EPCBC - A Block Cipher Suitable for Electronic Product Code ...
4n-bit. Their key scheduling algorithms produce 4n-bit round keys from an 80-bit master key. In this
paper, for ease of reference, we shall name the generalized PRESENT block cipher with block size n bits
as “PR-n”.

PRESENT only has 64-bit block size and this may not be suitable for applications which require
lightweight encryption on a larger block size. One example is the upcoming Electronic Product Code
(EPC), which is thought to be a replacement for bar codes using low-cost passive RFID-tags, and in its
smallest form uses 96 bits as a unique identifier for any physical item [22]. A smaller block size of 64
bits (e.g. PRESENT) requires two consecutive encryptions. On the other hand, the use of a larger block
size of 128 bits (e.g. AES) results in a truncation to 96 bits which wastes internal state and effort. Our
intention is thus to design a lightweight and efficient 96-bit block cipher for EPC encryption which has
huge market implications, and at the same time improves previous analysis of PRESENT for increased
confidence in security.

We propose two variants of EPCBC: EPCBC(48,96), which has 48-bit block size and 96-bit key, and
EPCBC(96,96), which has 96-bit block size and 96-bit key. EPCBC(48,96) uses the PR-48 design for
the main cipher structure; for the key schedule, it uses an 8-round variant-Feistel structure with
4-round PR-48 as the nonlinear function. EPCBC(96,96) uses the PR-96 design both for the main cipher
structure and the key schedule.

The security of EPCBC(96,96) against DC and LC relies on that of the PR-96 cipher structure. The DC
and LC bounds can easily be inferred from those of PRESENT [10], because the results of PRESENT
apply to PR-n for any n ≥ 64. Our contribution for the analysis of EPCBC(96,96) is that we improve
on the bounds of [10]. This allows us to deduce DC and LC bounds of EPCBC(96,96) which are tighter
than the bounds obtained by applying the results of [10].

However, in proving the security of EPCBC(48,96) against DC and LC, the DC and LC bounds
cannot be inferred from those of PRESENT [10] because the block size n = 48 is less than 64. Therefore,
we prove new DC/LC bounds for PR-n when n < 64. Using these new bounds, we are able to prove the
resistance of EPCBC(48,96) against DC and LC.

A recent class of powerful attacks against block ciphers are related-key differential attacks [5,6,4,21]
which can break well established standards such as AES-128 and KASUMI. Although the practicality of
these attacks is arguable (due to the difficulty in obtaining related keys), resistance against related-key
differential attack is especially relevant when these block ciphers are used as hash functions in
Davies-Meyer mode (e.g. see [9] and Section 2 of this paper). This is an important issue, since many designers
of RFID security protocols assume a lightweight hash function to be available on the tag [1,26,35]. Our
customized key schedule design ensures many active S-boxes in the key schedule when there is a nonzero
key differential. Consequently and in contrast to PRESENT, we are able to prove resistance against
related-key differential attacks for both versions of EPCBC, which enables a secure usage of EPCBC in
Davies-Meyer mode as a lightweight hash function.

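
The Davies-Meyer construction mentioned above, as an added example that is not from the paper: each message block is fed to the cipher as its key, so a chosen difference between two messages is a chosen key difference under the same plaintext. The cipher is a hypothetical SHA-256-based Feistel stand-in with the block and key sizes of EPCBC(48,96), not EPCBC itself; `toy_encrypt`, `pad`, the zero IV and the sample messages are assumptions.

```python
import hashlib

BLOCK_BITS, KEY_BITS = 48, 96           # sizes of EPCBC(48,96) as given in the text
HALF = BLOCK_BITS // 2
MASK_HALF = (1 << HALF) - 1

def _f(key: int, rnd: int, half: int) -> int:
    # Stand-in round function built on SHA-256; NOT the PR-48 round function.
    data = key.to_bytes(12, "big") + bytes([rnd]) + half.to_bytes(3, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")

def toy_encrypt(key: int, block: int) -> int:
    """Hypothetical 48-bit-block, 96-bit-key Feistel cipher used as a placeholder."""
    left, right = block >> HALF, block & MASK_HALF
    for rnd in range(8):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << HALF) | right

def pad(message: bytes) -> bytes:
    # Merkle-Damgard strengthening: 0x80, zeros, 8-byte bit length; 12-byte blocks.
    out = message + b"\x80"
    out += b"\x00" * (-(len(out) + 8) % 12)
    return out + (8 * len(message)).to_bytes(8, "big")

def davies_meyer(message: bytes, iv: int = 0, trace=None) -> int:
    """H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}: each message block is the cipher key."""
    h = iv
    data = pad(message)
    for i in range(0, len(data), 12):
        key = int.from_bytes(data[i:i + 12], "big")
        if trace is not None:
            trace.append((key, h))      # (cipher key, cipher plaintext) of this call
        h = toy_encrypt(key, h) ^ h     # feed-forward makes the step non-invertible
    return h

def first_call_key_difference(msg_a: bytes, msg_b: bytes) -> tuple:
    """XOR of the keys and XOR of the plaintexts seen by the first cipher call."""
    ta, tb = [], []
    davies_meyer(msg_a, trace=ta)
    davies_meyer(msg_b, trace=tb)
    return ta[0][0] ^ tb[0][0], ta[0][1] ^ tb[0][1]

if __name__ == "__main__":
    a = b"EPC-tag-0001" + b"tail"       # constructed sample messages
    b = b"EPC-tag-0000" + b"tail"
    print(hex(davies_meyer(a)), hex(davies_meyer(b)))
    print(first_call_key_difference(a, b))   # key difference 1, plaintext difference 0
```

Whoever hashes data chooses the cipher's key, which is why the related-key setting is the normal operating condition for a block cipher in this mode rather than an exotic one.
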
Further, we show that EPCBC is resistant against currently best known integral cryptanalysis, statistical
saturation attack, slide attack, algebraic attack and the latest higher-order differential cryptanalysis
from FSE 2011 [11].

On top of this, EPCBC performs well with respect to lightweight applications. In fact, EPCBC(48,96)
has a slightly smaller area footprint than PRESENT-80, while at the same time offering a slightly
higher speed, resulting in a 20% higher figure of merit (FOM). Our power estimates of 2.21 µW for
EPCBC(48,96) and 3.63 µW for EPCBC(96,96) (at 1.8V and 100 KHz) indicate how well EPCBC is
suited for ultra-constrained applications, such as passive RFID tags. As another contribution, we present
an optimized hardware implementation of PRESENT-80 that is both smaller and faster than previously
published results.

The remainder of this paper is organized as follows: in Section 2 we briefly recall the Electronic
Product Code before we propose two variants of EPCBC in Section 3. Then we improve existing and prove
new bounds for generalized PR-n in Section 4, which we will use for the security analysis of EPCBC in