02.12.2012

EPCBC - A Block Cipher Suitable for Electronic Product Code ...

xored to each round. Therefore this boils down to the subkeys being cyclic with period t, in which case F consists of t rounds of the cipher. The adversary needs to find a slid pair (P0,C0) and (P1,C1) such that P0 = F(P1) and C0 = F(C1). Then with these chosen plaintexts, he only needs to attack t rounds instead of the entire cipher. In EPCBC, the key schedule is essentially a block cipher by itself where the input is the secret key and the output of each round is a subkey. So it is highly unlikely that the subkeys will be periodic to allow a slide attack. We have also added different round constants to each round to ensure that the subkeys do not repeat.

Algebraic Attacks. In 2002, it was claimed in [17] that the XSL method is able to break AES by expressing the cipher as a sparse system of quadratic equations and solving it. However, in 2005 it was proven in [14] that the XSL attack does not work. Instead, practical results on algebraic cryptanalysis of block ciphers have been obtained by applying the Buchberger and F4 algorithms within MAGMA [39]. Therefore, the authors of PRESENT applied the F4 algorithm in MAGMA to solve a mini version of PRESENT [10]. They found that even for a system consisting of seven S-boxes, i.e. a block size of 28 bits, they were unable to obtain a solution in reasonable time even for a two-round version of the reduced cipher. They therefore conclude that algebraic attacks are unlikely to pose a threat to PRESENT, which can be written as a system of 11067 quadratic equations in 4216 variables arising from 527 S-boxes. The EPCBC cipher also uses the PRESENT S-box, which can be described by 21 quadratic equations in 8 input/output-bit variables over GF(2) [10]. There are 12×32+12×33 = 780 S-boxes in EPCBC(48,96). Thus it can be expressed as a system of 780×21 = 16380 quadratic equations in 780×8 = 6240 variables. Similarly, EPCBC(96,96) has 1560 S-boxes and can be expressed as a system of 32760 quadratic equations in 12480 variables. Hence both versions of EPCBC result in a more complex system of quadratic equations than that of PRESENT. Therefore we do not expect algebraic attacks to be a threat to EPCBC either.
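The figures in the paragraph above rest on one computed fact: that the PRESENT S-box admits exactly 21 linearly independent quadratic relations over GF(2). The script below, added here as a worked example and not taken from the paper or its authors, reproduces that count from the published S-box table by evaluating all 37 monomials of degree at most 2 in the 8 input/output bits at the 16 input points and taking the GF(2) co-rank of the resulting matrix. It then scales the per-S-box count to the EPCBC systems quoted above. The decomposition of the 780 S-boxes of EPCBC(48,96) into data-path and key-schedule contributions is an assumption made for the comment only; the paper gives just the product terms.

```python
"""Count GF(2) quadratic relations of the PRESENT S-box and scale them to the
EPCBC equation systems. Added example; not code from the EPCBC paper."""
from itertools import combinations

# Published PRESENT S-box (4-bit nibble in -> nibble out), reused by EPCBC.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def _bits(value, n=4):
    """Little-endian list of the n low bits of value."""
    return [(value >> i) & 1 for i in range(n)]


def quadratic_monomials(nvars=8):
    """All monomials of degree <= 2 over nvars variables, as index tuples:
    the constant 1 (empty tuple), each variable, each pair of distinct variables.
    For 8 variables that is 1 + 8 + 28 = 37 monomials."""
    return ([()] + [(i,) for i in range(nvars)]
            + list(combinations(range(nvars), 2)))


def evaluation_matrix(sbox):
    """One row per S-box input x: bit j is the value of monomial j evaluated at
    (x0..x3, y0..y3) with y = S(x). Returns (rows, number_of_monomials)."""
    monos = quadratic_monomials()
    rows = []
    for x in range(16):
        point = _bits(x) + _bits(sbox[x])
        row = 0
        for j, mono in enumerate(monos):
            # An empty product is the constant 1.
            if all(point[i] for i in mono):
                row |= 1 << j
        rows.append(row)
    return rows, len(monos)


def gf2_rank(rows):
    """Rank over GF(2) by elimination on bit-packed rows: repeatedly pick the
    row with the highest leading bit as pivot and clear that bit elsewhere."""
    rows = list(rows)
    rank = 0
    while rows:
        pivot = max(rows)
        if pivot == 0:
            break
        rows.remove(pivot)
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows]
        rank += 1
    return rank


def count_quadratic_equations(sbox):
    """Number of linearly independent quadratic relations among the
    input/output bits: monomials minus the rank of the evaluation matrix."""
    rows, nmonos = evaluation_matrix(sbox)
    return nmonos - gf2_rank(rows)


def sboxes_epcbc_48_96():
    """The two products the paper quotes for EPCBC(48,96); reading them as
    12 S-boxes in each of 32 data rounds plus 12 in each of 33 key-schedule
    rounds is an assumption for this comment."""
    return 12 * 32 + 12 * 33


def system_size(n_sboxes, eqs_per_sbox, vars_per_sbox=8):
    """(equations, variables) of the whole-cipher quadratic system."""
    return n_sboxes * eqs_per_sbox, n_sboxes * vars_per_sbox


if __name__ == "__main__":
    eqs = count_quadratic_equations(PRESENT_SBOX)
    print("PRESENT S-box quadratic equations:", eqs)
    print("EPCBC(48,96):", system_size(sboxes_epcbc_48_96(), eqs))
    print("EPCBC(96,96):", system_size(1560, eqs))
```

The identity S-box is a useful contrast: its output bits are the input bits, so only 11 of the 37 monomials are distinct functions and 26 relations appear, showing that the count measures how little algebraic structure the S-box leaks rather than being fixed by the bit widths alone.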

6 Implementation of EPCBC

To demonstrate the efficiency of our proposal we have implemented EPCBC(48,96) and EPCBC(96,96) in VHDL and used Synopsys DesignVision 2007.12 to synthesize them using the Virtual Silicon (VST) standard cell library UMCL18G212T3, which is based on the UMC L180 0.18µm 1P6M logic process and has a typical voltage of 1.8 Volt [45].

Figure 1 depicts serialized hardware architectures for EPCBC(48,96) (top) and EPCBC(96,96) (bottom). Components that contain mainly sequential logic are presented in rectangles while purely combinational components are presented in ovals. Naturally the architecture of EPCBC is very similar to a serialized PRESENT architecture, as published previously e.g. in [44,43]. A significant difference is in the key schedule of EPCBC(48,96), as it does not perform any operation on the left half of the key (i.e. LKey) in every round. This allows LKey to be stored in the simplest flip-flops available (4.67 GE per bit), in contrast to the State and RKey, which have to be stored in flip-flops with two inputs (6 GE). Another optimization is that every round requires only n/4 clock cycles, n being the block size, as compared to n/4+1 clock cycles in e.g. [44,43]. This is achieved by simply wiring the S-box output directly as input to the Permutation layer, thus combining the S-box look-up of the last chunk of a round with the Permutation layer into one clock cycle. Note that this optimization can also be applied to PRESENT. Thus, a second contribution of this paper is optimized serialized PRESENT-80 and PRESENT-128 implementations that require only 516 and 528 clock cycles (compared to 547 and 559 previously, respectively [44]). Note that in order to apply this speed-up trick a second S-box has to be implemented (22.3 GE³), while the MUX (11 GE) for the S-box input can be saved. In principle this would result in a 6 GE larger area requirement compared to the design strategy of [44]. However, since

³ We hereby acknowledge the support of Dag Arne Osvik to derive a more compact S-box.
