New Block Cipher for Ultra-Compact Hardware
New Block Cipher for Ultra-Compact Hardware
BeeM, みかか
A. Satoh, K. Aoki
SCIS2006
Rapid Growth of RFID market
[Chart: RFID market size in $ millions by year, 2002 to 2013, split into Services, Analytics and storage, SCE applications, and Tags and readers]
Security for RFID
Security is very important for radio communication, but there is no room for cryptography in RFIDs
We need more room!
AES-16 for ultra-compact hardware is proposed
Bear (unpackaged) RFID chips
Architecture of AES-16
[Figure: two block diagrams side by side, AES-16 and AES. Each shows an initial AddRoundKey, rounds of SubBytes, ShiftRows, MixColumns and AddRoundKey, and a final round of SubBytes, ShiftRows and AddRoundKey, acting on a 4 x 4 state a_ij with 11 round keys. ShiftRows: no shift, then left rotation by 1, 2 and 3. AES-16 panel: 16-bit plain text, 16-bit cipher text, 16-bit round keys, S-box b_ij = 1 * a_ij^-1 + 1, MixColumns matrix rows 1101, 1110, 0111, 1011. AES panel: 128-bit plain text, 128-bit cipher text, 128-bit round keys, S-box as a_ij^-1 followed by the 8 x 8 affine matrix and constant, MixColumns matrix rows 1321, 1132, 2113, 3211.]
AES → AES-16
Data: 128 bits → 16 bits
Key: 128 bits → 16 bits
AES-16 uses the design concept of AES
All the basic components are shrunk down to 1/8
S-box Comparison
[Figure: the AES S-box circuit (GF((2^2)^2) multipliers with x^2 and x^-1 blocks, producing a_ij^-1, followed by the 8 x 8 affine matrix and constant) beside the AES-16 S-box, b_ij = 1 * a_ij^-1 + 1]
8-bit S-box defined over GF(2^8) is replaced by 1-bit S-box over GF(2)!
S-box can be implemented as one inverter!
Performance comparison
Algorithm   Size         Frequency   Throughput
AES-16      1.0 Kgates   1 GHz       1.6 Gbps
AES         5.4 Kgates   131 MHz     311 Mbps
AES-16 achieved 1/5 gates with x5 throughput
Sizes and speeds were evaluated by using a 0.13-um ASIC library
Secure against Power Analysis
A switching probability highly dependent on the input data pattern is the key for DPA success
[Figure: AES-16 S-box truth table. In: 0, 1. Out: 1, 0.]
Very low power S-box with 100% switching probability gives no clue for DPA
Secure against Cache Attack
[Figure: AES-16 S-box truth table. In: 0, 1. Out: 1, 0.]
Cache attack measures the operating time depending on cache hit or miss to estimate the secret data
MPU has enough cache memory for a 1-bit S-box table
Cash Hit Cash Miss
Provably secure against differential cryptanalysis
Security Assessment of AES-16
}{max}0),(),(|{# kkiiik TkCRCPDiT
All candidates show the same differential probability
Why?
Because, it’s linear
Gotcha! It’s a liner
Provably secure against Linear cryptanalysis, Higher-order differential attack, SQUARE attack, Boomerang attack, Truncated linear attack, etc.
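What "it's linear" means in practice, as an added example that is not taken from the slides: a Python model of the AES-16 round structure showing that an output difference depends only on the input difference, never on the key, so one known pair determines every other ciphertext. The bit layout, the 10-round count and the `round_keys` schedule are assumptions, since the slides do not specify them.

```python
# Added illustration; bit layout and key schedule are assumptions, not from the slides.
MIX = (0b1101, 0b1110, 0b0111, 0b1011)  # MixColumns rows as listed on the slide
ROUNDS = 10                             # 11 round keys, final round without MixColumns

def sub_bytes(s):
    # 1-bit S-box: inversion in GF(2) is the identity, then +1, i.e. a NOT gate
    return s ^ 0xFFFF

def shift_rows(s):
    # Row i holds bits 15-4i .. 12-4i and is rotated left by i positions
    out = 0
    for i in range(4):
        row = (s >> (12 - 4 * i)) & 0xF
        out |= (((row << i) | (row >> (4 - i))) & 0xF) << (12 - 4 * i)
    return out

def mix_columns(s):
    # Multiply every 4-bit column by the binary matrix MIX over GF(2)
    out = 0
    for j in range(4):
        col = 0
        for i in range(4):
            col = (col << 1) | ((s >> (15 - 4 * i - j)) & 1)
        for i in range(4):
            out |= (bin(MIX[i] & col).count("1") & 1) << (15 - 4 * i - j)
    return out

def round_keys(key):
    # Hypothetical schedule: rotate the key left by r bits, XOR the round index
    return [(((key << r) | (key >> (16 - r))) & 0xFFFF) ^ r
            for r in range(ROUNDS + 1)]

def encrypt(p, key):
    rk = round_keys(key)
    s = p ^ rk[0]
    for r in range(1, ROUNDS + 1):
        s = shift_rows(sub_bytes(s))
        if r < ROUNDS:
            s = mix_columns(s)
        s ^= rk[r]
    return s

def linear_part(d):
    # Key 0 suffices: S-box and round-key constants cancel in the XOR of two outputs
    return encrypt(0, 0) ^ encrypt(d, 0)

def predict(p, known_p, known_c):
    # Ciphertext of p under an unknown key, from a single known pair
    return known_c ^ linear_part(p ^ known_p)
```

Because every step is affine over GF(2), the same result holds for any key schedule, not only the one assumed here.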
Conclusion
Ultra compact and high-speed H/W
Astonishing linear 1-bit S-box
Probably secure against all the side channel attacks and all the conventional cryptanalysis
Tip-top cryptographers never speak about trivial brute force attack
16-bit block cipher AES-16