Simon and Speck: Block Ciphers for Internet of Things

Simon and Speck: Block Ciphers for Internet of Things

Simon and Speck: Block Ciphers for the Internet of Things∗ Ray Beaulieu Douglas Shors Jason Smith Stefan Treatman-Clark Bryan Weeks Louis Wingers National Security Agency 9800 Savage Road, Fort Meade, MD, 20755, USA [email protected], {djshors, jksmit3, sgtreat, beweeks, lrwinge}@tycho.ncsc.mil 9 July 2015 Abstract application (e.g., with hard-wired key or for IC print­ ing), or designing specifically for low-latency appli­ The U.S. National Security Agency (NSA) developed the Simon and Speck families of cations, and so on. lightweight block ciphers as an aid for securing We would argue that what’s needed in the Internet applications in very constrained environments of Things (IoT) era is not more Kirtland’s warblers where AES may not be suitable. This paper sum­ and koalas, as wonderful as such animals may be, marizes the algorithms, their design rationale, but crows and coyotes. An animal that eats only eu­ along with current cryptanalysis and implemen­ calyptus leaves, even if it outcompetes the koala, will tation results. never become widely distributed. Similarly, a block cipher highly optimized for performance on a partic­ 1 Introduction ular microcontroller will likely be outcompeted on other platforms, and could be of very limited utility Biologists make a distinction between specialist in 15 years when its target platform is obsolete. species, which occupy narrow ecological niches, and generalists, which can survive in a broader variety of Of course it’s hard to get a handle on block cipher environmental conditions. Specialists include Kirt­ performance on devices that don’t yet exist. But what land’s warbler, a bird that only nests in 5–20 year-old we can do is strive for simplicity, by designing algo­ jack pine forests, and the koala, which feeds (almost) rithms around very basic operations that are certain exclusively on eucalyptus leaves. Generalists such as to be supported by any future device capable of com­ the American crow and the coyote are able to adapt to putation. Simon and Speck aim to be the sort of gener­ a variety of different environments. In a stable world, alist block ciphers that we think will be required for it’s a good strategy to specialize, but when conditions future applications in the IoT era. change rapidly, specialists don’t always fare so well. It would be unsatisfactory if we had to defer any The new age of pervasive computing is nothing discussion of performance because we’re waiting for if not rapidly changing. And yet, in the world of the arrival of future devices. But we can measure per­ lightweight cryptography, specialists abound. Of formance on current platforms, and in this paper we course there are important research challenges as­ demonstrate the sort of performance that is achieved sociated with optimizing performance on particular by Simon and Speck on a broad range of existing soft­ platforms, and the direction taken by many in the ware and hardware platforms. We emphasize, how­ field has been to take on such challenges, generally ever, that the main point is not the performance of quite successfully. This can involve optimizing with Simon and Speck with respect to other algorithms on respect to the instruction set for a certain microcon­ any particular platform. Rather, it’s that by limiting troller, or designing algorithms for a particular ASIC the operations we rely on to a small list that works well in hardware and software, we obtain algorithms ∗This paper was accepted for the NIST Lightweight Cryptog­ raphy Workshop, 20-21 July 2015. that are likely to perform well just about anywhere. 1 2 AES and Lightweight Cryptography supporting software implementations, but these algo­ rithms retain a bias toward hardware performance. Before focusing our discussion on Simon and Speck, We believe a lightweight block cipher should be we’d like to better establish the state of play. In par­ “light” on a wide range of hardware- and software- ticular, we note that quite a lot of effort has gone into based devices, including ASICs, FPGAs, and 4-, 8-, reshaping the current go-to block cipher, AES, into a 16-, and 32-bit microcontrollers. Moreover, as noted solution for lightweight applications. Indeed, great in [11], many of these devices will interact with a strides have been made in this direction in the past 15 backend server, so a lightweight block cipher should years or so. ASIC implementations of AES-128 have also perform well on 64-bit processors. been developed with an area of just 2400 gate equiv­ It seems clear to us that there is a need for flexible alents (GE) [41] and fast software implementations secure block ciphers, i.e., ones which can perform are available for 8-bit [44] and 16-bit [21] microcon­ well on all of these platforms. Our aim, with the trollers. design of Simon and Speck, is to make this sort of However, there are limits as to how far these types block cipher available for future use. of adaptations can be pushed. They tend to fall short of what is required for today’s most constrained envi­ 3 The Simon and Speck Block Ciphers ronments, and surely won’t meet tomorrow’s needs. For example, the consensus has long been that a bud­ In 2011, prompted by potential U.S. government re­ get of 2000 GE is all the chip area that might reason­ quirements for lightweight ciphers (e.g., SCADA and ably be allocated for security on the most constrained logistics applications) and the concerns with existing RFID tags [36], and this is well out of reach for AES cryptographic solutions which we’ve noted above, implementations. On microcontrollers, AES imple­ we began work on the Simon and Speck block cipher mentations can be very fast but they also tend to be families on behalf of the Research Directorate of the large and complex. Implementations that decrease U.S. National Security Agency (NSA). size or complexity certainly exist, but small imple­ Because our customers will rely on commercial mentations tend to be complex (and slow), while sim­ devices, we determined that the only realistic way to ple implementations tend to be large (and slow). make the algorithms available would be to put them One further point about AES: not every application in the public domain. Furthermore, because cost will requires the same high level of security that AES is be such an important driver in this area—a fraction of designed to provide. When resources are scarce, it a penny per device may make the difference between doesn’t always make sense to lavish them on an algo­ whether a cryptographic solution is viable or not—we rithm providing 128 (or 192 or 256) bits of security were motivated to make Simon and Speck as simple, when 96 might suffice. In addition, the AES block size flexible, and lightweight as we could. Our hope was of 128 bits is not always optimal. An RFID authen­ that their availability would make it possible to raise tication protocol may only ask that 64-bit quantities the security bar for future IoT devices. be encrypted, and demanding 128 bits of state when The development process culminated in the publi­ only 64 are necessary can amount to a significant cation of the algorithm specifics in June 2013 [9]. Prior waste of chip area. to this, Simon and Speck were analyzed by NSA crypt- These are the principal reasons for the develop­ analysts and found to have security commensurate ment of new lightweight block ciphers, and many with their key lengths; i.e., no weaknesses were found. new algorithms have been proposed. Since the limi­ Perhaps more importantly, the algorithms have been tations of AES are more apparent in hardware than pretty heavily scrutinized by the international cryp­ in software, most of the best efforts to date have fo­ tographic community for the last two years (see, e.g., cused on this aspect of the problem. This work has [2], [3], [5], [4], [1], [6], [15], [16], [20], [27], [29], [37], produced designs including PRESENT [17], KATAN [47], [51], [53], [56], [59], [62], [60], [30], [7], [25], [42], [22], and Piccolo [52], each of which has a very small [24]). Table 1 summarizes the cryptanalytic results as hardware footprint. But none was meant to provide of this writing that attack the most rounds of Simon high performance on constrained software-based de­ and Speck. (We note that the recent paper [7] pur­ vices, e.g., 8-and 16-bit microcontrollers. The design­ ports to attack 24 rounds of Simon 32/64. The author ers of LED [35] and TWINE [57] are more intent on informs us that this paper is currently under revision, 2 size alg rounds ref they may still be useful for certain highly constrained applications where nothing better is possible. total attacked 32/64 Simon 32 23 (72%) [24] block size key sizes Speck 22 14 (64%) [29] 32 64 48/72 Simon 36 24 (67%) [24] 48 72, 96 Speck 22 14 (64%) [29] 64 96, 128 48/96 Simon 36 25 (69%) [24] 96 96, 144 Speck 23 15 (65%) [29] 128 128, 192, 256 64/96 Simon 42 30 (71%) [24] Speck 26 18 (69%) [29] Table 2: Simon and Speck parameters. 64/128 Simon 44 31 (70%) [24] Speck 27 19 (70%) [29] The desire for flexibility through simplicity moti­ 96/96 Simon 52 37 (71%) [61, 24] vated us to limit the operations used within Simon Speck 28 16 (57%) [29] and Speck to the following short list: 96/144 Simon 54 38 (70%) [24] • modular addition and subtraction, + and , Speck 29 17 (59%) [29] − • bitwise XOR, , ⊕ 128/128 Simon 68 49 (72%) [61, 24] • bitwise AND, &, Speck 32 17 (53%) [29] • left circular shift, S j , by j bits, and 128/192 Simon 69 51 (74%) [24] j • right circular shift, S− , by j bits.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    15 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us