www.lightweightcrypto.org
Your resource for everything related to efficient cryptography

A Survey of Lightweight-Cryptography Implementations
Author: T. Eisenbarth, S. Kumar, L. Uhsadel, C. Paar, A. Poschmann
Description:
The tight cost and implementation constraints of high-volume products, including secure RFID tags and smart cards, require specialized cryptographic implementations. The authors review recent developments in this area for symmetric and asymmetric ciphers, targeting embedded hardware and software. In this article, we present a selection of recently published lightweight-cryptography implementations and compare them to state-of-the-art results in their field.
Related Tags: ASIC, lightweight, crypto
Comparison of Innovative Signature Algorithms for WSNs
Author: B. Driessen, A. Poschmann, C. Paar
Description:
For many foreseen applications of Wireless Sensor Networks (WSN) - for example monitoring the structural health of a bridge - message integrity is a crucial requirement. Usually, security services such as message integrity are realized by symmetric cryptography only, because asymmetric cryptography is often stated as impracticable for WSN. However, the proposed solutions for symmetric key establishment introduce a significant computation, storage, and - most important - communication overhead. Digital signatures and key-exchange based on asymmetric algorithms would be very valuable though. In the literature nearly only RSA and ECC are implemented and compared for sensor nodes, though there exist a variety of innovative asymmetric algorithms. To close this gap, we investigated the efficiency and suitability of digital signature algorithms based on innovative asymmetric primitives for WSN. We chose XTR-DSA and NTRUSign and implemented both (as well as ECDSA) for MICAz motes.
Related Tags: ASIC
Performance Analysis of Contemporary Light-Weight Block Ciphers on 8-bit Microcontrollers
Author: S. Rinne, T. Eisenbarth, C. Paar
Description:
This work presents a performance analysis of software implementations of ciphers that are specially designed for the domain of ubiquitous computing. The analysis focuses on the special properties of embedded devices that need to be taken into account like cost (given by memory consumption) and energy requirements. The discussed ciphers include DESL, HIGHT, SEA, and TEA/XTEA. Assembler implementations of the ciphers for an 8-bit AVR microcontroller platform were analyzed and compared with a byte-oriented AES implementation. While all ciphers fail to outperform AES on the discussed 8-bit platform, TEA/XTEA and SEA at least consume significantly less memory than the AES.
Related Tags: VHDL, lightweight, Assembly, ASIC
Efficient Implementation of Stream Ciphers on Embedded 8-bit Microcontrollers
Author: G. Meiser
Description:
This work is motivated by the question of how efficient modern stream ciphers in the focus of eSTREAM Profile I (Phase 2) can be implemented on small embedded microcontrollers. In response to this question, we present the first implementation results for Dragon, HC-128, LEX, Salsa20 and Sosemanuk on 8-bit microcontrollers. For the evaluation process, we follow a two-stage approach and compare with efficient AES implementations. First, the C code implementation provided by the designers was ported to an 8-bit AVR microcontroller and the suitability of Dragon, HC-128, LEX, Salsa20 and Sosemanuk for the use in embedded systems was assessed. In the second stage we implemented Dragon, LEX, Salsa20 and Sosemanuk in Assembly to tap the full potential of an embedded implementation. Our efficiency metrics are performance of keystream generation, key setup, and IV setup, and memory usage in flash and SRAM, since microcontrollers are usually strongly constrained in memory resources. Regarding encryption speed, all stream ciphers turned out to outperform AES. In terms of memory needs, Salsa20 and LEX are almost as compact as AES. When considering a time-memory tradeoff metric, LEX and Salsa20 yield significantly better results than AES.
Related Tags: embedded
Sidechannel Resistant Lightweight ASIC Implementations of DES and AES
Author: A. Poschmann
Description:
In this thesis, we investigate a new lightweight cipher based on DESX. We investigate the design criteria of DES presented in [Cop94] and derive stronger design criteria. We show that S-boxes which satisfy our new design criteria are more resistant against both differential and linear cryptanalysis. Our new cipher DLX is similar to DES or DESX, respectively, except for the f-function. DES uses eight different S-boxes, whereas our cipher only repeatedly uses one improved S-box (eight times). The implementation results show that our new cipher DLX requires less chip size, less energy, and is more secure against both differential and linear cryptanalysis. We also show that DLX requires 40% less chip size, 85% less clock cycles, and consumes only about 10% of the energy than the best AES implementation with regard to RFIDs needs [FDW04]. In this thesis we also investigate side channel attacks on AES. We present a size-optimised VHDL design of the AES and its results for a standard cell implementation. We show that this ASIC can easily be broken with a simple power analysis (SPA).
Related Tags: S-box, ASIC, VHDL, lightweight, crypto, embedded
Elliptic Curve Cryptography for Constrained Devices
Author: S. Kumar
Description:
There is a re-emerging demand for low-end devices such as 8-bit processors, driven by needs for pervasive applications like sensor networks and RF-ID tags. Security in pervasive applications, however, has been a major concern for their widespread acceptance. Public-key cryptosystems (PKC) like RSA and DSA generally involve computation-intensive arithmetic operations with operand sizes of 1024 - 2048 bits, making them impractical on such constrained devices. Elliptic Curve Cryptography (ECC) which has emerged as a viable alternative is a favored public-key cryptosystem for embedded systems due to its small key size, smaller operand length, and comparably low arithmetic requirements. However, implementing full-size, standardized ECC on 8-bit processors is still a major challenge and normally considered to be impracticable for small devices which are constrained in memory and computational power. The thesis at hand is a step towards showing the practicability of PKC and in particular ECC on constrained devices. We leverage the flexibility that ECC provides with the different choices for parameters and algorithms at different hierarchies of the implementation. First a secure key exchange using PKC on a low-end wireless device with the computational power of a widely used 8-bit 8051 processor is presented. An Elliptic Curve Diffie-Hellman (ECDH) protocol is implemented over 131-bit Optimal Extension Field (OEF) purely in software. A secure end-to-end connection in an acceptable time of 3 seconds is shown to be possible on such constrained devices without requiring a cryptographic coprocessor. We also investigate the potential of software/hardware co-design for architectural enhancements including instruction set extensions for low-level arithmetic used in ECC, most notably to speed-up multiplication in the finite fields.
We show that a standard compliant 163-bit point multiplication can be computed in 0.113 sec on an 8-bit AVR micro-controller running at 4 MHz (a typical representative for a low-cost pervasive processor) with minimal additional hardware extensions. Our design not only accelerates the computation by a factor of more than 30 compared to a software-only solution, it also reduces the code-size and data-RAM. Two new custom instructions for the MIPS 32-bit processor architecture are also proposed to accelerate the reduction modulo a pseudo Mersenne prime. We also show that the efficiency of multiplication in an OEF can be improved by a modified multiply and accumulate unit with a wider accumulator. The proposed architectural enhancements achieve a speed-up factor of 1.8 on the MIPS processor. In addition, different architectural enhancements and optimal digit-size choices for the Least Significant Digit (LSD) multiplier for binary fields are presented. The two different architectures, the Double Accumulator Multiplier (DAM) and N-Accumulator Multiplier (NAM) are both faster compared to traditional LSD multipliers. Later, an area/time efficient ECC processor architecture (for the OEFs of size 169, 289 and 361 bits) which performs all finite field arithmetic operations in the discrete Fourier domain is described. We show that a small optimized implementation of ECC processor with 24k equivalent gates on a 0.35um CMOS process can be realized for 169-bit curve using the novel multiplier design. Finally we also present a highly area optimized ASIC implementation of the ECC processor for various standard compliant binary curves ranging from 133-193 bits. An area between 10k and 18k gates on a 0.35um CMOS process is possible for the different curves which makes the design very attractive for enabling ECC in constrained devices.
Related Tags: crypto
Enabling Full-Size Public-Key Algorithms on 8-bit Sensor Nodes
Author: L. Uhsadel, A. Poschmann, C. Paar
Description:
In this article we present the fastest known implementation of a modular multiplication for a 160-bit standard compliant elliptic curve (secp160r1) for 8-bit micro controller which are typically used in WSNs. The major part (77%) of the processing time for an elliptic curve operation such as ECDSA or EC Diffie-Hellman is spent on modular multiplication. We present an optimized arithmetic algorithm which significantly speeds up ECC schemes. The reduced processing time also yields a significantly lower energy consumption of ECC schemes. With our implementation results we can show that a 160-bit modular multiplication can be performed in 0.39 ms on an 8-bit AVR processor clocked at 7.37 MHz. This brings the vision of asymmetric cryptography in the field of WSNs with all its benefits for key-distribution and authentication a step closer to reality.
Related Tags: lightweight, Assembly, crypto, embedded
A Family of Light-Weight Block Ciphers Based on DES Suited for RFID Applications
Author: A. Poschmann, G. Leander, K. Schramm, C. Paar
Description:
We propose a new block cipher, DESL (DES Lightweight extension), which is strong, compact and efficient. Due to its low chip size constraints DESL is especially suited for RFID (Radio Frequency Identification) devices. Our proposed DESL is based on the classical DES (Data Encryption Standard) design, however, unlike DES it uses a single S-box repeated eight times. This approach makes it possible to considerably decrease chip size requirements. The S-box has been highly optimized in such a way that DESL resists common attacks, i.e. linear and differential cryptanalysis, and the Davies-Murphy-attack. Therefore DESL achieves a security level, which is appropriate for many applications. Furthermore, we propose a lightweight implementation of DESL, which requires 49% less chip size, 85% less clock cycles and 90% less energy than the best AES implementations with regard to RFID applications. Compared to the smallest DES implementation published until now, our DESL design requires 38% less transistors. As a result, our 0.18 µm DESL implementation requires a chip size of 7392 transistors (1848 gate equivalences) and is capable to encrypt a 64-bit plaintext in 144 clock cycles. When clocked at 100 kHz, it draws an average current of only 0.89 µA. These hardware figures are in the range of the best eSTREAM candidates, comprising DESL as a new alternative for stream ciphers. Keywords: RFID, DES, DESL, lightweight cryptography, S-box design criteria
Related Tags: S-box, lightweight
Are standards compliant elliptic curve cryptosystems feasible on RFID?
Author: S. Kumar, C. Paar
Description:
With elliptic curve cryptography emerging as a serious alternative, the desired level of security can be attained with significantly smaller key sizes. This makes ECC very attractive for small-footprint devices with limited computational capability, memory and low-bandwidth network connections. However ECC is still considered to be impracticable for very low-end constrained devices like sensor networks and RFID tags. We present a stand-alone highly area optimized ECC processor design for standards compliant binary field curves. We use the fast squarer implementation to construct an addition chain that allows inversion to be computed efficiently. Hence, we propose an affine co-ordinate ASIC implementation of the ECC processor using a modified Montgomery point multiplication method for binary curves ranging from 113-193 bits. An area between 10k and 18k gates on a 0.35um CMOS process is possible for the different curves which makes the design very attractive for enabling ECC in constrained devices.
Related Tags: crypto
New Lightweight Crypto Algorithms for RFID
Author: G. Leander, C. Paar, A. Poschmann, K. Schramm
Description:
The authors propose a new block cipher, DESL (DES lightweight extension), which is strong, compact and efficient. Due to its low area constraints DESL is especially suited for RFID (radiofrequency identification) devices. DESL is based on the classical DES (data encryption standard) design, however, unlike DES it uses a single S-box repeated eight times. This approach makes it possible to considerably decrease chip size requirements. The S-box has been highly optimized in such a way that DESL resists common attacks, i.e., linear and differential cryptanalysis, and the Davies-Murphy-attack. Therefore DESL achieves a security level which is appropriate for many applications. Furthermore, we propose a light-weight implementation of DESL which requires 45% less chip size and 86% less clock cycles than the best AES implementations with regard to RFID applications. Compared to the smallest DES implementation published, our DESL design requires 38% less transistors. Our 0.18 µm DESL implementation requires a chip size of 7392 transistors (1848 gate equivalences) and is capable to encrypt a 64-bit plaintext in 144 clock cycles. When clocked at 100 kHz, it draws an average current of only 0.89 µA. These hardware figures are in the range of the best eSTREAM streamcipher candidates, comprising DESL as a new alternative for ultra low-cost encryption.
Related Tags: S-box, ASIC, VHDL, lightweight, crypto
Security for 1000 Gate Equivalents
Author: C. Rolfes, A. Poschmann, C. Paar
Description:
Product piracy and counterfeiting is a market with an annual turnover of hundreds of billions of US-Dollars. The application of RFID-tags is discussed widely to cope with this problem. A major obstacle for a mass deployment of RFID-tags, beside the harsh requirements on power consumption, are fabrication costs. In hardware fabrication costs are proportional to the required area. In this paper we present three different architectures of the present algorithm. Our implementation of the serialized architecture requires only 1000 GE. To the best of our knowledge this is the smallest hardware implementation of a cryptographic algorithm with a moderate security level.
Related Tags: crypto, Assembly
Hardware Optimierte Lightweight Block-Chiffren für RFID- und Sensor-Systeme (Hardware-Optimized Lightweight Block Ciphers for RFID and Sensor Systems)
Author: A. Poschmann, C. Paar
Description:
This article gives an overview of lightweight cryptography. It then presents in more detail the two new hardware-optimized ciphers DESL and PRESENT. The subsequent comparison of the implementation results with other recently proposed block ciphers such as mCrypton, HIGHT or CLEFIA shows that DESL and PRESENT require less chip area. Surprisingly, both algorithms can even compete with recently published hardware-optimized stream ciphers (Trivium and Grain).
Related Tags: lightweight, VHDL, ASIC
PRESENT: An Ultra-Lightweight Block Cipher
Author: A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, and C. Vikkelsoe
Description:
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, present. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for present are competitive with today’s leading compact stream ciphers.
Related Tags: lightweight
An Efficient General Purpose Elliptic Curve Cryptography Module for Ubiquitous Sensor Networks
Author: L. Uhsadel, A. Poschmann, and C. Paar
Description:
In this article we present the fastest known implementation of a modular multiplication for a 160-bit standard compliant elliptic curve (secp160r1) for 8-bit micro-controller which are typically used in ubiquitous sensor networks (USN). The major part (77%) of the processing time for an elliptic curve operation such as ECDSA or EC Diffie-Hellman is spent on modular multiplication. We present an optimized arithmetic algorithm which significantly speeds up ECC schemes. The reduced processing time also yields a significantly lower energy consumption of ECC schemes. We show that a 160-bit modular multiplication can be performed in 0.37 ms on an 8-bit AVR processor clocked at 8 MHz. This brings the vision of asymmetric cryptography in the field of USNs with all its benefits for key-distribution and authentication a step closer to reality.
Related Tags: ASIC, VHDL, Assembly, crypto
New Lightweight Crypto Algorithms for RFID
Author: G. Leander, C. Paar, A. Poschmann, K. Schramm
Description:
The authors propose a new block cipher, DESL (DES lightweight extension), which is strong, compact and efficient. Due to its low area constraints DESL is especially suited for RFID (radiofrequency identification) devices. DESL is based on the classical DES (data encryption standard) design, however, unlike DES it uses a single S-box repeated eight times. This approach makes it possible to considerably decrease chip size requirements. The S-box has been highly optimized in such a way that DESL resists common attacks, i.e., linear and differential cryptanalysis, and the Davies-Murphy-attack. Therefore DESL achieves a security level which is appropriate for many applications. Furthermore, we propose a light-weight implementation of DESL which requires 45% less chip size and 86% less clock cycles than the best AES implementations with regard to RFID applications. Compared to the smallest DES implementation published, our DESL design requires 38% less transistors. Our 0.18 µm DESL implementation requires a chip size of 7392 transistors (1848 gate equivalences) and is capable to encrypt a 64-bit plaintext in 144 clock cycles. When clocked at 100 kHz, it draws an average current of only 0.89 µA. These hardware figures are in the range of the best eSTREAM streamcipher candidates, comprising DESL as a new alternative for ultra low-cost encryption.
Related Tags: lightweight
New Lightweight DES Variants
Author: G. Leander, C. Paar, A. Poschmann, K. Schramm
Description:
In this paper we propose a new block cipher, DESL (DES Lightweight), which is based on the classical DES (Data Encryption Standard) design, but unlike DES it uses a single S-box repeated eight times. On this account we adapt well-known DES S-box design criteria, such that they can be applied to the special case of a single S-box. Furthermore, we show that DESL is resistant against certain types of the most common attacks, i.e., linear and differential cryptanalyses, and the Davies-Murphy attack. Our hardware implementation results of DESL are very promising (1848 GE), therefore DESL is well suited for ultra-constrained devices such as RFID tags.
Related Tags: lightweight
Authentication in Ad-hoc and Sensor Networks
Author: A. Weimerskirch
Description:
In the near future microprocessors will be found almost everywhere from cellular phones to washing machines and cars. Once these are connected via a (wireless) communication channel to each other and possibly to already existing static computers this could form an extremely dynamic wireless network which may not have access to an infrastructure or centralized administration. Such a network is often referred to as ad-hoc network. It is particularly useful where a reliable fixed or mobile infrastructure is not available – e.g., after a natural disaster – or too expensive. If the network consists of very small computing devices that are able to sensor their environment, such a network is called a sensor network. As ad-hoc and sensor networks become more a part of everyday life, they could become a threat if security is not considered before deployment. For instance, ad-hoc networks might be used to increase vehicle traffic safety. However, if there are any security vulnerabilities, this technology might be open to attackers and thus endanger passengers. Authentication in ad-hoc networks is a core requirement for secure protocols and secure applications of ad-hoc networks. Thus authentication in ad-hoc networks is the focus of this work. The security issues for ad-hoc networks and sensor networks are different than those for fixed networks. This is due to system constraints in mobile devices, frequent topology changes in the network, and the weak physical security of low-power devices. Moreover in sensor networks, the sensors are exposed to physical attacks such as power analysis and probing. Consequently, protocols need to be designed that are robust against a set of malicious devices as well as compromised secrets. 
The main goals and achievements of this thesis are as follows: (1) to give an overview of authentication schemes and analyze how well they are suited to ad-hoc networks; (2) to analyze how well digital signature schemes can be used in ad-hoc networks and to compare signature schemes for this purpose; (3) to propose two new extremely efficient authentication schemes for pairwise authentication that mainly use symmetric cryptographic primitives providing a basic form of authentication in sensor networks and certified identification in ad-hoc networks; and (4) an application of authentication providing component identification. Such component identification can be used as a countermeasure to faked components, e.g., for components of automobiles. As a result of this thesis, we recommend the following: First, protocols should be based as much as possible on an approach where trust associations are established to the local one-hop neighborhood only to avoid broadcast authentication schemes; and second, to design protocols that reduce the amount of asymmetric cryptography to a minimum. The protocols proposed in this thesis are a first step to achieve these goals.
Related Tags: Assembly, ASIC, VHDL
Efficient Embedded Implementation of Security Solutions for ad-hoc Networks
Author: B. Driessen
Description:
For many foreseen applications of "wireless sensor networks" (WSN) message integrity is a crucial requirement. Usually, in the area of WSN security services, such as message integrity, are realized by symmetric cryptography only, because asymmetric cryptography is considered as too demanding for typical WSN devices. However, the proposed solutions for symmetric key establishment introduce a significant computation, storage, and – most important – communication overhead. Digital signatures and key-exchange protocols based on asymmetric algorithms would be very valuable though. In the literature usually only RSA and ECC are implemented and compared for sensor nodes, though there exist a variety of innovative asymmetric algorithms. To close this gap, we investigated the efficiency and suitability of digital signature algorithms based on innovative asymmetric primitives for WSN. We chose XTR-DSA and NTRUSign and implemented both (as well as ECDSA) for MICAz motes. We have decomposed the schemes into layers and show where optimizations can be applied reasonably. Furthermore, we have analyzed, evaluated, and tweaked several algorithms with respect to execution time and memory requirements. We have benchmarked most of the implemented algorithms and give detailed information on precomputation overheads and required RAM and ROM memory. Finally, we have performed a comparative analysis of all three schemes with respect to their suitability for WSNs. We found that, while implemented in pure NesC code, NTRUSign is the winner for being 34% faster in signature generation and 95% faster in signature verification – compared to the de-facto standard ECDSA. To the best of our knowledge, this thesis presents the fastest implementations of signature schemes for WSNs, while using novel modifications of well-known algorithms. Our implementation of ECDSA seems to be the fastest available for MICAz hardware and the ATMega128L micro-processor. 
Even our implementation of XTR-DSA performs better than comparable ECDSA implementations. We presume that we present the first detailed approach to implementing XTR-DSA and NTRUSign on constrained hardware.
Related Tags: ASIC, Assembly, embedded
Comparison of Low-Power Public Key Cryptography on MICAz 8-Bit Micro Controller
Author: L. Uhsadel
Description:
The terms ubiquitous and pervasive computing designate the penetration of our everyday life with intelligent devices. These tiny, constrained, and battery powered nodes are used to build WSNs that may process sensitive data. Therefore security as well as low energy consumption are crucial in this field. Since runtime scales with energy consumption efficient implementation is necessary at all costs. We will show by comparing of different implementations of asymmetric algorithms that ECC is a good choice in this case, as it allows shorter key length with adequate security level and furthermore can be efficiently implemented. We will provide mathematical background as well as algorithms for an efficient implementation. Subsequently we will present the fastest known implementation of a 160-bit multiplication, which is the core operation of the prime field of the standardized elliptic curve secp160r1. Even though the implementation is highly optimized for speed, the code-size of 5.4 KB and RAM requirements of 112 B are acceptable. The high efficient prime field is implemented in assembly and available on request. It is thought to be the base for high efficient curve implementations. A curve with basic optimizations is written in C and can also be reused. The 160-bit multiplication has a runtime of 0.39ms and requires with our C implementation of the curve 1.151s for a point multiplication. This could be optimized to approximately 0.76s for one point multiplication in combination with a highly efficient elliptic curve. Furthermore this would allow the execution of an ECDSA signature in less than one second without pre-calculation.
Related Tags: lightweight, crypto, embedded
New Lightweight DES Variants
Author: G. Leander, C. Paar, A. Poschmann, K. Schramm
Description:
In this paper we propose a new block cipher, DESL (DES Lightweight), which is based on the classical DES (Data Encryption Standard) design, but unlike DES it uses a single S-box repeated eight times. On this account we adapt well-known DES S-box design criteria, such that they can be applied to the special case of a single S-box. Furthermore, we show that DESL is resistant against certain types of the most common attacks, i.e., linear and differential cryptanalyses, and the Davies-Murphy attack. Our hardware implementation results of DESL are very promising (1848 GE), therefore DESL is well suited for ultra-constrained devices such as RFID tags.
Related Tags: S-box, lightweight, crypto

 
 
Sunday, 23. July 2017 06:42:30 PM - www.lightweightcrypto.org