S-box

0000

4

Collision in n adjacent S-boxes!

Y1 ≠ Y2


Currently proposed desl s box under construction
Currently proposed DESL S-box (under construction!!!)

28

(S-2')

40

7

(S-7)

8

0

(S-8)

1 / 234

DESL

VS.

DES

=> at least 256 known plaintexts for LC

=> two-round character-

istics impossible

=> classical DC impossible



Implementation results 1
Implementation Results (1)

#Transistors

7392

9236

#Gate count

1848

2309

Ø Power [µA] @ 100kHz

@ 500kHz

#clock

cycles

0.89

4.4477

144

1.19

5.95

144

DESL

VS.

DES

-25%

-25%

-33%

-33%


Implementation results 2
Implementation Results (2)

Cipher

Gate count

DESL

DES

DESXL

DESX

AES

Trivium-1

Grain-1

Mosquito-B

Sfinks-B

Hermes8

1848

2309

2168

2629

3628

2906

1558

4806

6311

6885


Conclusion
Conclusion

DESL

Low gate count (1848 GE)

Smaller than several eStream ciphers

Low current draw (0.89 µA @ 100kHz)

Seems to be secure against LC/DC attacks

but the proposed S-box is still under construction!

DESL is a further possible step towards a

lightweight block cipher for RFID tags.



ad