FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware
Begül Bilgin, Andrey Bogdanov, Miroslav Knežević, Florian Mendel, and Qingju Wang
DIAC 2013, Chicago

Side Channel Resistance
The Game...
- Mathematically secure crypto algorithms: AES, RSA, Keccak, OCB
- Weak implementation
- Dependency between power consumption and intermediate value (depends on the key)

Side Channel Resistance
x Change the key frequently
x Equalize power consumption
Randomize power consumption
- Boolean masking
  [Diagram: inp^m0 -> L -> out^m1; m0 -> L -> m1]
  [Diagram: inp^m0 -> S -> out^m1; m0 -> S -> m1]
- Multiplicative masking
- Secret sharing, e.g. Threshold Implementations [Nikova 11]
  [Diagram: inp^m0^m1 -> S -> out^m2^m3; m0 -> S -> m2; m1 -> S -> m3]
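
Added example (not from the slides or the FIDES authors): a Python model of the masking options listed above. It checks that a Boolean mask passes through a linear layer but not through a nonlinear map applied share by share, and that a 3-share threshold implementation of AND is correct while each output share's distribution is independent of the secrets. The maps `L` and `S` are constructed 5-bit toys, not FIDES components.

```python
from itertools import product

def rotl5(v, k):
    """Rotate a 5-bit word left by k."""
    return ((v << k) | (v >> (5 - k))) & 0x1F

def L(v):
    """Constructed linear layer over GF(2): XOR of rotations."""
    return v ^ rotl5(v, 1) ^ rotl5(v, 2)

def S(v):
    """Constructed degree-2 nonlinear map (assumption, not a FIDES S-box)."""
    return v ^ (rotl5(v, 1) & rotl5(v, 2))

def mask_passes_through(f):
    """True if f(inp ^ m0) == f(inp) ^ f(m0) for every input and mask."""
    return all(f(x ^ m) == f(x) ^ f(m) for x, m in product(range(32), repeat=2))

def ti_and(x, y):
    """3-share threshold implementation of z = x AND y."""
    (x1, x2, x3), (y1, y2, y3) = x, y
    # Non-completeness: output share i never reads input share i.
    z1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2)
    z2 = (x3 & y3) ^ (x1 & y3) ^ (x3 & y1)
    z3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1)
    return z1, z2, z3

def sharings(bit):
    """All 3-share Boolean sharings of one bit."""
    return [(a, b, bit ^ a ^ b) for a, b in product((0, 1), repeat=2)]

def ti_is_correct():
    """The output shares XOR to x AND y for every sharing of every input."""
    return all(z[0] ^ z[1] ^ z[2] == (x & y)
               for x, y in product((0, 1), repeat=2)
               for xs in sharings(x) for ys in sharings(y)
               for z in [ti_and(xs, ys)])

def share_ones_count(i):
    """Per secret (x, y): how often output share i is 1 over all sharings.
    A single value means that share's distribution does not depend on x, y."""
    return {sum(ti_and(xs, ys)[i] for xs in sharings(x) for ys in sharings(y))
            for x, y in product((0, 1), repeat=2)}

def naive_ones_count():
    """Same count for a 2-share wire x1 & (y1 ^ y2), which recombines y."""
    return {sum(x1 & (y1 ^ (y ^ y1)) for x1, y1 in product((0, 1), repeat=2))
            for x, y in product((0, 1), repeat=2)}
```

`naive_ones_count()` returns two different counts, so that wire's average power depends on the secret `y`; every TI output share gives one count for all secrets.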

Side Channel Resistance
Have the design
- Need efficient impl.
- Need secure impl.
[Diagram labels: 1st Order, 2nd Order; Boolean Mask, Multipl. Mask, TI; SW, HW]
SW?? Still efficient?? HW
[Next slide, same diagram: SW Still efficient HW]

Design - Structure
[Figure labels: a; A1, A2, ..., Av; M1, ..., Mu; C1, ..., Cu; K, N; 16R ... 16R; T; K; 0]
- Similar to duplex sponge
- Rounds are not keyed
- Online
- Single pass

            b     k/n/t   r
FIDES-80    160   80      10
FIDES-96    192   96      12

Design - Structure
State
- SubBytes
- ShiftRows: 0 1 2 7
- MixColumns: Almost MDS, branch number is 4
- ConstantAddition

Design - S-boxes
FIDES-80: 5-bit Almost Bent (AB)
- optimal resistance against differential & linear cryptanalysis
- degree 2 (two), 3 (one), 4 (one)
FIDES-96: 6-bit Almost Perfect Nonlinear (APN)
- optimal resistance against differential cryptanalysis
- degree 4
++Low latency++

Design - S-boxes
Affine Equivalent to AB permutation with degree 2
[Figure: two panels, "Unshared S-box" and "Shared S-box"; x-axis: # of GE (UMC 180nm); y-axis: # of S-boxes]
Similar for APN

Security Analysis

# rnd.   # Active S-box
         any diff.   zero diff.
1        0           -
2        4           -
3        7           -
4        16          -
5        22          -
6        32          52
7        42          49
8        48          48

Differential & Linear Cryptanalysis
- 16 rounds: $2^{-4 \times 48 \times 2} = 2^{-384}$
Collision Trails
- 16 rounds: $2^{-4 \times (48+48)} = 2^{-384}$
Impossible Differential
- 9 rounds
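
Added example (not from the slides): a Python check of what "Almost Bent" means for a 5-bit S-box and how it yields the $2^{-4}$ factor per active S-box in the 16-round bound above. The FIDES S-box table is not on these slides, so the Gold function x^3 over GF(2^5), a known AB permutation, is used as a stand-in; the field polynomial is likewise an assumption of this example.

```python
from math import log2

def gf32_mul(a, b):
    """Multiply in GF(2^5) modulo x^5 + x^2 + 1."""
    r = 0
    for _ in range(5):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x20:
            a ^= 0x25
    return r

# Stand-in AB permutation (assumption): x^3, NOT the FIDES-80 S-box.
SBOX = [gf32_mul(x, gf32_mul(x, x)) for x in range(32)]

def parity(v):
    """Parity of the set bits of v (dot product over GF(2))."""
    return bin(v).count("1") & 1

def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences."""
    n = len(sbox)
    return max(sum(1 for x in range(n) if sbox[x ^ a] ^ sbox[x] == b)
               for a in range(1, n) for b in range(n))

def linearity(sbox):
    """Largest absolute Walsh coefficient over nonzero output masks."""
    n = len(sbox)
    return max(abs(sum(1 - 2 * (parity(a & x) ^ parity(b & sbox[x]))
                       for x in range(n)))
               for a in range(n) for b in range(1, n))

def trail_bound_log2(sbox, active_8_rounds=48, rounds=16):
    """log2 of the differential and linear trail bounds, using the table's
    48 active S-boxes per 8 rounds."""
    n = len(sbox)
    dp = log2(differential_uniformity(sbox) / n)   # per active S-box
    lp = 2 * log2(linearity(sbox) / n)             # squared correlation
    factor = active_8_rounds * (rounds // 8)
    return dp * factor, lp * factor
```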

Implementation
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T

Performance
[Figure: "FIDES on Different Technologies"; y-axis: Area in GE; technologies: NXP 90nm, NANGATE 45nm, UMC 130nm; series: FIDES-80-S, FIDES-80-4S, FIDES-80-R, FIDES-80-T, FIDES-96-S, FIDES-96-4S, FIDES-96-R, FIDES-96-T]

Performance
[Figure: x-axis: Area (GE); y-axis: Throughput (kb/s); series: FIDES-80, FIDES-96, ALE, AES-CCM, ASC-1 A, ASC-1 B, c-quark, KECCAK-200-MD, Hummingbird2]

Conclusion
FIDES
- Lightweight AE
  - less than 1500 GE
  - online, single-pass
- with Side Channel Resistance
  - TI less than 5000 GE
- and 80-bit or 90-bit security
  - AB and APN permutations
  - almost MDS

THANK YOU!