PoS(ISCC 2017)039 to
currently the same of ed http://pos.sissa.it/ cipher, implementation of onstruct the it can save registers and about used a special method addingby one we counter to control the PrinceRound As a result, oung Backbone Teacher oung Backbone In this paper, we c , the Science and Technology Plan Plan Technology , the Science and more, used ) , the National, the Science Natural reference for further application of IOT ) is the first Industry university research project of
, ) and Y ) and ) Further , Hengyang Normal University, Hengyang Normal our research No.61572174 15C0203 , ( ( No. 14CXYY02 and can serve as a Her research interests include and embedded system ( . No.2016TP1020 ( ecturer, com . . Last but not least than original PRINCE on andFPGA the encryption with a fixed random mask qq @ M.S.,L -), 83 the anti power attacking ability of PRINCE. 2 (19 1
[email protected] 51674074 of Computer and Technology Science of Computer Science and Technology, Hengyang Normal University of and Technology, Computer Science Zou PRINCE algorithm on FPGA, encryption. operations into a module called PrinceRound, andmodule, while the same round operation runs repeatedly. reduce effectively amountthe of computation. the random mask to S-box. The experimental results show that the optimized PRINCE occupies area 9.8% fewer can run correctly. The algorithm PRINCE proposed insuitable ASIACRYPT for 2012the implementation is on aRFID Smart lightweight optimalCard implementation ofof PRINCE encryptionthe algorithm, andIoT. toIt's add astudied fixed randomto mask achieveenhance the
Zou Copyright owned by the author(s) under the terms of the Creative Commons Creative of by author(s)Copyright the terms the the under owned
This researchThis the by Research is supported Scientific Fund of Hunan Provincial Yi Foundation of China GrantFoundation under Project of Hunan Province University Normal HengYang 4.0). 4.0 International (CC BY-NC-ND License Attribution-NonCommercial-NoDerivatives information securityinformation 2 DepartmentEducation Grant with Normal Hengyang University ISCC 2017 ISCC December 2017 16-17 China Guangzhou, 1 E-mail: E-mail: Hengyang, 421002, China E-mail: Lang Li College China 421002, Hengyang, Yi Yi College Application and of Key Intelligent Information Processing Laboratory Provincial Hunan FPGA Optimal Implementation of PRINCE Implementation of against Optimal FPGA Attacks Analysis Power PoS(ISCC 2017)039 Yi Zou Yi are used as 0 1 k ⊕ 11 and k′ ⊕ RC 10 0 1 R k 4 F RC 9 E D 1 R k RC
5 D 8 1 R k RC E C 7 1 R k RC 0 B c 6 1 8 A R k RC ' 0 9 7 K ⊕ 1 - S 8 6 7 1 M 2 6 9 S PRINCEcore 5 C is the key for a 12-round block cipher referred to as 1 5 0 gainst Power Analysis Attacks Analysis Power gainst
1 k R k ⊕ RC A
1 4 A k ⊕ 4 1 i 3 2 m R k RC RC ⊕ 2 3 3 M 1 k R RC 1 F S respectively. 2 1 R 0 k B RC −1 1 1 R k RC X S(X) 0 RC ⊕ of PRINCE 1 k ⊕ PRINCEcore The structure of PRINCE ofThe structure ⊕ S-box of PRINCE of S-box S-box layer:The cipher uses a 4-bit denoteS-box whichthe isWe S-box given inTable.1. The 12-round process of PRINCEcore is depicted in Fig. 2. A typical round of PRINCE is a 64-bit block cipher with a 128-bit Thekey. key is split into two parts of 64 This paper is organized as follows: Section 2 briefly describes the PRINCE block cipher; It is very important to reduce area resources when the cipher is implemented on resource PRINCE is a novel lightweight block cipher which was proposed by Borgho in 2012[5]. It With the rapid development of the Internet of Things (IoT), great changes have taken place taken great have changes (IoT), Things Internet theofdevelopment of the rapid With Introduction 2.Description Table 1: Table Figure 2: Figure S S and its by and inverse Figure 1: Figure PRINCEcore consists of an S-box layer, a linear layer and an addition layer. The intermediate vector. 16-nibblea vector a represented 64-bitor state,by calledisusuallyresult computation (k0>>>1) (k0 >>63)||k1). During the encryption, the first two subkeys k whitening keys, while the third subkey k 1. isdemonstrated PRINCE structure The in Fig. of levelhigh PRINCEcore. finally the conclusion is presented in the last conclusion section. in the last finally is presented the bits each, k = k0||k1,and extended to 192 bits by the mapping (k0||k1)—> (k0||k0’||k1) := (k0|| ability of the cipher is correspondingly declining. So it is a very meaningful to find out how to run and less faster. resource occupy lightweightsecure, cipher more make the Section 3 elaborates on area optimization of PRINCE; in Section 4, resisting power analysis for PRINCE encryption algorithm is proposed; Section 5 discusses the experimental results, and block cipher which gives priority to latency with block length 64 Therebits are few research papersand about PRINCE cryptographic thealgorithms but there iskey no research 128 bits. power algorithm analysis. thePRINCE resisting ofcipher and about paper optimization constrained chips. At the same time, in order to obtain the area optimization, the anti attack in all aspects of people's lives inproposed to provide recentcipher blocks for resourceyears. constrained devices such Manyas RFID tags.Among lightweight blockCipher[1-4]. PRINT and ciphersKATAN,LED studiedPRESENT, are ciphers the best have been is optimized with respect to latency when implemented in hardware.This is the first lightweight FPGA Optimal Implementation ofPRINCE FPGA 1.
PoS(ISCC 2017)039 when Yi Zou Yi the result is
placed in the round operation The Verilog HDL code is given HDL Verilog The is xperiment E feasible to apply encryption into sensors and 3 xperiment E odules odules and gainst Power Analysis Attacks Analysis Power gainst
A
M Thus, it is Using this method, we only need to do 64*3 XOR on ound ound R epeated R s[48]^s[56]^s[60],s[49]^s[53]^s[61],s[50]^s[54]^s[58],s[55]^s[59]^s[63] effectively reducing the computational complexity. reducing the computational complexity. effectively Simulation module MatrixMutil results of same operation module of the PRINCE encryption }; input [0:63] state; input res; output[0:63] —————————————————————— tag=(r<=5)?1:0; assign In PrinceRound module, the operation order of the corresponding module was controlled The The simulation results of MatrixMutil by Modelsim 6.1f are as Modelsim MatrixMutil follows. 6.1f are as of simulationresultsby The assign res={ s[ 4]^s[8]^s[12],s[1]^s[ 9]^s[13],s[ 2]^s[ 6]^s[14],s[ 3]^s[ 7]^s[11], 3]^s[ 2]^s[ 6]^s[14],s[ 9]^s[13],s[ 4]^s[8]^s[12],s[1]^s[ res={ s[ assign ………… endmodule ——————————————————————————————————— ———————————————————————————————————— module MatrixMutil(res,state); In MatrixMutil, we found that according to the characteristics of the matrix, the element SubCell: including S-box replacement and reverse S-box replacement, through the control Prince algorithmofround completetransformationa wheel PrinceRound: which modules. The allmodule controls main Prince:The program MatrixMutil: the column vector of matrix multiplication (the intermediate state is the ShiftRow: including the row shift and reverse row shift, through the control signal to In the area optimization method, the PRINCE algorithm mainly has five modules: described follows. as described the encryption is running on hardware. nodes. other by the control signal, which can implement encryption/decryption operations within the module, and it can reduce the number of registers. The Verilog HDL code of main programming is Figure 3: Figure of Optimization 3.2 called PrinceRoundso as to realize the repeated calling. It can effectively reduce the area as follows. as 3.1 The Optimization of MatrixMutil and and The MatrixMutil Optimization of 3.1 on each line is a corresponding elementobtained byof adding thethese correspondingelements. column vector, MatrixMutil, signal to choose the corresponding results output; results asthecorresponding chooseto signal described follows: as described vector); column as output; results the corresponding choose FPGA Optimal Implementation ofPRINCE FPGA of PRINCE Verification Optimization and Area 3.The MatrixMutil,SubCell, ShiftRow, PrinceRound, and the main program Prince. Five modules are
PoS(ISCC 2017)039 Yi Zou Yi ciphertext as follows. as 818665aa0d02dfa ae25ad3ca8fa9ccf 9fb51935fc3df524 604ae6ca03c20ada 78a54cbe737bb7ef shown we also used the same test
and
, k1 ffffffffffffffff fedcba9876543210 0000000000000000 and fedcba9876543210, 0000000000000000 0000000000000000 0000000000000000 4 gainst Power Analysis Attacks Analysis Power gainst
he simulation results can be seen in Fig. 5, the plaintext A
t[3]=tag?tem[2]:state, T , the method of correct. themethod, optimization of is So k0 …… ffffffffffffffff 0000000000000000 0000000000000000 0000000000000000 0000000000000000 isae25ad3ca8fa9ccf. Simulation Results of MainSimulationProgramof Prince Results Simulation Results for the PRINCE Results Round SimulationModule for the Test Vector of PRINCE of Vector Test plaintext assign tem[2]= t[2] ^key tem[2]= t[2] ^RC[r]; assign SC(tem[3],t[3],tag); SubCell assign t[0]=tag? state:tem[1], t[0]=tag? assign result=tag?tem[3]:tem[0]; MM(tem[0],t[0]); MatrixMutil SR(tem[1],t[1],tag); ShiftRow ffffffffffffffff cnt <= cnt; cnt cnt+1: (cnt^10)? <= ? ready ) (cnt)res ( ?te:t_SC :res; ready <= 1:0; (cnt^10)? end The random mask is considered for the S-box transform and inverse S-box transform of The test vector in2 Table is the vector used in Paper [5] Owing to the method of continuous assignment and the clock signal controlled by the PR(t_res,res,key[64:127],cnt); PrinceRound ——————————————————————— The realization of the Prince master control program is to use the counter which controls —————————————————————— begin always @(posedge clk) ———————————————————————— Fig. roundshown are as 4. the for PRINCE resultsmodule Simulation
ciphertext 0123456789abcdef 0000000000000000 0000000000000000 0000000000000000 PRINCE encryption algorithm. Due to the special design of the PRINCE algorithm, it also values on the fifth group in Paper [5]. for input is 012345789abcdef, the key for input is the PRINCE for Analysis of Resisting4.Algorithm Power Figure 5: Figure Table 2: Table calculator to update, the encryption requires only 12 only requiresclock theencryption cycles. update, to calculator PrinceRound module to run transformation round 10 times. The code The is times. transformation 10 round runto PrinceRound module Figure 4: Figure Prince of Program Main 3.3 FPGA Optimal Implementation ofPRINCE FPGA
PoS(ISCC 2017)039 Yi Zou Yi we use a So
un-optimized PRINCE ,
Table Table 3 is the comparison of as follows: as shown respectively. respectively. 5 …}//the 5 rounds next a large amount of memory is needed. gainst Power Analysis Attacks Analysis Power gainst
A
…
// add mask // random );//compensation mask} again. The modified code is suitable for completely random mask, partial M_layer(state); M_layer(R); M_layer(state); M_layer(state); M_layer(R); M_layer(R); M_layer(state); for(;i<=10;i++){ M_layer(state); M_layer(R); M_layer(state); Add(state,key1); Add(state,RC[i]); ShiftRow(R); ShiftRow(state); SubCell(state,R); r_ShiftRow(state);r_ShiftRow(R); Add(state,R Add(state,R);
for(i=1;i<=5;i++){ Add(state,R);SubCell(state,R);Add(state,R);
runs S-box transform and inverse S-box transformation in the control section. In order n the above method, the optimized PRINCE algorithm Verification Result of PRINCE Random Mask Algorithm in VC Algorithm in Result PRINCE Mask of Random Verification added a random mask can verify that the random mask that is random correct. mask verifythe acan added
Algorithm 1:Add(state,key0); Add(state,key1); Add(state,RC[0]); Add(state,key1); 1:Add(state,key0); Algorithm to do a Among From Fig. 6, with the input of plaintext and key, the output of the PRINCE algorithm rea Comparison rea s —————————————————————————————————— —————————————————————————————————— —————————————————————————————————— A logic resource usage on usageFPGA. resource logic algorithm and the PRINCE random mask algorithm are run on FPGA, synthesized by ISE13.2 and downloaded on Xilinx Virtex-5 LX50T FPGA. The result algorithmof on isFPGA shown in theFig. 7. The result ofun-optimized optimized is shown in PRINCE Fig.8. The result of PRINCE random mask algorithm is shown in Fig. 9 Figure 6: Figure Analysis and on FPGA 5.Experiment 5.1 which state is XOR with a random array once, then after randomS-box array transform, the result XOR with a The isalgorithm mask, mask. fixed random random and FPGA Optimal Implementation ofPRINCE FPGA need to construct S-boxes with random mask, special way to avoid consuming more memory. Before the S-box transform, the intermediate
PoS(ISCC 2017)039 The Yi Zou Yi 5326 5417 5481 Flip Flops Flip
100.472, so 100.472, 109.939, 109.939, so by 9.8%. by 9.8%. LUT 5317 6382 5562 102.459, 102.459, so . . reduced . ) ) s s ) s p p p b b b 6 M M ( ( M ( gainst Power Analysis Attacks Analysis Power gainst
A
546.448 535.850 538.43 = = = 12 12 12 / 5433 5497 Slice 5342 / / 64 64 64 * * * 102.459 100.472 100.939 = = = t t t u u u p p p h h h g g g u u u o o o Comparison Results of PRINCE Random Mask Algorithm on FPGA Algorithm on Results PRINCE Mask of Random Results of the Un-optimized PRINCE Algorithmon FPGA theUn-optimized PRINCE of Results on FPGA Algorithm Result PRINCE Optimizedof r r r Comparison of Logic Resource Usage on ComparisonFPGA Logic Resource Usage of PRINCE h h h optimized he clock frequency of PRINCE random mask algorithm PRINCE of random is clock mask frequency he he clock frequency of un-optimized PRINCE algorithm isun-optimizedalgorithmof clock frequency PRINCE he T T T un-optimized T From the above results, we can see that the optimized PRINCE with less area and the T According to the compared data, the optimized PRINCE has advantages in area resource Throughput is equal System clock frequency * length of block / clock of encryption and Random Mask Speed added a fixed fixed value. a added encryption speed is faster, the throughput is increased by 1.5%, and it can be testified that we decryption. The length of cipher block is 64, and clock of encryption and decryption is 12. PRINCE isthe optimizedalgorithm of clock frequency consumption before optimization. The area resource The is area resource optimization. consumption before 5.2 Table 3: Table Figure 9: Figure Figure 8: Figure Figure 7: Figure FPGA Optimal Implementation ofPRINCE FPGA
PoS(ISCC 2017)039
Yi Zou Yi [J]. PRINTcipher: PRINTcipher: LNCS, LNCS, , [C].Telecom market,2013, [C].Telecom
PRINCE:A Low-latency Block PRINCE:A Anultra-lightweight block Anultra-lightweight [C]. Cryptographic Hardware[C]. Cryptographic and : Verilog HDL languageHDL and running Verilog attack. PRESENT KATAN and KTANTAN-A family of small and family of KTANTAN-A and KATAN 326-341. based on
. Research on the PRINCE Algebraic Attack Algebraic PRINCE on the Research 7 [C]. Asiacrypt 2012. LNCS, Vol. 7658, pp. 208-225. Vol. 2012. LNCS, Asiacrypt [C]. defending The LED block cipher shown that random mask added correctly, and the [C].Cryptographic Hardware[C].Cryptographic Embedded and Systems gainst Power Analysis Attacks Analysis Power gainst
A
have Side Channel Cube Attack on PRINCEAttack ChannelSide Cube Differential Fault analysis of PRINCE lightweight cryptographic analysis of PRINCE Fault lightweight Differential [C].CHES 2010, LNCS, Vol.6225, pp.16-32. Vol.6225, [C].CHES 2010, LNCS, . Knudsen L R Leander a1 Get Knudsen L , Cryptographic Hardware (CHES Embedded 2007), and Cryptographic Systems 2007 [J]. Computer Science,2017,44(6A):377-379. . he experimental results T [C] ZOU Yi, LI Lang, JIAO Ge. Lang, LI JIAO Yi, ZOU Lars Knudsen, Gregor Leander, Axel Poschmann and Matthew J. B. Robshaw. B. Robshaw. Axel Matthew and Poschmann J. Lars Knudsen, Leander, Gregor Kavun. Guneysu, Elif Bilge Tim Canteaut,Anne Julia Borgho, Chao. Cheng Lei,Sun Bing,Li al. et Ting, LI DU Lang, Guo-quan, ZENG Bogdanov A Bogdanov Canniere De,Dunkelman nezevic K O,and M. al. ,et A Poschmann T, PeyrinGuo J, his paper proposed a method based on area optimization for PRINCE, and realized the T MATHEMATICS IN PRACTICE AND THEORY,2015,45(5):153-159. AND IN PRACTICE MATHEMATICS algorithm Cipher for Pervasive Computing Applications PervasiveCipher for Computing 2:107-114. 2009,2009,LNCS, Vol.5747, pp.272-288. Vol.5747, 2009,2009,LNCS, Vol. 2011,LNCS, System(CHESEmbedded 2011). for Block IC-Printing Cipher A cipher pp.450-466 Vol.4727, block ciphers efficient hardwareoriented [7] [8] [5] [6] [3] [4] [1] [2] on FPGA. algorithm of resisting power analysis which is proposed in this paper added fixed random mask abilityitaof has certain Theoretically, value. References FPGA Optimal Implementation ofPRINCE FPGA 6. Conclusion algorithm of resisting power analysis for PRINCE