A Dynamic Cube Attack on round Grain v1
As far as the differential cryptanalysis of reduced-round Grain v1 is concerned, the best results were those published by Knellwolf et al. at Asiacrypt . In an extended version of the paper, it was shown that it was possible to retrieve (i) expressions in the Secret Key bits for a variant of Grain v1 that employs rounds (in place of ) in its Key Scheduling process using chosen IVs and (ii) expression in Secret Key bits for a variant that employs rounds in its Key Scheduling using chosen IVs. However, the second attack on rounds had a success probability of around %, which is to say that the attack worked for only around one half of the Secret Keys.
In this paper we propose a dynamic cube attack on round Grain v1 that has a success probability of %, and thus we report an improvement of rounds over the previous best attack on Grain v1 that attacks the entire Keyspace. We take the help of the tool Grain, proposed by Banik at ACISP 2014, to track the differential trails induced in the internal state of Grain v1 by any difference in the IV bits, and we prove that a suitably introduced difference in the IV leads to a distinguisher for the output bit produced in the round. This, in turn, helps determine the values of expressions in the Secret Key bits.
Exploring Energy Efficiency of Lightweight Block Ciphers
Abstract. In the last few years, the field of lightweight cryptography has seen an influx in the number of block ciphers and hash functions being proposed. One of the metrics that define a good lightweight design is the energy consumed per unit operation of the algorithm. For block ciphers, this operation is the encryption of one plaintext. By studying the energy consumption model of a CMOS gate, we arrive at the conclusion that the total energy consumed during the encryption operation of an r-round unrolled architecture of any block cipher is a quadratic function in r. We then apply our model to 9 well known lightweight block ciphers, and thereby try to predict the optimal value of r at which an r-round unrolled architecture for a cipher is likely to be most energy efficient. We also try to relate our results to some physical design parameters like the signal delay across a round and algorithmic parameters like the number of rounds taken to achieve full diffusion of a difference in the plaintext/key
Some cryptanalytic results on Lizard
Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit Secret Key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing random trials it is possible to obtain a set of triplets such that the Key-IV pairs and produce identical keystream bits. Second, we show that by performing only around random trials it is possible to obtain Key-IV pairs and that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around random IV encryptions and around bits of memory. Finally, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions.
Compact Circuits for Combined AES Encryption/Decryption
The implementation of the AES encryption core by Moradi et al. at Eurocrypt 2011 is one of the smallest in terms of gate area. The circuit takes around 2400 gates and operates on an 8-bit datapath. However, this is an encryption-only core and is unable to cater to block cipher modes like CBC and ELmD that require access to both the AES encryption and decryption modules. In this paper we investigate whether the basic circuit of Moradi et al. can be tweaked to provide the dual functionality of encryption and decryption (ENC/DEC) while keeping the hardware overhead as low as possible. We report two constructions of the AES circuit. The first is an 8-bit serialized implementation that provides the functionality of both encryption and decryption and occupies around 2605 GE with a latency of 226 cycles. This is a substantial improvement over the next smallest AES ENC/DEC circuit (Grain of Sand) by Feldhofer et al., which takes around 3400 gates but has a latency of over 1000 cycles for both the encryption and decryption operations. In the second part, we optimize the above architecture to provide the dual encryption/decryption functionality in only 2227 GE with a latency of 246/326 cycles for the encryption and decryption operations respectively. We take advantage of clock gating techniques to achieve the Shiftrow and Inverse Shiftrow operations in 3 cycles instead of 1. This helps us replace many of the scan flip-flops in the design with ordinary flip-flops. Furthermore, we take advantage of the fact that the Inverse Mixcolumn matrix in AES is the cube of the Forward Mixcolumn matrix. Thus, by executing the Forward Mixcolumn operation three times over the state, one can achieve the functionality of Inverse Mixcolumn. This saves some more gate area, as one is no longer required to have a combined implementation of the Forward and Inverse Mixcolumn circuit.
Atomic-AES v2.0
Very recently, the Atomic AES architecture that provides dual functionality of the AES encryption and decryption module was proposed. It was surprisingly compact and occupied only around 2605 GE of silicon area and took 226 cycles for both the encryption and decryption operations. In this work we further optimize the above architecture to provide the dual encryption/decryption functionality in only 2060 GE and latency of 246/326 cycles for the encryption and decryption operations respectively. We take advantage of clock gating techniques to achieve Shiftrow and Inverse Shiftrow operations in 3 cycles instead of 1. This helps us replace many of the scan flip-flops in the design with ordinary flip-flops. Furthermore we take advantage of the fact that the Inverse Mixcolumn matrix in AES is the cube of the forward Mixcolumn matrix. Thus by executing the forward Mixcolumn operation three times over the state, one can achieve the functionality of Inverse Mixcolumn. This saves some more gate area as one is no longer required to have a combined implementation of the Forward and Inverse Mixcolumn circuit.
Lightweight Circuits with Shift and Swap
In CHES 2017, Moradi et al. presented a paper on "Bit-Sliding" in which the authors proposed lightweight constructions for SPN-based block ciphers like AES, Present and SKINNY. The main idea behind these constructions was to reduce the length of the datapath to 1 bit and to reformulate the linear layer for these ciphers so that they require fewer scan flip-flops (which have built-in multiplexer functionality and so are larger in area than a simple flip-flop). In this paper we take the idea forward: is it possible to construct the linear layer using only 2 scan flip-flops? Take the case of Present: in the language of mathematics, the above question translates to: can the Present permutation be generated by some ordered composition of only two types of permutations?
The question can be answered in the affirmative by drawing upon the theory of permutation groups. However, straightforward constructions would require that the "ordered composition" consist of a large number of simpler permutations. This would naturally take a large number of clock cycles to execute in a flip-flop array having only two scan flip-flops, and thus incur a heavy loss of throughput.
In this paper we analyze SPN ciphers like Present and Gift that have a bit permutation as their linear layer. We construct the linear layer of the cipher using as few clock cycles as possible. As an outcome we propose the smallest known constructions for the Present and Gift block ciphers for both encryption and combined encryption+decryption functionalities. We extend the above ideas to propose the first known construction of the Flip stream cipher.
Some Applications of Hamming Weight Correlations
It is a well-known fact that the power consumption during certain stages of a cryptographic algorithm exhibits a strong correlation with the Hamming Weight of its underlying variables. This phenomenon has been widely exploited in the cryptographic literature in various attacks targeting a broad range of schemes such as block ciphers or public-key cryptosystems.
A common way of breaking this correlation is through the inclusion of countermeasures involving additional randomness into the computation, in the form of hidden (undisclosed) component functions or masking strategies that complicate the inference of any sensitive information from the gathered power traces.
In this work, we revisit the tight correlation between the Hamming Weight and the observed power consumption of an algorithm and demonstrate, in the first part, a practical reverse-engineering attack on proprietary AES-like constructions with secret internal components like the SubBytes, MixColumns and ShiftRows functions. This approach is used in some commercial products, such as the Dynamic Encryption package from the communication services provider Dencrypt, as an extra layer of security. We recover the encryption key alongside the hidden substitution and permutation layer as well as the MixColumns matrix on both 8-bit and 32-bit architectures.
In a second effort, we shift our attention to a masked implementation of AES, specifically the secAES proposal put forward by the French National Cybersecurity Agency (ANSSI) that concisely combines several side-channel countermeasure techniques. We show its insecurity in a novel side-channel-assisted statistical key-recovery attack that only necessitates a few hundred collected power traces.
SUNDAE: Small Universal Deterministic Authenticated Encryption for the Internet of Things
Lightweight cryptography was developed in response to the increasing need to secure devices for the Internet of Things. After significant research effort, many new block ciphers have been designed targeting lightweight settings, optimizing efficiency metrics which conventional block ciphers did not. However, block ciphers must be used in modes of operation to achieve more advanced security goals such as data confidentiality and authenticity, a research area given relatively little attention in the lightweight setting. We introduce a new authenticated encryption (AE) mode of operation, SUNDAE, specially targeted for constrained environments. SUNDAE is smaller in implementation area than other known lightweight modes, such as CLOC, JAMBU, and COFB; however, unlike these modes, SUNDAE is designed as a deterministic authenticated encryption (DAE) scheme, meaning it provides maximal security in settings where proper randomness is hard to generate, or secure storage must be minimized due to expense. Unlike other DAE schemes, such as GCM-SIV, SUNDAE can be implemented efficiently both on constrained devices and on the servers communicating with those devices. We prove SUNDAE secure relative to its underlying block cipher, and provide an extensive implementation study, with results in both software and hardware, demonstrating that SUNDAE offers improved compactness and power consumption in hardware compared to other lightweight AE modes, while simultaneously offering comparable performance to GCM-SIV on parallel high-end platforms.