Transcript DLX A Compact New DESX Variant

DESL
An Efficient Block Cipher For
Lightweight Cryptosystems
A. Poschmann, G. Leander, K. Schramm*, C. Paar
Ruhr-Universität Bochum, Germany
RFIDsec 2006
14.07.2006 - Page 1/15
Agenda
1. Introduction
2. Design Criteria of the DESL
3. Serialized Architecture of DESL
4. Implementation Results
5. Conclusion
RFIDsec 2006
14.07.2006 - Page 2/15
Introduction
Cryptography is needed to...
implement authentication
prevent eavesdropping
RFIDsec 2006
Design goals for RFID ciphers:
small gate count
low power consumption
high security
14.07.2006 - Page 3/15
Introduction (2)
What are the requirements of a block cipher so that its
hardware implementation has a low gate count ?
it must be possible to implement the cipher in a serialized
fashion (value chip size over execution time)
use smaller block size (e.g. 64 bits instead of 128 bits) in
order to save gates on internal flip-flop registers
only use small subfunctions (e.g. 6-to-4 bit S-boxes)
use very few different subfunctions (e.g. only a single Sbox)
Using these conditions we tried to find a lower bound with
regard to gate count for a DES-lightweight (DESL) block
cipher which uses only a single S-box.
RFIDsec 2006
14.07.2006 - Page 4/15
Introduction to DES (Data Encryption Standard)
plaintext
64
L0
R0
32
K0
32
f
round 1
L1
R1
6
K1
S
f
S
S
S
S
S
S
S
round 2
L2
R2
L15
R15
K15
f
round 16
L16
R16
64
RFIDsec 2006
ciphertext
Idea: replace the eight different Sboxes by a single one repeated
eight times.
14.07.2006 - Page 5/15
Design Criteria of DES S-boxes
(Coppersmith '94)
Input
6
„No output bit of an S-box
should be too close to a linear
combination of input bits.“
S-Box
4
Output
Output = a*x+1
(S-1) (S-2)
S(1|0001|0) = 2
00
01
10
11
|0|1|2|3|4|5|6|7|8|9|A|B|C|D|E|F
| 2006
RFIDsec
(S-3)
Each row
contains all
possible
output values
14.07.2006 - Page 6/15
Design Criteria of DES S-boxes
(Coppersmith '94)
HW(X1  X2) = 1
6
∆I = 001100
6
S-box
S-box
4
HW(Y1  Y2) ≥ 2
∆I = 11xy00
6
S-box
4
Y1 ≠ Y2
RFIDsec 2006
4
(S-4) (S-5)
(S-6) (S-7)
HW(Y1 Y2) ≥ 2
∆I ≠ 000000
6
S-box
4
P(Y1 = Y2) ≤ ¼
14.07.2006 - Page 7/15
Design Criteria of DES S-boxes
(Coppersmith '94)
(S-8)
Minimise Collision Probability (p = 1/234)
∆Input
Expansion
bcde
1ghi
fghi jkm0
...0
...a 0ab1
0cde 1cd1
0ef0 0...
p...
0000ab
000000
6
00ab11
6
11cd10
6
10ef00
6
np0000
000000
6
Substitution S-box
S-box
S-box
S-box
S-box
i
i+1
i+2
i+3
i-1
∆Output
4
4
4
4
4
0000
0000
0000
0000
0000
Collision in 3 adjacent S-boxes!
RFIDsec 2006
14.07.2006 - Page 8/15
Resistance to Differential Cryptanalysis
00ab11
6
...
S-box
...
i-n
10ef00
6
np0000
000000
6
S-box
S-box
i-1
i
4
4
4
0000
0000
0000
Collision in n adjacent S-boxes!
(S-6')
∆I = 1xyz00
6
S-box
4
Y1 ≠ Y2
With our new criterion S-6' differential attacks based on
2-round characteristics are now impossible!
RFIDsec 2006
14.07.2006 - Page 9/15
Currently proposed DESL S-box (under construction!!!)
DESL
VS.
DES
28
(S-2')
40
7
(S-7)
8
0
(S-8)
1 / 234
RFIDsec 2006
=> at least 256 known
plaintexts for LC
=> two-round characteristics impossible
=> classical DC impossible
14.07.2006 - Page 10/15
Serialized DES/DESL Architecture
RFIDsec 2006
14.07.2006 - Page 11/15
Implementation Results (1)
DESL
VS.
DES
-25%
-25%
7392
1848
9236
2309
-33%
-33%
0.89
4.4477
#Transistors
#Gate count
Ø Power [µA]
@ 100kHz
@ 500kHz
144
#clock
cycles
RFIDsec 2006
1.19
5.95
144
14.07.2006 - Page 12/15
Implementation Results (2)
RFIDsec 2006
Cipher
Gate count
DESL
DES
DESXL
DESX
AES
Trivium-1
Grain-1
Mosquito-B
Sfinks-B
Hermes8
1848
2309
2168
2629
3628
2906
1558
4806
6311
6885
14.07.2006 - Page 13/15
Conclusion
DESL
Low gate count (1848 GE)
Smaller than several eStream ciphers
Low current draw (0.89 µA @ 100kHz)
Seems to be secure against LC/DC attacks
but the proposed S-box is still under construction!
DESL is a further possible step towards a
lightweight block cipher for RFID tags.
RFIDsec 2006
14.07.2006 - Page 14/15
Thank you!
RFIDsec 2006
14.07.2006 - Page 15/15