Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results The LED Block Cipher Jian Guo, Thomas Peyrin, Axel Poschmann and Matt Robshaw I2R, NTU and Orange Labs CHES 2011 Nara, Japan Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Outline Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Current picture of lightweight primitives - graphically GE TRIVIUM 2500 AES S-QUARK DESXL PHOTON-256/32/32 2000 Th. optimum DESL D-QUARK PHOTON-224/32/32 KLEIN-96 1500 KLEIN-80 PRESENT-128 U-QUARK GRAIN PHOTON-160/36/36 KLEIN-64 PHOTON-128/16/16 KATAN-64 1000 PRESENT-80 PHOTON-80/20/16 KTANTAN64 PRINTcipher-96 500 KTANTAN32 PRINTcipher-48 internal memory 64 128 192 256 Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Current picture of lightweight block ciphers - graphically GE 2500 AES DESXL 2000 Th. optimum DESL KLEIN-96 1500 KLEIN-80 PRESENT-128/PICCOLO-128 KLEIN-64 KATAN-64 1000 PRESENT-80/PICCOLO-80 KTANTAN64 PRINTcipher-96 500 KTANTAN32 PRINTcipher-48 internal memory 64 128 192 256 Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Lightweight block ciphers are too provocative ? • ARMADILLO: key-recovery attacks [A+-2011] • HIGHT: related-key attacks [K+-2010] • Hummingbird-1: practical related-IV attacks [S-2011] • KTANTAN: practical related-key attacks [A-2011]˚ • PRINTcipher: large weak-keys classes [AJ-2011]˚ PRESENT is still unbroken. Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Light Encryption Device We propose a new 64-bit block cipher LED: • as small as PRESENT • faster than PRESENT in software (and slower in hardware) • significant security margin • can take any key size from 64 to 128 bits • key can be directly hardwired (without any modification) • provable resistance to classical differential and linear attacks ... • ... both in the single-key and related-key models Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Outline Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results A single round of LED AddConstants SubCells ShiftRows MixColumnsSerial S S S S S S S S 4 cells S S S S S S S S 4 cells 4 bits The 64-bit round function is an SP-network: • AddConstants: xor round-dependent constants to the two first columns • SubCells: apply the PRESENT 4-bit Sbox to each cell • ShiftRows: rotate the i-th line by i positions to the left • MixColumnsSerial: apply the special MDS matrix to each columns independently Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Efficient Serially Computable MDS Matrices MDS Matrices (“Maximum Distance Separable”) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active. We use the same trick as in PHOTON (CRYPTO 2011): implement an MDS matrix that can be efficiently computed in a serial way. We keep the same good diffusion properties and good software performances as the classical MDS constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering). 0 0 1 0 0 ··· 0 0 0 0 1 B C B 0 0 1 0 ··· 0 0 0 0 C B C B . C B C B . C B . C A = B C B 0 0 0 0 ··· 0 1 0 0 C B C B C B 0 0 0 0 ··· 0 0 1 0 C B C B C @ 0 0 0 0 ··· 0 0 0 1 A Z0 Z1 Z2 Z3 ··· Zd−4 Zd−3 Zd−2 Zd−1 Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Efficient Serially Computable MDS Matrices MDS Matrices (“Maximum Distance Separable”) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active. We use the same trick as in PHOTON (CRYPTO 2011): implement an MDS matrix that can be efficiently computed in a serial way. We keep the same good diffusion properties and good software performances as the classical MDS constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering). 0 1 0 1 0 1 0 0 ··· 0 0 0 0 v0 B C B C B 0 0 1 0 ··· 0 0 0 0 C B v1 C B C B C B . C B . C B C B C B . C B . C B . C B . C B C · B C = B 0 0 0 0 ··· 0 1 0 0 C B v C B C B d−4 C B C B C B 0 0 0 0 ··· 0 0 1 0 C B v C B C B d−3 C B C B C @ 0 0 0 0 ··· 0 0 0 1 A @ vd−2 A Z0 Z1 Z2 Z3 ··· Zd−4 Zd−3 Zd−2 Zd−1 vd−1 Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Efficient Serially Computable MDS Matrices MDS Matrices (“Maximum Distance Separable”) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active. We use the same trick as in PHOTON (CRYPTO 2011): implement an MDS matrix that can be efficiently computed in a serial way. We keep the same good diffusion properties and good software performances as the classical MDS constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering). 0 1 0 1 0 1 0100 ··· 0000 v0 v1 B C B C B C B 0 0 1 0 ··· 0 0 0 0 C B v1 C B C B C B C B C B . C B . C B . C B C B C B C B . C B . C B . C B . C B . C B . C B C · B C = B C B 0 0 0 0 ··· 0 1 0 0 C B v C B C B C B d−4 C B C B C B C B C B 0 0 0 0 ··· 0 0 1 0 C B v C B C B C B d−3 C B C B C B C B C @ 0 0 0 0 ··· 0 0 0 1 A @ vd−2 A @ A Z0 Z1 Z2 Z3 ··· Zd−4 Zd−3 Zd−2 Zd−1 vd−1 Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Efficient Serially Computable MDS Matrices MDS Matrices (“Maximum Distance Separable”) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active. We use the same trick as in PHOTON (CRYPTO 2011): implement an MDS matrix that can be efficiently computed in a serial way. We keep the same good diffusion properties and good software performances as the classical MDS constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering). 0 1 0 1 0 1 0 1 0 0 ··· 0 0 0 0 v0 v1 B C B C B C B 0010 ··· 0000 C B v1 C B v2 C B C B C B C B . C B . C B . C B C B C B C B . C B . C B . C B . C B . C B . C B C · B C = B C B 0 0 0 0 ··· 0 1 0 0 C B v C B C B C B d−4 C B C B C B C B C B 0 0 0 0 ··· 0 0 1 0 C B v C B C B C B d−3 C B C B C B C B C @ 0 0 0 0 ··· 0 0 0 1 A @ vd−2 A @ A Z0 Z1 Z2 Z3 ··· Zd−4 Zd−3 Zd−2 Zd−1 vd−1 Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Efficient Serially Computable MDS Matrices MDS Matrices (“Maximum Distance Separable”) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active. We use the same trick as in PHOTON (CRYPTO 2011): implement an MDS matrix that can be efficiently computed in a serial way. We keep the same good diffusion properties and good software performances as the classical MDS constructions, but the hardware is improved since no additional memory cell is needed (for both ciphering and deciphering). 0 1 0 1 0 1 0 1 0 0 ··· 0 0 0 0 v0 v1 B C B C B C B 0 0 1 0 ··· 0 0 0 0 C B v1 C B v2 C B C B C B C B . C B . C B . C B C B C B C B . C B . C B . C B . C B . C B . C B C · B C = B C B 0000 ··· 0100 C B v C B v C B C B d−4 C B d−3 C B C B C B C B 0 0 0 0 ··· 0 0 1 0 C B v C B C B C B d−3 C B C B C B C B C @ 0 0 0 0 ··· 0 0 0 1 A @ vd−2 A @ A Z0 Z1 Z2 Z3 ··· Zd−4 Zd−3 Zd−2 Zd−1 vd−1 Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results Efficient Serially Computable MDS Matrices MDS Matrices (“Maximum Distance Separable”) have excellent diffusion properties: for a d-cell vector, we are ensured that at least d + 1 input / output cells will be active.