Lightweight Cryptography: from Smallest to Fastest
Miroslav Knežević NXP Semiconductors July 21, 2015
LCW2015, NIST Gaithersburg, USA Trade-offs in HW
Performance Silicon area
2. July 22, 2015 Trade-offs in HW
Energy
Power
Performance Silicon area
3. July 22, 2015 Trade-offs in Crypto HW
Energy
Security Power
Performance Silicon area
4. July 22, 2015 Trade-offs in Crypto HW
Security analysis Verification Energy Security Max Design Power costs Average IP quality
Design time Performance Silicon area Customer requirements
Documentation
5. July 22, 2015 Designing the Smallest Block Cipher
Silicon area
6. July 22, 2015 NAND gate
• Smallest logic gate with two inputs.
• GE (gate equivalence) = physical area of a single NAND gate.
• (Ab)used for comparing HW designs across different CMOS technologies.
• When comparing lightweight crypto algorithms NEVER trust GE!
7. July 22, 2015 XOR gate
2-3 GE
8. July 22, 2015 Modern Lightweight Ciphers
< 1000 GE
9. July 22, 2015 AES (128-bit key, ENC only)
2500 GE
10. July 22, 2015 Block Cipher – HW Perspective
Minimize!
Round function Key size ≥ 80 bits + Memory Key schedule + Control logic Block size ≥ 32 bits
11. July 22, 2015 KATAN – The Smallest Block Cipher
KATAN32 = 462 GE
12. July 22, 2015 KATAN – The Smallest Block Cipher
Only 508 bits of expanded key!
KATAN32 = 315 GE + 508 bits of ROM
13. July 22, 2015 How does KATAN compare to the competition?
It’s (one of) the smallest known cipher(s): < 500 GE
But it’s not very fast: 254 clock cycles
Still scalable: 3 times faster for negligible area overhead
14. July 22, 2015 Fine, but let’s really compare it to others!
LED KATAN 180nm UMC130 Synopsys Synopsys Piccolo ≥ 700 GE PRESENT ≥ 460 GE 130nm UMC180 Synopsys IHP250 ≥ 700 GE AMIS350 Synopsys ~1kGE
KLEIN TSMC180 Synopsys ≥ 1.3 kGE SIMON SPECK IBM130 IBM130 Synopsys Synopsys ≥ 520 GE 15. July 22, 2015 ≥ 580 GE Memory Elements in different CMOS Technologies 16 . July July 22, 2015 NXP 90NM NXP
<5 UMC 130NM UMC AREA OF SCAN OF AREA
6.25 UMC 180NM UMC - FF [GE] FF
6.67 NANGATE 45NM NANGATE
7.67 SPONGENT SPONGENT in different CMOS Technologies 17 . July July 22, 2015 VERSION 1 VERSION 521 738 759 868 VERSION 2 VERSION 737 1060 1103 1256 AREA AREA VERSION 3 VERSION 918 1329
1367 [GE] 1571 VERSION 4 VERSION 1192 1728 1768 2071 u p to70%difference! VERSION 5 VERSION 1340 1950 2012 2323 How can we do a fair comparison?
Difficult in practice. But why not using an open-core library at least?
http://www.nangate.com/
18. July 22, 2015 Trade-offs in Crypto HW
Energy
Security Power
Performance Silicon area
19. July 22, 2015 Designing the Fastest Block Cipher
Performance
20. July 22, 2015 Latency vs Throughput
12
Serial 9 3 processing
6
Latency = 15 s Throughput = 0.067 beer/s
21. July 22, 2015 Latency vs Throughput
12
Parallel 9 3 processing!
6
Latency = 15 s Throughput = 0.2 beer/s
22. July 22, 2015 Latency vs Throughput
12
9 3 Pipelining!
6
Latency = 15 s Throughput = 0.2 beer/s
23. July 22, 2015 Latency vs Throughput
12
9 3 Unrolling!
6
bottom-up! Latency = 5 s Throughput = 0.2 beer/s
24. July 22, 2015 Latency of Existing Ciphers – Is Lightweight = “Light + Wait”?
BLOCK-SIZE KEY-SIZE S-BOX P-LAYER K-SCHEDULE
AES 128 128 8 MDS LIGHT
NOEKOEN 128 128 4 BINARY NO
MINI-AES 64 64 4 MDS LIGHT
MCRYPTON 64 64, 96, 128 4 BINARY LIGHT
BIT PRESENT 64 80, 128 4 PERMUTATION LIGHT
KLEIN 64 64, 80, 96 4 MDS LIGHT
LED 64 64, 128 4 MDS NO
25. July 22, 2015 Number of Rounds vs Key Size
26. July 22, 2015 Unrolled HW Architectures
27. July 22, 2015 Results Results 28 . July July 22, 2015
17.8 20.2
15.3 16.4 – Latency 20.3 21.4
25.3 26.4
31.2 32.8
46.6 [NS] LATENCY
48.2 1-cycle
9.8 10.8 2-cycle 9.8 10.8
9.8 11
9.9 12
14.8 17
15.5 17.4
14.8 16.4
14.7 16.6 Results Results 29 . July July 22, 2015
366.6 191.8
48.2 24.9 – Area 63.7 32.6
79.9 41.3
128.7 63.5
193.1 AREA [ AREA
96 1-cycle
41.3 20.9 KGE 2-cycle 40.4 21.1 ]
41.4 21
40 22
102.5 49.6
49.5 27.1
72.3 37.6
73.8 37.1 Low Latency Encryption S-box
• Use small S-boxes (e.g. 5-bit, 4-bit, 3-bit)
• Almost everything follows the normal distribution. So does the S-box!
choose me!
slide credit:
30. July 22, 2015 Gregor Leander Low Latency Encryption Number of Rounds
Minimize!
31. July 22, 2015 Low Latency Encryption Round Complexity
• Not too low complexity.
• Reduce the number of rounds at the cost of (slightly) heavier round.
32. July 22, 2015 Low Latency Encryption Key Schedule
• Number of rounds should be independent of the key schedule.
• Use constant addition instead of a key schedule (if possible).
33. July 22, 2015 Low Latency Encryption Encryption vs Decryption
• Use involution where possible: 푓 푓 푥 = 푥.
• Make Encryption and Decryption procedures similar.
• BUT: think application oriented – sometimes it is beneficial to have asymmetric constructions.
34. July 22, 2015 Low Latency Encryption Meet PRINCE
훼-reflection property:
35. July 22, 2015 Low Latency Encryption Meet PRINCE
LATENCY [NS]
46.6
31.2
25.3
20.3
17.8
15.5
15.3
14.8 14.8
14.7
9.9
9.8 9.8 9.8 8
36. July 22, 2015 Low Latency Encryption Meet PRINCE
AREA [KGE]
366.6
193.1
128.7
102.5
79.9
73.8
72.3
63.7
49.5
48.2
41.4
41.3
40.4
40 17
37. July 22, 2015 Trade-offs in Crypto HW
Energy
Security Power
Performance Silicon area
38. July 22, 2015 Power vs Energy
Energy
Power
39. July 22, 2015 Power vs Energy
Energy =
Power = 12
9 3
6
40. July 22, 2015 Every mW matters!
Total number of mobile devices in 2015 = 8.6 billion* Average (regular) power consumption of a smartphone = 160 mW**
Total energy spent = €2.5 billion*** a year!
* Mobile Statistics Report 2014-2018, The Radicati Group Inc.
** An Analysis of Power Consumption in a Smartphone, A Carroll, G Heiser, USENIX 2010.
*** average electricity price in 2014 in EU was €0.208 per kWh.
41. July 22, 2015 Reducing Power Consumption
푃푡표푡 = 푃푠푤𝑖푡푐ℎ𝑖푛푔 + 푃푙푒푎푘푎푔푒
2 푃푠푤𝑖푡푐ℎ𝑖푛푔 ≈ 퐶푒푓푓 ∙ 푉퐷퐷∙ 푓푐푙푘∙ 푠푤
• Reduce circuit area (e.g. serializing): 퐶푒푓푓 ↓
• Reduce switching activity (e.g. clock gating): 푠푤 ↓
• Move to smaller CMOS technologies: 퐶푒푓푓 ↓, 푉퐷퐷 ↓, but 푃푙푒푎푘푎푔푒 ↑
• Reduce the operating clock frequency: 푓푐푙푘 ↓
42. July 22, 2015 Known Throughput Optimization Techniques and their Impact* on Power and Energy
serialization parallelism unrolling pipelining Power
Energy
* in the context of symmetric block cipher design
43. July 22, 2015 Trade-offs in Crypto HW
Energy
Security Power
Performance Silicon area
44. July 22, 2015 Designing the Most Secure Block Cipher :)
Security Power
45. July 22, 2015 Designing the Most Secure Block Cipher :)
Cryptanalysis
Side Channel Fault Attacks Analysis
46. July 22, 2015 Designing the Most Secure Block Cipher :)
templates DFA Side Channel Fault Attacks DPA Analysis safe-error attacks CPA
SPA
47. July 22, 2015 Challenges with SCA Countermeasures
INCOMPLETE MODELS
Circuit Adversary 1st vs higher models models order DPA
48. July 22, 2015 Challenges with FA Countermeasures
LACK OF CREATIVITY
Redundant Dummy Light executions operations sensors
49. July 22, 2015 THANK YOU!
Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES
50. July 22, 2015