ITUbee: A Software Oriented Lightweight Block Cipher
Ferhat Karakoc (1,2), Huseyin Demirci (1), A. Emre Harmancı (2)
(1) TUBITAK-BILGEM-UEKAE, (2) Istanbul Technical University
May 6, 2013
Outline
Motivation
ITUbee
Security Analysis
Performance Analysis
Conclusion
Motivation
A software oriented lightweight block cipher
Software oriented:
Microcontroller based platform
Lightweight: suitable for constrained devices
Power/energy
Memory/area
Time/throughput
Most previously proposed lightweight ciphers are suited to hardware designs
Bitwise permutations
4-bit S-boxes
Motivation (cont.)
Feistel structure with no key schedule, with security against related-key attacks as well
Most previously proposed ciphers with no key schedule have an SPN structure
Feistel ciphers with a very simple key schedule, such as GOST
Related key attacks
Motivation (cont.)
ITUbee is suitable for 8-bit software based platforms which have resource constraints.
Based on Feistel structure and has no key schedule.
An example platform: sensor nodes in wireless sensor networks (WSN)
Generally microcontroller based platforms
Have constraints on power/energy, memory/area, time/throughput
A specific example: Mica2 and Mica2Dot nodes produced by Crossbow Technology, Inc.
Based on the Atmel ATmega128L 8-bit microcontroller
4 kB of EEPROM and 128 kB of Flash
Feistel Structure with No Key Schedule
Block size: 80 bits
Key length: 80 bits
Feistel Structure
Same program for encryption and decryption
No key schedule
Saves memory and energy
Related key attacks
Feistel Structure with No Key Schedule (cont.)
Inject round keys between two non-linear operations
Self similarity attacks
Feistel Structure with No Key Schedule (cont.)
Round constants
F Function
Confusion on 8 bits is just a table look-up
256 bytes of memory
4 clock cycles
Just 15 XOR operations (15 clock cycles)
Consecutive two S-boxes
ITUbee
Add L function
Minimize round constant lengths: 8-bit?
An Observation
Patterns when 1-byte round constants used:
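$a\|b\|b\|a\|c \xrightarrow{S} s[a]\|s[b]\|s[b]\|s[a]\|s[c]$
$a\|b\|b\|a\|c \xrightarrow{RK = x\|y\|y\|x\|z} (a \oplus x)\|(b \oplus y)\|(b \oplus y)\|(a \oplus x)\|(c \oplus z)$
$a\|b\|b\|a\|c \xrightarrow{RC = w} a\|b\|b\|a\|(c \oplus w)$
$a\|b\|b\|a\|c \xrightarrow{L} (c \oplus a \oplus b)\|(a \oplus b \oplus b)\|(b \oplus b \oplus a)\|(b \oplus a \oplus c)\|(a \oplus c \oplus a)$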
An Observation (cont.)
ITUbee consists of S, RK, RC, L and the XOR of 40 bits in the Feistel structure.
These operations preserve the pattern:
If $P = (a\|b\|b\|a\|c)\|(d\|e\|e\|d\|f)$
and $K = (t\|u\|u\|t\|v)\|(x\|y\|y\|x\|z)$
then $C = (g\|h\|h\|g\|i)\|(j\|k\|k\|j\|l)$
This is independent of the number of rounds.
ITUbee
AES S-box
16-bit round constants
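Added example (not from the original slides): a Python check of the observation above. The S-box is a constructed random byte permutation rather than the AES S-box, the general form of L is an assumption chosen to reproduce the slide's output on a‖b‖b‖a‖c, and toy_feistel is a hypothetical round structure built only from S, RK, RC, L and XOR, not the ITUbee specification.

```python
import random

# Constructed stand-in S-box: any bytewise permutation preserves the pattern,
# so a fixed random permutation is used here instead of the AES S-box.
SBOX = list(range(256))
random.Random(2013).shuffle(SBOX)

def S(x):
    return [SBOX[v] for v in x]

def L(x):
    # Assumed general form of L; on a|b|b|a|c it gives the slide's output.
    a, b, c, d, e = x
    return [e ^ a ^ b, a ^ b ^ c, b ^ c ^ d, c ^ d ^ e, d ^ e ^ a]

def xor(x, y):
    return [p ^ q for p, q in zip(x, y)]

def F(x):
    return S(L(S(x)))

def has_pattern(x):
    # True for 5-byte words of the form a|b|b|a|c
    return x[0] == x[3] and x[1] == x[2]

def toy_feistel(left, right, key, rounds, rc_bytes):
    # Hypothetical round structure (not the ITUbee specification);
    # the round constant occupies the last rc_bytes bytes of the 40-bit word.
    kl, kr = key
    for i in range(1, rounds + 1):
        rc = [0] * (5 - rc_bytes) + [(i + j) & 0xFF for j in range(rc_bytes)]
        rk = kr if i % 2 else kl
        t = F(L(xor(xor(F(right), rk), rc)))
        left, right = right, xor(left, t)
    return left, right

def pattern_survives(rounds, rc_bytes, trials=200, seed=1):
    # Encrypt random patterned plaintexts under random patterned keys and
    # report whether every ciphertext half still has the a|b|b|a|c form.
    rng = random.Random(seed)
    def word():
        a, b, c = (rng.randrange(256) for _ in range(3))
        return [a, b, b, a, c]
    for _ in range(trials):
        l, r = toy_feistel(word(), word(), (word(), word()), rounds, rc_bytes)
        if not (has_pattern(l) and has_pattern(r)):
            return False
    return True
```

With 1-byte constants, pattern_survives(20, 1) returns True for any round count; with 2-byte constants, pattern_survives(20, 2) returns False, because the constant also touches the fourth byte and breaks the symmetry.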
Security Analysis
Basic Differential and Linear Cryptanalysis
S-box and diffusion layer
# of active S-boxes in one active round is at least 8
# of active S-boxes in 3 rounds is at least 16
Best differential probability for an S-box is $2^{-6}$
Differential effect:
Best differential probability for an F function is at least $2^{-17}$
# of active F functions in 6 rounds is at least 8
Security Analysis (cont.)
Related Key Differential Cryptanalysis
Let only one half of master key have a difference
# of active F functions in 2 rounds is at least 1
# of active F functions in 10 rounds is at least 5
Best differential probability for an F function is at least $2^{-17}$
Security Analysis (cont.)
Meet-in-the-Middle Type Attacks
Basic MITM: strong diffusion in two rounds
Biclique: can be constructed at most on 2 rounds
Multidimensional MITM: block length and key size are the same
Impossible Differential Cryptanalysis
Don’t have any impossible characteristics on more than 5 rounds
Self-similarity Attacks: Slide, Reflection, Slidex
Round constants
Simulation Platform
AVR ATtiny45 microcontroller using the integrated development platform Atmel Studio 6.
An 8-bit RISC (reduced instruction set computing) based microcontroller
Simple instructions
Move data from memory to CPU registers
Evaluate arithmetic operations for the data on the CPU registers
Move data from CPU registers to memory
Harvard architecture: the instruction and data memory are separated.
4-kB Flash memory for the instructions.
256-byte static RAM for data.
We also simulated the same program on the ATtiny128L, on which the Mica2 and Mica2Dot nodes are based.
Implementation Details and Simulation Results
Details:
We stored the 8-bit S-box used in the cipher in the instruction memory.
We used CPU registers for all internal variables and didn’t use any SRAM except for the plaintext/ciphertext and master key.
Results:
Clock cycle (energy) optimized implementation
716 bytes in program memory
2607 clock cycles for one encryption
Memory optimized implementation
400 bytes in program memory
3149 clock cycles for one encryption
Note that the results are the same for the ATtiny45 and ATtiny128L microcontrollers
Performance Comparisons
Cipher                                  Block size  Key size  Memory   Clock cycles  Clock cycles  Cycle ×
                                        [bits]      [bits]    [bytes]  per one enc.  per one byte  Memory
AES¹                                    128         128       1689     4557          284           479676
DESXL¹                                  64          184       868      84602         10575         9179100
HIGHT¹                                  64          128       434      19503         2437          1057658
IDEA¹                                   64          128       1068     ≈ 8250        1031          1101108
KASUMI¹                                 64          128       1288     11939         1492          1921696
KATAN¹                                  64          80        356      72063         9007          3206492
KLEIN¹                                  64          80        1286     6095          761           978646
mCrypton¹                               64          96        1104     16457         2057          2270928
NOEKEON¹                                128         128       396      23517         1469          581724
PRESENT¹                                64          80        1018     11342         1417          1442506
SEA¹                                    96          96        450      41604         3467          1560150
TEA¹                                    64          128       672      7408          926           622272
ITUbee [this paper], cycle optimized    80          80        716      2607          261           186876
ITUbee [this paper], memory optimized   80          80        586      2937          294           172284
¹ These results are taken from the Africacrypt 2012 paper by Eisenbarth et al. The platform was ATtiny45.
Performance Comparisons
[Figure: scatter plot of the compared ciphers and the two ITUbee implementations; x-axis: Memory [bytes], y-axis: # of clock cycles per one byte]
Conclusion
A new software oriented lightweight block cipher
It has a Feistel Structure and no key schedule
There is another example of such a cipher: GOST
But there is a related-key attack on full GOST because of this property.
To make the cipher stronger against related-key attacks, a new idea is used: insert round keys between two F functions, unlike classical Feistel ciphers
The number of clock cycles for an encryption is smaller than that of most of the ciphers
The storage requirement is also remarkable
Thank You
Questions?