
PIPO: a lightweight block cipher with efficient higher-order masking software implementations. (English) Zbl 07497442

Hong, Deukjo (ed.), Information security and cryptology – ICISC 2020. 23rd international conference, Seoul, South Korea, December 2–4, 2020. Proceedings. Cham: Springer. Lect. Notes Comput. Sci. 12593, 99-122 (2021).
Summary: In this paper, we introduce a new lightweight 64-bit block cipher, PIPO, supporting a 128- or 256-bit key (PIPO stands for “Plug-In” and “Plug-Out”, representing its use in side-channel protected and unprotected environments, respectively). It is a byte-oriented and bitsliced cipher that offers excellent performance in 8-bit AVR software implementations. In particular, PIPO allows for efficient higher-order masking implementations, since it uses a minimal number of nonlinear operations. Our implementations demonstrate that PIPO outperforms existing block ciphers (for the same block and key lengths) in both side-channel protected and unprotected environments on an 8-bit AVR. Furthermore, PIPO achieves competitive round-based hardware implementations.
For the nonlinear layer of PIPO, we have developed a new lightweight 8-bit S-box that admits an efficient bitsliced implementation using only 11 nonlinear bitwise operations. Furthermore, its differential and linear branch numbers are both 3. This property enables PIPO to thwart differential and linear attacks with fewer rounds. The security of PIPO has been scrutinized with regard to state-of-the-art cryptanalysis.
For the entire collection see [Zbl 1482.68025].

MSC:

68P25 Data encryption (aspects in computer science)
94A60 Cryptography
