WARP: revisiting GFN for lightweight 128-bit block cipher. (English) Zbl 1485.94052

Dunkelman, Orr (ed.) et al., Selected areas in cryptography. 27th international conference, Halifax, NS, Canada (virtual event), October 21–23, 2020. Revised selected papers. Cham: Springer. Lect. Notes Comput. Sci. 12804, 535-564 (2021).
Summary: In this article, we present WARP, a lightweight 128-bit block cipher with a 128-bit key. It aims at small-footprint circuit in the field of 128-bit block ciphers, possibly for a unified encryption and decryption functionality. The overall structure of WARP is a variant of 32-nibble Type-2 Generalized Feistel Network (GFN), with a permutation over nibbles designed to optimize the security and efficiency. We conduct a thorough security analysis and report comprehensive hardware and software implementation results. Our hardware results show that WARP is the smallest 128-bit block cipher for most of typical hardware implementation strategies. A serialized circuit of WARP achieves around 800 Gate Equivalents (GEs), which is much smaller than previous state-of-the-art implementations of lightweight 128-bit ciphers (they need more than 1,000 GEs). While our primary metric is hardware size, WARP also enjoys several other features, most notably low energy consumption. This is somewhat surprising, since GFN generally needs more rounds than substitution permutation network (SPN), and thus GFN has been considered to be less advantageous in this regard. We show a multi-round implementation of WARP is quite low-energy. Moreover, WARP also performs well on software: our SIMD implementation is quite competitive to known hardware-oriented 128-bit lightweight ciphers for long input, and even much better for small inputs due to the small number of parallel blocks. On 8-bit microcontrollers, the results of our assembly implementations show that WARP is flexible to achieve various performance characteristics.
For the entire collection see [Zbl 1482.94005].


94A60 Cryptography
Full Text: DOI


[1] Andreeva, E., et al.: COLM v1. a CAESAR portfolio (2016)
[2] Avanzi, R., The QARMA block cipher family, IACR Trans. Symmetric Cryptol., 2017, 1, 4-44 (2017)
[3] Banik, S.; Iwata, T.; Cheon, JH, Midori: a block cipher for low energy, Advances in Cryptology - ASIACRYPT 2015, 411-436 (2015), Heidelberg: Springer, Heidelberg · Zbl 1382.94057
[4] Banik, S.; Bogdanov, A.; Luykx, A.; Tischhauser, E., SUNDAE: small universal deterministic authenticated encryption for the internet of things, IACR Trans. Symmetric Cryptol., 2018, 3, 1-35 (2018)
[5] Banik, S., et al.: SUNDAE-GIFT. A Submission to NIST Lightweight Cryptography Project (2019)
[6] Banik, S.; Bogdanov, A.; Regazzoni, F.; Dunkelman, O.; Keliher, L., Exploring energy efficiency of lightweight block ciphers, Selected Areas in Cryptography - SAC 2015, 178-194 (2016), Cham: Springer, Cham · Zbl 1396.94059
[7] Banik, S.; Bogdanov, A.; Regazzoni, F.; Dunkelman, O.; Sanadhya, SK, Atomic-AES: a compact implementation of the AES encryption/decryption core, Progress in Cryptology - INDOCRYPT 2016, 173-190 (2016), Cham: Springer, Cham · Zbl 1411.94049
[8] Banik, S., et al.: GIFT-COFB. A Submission to NIST Lightweight Cryptography Project (2019)
[9] Banik, S., Towards low energy stream ciphers, IACR Trans. Symmetric Cryptol., 2018, 2, 1-19 (2018)
[10] Banik, S.; Pandey, SK; Peyrin, T.; Sasaki, Y.; Sim, SM; Todo, Y.; Fischer, W.; Homma, N., GIFT: a small present, Cryptographic Hardware and Embedded Systems - CHES 2017, 321-345 (2017), Cham: Springer, Cham · Zbl 1450.94026
[11] Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, report 2013/404 (2013). http://eprint.iacr.org/2013/404 · Zbl 1382.94059
[12] Beierle, C.; Canteaut, A.; Leander, G.; Rotella, Y.; Katz, J.; Shacham, H., Proving resistance against invariant attacks: how to choose the round constants, Advances in Cryptology - CRYPTO 2017, 647-678 (2017), Cham: Springer, Cham · Zbl 1410.94045
[13] Beierle, C.; Robshaw, M.; Katz, J., The SKINNY family of block ciphers and its low-latency variant MANTIS, Advances in Cryptology - CRYPTO 2016, 123-153 (2016), Heidelberg: Springer, Heidelberg · Zbl 1372.94412
[14] Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. Cryptology ePrint Archive, report 2016/660 (2016). http://eprint.iacr.org/2016/660
[15] Beierle, C.; Leander, G.; Moradi, A.; Rasoolzadeh, S., CRAFT: lightweight tweakable block cipher with efficient protection against DFA attacks, IACR Trans. Symmetric Cryptol., 2019, 1, 5-45 (2019)
[16] Benadjila, R.; Guo, J.; Lomné, V.; Peyrin, T.; Lange, T.; Lauter, K.; Lisoněk, P., Implementing lightweight block ciphers on x86 architectures, Selected Areas in Cryptography - SAC 2013, 324-351 (2014), Heidelberg: Springer, Heidelberg · Zbl 1362.94019
[17] Berger, TP; Francq, J.; Minier, M.; Thomas, G., Extended generalized Feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput, IEEE Trans. Comput., 65, 7, 2074-2089 (2016) · Zbl 1360.94296
[18] Berger, TP; Minier, M.; Thomas, G.; Lange, T.; Lauter, K.; Lisoněk, P., Extended generalized Feistel networks using matrix representation, Selected Areas in Cryptography - SAC 2013, 289-305 (2014), Heidelberg: Springer, Heidelberg · Zbl 1362.94020
[19] Bhargavan, K., Leurent, G.: On the practical (in-)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 456-467. ACM Press, October 2016
[20] Biham, E.; Biryukov, A.; Shamir, A.; Stern, J., Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, Advances in Cryptology—EUROCRYPT 1999, 12-23 (1999), Heidelberg: Springer, Heidelberg · Zbl 0927.94013
[21] Biham, E.; Shamir, A.; Brickell, EF, Differential cryptanalysis of the full 16-round DES, Advances in Cryptology—CRYPTO 1992, 487-496 (1993), Heidelberg: Springer, Heidelberg · Zbl 0809.94017
[22] Bilgin, B.; Nikova, S.; Nikov, V.; Rijmen, V.; Stütz, G.; Prouff, E.; Schaumont, P., Threshold implementations of all \(3 \times 3\) and \(4 \times 4 S\)-boxes, Cryptographic Hardware and Embedded Systems - CHES 2012, 76-91 (2012), Heidelberg: Springer, Heidelberg · Zbl 1366.94478
[23] Biryukov, A.; Derbez, P.; Perrin, L.; Leander, G., Differential analysis and meet-in-the-middle attack against round-reduced TWINE, Fast Software Encryption, 3-27 (2015), Heidelberg: Springer, Heidelberg · Zbl 1367.94300
[24] Biryukov, A.; Nikolić, I.; Moriai, S., Complementing Feistel ciphers, Fast Software Encryption, 3-18 (2014), Heidelberg: Springer, Heidelberg · Zbl 1321.94040
[25] Bogdanov, A.; Paillier, P.; Verbauwhede, I., PRESENT: an ultra-lightweight block cipher, Cryptographic Hardware and Embedded Systems - CHES 2007, 450-466 (2007), Heidelberg: Springer, Heidelberg · Zbl 1142.94334
[26] Borghoff, J.; Wang, X.; Sako, K., PRINCE - a low-latency block cipher for pervasive computing applications, Advances in Cryptology - ASIACRYPT 2012, 208-225 (2012), Heidelberg: Springer, Heidelberg · Zbl 1292.94035
[27] Boura, C.; Naya-Plasencia, M.; Suder, V.; Sarkar, P.; Iwata, T., Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon, Advances in Cryptology - ASIACRYPT 2014, 179-199 (2014), Heidelberg: Springer, Heidelberg · Zbl 1306.94035
[28] Cauchois, V.; Gomez, C.; Thomas, G., General diffusion analysis: how to find optimal permutations for generalized type-II Feistel schemes, IACR Trans. Symmetric Cryptol., 2019, 1, 264-301 (2019)
[29] Chakraborti, A.; Iwata, T.; Minematsu, K.; Nandi, M.; Fischer, W.; Homma, N., Blockcipher-based authenticated encryption: how small can we go?, Cryptographic Hardware and Embedded Systems - CHES 2017, 277-298 (2017), Cham: Springer, Cham · Zbl 1450.94050
[30] Daemen, J.; Knudsen, L.; Rijmen, V.; Biham, E., The block cipher Square, Fast Software Encryption, 149-165 (1997), Heidelberg: Springer, Heidelberg · Zbl 1385.94025
[31] Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie proposal: NOEKEON (2000). http://gro.noekeon.org/Noekeon-spec.pdf
[32] De Cannière, C.; Dunkelman, O.; Knežević, M.; Clavier, C.; Gaj, K., KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers, Cryptographic Hardware and Embedded Systems - CHES 2009, 272-288 (2009), Heidelberg: Springer, Heidelberg · Zbl 1290.94060
[33] Derbez, P.; Peyrin, T., Note on impossible differential attacks, Fast Software Encryption, 416-427 (2016), Heidelberg: Springer, Heidelberg · Zbl 1387.94079
[34] Derbez, P.; Fouque, P-A; Lambin, B.; Mollimard, V., Efficient search for optimal diffusion layers of generalized Feistel networks, IACR Trans. Symmetric Cryptol., 2019, 1, 218-240 (2019)
[35] Dinu, D.; Le Corre, Y.; Khovratovich, D.; Perrin, L.; Großschädl, J.; Biryukov, A., Triathlon of lightweight block ciphers for the internet of things, J. Cryptogr. Eng., 9, 3, 283-302 (2019)
[36] Grosso, V.; Leurent, G.; Standaert, F-X; Varıcı, K.; Cid, C.; Rechberger, C., LS-designs: bitslice encryption for efficient masked software implementations, Fast Software Encryption, 18-37 (2015), Heidelberg: Springer, Heidelberg · Zbl 1382.94111
[37] Guo, J.; Peyrin, T.; Poschmann, A.; Robshaw, M.; Preneel, B.; Takagi, T., The LED block cipher, Cryptographic Hardware and Embedded Systems - CHES 2011, 326-341 (2011), Heidelberg: Springer, Heidelberg · Zbl 1291.94092
[38] Gupta, KC; Pandey, SK; Venkateswarlu, A., Almost involutory recursive MDS diffusion layers, Des. Codes Cryptogr., 87, 2, 609-626 (2018) · Zbl 1421.94055
[39] Hong, D.; Goubin, L.; Matsui, M., HIGHT: a new block cipher suitable for low-resource device, Cryptographic Hardware and Embedded Systems - CHES 2006, 46-59 (2006), Heidelberg: Springer, Heidelberg · Zbl 1307.94058
[40] Standard for cryptographic protection of data on block-oriented storage devices
[41] Gurobi Optimization Inc.: Gurobi optimizer 6.5 (2015). http://www.gurobi.com/
[42] Iwata, T.; Minematsu, K.; Guo, J.; Morioka, S.; Cid, C.; Rechberger, C., CLOC: authenticated encryption for short input, Fast Software Encryption, 149-167 (2015), Heidelberg: Springer, Heidelberg · Zbl 1382.94121
[43] Jean, J.; Moradi, A.; Peyrin, T.; Sasdrich, P.; Fischer, W.; Homma, N., Bit-sliding: a generic technique for bit-serial implementations of SPN-based primitives, Cryptographic Hardware and Embedded Systems - CHES 2017, 687-707 (2017), Cham: Springer, Cham · Zbl 1446.94142
[44] Knudsen, L.; Leander, G.; Poschmann, A.; Robshaw, MJB; Mangard, S.; Standaert, F-X, PRINTcipher: a block cipher for IC-printing, Cryptographic Hardware and Embedded Systems, CHES 2010, 16-32 (2010), Heidelberg: Springer, Heidelberg · Zbl 1297.94080
[45] Knudsen, L.; Wagner, D.; Daemen, J.; Rijmen, V., Integral cryptanalysis, Fast Software Encryption, 112-127 (2002), Heidelberg: Springer, Heidelberg · Zbl 1045.94527
[46] Kölbl, S.: AVX implementation of the Skinny block cipher (2019). https://github.com/kste/skinny_avx
[47] Krovetz, T.; Rogaway, P.; Joux, A., The software performance of authenticated-encryption modes, Fast Software Encryption, 306-327 (2011), Heidelberg: Springer, Heidelberg · Zbl 1307.94119
[48] Matsui, M.; Helleseth, T., Linear cryptanalysis method for DES cipher, Advances in Cryptology—EUROCRYPT 1993, 386-397 (1994), Heidelberg: Springer, Heidelberg · Zbl 0951.94519
[49] Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symmetric Cryptol. 2016(2), 52-79 (2016). http://tosc.iacr.org/index.php/ToSC/article/view/565
[50] Moradi, A.; Poschmann, A.; Ling, S.; Paar, C.; Wang, H.; Paterson, KG, Pushing the limits: a very compact and a threshold implementation of AES, Advances in Cryptology - EUROCRYPT 2011, 69-88 (2011), Heidelberg: Springer, Heidelberg · Zbl 1281.94044
[51] Mouha, N.; Wang, Q.; Gu, D.; Preneel, B.; Wu, C-K; Yung, M.; Lin, D., Differential and linear cryptanalysis using mixed-integer linear programming, Information Security and Cryptology, 57-76 (2012), Heidelberg: Springer, Heidelberg · Zbl 1292.94118
[52] Naito, Y., Matsui, M., Sugawara, T., Suzuki, D.: SAEB: a lightweight blockcipher-based AEAD mode of operation. IACR TCHES 2018(2), 192-217 (2018). https://tches.iacr.org/index.php/TCHES/article/view/885
[53] Nyberg, K.; Kim, K.; Matsumoto, T., Generalized Feistel networks, Advances in Cryptology—ASIACRYPT 1996, 91-104 (1996), Heidelberg: Springer, Heidelberg · Zbl 1004.94531
[54] Poschmann, A.; Moradi, A.; Khoo, K.; Lim, C-W; Wang, H.; Ling, S., Side-channel resistant crypto for less than 2,300 GE, J. Cryptol., 24, 2, 322-345 (2011) · Zbl 1239.94063
[55] Sasaki, Yu; Aoki, K.; Joux, A., Finding preimages in full MD5 faster than exhaustive search, Advances in Cryptology - EUROCRYPT 2009, 134-152 (2009), Heidelberg: Springer, Heidelberg · Zbl 1239.94064
[56] Sasaki, Y.; Todo, Y.; Coron, J-S; Nielsen, JB, New impossible differential search tool from design and cryptanalysis aspects, Advances in Cryptology - EUROCRYPT 2017, 185-215 (2017), Cham: Springer, Cham · Zbl 1394.94941
[57] Shibutani, K.; Isobe, T.; Hiwatari, H.; Mitsuda, A.; Akishita, T.; Shirai, T.; Preneel, B.; Takagi, T., Piccolo: an ultra-lightweight blockcipher, Cryptographic Hardware and Embedded Systems - CHES 2011, 342-357 (2011), Heidelberg: Springer, Heidelberg · Zbl 1291.94154
[58] Shirai, T.; Shibutani, K.; Akishita, T.; Moriai, S.; Iwata, T.; Biryukov, A., The 128-bit blockcipher CLEFIA (extended abstract), Fast Software Encryption, 181-195 (2007), Heidelberg: Springer, Heidelberg · Zbl 1186.94471
[59] Sun, S.; Hu, L.; Wang, P.; Qiao, K.; Ma, X.; Song, L.; Sarkar, P.; Iwata, T., Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers, Advances in Cryptology - ASIACRYPT 2014, 158-178 (2014), Heidelberg: Springer, Heidelberg · Zbl 1306.94093
[60] Suzaki, T.; Minematsu, K.; Hong, S.; Iwata, T., Improving the generalized Feistel, Fast Software Encryption, 19-39 (2010), Heidelberg: Springer, Heidelberg · Zbl 1279.94117
[61] Suzaki, T.; Minematsu, K.; Morioka, S.; Kobayashi, E.; Knudsen, LR; Wu, H., TWINE: a lightweight block cipher for multiple platforms, Selected Areas in Cryptography, 339-354 (2013), Heidelberg: Springer, Heidelberg · Zbl 1327.94075
[62] Todo, Y.; Oswald, E.; Fischlin, M., Structural evaluation by generalized integral property, Advances in Cryptology - EUROCRYPT 2015, 287-314 (2015), Heidelberg: Springer, Heidelberg · Zbl 1370.94545
[63] Wingers, L.: SUPERCOP: SUPERCOP-20190110/crypto_stream/simon128128ctr/avx2 (2019). https://bench.cr.yp.to/supercop/supercop-20190110.tar.xz
[64] Wu, W.; Zhang, L.; Lopez, J.; Tsudik, G., LBlock: a lightweight block cipher, Applied Cryptography and Network Security, 327-344 (2011), Heidelberg: Springer, Heidelberg · Zbl 1250.94047
[65] Xiang, Z.; Zhang, W.; Bao, Z.; Lin, D.; Cheon, JH; Takagi, T., Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers, Advances in Cryptology - ASIACRYPT 2016, 648-678 (2016), Heidelberg: Springer, Heidelberg · Zbl 1404.94120
[66] Zheng, Y.; Matsumoto, T.; Imai, H.; Brassard, G., On the construction of block ciphers provably secure and not relying on any unproved hypotheses, Advances in Cryptology—CRYPTO 1989 Proceedings, 461-480 (1990), New York: Springer, New York · Zbl 0722.94020
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. It attempts to reflect the references listed in the original paper as accurately as possible without claiming the completeness or perfect precision of the matching.