Lightweight Cryptography:

from Smallest to Fastest

Miroslav Knežević

NXP Semiconductors

July 21, 2015

LCW2015, NIST Gaithersburg, USA

Trade-offs in HW

July 22, 20152.

Performance Silicon area

July 22, 20153.

Performance Silicon area

Power

Energy

Trade-offs in HW

Trade-offs in Crypto HW

July 22, 20154.

Security

Performance Silicon area

Power

Energy

July 22, 20155.

Security

Performance Silicon area

Power

Energy

Design

costs

Design

time

Max

Average

VerificationSecurity

analysis

Documentation

IP quality

Customer

requirements

Trade-offs in Crypto HW

July 22, 20156.

Silicon area

Designing the Smallest Block Cipher

• Smallest logic gate with two inputs.

• GE (gate equivalence) = physical area of a

single NAND gate.

• (Ab)used for comparing HW designs across

different CMOS technologies.

• When comparing lightweight crypto algorithms

NEVER trust GE!

July 22, 20157.

NAND gate

XOR gate

July 22, 20158.

2-3 GE

Modern Lightweight Ciphers

July 22, 20159.

< 1000 GE

AES (128-bit key, ENC only)

July 22, 201510.

2500 GE

Block Cipher – HW Perspective

July 22, 201511.

Memory

Key size ≥ 80 bits

Block size ≥ 32 bits

Round function

+

Key schedule

+

Control logic

Minimize!

KATAN – The Smallest Block Cipher

July 22, 201512.

KATAN32 = 462 GE

July 22, 201513.

KATAN32 = 315 GE + 508 bits of ROM

Only 508 bits of expanded key!

KATAN – The Smallest Block Cipher

How does KATAN compare to the competition?

July 22, 201514.

It’s (one of) the smallest known cipher(s): < 500 GE

But it’s not very fast: 254 clock cycles

Still scalable: 3 times faster for negligible area overhead

Fine, but let’s really compare it to others!

July 22, 201515.

SPECK

IBM130

Synopsys

≥ 580 GE

KLEIN

TSMC180

Synopsys

≥ 1.3 kGE

Piccolo

130nm

Synopsys

≥ 700 GE

LED

180nm

Synopsys

≥ 700 GE

KATAN

UMC130

Synopsys

≥ 460 GEPRESENT

UMC180

IHP250

AMIS350

Synopsys

~1kGE

SIMON

IBM130

Synopsys

≥ 520 GE

<5

6.2

5

6.6

7 7.6

7

NXP 90NM UMC 130NM UMC 180NM NANGATE 45NM

AREA OF SCAN-FF [GE]

Memory Elements in different CMOS Technologies

July 22, 201516.

52

1 73

7 91

8

1192

13

40

73

8

10

60 1

32

9

17

28 19

50

75

9

1103 1

36

7

17

68 20

12

86

8

12

56

15

71

20

71 2

32

3

VERSION 1 VERSION 2 VERSION 3 VERSION 4 VERSION 5

AREA [GE]

SPONGENT in different CMOS Technologies

July 22, 201517.

up to 70% difference!

How can we do a fair comparison?

July 22, 201518.

Difficult in practice.

But why not using an open-core library at least?

http://www.nangate.com/

July 22, 201519.

Security

Performance Silicon area

Power

Energy

Trade-offs in Crypto HW

Designing the Fastest Block Cipher

July 22, 201520.

Performance

Latency vs Throughput

July 22, 201521.

Latency = 15 s

Throughput = 0.067 beer/s

12

3

6

9Serial

processing

Latency vs Throughput

July 22, 201522.

Latency = 15 s

Throughput = 0.2 beer/s

12

3

6

9Parallel

processing!

Latency vs Throughput

July 22, 201523.

Latency = 15 s

Throughput = 0.2 beer/s

12

3

6

9Pipelining!

Latency vs Throughput

July 22, 201524.

Latency = 5 s

Throughput = 0.2 beer/s

12

3

6

9

bottom-up!

Unrolling!

128 128 8 MDS LIGHT

128 128 4 BINARY NO

64 64 4 MDS LIGHT

64 64, 96, 128 4 BINARY LIGHT

64 80, 128 4BIT

PERMUTATIONLIGHT

64 64, 80, 96 4 MDS LIGHT

64 64, 128 4 MDS NO

Latency of Existing Ciphers – Is Lightweight = “Light + Wait”?

July 22, 201525.

BLOCK-SIZE KEY-SIZE S-BOX P-LAYER K-SCHEDULE

MCRYPTON

AES

NOEKOEN

MINI-AES

PRESENT

KLEIN

LED

Number of Rounds vs Key Size

July 22, 201526.

Unrolled HW Architectures

July 22, 201527.

17.8

15.3 2

0.3 2

5.3

31.2

46.6

9.8

9.8

9.8

9.9

14.8

15.5

14.8

14.7

20.2

16.4 2

1.4 2

6.4

32.8

48.2

10.8

10.8

11 12

17 17.4

16.4

16.6

LATENCY [NS]

1-cycle 2-cycle

Results – Latency

July 22, 201528.

366.6

48.2 63.7 79.9

128.7

193.1

41.3

40.4

41.4

40

102.5

49.5 72.3

73.8

191.8

24.9

32.6

41.3 63.5 9

6

20.9

21.1

21

22

49.6

27.1

37.6

37.1

AREA [KGE]

1-cycle 2-cycle

Results – Area

July 22, 201529.

• Use small S-boxes (e.g. 5-bit, 4-bit, 3-bit)

• Almost everything follows the normal distribution. So does the S-box!

Low Latency Encryption

S-box

July 22, 201530.

slide credit:

Gregor Leander

choose me!

Low Latency Encryption

Number of Rounds

July 22, 201531.

Minimize!

• Not too low complexity.

• Reduce the number of rounds at the cost of (slightly) heavier round.

Low Latency Encryption

Round Complexity

July 22, 201532.

• Number of rounds should be independent of the key schedule.

• Use constant addition instead of a key schedule (if possible).

Low Latency Encryption

Key Schedule

July 22, 201533.

• Use involution where possible: 𝑓 𝑓 𝑥 = 𝑥.

• Make Encryption and Decryption procedures similar.

• BUT: think application oriented – sometimes it is beneficial to have

asymmetric constructions.

Low Latency Encryption

Encryption vs Decryption

July 22, 201534.

Low Latency Encryption

Meet PRINCE

July 22, 201535.

𝛼-reflection property:

Low Latency Encryption

Meet PRINCE

July 22, 201536.

17.8

15.3

20.3

25.3

31.2

46.6

9.8

9.8

9.8

9.9

14.8

15.5

14.8

14.7

8

LATENCY [NS]

Low Latency Encryption

Meet PRINCE

July 22, 201537.

366.6

48.2 63.7 79.9

128.7

193.1

41.3

40.4

41.4

40

102.5

49.5 7

2.3

73.8

17

AREA [KGE]

July 22, 201538.

Security

Performance Silicon area

Power

Energy

Trade-offs in Crypto HW

July 22, 201539.

Power

Energy

Power vs Energy

July 22, 201540.

Power

Energy

12

3

6

9

=

=

Power vs Energy

Every mW matters!

July 22, 201541.

Total number of mobile devices in 2015 = 8.6 billion*

Average (regular) power consumption of a smartphone = 160 mW**

Total energy spent = €2.5 billion*** a year!

*** average electricity price in 2014 in EU was €0.208 per kWh.

** An Analysis of Power Consumption in a Smartphone, A Carroll, G Heiser, USENIX 2010.

* Mobile Statistics Report 2014-2018, The Radicati Group Inc.

• Reduce circuit area (e.g. serializing): 𝐶𝑒𝑓𝑓 ↓

• Reduce switching activity (e.g. clock gating): 𝑠𝑤 ↓

• Move to smaller CMOS technologies: 𝐶𝑒𝑓𝑓 ↓, 𝑉𝐷𝐷 ↓, but 𝑃𝑙𝑒𝑎𝑘𝑎𝑔𝑒 ↑

• Reduce the operating clock frequency: 𝑓𝑐𝑙𝑘 ↓

Reducing Power Consumption

July 22, 201542.

𝑃𝑡𝑜𝑡 = 𝑃𝑠𝑤𝑖𝑡𝑐ℎ𝑖𝑛𝑔 + 𝑃𝑙𝑒𝑎𝑘𝑎𝑔𝑒

𝑃𝑠𝑤𝑖𝑡𝑐ℎ𝑖𝑛𝑔 ≈ 𝐶𝑒𝑓𝑓 ∙ 𝑉𝐷𝐷2 ∙ 𝑓𝑐𝑙𝑘∙ 𝑠𝑤

Known Throughput Optimization Techniques and

their Impact* on Power and Energy

July 22, 201543.

Power

Energy

serialization parallelism unrolling pipelining

* in the context of symmetric block cipher design

July 22, 201544.

Security

Performance Silicon area

Power

Energy

Trade-offs in Crypto HW

July 22, 201545.

SecurityPower

Designing the Most Secure Block Cipher

:)

July 22, 201546.

Cryptanalysis

Side Channel

AnalysisFault Attacks

Designing the Most Secure Block Cipher

:)

July 22, 201547.

Side Channel

AnalysisFault Attacks

Designing the Most Secure Block Cipher

:)

templates

DPA

CPA

SPA

safe-error

attacks

DFA

Challenges with SCA Countermeasures

July 22, 201548.

INCOMPLETE MODELS

Circuit

models

Adversary

models1st vs higher

order DPA

Challenges with FA Countermeasures

July 22, 201549.

LACK OF CREATIVITY

Redundant

executions

Dummy

operations

Light

sensors

THANK YOU!

July 22, 201550.

Thanks to the teams of

KATAN, SPONGENT, PRINCE, FIDES