Introduction

The LED Round Function

Minimalism for Key Schedule

Security Analysis

Implementations and Results

The LED Block Cipher Jian Guo, Thomas Peyrin, Axel Poschmann and Matt Robshaw I2R, NTU and Orange Labs

CHES 2011 Nara, Japan


Outline

Introduction
The LED Round Function
Minimalism for Key Schedule
Security Analysis
Implementations and Results


Current picture of lightweight primitives - graphically

[Figure: area in GE (500 to 2500, with a line marking the theoretical optimum) plotted against internal memory in bits (64, 128, 192, 256). Primitives shown: TRIVIUM, AES, S-QUARK, DESXL, PHOTON-256/32/32, DESL, D-QUARK, PHOTON-224/32/32, KLEIN-96, PRESENT-128, KLEIN-80, U-QUARK, PHOTON-160/36/36, GRAIN, KLEIN-64, KATAN-64, KTANTAN64, PHOTON-128/16/16, PRESENT-80, PHOTON-80/20/16, PRINTcipher-96, KTANTAN32, PRINTcipher-48.]


Current picture of lightweight block ciphers - graphically

[Figure: same axes as above (area in GE against internal memory in bits, theoretical optimum marked), restricted to block ciphers: AES, DESXL, DESL, KLEIN-80, KLEIN-96, PRESENT-128/PICCOLO-128, KLEIN-64, KATAN-64, KTANTAN64, PRESENT-80/PICCOLO-80, PRINTcipher-96, KTANTAN32, PRINTcipher-48.]


Lightweight block ciphers are too provocative?

• ARMADILLO: key-recovery attacks [A+-2011]
• HIGHT: related-key attacks [K+-2010]
• Hummingbird-1: practical related-IV attacks [S-2011]
• KTANTAN: practical related-key attacks [Å-2011]
• PRINTcipher: large weak-key classes [AJ-2011]

PRESENT is still unbroken.


Light Encryption Device

We propose a new 64-bit block cipher LED:
• as small as PRESENT
• faster than PRESENT in software (and slower in hardware)
• significant security margin
• can take any key size from 64 to 128 bits
• key can be directly hardwired (without any modification)
• provable resistance to classical differential and linear attacks ...
• ... both in the single-key and related-key models


A single round of LED

[Figure: the 64-bit state as a 4 x 4 array of 4-bit cells, processed by AddConstants, then SubCells (S applied to every cell), then ShiftRows, then MixColumnsSerial.]

The 64-bit round function is an SP-network:
• AddConstants: xor round-dependent constants to the first two columns
• SubCells: apply the PRESENT 4-bit Sbox to each cell
• ShiftRows: rotate the i-th row by i positions to the left
• MixColumnsSerial: apply the special MDS matrix to each column independently


Efficient Serially Computable MDS Matrices

MDS matrices ("Maximum Distance Separable") have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input/output cells will be active. We use the same trick as in PHOTON (CRYPTO 2011): implement an MDS matrix that can be efficiently computed in a serial way. We keep the same good diffusion properties and good software performance as the classical MDS constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering).

The serial matrix A is a d x d companion matrix: every row but the last is a shifted unit vector, and the last row carries the coefficients Z_0, ..., Z_{d-1}:

$$
A = \begin{pmatrix}
0 & 1 & 0 & 0 & \cdots & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & \cdots & 0 & 0 & 0 & 0 \\
\vdots & & & & \ddots & & & & \vdots \\
0 & 0 & 0 & 0 & \cdots & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & \cdots & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & \cdots & 0 & 0 & 0 & 1 \\
Z_0 & Z_1 & Z_2 & Z_3 & \cdots & Z_{d-4} & Z_{d-3} & Z_{d-2} & Z_{d-1}
\end{pmatrix}
$$

Applied once to a column, A shifts every cell up by one position and computes a single new cell at the bottom (the slides animate this one cell at a time):

$$
A \cdot \begin{pmatrix} v_0 \\ v_1 \\ \vdots \\ v_{d-2} \\ v_{d-1} \end{pmatrix}
= \begin{pmatrix} v_1 \\ v_2 \\ \vdots \\ v_{d-1} \\ v'_0 \end{pmatrix},
\qquad v'_0 = Z_0 v_0 + Z_1 v_1 + \cdots + Z_{d-1} v_{d-1}.
$$

Applying A d times in a row, i.e. using (A)^d as the diffusion matrix, therefore costs only the shift register that already holds the column plus one row of multiply-and-add per step, with no extra storage; the Z_i are chosen so that (A)^d is MDS.


The MixColumnsSerial matrix for LED

The serial decomposition of our MixColumnsSerial matrix is very lightweight (the matrix (B)^4 is MDS; entries are elements of GF(2^4) defined by x^4 + x + 1, written in hexadecimal):

$$
(B)^4 = \begin{pmatrix}
0 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 \\
0 & 0 & 0 & 1 \\
4 & 1 & 2 & 2
\end{pmatrix}^4
= \begin{pmatrix}
4 & 1 & 2 & 2 \\
8 & 6 & 5 & 6 \\
B & E & A & 9 \\
2 & 2 & F & B
\end{pmatrix}
$$

So is its inverse:

$$
(B^{-1})^4 = \begin{pmatrix}
D & 9 & 9 & D \\
1 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 \\
0 & 0 & 1 & 0
\end{pmatrix}^4
= \begin{pmatrix}
C & C & D & 4 \\
3 & 8 & 4 & 5 \\
7 & 6 & 2 & E \\
D & 9 & 9 & D
\end{pmatrix}
$$


The Key Schedule of LED

Recent lessons learned in block cipher design:
• designing key schedules is hard (see recent attacks on AES); the same holds for message expansions in hash functions (look at the SHA-3 competition)
• obtaining security proofs when also considering differences in the key schedule is not trivial ...
• either you use the very same function (can be bad, see attacks on Whirlpool) ...
• ... or you use a purposely different function in order to make cryptanalysis hard (see AES, PRESENT, ...)

Our rationale: use NO key schedule
• much simpler for cryptanalysts: security does not rely on a key schedule being hard to analyze
• only leverages the quality of the permutation, and we DO know how to build good permutations
• you can directly hardwire the key in some particular scenarios


First attempt: key repeated every round

[Figure: P → K → 1 round → K → 1 round → K → ... → 1 round → K → C, each round being AC, SB, ShR, MC]

But paths exist with only 1 active Sbox per round on average.


Second attempt: key repeated every two rounds

[Figure: P → K → 2 rounds → K → 2 rounds → K → ... → 2 rounds → K → C, each round being AC, SB, ShR, MC]

But paths exist with only 2.5 active Sboxes per round on average.


Third attempt: key repeated every four rounds

[Figure: P → K → 4 rounds → K → 4 rounds → K → ... → 4 rounds → K → C, each round being AC, SB, ShR, MC]

The best path has 3.125 active Sboxes per round on average.


LED key schedule

For a 64-bit key, we xor it to the internal state every four rounds. We apply a total of 8 steps (or 32 rounds):

[Figure: P → K → 4 rounds → K → 4 rounds → K → ... → 4 rounds → K → C]

For keys of up to 128 bits, we divide the key into two equal chunks K1 and K2 that are alternately xored to the internal state every four rounds. We apply a total of 12 steps (or 48 rounds):

[Figure: P → K1 → 4 rounds → K2 → 4 rounds → K1 → 4 rounds → K2 → ... → C]
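The round function (AddConstants, SubCells, ShiftRows, MixColumnsSerial), the serially computed MDS matrix (B)^4 from the previous section and the key-every-four-rounds structure above, put together as a runnable example. This is added code, not the LED slides' or the authors' reference implementation. It assumes GF(2^4) arithmetic modulo x^4 + x + 1, the round-constant LFSR and the placement of the constants of the LED specification as I recall them (the slides do not give the constants), and exactly 64- or 128-bit keys; every function name is mine. It checks that (B)^4 and (B^{-1})^4 equal the matrices on the MixColumnsSerial slide and that (B)^4 is MDS, but claims no published test vector.

```python
# Added example, not from the LED slides or the authors' code: an unoptimised
# LED-64 / LED-128 in pure Python. The slides fix the 4x4 state of 4-bit cells,
# the PRESENT S-box, ShiftRows, the serial MDS matrix (B)^4 and a key xored
# every four rounds (8 steps for a 64-bit key, 12 steps alternating K1/K2 for
# a 128-bit key). They do not give the round constants or their placement:
# those follow the LED specification as I recall it and are an ASSUMPTION of
# this example, so no published test vector is claimed.
from functools import reduce
from operator import xor

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]          # PRESENT S-box
INV_SBOX = [SBOX.index(y) for y in range(16)]
B = [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [4, 1, 2, 2]]   # the slide's B
B_INV = [[0xD, 0x9, 0x9, 0xD], [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]

def gf16_mul(a, b):  # GF(2^4) product modulo x^4 + x + 1, the field LED shares with PHOTON
    r = 0
    for _ in range(4):
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (0x13 if a & 8 else 0), b >> 1
    return r

MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]

def mat_vec(m, v):  # m * v over GF(2^4); for a companion matrix: a shift plus one new cell
    return [reduce(xor, (MUL[c][x] for c, x in zip(row, v)), 0) for row in m]

def mat_pow(m, n):
    """m^n, obtained by applying m n times to the unit vectors (the columns)."""
    cols = [[int(i == j) for i in range(4)] for j in range(4)]
    for _ in range(n):
        cols = [mat_vec(m, c) for c in cols]
    return [list(row) for row in zip(*cols)]

def branch_number(m):
    """min over non-zero v of wt(v) + wt(m*v); a 4x4 matrix is MDS iff this is 5."""
    vecs = ([(x >> (4 * i)) & 0xF for i in range(4)] for x in range(1, 1 << 16))
    return min(sum(c != 0 for c in v + mat_vec(m, v)) for v in vecs)

def round_constants(n):
    """ASSUMED: the spec's 6-bit LFSR rc <- (rc << 1) | (rc5 ^ rc4 ^ 1), seeded with 0."""
    rc, out = 0, []
    for _ in range(n):
        rc = ((rc << 1) & 0x3F) | (((rc >> 5) ^ (rc >> 4) ^ 1) & 1)
        out.append(rc)
    return out

# State: 16 cells, s[4*row + col]; cell 0 is the most significant nibble.
def to_cells(x):
    return [(x >> (60 - 4 * i)) & 0xF for i in range(16)]
def to_int(s):
    return int("".join("%x" % c for c in s), 16)

def add_constants(s, rc):
    """Constants go into the first two columns (placement ASSUMED, see header)."""
    for r in range(4):
        s[4 * r] ^= r                                          # column 0
        s[4 * r + 1] ^= (rc >> 3) if r % 2 == 0 else (rc & 7)  # column 1

def shift_rows(s, inverse=False):  # rotate row r by r cells to the left (right when inverting)
    return [s[4 * r + (c + (-r if inverse else r)) % 4] for r in range(4) for c in range(4)]

def mix_columns_serial(s, m=B):
    """Four passes of the companion matrix per column: (B)^4 itself is never stored."""
    out = list(s)
    for c in range(4):
        col = [s[4 * r + c] for r in range(4)]
        for _ in range(4):
            col = mat_vec(m, col)
        for r in range(4):
            out[4 * r + c] = col[r]
    return out

def led_round(s, rc, inverse=False):
    if not inverse:
        s = list(s)
        add_constants(s, rc)
        return mix_columns_serial(shift_rows([SBOX[x] for x in s]))
    s = [INV_SBOX[x] for x in shift_rows(mix_columns_serial(s, B_INV), True)]
    add_constants(s, rc)                                       # xor is self-inverse
    return s

def led_crypt(block, key, keybits, decrypt=False):
    """No key schedule: the raw key (or its two halves) is xored before every step and once at the end."""
    assert keybits in (64, 128), "this example handles 64- and 128-bit keys only"
    subkeys = [to_cells(key)] if keybits == 64 else [to_cells(key >> 64), to_cells(key % 2 ** 64)]
    steps, k = (8 if keybits == 64 else 12), len(subkeys)
    rcs = round_constants(4 * steps)
    add_key = lambda s, i: [a ^ b for a, b in zip(s, subkeys[i % k])]
    s = to_cells(block)
    if not decrypt:
        for i in range(steps):
            s = add_key(s, i)
            for j in range(4):
                s = led_round(s, rcs[4 * i + j])
        return to_int(add_key(s, steps))
    s = add_key(s, steps)
    for i in reversed(range(steps)):
        for j in reversed(range(4)):
            s = led_round(s, rcs[4 * i + j], True)
        s = add_key(s, i)
    return to_int(s)
```

mix_columns_serial applies B four times per column, which is exactly the shift-register evaluation a serial 4-bit datapath performs; comparing its output with mat_vec(mat_pow(B, 4), col) shows that the serial and the direct forms agree. branch_number scans all 65535 non-zero column values, so it takes about a second; it returns 5 for (B)^4 and only 2 for B itself, which is why four passes are needed.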


Differential/linear attacks

• AES-like permutations are simple to understand, well studied, and provide very good security
• In the single-key model: one can easily derive proofs on the minimal number of active Sboxes for 4 rounds of the permutation: (d + 1)^2 = 25 active Sboxes for 4 rounds of LED
• In the related-key model: at least half of the 4-round steps are active, so by the same reasoning we obtain (d + 1)^2 = 25 active Sboxes for 8 rounds of LED

                                LED-64 SK   LED-64 RK   LED-128 SK   LED-128 RK
minimal no. of active Sboxes    200         100         300          150
differential path probability   2^-400      2^-200      2^-600       2^-300
linear approx. probability      2^-400      2^-200      2^-600       2^-300
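Where the figures in the table come from, as an added example (not the slides' or the authors' code): the active-Sbox counts are the ones stated above, and the probabilities follow from the best differential probability and linear bias of the PRESENT Sbox, which this code computes from the Sbox's difference distribution table (DDT) and linear approximation table (LAT) rather than taking them from the slide. The "linear approximation probability" column is reproduced as the squared correlation (2 x bias)^2 per active Sbox, the convention under which it equals the differential column; that reading of the table, and all function names, are mine.

```python
# Added example, not from the slides or the authors' code: where the numbers
# in the table above come from. The slides give the active S-box counts (25 per
# 4-round step in the single-key model; at least half of the steps active in
# the related-key model). Turning a count into a probability needs the best
# differential probability and linear bias of the PRESENT S-box, computed here
# from its DDT and LAT instead of being taken on trust.
import math

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]          # PRESENT S-box

def ddt(sbox):
    """Difference distribution table: 
ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t

def parity(x):
    return bin(x).count("1") & 1

def lat(sbox):
    """Linear approximation table: lat[a][b] = #{x : a.x = b.S(x)} - n/2."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            t[a][b] = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2
    return t

def max_diff_prob(sbox):
    """Best probability of a single-S-box differential with dx != 0."""
    return max(max(row) for row in ddt(sbox)[1:]) / len(sbox)

def max_lin_bias(sbox):
    """Best |bias| of a single-S-box linear approximation with a, b != 0."""
    n, t = len(sbox), lat(sbox)
    return max(abs(t[a][b]) for a in range(1, n) for b in range(1, n)) / n

def led_bounds(keybits, related_key, sbox=SBOX):
    """(rounds, minimal active S-boxes, log2 differential prob, log2 linear prob).

    The linear column is read as squared correlation, (2*bias)^2 per active
    S-box, which is the convention under which it matches the differential one.
    """
    steps = 8 if keybits == 64 else 12
    active = 25 * (steps // 2 if related_key else steps)
    diff_log2 = active * math.log2(max_diff_prob(sbox))
    lin_log2 = active * math.log2((2 * max_lin_bias(sbox)) ** 2)
    return 4 * steps, active, round(diff_log2), round(lin_log2)
```

For the PRESENT Sbox both max_diff_prob and max_lin_bias come out as 2^-2, so every active Sbox costs a factor 2^-2 in either column and 200 active Sboxes give the 2^-400 of the LED-64 single-key entry. Swapping in another 4-bit Sbox shows immediately how much of the table rests on the Sbox choice rather than on the active-Sbox count.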


Rebound attack and improvements

[Figure: LED-64 rounds covered by the distinguisher: 1 round + 4 rounds + 4 rounds + 4 rounds + 2 rounds]

In the chosen-related-key model, one can distinguish 15 rounds (over 32) of LED-64 with complexity 2^16.

[Figure: LED-128 rounds covered by the distinguisher: 1 round + 8 rounds + 4 rounds + 4 rounds + 8 rounds + 2 rounds]

In the chosen-related-key model, one can distinguish 27 rounds (over 48) of LED-128 with complexity 2^16.

Improvements are unlikely since no key is used during the four rounds of a step, so the degrees of freedom available to the attacker are kept to a minimum.


Other cryptanalysis techniques

• cube testers: the best we could find within practical time complexity is at most 3 rounds
• zero-sum partitions: distinguishers for at most 12 rounds with 2^64 complexity in the known-key model
• algebraic attacks: the entire system for a 64-bit fixed-key LED permutation consists of 10752 quadratic equations in 4096 variables
• slide attacks: all rounds are made different thanks to the round-dependent constant addition
• rotational cryptanalysis: any rotation property in a cell will be directly removed by the application of the Sbox layer
• integral attacks: currently can't even break 2 steps


Hardware implementation

[Figure: serialized LED architecture with a 4-bit datapath. A 4 x 4 State register (cells 00 to 33) and a Key register feed per-cell operations SC (SubCells, S), AC (AddConstants, A, with the round constant RC) and AK (AddKey), plus MCS (the serial MixColumnsSerial); a controller drives enAC, enAK, IC and RC. Ports: input, Key, output, outReady.]


Hardware implementation results

[Figure: the block-cipher chart from the introduction (area in GE, 500 to 2500, theoretical optimum marked, against internal memory in bits: 64, 128, 192, 256) with the LED variants added: LED-64 (two implementations), LED-80, LED-96 and LED-128, plotted next to AES, DESXL, DESL, KLEIN-64/80/96, KATAN-64, KTANTAN32/64, PRESENT-80/128, PICCOLO-80/128 and PRINTcipher-48/96.]


Software implementation results

Table: Software implementation results of LED (table-based implementation).

            cycles/byte
LED-64      57
LED-128     86

One can use "Super-Sbox" implementations (ongoing work).


Conclusion

The LED block cipher:
• is very simple and clean
• is as small as PRESENT
• is faster than PRESENT in software (and slower in hardware)
• key can be hardwired without modification of the algorithm
• provides provable security against classical linear/differential cryptanalysis both in the single-key and related-key models
• extremely large security margin in the single-key model
• security analysis done in the very optimistic known/chosen-key models

Latest results on https://sites.google.com/site/ledblockcipher/
