Lightweight Crypto Design for FPGAs

Lightweight Crypto-primitives on FPGAs
Souvik Kolay
11CS72P03
Under the supervision of
Dr. Debdeep Mukhopadhyay
Indian Institute of Technology
Kharagpur
MS Defense Seminar
11.02.2015
Souvik Kolay Lightweight Crypto-primitives on FPGAs 1/62

Outline
Lightweight Cryptography
Motivation
Objectives
Lightweight Bit-Permutation Instruction: PERMS
Lightweight Block Cipher for FPGAs: Khudra
Security Analysis of Khudra
Conclusion and Future Directions
Publications

1 Cryptography speciﬁcally for extremely constrained devices
Less Area Requirement
Low Power Consumption
2 Security is not compromised
3 Not a replacement of traditional cryptography
4 Not to defend all powerful adversary

Motivation
Microprocessors embedded in everyday objects - Pervasive
Computing

Motivation
Computing
Pervasive devices possess very limited resources
Less Memory
Less Computing Power
Less Power Supply

Motivation
Computing
Less Memory
Less Power Supply
But, contains sensitive information

Motivation
Computing
Less Memory
Less Power Supply
Need of cryptographic systems to ensure the security

Motivation
Computing
Less Memory
Less Power Supply
Need of cryptographic systems to ensure the security
Traditional cryptography cannot be used - alternative option:

Pervasive Devices
With General Purpose Processor

Pervasive Devices
Includes PDAs, mobiles etc.

Pervasive Devices
Uses standard cryptographic protocols, like:
- TSL, SSL, SSH, IPsec etc

Pervasive Devices
These protocols uses many crypto-algorithms, like:
- 3-DES, AES, RC4, RSA, DH, DSS, MD5, SHA-1,
SHA-2, Blowﬁsh, Twoﬁsh, IDEA, Serpent, Cast

Pervasive Devices
Need of dedicated lightweight instruction for cryptography

Pervasive Devices
Bit-permutation is one such instruction, which can be accelerated by
providing dedicated hardware

Pervasive Devices
Existing bit permutation instructions are not suitable for lightweight
cryptography

Pervasive Devices
Existing bit permutation instructions are not suitable for lightweight
cryptography
Need of a new lightweight bit-permutation instruction

Pervasive Devices (contd.)
With ASIC/FPGA Core

With ASIC/FPGA Core
Includes RFIDs, WSN. Generally, one or two cryptographic protocols
are implemented in hardware.

With ASIC/FPGA Core
ASIC is a popular choice for lightweight cryptosystems, due to the
amenability to mass productions.

With ASIC/FPGA Core
But, ASIC chips can not be reconﬁgured or modiﬁed to protect against
the new security threats.

With ASIC/FPGA Core
Design on FPGAs can be reconﬁgured or upgraded after manufacture.

With ASIC/FPGA Core
With the advent of recent low-cost and low-power FPGAs, FPGA
provides an alternative platform for lightweight applications.

With ASIC/FPGA Core
With the advent of recent low-cost and low-power FPGAs, FPGA
provides an alternative platform for lightweight applications.
Need of a new lightweight cryptographic algorithm, which will be
suitable for both FPGAs and ASICs

Thesis Objectives

Thesis Objectives
1 Design of a lightweight ‘bit-permutation’ instruction: PERMS, for
accelerating software cryptography.

Thesis Objectives
2 Design of a new lightweight block cipher: Khudra which is equally
suited for ASICs and FPGAs.

Thesis Objectives
2 Design of a new lightweight block cipher: Khudra which is equally
suited for ASICs and FPGAs.
3 Detailed security analysis of Khudra against popular cryptanalysis
techniques as well as recently proposed attacks.

Objective 1
Lightweight Bit-Permutation Instruction:
PERMS

Bit Permutation: A Costly Operation
Block ciphers use bit permutation to achieve ‘diﬀusion’
Preferred in Lightweight Cryptography
In hardware, can be achieved just by interconnecting the wires
But one of the costliest operation on Byte oriented processor
More than 23 instructions are needed for doing arbitrary 64 bit
permutation on a 64 bit, byte oriented processor
Performance can be improved signiﬁcantly by providing additional
hardware support for bit permutation
Existing bit permutation instructions: PPERM and PPERM3R,
SWPERM with SIEVE, CROSS, OMFLIP, BFLY and IBFLY, GRP
and PERMS

PERMS Instruction
Exploit the fact that permutation is the reverse of sorting

PERMS Instruction
Based on bit swapping and has been developed analogous to
comparison based sorting techniques.

PERMS Instruction
The algorithm is composed of two steps:
Generating the control bits

PERMS Instruction
Achieving the permutation using the control bits

PERMS Instruction
Very simple, but...
Need log(n) instruction for performing n bit permutation

PERMS Instruction
Very simple, but...
Not scalable to perform 2n bit permutation, using n bit instruction

PERMS Instruction
Very simple, but...
Cannot be integrated with all the existing ISAs

PERMS Instruction
Very simple, but...
Most importantly, not enough lightweight to be considered for
lightweight cryptography

PERMS Instruction
Very simple, but...
Most importantly, not enough lightweight to be considered for
lightweight cryptography
Modiﬁcation needed

Modiﬁed PERMS Algorithm
For Generating Control Bits
Algorithm 1: Pseudo-code to generate control bits
Input: Arbitrary Permutation P , Sorted Array
A = {n − 1, n − 2, . . . , 1, 0}
Output: Sequence of control bits, C
for i = n − 1 to 1 do1
k = ﬁnd the index of P[i] in A.2
Swap A[i] with A[k].3
Append k in C using log(n) bits.4
end5

Modiﬁed PERMS Algorithm
For Generating Control Bits
Algorithm 1: Pseudo-code to generate control bits
Input: Arbitrary Permutation P , Sorted Array
A = {n − 1, n − 2, . . . , 1, 0}
Output: Sequence of control bits, C
k = ﬁnd the index of P[i] in A.2
Swap A[i] with A[k].3
Append k in C using log(n) bits.4
end5
For Achieving Permutation
Algorithm 2: Pseudo code to perform arbitrary permutation using
control bits
Input: B = (bn−1bn−2 · · · b1b0)2, Array of control bits C
Output: Permuted B
nextAddr = read log(n) bits from C starting with index 0.2
Swap Bi with BnextAddr.3
end4

PERMS Example
Let the permutation be P = (5 2 3 4 0 7 6 1).

PERMS Example
i search key contents of A control bits swapping
7 1 (7 6 5 4 3 2 1 0) 110 {7,6}
6 6 (7 6 5 4 3 2 0 1) 001 {6,1}
5 7 (7 0 5 4 3 2 6 1) 000 {5,0}
4 0 (2 0 5 4 3 7 6 1) 001 {4,1}
3 4 (2 3 5 4 0 7 6 1) 011 {3,3}
2 3 (2 3 5 4 0 7 6 1) 001 {2,1}
1 2 (2 5 3 4 0 7 6 1) 000 {1,0}

PERMS Example
i search key contents of A control bits swapping
7 1 (7 6 5 4 3 2 1 0) 110 {7,6}
6 6 (7 6 5 4 3 2 0 1) 001 {6,1}
5 7 (7 0 5 4 3 2 6 1) 000 {5,0}
4 0 (2 0 5 4 3 7 6 1) 001 {4,1}
3 4 (2 3 5 4 0 7 6 1) 011 {3,3}
2 3 (2 3 5 4 0 7 6 1) 001 {2,1}
1 2 (2 5 3 4 0 7 6 1) 000 {1,0}
Control bits are C = {110001000001011001000}

PERMS Example (contd.)
Conﬁguration bits are C = {110001000001011001000}
counter Bits read Resulting swapping
Permutation
7 110 (7 6 5 4 3 2 1 0) {7,6}
6 001 (7 6 5 4 3 2 0 1) {6,1}
5 000 (7 0 5 4 3 2 6 1) {5,0}
4 001 (2 0 5 4 3 7 6 1) {4,1}
3 011 (2 3 5 4 0 7 6 1) {3,3}
2 001 (2 3 5 4 0 7 6 1) {2,1}
1 000 (2 5 3 4 0 7 6 1) {1,0}
Achieved permutation P = (5 2 3 4 0 7 6 1)

PERMS Instruction Format
Generic Instruction Format:
PERMS RS, RC1, RC2, · · · RCn
RS contains the data to be permuted
RC1, RC2 ... contains the control bits for specifying the permutation

For most of the 64 bit CPU architectures, like: ALPHA, ARM-64,
MIPS-64, IA-64, MMIX, PA-RISC and SPARC, which support 3
operands.
PERMS RS, RC1, RC2

For most of the 64 bit CPU architectures, like: ALPHA, ARM-64,
MIPS-64, IA-64, MMIX, PA-RISC and SPARC, which support 3
operands.
PERMS RS, RC1, RC2
x86-64 (x64) does not support 3 operands, but it supports ‘Variable
Instruction Encoding’.
PERMS RS, RC1, < immediate >

PERMS: Number of Instruction Required
Total number of control bits:(n − 1) × log(n)

Maximum control bits per instruction: 2n

Usable control bits per instruction: 2n
log(n) × log(n)

log(n) × log(n)
Total number of instruction:
(n − 1) × log(n)
2n
log(n) × log(n)
=
n − 1
2n
log(n)
< log(n)

log(n) × log(n)
Total number of instruction:
(n − 1) × log(n)
2n
log(n) × log(n)
=
n − 1
2n
log(n)
< log(n)
Number of instructions required is less than log(n)

PERMS Architecture
(n:1)
Mux A Mux B
(n:1)
down−counter
datapathcontrolunit
selectsignals
swapblock
swap
control
DATAREGISTER
REGISTERS
CONTROL

Comparison
Instructions required for 128 bit permutation using 64 bit permutation
Bit-permutation Instructions Number of Instructions
PPERM3R 30
PPERM 51
GRP 16∗
/22∗∗
CROSS / OMFLIP 24
SWPERM / SIEVE 39
PERMS 18
*: for ISA with specialized instruction
**: for ISA without specialized instruction

Comparison (contd.)
Implementation result on ASICs and FPGAs
Instruction Transistor Count
PPERM 7k
GRP 68k
OMFLIP 3k
CROSS 4.6k
PERMS 2.7k
Instruction Area Delay Clock Throughput Throughput
(ns) Cycles (Mbit/sec) /Slice
GRP(A) 119 2.97 384 56.14 0.47
GRP(S) 16179 5.8 6 1839 0.11
PERMS 151 2.3 64 426.7 2.826

Objective 2
Lightweight Block Cipher for FPGAs:
Khudra

Design Criteria
The cipher is to be implemented in hardware and is expected to
occupy a small area.
80 bit security is considered to be enough.
Security and physical space are the main consideration.
After these two, throughput is also an important metric.
The cipher should have simple design:
- Less area requirements
- Accurate security bound

Performance Metric for ASIC and FPGA
For comparison of performance, two basic needs of lightweight
cryptography generally considered
Area:
For ASIC, the metric for area is Gate Equivalence
For FPGA, the metric for area is Slice Utilization
Throughput
Lightweight devices are meant to be used in low frequency (generally
less than 100 kHz)
The metric for throughput is number of data bits encrypted per second
in 100 kHz

Existing Lightweight Block Ciphers for ASIC
Comparison Among the Existing Lightweight Block Ciphers for ASIC
Cipher Key Block Cycles Throughput at GE
Size Size per block 100 kHz (Kbps)
MISTY1 128 64 60 106.67 3, 950
HIGHT 128 64 34 188.20 3, 048
Kasumi 128 64 54 118.51 2, 990
mCrypton 96 64 13 492.31 2, 681
Klein 80 64 17 376.47 2, 629
Puﬃn 128 64 33 193.94 2, 577
CLEFIA 128 128 328 39.02 2, 488
AES 128 128 226 56.64 2, 400
DESXL 184 64 144 44.44 2, 168
DESL 56 64 144 44.44 1, 848
Present 80 64 32 200.00 1, 570
MIBS 80 64 32 200.00 1, 530
TWINE 80 64 36 177.78 1, 503
Piccolo 80 64 27 237.04 1, 499
LBlock 80 64 32 200.00 1, 320

Strategies for Lightweight Implementation on ASICs
A: SPN structure with bit permutation
B: Feistel ‘F-Function’ with lesser Gate Equivalence
C: S-box with lesser Gate Equivalence
D: Using lesser register in the design

⇒ Bit permutation in hardware can be one by simple ‘wiring’

⇒ Directly reduce Gate Equivalence

⇒ Register has much more ‘GE/per bit’ than any ‘logic gates’

Strategies Used in Existing Lightweight Block Ciphers for
ASICs
Name of the Cipher Structure Strategies
Adopted used
Lightweight AES SPN C
Present SPN A, C
Puﬃn SPN A, C
LED SPN C, D
DESL and DESXL Feistel B
HIGHT Feistel B
CLEFIA Feistel B
MISTY Feistel B
Kasumi Feistel B
Twine Feistel B, C
MIBS Feistel B, C
LBlock Feistel B, C
Piccolo Feistel B, C, D

Structure of FPGA
A field-programmable gate array (FPGA) is an integrated circuit
designed to be configured by a customer or a designer after
manufacturing, hence ”field-programmable”.
An FPGA slice contains some number of n-input Look-up tables
(LUTs) and flip-flops(FFs).
An n-input LUT can map any combinatorial logic with n input
variables .
Flip-flops are used to design any sequential circuit.

Lightweight Design Strategies for FPGA
Lightweight design strategies for ASICs, are not suitable for
lightweight implementation on FPGAs.

For ASICs, less gates are desirable, while for FPGAs, less LUTs are
desirable.

desirable.
The number of LUTs depend on the number of input variables in the
function, and not on the complexity of the function.
Platform Present MIBS LBlock Piccolo
ASIC (GE) 28 24 22 12
FPGA (LUTs) 4 4 4 4

desirable.
The number of LUTs depend on the number of input variables in the
function, and not on the complexity of the function.
Platform Present MIBS LBlock Piccolo
ASIC (GE) 28 24 22 12
FPGA (LUTs) 4 4 4 4
For FPGAs, the ratio between the registers and the LUTs are crucial.
So, reducing the number of registers in the design makes this ratio
worse.

Lightweight Design Strategies for FPGA(contd)
Observation:
For the existing lightweight block ciphers for ASICs, LUT requirement
is much more than the Flip-Flop requirement.

Observation:
Number of slices can be reduced if we can decrease the LUT
requirements by utilizing some more ﬂip-ﬂops.

Observation:
Strategy for Lightweight Implementation on FPGAs

Observation:
Strategy for Lightweight Implementation on FPGAs
A new design for which number of LUTs reduces, number of ﬂip-ﬂops
increases and (RLUT/FFs) is close to 1, where
RLUT/FFs = Number of LUTs/Number of FFs

Broad Design Ideas

Broad Design Ideas
Large s-box can not be used, as they have adverse eﬀect on the LUTs

Broad Design Ideas
⇒ 4 × 4 s-boxes will be used.

Broad Design Ideas
Deciding the structure: SPN or Feistel?

Broad Design Ideas
⇒ In SPN more number of s-boxes are required than Feistel Structure

Broad Design Ideas
⇒ With the use of bit-permutation, diﬀusion comes in free in case of
SPN, whereas additional circuits are required for the Feistel Structure

Broad Design Ideas
Use of Feistel structure in a recursive way to avoid the use of
additional diﬀusion layer.

Broad Design Ideas
Advantage of this structure

Broad Design Ideas
⇒ Less s-boxes are required than traditional Feistel or SPN structure.

Broad Design Ideas
⇒ No additional diﬀusion are required like traditional Feistel structure.

Broad Design Ideas
⇒ No additional diﬀusion are required like traditional Feistel structure.
⇒ Less LUTs and more register is used, thus (RLUT/FFs) is close to 1.

Khudra: New Lightweight Block Cipher
Features of Khudra:

Features of Khudra:
Khudra is a 64 bit block cipher, which supports 80 bit keys.

Features of Khudra:
There are two variants of Khudra: Khudra-I and Khudra-II.

Features of Khudra:
The design is free of any memory elements, consumes least slices and
also shows a high throughput per slice ratio compared to existing
crypto-systems.

Features of Khudra:
crypto-systems.
Khudra is a general purpose lightweight block cipher: not limited to
any particular application

Features of Khudra:
crypto-systems.
Khudra is also suitable for ASIC implementation.

Features of Khudra:
crypto-systems.
Decryption can be supported without much hardware requirement.

Features of Khudra:
crypto-systems.
Decryption can be supported without much hardware requirement.
Adequate security margin against the popular attacks as well as
recently proposed attacks.

Design of Khudra
F
F F
F F
P0 P1 P2 P3
S S
S S
4 4 4 4
F F
F
16 1616 16
6Rounds
OUTER STRUCTURE
INNER STRUCTURE
RK3
RK1RK0
RK2
WK2 WK3
WK1WK0
C0 C1 C2 C3
18Rounds
RK35RK34
RK32 RK33

Design of Khudra
38 Chapter 4 Khudra: A Lightweight Block Cipher for FPGAs
Algorithm 3: Encryption
Input: Plaintext P[63 : 0] and Round Key RK[36][15 : 0]
Output: Ciphertext C[63 : 0]
begin
for i = 0 to 17 do
tp3[15 : 0] ← P[63 : 48], tp1[15 : 0] ← P[31 : 16] ;
for j = 0 to 5 do
tq3[3 : 0] ← P[63 : 60], tq1[3 : 0] ← P[55 : 52] ;
P[63 : 60] ← S(P[63 : 60]) ⊕ P[59 : 56] ;
P[55 : 52] ← S(P[55 : 52]) ⊕ P[51 : 48] ;
P[59 : 56] ← tq1[3 : 0], P[51 : 48] ← tq3[3 : 0] ;
tr3[3 : 0] ← P[31 : 28], tr1[3 : 0] ← P[23 : 20];
P[31 : 28] ← S(P[31 : 28]) ⊕ P[27 : 24] ;
P[23 : 20] ← S(P[23 : 20]) ⊕ P[19 : 16] ;
P[27 : 24] ← tr1[3 : 0], P[19 : 16] ← tr3[3 : 0] ;
end
P[63 : 48] ← P[63 : 48] ⊕ P[47 : 32] ⊕ RK[2 × i + 1][15 : 0];
P[31 : 16] ← P[31 : 16] ⊕ P[15 : 0] ⊕ RK[2 × i][15 : 0];
P[47 : 32] ← tp1[15 : 0], P[15 : 0] ← tp3[15 : 0] ;
end
end
representation of the round counter i.

Design of Khudra (contd.)
F-function:
For Khudra employs type-2, 4 branching generalized Feistel structure as
F-function.
Substitution Layer:
Present’s s-box has been chosen for the substitution layer of Khudra
for the following reasons:

F-function:
F-function.
Substitution Layer:
Higher Algebraic Degree: A good s-box should have higher algebraic
degree, in case of Present’s sbox, it is four, which is very high for a
4 × 4 sbox.

F-function:
F-function.
Substitution Layer:
Higher Algebraic Degree: A good s-box should have higher algebraic
degree, in case of Present’s sbox, it is four, which is very high for a
4 × 4 sbox.
Lower differential and linear probability: A good s-box must possess
very less linear and differential probability. Maximum differential and
linear probability of this s-box is 2−2
.

Design of Khudra(contd.)
Key Scheduling:
The key scheduling part of Khudra takes a master key of 80 bits and
generates 36 round-keys and 4 whitening keys.

Key Scheduling:
All the round-keys are generated on-the-ﬂy at the time of encryption.
Therefore, it is not required to store all the round-keys.

Key Scheduling:
All the round-keys are generated on-the-ﬂy at the time of encryption.
Therefore, it is not required to store all the round-keys.
The detailed description of the key scheduling is as follows:
P[55 : 52] ← S(P[55 : 52]) ⊕ P[51 : 48] ;
P[59 : 56] ← tq1[3 : 0], P[51 : 48] ← tq3[3 : 0] ;
tr3[3 : 0] ← P[31 : 28], tr1[3 : 0] ← P[23 : 20];
P[31 : 28] ← S(P[31 : 28]) ⊕ P[27 : 24] ;
P[23 : 20] ← S(P[23 : 20]) ⊕ P[19 : 16] ;
P[27 : 24] ← tr1[3 : 0], P[19 : 16] ← tr3[3 : 0] ;
end
P[63 : 48] ← P[63 : 48] ⊕ P[47 : 32] ⊕ RK[2 × i + 1][15 : 0];
P[31 : 16] ← P[31 : 16] ⊕ P[15 : 0] ⊕ RK[2 × i][15 : 0];
P[47 : 32] ← tp1[15 : 0], P[15 : 0] ← tp3[15 : 0] ;
end
end
representation of the round counter i.
Algorithm 4: Key Scheduling (k0, k1, k2, k3, k4)
WK0 ← k0, WK1 ← k1, WK3 ← k3, WK4 ← k4
for i ← 0 to 35 do
RCi ← {0||i(6)||00||i(6)||0}
RKi ← ki mod 5 ⊕ RCi
end
4.3 Implementation Details and Comparison

Implementation on FPGAs

Target FPGA & Synthesis Properties

We have targeted the smallest and cheapest FPGA available.

Unfortunately, the low-cost Spartan-III XC3S200 FPGA has not
enough I/O pins.

enough I/O pins.
Therefore, we decided to switch to the slightly more expensive
Spartan-III XC3S400, which has a package (FG456) with 264 I/O
pins.

enough I/O pins.
pins.
The properties of synthesis were set to optimize area with a high
optimization eﬀort.

enough I/O pins.
pins.
The properties of synthesis were set to optimize area with a high
optimization eﬀort.
Xilinx ISE 11.1 is used for design synthesis.

Implementation on FPGAs (contd)
Block Diagram for Hardware Implementation on FPGAs
Y
en
X
clk
Y
en
X
clk
Y
en
X
clk
Y
en
X
clk
Y
en
X
clk
Register
X Y
2r Feistel
F−function for KHUDRA−I
Y
en
X
clk
Register
X Y
3r Feistel
F−function for KHUDRA−II
Y
en
X
clk
Y
en
X
clk
Y
en
X
clk
Register
YX
clk
rst
YX
clk
rst
Y[63:48]
X[63:48]
X[47:32]
Y[47:32]
X[31:16]
Y[31:16]
Register
X[15:0]
Y[15:0]
Register
Register
F−function
F−function
Y[31:16]
RKi
RK(i+1)
Y[15:0]
Y[47:32]
Y[63:48]
DATA PROCESSING PART
RegisterRegister
X
clk
en
Y
Register Register Register
RCi
RKi X
clk
en
Y
KEY SCHEDULING PART

Comparison
Comparison of Khudra with well known block ciphers
Platform and Block Area Cycles Throughput AT Product
Cipher Implementation Size (slice) per @ 100 kHz (slice × cycles)
Strategy (bits) block (kbits)
ICEBERG Virtex-II, L 64 631 34 188.2 21, 454
ICEBERG Virtex-II, L(R) 64 526 34 188.2 17, 884
AES XC2S30, S 128 393 534 23.9 209, 862
AES XC2S30, S(R) 128 222Λ
46 278 10, 212
Camellia XC3S50, S 128 318 875 14.63 278, 250
Camellia XC3S50, S(R) 128 214 875 14.63 187, 250
Khudra-I XC3S400 64 112 54 118.5 6, 048
Khudra-II XC3S400 64 128 36 177.8 4, 602
L: Loop Architecture, S: Serialize Architecture
(R) denotes that Block RAMs are used in the implementation
Λ The equivalent slice implementation requires 522 slices

Comparison(contd)
Comparison of Khudra with Lightweight Block Ciphers
Flip Area Cycle Throughput Throughput
Cipher LUTs -Flop RLUT/FF (Slice) /Block @ 100 kHz per Slice
PRESENT 159 114 1.39 117 256 200 29, 952
HIGHT 132 25 5.28 91 160 200 14, 560
PRESENT 350 154 2.27 202 32 200 6, 464
Piccolo 374 73 5.12 235 27 237 6, 345
Khudra-I∗ 214 182 1.17 112 54 118.5 6, 048
Khudra-II∗ 240 181 1.32 128 36 177.8 4, 602
* Though the number of Flip-Flops are more compared to others, it does not require any
extra Slice as the RLUT/FF ratio is greater than 1

Implementation on ASICs
Block Diagram for Hardware Implementation on ASICs
enXclk
Register
R[31:16]
X[63:48]
X[31:16]
R[63:48]
R[31:16]
1616
enclk
Register
X
Y
Register
enclk
X
Y
Register
enclk
X
Y
RKi
RCienclk
Register
X
Y
enclk
Register
X
Y
X
clk
Y
rst
F−function
enXclk
Register
R[15:0]
enXclk
Register
R[47:32]
enXclk
Register
R[63:48]
RKi
X[47:32]
X[15:0]
R[47:32]
R[15:0]
DATA PROCESSING PART KEY SCHEDULING PART

Implementation on ASICs
Area Requirement for the Individual Modules of Khudra
Module Component Utilized GE Module Component Utilized GE
Data State Scan Flip-Flop 32 200.00 Key State Scan Flip-Flop 16 100.00
2:1 MUX 64 128.00 D Flip-Flop 64 288.00
D Flip-Flop 32 144.00 Key-XOR XOR 16 32.00
Diﬀusion XOR 16 32.00 Round Const. XOR 16 32.00
F-Function S-box 12 288.00 Key
XOR 48 96.00 Schedule 452.00
Data Control
Processing 888.00 Logic 22.00
Total 1362.00

Implementation on ASICs (contd.)
Comparison Among the Existing Lightweight Block Ciphers for ASIC
Cipher Key Block Cycles Throughput at GE
Size Size per block 100 kHz (Kbps)
MISTY1 128 64 60 106.67 3, 950
HIGHT 128 64 34 188.20 3, 048
Kasumi 128 64 54 118.51 2, 990
mCrypton 96 64 13 492.31 2, 681
Klein 80 64 17 376.47 2, 629
Puﬃn 128 64 33 193.94 2, 577
CLEFIA 128 128 328 39.02 2, 488
AES 128 128 226 56.64 2, 400
DESXL 184 64 144 44.44 2, 168
DESL 56 64 144 44.44 1, 848
Present 80 64 32 200.00 1, 570
MIBS 80 64 32 200.00 1, 530
TWINE 80 64 36 177.78 1, 503
Piccolo 80 64 27 237.04 1, 499
Khudra 80 64 36 177.78 1, 362
LBlock 80 64 32 200.00 1, 320

Objective 3

Diﬀerential Cryptanalysis (DC) and Linear Cryptanalysis (LC)

In order to measure the resistance of Khudra against linear and diﬀerential
cryptanalysis, we have calculated the minimum number of so called ‘active
S-boxes’

S-boxes’
An exhaustive search has been performed to compute the number of active
s-boxes.

S-boxes’
s-boxes.
For both the variants of Khudra, there are at least 6 active s-boxes inside
the F-function.

S-boxes’
s-boxes.
the F-function.
There are at least 6 active F-function in 6 rounds of Khudra.
Cryptanalysis Properties DC LC
Active S-boxes 36 36
Diﬀerential/Linear Probability of s-box 2−2 2−2
Diﬀerential/Linear Probability of Khudra 2−72 2−72

S-boxes’
s-boxes.
the F-function.
There are at least 6 active F-function in 6 rounds of Khudra.
Cryptanalysis Properties DC LC
Active S-boxes 36 36
Differential/Linear Probability of s-box 2−2 2−2
Differential/Linear Probability of Khudra 2−72 2−72
6 rounds of Khudra is secure against differential and linear
cryptanalysis

Security Analysis of Khudra (contd.)

Impossible Diﬀerential Cryptanalysis

One of the most powerful attack for Feistel Structure, due to its slow
diﬀusion and use of smaller S-boxes in the F-function.

Attacker exploits the diﬀerences that are ‘impossible’ (having
probability 0) for some input diﬀerence.

Exhaustive search is not possible due to the huge search space of 264

Alternative option: m-bit truncated diﬀerential.

Alternative option: m-bit truncated differential.
m-bit truncated differential: an attacker can only induce difference in
a branch of m bits but unable to explicitly target a particular bit in
the branch.

To show the resistance against this kind of attack, we have searched
for 16-bit and 4-bit truncated impossible diﬀerential.

Khudra has no 16-bit and 4-bit truncated impossible diﬀerential after
7 round and 10 round respectively.

Using the best impossible diﬀerential found after 9 round, we have
tried an attack on 11 round Khudra.

In this case, the number of chosen plain text required is 257 and the
time complexity for ﬁnding RK19 and RK21 is around 261 encryptions
for 11 round of Khudra.

In this case, the number of chosen plain text required is 257 and the
time complexity for ﬁnding RK19 and RK21 is around 261 encryptions
for 11 round of Khudra.
This result shows that impossible diﬀerential cryptanalysis of full
round Khudra is impractical.

Algebraic Attack

Algebraic Attack
In this technique, cipher text is ﬁrst represented by multivariate
quadratic equations and then the these equations are solved to
recover the key.

Algebraic Attack
recover the key.
In general solving multivariate quadratic equations over a ﬁnite set of
numbers is an NP-hard problem.

Algebraic Attack
recover the key.
Several methods like XL and XSL has been proposed for solving this
kind of over-deﬁned and sparse system of equations.

Algebraic Attack
recover the key.
Present’s S-box is described by 21 quadratic equations in the eight
input/output-bit variables over GF(2).

Algebraic Attack
recover the key.
Present’s S-box is described by 21 quadratic equations in the eight
input/output-bit variables over GF(2).
Khudra have 14 × 24 + 24 = 432 S-boxes and can be described as a
system of 432 × 21 = 9072 quadratic equations with 432 × 8 = 3456
variables.

Algebraic Attack
The complexity of this attack is speciﬁed by Work Factor (WF). WF is
crudely estimated as follows:
WF = Tω
≈ Γω
· (Block Size)ω t−r
s · (Number of Rounds)2ω t−r
s
Tω
= complexity of the Gaussian reduction,
ω = 2.376, the best known Gaussian reduction exponent,
t = total number of monomials in those equations,
r = number of quadratic equation required to represent the s-box,
s = size of the s-box

Algebraic Attack
WF = Tω
≈ Γω
s
Tω
Work Factor for Khudra is found to be greater than 2150
.

Algebraic Attack
WF = Tω
≈ Γω
s
Tω
Work Factor for Khudra is found to be greater than 2150
.
Khudra is not susceptible to algebraic attack.

Boomerang Type Attacks

Boomerang type attacks include The Boomerang, Ampliﬁed Boomerang and
Rectangle Attack.

Rectangle Attack.
These attacks divide the cipher into two sub-ciphers, then ﬁnd a boomerang
quartet with high probability.

Rectangle Attack.
Any combination of two sub-ciphers of 8 round Khudra has at least 6 active
F-Functions.

Rectangle Attack.
F-Functions.
So, the highest probability boomerang quartet of 8 round Khudra can have
the probability at most 2−72
.

Rectangle Attack.
F-Functions.
So, the highest probability boomerang quartet of 8 round Khudra can have
the probability at most 2−72
.
Hence, we can say full round Khudra provides enough immunity against
the boomerang type attacks.

Diﬀerential-Linear Cryptanalysis

In this technique, the attacker utilizes the diﬀerential characteristic for the
ﬁrst part of the cipher and linear approximation for the remaining part of the
cipher.

cipher.
Mathematically, if p is the diﬀerential probability of the ﬁrst part and q is
the linear probability of the second part, then the complexity of the attack
would be p2
q2
.

cipher.
would be p2
q2
.
Due to the recursive Feistel construction any round of Khudra has the same
diﬀerential and linear probability.

cipher.
would be p2
q2
.
So, we can say that the second part of the cipher also has diﬀerential
probability of q.

cipher.
would be p2
q2
.
probability of q.
Thus for diﬀerential cryptanalysis, the complexity would be pq > p2
q2
.

cipher.
would be p2
q2
.
probability of q.
Thus for diﬀerential cryptanalysis, the complexity would be pq > p2
q2
.
Hence we can consider Khudra to be secure against diﬀerential-linear
cryptanalysis.

Truncated Diﬀerential Attacks

Truncated diﬀerential (TD) cryptanalysis is a general technique for the
analysis of block ciphers with byte oriented structure.

In differential attack, the attacker follows the differential trail through the
rounds of the cipher and checks the exact output difference after each
transformation.

transformation.
Whereas, for truncated diﬀerential attack, the attacker only examines the
position of the active bytes through the rounds and proceed even with the
knowledge of some bits of the output diﬀerence.

transformation.
To cover more rounds with the knowledge of partial output diﬀerence the
attacker tries to slow down the propagation non-zero diﬀerence.

transformation.
To cover more rounds with the knowledge of partial output difference the
attacker tries to slow down the propagation non-zero difference.
Hence, the diffusion property of the cipher has the only impact on the
probability of the truncated differential.

To ﬁnd the best round-reduced truncated diﬀerentials we have performed an
exhaustive search with the following standard assumptions:

1 S-boxes have no eﬀect on the probability because they cannot change
an active nibble into an non-active nibble and vice versa.

2 XOR can cancel two active nibbles with probability 2−4
.

.
Further, we consider a more stronger scenario, where the attacker can even
control the diﬀerence within a nibble.

.
The search result shows that 6 rounds of Khudra can have truncated
diﬀerential at most with probability at most 2−81.9
.

.
The search result shows that 6 rounds of Khudra can have truncated
differential at most with probability at most 2−81.9
.
Thus, we can conclude that the full round Khudra has sufficient security
margin against truncated differential attacks.

Slide and Relative key Attacks

Two well-known attacks on the key-scheduling algorithm, namely
Slide and Relative key Attacks, use the simple relations and
similarities among the round-keys to get the actual master key.

To remove the self-similarity in the key scheduling algorithm, in each
round, we have diﬀerent round constant, generated by the round
counter.

To remove the self-similarity in the key scheduling algorithm, in each
round, we have diﬀerent round constant, generated by the round
counter.
This strategy makes Khudra secure against these key-scheduling
attacks.

Relative key Diﬀerential Attacks

In related-key differential cryptanalysis, adversary can control the
difference both in plain text and key-schedule to cancel out
differences in data processing part.

Due to the simple key-scheduling algorithm, it is possible to
exhaustively search for the best diﬀerential probability in related-key
settings.

settings.
The search result shows that 11 rounds of Khudra has at least 6
‘active F-Functions’.

settings.
So the maximum diﬀerential probability of 11 round Khudra is 2−72.

settings.
So the maximum diﬀerential probability of 11 round Khudra is 2−72.
Hence, we can say that Khudra is secure against this attack.

Related-key Boomerang Attacks

In related-key boomerang attacks, attacker uses the diﬀerential
probability of related-key settings.

Any combination of two sub-ciphers of 14 round Khudra has at least
6 active F-Functions.

So, the highest probability boomerang quartet of 14 round Khudra
can have the probability at most 2−72 in related-key settings.

So, the highest probability boomerang quartet of 14 round Khudra
can have the probability at most 2−72 in related-key settings.
Hence, we can say full round Khudra is not vulnerable to
related-key boomerang attack.

Meet-in-the-Middle Attack (MITM)

This types of attack works well for block ciphers with slow diﬀusion
and simple key-schedule.

The computational complexity (Ccomp) of the attack can be bounded
by the following estimation:
Ccomp = 2|A0|
(2|A1|
+ 2|A2|
) + (2l−m
+ 2l−m−b
+ 2l−m−2b
+ · · · )

Ccomp = 2|A0|
(2|A1|
+ 2|A2|
) + (2l−m
+ 2l−m−b
+ 2l−m−2b
+ · · · )
We have performed an exhaustive search on 12 rounds of Khudra and
found that the complexity of the attack is 280.

Ccomp = 2|A0|
(2|A1|
+ 2|A2|
) + (2l−m
+ 2l−m−b
+ 2l−m−2b
+ · · · )
We have performed an exhaustive search on 12 rounds of Khudra and
found that the complexity of the attack is 280.
Hence, we can rule out MITM attack as a possible threats for Khudra.

Conclusion

Conclusion
A new lightweight ‘bit-permutation’ instruction: PERMS, for
accelerating software cryptography has been proposed which has the
following features:

Conclusion
following features:
can perform large permutation (larger than the width of the data-bus)
more eﬃciently compared to any of the existing bit-permutation
instruction found on literature

Conclusion
following features:
FPGA implementation requires only 151 slices and provides throughput
of 427 Mbit/sec

Conclusion
following features:
FPGA implementation requires only 151 slices and provides throughput
of 427 Mbit/sec
ASIC implementation requires only 670 GE and provides throughput
@1 bit per clock cycle

Conclusion (contd.)

Conclusion (contd.)
A new lightweight block cipher: Khudra, for FPGAs has been
proposed which has the following features:

Conclusion (contd.)
encrypts 64 bit data using 80 bit keys in 36 clock cycles

Conclusion (contd.)
based on the proposed design strategies for implementing lightweight
block cipher on FPGAs

Conclusion (contd.)
FPGA implementation requires only 128 slices with AT Product of
6, 048 slice-cycles

Conclusion (contd.)
6, 048 slice-cycles
also suitable for ASIC implementation: Khudra requires only 1362 GE
on ASICs

Conclusion (contd.)
6, 048 slice-cycles
on ASICs
Detailed security analysis of Khudra which shows that it is

Conclusion (contd.)
6, 048 slice-cycles
on ASICs
secure against the popular cryptanalysis techniques like linear
cryptanalysis, diﬀerential cryptanalysis, algebraic attacks

Conclusion (contd.)
6, 048 slice-cycles
on ASICs
secure against strong cryptanalysis techniques like impossible
diﬀerential cryptanalysis, related-key diﬀerential cryptanalysis,
Meet-in-the-Middle Attack

Conclusion (contd.)
6, 048 slice-cycles
on ASICs
secure against strong cryptanalysis techniques like impossible
diﬀerential cryptanalysis, related-key diﬀerential cryptanalysis,
Meet-in-the-Middle Attack
provides security margin comparable with the best lightweight block
ciphers

Future Directions
This work can further be extended to

Future Directions
ﬁnd new lightweight instruction for accelerating software cryptography

Future Directions
design new lightweight hash function using Khudra as a core

Future Directions
design new lightweight hash function using Khudra as a core
design side channel resistance lightweight block cipher, suitable for
both ASICs and FPGAs

Answers to Examiners’ Questions
[Q1.] You have used S-box of block cipher PRESENT. Explain the
motivation for using this particular S-box. An S-box with full cycle &
higher non-linearity might assume better security
⇒ We have followed the the four cryptographic properties mentioned in [1], i.e
differential probability, linear approximation, algebraic degree and branch number
to measure the security of a s-box. PRESENT s-box is one of the best
considering these four measures. The extensive list of 4 × 4 s-box, mentioned in
[1] also shows that PRESENT s-box is best in its class. We may get a more
non-linear s-box but that may not be balanced, which leads to other security
weakness. Beside this, we also have considered the fact that the ASIC
implementation of the s-box should be lightweight on hardware. To find a s-box
with less Gate Equivalence and good cryptographic properties, we have also tried
several s-boxes used in other lightweight block cipher, namely Piccolo, LED,
MIBS etc, but they reduce the security margin for either impossible differential
attack or related key differential attack. For these reasons, we can not use any of
them, in spite of having really low GE.
1
Markku-Juhani O. Saarinen, Cryptographic analysis of all 4 × 4-bit s-boxes,”

Lightweight Crypto Design for FPGAs

Lightweight Crypto Design for FPGAs

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (9)

Similar to Lightweight Crypto Design for FPGAs

Similar to Lightweight Crypto Design for FPGAs (20)

Lightweight Crypto Design for FPGAs