Swap and Rotate: Lightweight Linear Layers for SPN-based Blockciphers
In CHES 2017, Jean et al. presented a paper on “Bit-Sliding” in which the authors proposed lightweight constructions for SPN based block ciphers like AES, PRESENT and SKINNY. The main idea behind these constructions was to reduce the length of the datapath to 1 bit and to reformulate the linear laye...
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Ruhr-Universität Bochum
2020-05-01
|
| Series: | IACR Transactions on Symmetric Cryptology |
| Subjects: | |
| Online Access: | https://tosc.iacr.org/index.php/ToSC/article/view/8563 |
| _version_ | 1818772054530326528 |
|---|---|
| author | Subhadeep Banik Fatih Balli Francesco Regazzoni Serge Vaudenay |
| author_facet | Subhadeep Banik Fatih Balli Francesco Regazzoni Serge Vaudenay |
| author_sort | Subhadeep Banik |
| collection | DOAJ |
| description | In CHES 2017, Jean et al. presented a paper on “Bit-Sliding” in which the authors proposed lightweight constructions for SPN based block ciphers like AES, PRESENT and SKINNY. The main idea behind these constructions was to reduce the length of the datapath to 1 bit and to reformulate the linear layer for these ciphers so that they require fewer scan flip-flops (which have built-in multiplexer functionality and so larger in area as compared to a simple flip-flop). In this paper, we develop their idea even further in few separate directions.
First, we prove that given an arbitrary linear transformation, it is always possible to construct the linear layer using merely 2 scan flip-flops. This points to an optimistic venue to follow to gain further GE reductions, yet the straightforward application of the techniques in our proof to PRESENT and GIFT leads to inefficient implementations of the linear layer, as reducing ourselves to 2 scan flip-flops setting requires thousands of clock cycles and leads to very high latency.
Equipped with the well-established formalism on permutation groups, we explore whether we can reduce the number of clock cycles to a practical level, i.e. few hundreds, by adding few more pairs of scan flip flops. For PRESENT, we show that 4 (resp. 8, 12) scan flip-flops are sufficient to complete the permutation layer in 384 (resp. 256, 128) clock cycles. For GIFT, we show that 4 (resp. 8, 10) scan flip flops correspond to 320 (resp. 192, 128) clock cycles. Finally, in order to provide the best of the two worlds (i.e. circuit area and latency), we push our scan flip-flop choices even further to completely eliminate the latency incurred by the permutation layer, without compromising our stringent GE budget. We show that not only 12 scan flip flops are sufficient to execute PRESENT permutation in 64 clock cycles, but also the same scan flip flops can be used readily in a combined encryption decryption circuit. Our final design of PRESENT and GIFT beat the record of Jean et al. and Banik et al. in both latency and in circuit-size metric. We believe that the techniques presented in our work can also be used at choosing bit-sliding-friendly linear layer permutations for the future SPN-based designs. |
| first_indexed | 2024-12-18T10:03:15Z |
| format | Article |
| id | doaj.art-8bb310bd54704013a09eeda20ebf4aeb |
| institution | Directory Open Access Journal |
| issn | 2519-173X |
| language | English |
| last_indexed | 2024-12-18T10:03:15Z |
| publishDate | 2020-05-01 |
| publisher | Ruhr-Universität Bochum |
| record_format | Article |
| series | IACR Transactions on Symmetric Cryptology |
| spelling | doaj.art-8bb310bd54704013a09eeda20ebf4aeb2022-12-21T21:11:36ZengRuhr-Universität BochumIACR Transactions on Symmetric Cryptology2519-173X2020-05-012020110.13154/tosc.v2020.i1.185-232Swap and Rotate: Lightweight Linear Layers for SPN-based BlockciphersSubhadeep Banik0Fatih Balli1Francesco Regazzoni2Serge Vaudenay3Security and Cryptography Laboratory (LASEC), École Polytechnique Fédérale de Lausanne, Lausanne, SwitzerlandSecurity and Cryptography Laboratory (LASEC), École Polytechnique Fédérale de Lausanne, Lausanne, SwitzerlandAdvanced Learning and Research Institute (ALaRI), University of Lugano, Lugano, SwitzerlandSecurity and Cryptography Laboratory (LASEC), École Polytechnique Fédérale de Lausanne, Lausanne, SwitzerlandIn CHES 2017, Jean et al. presented a paper on “Bit-Sliding” in which the authors proposed lightweight constructions for SPN based block ciphers like AES, PRESENT and SKINNY. The main idea behind these constructions was to reduce the length of the datapath to 1 bit and to reformulate the linear layer for these ciphers so that they require fewer scan flip-flops (which have built-in multiplexer functionality and so larger in area as compared to a simple flip-flop). In this paper, we develop their idea even further in few separate directions. First, we prove that given an arbitrary linear transformation, it is always possible to construct the linear layer using merely 2 scan flip-flops. This points to an optimistic venue to follow to gain further GE reductions, yet the straightforward application of the techniques in our proof to PRESENT and GIFT leads to inefficient implementations of the linear layer, as reducing ourselves to 2 scan flip-flops setting requires thousands of clock cycles and leads to very high latency. Equipped with the well-established formalism on permutation groups, we explore whether we can reduce the number of clock cycles to a practical level, i.e. few hundreds, by adding few more pairs of scan flip flops. For PRESENT, we show that 4 (resp. 8, 12) scan flip-flops are sufficient to complete the permutation layer in 384 (resp. 256, 128) clock cycles. For GIFT, we show that 4 (resp. 8, 10) scan flip flops correspond to 320 (resp. 192, 128) clock cycles. Finally, in order to provide the best of the two worlds (i.e. circuit area and latency), we push our scan flip-flop choices even further to completely eliminate the latency incurred by the permutation layer, without compromising our stringent GE budget. We show that not only 12 scan flip flops are sufficient to execute PRESENT permutation in 64 clock cycles, but also the same scan flip flops can be used readily in a combined encryption decryption circuit. Our final design of PRESENT and GIFT beat the record of Jean et al. and Banik et al. in both latency and in circuit-size metric. We believe that the techniques presented in our work can also be used at choosing bit-sliding-friendly linear layer permutations for the future SPN-based designs.https://tosc.iacr.org/index.php/ToSC/article/view/8563Lightweight circuitPRESENTGIFTFLIP |
| spellingShingle | Subhadeep Banik Fatih Balli Francesco Regazzoni Serge Vaudenay Swap and Rotate: Lightweight Linear Layers for SPN-based Blockciphers IACR Transactions on Symmetric Cryptology Lightweight circuit PRESENT GIFT FLIP |
| title | Swap and Rotate: Lightweight Linear Layers for SPN-based Blockciphers |
| title_full | Swap and Rotate: Lightweight Linear Layers for SPN-based Blockciphers |
| title_fullStr | Swap and Rotate: Lightweight Linear Layers for SPN-based Blockciphers |
| title_full_unstemmed | Swap and Rotate: Lightweight Linear Layers for SPN-based Blockciphers |
| title_short | Swap and Rotate: Lightweight Linear Layers for SPN-based Blockciphers |
| title_sort | swap and rotate lightweight linear layers for spn based blockciphers |
| topic | Lightweight circuit PRESENT GIFT FLIP |
| url | https://tosc.iacr.org/index.php/ToSC/article/view/8563 |
| work_keys_str_mv | AT subhadeepbanik swapandrotatelightweightlinearlayersforspnbasedblockciphers AT fatihballi swapandrotatelightweightlinearlayersforspnbasedblockciphers AT francescoregazzoni swapandrotatelightweightlinearlayersforspnbasedblockciphers AT sergevaudenay swapandrotatelightweightlinearlayersforspnbasedblockciphers |