Elif Bilge Kavun
Ruhr University Bochum
Publication
Featured researches published by Elif Bilge Kavun.
international conference on the theory and application of cryptology and information security | 2012
Julia Borghoff; Anne Canteaut; Tim Güneysu; Elif Bilge Kavun; Miroslav Knezevic; Lars R. Knudsen; Gregor Leander; Ventzislav Nikov; Christof Paar; Christian Rechberger; Peter Maria Franciscus Rombouts; Søren S. Thomsen; Tolga Yalcin
This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are desirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryption on top of encryption is negligible. More precisely for our cipher it holds that decryption for one key corresponds to encryption with a related key. This property we refer to as α-reflection is of independent interest and we prove its soundness against generic attacks.
international cryptology conference | 2014
Martin R. Albrecht; Benedikt Driessen; Elif Bilge Kavun; Gregor Leander; Christof Paar; Tolga Yalcin
The linear layer is a core component in any substitution-permutation network block cipher. Its design significantly influences both the security and the efficiency of the resulting block cipher. Surprisingly, not many general constructions are known that allow to choose trade-offs between security and efficiency. Especially, when compared to Sboxes, it seems that the linear layer is crucially understudied. In this paper, we propose a general methodology to construct good, sometimes optimal, linear layers allowing for a large variety of trade-offs. We give several instances of our construction and on top underline its value by presenting a new block cipher. PRIDE is optimized for 8-bit micro-controllers and significantly outperforms all academic solutions both in terms of code size and cycle count.
radio frequency identification security and privacy issues | 2010
Elif Bilge Kavun; Tolga Yalcin
In this paper, we present a lightweight implementation of the permutation Keccak-f[200] and Keccak-f[400] of the SHA-3 candidate hash function Keccak. Our design is well suited for radio-frequency identification (RFID) applications that have limited resources and demand lightweight cryptographic hardware. Besides its low-area and low-power, our design gives a decent throughput. To the best of our knowledge, it is also the first lightweight implementation of a sponge function, which differentiates it from the previous works. By implementing the new hash algorithm Keccak, we have utilized unique advantages of the sponge construction. Although the implementation is targeted for Application Specific Integrated Circuit (ASIC) platforms, it is also suitable for Field Programmable Gate Arrays (FPGA). To obtain a compact design, serialized data processing principles are exploited together with algorithm-specific optimizations. The design requires only 2.52K gates with a throughput of 8 Kbps at 100 KHz system clock based on 0.13-µm CMOS standard cell library.
radio frequency identification security and privacy issues | 2013
Lejla Batina; Amitabh Das; Baris Ege; Elif Bilge Kavun; Nele Mentens; Christof Paar; Ingrid Verbauwhede; Tolga Yalcin
In this paper we perform a comprehensive area, power, and energy analysis of some of the most recently-developed lightweight block ciphers and we compare them to the standard AES algorithm. We do this for several different architectures of the considered block ciphers. Our evaluation method consists of estimating the pre-layout power consumption and the derived energy using Cadence Encounter RTL Compiler and ModelSIM simulations. We show that the area is not always correlated to the power and energy consumption, which is of importance for mobile battery-fed devices. As a result, this paper can be used to make a choice of architecture when the algorithm has already been fixed; or it can help deciding which algorithm to choose based on energy and key/block length requirements.
reconfigurable computing and fpgas | 2011
Elif Bilge Kavun; Tolga Yalcin
In this paper, two different FPGA implementations of the lightweight cipher PRESENT are proposed. The main design strategy for both designs is the utilization of existing RAM blocks in FPGAs for the storage of internal states, thereby reducing the slice count. In the first design, S-boxes are realized within the slices, while in the second design they are also integrated into the same RAM block used for state storage. Both designs are well suited for lightweight applications, which are implemented on low-cost FPGA/CPLD devices. Besides low-area, a reasonable throughput is also obtained even though it is not the first concern. In addition to a single block RAM, the two designs occupy only 83 and 85 slices and produce a throughput of 6.03 and 5.13 Kbps at 100 KHz system clock on a Xilinx Spartan XC3S50 device, respectively.
smart card research and advanced application conference | 2011
Baris Ege; Elif Bilge Kavun; Tolga Yalcin
With the latest advances in attack methods, it has become increasingly more difficult to secure data stored on smart cards, especially on non-volatile memories (NVMs), which may store sensitive information such as cryptographic keys or program code. Lightweight and low-latency cryptographic modules are a promising solution to this problem. In this study, memory encryption schemes using counter (CTR) and XOR-Encrypt-XOR (XEX) modes of operation are adapted for the target application, and utilized using various implementations of the block ciphers AES and PRESENT. Both schemes are implemented with a block cipher-based address scrambling scheme, as well as a special write counter scheme in order to extend the lifetime of the encryption key in CTR-mode. Using the lightweight cipher PRESENT, it is possible to implement a smart card NVM encryption scheme with less than 6K gate equivalents and zero additional latency.
reconfigurable computing and fpgas | 2012
Benedikt Driessen; Tim Güneysu; Elif Bilge Kavun; Oliver Mischke; Christof Paar; Thomas Pöppelmann
In this paper we propose a reconfigurable lightweight Internet Protocol Security (IPSec) hardware core. Our architecture supports the main IPSec protocols; namely Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). In this work, the cryptographic algorithms and their modes of operation, which are at the heart of the IPSec protocols, are implemented in hardware. Instead of re-implementing common IPSec configurations, which are deemed “too heavy” for pervasive devices, we evaluate efficient implementations of standardized and/or well-known lightweight and hardware-friendly algorithms. In particular, we examine different versions of Present, Grøstl, Photon, and a very compact ECC core. As a consequence, we present IPSecco, a core with adequate security and only moderate resource requirements, making it suitable for lightweight devices. We selected the Xilinx Spartan family of Field Programmable Gate Arrays (FPGA) as target platform due to its low-power footprint and reduced costs compared to other FPGAs. Our results show that it is possible to realize a high performance IPSec core even on members of the Spartan-3 family.
reconfigurable computing and fpgas | 2013
Elif Bilge Kavun; Gregor Leander; Tolga Yalcin
Programming in embedded systems has always been a challenge. Highly-constrained nature of embedded devices invalidates conventional coding practices. The whole practice turns into a skill game that heavily depends on the personal skills and experience of the programmer. Embedded security applications are no exceptions. Efficient software implementation of symmetric cryptography primitives such as substitution or permutation layers is a hard task and no systematic approach exists. In this study, we propose an efficient reconfigurable hardware architecture to find the most optimal code for the realization of block cipher permutation layers on embedded microcontrollers. The proposed architecture is highly parallel and realized on two Xilinx Virtex-6 XC6VLX240T FPGAs. It operates on a limited set of instructions pertinent to implementation of linear matrices. Predetermined number of instructions is executed in a pipelined manner and the resultant output register contents are checked either for match to a target matrix or for certain cryptographic properties. The realized architecture uses instructions from 8-bit AVR instruction set. However, it can easily be modified to work with instruction sets of different processors. Using our parallel architecture, we have been able to find several good permutation layer matrices with branch number 4 that can be realized with only 8 instructions. We were able to search up to 11 instructions and cover matrices with branch number 6 as well.
application specific systems architectures and processors | 2010
Elif Bilge Kavun; Tolga Yalcin
In this paper, we present a compact and fast pipelined implementation of the block cipher Camellia for 128-bit data and 128-bit key lengths. The implementation is suitable for both Field Programmable Gate Array (FPGA) and Application Specific Integrated Circuit (ASIC) platforms, and is targeted for low area and low power applications. To obtain a compact design, pipelining principles are exploited and platform specific optimizations are made. The design requires only 321 slices with a throughput of 32.96 Mbps based on Xilinx Spartan-S XC3S50-5 chip and 4.31K gates with a throughput of 81 Mbps based on 0.13-μm CMOS standard cell library.
reconfigurable computing and fpgas | 2012
Andrey Bogdanov; Elif Bilge Kavun; Elmar Tischhauser; Tolga Yalcin
An accurate estimation of the success probability and data complexity of linear cryptanalysis is a fundamental question in symmetric cryptography. In this paper, we propose an efficient reconfigurable hardware architecture to compute the success probability and data complexity of Matsui's Algorithm 2, which is the central technique in linear cryptanalysis for block ciphers. Using this dedicated architecture, we are able to investigate the complexity of the algorithm for up to 40-bit block ciphers for low-correlation linear approximations and high advantages. Performing experiments on larger block lengths ensures that any empirical observations are not due to differences in statistical behavior for artificially small block lengths. Rather surprisingly, we observed in previous experiments a significant deviation between the theory and practice for Matsui's Algorithm 2 for larger block sizes in a vast range of parameters. The new hardware architecture allows us to verify the existing theoretical models for the complexity estimation in linear cryptanalysis. The designed hardware architecture is realized on two Xilinx Virtex-6 XC6VLX240T FPGAs for smaller block lengths, and on RIVYERA platform with 128 Xilinx Spartan-3 XC3S5000 FPGAs for larger block lengths.