Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results

Similar documents
The PHOTON Family of Lightweight Hash Functions

The Hash Function JH 1

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Human-readable Proof of the Related-Key Security of AES-128

How Fast can be Algebraic Attacks on Block Ciphers?

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Algebraic Techniques in Differential Cryptanalysis

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Algebraic properties of SHA-3 and notable cryptanalysis results

Invariant Subspace Attack Against Full Midori64

Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

Linear Approximations for 2-round Trivium

Cube Attacks on Stream Ciphers Based on Division Property

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Improving and Evaluating Differential Fault Analysis on LED with Algebraic Techniques

Symmetric Crypto Systems

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Subspace Trail Cryptanalysis and its Applications to AES

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs

Cryptanalysis of EnRUPT

The Invariant Set Attack 26th January 2017

Solution of Exercise Sheet 7

Avoiding collisions Cryptographic hash functions. Table of contents

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Structural Evaluation by Generalized Integral Property

Quantum Differential and Linear Cryptanalysis

On related-key attacks and KASUMI: the case of A5/3

How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland

New attacks on Keccak-224 and Keccak-256

Lightweight Cryptography for RFID Systems

Type 1.x Generalized Feistel Structures

Differential Analysis of the LED Block Cipher

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Zero-Sum Partitions of PHOTON Permutations

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Symmetric Crypto Systems

The Advanced Encryption Standard

Analysis of cryptographic hash functions

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Practical Free-Start Collision Attacks on full SHA-1

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

Linear Cryptanalysis

Multiplicative Complexity Gate Complexity Cryptography and Cryptanalysis

On the Design of Trivium

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

A Brief Comparison of Simon and Simeck

Practical Free-Start Collision Attacks on 76-step SHA-1

Foundations of Network and Computer Security

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

A New Distinguisher on Grain v1 for 106 rounds

Differential Fault Analysis of Trivium

A block cipher enciphers each block with the same key.

Extended Criterion for Absence of Fixed Points

Known and Chosen Key Differential Distinguishers for Block Ciphers

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Fault Attack on the LED Block Cipher

THRESHOLD IMPLEMENTATIONS OF ALL 3x3 AND 4x4 S-BOXES

Analysis of Some Quasigroup Transformations as Boolean Functions

Lecture 12: Block ciphers

Towards Provable Security of Substitution-Permutation Encryption Networks

Numerical Solvers in Cryptanalysis

Cryptanalysis of the SIMON Family of Block Ciphers

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes

Foundations of Network and Computer Security

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Rebound Distinguishers: Results on the Full Whirlpool Compression Function

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

On the Salsa20 Core Function

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Multiplicative complexity in block cipher design and analysis

Block Cipher Cryptanalysis: An Overview

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Direct Construction of Lightweight Rotational-XOR MDS Diffusion Layers

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Cryptanalysis of Achterbahn

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Cube Analysis of KATAN Family of Block Ciphers

Lecture 4: DES and block ciphers

Optimized Interpolation Attacks on LowMC

Block Ciphers that are Easier to Mask: How Far Can we Go?

1 Cryptographic hash functions

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

Linear Cryptanalysis of Reduced-Round PRESENT

Linear Cryptanalysis of Reduced-Round Speck

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Transcription:

The LED Block Cipher Jian Guo, Thomas Peyrin, Axel Poschmann and Matt Robshaw I2R, NTU and Orange Labs CHE 2011 Nara, Japan

Outline Introduction The LED Round Function Minimalism for ey chedule ecurity Analysis Implementations and Results

2500 2000 1500 1000 500 GE Current picture of lightweight primitives - graphically TANTAN32 TANTAN64 PRINTcipher-48 ATAN-64 PHOTON-128/16/16 PREENT-80 AE -QUAR DEXL TRIVIUM PHOTON-256/32/32 Th optimum D-QUAR PHOTON-224/32/32 LEIN-96 LEIN-80 PREENT-128 U-QUAR GRAIN PHOTON-160/36/36 LEIN-64 DEL PHOTON-80/20/16 PRINTcipher-96 64 128 192 256 internal memory

Current picture of lightweight block ciphers - graphically GE 2500 2000 1500 DEL LEIN-80 AE DEXL LEIN-96 PREENT-128/PICCOLO-128 Th optimum 1000 500 LEIN-64 ATAN-64 PREENT-80/PICCOLO-80 TANTAN64 PRINTcipher-96 TANTAN32 PRINTcipher-48 64 128 192 256 internal memory

Lightweight block ciphers are too provocative? ARMADILLO: key-recovery attacks [A+-2011] HIGHT: related-key attacks [+-2010] Hummingbird-1: practical related-iv attacks [-2011] TANTAN: practical related-key attacks [Å-2011] PRINTcipher: large weak-keys classes [ÅJ-2011] PREENT is still unbroken

Light Encryption Device We propose a new 64-bit block cipher LED: as small as PREENT faster than PREENT in software (and slower in hardware) significant security margin can take any key size from 64 to 128 bits key can be directly hardwired (without any modification) provable resistance to classical differential and linear attacks both in the single-key and related-key models

Outline Introduction The LED Round Function Minimalism for ey chedule ecurity Analysis Implementations and Results

A single round of LED AddConstants ubcells hiftrows MixColumnserial 4 cells 4 cells 4 bits The 64-bit round function is an P-network: AddConstants: xor round-dependent constants to the two first columns ubcells: apply the PREENT 4-bit box to each cell hiftrows: rotate the i-th line by i positions to the left MixColumnserial: apply the special MD matrix to each columns independently

Efficient erially Computable MD Matrices MD Matrices ( Maximum Distance eparable ) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active We use the same trick as in PHOTON (CRYPTO 2011): implement an MD matrix that can be efficiently computed in a serial way We keep the same good diffusion properties and good software performances as the classical MD constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering) A = 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 Z 0 Z 1 Z 2 Z 3 Z d 4 Z d 3 Z d 2 Z d 1

Efficient erially Computable MD Matrices MD Matrices ( Maximum Distance eparable ) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active We use the same trick as in PHOTON (CRYPTO 2011): implement an MD matrix that can be efficiently computed in a serial way We keep the same good diffusion properties and good software performances as the classical MD constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering) 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 v 0 v 1 v d 4 v d 3 v d 2 = Z 0 Z 1 Z 2 Z 3 Z d 4 Z d 3 Z d 2 Z d 1 v d 1

Efficient erially Computable MD Matrices MD Matrices ( Maximum Distance eparable ) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active We use the same trick as in PHOTON (CRYPTO 2011): implement an MD matrix that can be efficiently computed in a serial way We keep the same good diffusion properties and good software performances as the classical MD constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering) 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 Z 0 Z 1 Z 2 Z 3 Z d 4 Z d 3 Z d 2 Z d 1 v 0 v 1 v d 4 v d 3 v d 2 v d 1 = v 1

Efficient erially Computable MD Matrices MD Matrices ( Maximum Distance eparable ) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active We use the same trick as in PHOTON (CRYPTO 2011): implement an MD matrix that can be efficiently computed in a serial way We keep the same good diffusion properties and good software performances as the classical MD constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering) 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 Z 0 Z 1 Z 2 Z 3 Z d 4 Z d 3 Z d 2 Z d 1 v 0 v 1 v d 4 v d 3 v d 2 v d 1 = v 1 v 2

Efficient erially Computable MD Matrices MD Matrices ( Maximum Distance eparable ) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active We use the same trick as in PHOTON (CRYPTO 2011): implement an MD matrix that can be efficiently computed in a serial way We keep the same good diffusion properties and good software performances as the classical MD constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering) 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 Z 0 Z 1 Z 2 Z 3 Z d 4 Z d 3 Z d 2 Z d 1 v 0 v 1 v d 4 v d 3 v d 2 v d 1 = v 1 v 2 v d 3

Efficient erially Computable MD Matrices MD Matrices ( Maximum Distance eparable ) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active We use the same trick as in PHOTON (CRYPTO 2011): implement an MD matrix that can be efficiently computed in a serial way We keep the same good diffusion properties and good software performances as the classical MD constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering) 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 Z 0 Z 1 Z 2 Z 3 Z d 4 Z d 3 Z d 2 Z d 1 v 0 v 1 v d 4 v d 3 v d 2 v d 1 = v 1 v 2 v d 3 v d 2

Efficient erially Computable MD Matrices MD Matrices ( Maximum Distance eparable ) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active We use the same trick as in PHOTON (CRYPTO 2011): implement an MD matrix that can be efficiently computed in a serial way We keep the same good diffusion properties and good software performances as the classical MD constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering) 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 Z 0 Z 1 Z 2 Z 3 Z d 4 Z d 3 Z d 2 Z d 1 v 0 v 1 v d 4 v d 3 v d 2 v d 1 = v 1 v 2 v d 3 v d 2 v d 1

Efficient erially Computable MD Matrices MD Matrices ( Maximum Distance eparable ) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active We use the same trick as in PHOTON (CRYPTO 2011): implement an MD matrix that can be efficiently computed in a serial way We keep the same good diffusion properties and good software performances as the classical MD constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering) 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 v 0 v 1 v d 4 v d 3 v d 2 = v 1 v 2 v d 3 v d 2 v d 1 Z 0 Z 1 Z 2 Z 3 Z d 4 Z d 3 Z d 2 Z d 1 v d 1 v 0

The MixColumnserial matrix for LED The serial decomposition of our MixColumnserial matrix is very lightweight (the matrix (B) 4 is MD): (B) 4 = 0 1 0 0 0 0 1 0 0 0 0 1 4 1 2 2 4 = 4 1 2 2 8 6 5 6 B E A 9 2 2 F B o is its inverse: (B 1 ) 4 = 1 2 2 4 1 0 0 0 0 1 0 0 0 0 1 0 4 = C C D 4 3 8 4 5 7 6 2 E D 9 9 D

Outline Introduction The LED Round Function Minimalism for ey chedule ecurity Analysis Implementations and Results

The ey chedule of LED Recent lessons learned in block ciphers design: designing key schedules is hard (see recent attacks on AE), same for message expansions in hash functions (look at the HA-3 competition) obtaining security proofs when also considering differences in the key schedule is not trivial either you use the very same function (can be bad, see attacks on Whirlpool) either you use a purposely different function in order to make cryptanalysis hard (see AE, PREENT, ) Our rationale: use NO key schedule much simpler for cryptanalysts, not relying on the difficulty to analyze only leverages the quality of the permutation and we DO know how to build good permutations you can directly hardwire the key in some particular scenarios

ey repeated every round First attempt P 1 round 1 round 1 round 1 round C But paths exist with only 1 active box per round on average 1 round AC B hr MC

ey repeated every two rounds econd attempt P 2 rounds 2 rounds 2 rounds 2 rounds C But paths exist with only 25 active boxes per round on average 1 round AC B hr MC 1 round AC B hr MC

ey repeated every four rounds Third attempt P 4 rounds 4 rounds 4 rounds 4 rounds C The best path has 3125 active boxes per round on average 1 round 1 round 1 round 1 round AC B hr MC AC B hr MC AC B hr MC AC B hr MC

LED key schedule For 64-bit key, we xored it to the internal state every four rounds We apply a total of 8 steps (or 32 rounds): P 4 rounds 4 rounds 4 rounds 4 rounds C For up to 128-bit key, we divide it into two equal chunks 1 and 2 that are alternatively xored to the internal state every four rounds We apply a total of 12 steps (or 48 rounds): 1 2 1 2 P 4 rounds 4 rounds 4 rounds 2 1 4 rounds C

Outline Introduction The LED Round Function Minimalism for ey chedule ecurity Analysis Implementations and Results

Differential/linear attacks AE-like permutations are simple to understand, well studied, provide very good security In single-key model: one can easily derive proofs on the minimal number of active boxes for 4 rounds of the permutation: (d + 1) 2 = 25 active boxes for 4 rounds of LED In related-key model: we have at least half of the 4-round steps active, using the same reasoning we obtain: (d + 1) 2 = 25 active boxes for 8 rounds of LED LED-64 LED-64 R LED-128 LED-128 R minimal no of active boxes 200 100 300 150 differential path probability 2 400 2 200 2 600 2 300 linear approx probability 2 400 2 200 2 600 2 300

Rebound attack and improvements 1 round 4 rounds 4 rounds 4 rounds 2 rounds In the chosen-related-key model, one can distinguish 15 rounds (over 32) of LED-64 with complexity 2 16 1 round 8 rounds 4 rounds 4 rounds 8 rounds 2 rounds In the chosen-related-key model, one can distinguish 27 rounds (over 48) of LED-128 with complexity 2 16 Improvements are unlikely since no key is used during four rounds of the permutation, so the amount of freedom degrees given to the attacker is limited to the minimum

Other cryptanalysis techniques cube testers: the best we could find within practical time complexity is at most 3 rounds zero-sum partitions: distinguishers for at most 12 rounds with 2 64 complexity in the known-key model algebraic attacks: the entire system for a 64-bit fixed-key LED permutation consists of 10752 quadratic equations in 4096 variables slide attacks: all rounds are made different thanks to the round-dependent constants addition rotational cryptanalysis: any rotation property in a cell will be directly removed by the application of the box layer integral attacks: currently can t even break 2 steps

Outline Introduction The LED Round Function Minimalism for ey chedule ecurity Analysis Implementations and Results

Hardware implementation MC A 00 01 02 03 4 ena 00 01 02 03 4 RC A 10 11 12 13 20 21 22 23 30 31 32 33 4 4 4 4 2 4 C AC enac IC Controler enac ena IC RC 10 11 12 13 20 21 22 23 30 31 32 33 4 4 4 4 tate 4 input outready output ey tate ey

Hardware implementation

Hardware implementation results 2500 2000 GE DEL AE DEXL Th optimum 1500 1000 500 TANTAN32 TANTAN64 LED-64 PRINTcipher-48 LEIN-64 LEIN-80 ATAN-64 LED-64 PRINTcipher-96 LEIN-96 PREENT-128/PICCOLO-128 LED-128 LED-96 PREENT-80/PICCOLO-80/LED-80 64 128 192 256 internal memory

oftware implementation results Table: oftware implementation results of LED LED-64 LED-128 table-based implementation 57 cycles/byte 86 cycles/byte One can use uper-box implementations (ongoing work)

The LED block cipher: is very simple and clean is as small as PREENT Conclusion faster than PREENT in software (and slower in hardware) key can be hardwired without modification of the algorithm provides provable security against classical linear/differential cryptanalysis both in the single-key and related-key models extremely large security margin in the single-key model security analysis done in the very optimistic known/chosen-keys model Latest results on https://sitesgooglecom/site/ledblockcipher/

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback