ITUbee: A Software Oriented Lightweight Block Cipher

Ferhat Karakoç 1,2, Hüseyin Demirci 1, A. Emre Harmancı 2

1 TÜBİTAK-BİLGEM-UEKAE, 2 Istanbul Technical University

May 6, 2013


Outline

Motivation

ITUbee

Security Analysis

Performance Analysis

Conclusion


Motivation

A software oriented lightweight block cipher

Software oriented: microcontroller based platforms

Lightweight: suitable for constrained devices

Power/energy

Memory/area

Time/throughput

Most previously proposed lightweight ciphers are suited to hardware designs

Bitwise permutations

4-bit S-boxes


Motivation (cont.)

Feistel structure with no key schedule, with security against related key attacks as well

Most previously proposed ciphers with no key schedule have an SPN structure

Feistel ciphers with a very simple key schedule, such as GOST

Related key attacks


Motivation (cont.)

ITUbee is suitable for 8-bit software based platforms which have resource constraints.

Based on Feistel structure and has no key schedule.

An example platform: sensor nodes in wireless sensor networks (WSN)

Generally microcontroller based platforms

Have constraints on power/energy, memory/area, time/throughput

A specific example: Mica2 and Mica2Dot nodes produced by Crossbow Technology, Inc.

Based on the Atmel ATmega128L 8-bit microcontroller

4 kB of EEPROM and 128 kB of Flash


Feistel Structure with No Key Schedule

Block size: 80 bits

Key length: 80 bits

Feistel Structure

Same program for encryption and decryption

No key schedule

Saves memory and energy

Related key attacks


Feistel Structure with No Key Schedule (cont.)

Inject round keys between two non-linear operations

Self similarity attacks


Feistel Structure with No Key Schedule (cont.)

Round constants


F Function

Confusion on 8 bits: just a table look-up

256 bytes of memory

4 clock cycles

Just 15 XOR operations (15 clock cycles)

Consecutive two S-boxes


ITUbee

Add L function

Minimize round constant lengths: 8-bit?


An Observation

Patterns when 1-byte round constants are used:

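$a\|b\|b\|a\|c \xrightarrow{S} s[a]\|s[b]\|s[b]\|s[a]\|s[c]$

$a\|b\|b\|a\|c \xrightarrow{RK = x\|y\|y\|x\|z} (a \oplus x)\|(b \oplus y)\|(b \oplus y)\|(a \oplus x)\|(c \oplus z)$

$a\|b\|b\|a\|c \xrightarrow{RC = w} a\|b\|b\|a\|(c \oplus w)$

$a\|b\|b\|a\|c \xrightarrow{L} (c \oplus a \oplus b)\|(a \oplus b \oplus b)\|(b \oplus b \oplus a)\|(b \oplus a \oplus c)\|(a \oplus c \oplus a)$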


An Observation (cont.)

ITUbee consists of S, RK, RC, L and the XOR of 40 bits in the Feistel structure.

These operations preserve the pattern:

IF P = (a‖b‖b‖a‖c)‖(d‖e‖e‖d‖f)

AND K = (t‖u‖u‖t‖v)‖(x‖y‖y‖x‖z)

THEN C = (g‖h‖h‖g‖i)‖(j‖k‖k‖j‖l)

This is independent of the number of rounds.
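The observation above can be checked in a small model; this is an added example, not code from the slides or from the ITUbee authors. The L function is read off the slide's L line and the S-box is the AES S-box the deck names; the round formula, F = S∘L∘S, the alternating key halves and the round-constant values are assumptions made for the illustration.

```python
def _gmul(a, b):  # multiply in GF(2^8) modulo x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox_entry(x):  # AES S-box: field inverse, then the affine map
    inv = 1
    for _ in range(254):  # x^254 is the inverse of x; 0 maps to 0
        inv = _gmul(inv, x)
    rot = lambda s: ((inv << s) | (inv >> (8 - s))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def S(x):
    return [SBOX[b] for b in x]

def L(x):  # diffusion layer as read off the slide's L line
    a, b, c, d, e = x
    return [e ^ a ^ b, a ^ b ^ c, b ^ c ^ d, c ^ d ^ e, d ^ e ^ a]

def F(x):  # assumption: S-box layer, L, S-box layer
    return S(L(S(x)))

def xor(x, y):
    return [p ^ q for p, q in zip(x, y)]

def encrypt(pl, pr, kl, kr, rounds, rc_bytes):
    for i in range(1, rounds + 1):  # rounds < 256 so i fits in a byte
        rk = kr if i % 2 else kl  # no key schedule: the key halves alternate
        # Constructed round constants: 1 byte (last byte) or 2 bytes (last two).
        rc = [0, 0, 0, 0, i] if rc_bytes == 1 else [0, 0, 0, i, i ^ 0xFF]
        # Assumed round: key and constant sit between two F calls.
        pl, pr = pr, xor(pl, F(L(xor(xor(F(pr), rk), rc))))
    return pl, pr

def has_pattern(half):  # x|y|y|x|z
    return half[0] == half[3] and half[1] == half[2]

def pattern_survives(rounds, rc_bytes):
    # Constructed plaintext and key, both (a|b|b|a|c)|(d|e|e|d|f).
    pl, pr = [0x01, 0x23, 0x23, 0x01, 0x45], [0x67, 0x89, 0x89, 0x67, 0xAB]
    kl, kr = [0x10, 0x32, 0x32, 0x10, 0x54], [0x76, 0x98, 0x98, 0x76, 0xBA]
    return all(has_pattern(h) for h in encrypt(pl, pr, kl, kr, rounds, rc_bytes))

if __name__ == "__main__":
    print([(n, r, pattern_survives(r, n)) for n in (1, 2) for r in (1, 5, 20)])
```

With 1-byte constants the ciphertext keeps the pattern for every round count, because every operation maps the set of patterned words to itself; a 2-byte constant leaves that set and the pattern is gone after the first round.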


ITUbee

AES S-box

16-bit round constants


Security Analysis

Basic Differential and Linear Cryptanalysis

S-box and diffusion layer

# of active S-boxes in one active round is at least 8

# of active S-boxes in 3 rounds is at least 16

Best differential probability for an S-box is $2^{-6}$

Differential effect:

Best differential probability for an F function is at least $2^{-17}$

# of active F functions in 6 rounds is at least 8


Security Analysis (cont.)

Related Key Differential Cryptanalysis

Let only one half of the master key have a difference

# of active F functions in 2 rounds is at least 1

# of active F functions in 10 rounds is at least 5

Best differential probability for an F function is at least $2^{-17}$


Security Analysis (cont.)

Meet-in-the-Middle Type Attacks

Basic MITM: strong diffusion in two rounds

Biclique: can be constructed at most on 2 rounds

Multi Dimensional MITM: block length and key size are the same

Impossible Differential Cryptanalysis

No impossible characteristics on more than 5 rounds

Self-similarity Attacks: Slide, Reflection, Slidex

Round constants


Simulation Platform

AVR ATtiny45 microcontroller, using the integrated development platform Atmel Studio 6.

An 8-bit RISC (reduced instruction set computing) based microcontroller

Simple instructions

Move data from memory to CPU registers

Evaluate arithmetic operations on the data in the CPU registers

Move data from CPU registers to memory

Harvard architecture: the instruction and data memory are separated.

4-kB Flash memory for the instructions.

256-byte static RAM for data.

We have also simulated the same program on the ATtiny128L, on which the Mica2 and Mica2Dot nodes are based.


Implementation Details and Simulation Results

Details:

We stored the 8-bit S-box used in the cipher in the instruction memory.

We used CPU registers for all internal variables and did not use any SRAM except for the plaintext/ciphertext and master key.

Results:

Clock cycle (energy) optimized implementation

716 bytes in program memory

2607 clock cycles for one encryption

Memory optimized implementation

400 bytes in program memory

3149 clock cycles for one encryption

Note that the results are the same for the microcontrollers ATtiny45 and ATtiny128L


Performance Comparisons

| Cipher | Block size [bits] | Key size [bits] | Memory [bytes] | Clock cycles per one enc. | Clock cycles per one byte | Cycle × Memory |
|---|---|---|---|---|---|---|
| AES¹ | 128 | 128 | 1689 | 4557 | 284 | 479676 |
| DESXL¹ | 64 | 184 | 868 | 84602 | 10575 | 9179100 |
| HIGHT¹ | 64 | 128 | 434 | 19503 | 2437 | 1057658 |
| IDEA¹ | 64 | 128 | 1068 | ≈ 8250 | 1031 | 1101108 |
| KASUMI¹ | 64 | 128 | 1288 | 11939 | 1492 | 1921696 |
| KATAN¹ | 64 | 80 | 356 | 72063 | 9007 | 3206492 |
| KLEIN¹ | 64 | 80 | 1286 | 6095 | 761 | 978646 |
| mCrypton¹ | 64 | 96 | 1104 | 16457 | 2057 | 2270928 |
| NOEKEON¹ | 128 | 128 | 396 | 23517 | 1469 | 581724 |
| PRESENT¹ | 64 | 80 | 1018 | 11342 | 1417 | 1442506 |
| SEA¹ | 96 | 96 | 450 | 41604 | 3467 | 1560150 |
| TEA¹ | 64 | 128 | 672 | 7408 | 926 | 622272 |
| ITUbee [this paper], cycle optimized | 80 | 80 | 716 | 2607 | 261 | 186876 |
| ITUbee [this paper], memory optimized | 80 | 80 | 586 | 2937 | 294 | 172284 |

¹ These results are taken from the Africacrypt 2012 paper by Eisenbarth et al. The platform was ATtiny45.


Performance Comparisons

[Figure: scatter plot of AES, DESXL, HIGHT, IDEA, KASUMI, KATAN, KLEIN, mCrypton, NOEKEON, PRESENT, SEA, TEA and the two ITUbee implementations. x-axis: Memory [bytes]; y-axis: # of clock cycles per one byte.]


Conclusion

A new software oriented lightweight block cipher

It has a Feistel Structure and no key schedule

There is another example of such a cipher: GOST

But there is a related key attack on full GOST because of this property.

To make the cipher stronger against related key attacks, a new idea is used: round keys are inserted between two F functions, unlike in classical Feistel ciphers

The number of clock cycles for an encryption is smaller than for most of the ciphers

The storage requirement is also remarkable


Thank You

Questions?