Title: DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universit
1DESL An Efficient Block Cipher For
Lightweight CryptosystemsA. Poschmann, G.
Leander, K. Schramm, C. PaarRuhr-Universität
Bochum, Germany
2Agenda
1. Introduction 2. Design Criteria of the DESL 3.
Serialized Architecture of DESL 4. Implementation
Results 5. Conclusion
3 Introduction
4 Introduction (2)
What are the requirements of a block cipher so
that its hardware implementation has a low gate
count ?
- it must be possible to implement the cipher in a
serialized fashion (value chip size over
execution time)
- use smaller block size (e.g. 64 bits instead of
128 bits) in order to save gates on internal
flip-flop registers
- only use small subfunctions (e.g. 6-to-4 bit
S-boxes)
- use very few different subfunctions (e.g. only a
single S-box)
Using these conditions we tried to find a lower
bound with regard to gate count for a
DES-lightweight (DESL) block cipher which uses
only a single S-box.
5Introduction to DES (Data Encryption Standard)
plaintext
64
L0
R0
K0
32
32
f
round 1
L1
R1
6
K1
S
S
S
S
S
S
S
S
f
round 2
L2
R2
L15
R15
K15
f
round 16
Idea replace the eight different S-boxes by a
single one repeated eight times.
L16
R16
64
ciphertext
6Design Criteria of DES S-boxes (Coppersmith '94)
(S-3)
S(100010) 2
Each row contains all
possible output values
7Design Criteria of DES S-boxes (Coppersmith '94)
8Design Criteria of DES S-boxes (Coppersmith '94)
(S-8)
Minimise Collision Probability (p 1/234)
fghi
bcde
...a
p...
1ghi
1cd1
0ef0
0ab1
?Input
Expansion
000000
000000
10ef00
11cd10
00ab11
6
6
6
S-box i1
S-box i2
S-box i
Substitution
4
4
4
?Output
0000
0000
0000
Collision in 3 adjacent S-boxes!
9Resistance to Differential Cryptanalysis
10ef00
000000
...
(S-6')
6
?I 1xyz00
...
S-box i-1
6
4
S-box
0000
4
Collision in n adjacent S-boxes!
Y1 ? Y2
10 Currently proposed DESL S-box (under
construction!!!)
DESL
DES
VS.
gt at least 256 known plaintexts for LC
gt two-round character- istics impossible gt
classical DC impossible
11Serialized DES/DESL Architecture
12 Implementation Results (1)
DESL
DES
VS.
-25
-25
-33
-33
13 Implementation Results (2)
Cipher
Gate count
DESL DES DESXL DESX AES Trivium-1 Grain-1 Mosquito
-B Sfinks-B Hermes8
1848 2309 2168 2629 3628 2906 1558 4806 6311 6885
14 Conclusion
DESL
- Smaller than several eStream ciphers
- Low current draw (0.89 µA _at_ 100kHz)
- Seems to be secure against LC/DC attacks
- but the proposed S-box is still under
construction!
DESL is a further possible step towards
a lightweight block cipher for RFID tags.
15Thank you!
16 Implementation Results
DLX
AES
VS.
-40
-89
-85
Feldhofer et al. CHES 2004
17Introduction to DES (Data Encryption Standard)
Idea replace the eight different S-boxes by a
single one repeated eight times.
18Design Criteria of DES S-boxes (Coppersmith '94)
fghi
bcde
...a
jkmn
p...
1ghi
1gh1
0km0
0cd1
?Input
Expansion
(S-6)
(S-3)
(S-3)
(S-3)
000000
00cdef
000000
ijkm00
00cde1
e1ghij
1jkm00
e1gh1j
10km00
e1gh10
11gh10
00cd11
Substitution
?Output
Collision in 3 adjacent S-boxes!
19 2 Round Characteristic in DES
2105
gt impossible!
20 Linear Cryptanalysis (Matsui '93)
Swb(a) x Sb(x) lta,xgt - x Sb(x) ? lta,xgt
Swb(a) 2x Sb(x) lta,xgt - 26
ltb,S(x)gt b,S(x) ? GF(2)4
Sb(x) ltb,S(x)gt
21 Resistance to Linear Cryptanalysis
Walsh-coefficients Swb(a)
gt at least 256 known plaintexts needed for LC!