Transcript
Page 1: New Block Cipher for Ultra-Compact Hardware

New Block Cipher for Ultra-Compact Hardware

BeeMみかか

A. Satoh, K. Aoki

Page 2: New Block Cipher for Ultra-Compact Hardware

SCIS2006

Rapid Growth of RFID market

[Chart: market size in $Millions (axis 0 to 25) by year, 2002 to 2013; series: Services, Analytics and storage, SCE applications, Tags and readers]

Page 3: New Block Cipher for Ultra-Compact Hardware

Security for RFID

Security is very important for radio communication, but there is no room for cryptography in RFIDs

We need more room!

AES-16 for ultra-compact hardware is proposed

Bare (unpackaged) RFID chips

Page 4: New Block Cipher for Ultra-Compact Hardware

Architecture of AES-16

[Figure: round structure of AES-16 beside that of AES. In both, a 4 × 4 state a_ij passes through an initial AddRoundKey, then rounds of SubBytes (S-box), ShiftRows (no shift, left rotation by 1, left rotation by 2, left rotation by 3), MixColumns and AddRoundKey (round key k_ij), giving b_ij. AES-16: 16-bit plain text, 16-bit cipher text, 11 round keys of 16 bits, S-box b_ij = 1 · a_ij^-1 + 1, MixColumns matrix rows 1101, 1110, 0111, 1011. AES: 128-bit plain text, 128-bit cipher text, 11 round keys of 128 bits, S-box with an 8 × 8 bit matrix and constant applied to a_ij^-1.]

AES → AES-16

Data: 128 bits → 16 bits
Key: 128 bits → 16 bits

AES-16 uses the design concept of AES.
All the basic components are shrunk down to 1/8.

Page 5: New Block Cipher for Ultra-Compact Hardware

S-box Comparison

[Figure: S-box circuits of AES and AES-16. AES: inversion a_ij^-1 built from GF((2^2)^2) multipliers (blocks labelled HP and LP), followed by an 8 × 8 bit-matrix multiplication and constant addition. AES-16: b_ij = 1 · a_ij^-1 + 1.]

8-bit S-box defined over GF(2^8) is replaced by 1-bit S-box over GF(2)!

S-box can be implemented as one inverter!

Page 6: New Block Cipher for Ultra-Compact Hardware

Performance comparison

Algorithm   Size         Frequency   Throughput
AES-16      1.0 Kgates   1 GHz       1.6 Gbps
AES         5.4 Kgates   131 MHz     311 Mbps

AES-16 achieved 1/5 gates with x5 throughput

Sizes and speeds were evaluated by using a 0.13-um ASIC library

Page 7: New Block Cipher for Ultra-Compact Hardware

Secure against Power Analysis

A switching probability highly dependent on the input data pattern is the key for DPA success

[Figure: AES-16 S-box with its In/Out table]

Very low power S-box with 100% switching probability gives no clue for DPA

Page 8: New Block Cipher for Ultra-Compact Hardware

Secure against Cache Attack

[Figure: AES-16 S-box with its In/Out table]

Cache attack measures the operating time depending on cache hit or miss to estimate the secret data

MPU has enough cache memory for a 1-bit S-box table

[Figure labels: Cash Hit, Cash Miss]

Page 9: New Block Cipher for Ultra-Compact Hardware

Provably secure against differential cryptanalysis

Security Assessment of AES-16

}{max}0),(),(|{# kkiiik TkCRCPDiT

All candidates show the same differential probability

Why?

Because, it’s linear

Gotcha! It’s a liner

Provably secure against Linear cryptanalysis, Higher-order differential attack, SQUARE attack, Boomerang attack, Truncated linear attack, etc.
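
Added example (not from the original slides): a Python model of AES-16 as the slides sketch it, showing why every key candidate sees the same differential. Assumed here: AES-style round order with no MixColumns in the last round, circulant MixColumns row order, the bit layout, and independent random round keys, since the slides give no key schedule.

```python
import random

# MixColumns rows from the architecture slide; circulant row order is assumed, as in AES.
MIX = [(0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 0, 1), (1, 1, 1, 0)]

def to_state(x):
    """16-bit integer -> 4x4 matrix of bits (row-major, MSB first; layout is an assumption)."""
    return [[(x >> (15 - (4 * r + c))) & 1 for c in range(4)] for r in range(4)]

def to_int(s):
    return int("".join(str(b) for row in s for b in row), 2)

def add(s, k):
    return [[a ^ b for a, b in zip(rs, rk)] for rs, rk in zip(s, k)]

def encrypt(p, round_keys):
    """AES-16 model: 10 rounds, 11 round keys given as 16-bit integers."""
    s = add(to_state(p), to_state(round_keys[0]))
    for r in range(1, 11):
        s = [[a ^ 1 for a in row] for row in s]             # SubBytes: 1 + a^-1 is NOT a over GF(2)
        s = [row[i:] + row[:i] for i, row in enumerate(s)]  # ShiftRows: row i rotates left by i
        if r < 10:                                          # assumed: last round skips MixColumns
            s = [[sum(MIX[i][k] & s[k][j] for k in range(4)) & 1
                  for j in range(4)] for i in range(4)]
        s = add(s, to_state(round_keys[r]))
    return to_int(s)

def observed_differences(d, trials=200, seed=1):
    """Output differences seen for input difference d over random keys and plaintexts."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        keys = [rng.getrandbits(16) for _ in range(11)]     # constructed round keys
        p = rng.getrandbits(16)
        seen.add(encrypt(p, keys) ^ encrypt(p ^ d, keys))
    return seen

def linear_image(d):
    """Key-independent linear part of the cipher applied to d."""
    zero = [0] * 11
    return encrypt(d, zero) ^ encrypt(0, zero)

if __name__ == "__main__":
    for d in (0x0001, 0x8000, 0x1234):
        diffs = sorted(observed_differences(d))
        print(f"{d:#06x} -> {diffs} (linear image {linear_image(d):#06x})")
```

For each input difference the set of observed output differences has exactly one element, whatever the key, so a differential key-recovery counter cannot rank one key candidate above another.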

Page 10: New Block Cipher for Ultra-Compact Hardware

Conclusion

Ultra compact and high-speed H/W
Astonishing linear 1-bit S-box
Probably secure against all the side channel attacks and all the conventional cryptanalysis

Tip-top cryptographers never speak about trivial brute force attack

16-bit block cipher AES-16

