Lightweight symmetric cryptography

The Internet of Things is one of the principal trends in information technology nowadays. The main idea behind this concept is that devices communicate autonomously with each other over the Internet. Some of these devices have extremely limited resources, such as power and energy, available time for computations, amount of silicon to produce the chip, computational power, etc. Classical cryptographic primitives are often infeasible for such constrained devices. The goal of lightweight cryptography is to introduce cryptographic solutions with reduced resource consumption, but with a sufficient security level. Although this research area was of great interest to academia during the last years and a large number of proposals for lightweight cryptographic primitives have been introduced, almost none of them are used in real-word. Probably one of the reasons is that, for academia, lightweight usually meant to design cryptographic primitives such that they require minimal resources among all existing solutions. This exciting research problem became an important driver which allowed the academic community to better understand many cryptographic design concepts and to develop new attacks. However, this criterion does not seem to be the most important one for industry, where lightweight may be considered as "rightweight". In other words, a given cryptographic solution just has to fit the constraints of the specific use cases rather than to be the smallest. Unfortunately, academic researchers tended to neglect vital properties of the particular types of devices, into which they intended to apply their primitives. That is, often solutions were proposed where the usage of some resources was reduced to a minimum. However, this was achieved by introducing new costs which were not appropriately taken into account or in such a way that the reduction of costs also led to a decrease in the security level. Hence, there is a clear gap between academia and industry in understanding what lightweight cryptography is. In this work, we are trying to fill some of these gaps. We carefully investigate a broad number of existing lightweight cryptographic primitives proposed by academia including authentication protocols, stream ciphers, and block ciphers and evaluate their applicability for real-world scenarios. We then look at how individual components of design of the primitives influence their cost and summarize the steps to be taken into account when designing primitives for concrete cost optimization, more precisely - for low energy consumption. Next, we propose new implementation techniques for existing designs making them more efficient or smaller in hardware without the necessity to pay any additional costs. After that, we introduce a new stream cipher design philosophy which enables secure stream ciphers with smaller area size than ever before and, at the same time, considerably higher throughput compared to any other encryption schemes of similar hardware cost. To demonstrate the feasibility of our findings we propose two ciphers with the smallest area size so far, namely Sprout and Plantlet, and the most energy efficient encryption scheme called Trivium-2. Finally, this thesis solves a concrete industrial problem. Based on standardized cryptographic solutions, we design an end-to-end data-protection scheme for low power networks. This scheme was deployed on the water distribution network in the City of Antibes, France

Evaluating GPT-4’s Proficiency in Addressing Cryptography Examinations

In the rapidly advancing domain of artificial intelligence, ChatGPT, powered by the GPT-4 model, has emerged as a state-of-the-art interactive agent, exhibiting substantial capabilities across various domains. This paper aims to assess the efficacy of GPT-4 in addressing and solving problems found within cryptographic examinations. We devised a multi-faceted methodology, presenting the model with a series of cryptographic questions of varying complexities derived from real academic examinations. Our evaluation encompasses both classical and modern cryptographic challenges, focusing on the model\u27s ability to understand, interpret, and generate correct solutions while discerning its limitations. The model was challenged with a spectrum of cryptographic tasks, earning 201 out of 208 points by solving fundamental queries inspired by an oral exam, 80.5 out of 90 points on a written Crypto 1 exam, and 287 out of 385 points on advanced exercises from the Crypto 2 course. The results demonstrate that while GPT-4 shows significant promise in grasping fundamental cryptographic concepts and techniques, certain intricate problems necessitate domain-specific knowledge that may sometimes lie beyond the model\u27s general training. Insights from this study can provide educators, researchers, and examiners with a deeper understanding of how cutting-edge AI models can be both an asset and a potential concern in academic settings related to cryptology. To enhance the clarity and coherence of our work, we utilized ChatGPT-4 to help us in formulating sentences in this paper

On Ciphers that Continuously Access the Non-Volatile Key

Due to the increased use of devices with restricted resources such as limited area size, power or energy, the community has developed various techniques for designing lightweight ciphers. One approach that is increasingly discussed is to use the cipher key that is stored on the device in non-volatile memory not only for the initialization of the registers but during the encryption/decryption process as well. Recent examples are the ciphers Midori (Asiacrypt’15) and Sprout (FSE’15). This may on the one hand help to save resources, but also may allow for a stronger key involvement and hence higher security. However, only little is publicly known so far if and to what extent this approach is indeed practical. Thus, cryptographers without strong engineering background face the problem that they cannot evaluate whether certain designs are reasonable (from a practical point of view) which hinders the development of new designs. In this work, we investigate this design principle from a practical point of view. After a discussion on reasonable approaches for storing a key in non-volatile memory, motivated by several commercial products we focus on the case that the key is stored in EEPROM. Here, we highlight existing constraints and derive that some designs, based on the impact on their throughput, are better suited for the approach of continuously reading the key from all types of non-volatile memory. Based on these findings, we improve the design of Sprout for proposing a new lightweight stream cipher that (i) has a significantly smaller area size than almost all other stream ciphers and (ii) can be efficiently realized using common non-volatile memory techniques. Hence, we see our work as an important step towards putting such designs on a more solid ground and to initiate further discussions on realistic designs

Towards low energy stream ciphers

Energy optimization is an important design aspect of lightweight cryptography. Since low energy ciphers drain less battery, they are invaluable components of devices that operate on a tight energy budget such as handheld devices or RFID tags. At Asiacrypt 2015, Banik et al. presented the block cipher family Midori which was designed to optimize the energy consumed per encryption and which reduces the energy consumption by more than 30% compared to previous block ciphers. However, if one has to encrypt/decrypt longer streams of data, i.e. for bulk data encryption/decryption, it is expected that a stream cipher should perform even better than block ciphers in terms of energy required to encrypt. In this paper, we address the question of designing low energy stream ciphers. To this end, we analyze for common stream cipher design components their impact on the energy consumption. Based on this, we give arguments why indeed stream ciphers allow for encrypting long data streams with less energy than block ciphers and validate our findings by implementations. Afterwards, we use the analysis results to identify energy minimizing design principles for stream ciphers

Lightweight symmetric cryptography

The Internet of Things is one of the principal trends in information technology nowadays. The main idea behind this concept is that devices communicate autonomously with each other over the Internet. Some of these devices have extremely limited resources, such as power and energy, available time for computations, amount of silicon to produce the chip, computational power, etc. Classical cryptographic primitives are often infeasible for such constrained devices. The goal of lightweight cryptography is to introduce cryptographic solutions with reduced resource consumption, but with a sufficient security level. Although this research area was of great interest to academia during the last years and a large number of proposals for lightweight cryptographic primitives have been introduced, almost none of them are used in real-word. Probably one of the reasons is that, for academia, lightweight usually meant to design cryptographic primitives such that they require minimal resources among all existing solutions. This exciting research problem became an important driver which allowed the academic community to better understand many cryptographic design concepts and to develop new attacks. However, this criterion does not seem to be the most important one for industry, where lightweight may be considered as "rightweight". In other words, a given cryptographic solution just has to fit the constraints of the specific use cases rather than to be the smallest. Unfortunately, academic researchers tended to neglect vital properties of the particular types of devices, into which they intended to apply their primitives. That is, often solutions were proposed where the usage of some resources was reduced to a minimum. However, this was achieved by introducing new costs which were not appropriately taken into account or in such a way that the reduction of costs also led to a decrease in the security level. Hence, there is a clear gap between academia and industry in understanding what lightweight cryptography is. In this work, we are trying to fill some of these gaps. We carefully investigate a broad number of existing lightweight cryptographic primitives proposed by academia including authentication protocols, stream ciphers, and block ciphers and evaluate their applicability for real-world scenarios. We then look at how individual components of design of the primitives influence their cost and summarize the steps to be taken into account when designing primitives for concrete cost optimization, more precisely - for low energy consumption. Next, we propose new implementation techniques for existing designs making them more efficient or smaller in hardware without the necessity to pay any additional costs. After that, we introduce a new stream cipher design philosophy which enables secure stream ciphers with smaller area size than ever before and, at the same time, considerably higher throughput compared to any other encryption schemes of similar hardware cost. To demonstrate the feasibility of our findings we propose two ciphers with the smallest area size so far, namely Sprout and Plantlet, and the most energy efficient encryption scheme called Trivium-2. Finally, this thesis solves a concrete industrial problem. Based on standardized cryptographic solutions, we design an end-to-end data-protection scheme for low power networks. This scheme was deployed on the water distribution network in the City of Antibes, France

On ciphers that continuously access the non-volatile key

Due to the increased use of devices with restricted resources such as limited area size, power or energy, the community has developed various techniques for designing lightweight ciphers. One approach that is increasingly discussed is to use the cipher key that is stored on the device in non-volatile memory not only for the initialization of the registers but during the encryption/decryption process as well. Recent examples are the ciphers Midori (Asiacrypt’15) and Sprout (FSE’15). This may on the one hand help to save resources, but also may allow for a stronger key involvement and hence higher security. However, only little is publicly known so far if and to what extent this approach is indeed practical. Thus, cryptographers without strong engineering background face the problem that they cannot evaluate whether certain designs are reasonable (from a practical point of view) which hinders the development of new designs. In this work, we investigate this design principle from a practical point of view. After a discussion on reasonable approaches for storing a key in non-volatile memory, motivated by several commercial products we focus on the case that the key is stored in EEPROM. Here, we highlight existing constraints and derive that some designs, based on the impact on their throughput, are better suited for the approach of continuously reading the key from all types of non-volatile memory. Based on these findings, we improve the design of Sprout for proposing a new lightweight stream cipher that (i) has a significantly smaller area size than almost all other stream ciphers and (ii) can be efficiently realized using common non-volatile memory techniques. Hence, we see our work as an important step towards putting such designs on a more solid ground and to initiate further discussions on realistic designs

On Ciphers that Continuously Access the Non-Volatile Key

Due to the increased use of devices with restricted resources such as limited area size, power or energy, the community has developed various techniques for designing lightweight ciphers. One approach that is increasingly discussed is to use the cipher key that is stored on the device in non-volatile memory not only for the initialization of the registers but during the encryption/decryption process as well. Recent examples are the ciphers Midori (Asiacrypt’15) and Sprout (FSE’15). This may on the one hand help to save resources, but also may allow for a stronger key involvement and hence higher security. However, only little is publicly known so far if and to what extent this approach is indeed practical. Thus, cryptographers without strong engineering background face the problem that they cannot evaluate whether certain designs are reasonable (from a practical point of view) which hinders the development of new designs.In this work, we investigate this design principle from a practical point of view. After a discussion on reasonable approaches for storing a key in non-volatile memory, motivated by several commercial products we focus on the case that the key is stored in EEPROM. Here, we highlight existing constraints and derive that some designs, based on the impact on their throughput, are better suited for the approach of continuously reading the key from all types of non-volatile memory. Based on these findings, we improve the design of Sprout for proposing a new lightweight stream cipher that (i) has a significantly smaller area size than almost all other stream ciphers and (ii) can be efficiently realized using common non-volatile memory techniques. Hence, we see our work as an important step towards putting such designs on a more solid ground and to initiate further discussions on realistic designs

The DRACO Stream Cipher: A Power-efficient Small-state Stream Cipher with Full Provable Security against TMDTO Attacks

Stream ciphers are vulnerable to generic time-memory-data tradeoff attacks. These attacks reduce the security level to half of the cipher’s internal state size. The conventional way to handle this vulnerability is to design the cipher with an internal state twice as large as the desired security level. In lightweight cryptography and heavily resource constrained devices, a large internal state size is a big drawback for the cipher. This design principle can be found in the eSTREAM portfolio members Grain and Trivium.Recently proposals have been made that reduce the internal state size. These ciphers distinguish between a volatile internal state and a non-volatile internal state. The volatile part would typically be updated during a state update while the non-volatile part remained constant. Cipher proposals like Sprout, Plantlet, Fruit and Atom reuse the secret key as non-volatile part of the cipher. However, when considering indistinguishability none of the ciphers mentioned above provides security beyond the birthday bound with regard to the volatile internal state. Partially this is due to the lack of a proper proof of security.We present a new stream cipher proposal called Draco which implements a construction scheme called CIVK. In contrast to the ciphers mentioned above, CIVK uses the initial value and a key prefix as its non-volatile state. Draco builds upon CIVK and uses a 128-bit key and a 96-bit initial value and requires 23 % less area and 31 % less power than Grain-128a at 10 MHz. Further, we present a proof that CIVK provides full security with regard to the volatile internal state length against distinguishing attacks. This makes Draco a suitable cipher choice for ultra-lightweight devices like RFID tags