Axel Poschmann

The LED block cipher

We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.

Pushing the limits: a very compact and a threshold implementation of AES

Our contribution is twofold: first we describe a very compact hardware implementation of AES-128, which requires only 2400 GE. This is to the best of our knowledge the smallest implementation reported so far. Then we apply the threshold countermeasure by Nikova et al. to the AES S-box and yield an implementation of the AES improving the level of resistance against first-order side-channel attacks. Our experimental results on real-world power traces show that although our implementation provides additional security, it is still susceptible to some sophisticated attacks having enough number of measurements.

The PHOTON family of lightweight Hash functions

RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an ontag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active Sboxes. This kind of AES-like primitive is usually not well suited for ultra constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.

New Lightweight DES Variants

In this paper we propose a new block cipher, DESL (DES Lightweight), which is based on the classical DES (Data Encryption Standard) design, but unlike DES it uses a single S-box repeated eight times. On this account we adapt well-known DES S-box design criteria, such that they can be applied to the special case of a single S-box. Furthermore, we show that DESL is resistant against certain types of the most common attacks, i.e., linear and differential cryptanalyses, and the Davies-Murphy attack. Our hardware implementation results of DESL are very promising (1848 GE), therefore DESL is well suited for ultra-constrained devices such as RFID tags.

PRINTcipher: a block cipher for IC-printing

In this paper we consider some cryptographic implications of integrated circuit (IC) printing. While still in its infancy, IC-printing allows the production and personalisation of circuits at very low cost. In this paper we present two block ciphers PRINTcipher-48 and PRINTcipher-96 that are designed to exploit the properties of IC-printing technology and we further extend recent advances in lightweight block cipher design.

Hash Functions and RFID Tags: Mind the Gap

The security challenges posed by RFID-tag deployments are well-known. In response there is a rich literature on new cryptographic protocols and an on-tag hash function is often assumed by protocol designers. Yet cheap tags pose severe implementation challenges and it is far from clear that a suitable hash function even exists. In this paper we consider the options available, including constructions based around compact block ciphers. While we describe the most compact hash functions available today, our work serves to highlight the difficulties in designing lightweight hash functions and (echoing [17]) we urge caution when routinely appealing to a hash function in an RFID-tag protocol.

Ultra-Lightweight Implementations for Smart Devices --- Security for 1000 Gate Equivalents

In recent years more and more security sensitive applications use passive smart devices such as contactless smart cards and RFID tags. Cost constraints imply a small hardware footprint of all components of a smart device. One particular problem of all passivesmart devices such as RFID tags and contactless smart cards are the harsh power constraints. On the other hand, activesmart devices have to minimize energyconsumption. Recently, many lightweight block ciphers have been published. In this paper we present three different architecture of the ultra-lightweight algorithm present and highlight their suitability for both active and passive smart devices. Our implementation results of the serialized architecture require only 1000 GE. To the best of our knowledge this is the smallest hardware implementation of a cryptographic algorithm with a moderate security level.

On the Classification of 4 Bit S-Boxes

In this paper we classify all optimal 4 bit S-boxes. Remarkably, up to affine equivalence, there are only 16 different optimal S-boxes. This observation can be used to efficiently generate optimal S-boxes fulfilling additional criteria. One result is that an S-box which is optimal against differential and linear attacks is always optimal with respect to algebraic attacks as well. We also classify all optimal S-boxes up to the so called CCZ equivalence. We furthermore generated all S-boxes fulfilling the conditions on nonlinearity and uniformity for S-boxes used in the block cipher Serpent. Up to a slightly modified notion of equivalence, there are only 14 different S-boxes. Due to this small number it is not surprising that some of the S-boxes of the Serpent cipher are linear equivalent. Another advantage of our characterization is that it eases the highly non-trivial task of choosing good S-boxes for hardware dedicated ciphers a lot.

Side-Channel Resistant Crypto for Less than 2,300 GE

A provably secure countermeasure against first order side-channel attacks was proposed by Nikova et al. (P. Ning, S. Qing, N. Li (eds.) International conference in information and communications security. Lecture notes in computer science, vol. 4307, pp. 529–545, Springer, Berlin, 2006). We have implemented the lightweight block cipher PRESENT using the proposed countermeasure. For this purpose we had to decompose the S-box used in PRESENT and split it into three shares that fulfill the properties of the scheme presented by Nikova et al. (P. Lee, J. Cheon (eds.) International conference in information security and cryptology. Lecture notes in computer science, vol. 5461, pp. 218–234, Springer, Berlin, 2008). Our experimental results on real-world power traces show that this countermeasure provides additional security. Post-synthesis figures for an ASIC implementation require only 2,300 GE, which makes this implementation suitable for low-cost passive RFID-tags.

New Light-Weight Crypto Algorithms for RFID

The authors propose a new block cipher, DESL (DES lightweight extension), which is strong, compact and efficient. Due to its low area constraints DESL is especially suited for RFID (radiofrequency identification) devices. DESL is based on the classical DES (data encryption standard) design, however, unlike DES it uses a single S-box repeated eight times. This approach makes it possible to considerably decrease chip size requirements. The S-box has been highly optimized in such a way that DESL resists common attacks, i.e., linear and differential cryptanalysis, and the Davies-Murphy-attack. Therefore DESL achieves a security level which is appropriate for many applications. Furthermore, we propose a light-weight implementation of DESL which requires 45% less chip size and 86% less clock cycles than the best AES implementations with regard to RFID applications. Compared to the smallest DES implementation published, our DESL design requires 38% less transistors. Our 0.18mum DESL implementation requires a chip size of 7392 transistors (1848 gate equivalences) and is capable to encrypt a 64-bit plaintext in 144 clock cycles. When clocked at 100 kHz, it draws an average current of only 0.89muA. These hardware figures are in the range of the best eSTREAM streamcipher candidates, comprising DESL as a new alternative for ultra low-cost encryption