The document discusses lightweight cryptography for constrained devices. It presents the objectives of designing a lightweight bit-permutation instruction called PERMS to accelerate cryptography in software, and a new lightweight block cipher called Khudra suitable for both FPGAs and ASICs. It also aims to analyze Khudra's security against cryptanalysis techniques. The PERMS instruction is based on bit swapping to achieve permutation efficiently in hardware using control bits.
Lightweight Crypto Design for FPGAs
1. Lightweight Crypto-primitives on FPGAs
Souvik Kolay
11CS72P03
Under the supervision of
Dr. Debdeep Mukhopadhyay
Indian Institute of Technology
Kharagpur
MS Defense Seminar
11.02.2015
Souvik Kolay Lightweight Crypto-primitives on FPGAs 1/62
3. Lightweight Cryptography
1 Cryptography specifically for extremely constrained devices
- Less area requirement
- Low power consumption
2 Security is not compromised
3 Not a replacement for traditional cryptography
4 Not intended to defend against an all-powerful adversary
8. Motivation
Microprocessors embedded in everyday objects: pervasive computing
Pervasive devices possess very limited resources:
- Less memory
- Less computing power
- Less power supply
But they contain sensitive information
Cryptographic systems are needed to ensure security
Traditional cryptography cannot be used; the alternative is lightweight cryptography
16. Pervasive Devices
With general-purpose processor
Includes PDAs, mobiles etc.
Uses standard cryptographic protocols, like:
- TLS, SSL, SSH, IPsec etc.
These protocols use many crypto-algorithms, like:
- 3-DES, AES, RC4, RSA, DH, DSS, MD5, SHA-1, SHA-2, Blowfish, Twofish, IDEA, Serpent, CAST
Need for a dedicated lightweight instruction for cryptography
Bit permutation is one such operation, which can be accelerated by providing dedicated hardware
Existing bit-permutation instructions are not suitable for lightweight cryptography
Need for a new lightweight bit-permutation instruction
23. Pervasive Devices (contd.)
With ASIC/FPGA core
Includes RFIDs, WSNs. Generally, one or two cryptographic protocols are implemented in hardware.
ASIC is a popular choice for lightweight cryptosystems, due to its amenability to mass production.
But ASIC chips cannot be reconfigured or modified to protect against new security threats.
A design on FPGAs can be reconfigured or upgraded after manufacture.
With the advent of recent low-cost and low-power FPGAs, the FPGA provides an alternative platform for lightweight applications.
Need for a new lightweight cryptographic algorithm which is suitable for both FPGAs and ASICs
27. Thesis Objectives
1 Design of a lightweight 'bit-permutation' instruction, PERMS, for accelerating software cryptography.
2 Design of a new lightweight block cipher, Khudra, which is equally suited for ASICs and FPGAs.
3 Detailed security analysis of Khudra against popular cryptanalysis techniques as well as recently proposed attacks.
29. Bit Permutation: A Costly Operation
Block ciphers use bit permutation to achieve 'diffusion'
Preferred in lightweight cryptography
In hardware, it can be achieved just by interconnecting wires
But it is one of the costliest operations on a byte-oriented processor
More than 23 instructions are needed to perform an arbitrary 64-bit permutation on a 64-bit, byte-oriented processor
Performance can be improved significantly by providing additional hardware support for bit permutation
Existing bit-permutation instructions: PPERM and PPERM3R, SWPERM with SIEVE, CROSS, OMFLIP, BFLY and IBFLY, GRP and PERMS
38. PERMS Instruction
Exploits the fact that permutation is the reverse of sorting
Based on bit swapping and developed analogous to comparison-based sorting techniques
The algorithm is composed of two steps:
- Generating the control bits
- Achieving the permutation using the control bits
Very simple, but...
Needs log(n) instructions for performing an n-bit permutation
Not scalable to perform a 2n-bit permutation using an n-bit instruction
Cannot be integrated with all existing ISAs
Most importantly, not lightweight enough to be considered for lightweight cryptography
Modification needed
40. Modified PERMS Algorithm
For generating control bits
Algorithm 1: Pseudo-code to generate control bits
Input: Arbitrary permutation P, sorted array A = {n − 1, n − 2, . . . , 1, 0}
Output: Sequence of control bits, C
for i = n − 1 down to 1 do
    k = index of P[i] in A
    Swap A[i] with A[k]
    Append k to C using log(n) bits
end
For achieving the permutation
Algorithm 2: Pseudo-code to perform an arbitrary permutation using control bits
Input: B = (b_{n−1} b_{n−2} · · · b_1 b_0)_2, array of control bits C
Output: Permuted B
for i = n − 1 down to 1 do
    nextAddr = read the next log(n) bits from C (starting at index 0)
    Swap b_i with b_nextAddr
end
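Worked example, added here and not part of the thesis or these slides: a Python model of Algorithm 1 and Algorithm 2, checked against the direct definition of a bit permutation, together with the control-bit budget and the instruction-count bound stated later in the deck (two n-bit control registers per instruction). The indexing is an assumption: perm[i] is the index of the input bit that lands at output position i, with bit 0 the least significant, so the slides' P = (5 2 3 4 0 7 6 1) is read from position 7 down to position 0 as perm = [1, 6, 7, 0, 4, 3, 2, 5]. The slides' own step-by-step trace of that example is not on this page.

```python
"""Software model of the modified PERMS instruction (added example, not the thesis code).

Assumption: perm[i] = index of the INPUT bit that ends up at OUTPUT position i,
bit 0 being the least significant bit.  n must be a power of two.
"""
from math import ceil, log2
from typing import List


def gen_control_bits(perm: List[int]) -> List[int]:
    """Algorithm 1: one swap index per position n-1 .. 1, each fitting in log2(n) bits."""
    n = len(perm)
    if sorted(perm) != list(range(n)):
        raise ValueError("perm is not a permutation of 0..n-1")
    a = list(range(n))           # a[i] = which input bit currently sits at position i
    controls = []
    for i in range(n - 1, 0, -1):
        k = a.index(perm[i])     # where the bit wanted at position i is right now
        a[i], a[k] = a[k], a[i]  # position i now holds the right bit for good
        controls.append(k)
    # Position 0 needs no swap: the single remaining bit is forced, so a == perm here.
    return controls


def perms(data: int, controls: List[int], n: int) -> int:
    """Algorithm 2: replay the swaps on the data word (what the hardware swap block does)."""
    for i, k in zip(range(n - 1, 0, -1), controls):
        if ((data >> i) & 1) != ((data >> k) & 1):
            data ^= (1 << i) | (1 << k)   # swap two differing bits; equal bits need nothing
    return data


def reference_permute(data: int, perm: List[int]) -> int:
    """Direct definition of the permutation, used to cross-check PERMS."""
    return sum(((data >> perm[i]) & 1) << i for i in range(len(perm)))


def pack_controls(controls: List[int], n: int) -> int:
    """Concatenate the control words, first swap in the lowest bits: (n-1)*log2(n) bits total."""
    if n & (n - 1):
        raise ValueError("n must be a power of two")
    w = int(log2(n))
    packed = 0
    for idx, k in enumerate(controls):
        packed |= k << (idx * w)
    return packed


def instructions_needed(n: int) -> int:
    """Number of n-bit PERMS instructions when each carries 2n control bits
    (two n-bit control registers) and only whole log2(n)-bit words are usable."""
    if n & (n - 1):
        raise ValueError("n must be a power of two")
    w = int(log2(n))
    usable_words_per_instr = (2 * n) // w
    return ceil((n - 1) / usable_words_per_instr)


if __name__ == "__main__":
    perm = [1, 6, 7, 0, 4, 3, 2, 5]          # slides' P = (5 2 3 4 0 7 6 1), read 7..0
    ctrl = gen_control_bits(perm)
    for x in range(256):                      # exhaustive check for n = 8
        assert perms(x, ctrl, 8) == reference_permute(x, perm)
    print("controls:", ctrl, "packed:", hex(pack_controls(ctrl, 8)))
    print("64-bit permutation needs", instructions_needed(64), "PERMS instructions")
```

For n = 64 the bound evaluates to 3 instructions, below the log(n) = 6 that the unmodified PERMS needs; the exhaustive loop over all 256 inputs is what you would run before trusting any hand-derived control-bit table.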
41. PERMS Example
Let the permutation be P = (5 2 3 4 0 7 6 1).
55. PERMS Instruction Format
Generic instruction format:
PERMS RS, RC1, RC2, · · · RCn
RS contains the data to be permuted
RC1, RC2, ... contain the control bits specifying the permutation
Most 64-bit CPU architectures (ALPHA, ARM-64, MIPS-64, IA-64, MMIX, PA-RISC, SPARC) support three-operand instructions:
PERMS RS, RC1, RC2
x86-64 (x64) does not support three register operands, but it supports variable-length instruction encoding, so the second control word can be an immediate:
PERMS RS, RC1, <immediate>
60. PERMS: Number of Instructions Required
Total number of control bits: $(n-1) \cdot \log n$
Maximum control bits per instruction: $2n$ (two $n$-bit control registers)
Usable control bits per instruction: $\left\lfloor \frac{2n}{\log n} \right\rfloor \cdot \log n$ (only whole $\log n$-bit control words can be used)
Total number of instructions:
$$\left\lceil \frac{(n-1)\,\log n}{\left\lfloor \frac{2n}{\log n} \right\rfloor \log n} \right\rceil = \left\lceil \frac{n-1}{\left\lfloor \frac{2n}{\log n} \right\rfloor} \right\rceil < \log n$$
The number of instructions required is less than $\log n$ (for $n = 64$: $\lceil 63/21 \rceil = 3$ instructions).
61. PERMS Architecture
[Figure: PERMS datapath. The data register and the control registers feed two n:1 multiplexers (Mux A, Mux B); their select signals come from a down-counter and the datapath control unit, and the selected bit pair goes through a swap block driven by a swap-control signal.]
63. Comparison
Instructions required for a 128-bit permutation using 64-bit permutation instructions
Bit-permutation instruction   Number of instructions
PPERM3R                       30
PPERM                         51
GRP                           16* / 22**
CROSS / OMFLIP                24
SWPERM / SIEVE                39
PERMS                         18
*: for an ISA with the specialized instruction
**: for an ISA without the specialized instruction
66. Comparison (contd.)
Implementation results on ASICs and FPGAs
ASIC:
Instruction   Transistor count
PPERM         7k
GRP           68k
OMFLIP        3k
CROSS         4.6k
PERMS         2.7k
FPGA:
Instruction   Area (slices)   Delay (ns)   Clock cycles   Throughput (Mbit/s)   Throughput/slice
GRP(A)        119             2.97         384            56.14                 0.47
GRP(S)        16179           5.8          6              1839                  0.11
PERMS         151             2.3          64             426.7                 2.826
68. Design Criteria
The cipher is to be implemented in hardware and is expected to occupy a small area.
80-bit security is considered to be enough.
Security and physical area are the main considerations.
After these two, throughput is also an important metric.
The cipher should have a simple design:
- Less area requirement
- Accurate security bound
69. Performance Metrics for ASIC and FPGA
For performance comparison, the two basic needs of lightweight cryptography are generally considered:
Area:
- For ASIC, the metric for area is gate equivalents (GE)
- For FPGA, the metric for area is slice utilization
Throughput:
- Lightweight devices are meant to be used at low frequency (generally less than 100 kHz)
- The metric for throughput is the number of data bits encrypted per second at 100 kHz
76. Strategies for Lightweight Implementation on ASICs
A: SPN structure with bit permutation
⇒ Bit permutation in hardware can be done by simple 'wiring'
B: Feistel 'F-function' with lower gate equivalence
⇒ Directly reduces gate equivalence
C: S-box with lower gate equivalence
⇒ Directly reduces gate equivalence
D: Using fewer registers in the design
⇒ A register costs much more 'GE per bit' than any logic gate
77. Strategies Used in Existing Lightweight Block Ciphers for ASICs
Cipher            Structure adopted   Strategies used
Lightweight AES   SPN                 C
Present           SPN                 A, C
Puffin            SPN                 A, C
LED               SPN                 C, D
DESL and DESXL    Feistel             B
HIGHT             Feistel             B
CLEFIA            Feistel             B
MISTY             Feistel             B
Kasumi            Feistel             B
Twine             Feistel             B, C
MIBS              Feistel             B, C
LBlock            Feistel             B, C
Piccolo           Feistel             B, C, D
78. Structure of FPGA
A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturing, hence "field-programmable".
An FPGA slice contains some number of n-input look-up tables (LUTs) and flip-flops (FFs).
An n-input LUT can implement any combinational logic function of n input variables.
Flip-flops are used to build sequential circuits.
82. Lightweight Design Strategies for FPGA
Lightweight design strategies for ASICs are not suitable for lightweight implementation on FPGAs.
For ASICs, fewer gates are desirable, while for FPGAs, fewer LUTs are desirable.
The number of LUTs depends on the number of input variables of the function, not on the complexity of the function.
S-box cost:
Platform      Present   MIBS   LBlock   Piccolo
ASIC (GE)     28        24     22       12
FPGA (LUTs)   4         4      4        4
For FPGAs, the ratio between registers and LUTs is crucial. So reducing the number of registers in the design makes this ratio worse.
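Added example, not from the thesis: a Python check of the claim above that a 4-input function costs one 4-input LUT per output bit whatever its gate count. It turns the PRESENT s-box into four 16-bit truth tables (what a synthesizer loads into a 4-input LUT; the plain truth-table bit order used here is an assumption, the vendor INIT encoding may differ), does the same for a constructed, cryptographically useless linear 4-bit map, and shows the LUT count is identical while the differential uniformity tells the two apart. The GE figures on the slide are not recomputed here.

```python
"""Why a 4-input function costs the same on an FPGA whatever its gate count (added example)."""
from typing import List

# PRESENT s-box (the 28 GE entry on the slide).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed for this example: a linear 4-bit bijection (x XOR x>>1, i.e. Gray code).
# Three XOR gates in ASIC logic, and useless as an s-box because it is linear.
GRAY_MAP = [x ^ (x >> 1) for x in range(16)]


def sbox_to_lut_inits(sbox: List[int]) -> List[int]:
    """One 16-bit truth table per output bit: bit x of table j is output bit j of sbox[x].
    Each table is exactly the content of one 4-input LUT, so a 4x4 s-box is 4 LUTs."""
    if len(sbox) != 16 or sorted(sbox) != list(range(16)):
        raise ValueError("expected a 4-bit bijection")
    inits = []
    for j in range(4):
        table = 0
        for x in range(16):
            table |= ((sbox[x] >> j) & 1) << x
        inits.append(table)
    return inits


def eval_luts(inits: List[int], x: int) -> int:
    """Evaluate the four LUTs in parallel, as the fabric would."""
    return sum(((inits[j] >> (x & 0xF)) & 1) << j for j in range(4))


def input_dependencies(inits: List[int]) -> List[int]:
    """For each output bit, how many of the 4 inputs it actually depends on."""
    deps = []
    for table in inits:
        count = 0
        for bit in range(4):
            # output depends on input `bit` if flipping it changes the table somewhere
            if any(((table >> x) & 1) != ((table >> (x ^ (1 << bit))) & 1) for x in range(16)):
                count += 1
        deps.append(count)
    return deps


def lut4_count(sbox: List[int]) -> int:
    """4-input LUTs needed: one per output bit, since no output reads more than 4 inputs.
    The count does not depend on how complex each output function is."""
    return sum(1 for d in input_dependencies(sbox_to_lut_inits(sbox)) if d <= 4)


def max_ddt_entry(sbox: List[int]) -> int:
    """Largest entry of the difference distribution table (16 means a linear map)."""
    worst = 0
    for dx in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("Gray (constructed)", GRAY_MAP)):
        inits = sbox_to_lut_inits(box)
        assert all(eval_luts(inits, x) == box[x] for x in range(16))
        print(name, "LUT4s:", lut4_count(box), "deps:", input_dependencies(inits),
              "max DDT entry:", max_ddt_entry(box))
```

Both maps come out at four LUTs; only the differential table (4/16 for PRESENT, 16/16 for the linear map) shows that one of them is an acceptable s-box. The lesson for the FPGA strategy that follows is that shaving gates out of an s-box buys nothing in slices, while the s-box's cryptographic quality must still be checked separately.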
86. Lightweight Design Strategies for FPGA (contd.)
Observation:
For the existing lightweight block ciphers for ASICs, the LUT requirement is much higher than the flip-flop requirement.
The number of slices can be reduced if we can decrease the LUT requirement by utilizing some more flip-flops.
Strategy for lightweight implementation on FPGAs:
A new design for which the number of LUTs decreases, the number of flip-flops increases and R_{LUT/FF} is close to 1, where R_{LUT/FF} = number of LUTs / number of FFs
97. Broad Design Ideas
Large s-boxes cannot be used, as they have an adverse effect on the LUT count
⇒ 4 × 4 s-boxes will be used.
Deciding the structure: SPN or Feistel?
⇒ In an SPN more s-boxes are required than in a Feistel structure
⇒ With the use of bit permutation, diffusion comes for free in an SPN, whereas additional circuits are required for the Feistel structure
Use the Feistel structure in a recursive way to avoid an additional diffusion layer.
Advantages of this structure:
⇒ Fewer s-boxes are required than in a traditional Feistel or SPN structure.
⇒ No additional diffusion layer is required, unlike a traditional Feistel structure.
⇒ Fewer LUTs and more registers are used, thus R_{LUT/FF} is close to 1.
105. Khudra: New Lightweight Block Cipher
Features of Khudra:
Khudra is a 64-bit block cipher which supports 80-bit keys.
There are two variants of Khudra: Khudra-I and Khudra-II.
The design is free of any memory elements, consumes the fewest slices and
also shows a high throughput-per-slice ratio compared to existing
crypto-systems.
Khudra is a general-purpose lightweight block cipher: it is not limited to
any particular application.
Khudra is also suitable for ASIC implementation.
Decryption can be supported without much additional hardware.
Adequate security margin against the popular attacks as well as
recently proposed attacks.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 29/62
106. Design of Khudra
[Figure: Design of Khudra. OUTER STRUCTURE: 18 rounds of a 4-branch Feistel over 16-bit words P0, P1, P2, P3 producing C0, C1, C2, C3, with whitening keys WK0..WK3 and round keys RK0..RK35 (two per round: RK0, RK1 in the first round, RK34, RK35 in the last). INNER STRUCTURE: the F-function, 6 rounds of a 4-branch structure over 4-bit nibbles, each round applying two s-boxes S.]
Souvik Kolay Lightweight Crypto-primitives on FPGAs 30/62
110. Design of Khudra (contd.)
F-function:
Khudra employs a type-2, 4-branch generalized Feistel structure as its
F-function.
Substitution Layer:
Present's s-box has been chosen for the substitution layer of Khudra
for the following reasons:
Higher Algebraic Degree: A good s-box should have a high algebraic
degree; in the case of Present's s-box it is four, which is very high for a
4 × 4 s-box.
Lower differential and linear probability: A good s-box must have
very low linear and differential probability. The maximum differential and
linear probability of this s-box is 2^-2.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 32/62
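As an added example (my own code, not from the thesis or the Khudra project), the following Python computes the difference distribution table and linear approximation table of Present's 4 × 4 s-box (the real table from the PRESENT specification), derives the 2^-2 differential and linear bounds quoted above, and raises them to the 36 active s-boxes that the security analysis later counts for 6 rounds of Khudra. The function names and the Fraction-based bookkeeping are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

# Present's 4x4 s-box (the real table from the PRESENT specification);
# Khudra reuses it in the substitution layer of its F-function.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def difference_distribution_table(sbox):
    """DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b} for every difference pair."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for a, x in product(range(n), repeat=2):
        ddt[a][sbox[x] ^ sbox[x ^ a]] += 1
    return ddt


def max_differential_probability(sbox):
    """Largest DDT entry over non-zero input differences, as a probability."""
    n = len(sbox)
    ddt = difference_distribution_table(sbox)
    best = max(ddt[a][b] for a in range(1, n) for b in range(n))
    return Fraction(best, n)


def _parity(v):
    return bin(v).count("1") & 1


def linear_approximation_table(sbox):
    """LAT[a][b] = #{x : <a,x> == <b,S(x)>} - n/2 (signed, over all masks)."""
    n = len(sbox)
    lat = [[0] * n for _ in range(n)]
    for a, b in product(range(n), repeat=2):
        agree = sum(1 for x in range(n)
                    if _parity(a & x) == _parity(b & sbox[x]))
        lat[a][b] = agree - n // 2
    return lat


def max_linear_probability(sbox):
    """Largest squared correlation (2 * bias)^2 over non-zero mask pairs.
    A LAT entry e gives bias e/n, so the linear probability is (2e/n)^2."""
    n = len(sbox)
    lat = linear_approximation_table(sbox)
    best = max(abs(lat[a][b]) for a in range(1, n) for b in range(1, n))
    return Fraction(2 * best, n) ** 2


def khudra_six_round_bounds(sbox, active_sboxes=36):
    """Bound the best differential / linear trail over 6 rounds of Khudra:
    at least `active_sboxes` active s-boxes (6 active F-functions with at
    least 6 active s-boxes each), every one contributing at most the s-box's
    maximum probability."""
    return (max_differential_probability(sbox) ** active_sboxes,
            max_linear_probability(sbox) ** active_sboxes)


if __name__ == "__main__":
    dp, lp = khudra_six_round_bounds(PRESENT_SBOX)
    print("max DP of s-box:", max_differential_probability(PRESENT_SBOX))
    print("max LP of s-box:", max_linear_probability(PRESENT_SBOX))
    print("6-round bounds: DP =", dp, "LP =", lp)
```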
113. Design of Khudra(contd.)
Key Scheduling:
The key scheduling part of Khudra takes a master key of 80 bits and
generates 36 round-keys and 4 whitening keys.
All the round-keys are generated on-the-fly at the time of encryption.
Therefore, it is not required to store all the round-keys.
The detailed description of the key scheduling is as follows:
Algorithm 4: Key Scheduling (k0, k1, k2, k3, k4)
  WK0 ← k0, WK1 ← k1, WK3 ← k3, WK4 ← k4
  for i ← 0 to 35 do
    RCi ← {0 || i(6) || 00 || i(6) || 0}
    RKi ← k(i mod 5) ⊕ RCi
  end
i(6): the 6-bit representation of the round counter i.
Tail of the round-function pseudocode shown on the same slide (only these lines survive):
  P[55 : 52] ← S(P[55 : 52]) ⊕ P[51 : 48];
  P[59 : 56] ← tq1[3 : 0], P[51 : 48] ← tq3[3 : 0];
  tr3[3 : 0] ← P[31 : 28], tr1[3 : 0] ← P[23 : 20];
  P[31 : 28] ← S(P[31 : 28]) ⊕ P[27 : 24];
  P[23 : 20] ← S(P[23 : 20]) ⊕ P[19 : 16];
  P[27 : 24] ← tr1[3 : 0], P[19 : 16] ← tr3[3 : 0];
  end
  P[63 : 48] ← P[63 : 48] ⊕ P[47 : 32] ⊕ RK[2 × i + 1][15 : 0];
  P[31 : 16] ← P[31 : 16] ⊕ P[15 : 0] ⊕ RK[2 × i][15 : 0];
  P[47 : 32] ← tp1[15 : 0], P[15 : 0] ← tp3[15 : 0];
  end
  end
Souvik Kolay Lightweight Crypto-primitives on FPGAs 33/62
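Algorithm 4 as an added Python example (my own code, not the thesis's implementation). It assumes the 80-bit master key is split big-endian into k0..k4 with k0 the most significant 16 bits, and reads the slide's WK3 ← k3, WK4 ← k4 as the third and fourth of the figure's four whitening keys WK0..WK3; the helper names are hypothetical.

```python
# Constants follow the slide; the helper names are hypothetical.
ROUNDS = 18                   # outer Feistel rounds
NUM_ROUND_KEYS = 2 * ROUNDS   # RK0 .. RK35, two per round
NUM_KEY_WORDS = 5             # k0 .. k4, 16 bits each
WORD_MASK = 0xFFFF


def split_master_key(master_key):
    """Split the 80-bit master key into five 16-bit words k0..k4.
    Assumption (not stated on the slide): k0 is the most significant word."""
    if not 0 <= master_key < (1 << 80):
        raise ValueError("master key must be an 80-bit integer")
    return [(master_key >> (16 * (NUM_KEY_WORDS - 1 - j))) & WORD_MASK
            for j in range(NUM_KEY_WORDS)]


def round_constant(i):
    """RC_i = 0 || i(6) || 00 || i(6) || 0, a 16-bit word built from the
    6-bit round counter: i lands in bits 14..9 and again in bits 6..1."""
    if not 0 <= i < 64:
        raise ValueError("round counter must fit in 6 bits")
    return (i << 9) | (i << 1)


def key_schedule(master_key):
    """Return (whitening_keys, round_keys) following Algorithm 4."""
    k = split_master_key(master_key)
    # Whitening keys in the order the slide assigns them: k0, k1, k3, k4.
    # The figure labels the four of them WK0..WK3, which is the index here.
    whitening_keys = [k[0], k[1], k[3], k[4]]
    # RK_i = k_(i mod 5) XOR RC_i; cheap enough to generate on the fly,
    # so an implementation never has to store all 36 round keys.
    round_keys = [k[i % NUM_KEY_WORDS] ^ round_constant(i)
                  for i in range(NUM_ROUND_KEYS)]
    return whitening_keys, round_keys


def round_constants_are_distinct():
    """Check that RC_0..RC_35 are pairwise distinct: round keys that reuse
    the same master-key word (i == j mod 5) then always differ, so no
    round-key value repeats because of the 5-word cycle alone."""
    rcs = [round_constant(i) for i in range(NUM_ROUND_KEYS)]
    return len(set(rcs)) == len(rcs)


if __name__ == "__main__":
    wk, rk = key_schedule(0x0001_0002_0003_0004_0005)  # constructed key
    print("WK:", [hex(w) for w in wk])
    print("RK:", [hex(r) for r in rk])
```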
120. Implementation on FPGAs
Target FPGA & Synthesis Properties
We have targeted the smallest and cheapest FPGA available.
Unfortunately, the low-cost Spartan-III XC3S200 FPGA does not have
enough I/O pins.
Therefore, we decided to switch to the slightly more expensive
Spartan-III XC3S400, which has a package (FG456) with 264 I/O
pins.
The synthesis properties were set to optimize for area with a high
optimization effort.
Xilinx ISE 11.1 is used for design synthesis.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 34/62
121. Implementation on FPGAs (contd)
Block Diagram for Hardware Implementation on FPGAs
[Block diagram. DATA PROCESSING PART: four 16-bit registers holding X[63:48], X[47:32], X[31:16], X[15:0] and producing Y[63:48], Y[47:32], Y[31:16], Y[15:0]; two F-function instances fed with RKi and RK(i+1). Each F-function is a register plus a "2r Feistel" block for KHUDRA-I or a "3r Feistel" block for KHUDRA-II. KEY SCHEDULING PART: registers for the key words, with RCi XORed in to produce RKi. Register ports: X, Y, clk, en, rst.]
Souvik Kolay Lightweight Crypto-primitives on FPGAs 35/62
122. Comparison
Comparison of Khudra with well known block ciphers
Cipher      Platform and Implementation Strategy   Block Size (bits)   Area (slice)   Cycles per block   Throughput @ 100 kHz (kbits)   AT Product (slice × cycles)
ICEBERG     Virtex-II, L                           64                  631            34                 188.2                          21,454
ICEBERG     Virtex-II, L(R)                        64                  526            34                 188.2                          17,884
AES         XC2S30, S                              128                 393            534                23.9                           209,862
AES         XC2S30, S(R)                           128                 222^Λ          46                 278                            10,212
Camellia    XC3S50, S                              128                 318            875                14.63                          278,250
Camellia    XC3S50, S(R)                           128                 214            875                14.63                          187,250
Khudra-I    XC3S400                                64                  112            54                 118.5                          6,048
Khudra-II   XC3S400                                64                  128            36                 177.8                          4,602
L: Loop Architecture, S: Serialize Architecture
(R) denotes that Block RAMs are used in the implementation
Λ: The equivalent slice implementation requires 522 slices
Souvik Kolay Lightweight Crypto-primitives on FPGAs 36/62
124. Comparison(contd)
Comparison of Khudra with Lightweight Block Ciphers
Cipher       LUTs   Flip-Flops   RLUT/FF   Area (Slice)   Cycles/Block   Throughput @ 100 kHz   AT Product (slice × cycles)
PRESENT      159    114          1.39      117            256            200                    29,952
HIGHT        132    25           5.28      91             160            200                    14,560
PRESENT      350    154          2.27      202            32             200                    6,464
Piccolo      374    73           5.12      235            27             237                    6,345
Khudra-I*    214    182          1.17      112            54             118.5                  6,048
Khudra-II*   240    181          1.32      128            36             177.8                  4,602
* Though the number of Flip-Flops is higher compared to the others, it does not require any
extra Slice as the RLUT/FF ratio is greater than 1
Souvik Kolay Lightweight Crypto-primitives on FPGAs 37/62
126. Implementation on ASICs
Block Diagram for Hardware Implementation on ASICs
[Block diagram. DATA PROCESSING PART: four 16-bit registers R[63:48], R[47:32], R[31:16], R[15:0] loaded from X[63:48], X[47:32], X[31:16], X[15:0], with a single F-function instance taking RKi. KEY SCHEDULING PART: registers holding the key words, with RCi combined to produce RKi. Register ports: X, Y, clk, en, rst.]
Souvik Kolay Lightweight Crypto-primitives on FPGAs 38/62
127. Implementation on ASICs
Area Requirement for the Individual Modules of Khudra
Module                       Component        Utilized   GE
Data State                   Scan Flip-Flop   32         200.00
                             2:1 MUX          64         128.00
                             D Flip-Flop      32         144.00
Diffusion                    XOR              16         32.00
F-Function                   S-box            12         288.00
                             XOR              48         96.00
Data Processing (subtotal)                               888.00
Key State                    Scan Flip-Flop   16         100.00
                             D Flip-Flop      64         288.00
Key-XOR                      XOR              16         32.00
Round Const.                 XOR              16         32.00
Key Schedule (subtotal)                                  452.00
Control Logic                                            22.00
Total                                                    1362.00
Souvik Kolay Lightweight Crypto-primitives on FPGAs 39/62
137. Security Analysis of Khudra
Differential Cryptanalysis (DC) and Linear Cryptanalysis (LC)
In order to measure the resistance of Khudra against linear and differential
cryptanalysis, we have calculated the minimum number of so-called 'active
S-boxes'.
An exhaustive search has been performed to compute the number of active
s-boxes.
For both variants of Khudra, there are at least 6 active s-boxes inside
the F-function.
There are at least 6 active F-functions in 6 rounds of Khudra.
Cryptanalysis Properties                      DC       LC
Active S-boxes                                36       36
Differential/Linear Probability of s-box      2^-2     2^-2
Differential/Linear Probability of Khudra     2^-72    2^-72
6 rounds of Khudra are secure against differential and linear
cryptanalysis.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 42/62
144. Security Analysis of Khudra (contd.)
Impossible Differential Cryptanalysis
One of the most powerful attacks on Feistel structures, due to their slow
diffusion and use of smaller S-boxes in the F-function.
The attacker exploits differences that are 'impossible' (having
probability 0) for some input difference.
Exhaustive search is not possible due to the huge search space of 2^64.
Alternative option: m-bit truncated differentials.
m-bit truncated differential: an attacker can only induce a difference in
a branch of m bits but is unable to explicitly target a particular bit in
the branch.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 43/62
151. Security Analysis of Khudra (contd.)
Impossible Differential Cryptanalysis
To show the resistance against this kind of attack, we have searched
for 16-bit and 4-bit truncated impossible differentials.
Khudra has no 16-bit and 4-bit truncated impossible differential after
7 rounds and 10 rounds respectively.
Using the best impossible differential found after 9 rounds, we have
tried an attack on 11-round Khudra.
In this case, the number of chosen plaintexts required is 2^57 and the
time complexity for finding RK19 and RK21 is around 2^61 encryptions
for 11 rounds of Khudra.
This result shows that impossible differential cryptanalysis of
full-round Khudra is impractical.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 44/62
158. Security Analysis of Khudra (contd.)
Algebraic Attack
In this technique, the ciphertext is first represented by multivariate
quadratic equations and then these equations are solved to
recover the key.
In general, solving multivariate quadratic equations over a finite set of
numbers is an NP-hard problem.
Several methods like XL and XSL have been proposed for solving this
kind of over-defined and sparse system of equations.
Present's S-box is described by 21 quadratic equations in the eight
input/output-bit variables over GF(2).
Khudra has 14 × 24 + 24 = 432 S-boxes and can be described as a
system of 432 × 21 = 9072 quadratic equations with 432 × 8 = 3456
variables.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 45/62
162. Security Analysis of Khudra (contd.)
Algebraic Attack
The complexity of this attack is specified by the Work Factor (WF). WF is
crudely estimated as follows:
$$WF = T^{\omega} \approx \Gamma^{\omega} \cdot (\text{Block Size})^{\omega \frac{t-r}{s}} \cdot (\text{Number of Rounds})^{2\omega \frac{t-r}{s}}$$
$T^{\omega}$ = complexity of the Gaussian reduction,
$\omega = 2.376$, the best known Gaussian reduction exponent,
$t$ = total number of monomials in those equations,
$r$ = number of quadratic equations required to represent the s-box,
$s$ = size of the s-box.
The Work Factor for Khudra is found to be greater than $2^{150}$.
Khudra is not susceptible to algebraic attack.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 46/62
169. Security Analysis of Khudra
Boomerang Type Attacks
Boomerang type attacks include the Boomerang, Amplified Boomerang and
Rectangle attacks.
These attacks divide the cipher into two sub-ciphers, then find a boomerang
quartet with high probability.
Any combination of two sub-ciphers of 8-round Khudra has at least 6 active
F-functions.
So, the highest-probability boomerang quartet of 8-round Khudra can have
probability at most 2^-72.
Hence, we can say full-round Khudra provides enough immunity against
boomerang type attacks.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 47/62
177. Security Analysis of Khudra (contd.)
Differential-Linear Cryptanalysis
In this technique, the attacker utilizes a differential characteristic for the
first part of the cipher and a linear approximation for the remaining part of
the cipher.
Mathematically, if p is the differential probability of the first part and q is
the linear probability of the second part, then the complexity of the attack
would be p^2 q^2.
Due to the recursive Feistel construction, any round of Khudra has the same
differential and linear probability.
So, we can say that the second part of the cipher also has differential
probability q.
Thus for differential cryptanalysis, the complexity would be pq > p^2 q^2.
Hence we can consider Khudra to be secure against differential-linear
cryptanalysis.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 48/62
184. Security Analysis of Khudra (contd.)
Truncated Differential Attacks
Truncated differential (TD) cryptanalysis is a general technique for the
analysis of block ciphers with a byte-oriented structure.
In a differential attack, the attacker follows the differential trail through the
rounds of the cipher and checks the exact output difference after each
transformation.
In a truncated differential attack, by contrast, the attacker only examines the
positions of the active bytes through the rounds and proceeds even with
knowledge of only some bits of the output difference.
To cover more rounds with knowledge of only a partial output difference, the
attacker tries to slow down the propagation of non-zero differences.
Hence, the diffusion property of the cipher is the only factor affecting the
probability of the truncated differential.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 49/62
192. Security Analysis of Khudra (contd.)
Truncated Differential Attacks
To find the best round-reduced truncated differentials we have performed an
exhaustive search with the following standard assumptions:
1 S-boxes have no effect on the probability because they cannot change
an active nibble into a non-active nibble and vice versa.
2 An XOR can cancel two active nibbles with probability $2^{-4}$.
Further, we consider a stronger scenario, where the attacker can even
control the difference within a nibble.
The search result shows that 6 rounds of Khudra can have a truncated
differential with probability at most $2^{-81.9}$.
Thus, we can conclude that full-round Khudra has a sufficient security
margin against truncated differential attacks.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 50/62
197. Security Analysis of Khudra (contd.)
Slide and Related-key Attacks
Two well-known attacks on the key-scheduling algorithm, namely
slide and related-key attacks, use simple relations and
similarities among the round keys to recover the actual master key.
To remove the self-similarity in the key-scheduling algorithm, we use a
different round constant in each round, generated by the round counter.
This strategy makes Khudra secure against these key-scheduling
attacks.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 51/62
204. Security Analysis of Khudra (contd.)
Related-key Differential Attacks
In related-key differential cryptanalysis, the adversary can control the
differences in both the plaintext and the key schedule to cancel out
differences in the data-processing part.
Due to the simple key-scheduling algorithm, it is possible to
exhaustively search for the best differential probability in the related-key
setting.
The search result shows that 11 rounds of Khudra have at least 6
‘active F-Functions’.
So the maximum differential probability of 11-round Khudra is $2^{-72}$.
Hence, we can say that Khudra is secure against this attack.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 52/62
210. Security Analysis of Khudra (contd.)
Related-key Boomerang Attacks
In related-key boomerang attacks, the attacker uses the differential
probabilities of the related-key setting.
Any combination of two sub-ciphers of 14-round Khudra has at least
6 active F-Functions.
So, the highest-probability boomerang quartet of 14-round Khudra
has probability at most $2^{-72}$ in the related-key setting.
Hence, we can say full-round Khudra is not vulnerable to
related-key boomerang attacks.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 53/62
216. Security Analysis of Khudra (contd.)
Meet-in-the-Middle Attack (MITM)
This type of attack works well for block ciphers with slow diffusion
and a simple key schedule.
The computational complexity ($C_{comp}$) of the attack can be bounded
by the following estimate:
$$C_{comp} = 2^{|A_0|}\left(2^{|A_1|} + 2^{|A_2|}\right) + \left(2^{l-m} + 2^{l-m-b} + 2^{l-m-2b} + \cdots\right)$$
We have performed an exhaustive search on 12 rounds of Khudra and
found that the complexity of the attack is $2^{80}$.
Hence, we can rule out MITM attacks as a possible threat to Khudra.
Souvik Kolay Lightweight Crypto-primitives on FPGAs 54/62
221. Conclusion
A new lightweight ‘bit-permutation’ instruction, PERMS, for
accelerating software cryptography has been proposed, which has the
following features:
can perform large permutations (larger than the width of the data bus)
more efficiently than any of the existing bit-permutation
instructions found in the literature
FPGA implementation requires only 151 slices and provides a throughput
of 427 Mbit/sec
ASIC implementation requires only 670 GE and provides a throughput
of 1 bit per clock cycle
Souvik Kolay Lightweight Crypto-primitives on FPGAs 55/62
231. Conclusion (contd.)
A new lightweight block cipher, Khudra, for FPGAs has been
proposed, which has the following features:
encrypts 64-bit data using 80-bit keys in 36 clock cycles
based on the proposed design strategies for implementing lightweight
block ciphers on FPGAs
FPGA implementation requires only 128 slices with an AT product of
6,048 slice-cycles
also suitable for ASIC implementation: Khudra requires only 1362 GE
on ASICs
A detailed security analysis of Khudra shows that it is
secure against popular cryptanalysis techniques like linear
cryptanalysis, differential cryptanalysis and algebraic attacks
secure against strong cryptanalysis techniques like impossible
differential cryptanalysis, related-key differential cryptanalysis and
meet-in-the-middle attacks
provides a security margin comparable with the best lightweight block
ciphers
Souvik Kolay Lightweight Crypto-primitives on FPGAs 56/62
235. Future Directions
This work can further be extended to
find new lightweight instructions for accelerating software cryptography
design a new lightweight hash function using Khudra as a core
design a side-channel-resistant lightweight block cipher, suitable for
both ASICs and FPGAs
Souvik Kolay Lightweight Crypto-primitives on FPGAs 57/62
236. Answers to Examiners’ Questions
[Q1.] You have used the S-box of the block cipher PRESENT. Explain the
motivation for using this particular S-box. An S-box with a full cycle and
higher non-linearity might assume better security.
⇒ We have followed the four cryptographic properties mentioned in [1], i.e.
differential probability, linear approximation, algebraic degree and branch number,
to measure the security of an S-box. The PRESENT S-box is one of the best
considering these four measures. The extensive list of 4 × 4 S-boxes mentioned in
[1] also shows that the PRESENT S-box is the best in its class. We may get a more
non-linear S-box, but that may not be balanced, which leads to other security
weaknesses. Besides this, we have also considered the fact that the ASIC
implementation of the S-box should be lightweight in hardware. To find an S-box
with less Gate Equivalence and good cryptographic properties, we have also tried
several S-boxes used in other lightweight block ciphers, namely Piccolo, LED,
MIBS, etc., but they reduce the security margin for either impossible differential
attacks or related-key differential attacks. For these reasons, we cannot use any of
them, in spite of their really low GE.
[1] Markku-Juhani O. Saarinen, “Cryptographic analysis of all 4 × 4-bit S-boxes”
Souvik Kolay Lightweight Crypto-primitives on FPGAs 58/62
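As an added example (not the author's code and not part of the Khudra design), the following Python computes the four S-box measures named in the answer above (differential probability, linear approximation bias, algebraic degree, branch number) for the published PRESENT 4 × 4 S-box, and also verifies assumption 1 of the truncated-differential search on slide 192: a bijective S-box never turns an active nibble into a non-active one. Function names are this example's own.

```python
# Added example, not the author's code: S-box measures from the answer above,
# plus truncated-differential assumption 1 (an active nibble stays active).
# Function names are this example's own; the S-box is PRESENT's published table.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def parity(v):
    """Parity (XOR of all bits) of an integer."""
    return bin(v).count("1") & 1

def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def max_diff_prob(sbox):
    """Largest probability of any non-trivial differential (dx != 0)."""
    n = len(sbox)
    t = ddt(sbox)
    return max(t[dx][dy] for dx in range(1, n) for dy in range(n)) / n

def max_linear_bias(sbox):
    """Largest |bias| of any linear approximation a.x = b.S(x) with b != 0."""
    n = len(sbox)
    best = 0
    for a in range(n):
        for b in range(1, n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            best = max(best, abs(agree - n // 2))
    return best / n

def algebraic_degree(sbox, bits=4):
    """Highest-degree monomial in the ANF of any output bit (Moebius transform)."""
    n = 1 << bits
    deg = 0
    for i in range(bits):
        f = [(sbox[x] >> i) & 1 for x in range(n)]
        for j in range(bits):  # in-place Moebius transform -> ANF coefficients
            for x in range(n):
                if x & (1 << j):
                    f[x] ^= f[x ^ (1 << j)]
        deg = max(deg, max(bin(x).count("1") for x in range(n) if f[x]))
    return deg

def branch_number(sbox):
    """min over x != y of wt(x ^ y) + wt(S(x) ^ S(y)); 3 is the maximum for 4x4."""
    n = len(sbox)
    return min(bin(x ^ y).count("1") + bin(sbox[x] ^ sbox[y]).count("1")
               for x in range(n) for y in range(n) if x != y)

def activity_preserved(sbox):
    """Assumption 1 of the TD search holds iff no dx != 0 ever maps to dy == 0."""
    t = ddt(sbox)
    return all(t[dx][0] == 0 for dx in range(1, len(sbox)))

if __name__ == "__main__":
    s = PRESENT_SBOX
    print("max differential probability:", max_diff_prob(s))    # 0.25 = 2^-2
    print("max linear bias:", max_linear_bias(s))               # 0.25 = 2^-2
    print("algebraic degree:", algebraic_degree(s))             # 3
    print("branch number:", branch_number(s))                   # 3
    print("active nibble stays active:", activity_preserved(s))  # True
```

The same functions can be pointed at any other 4 × 4 table (e.g. a candidate from another lightweight cipher) to repeat the comparison the answer describes.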