Lightweight Cryptography, Shivam Singh (M.Tech. Cyber Security). Slide deck transcript, 18 pages, posted 12-Apr-2017.

Page 1: Lightweight cryptography

LIGHTWEIGHT CRYPTOGRAPHY

Shivam Singh

M.Tech. Cyber Security

Page 2: Lightweight cryptography

Contents

1. What is lightweight cryptography?

2. Lightweight cryptographic mechanisms

3. Lightweight cryptography lounge

a) Lightweight block ciphers

b) Lightweight hash functions

c) Lightweight stream ciphers

d) Lightweight one-pass authenticated ciphers

4. Software implementation

Page 3: Lightweight cryptography

WHAT IS LIGHTWEIGHT CRYPTOGRAPHY?

Lightweight cryptography has been a very important topic for the last few years, driven by the lack of primitives capable of running on devices with very low computing power.

We can think, for instance, of RFID tags, sensors in wireless sensor networks or, more generally, the small internet-enabled appliances expected to flood the market as the Internet of Things (IoT) arises.

At the core of lightweight cryptography is a trade-off between lightweightness and security.

Many cryptographers have addressed these issues by suggesting lightweight stream ciphers, block ciphers, hash functions and, recently, one-pass authenticated encryption.

Page 4: Lightweight cryptography

Lightweight Cryptographic Mechanisms

Embedded devices often have inherent limitations in terms of processing power, memory, storage and energy. The cryptographic functionality that embedded systems (ESs) use to provide tamper-resistant hardware and software security functions has a direct impact on the system's:

• Size: Memory elements constitute a significant part of the module's surface.

• Cost: Directly linked to the surface of the component.

• Speed: Optimized code provides results faster.

• Power Consumption: The quicker a set of instructions is executed, the quicker the module can return to an idle state or be put in sleep mode, where power consumption is minimal.

Page 5: Lightweight cryptography

LIGHTWEIGHT CRYPTOGRAPHY LOUNGE

Lightweight Block Ciphers

Lightweight Hash Functions

Lightweight Stream Ciphers

Lightweight One-pass Authenticated Ciphers

Page 6: Lightweight cryptography

Lightweight Block Ciphers

Desirable Properties:

The aim of a block cipher is to provide a keyed pseudo-random permutation, which is then used as the building block of more complex protocols. For instance, coupled with a proper mode of operation, it can be used to encrypt data. A "good" block cipher must be fast and secure, i.e. it must be impossible for an adversary with realistic computing power to retrieve the key even if she has access to a black box capable of encrypting and decrypting inputs of her choice (security against chosen-ciphertext attacks).

Design Principles:

There are two families of designs for block ciphers: Substitution-Permutation Networks and Feistel Networks. There are also specific constraints when designing lightweight block ciphers. First of all, memory is very expensive, so implementing S-boxes as look-up tables can lead to a large hardware footprint. That is why these ciphers usually have no S-box at all (SIMON) or very small ones, only 4x4 (PRESENT).

Page 7: Lightweight cryptography

Cost of Implementing Decryption:

Implementing decryption alongside encryption leads to an increase of the area necessary, as decryption requires its own logic. However, depending on the mode of operation of the cipher, it may be possible to omit the decryption algorithm: for instance, in the case of OFB, decryption is never needed, since both directions use only the encryption function. Another way of reducing the additional cost is to build algorithms such that encryption and decryption are very similar. A first approach is to use involutions as components, for instance in KLEIN. The whole structure can also be exploited to obtain involution-related properties, for instance α-reflexivity in the case of PRINCE, or to differentiate encryption from decryption simply by a variation in the key schedule (Feistel networks, mCrypton).
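As an added example (not code from the slides, and not SIMON itself), the toy Feistel cipher below uses SIMON's AND/rotate/XOR round function, so it stores no S-box table, and its decrypt reuses the encryption loop with the round keys reversed, which is the Feistel cost saving described above. The key schedule is a hypothetical stand-in, not SIMON's.

```python
from typing import List, Tuple

WORD = 16                     # 16-bit halves, 32-bit block
MASK = (1 << WORD) - 1

def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (WORD - r))) & MASK

def f(x: int) -> int:
    """SIMON's round function (S^1 x & S^8 x) ^ S^2 x: rotations, one AND and
    one XOR, so there is no S-box table to store."""
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)

def expand_key(master: bytes, rounds: int) -> List[int]:
    """Hypothetical stand-in schedule deriving 16-bit round keys from a 64-bit
    master key (not SIMON's real z-sequence schedule)."""
    assert len(master) == 8
    k = [int.from_bytes(master[i:i + 2], "little") for i in range(0, 8, 2)]
    for i in range(4, rounds):
        t = rotl(k[i - 1], 3) ^ k[i - 3]
        k.append(k[i - 4] ^ t ^ rotl(t, 1) ^ 0xFFFC ^ (i & 1))
    return k[:rounds]

def feistel(left: int, right: int, keys: List[int]) -> Tuple[int, int]:
    """The Feistel network. Encryption and decryption run this very same
    loop; only the order of the round keys differs."""
    for rk in keys:
        left, right = right ^ f(left) ^ rk, left
    return left, right

def encrypt(block: int, key: bytes, rounds: int = 32) -> int:
    l, r = feistel(block >> WORD, block & MASK, expand_key(key, rounds))
    return (l << WORD) | r

def decrypt(block: int, key: bytes, rounds: int = 32) -> int:
    # Swap the halves, run the identical network with the keys reversed, swap back.
    r, l = feistel(block & MASK, block >> WORD, expand_key(key, rounds)[::-1])
    return (l << WORD) | r
```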

Page 8: Lightweight cryptography

Fixed key?

• The designers of symmetric block ciphers have different approaches regarding related-key attacks. The use-case of lightweight cryptography can lead to opposite views concerning the necessity of counter-measures to prevent such attacks.

• Because the key is likely to be "burnt" in the device, i.e. it will not be possible to change it, there is no point in worrying about related-key attacks: the probability for an attacker to obtain several devices keyed with appropriately related keys is too small to be of any importance.

• However, such block ciphers are very likely to be used to build compression functions for hash functions with a Merkle-Damgård structure. In this context, resilience against related-key attacks is much more important.

Page 9: Lightweight cryptography

Lightweight Hash Functions

Desirable Properties:

Here, "impossible" means "impossible for an adversary having some reasonable computing power" where "reasonable" is actually a complex concept. Consider a hash function H; we want it to be (at least):

1. Collision resistant: it is "impossible" to find distinct x and y such that H(x)=H(y).

2. Preimage resistant: given a digest d, it is "impossible" to find x such that H(x)=d.

3. Second preimage resistant: given y, it is "impossible" to find x≠y such that H(x)=H(y).

Sponge

The sponge construction is a method to build a hash function from a publicly known unkeyed permutation (P-Sponge) or random function (T-Sponge). It was introduced by Bertoni et al., the Keccak team, in 2007. Sponges can also be used to provide stream ciphers or even authenticated encryption; see the duplex construction.

Page 10: Lightweight cryptography

P-Sponge and T-Sponge:

P(ermutation)-Sponge and T(ransformative)-Sponge are sponge models using respectively a random permutation and a random function to update their internal state. In the paper in which sponge functions were introduced, it was shown that sponges with capacity c, rate r and digest size n absorbing messages of length m < 2^(c/2) are such that the different attacks require the following number of calls to the update function (the table entries are base-2 logarithms: an attack costs about 2^entry calls).

Case       Preimage       Second preimage      Collision      Cycle finding
T-Sponge   min(n, c+r)    min(n, c-log2(m))    min(n, c)/2    (c+r)/2
P-Sponge   c-1            min(n, c/2)          min(n, c)/2    c+r

Page 11: Lightweight cryptography

Lightweight Stream Ciphers

Description and Desirable Properties:

• Given a key K and an initialization vector IV, a stream cipher generates a keystream, i.e. a stream of bits which are simply xored with the plaintext to generate the ciphertext. Such ciphers are called synchronous if the keystream is independent of the ciphertext, or asynchronous if it depends on it. Asynchronous ciphers can be used for authenticated encryption.

• The IV is known by the attacker and may also be controlled by her. It must be "impossible" to retrieve the key even if large parts of the keystream are available. Furthermore, if the cipher is based on an internal state updated every time a part of the keystream is generated (most stream ciphers correspond to this description), then the internal state must be large enough to prevent so-called Time-Memory-Data Trade-off based attacks. For instance, A5/1 is vulnerable to such an attack.

Page 12: Lightweight cryptography

Possible Components:

A simple way to build a stream cipher is to use a regular block cipher in counter mode. However, the most common method is to initialize an internal state of n bits using the key and initialization vector and then repeat the following:

1. Generate b bits of keystream using the content of the internal state.

2. Apply a function to update the internal state.

A possible method to build an internal state that is easy to update is to use so-called Feedback Shift Registers (FSRs). These are arrays of words which, at each round, are updated as follows:

1. The content of some fixed cells (the taps) is used to compute a new word w.

2. The content of the array is shifted to the left so its last element is discarded.

3. w is inserted in the first cell.

If the function used to compute w is linear, we have a Linear FSR or LFSR. Otherwise, we have a Non-linear FSR or NFSR. The Feedback with Carry Shift Register used by the FCSR-based stream ciphers is another such construction. The words can be bits (in most cases) but this is not necessary.
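An added example (not from the slides) of the loop just described: a word-oriented feedback shift register updated by exactly the three steps above, once with a linear feedback (an LFSR whose taps give the maximal period) and once with a constructed non-linear feedback (an NFSR), together with the generate-then-update keystream loop and a cycle-length check on the state.

```python
from typing import Callable, List

Feedback = Callable[[List[int]], int]   # maps the tap contents to the new word w

def fsr_step(cells: List[int], taps: List[int], feedback: Feedback) -> List[int]:
    """One round of the register: 1) compute w from the tap cells, 2) shift
    left so the last cell is discarded, 3) insert w in the first cell."""
    w = feedback([cells[t] for t in taps])
    return [w] + cells[:-1]

def linear_feedback(tap_values: List[int]) -> int:
    """XOR of the taps: with taps [0, 3] on 4 cells this is x^4 + x^3 + 1 (LFSR)."""
    w = 0
    for v in tap_values:
        w ^= v
    return w

def nonlinear_feedback(tap_values: List[int]) -> int:
    """Adds an AND term (constructed for illustration), giving an NFSR."""
    c0, c1, c2, c3 = tap_values
    return c0 ^ c3 ^ (c1 & c2)

def keystream(cells, taps, feedback, nbits: int) -> List[int]:
    """The stream-cipher loop: output b = 1 bit per round (the last cell), then update."""
    out = []
    for _ in range(nbits):
        out.append(cells[-1])
        cells = fsr_step(cells, taps, feedback)
    return out

def period(cells, taps, feedback):
    """Rounds until the state returns to its start, or None if it never does
    (an NFSR may fall into a cycle that excludes the start). This cycle length,
    not the register size alone, bounds how long a keystream stays useful."""
    start, state = list(cells), list(cells)
    for n in range(1, 2 ** len(cells) + 1):
        state = fsr_step(state, taps, feedback)
        if state == start:
            return n
    return None

def xor_bits(data: List[int], ks: List[int]) -> List[int]:
    """Encrypt or decrypt: the keystream is simply xored with the data bits."""
    return [d ^ k for d, k in zip(data, ks)]
```

With the non-linear feedback above, the same 4-cell register has a shorter cycle than the maximal-period LFSR, which is the kind of state-size versus cycle-length question the Time-Memory-Data trade-off remark on the previous page is about.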

Page 13: Lightweight cryptography

Lightweight Authenticated Encryption

Description:

The aim is to provide simultaneously encryption and authentication in one primitive and in one pass. Authentication allows communicating entities to ensure that their communication has not been modified or tampered with. This verification is based on the computation of a so-called tag associated to the transmitted data which cannot be generated in reasonable time unless a secret is known.

The generation of the tag can be done separately from the encryption but the primitives listed on this page perform both operations at the same time.

Stream-Cipher Based

One possible way to achieve this is to use a special stream cipher like PHELIX, which uses the plaintext to update its internal state. The MAC can then be derived from the internal state of the stream cipher once encryption is finished.

Page 14: Lightweight cryptography

Duplexed Sponge:

The duplexed sponge is based on the use of a sponge as a stream cipher in the way described above, i.e. by incorporating blocks of plaintext in the computation of the internal state. This structure is best described by a figure (on the right of the slide, taken from the original paper; not reproduced here): σ_i corresponds to the i-th block of plaintext, Z_i to the i-th block of ciphertext, r to the rate of the sponge, c to its capacity and f to its update function.

The duplexed sponge is actually a construction with broader applications than just authenticated encryption. When used for this purpose, the construction is called SpongeWrap.

This construction can also be further specialized, as suggested by Andreeva et al. (the APE construction), and can be lightweight as long, of course, as the permutation used is.
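An added example (not from the slides or the Keccak team's code) serving both the sponge hash of pages 9 and 10 and the duplexed sponge here: one constructed 8-byte permutation with rate r = 2 bytes and capacity c = 6 bytes first absorbs a padded message and squeezes a digest, then runs SpongeWrap style, where each plaintext block is xored with the current output and absorbed before the next block, with the tag squeezed at the end. The permutation, padding and key/nonce handling are simplified stand-ins with no security claim.

```python
import hmac
R = 2                  # rate in bytes; capacity c = 6, so the state is 8 bytes
XOR = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def permute(s: bytes) -> bytes:
    """Constructed invertible 8-byte mixing (so a P-sponge); no security claim."""
    s = list(s)
    for rnd in range(8):
        for i in range(8):
            j = (i + 1) % 8
            s[i] = (s[i] + s[j]) & 0xFF
            s[j] ^= (((s[i] << 3) | (s[i] >> 5)) & 0xFF) ^ rnd
    return bytes(s)

def duplex(state: bytes, block: bytes):
    """One duplex call: xor a block (<= R bytes) into the rate part, permute, output R bytes."""
    state = permute(XOR(state[:R], block.ljust(R, b"\0")) + state[R:])
    return state, state[:R]

def absorb(state: bytes, data: bytes):
    z = state[:R]
    for i in range(0, len(data), R):
        state, z = duplex(state, data[i:i + R])
    return state, z
def squeeze(state: bytes, z: bytes, n: int) -> bytes:
    out = z
    while len(out) < n:
        state, z = duplex(state, b"")
        out += z
    return out[:n]

def sponge_hash(msg: bytes, n: int = 8) -> bytes:
    """Hash: absorb the 10*1-padded message, then squeeze an n-byte digest."""
    padded = msg + b"\x01" + b"\0" * ((R - len(msg) - 2) % R) + b"\x80"
    return squeeze(*absorb(bytes(8), padded), n)

def duplex_ae(key: bytes, nonce: bytes, data: bytes, decrypt=False, taglen=4):
    """SpongeWrap-style one-pass AE (frame bits omitted): each plaintext block is
    xored with the current output z, then absorbed so it shapes all later output."""
    state, z = absorb(bytes(8), key + nonce)
    out = b""
    for i in range(0, len(data), R):
        blk = XOR(data[i:i + R], z)
        out += blk
        state, z = duplex(state, blk if decrypt else data[i:i + R])
    return out, squeeze(state, z, taglen)

def unwrap(key: bytes, nonce: bytes, ct: bytes, tag: bytes):  # decrypt + constant-time tag check
    pt, want = duplex_ae(key, nonce, ct, decrypt=True, taglen=len(tag))
    return pt if hmac.compare_digest(want, tag) else None
```

Decryption re-absorbs the recovered plaintext, so any change to the ciphertext changes the recomputed tag; unwrap compares tags in constant time and returns None on a mismatch.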

Page 15: Lightweight cryptography

SOFTWARE IMPLEMENTATION

Fair Evaluation of Lightweight Cryptographic Systems (FELICS)

Block ciphers brief results

Block ciphers detailed results

Stream ciphers brief results

Stream ciphers detailed results

Page 16: Lightweight cryptography

FELICS

Cipher performance is usually evaluated on different platforms and in different conditions. The results obtained on different devices and in different measurement conditions are then used to compare the new cipher with previous ones. Such conclusions are not accurate and do not inspire confidence, because it is hard to correctly evaluate different ciphers if comparable implementations are not available.

The benchmarking tool is open and flexible in various aspects:

1. It is possible to upload new ciphers so that the designers get consistent and detailed feedback on how their cipher compares with the state of the art.

2. The tool is developed from the ground up with the goal of supporting a wide range of embedded platforms through both cycle-accurate instruction set simulation and actual measurements on prototyping boards.

3. The tool is also open with respect to the evaluation metrics. Currently, it can evaluate execution time, RAM footprint, and binary code size.

4. It can easily accommodate new usage/evaluation scenarios.

Page 17: Lightweight cryptography

Some Other Results

Block ciphers brief results

Block ciphers detailed results

Stream ciphers brief results

Stream ciphers detailed results

Note: the four entries above are hyperlinks to the result pages.

Page 18: Lightweight cryptography

Thank You..
