THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10–11, 1999 Efficient Block Ciphers for Smartcards Joan Daemen Proton World International Vincent Rijmen K.U. Leuven © 1999 by The USENIX Association All Rights Reserved Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. For more information about the USENIX Association: Phone: 1 510 528 8649 FAX: 1 510 548 5738 Email: [email protected] WWW: http://www.usenix.org Ecient Blo ck Ciphers for Smartcards Joan Daemen Proton World Int'l Zweefvliegtuigstraat 10 B-1130 Brussel, Belgium [email protected] Vincent Rijmen K.U.Leuven, Dept. ESAT Kard. Mercierlaan 94 B-3001 Heverlee, Belgium [email protected] e April 1, 1999 Abstract designed and published: Square [1]. Currently, the Square family consists of three ciphers: Square, with a blo ck length We present a family of blo ck ciphers that and a key length of 128 bits; BKSQ with a can b e implemented very eciently on cheap blo ck length of 96 bits and a variable key Smartcard pro cessors. The ciphers use a length 96, 144 or 192 bits; and Rijndael very small amount of RAM and a reasonable with a variable blo ck length and key length amountofROM. Both cipher execution and b oth can b e indep endently sp eci ed at 128, key setup/key change are very fast. The ci- 192 or 256 bits. The three ciphers are de- phers resist theoretical and practical cryptan- signed to b e secure against all known crypto- alytic attacks and in their design timing and graphic attacks. For a treatment of crypto- power analysis attacks have b een taken into graphic security and the design rationale we account. refer to [1,2,3]. This pap er treats implemen- tation asp ects and in particular those sp eci c for Smartcards. 1 Intro duction In Section 2 we present the common ci- pher structure of the Square family. Section 3 discusses the implementation of the ciphers In many applications Smartcards are used on typical Smartcard pro cessors. Section 4 as p ortable secure devices. For their secu- treats the features of the presented ciphers rity the applications make use of MAC gener- to thwart attacks that exploit typical weak- ation/veri cation and encryption/decryption nesses of cipher implementations on Smart- using a blo ck cipher. We present a family of cards. Section 5 lists concrete p erformance blo ck ciphers that are suited for this purp ose. gures. Additionally, all these ciphers can be used as ecient one-way function and the variants with blo ck size of 196 bits or higher are ef- cient compression function to form an iter- ated cryptographic hash function. The fam- ily is named after its rst member that was F.W.O. Postdo ctoral researcher, sp onsored by the Fund for Scienti c Research - Flanders Belgium. be done by using op erations like 32-bit ro- 2 Cipher structure tations, multiplications, ..., but the use of these op erations complicates Smartcard im- plementations. In the Square family, the dif- A Square cipher is an iterated blo ck cipher: fusion step can b e describ ed as a matrix mul- it consists of the rep eated application of a tiplication cf. Section 3. The co ecients of round transformation that is parameterized the multiplication matrix have b een selected by a round key. The round keys are derived carefully to provide di usion that is optimal from the cipher key by means of a key sched- in a very de nite, mathematical sense, while ule. The blo ck length is indicated by n, the at the same time allowing very ecient imple- cipher key length by m and the number of mentation on standard Smartcard pro cessors. rounds by r . 2.2 The key schedule 2.1 The round transformation The round keys have length n and r +1 The round transformation is comp osed round keys are required: one for every round of four invertible uniform transformations, and a nal key addition. The key schedule called steps. These steps can be describ ed can b e thought to o ccur in two phases. most easily by thinking of the input as a rect- angular byte array. The dimensions of this byte arrayvary for the di erentmembers of Generation of the expanded key: The the family, and dep end on the blo ck size. The expanded key is initialized by taking four steps are describ ed as follows cf. Fig- the m-bit cipher key. It is expanded by ure 1. iteratively attaching m-bit blo cks that are computed from the previously at- tached blo ckby means of an LFSR-like The di usion step: Every byte is replaced computation. This is rep eated until the by a linear combination of the bytes expanded key has length nr +1. within the same column. The bytes are considered as elements in the eld Extraction of round keys: Round key i is 8 GF2 . taken from the expanded key by taking The disp ersion step: A p ermutation of the i-th n-bit blo ck. the bytes over di erent columns. This is done by shifting the rows of the byte ar- The LFSR computations in the key expan- rayover di erent amounts, or by a trans- sion ensure that any pair of di erent cipher p osition of the byte array for Square. keys result in a pair of expanded keys with The nonlinear step: A substitution of the a large Hamming di erence. The addition of round constants removes symmetry between bytes by means of a nonlinear lo okup ta- the rounds. This is necessary in order to ble. provide resistance against related-key attacks The round key addition: The bytes are and attacks where the cipher key is known, EXORed with an n-bit round key. e.g., if the cipher is used as the compression function of a hash function. The choice for the op erations in the dif- ferent steps has b een in uenced by our wish to make the cipher eciently implementable 3 Sp eci c Smartcard implemen- on Smartcards. The key addition, the disp er- tation asp ects sion and the nonlinear step all can b e imple- mented using op erations on individual bytes, the natural \unit" on an 8-bit pro cessor. In In this section we discuss the implementa- the di usion step, inter-byte di usion has to tion of the cipher on 8-bit pro cessors with a be realised. On a 32-bit pro cessor, this can - Di usion step - - a c S [a] S [b] S [c] S [d] b d Nonlinear step - g e S [e] S [f ] S [g ] S [h] f h j S [i] S [j ] S [k ] S [l ] i k l a c a c b d b d Disp ersion step - g g e e f f h h j j i i k l k l Figure 1: Graphical illustration of some basic op erations of the Square ciphers. limited amount of RAM and ROM available, lo cation. i.e., typical Smartcard pro cessors. Implementing the di usion step is less straightforward. It takes the computation of additions and multiplication in the eld 3.1 The round transformation 8 GF2 . Addition over this eld corresp onds to the readily available EXOR instruction. The multiplication factors are the elements The round transformation can be imple- 8 of GF2 represented bybyte values 1, 2 and mented by serially p erforming the di erent 3. The multiplication by these factors can b e steps. done as follows: The nonlinear step consists of a table 8 lo okup op eration that is the same for all 1 is the identity in GF2 andmultipli- input bytes. The 256-byte lo okup table is cation by it do es not require any compu- hard-co ded in the cipher program and the ta- tation at all. ble lo okup can be implemented with a sim- ple load accumulator instruction in indexed Multiplication by 2 in the nite eld mo de. The round key addition is imple- could b e implemented as a left shift, fol- mented with the EXOR instruction. The byte lowed by a reduction. However, the exe- disp ersion step do es not take dedicated in- cution time and/or the p ower consump- structions but is emb o died in the wayinput tion pattern of a reduction dep end on the bytes are loaded and stored in the preced- value of the op erand. If the MSB of the ing/succeeding steps. These three steps can op erand is 1, the reduction takes place, be implemented in the following way: the if 0, the reduction can b e skipp ed. This byte is loaded into the index register, an in- can b e done in constant time by execut- dexed load accumulator instruction is per- ing dummy instructions e.g., NOP in formed, the round key byte is EXORed and the case the reduction is skipp ed. How- the accumulator is stored to the hard co ded ever, this gives rise to two di erent se- 3.2 The inverse round transforma- quences of op erations. The op eration tion can be implemented with a xed series of instructions by implementing the mul- tiplication by 2 as a table lo okup with a dedicated lo okup table 2mult[], that is de ned as The Square ciphers do not have the Feis- tel structure, like e.g.