• PDF / 606,987 Bytes
• 21 Pages / 439.37 x 666.142 pts Page_size
• 18 Downloads / 190 Views

DOWNLOAD

REPORT

3

ANSSI Crypto Lab, Paris, France [email protected] 2 Horst G¨ ortz Institute for IT Security, Ruhr-Universit¨ at Bochum, Bochum, Germany {Amir.Moradi,Pascal.Sasdrich}@rub.de Temasek Laboratories, Nanyang Technological University, Singapore, Singapore [email protected] 4 School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore

Abstract. Area minimization is one of the main efficiency criterion for lightweight encryption primitives. While reducing the implementation data path is a natural strategy for achieving this goal, SubstitutionPermutation Network (SPN) ciphers are usually hard to implement in a bit-serial way (1-bit data path). More generally, this is hard for any data path smaller than its Sbox size, since many scan flip-flops would be required for storage, which are more area-expensive than regular flipflops. In this article, we propose the first strategy to obtain extremely small bit-serial ASIC implementations of SPN primitives. Our technique, which we call bit-sliding, is generic and offers many new interesting implementation trade-offs. It manages to minimize the area by reducing the data path to a single bit, while avoiding the use of many scan flip-flops. Following this general architecture, we could obtain the first bitserial and the smallest implementation of AES-128 to date (1560 GE for encryption only, and 1738 GE for encryption and decryption with IBM 130 nm standard-cell library), greatly improving over the smallest known implementations (about 30% decrease), making AES-128 competitive to many ciphers specifically designed for lightweight cryptography. To exhibit the generality of our strategy, we also applied it to the PRESENT and SKINNY block ciphers, again offering the smallest implementations of these ciphers thus far, reaching an area as low as 1065 GE for a 64bit block 128-bit key cipher. It is also to be noted that our bit-sliding seems to obtain very good power consumption figures, which makes this implementation strategy a good candidate for passive RFID tags. Keywords: Bit-serial cryptography

implementations

·

Bit-slide

·

Lightweight

c International Association for Cryptologic Research 2017  W. Fischer and N. Homma (Eds.): CHES 2017, LNCS 10529, pp. 687–707, 2017. DOI: 10.1007/978-3-319-66787-4 33

688

1

J. Jean et al.

Introduction

Due to the increasing importance of pervasive computing, lightweight cryptography has attracted a lot of attention in the last decade among the symmetric-key community. In particular, we have seen many improvements in both primitive design and their hardware implementations. We currently know much better how a lightweight encryption scheme should look like (small block size, small nonlinear components, very few or even no XORs gates for the linear layer, etc.). Lightweight cryptography can have different meanings depending on the applications and the situations. For example, for passive RFID tags, power consumption is very important, and for battery-driven devices energy consumption is a top priority. Powe

Recommend Documents

Computational Soundness for Interactive Primitives

151 72 837KB

Cube Implementations

161 94 4MB

Adapted Compressed Sensing for Effective Hardware Implementations A

187 41 11MB

Optimized Implementations for ZUC-256 on FPGA

184 30 2MB

A Generic Truthful Mechanism for Combinatorial Auctions

165 71 11MB

A Causal Power Semantics for Generic Sentences

152 110 446KB

Proposal for a Generic Materials Processing Course

208 101 255KB

Hierarchical Learning of Primitives Using Neurodynamic Model

185 85 77MB

Pythonic Geodynamics Implementations for Fast Computing

145 32 8MB

Simpler Constructions of Asymmetric Primitives from Obfuscation

110 1 32MB

VLSI Design A Practical Guide for FPGA and ASIC Implementations

206 80 8MB

Atypical Availability Group Implementations

159 101 9MB