The Design Space of Lightweight Cryptography

For constrained devices, standard cryptographic algorithms can be too large, too slow or too energy-consuming. The area of lightweight cryptography studies new algorithms that overcome these limitations. In this paper, we focus on symmetric-key encryption, authentication and hashing. Rather than providing a full overview of this research area, we highlight three topics of interest. Firstly, we explore the generic security of lightweight constructions: we discuss considerations for key, block and tag sizes, and we examine what happens when a pseudorandom permutation (PRP) is instantiated with a non-ideal block cipher construction. This is motivated by the increasing prevalence of lightweight designs that are not secure against related-key attacks, such as PRINCE, PRIDE or Chaskey. Secondly, we explore the efficiency of cryptographic primitives; in particular, we investigate how efficiency is affected when the input size of a primitive doubles. Lastly, we provide some considerations for cryptographic design. We observe that applications do not always use cryptographic algorithms as they were intended, which negatively impacts the security and/or efficiency of the resulting implementations.
