DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universit

1
DESL An Efficient Block Cipher For
Lightweight CryptosystemsA. Poschmann, G.
Leander, K. Schramm, C. PaarRuhr-Universität
Bochum, Germany
2
Agenda
1. Introduction 2. Design Criteria of the DESL 3.
Serialized Architecture of DESL 4. Implementation
Results 5. Conclusion
3
Introduction

• small gate count

• implement authentication

• low power consumption

• prevent eavesdropping

• high security

4
Introduction (2)
What are the requirements of a block cipher so
that its hardware implementation has a low gate
count ?

• it must be possible to implement the cipher in a
  serialized fashion (value chip size over
  execution time)

• use smaller block size (e.g. 64 bits instead of
  128 bits) in order to save gates on internal
  flip-flop registers

• only use small subfunctions (e.g. 6-to-4 bit
  S-boxes)

• use very few different subfunctions (e.g. only a
  single S-box)

Using these conditions we tried to find a lower
bound with regard to gate count for a
DES-lightweight (DESL) block cipher which uses
only a single S-box.
5
Introduction to DES (Data Encryption Standard)
plaintext
64
L0
R0
K0
32
32
f
round 1
L1
R1
6
K1
S
S
S
S
S
S
S
S
f
round 2
L2
R2
L15
R15
K15
f
round 16
Idea replace the eight different S-boxes by a
single one repeated eight times.
L16
R16
64
ciphertext
6
Design Criteria of DES S-boxes (Coppersmith '94)
(S-3)
S(100010) 2
Each row contains all
possible output values
7
Design Criteria of DES S-boxes (Coppersmith '94)
8
Design Criteria of DES S-boxes (Coppersmith '94)
(S-8)
Minimise Collision Probability (p 1/234)
fghi
bcde
...a
p...
1ghi
1cd1
0ef0
0ab1
?Input
Expansion
000000
000000
10ef00
11cd10
00ab11
6
6
6
S-box i1
S-box i2
S-box i
Substitution
4
4
4
?Output
0000
0000
0000
Collision in 3 adjacent S-boxes!
9
Resistance to Differential Cryptanalysis
10ef00
000000
...
(S-6')
6
?I 1xyz00
...
S-box i-1
6
4
S-box
0000
4
Collision in n adjacent S-boxes!
Y1 ? Y2
10
Currently proposed DESL S-box (under
construction!!!)
DESL
DES
VS.
gt at least 256 known plaintexts for LC
gt two-round character- istics impossible gt
classical DC impossible
11
Serialized DES/DESL Architecture
12
Implementation Results (1)
DESL
DES
VS.
-25
-25
-33
-33
13
Implementation Results (2)
Cipher
Gate count
DESL DES DESXL DESX AES Trivium-1 Grain-1 Mosquito
-B Sfinks-B Hermes8
1848 2309 2168 2629 3628 2906 1558 4806 6311 6885
14
Conclusion
DESL

• Low gate count (1848 GE)

• Smaller than several eStream ciphers

• Low current draw (0.89 µA _at_ 100kHz)

• Seems to be secure against LC/DC attacks
• but the proposed S-box is still under
  construction!

DESL is a further possible step towards
a lightweight block cipher for RFID tags.
15
Thank you!
16
Implementation Results
DLX
AES
VS.
-40
-89
-85
Feldhofer et al. CHES 2004
17
Introduction to DES (Data Encryption Standard)
Idea replace the eight different S-boxes by a
single one repeated eight times.
18
Design Criteria of DES S-boxes (Coppersmith '94)
fghi
bcde
...a
jkmn
p...
1ghi
1gh1
0km0
0cd1
?Input
Expansion
(S-6)
(S-3)
(S-3)
(S-3)
000000
00cdef
000000
ijkm00
00cde1
e1ghij
1jkm00
e1gh1j
10km00
e1gh10
11gh10
00cd11
Substitution
?Output
Collision in 3 adjacent S-boxes!
19
2 Round Characteristic in DES
2105
gt impossible!
20
Linear Cryptanalysis (Matsui '93)
Swb(a) x Sb(x) lta,xgt - x Sb(x) ? lta,xgt
Swb(a) 2x Sb(x) lta,xgt - 26
ltb,S(x)gt b,S(x) ? GF(2)4
Sb(x) ltb,S(x)gt
21
Resistance to Linear Cryptanalysis
Walsh-coefficients Swb(a)
gt at least 256 known plaintexts needed for LC!