Six shades lighter: a bit-serial implementation of the AES family

AbstractRecently, cryptographic literature has seen new block cipher designs such as , or that aim to be more lightweight than the current standard, i.e., . Even though family of block ciphers were designed two decades ago, they still remain as the de facto encryption standard, with being the most widely deployed variant. In this work, we revisit the combined one-in-all implementation of the family, namely both encryption and decryption of each as a single ASIC circuit. A preliminary version appeared in Africacrypt 2019 by Balli and Banik, where the authors design a byte-serial circuit with such functionality. We improve on their work by reducing the size of the compact circuit to 2268 GE through 1-bit-serial implementation, which achieves 38% reduction in area. We also report stand-alone bit-serial versions of the circuit, targeting only a subset of modes and versions, e.g., and . Our results imply that, in terms of area, and can easily compete with the larger members of recently designed family, e.g., , . Thus, our implementations can be used interchangeably inside authenticated encryption candidates such as , or in place of .

Download Full-text

The Area-Latency Symbiosis: Towards Improved Serial Encryption Circuits

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i1.239-278 ◽

2020 ◽

pp. 239-278

Author(s):

Fatih Balli ◽

Andrea Caforio ◽

Subhadeep Banik

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Significant Loss ◽

Authenticated Encryption ◽

End User ◽

Maximum Throughput ◽

Mode Of Operation ◽

Encryption Schemes ◽

Bit Serial

The bit-sliding paper of Jean et al. (CHES 2017) showed that the smallest-size circuit for SPN based block ciphers such as AES, SKINNY and PRESENT can be achieved via bit-serial implementations. Their technique decreases the bit size of the datapath and naturally leads to a significant loss in latency (as well as the maximum throughput). Their designs complete a single round of the encryption in 168 (resp. 68) clock cycles for 128 (resp. 64) bit blocks. A follow-up work by Banik et al. (FSE 2020) introduced the swap-and-rotate technique that both eliminates this loss in latency and achieves even smaller footprints.In this paper, we extend these results on bit-serial implementations all the way to four authenticated encryption schemes from NIST LWC. Our first focus is to decrease latency and improve throughput with the use of the swap-and-rotate technique. Our block cipher implementations have the most efficient round operations in the sense that a round function of an n-bit block cipher is computed in exactly n clock cycles. This leads to implementations that are similar in size to the state of the art, but have much lower latency (savings up to 20 percent). We then extend our technique to 4- and 8-bit implementations. Although these results are promising, block ciphers themselves are not end-user primitives, as they need to be used in conjunction with a mode of operation. Hence, in the second part of the paper, we use our serial block ciphers to bootstrap four active NIST authenticated encryption candidates: SUNDAE-GIFT, Romulus, SAEAES and SKINNY-AEAD. In the wake of this effort, we provide the smallest block-cipher-based authenticated encryption circuits known in the literature so far.

Download Full-text

A New Block Cipher Based on Finite Automata Systems

International Journal on Perceptive and Cognitive Computing ◽

10.31436/ijpcc.v2i1.31 ◽

2016 ◽

Vol 2 (1) ◽

Author(s):

Gh Khaleel ◽

SHERZOD TURAEV ◽

M.I.M. Tamrin ◽

Imad F. Al-Shaikhli

Keyword(s):

Block Cipher ◽

Finite Automata ◽

Parallel Computations ◽

Block Ciphers ◽

Central Importance ◽

High Security ◽

Encryption And Decryption

The performance and security have central importance of cryptography field. Therefore, theneed to use block ciphers are become very important. This paper presents a new block cipher based on finiteautomata system. The proposed cryptosystem is executed based on parallel computations to reduce thedelay time. Moreover, to achieve high security, we use different machines (variant non-deterministicautomata accepters) as keys for encryption and decryption.

Download Full-text

Efficient Length Doubling From Tweakable Block Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i3.253-270 ◽

2017 ◽

pp. 253-270 ◽

Cited By ~ 2

Author(s):

Yu Long Chen ◽

Atul Luykx ◽

Bart Mennink ◽

Bart Preneel

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Arbitrary Length ◽

Pseudorandom Permutation ◽

Cryptographic Primitive ◽

Length Data ◽

Tweakable Block Cipher ◽

Integral Data

We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n − 1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.

Download Full-text

Computing Symmetric Block Cipher Using Linear Algebraic Equation

International Journal of Communication Networks and Security ◽

10.47893/ijcns.2011.1001 ◽

2011 ◽

pp. 7-11

Author(s):

Pradeep Kumar Mallick ◽

N.K. kamila ◽

S. Patnaik

Keyword(s):

Algebraic Equation ◽

Linear Algebraic Equation ◽

Block Cipher ◽

Block Ciphers ◽

Algebraic Equations ◽

Text File ◽

Linear Algebraic Equations ◽

Encryption And Decryption ◽

Current Algorithm ◽

Symmetric Block

In this paper, a pair of symmetric block ciphers has been developed for encryption and decryption of text file. The characters in the file are represented by the ASCII codes. A substitution table and a reverse substitution table are formed by using a key. The process of encryption and decryption is carried by using linear algebraic equations. However, the cryptanalysis has been discussed for establishing the strength of the algorithm. Result and analysis exhibits that the current algorithm works well and more secured to break the cipher.

Download Full-text

Improved Meet-in-the-Middle Attacks on Reduced-Round Kiasu-BC and Joltik-BC

The Computer Journal ◽

10.1093/comjnl/bxz059 ◽

2019 ◽

Vol 62 (12) ◽

pp. 1761-1776 ◽

Cited By ~ 1

Author(s):

Ya Liu ◽

Yifan Shi ◽

Dawu Gu ◽

Zhiqiang Zeng ◽

Fengyu Zhao ◽

...

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Authenticated Encryption ◽

Caesar Competition ◽

Encryption Algorithms ◽

Lightweight Block Cipher

Abstract Kiasu-BC and Joltik-BC are internal tweakable block ciphers of authenticated encryption algorithms Kiasu and Joltik submitted to the CAESAR competition. Kiasu-BC is a 128-bit block cipher, of which tweak and key sizes are 64 and 128 bits, respectively. Joltik-BC-128 is a 64-bit lightweight block cipher supporting 128 bits tweakey. Its designers recommended the key and tweak sizes are both 64 bits. In this paper, we propose improved meet-in-the-middle attacks on 8-round Kiasu-BC, 9-round and 10-round Joltik-BC-128 by exploiting properties of their structures and using precomputation tables and the differential enumeration. For Kiasu-BC, we build a 5-round distinguisher to attack 8-round Kiasu-BC with $2^{109}$ plaintext–tweaks, $2^{112.8}$ encrytions and $2^{92.91}$ blocks. Compared with previously best known cryptanalytic results on 8-round Kiasu-BC under chosen plaintext attacks, the data and time complexities are reduced by $2^{7}$ and $2^{3.2}$ times, respectively. For the recommended version of Joltik-BC-128, we construct a 6-round distinguisher to attack 9-round Joltik-BC-128 with $2^{53}$ plaintext–tweaks, $2^{56.6}$ encryptions and $2^{52.91}$ blocks, respectively. Compared with previously best known results, the data and time complexities are reduced by $2^7$ and $2^{5.1}$ times, respectively. In addition, we present a 6.5-round distinguisher to attack 10-round Joltik-BC-128 with $2^{53}$ plaintext–tweaks, $2^{101.4}$ encryptions and $2^{76.91}$ blocks.

Download Full-text

A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i3.73-107 ◽

2017 ◽

pp. 73-107 ◽

Cited By ~ 4

Author(s):

Carlos Cid ◽

Tao Huang ◽

Thomas Peyrin ◽

Yu Sasaki ◽

Ling Song

Keyword(s):

Linear Programming ◽

Mixed Integer Linear Programming ◽

Block Cipher ◽

Security Analysis ◽

Block Ciphers ◽

Mixed Integer ◽

Authenticated Encryption ◽

Search Tool ◽

Caesar Competition ◽

Milp Model

In this article, we provide the first independent security analysis of Deoxys, a third-round authenticated encryption candidate of the CAESAR competition, and its internal tweakable block ciphers Deoxys-BC-256 and Deoxys-BC-384. We show that the related-tweakey differential bounds provided by the designers can be greatly improved thanks to a Mixed Integer Linear Programming (MILP) based search tool. In particular, we develop a new method to incorporate linear incompatibility in the MILP model. We use this tool to generate valid differential paths for reduced-round versions of Deoxys-BC-256 and Deoxys-BC-384, later combining them into broader boomerang or rectangle attacks. Here, we also develop a new MILP model which optimises the two paths by taking into account the effect of the ladder switch technique. Interestingly, with the tweak in Deoxys-BC providing extra input as opposed to a classical block cipher, we can even consider beyond full-codebook attacks. As these primitives are based on the TWEAKEY framework, we further study how the security of the cipher is impacted when playing with the tweak/key sizes. All in all, we are able to attack 10 rounds of Deoxys-BC-256 (out of 14) and 13 rounds of Deoxys-BC-384 (out of 16). The extra rounds specified in Deoxys-BC to balance the tweak input (when compared to AES) seem to provide about the same security margin as AES-128. Finally we analyse why the authenticated encryption modes of Deoxys mostly prevent our attacks on Deoxys-BC to apply to the authenticated encryption primitive.

Download Full-text

SKINNY-AEAD and SKINNY-Hash

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.is1.88-131 ◽

2020 ◽

pp. 88-131 ◽

Cited By ~ 1

Author(s):

Christof Beierle ◽

Jérémy Jean ◽

Stefan Kölbl ◽

Gregor Leander ◽

Amir Moradi ◽

...

Keyword(s):

Internal State ◽

Block Ciphers ◽

Third Party ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

The Family ◽

Encryption Schemes ◽

Standardization Process

We present the family of authenticated encryption schemes SKINNY-AEAD and the family of hashing schemes SKINNY-Hash. All of the schemes employ a member of the SKINNY family of tweakable block ciphers, which was presented at CRYPTO 2016, as the underlying primitive. In particular, for authenticated encryption, we show how to instantiate members of SKINNY in the Deoxys-I-like ΘCB3 framework to fulfill the submission requirements of the NIST lightweight cryptography standardization process. For hashing, we use SKINNY to build a function with larger internal state and employ it in a sponge construction. To highlight the extensive amount of third-party analysis that SKINNY obtained since its publication, we briefly survey the existing cryptanalysis results for SKINNY-128-256 and SKINNY-128-384 as of February 2020. In the last part of the paper, we provide a variety of ASIC implementations of our schemes and propose new simple SKINNY-AEAD and SKINNY-Hash variants with a reduced number of rounds while maintaining a very comfortable security margin. https://csrc.nist.gov/Projects/Lightweight-Cryptography

Download Full-text

A novel cryptosystem based on abstract automata and Latin cubes

Studia Scientiarum Mathematicarum Hungarica ◽

10.1556/012.2015.52.2.1309 ◽

2015 ◽

Vol 52 (2) ◽

pp. 221-232

Author(s):

Pál Dömösi ◽

Géza Horváth

Keyword(s):

Block Cipher ◽

Finite Automata ◽

Theoretical Background ◽

Point Of View ◽

Theoretical Point ◽

Transition Matrices ◽

Encryption And Decryption ◽

Secret Keys ◽

Automata Network ◽

Fully Functioning

In this paper we introduce a novel block cipher based on the composition of abstract finite automata and Latin cubes. For information encryption and decryption the apparatus uses the same secret keys, which consist of key-automata based on composition of abstract finite automata such that the transition matrices of the component automata form Latin cubes. The aim of the paper is to show the essence of our algorithms not only for specialists working in compositions of abstract automata but also for all researchers interested in cryptosystems. Therefore, automata theoretical background of our results is not emphasized. The introduced cryptosystem is important also from a theoretical point of view, because it is the first fully functioning block cipher based on automata network.

Download Full-text

Comparing Performances of Cypress Block Cipher and Modern Lighweight Block Ciphers on Different Platforms

2019 IEEE International Scientific-Practical Conference Problems of Infocommunications, Science and Technology (PIC S&T) ◽

10.1109/picst47496.2019.9061521 ◽

2019 ◽

Author(s):

Mariia Rodinko ◽

Roman Oliynykov

Keyword(s):

Block Cipher ◽

Block Ciphers

Download Full-text

Efficient Implementation of PRESENT and GIFT on Quantum Computers

Applied Sciences ◽

10.3390/app11114776 ◽

2021 ◽

Vol 11 (11) ◽

pp. 4776

Author(s):

Kyungbae Jang ◽

Gyeongju Song ◽

Hyunjun Kim ◽

Hyeokdong Kwon ◽

Hyunji Kim ◽

...

Keyword(s):

Block Cipher ◽

Search Algorithm ◽

Block Ciphers ◽

Quantum Circuits ◽

Security Level ◽

Symmetric Key ◽

Grover Search ◽

Target Block ◽

Symmetric Key Cryptography ◽

Grover Search Algorithm

Grover search algorithm is the most representative quantum attack method that threatens the security of symmetric key cryptography. If the Grover search algorithm is applied to symmetric key cryptography, the security level of target symmetric key cryptography can be lowered from n-bit to n2-bit. When applying Grover’s search algorithm to the block cipher that is the target of potential quantum attacks, the target block cipher must be implemented as quantum circuits. Starting with the AES block cipher, a number of works have been conducted to optimize and implement target block ciphers into quantum circuits. Recently, many studies have been published to implement lightweight block ciphers as quantum circuits. In this paper, we present optimal quantum circuit designs of symmetric key cryptography, including PRESENT and GIFT block ciphers. The proposed method optimized PRESENT and GIFT block ciphers by minimizing qubits, quantum gates, and circuit depth. We compare proposed PRESENT and GIFT quantum circuits with other results of lightweight block cipher implementations in quantum circuits. Finally, quantum resources of PRESENT and GIFT block ciphers required for the oracle of the Grover search algorithm were estimated.

Download Full-text