A survey on lightweight block ciphers for low-resource devices

Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy in both the software and the hardware case. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (NIST...) and international (ISO/IEC...) standards are listed. We identified several trends in the design of lightweight algorithms, such as the designers’ preference for ARX-based and bitsliced-S-Box-based designs or simpler key schedules. We also discuss more general trade-offs facing the authors of such algorithms and suggest a clearer distinction between two subsets of lightweight cryptography. The first, ultra-lightweight cryptography, deals with primitives fulfilling a unique purpose while satisfying specific and narrow constraints. The second is ubiquitous cryptography and it encompasses more versatile algorithms both in terms of functionality and in terms of implementation trade-offs.

/pdf/state-of-the-art-in-lightweight-symmetric-cryptography-iwr0aicdkf.pdf

State of the Art in Lightweight Symmetric Cryptography

Impossible differential cryptanalysis has shown to be a very powerful form of cryptanalysis against block ciphers. These attacks, even if extensively used, remain not fully understood because of their high technicality. Indeed, numerous are the applications where mistakes have been discovered or where the attacks lack optimality. This paper aims in a first step at formalizing and improving this type of attacks and in a second step at applying our work to block ciphers based on the Feistel construction. In this context, we derive generic complexity analysis formulas for mounting such attacks and develop new ideas for optimizing impossible differential cryptanalysis. These ideas include for example the testing of parts of the internal state for reducing the number of involved key bits. We also develop in a more general way the concept of using multiple differential paths, an idea introduced before in a more restrained context. These advances lead to the improvement of previous attacks against well known ciphers such as CLEFIA-128 and Camellia, while also to new attacks against 23-round LBlock and all members of the Simon family.

/pdf/scrutinizing-and-improving-impossible-differential-attacks-5aukigi9sa.pdf

Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon

/pdf/scrutinizing-and-improving-impossible-differential-attacks-zrkoz5x75b.pdf

Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon (Full Version)

For security applications in wireless sensor networks (WSNs), choosing best algorithms in terms of energy-efficiency and of small memory requirements is a real challenge because the sensor networks must be autonomous. In [17, 35], the authors have benchmarked on a dedicated platform some block-ciphers and have deduced the best candidates to use in the context of small embedded platforms. This article proposes to study on a dedicated platform of sensors most of the recent lightweight block ciphers as well as some conventional block ciphers. First, we describe the design of the chosen block ciphers with a security summary and we then present some implementation tests performed on our platform.

/pdf/survey-and-benchmark-of-lightweight-block-ciphers-for-103jazhj1o.pdf

Survey and Benchmark of Lightweight Block Ciphers for Wireless Sensor Networks.

Camellia, a 128---bit block cipher which has been accepted by ISO/IEC as an international standard, is increasingly being used in many cryptographic applications. In this paper, using the redundancy in the key schedule and accelerating the filtration of wrong pairs, we present a new impossible differential attack to reduced---round Camellia. By this attack 12---round Camellia---128 without FL/FL ? 1 functions and whitening is breakable with a total complexity of about 2116.6 encryptions and 2116.3 chosen plaintexts. In terms of the numbers of the attacked rounds, our attack is better than any previously known attack on Camellia---128.

/pdf/new-results-on-impossible-differential-cryptanalysis-of-54u6fow7j9.pdf

New Results on Impossible Differential Cryptanalysis of Reduced---Round Camellia---128

mCrypton is a 64-bit lightweight block cipher designed for use in low-cost and resource-constrained applications such as RFID tags and sensors in wireless sensor networks. In this paper, we investigate the strength of this cipher against related-key impossible differential cryptanalysis. First, we construct two 6-round related-key impossible differentials for mCrypton-96 and mCrypton-128. Then, using these distinguishers, we present 9-round related-key impossible differential attacks on these two versions. The attack on mCrypton-96 requires 259.9 chosen plaintexts, and has a time complexity of about 274.9 encryptions. The data and time complexities for the attack on mCrypton-128 are 259.7 chosen plaintexts and 266.7 encryptions, respectively. Copyright © 2011 John Wiley & Sons, Ltd.

Cryptanalysis of mCrypton—A lightweight block cipher for security of RFID tags and sensors

CLEFIA, a new 128-bit block cipher proposed by Sony Corporation, is increasingly attracting cryptanalysts’ attention. In this paper, we present two new impossible differential attacks on 13 rounds of CLEFIA-128. The proposed attacks utilize a variety of previously known techniques, in particular the hash table technique and redundancy in the key schedule of this block cipher. The first attack does not consider the whitening layers of CLEFIA, requires 2109.5 chosen plaintexts, and has a running time equivalent to about 2112.9 encryptions. The second attack preserves the whitening layers, requires 2117.8 chosen plaintexts, and has a total time complexity equivalent to about 2121.2 encryptions.

Impossible Differential Attacks on 13-Round CLEFIA-128

PRESENT and MIBS are two lightweight block ciphers that are suitable for low resource devices such as radio-frequency identification tags. In this paper, we present the first biclique cryptanalysis of MIBS block cipher and a new biclique cryptanalysis of PRESENT block cipher. These attacks are performed on full-round MIBS-80 and full-round PRESENT-80. Using matching without matrix technique in the attack on MIBS and choosing a sub-key space of an internal round for key division eventuate to reduce the security of this cipher by 1bit, while the data complexity of attack is 252 chosen plaintext. The attack on PRESENT-80 has a data complexity of at most 222 chosen plaintext and computational complexity of 279.34 encryption that both complexities are lower than of other cryptanalyses of full-round PRESENT-80 so far. Also, in this paper, we use early abort technique to efficiently filter out wrong keys in matching phase of biclique attack of PRESENT-80. Copyright © 2015 John Wiley & Sons, Ltd.

https://onlinelibrary.wiley.com/doi/pdf/10.1002/sec.1375

Biclique cryptanalysis of MIBS-80 and PRESENT-80 block ciphers

Camellia, a 128-bit block cipher that has been accepted by ISO/IEC as an international standard, is increasingly being used in many cryptographic applications. In this study, the authors present a new impossible differential attack on a reduced version of Camellia-256 without FL / FL -1 functions and whitening. First, the authors introduce a new extension of the hash table technique and then exploit it to attack 16 rounds of Camellia-256. When, in an impossible differential attack, the size of the target subkey space is large and the filtration, in the initial steps of the attack, is performed slowly, the extended hash table technique will be very useful. The proposed attack on Camellia-256 requires 2 124.1 known plaintexts and has a running time equivalent to about 2 249.3 encryptions. In terms of the number of attacked rounds, our result is the best published attack on Camellia-256.

Mohsen Shakiba

Papers

New Results on Impossible Differential Cryptanalysis of Reduced---Round Camellia---128

Cryptanalysis of mCrypton—A lightweight block cipher for security of RFID tags and sensors

Impossible Differential Attacks on 13-Round CLEFIA-128

Biclique cryptanalysis of MIBS-80 and PRESENT-80 block ciphers

Impossible differential cryptanalysis of reduced-round Camellia-256