Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
Lightweight Cryptography:
from Smallest to Fastest
Miroslav Knežević
NXP Semiconductors
July 21, 2015
LCW2015, NIST Gaithersburg, USA
Trade-offs in HW
July 22, 20152.
Performance Silicon area
July 22, 20153.
Performance Silicon area
Power
Energy
Trade-offs in HW
Trade-offs in Crypto HW
July 22, 20154.
Security
Performance Silicon area
Power
Energy
July 22, 20155.
Security
Performance Silicon area
Power
Energy
Design
costs
Design
time
Max
Average
VerificationSecurity
analysis
Documentation
IP quality
Customer
requirements
Trade-offs in Crypto HW
July 22, 20156.
Silicon area
Designing the Smallest Block Cipher
• Smallest logic gate with two inputs.
• GE (gate equivalence) = physical area of a
single NAND gate.
• (Ab)used for comparing HW designs across
different CMOS technologies.
• When comparing lightweight crypto algorithms
NEVER trust GE!
July 22, 20157.
NAND gate
XOR gate
July 22, 20158.
2-3 GE
Modern Lightweight Ciphers
July 22, 20159.
< 1000 GE
AES (128-bit key, ENC only)
July 22, 201510.
2500 GE
Block Cipher – HW Perspective
July 22, 201511.
Memory
Key size ≥ 80 bits
Block size ≥ 32 bits
Round function
+
Key schedule
+
Control logic
Minimize!
KATAN – The Smallest Block Cipher
July 22, 201512.
KATAN32 = 462 GE
July 22, 201513.
KATAN32 = 315 GE + 508 bits of ROM
Only 508 bits of expanded key!
KATAN – The Smallest Block Cipher
How does KATAN compare to the competition?
July 22, 201514.
It’s (one of) the smallest known cipher(s): < 500 GE
But it’s not very fast: 254 clock cycles
Still scalable: 3 times faster for negligible area overhead
Fine, but let’s really compare it to others!
July 22, 201515.
SPECK
IBM130
Synopsys
≥ 580 GE
KLEIN
TSMC180
Synopsys
≥ 1.3 kGE
Piccolo
130nm
Synopsys
≥ 700 GE
LED
180nm
Synopsys
≥ 700 GE
KATAN
UMC130
Synopsys
≥ 460 GEPRESENT
UMC180
IHP250
AMIS350
Synopsys
~1kGE
SIMON
IBM130
Synopsys
≥ 520 GE
<5
6.2
5
6.6
7 7.6
7
NXP 90NM UMC 130NM UMC 180NM NANGATE 45NM
AREA OF SCAN-FF [GE]
Memory Elements in different CMOS Technologies
July 22, 201516.
52
1 73
7 91
8
1192
13
40
73
8
10
60 1
32
9
17
28 19
50
75
9
1103 1
36
7
17
68 20
12
86
8
12
56
15
71
20
71 2
32
3
VERSION 1 VERSION 2 VERSION 3 VERSION 4 VERSION 5
AREA [GE]
SPONGENT in different CMOS Technologies
July 22, 201517.
up to 70% difference!
How can we do a fair comparison?
July 22, 201518.
Difficult in practice.
But why not using an open-core library at least?
http://www.nangate.com/
July 22, 201519.
Security
Performance Silicon area
Power
Energy
Trade-offs in Crypto HW
Designing the Fastest Block Cipher
July 22, 201520.
Performance
Latency vs Throughput
July 22, 201521.
Latency = 15 s
Throughput = 0.067 beer/s
12
3
6
9Serial
processing
Latency vs Throughput
July 22, 201522.
Latency = 15 s
Throughput = 0.2 beer/s
12
3
6
9Parallel
processing!
Latency vs Throughput
July 22, 201523.
Latency = 15 s
Throughput = 0.2 beer/s
12
3
6
9Pipelining!
Latency vs Throughput
July 22, 201524.
Latency = 5 s
Throughput = 0.2 beer/s
12
3
6
9
bottom-up!
Unrolling!
128 128 8 MDS LIGHT
128 128 4 BINARY NO
64 64 4 MDS LIGHT
64 64, 96, 128 4 BINARY LIGHT
64 80, 128 4BIT
PERMUTATIONLIGHT
64 64, 80, 96 4 MDS LIGHT
64 64, 128 4 MDS NO
Latency of Existing Ciphers – Is Lightweight = “Light + Wait”?
July 22, 201525.
BLOCK-SIZE KEY-SIZE S-BOX P-LAYER K-SCHEDULE
MCRYPTON
AES
NOEKOEN
MINI-AES
PRESENT
KLEIN
LED
Number of Rounds vs Key Size
July 22, 201526.
Unrolled HW Architectures
July 22, 201527.
17.8
15.3 2
0.3 2
5.3
31.2
46.6
9.8
9.8
9.8
9.9
14.8
15.5
14.8
14.7
20.2
16.4 2
1.4 2
6.4
32.8
48.2
10.8
10.8
11 12
17 17.4
16.4
16.6
LATENCY [NS]
1-cycle 2-cycle
Results – Latency
July 22, 201528.
366.6
48.2 63.7 79.9
128.7
193.1
41.3
40.4
41.4
40
102.5
49.5 72.3
73.8
191.8
24.9
32.6
41.3 63.5 9
6
20.9
21.1
21
22
49.6
27.1
37.6
37.1
AREA [KGE]
1-cycle 2-cycle
Results – Area
July 22, 201529.
• Use small S-boxes (e.g. 5-bit, 4-bit, 3-bit)
• Almost everything follows the normal distribution. So does the S-box!
Low Latency Encryption
S-box
July 22, 201530.
slide credit:
Gregor Leander
choose me!
Low Latency Encryption
Number of Rounds
July 22, 201531.
Minimize!
• Not too low complexity.
• Reduce the number of rounds at the cost of (slightly) heavier round.
Low Latency Encryption
Round Complexity
July 22, 201532.
• Number of rounds should be independent of the key schedule.
• Use constant addition instead of a key schedule (if possible).
Low Latency Encryption
Key Schedule
July 22, 201533.
• Use involution where possible: 𝑓 𝑓 𝑥 = 𝑥.
• Make Encryption and Decryption procedures similar.
• BUT: think application oriented – sometimes it is beneficial to have
asymmetric constructions.
Low Latency Encryption
Encryption vs Decryption
July 22, 201534.
Low Latency Encryption
Meet PRINCE
July 22, 201535.
𝛼-reflection property:
Low Latency Encryption
Meet PRINCE
July 22, 201536.
17.8
15.3
20.3
25.3
31.2
46.6
9.8
9.8
9.8
9.9
14.8
15.5
14.8
14.7
8
LATENCY [NS]
Low Latency Encryption
Meet PRINCE
July 22, 201537.
366.6
48.2 63.7 79.9
128.7
193.1
41.3
40.4
41.4
40
102.5
49.5 7
2.3
73.8
17
AREA [KGE]
July 22, 201538.
Security
Performance Silicon area
Power
Energy
Trade-offs in Crypto HW
July 22, 201539.
Power
Energy
Power vs Energy
July 22, 201540.
Power
Energy
12
3
6
9
=
=
Power vs Energy
Every mW matters!
July 22, 201541.
Total number of mobile devices in 2015 = 8.6 billion*
Average (regular) power consumption of a smartphone = 160 mW**
Total energy spent = €2.5 billion*** a year!
*** average electricity price in 2014 in EU was €0.208 per kWh.
** An Analysis of Power Consumption in a Smartphone, A Carroll, G Heiser, USENIX 2010.
* Mobile Statistics Report 2014-2018, The Radicati Group Inc.
• Reduce circuit area (e.g. serializing): 𝐶𝑒𝑓𝑓 ↓
• Reduce switching activity (e.g. clock gating): 𝑠𝑤 ↓
• Move to smaller CMOS technologies: 𝐶𝑒𝑓𝑓 ↓, 𝑉𝐷𝐷 ↓, but 𝑃𝑙𝑒𝑎𝑘𝑎𝑔𝑒 ↑
• Reduce the operating clock frequency: 𝑓𝑐𝑙𝑘 ↓
Reducing Power Consumption
July 22, 201542.
𝑃𝑡𝑜𝑡 = 𝑃𝑠𝑤𝑖𝑡𝑐ℎ𝑖𝑛𝑔 + 𝑃𝑙𝑒𝑎𝑘𝑎𝑔𝑒
𝑃𝑠𝑤𝑖𝑡𝑐ℎ𝑖𝑛𝑔 ≈ 𝐶𝑒𝑓𝑓 ∙ 𝑉𝐷𝐷2 ∙ 𝑓𝑐𝑙𝑘∙ 𝑠𝑤
Known Throughput Optimization Techniques and
their Impact* on Power and Energy
July 22, 201543.
Power
Energy
serialization parallelism unrolling pipelining
* in the context of symmetric block cipher design
July 22, 201544.
Security
Performance Silicon area
Power
Energy
Trade-offs in Crypto HW
July 22, 201545.
SecurityPower
Designing the Most Secure Block Cipher
:)
July 22, 201546.
Cryptanalysis
Side Channel
AnalysisFault Attacks
Designing the Most Secure Block Cipher
:)
July 22, 201547.
Side Channel
AnalysisFault Attacks
Designing the Most Secure Block Cipher
:)
templates
DPA
CPA
SPA
safe-error
attacks
DFA
Challenges with SCA Countermeasures
July 22, 201548.
INCOMPLETE MODELS
Circuit
models
Adversary
models1st vs higher
order DPA
Challenges with FA Countermeasures
July 22, 201549.
LACK OF CREATIVITY
Redundant
executions
Dummy
operations
Light
sensors
THANK YOU!
July 22, 201550.
Thanks to the teams of
KATAN, SPONGENT, PRINCE, FIDES