08-06-2013, 01:58 PM
WG2 - Lightweight Cryptographic Algorithms
Security and Privacy
In this section we give an outline of the security and privacy needs encountered in systems
involving low cost pervasive devices with limited computation and communication resources,
typically RFID tags, and of the way these needs can be addressed using a lightweight cryptographic
protocol. We consider systems comprising two main components:
- low cost devices with limited computation and communication capabilities comprising
  at least an integrated circuit, for instance RFID tags or low cost smart cards;
- an infrastructure, i.e. a device management system capable of communicating with the
  lightweight devices. In the case of an RFID system, the infrastructure consists of a
  back end system connected to radio readers.
Security
Authentication, which addresses the security threat mentioned above (namely preventing the
cloning or impersonation of legitimate devices), probably represents the most exploited topic
in lightweight cryptography.
The following distinction can be made between identification and authentication: while a
protocol allowing a system to identify a device, but not to corroborate this identity and thus
resist cloning or impersonation attacks will be named an identification protocol, a protocol
allowing the system to both identify a device and corroborate this identity will be named
an authentication protocol or equivalently an authentication scheme. If an authentication
protocol additionally results in the corroboration by the device that the device counterpart
in the protocol is legitimate, we will call it a mutual authentication protocol. Efficient authentication
solutions are gradually emerging, even for the most constrained systems. A
first possible approach is to use a block cipher in a traditional challenge-response protocol.
In order to take into account the strong limitation of computing resources in some devices
(3000 GE, or even less, is often considered as an upper complexity limit for typical low-cost
devices), dedicated lightweight block ciphers have been developed, e.g. DESXL, PRESENT,
and KATAN [81, 18, 25]. Such dedicated block ciphers represent an alternative to lightweight
implementations of a standard cipher such as AES [136]. Some stream ciphers with a very low
hardware footprint, e.g. Grain v1 or Trivium [53, 26] are also known to have the potential to
lead to extremely efficient authentication solutions.
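An added example, not taken from the original report: a one-way challenge-response exchange built on PRESENT-80, one of the lightweight block ciphers named above, showing why identification alone does not resist cloning while authentication does. The Tag and BackEnd class names and their methods are assumptions made for illustration.

```python
import hmac
import secrets

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

def present80_encrypt(key: int, block: int) -> int:
    """Encrypt one 64-bit block under an 80-bit key with PRESENT-80 (31 rounds)."""
    state = block
    for rnd in range(1, 32):
        state ^= key >> 16  # addRoundKey: leftmost 64 bits of the key register
        state = sum(SBOX[(state >> 4 * i) & 0xF] << 4 * i for i in range(16))  # sBoxLayer
        # pLayer: bit i moves to position 16*i mod 63 (bit 63 stays in place)
        state = sum(((state >> i) & 1) << (63 if i == 63 else 16 * i % 63) for i in range(64))
        # Key schedule: rotate left by 61, S-box the top nibble, XOR in the round counter
        key = ((key << 61) | (key >> 19)) & (2**80 - 1)
        key = (SBOX[key >> 76] << 76) | (key & (2**76 - 1))
        key ^= rnd << 15
    return state ^ (key >> 16)  # final addRoundKey with K32

# Tag and BackEnd are hypothetical names for this example.
class Tag:
    """Low-cost device: holds an identifier and a secret key shared with the back end."""
    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key

    def respond(self, challenge):
        return self.tag_id, present80_encrypt(self._key, challenge)

class BackEnd:
    """Infrastructure side: issues fresh challenges and checks the response."""
    def __init__(self, keys):
        self._keys = keys  # tag_id -> 80-bit key

    def new_challenge(self):
        return secrets.randbits(64)

    def identify(self, tag_id):
        # Identification only: the claimed identity is known but not corroborated.
        return tag_id in self._keys

    def authenticate(self, challenge, tag_id, response):
        key = self._keys.get(tag_id)
        if key is None:
            return False
        expected = present80_encrypt(key, challenge)
        return hmac.compare_digest(expected.to_bytes(8, "big"), response.to_bytes(8, "big"))
```

A response computed for one challenge is rejected for any other challenge, which is what makes a fresh random challenge per run necessary.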
Block Ciphers
Hardware performance figures for DES, DESXL, HIGHT and SEA were obtained at or calculated
for a frequency of 100 KHz, unless stated otherwise. Please be aware that power figures
cannot be compared adequately between different technologies.
AES
The block cipher Rijndael was designed by Daemen and Rijmen and standardized by NIST
in 2000 as the Advanced Encryption Standard (AES) [99]. In the meantime, many low-cost
implementations of the smallest variant, AES-128, have been published, which range down to
a size of only 3100 gate equivalents. These implementations show that AES-128 can also be
used as a secure and lightweight block cipher in many constrained environments.
Description of AES-128
The AES follows the wide-trail design strategy [32, 114] and
consists of a key schedule and state update transformation. In the following, we give a brief
description of only the smallest variant, AES-128. For a more detailed description of the AES
we refer to [99].
CLEFIA
CLEFIA was developed jointly by Sony and the University of Nagoya and first published at
[120]. Similar to the AES, it has a block length of 128 bits and offers three different key
lengths: 128, 192 and 256 bits. CLEFIA uses a 4-branch and an 8-branch Type-2 generalized
Feistel network and, depending on the key length, it takes 18 (128 bits), 22 (192 bits), or 26
(256 bits) rounds to encrypt one block of data.
Best implementation results
The designers of CLEFIA provide hardware implementation
figures for all key lengths in their paper [120]. Other implementations of CLEFIA
reported in [126] are optimized for high throughput. Though they achieve at their maximum
frequency a higher throughput per area rate, their area is always larger than the implementations
reported in [120]. Thus, at a fixed frequency of 100 KHz their efficiency is worse and
we did not include them in Table 2.1.