Lilliput-AE: a New Lightweight Authenticated Encryption Block Cipher for IoT

Transcript

1. Lilliput-AE
   A Lightweight Authenticated Block Cipher
   Alexis Duque
   @alexis0duque
   

   View Slide

2. Who Am I?
   Alexis DUQUE
   Director of Research & Development
   • @alexis0duque
   • alexisduque
   • [email protected]
   • alexisduque.me
   • https://goo.gl/oNUWu6
   

   View Slide

3. R&D Project PACLIDO
   A Collaborative R&D project on IoT Security
   paclido.fr / @fui_paclido
   

   View Slide

4. Goals
   ● Design a lightweight authenticated encryption
   cipher for IoT
   ● Use cases in smart home, smart city, smart
   factory
   ● BLE, Zigbee, LoRa, LoraWAN, VLC
   ● AVR (8bits), MSP (16bits), Cortex-M (32bits),
   Cortex-A (64bits)
   ● Participate to the NIST LWC Competition
   

   View Slide

5. NIST LWC Competition
   National Institute of Standards and Technology (NIST)
   ”Because the majority of current cryptographic algorithms were
   designed for desktop/server environments, many of these algorithms
   do not fit into the constrained resources.”
   • March 2017: NIST announces that it has decided to create a
   portfolio of lightweight algorithms.
   • August 2018: Call for algorithms.
   • March 2019: Deadline for packages submissions.
   • November 4-5, 2019: NIST Lightweight Cryptography Workshop
   https://csrc.nist.gov/projects/lightweight-cryptography
   

   View Slide

6. NIST Call Requirements
   • Better performance in constrained environments
   (hardware and software) compared to current NIST
   standards
   • Authenticated Encryption
   • Efficient preprocessing of a key: computation time
   and memory footprint
   • Countermeasures against various side-channel
   attack.
   

   View Slide

7. NIST Evaluation Criteria
   • Security evaluation of the algorithms against known
   attacks (e.g., differential cryptanalysis)
   • Side Channel and Fault Attack Resistance
   • Cost metrics (e.g., area, memory, energy
   consumption) and performance metrics (e.g.,
   latency, throughput, power consumption)
   

   View Slide

8. Lilliput-AE Tweakable Block Cipher
   • The encryption uses a tweakable block cipher as
   internal primitive and has an authenticated
   encryption mode built on top of it.
   ➔ each tweak T gives a
   different permutation
   ➔ T is public
   M
   E
   K
   T
   E
   K
   M
   C
   C
   Block Cipher Tweakable Block Cipher
   

   View Slide

9. Lilliput-AE Tweakable Block Cipher
   • 2 authenticated encryption modes: Lilliput-I and Lilliput-II
   – Lilliput-I: nonce-respecting mode ΘCB3
   – Lilliput-II: nonce-misuse resistant mode SCT-2
   [1] T. P. Berger, J. Francq, M. Minier, and G. Thomas, “Extended Generalized Feistel Networks Using Matrix Representation to Propose a
   New Lightweight Block Cipher: Lilliput,” IEEE Trans. Comput., vol. 65, no. 7, 2016.
   

   View Slide

10. Performances on 8bits MCU
    

    View Slide

11. Performances on 32bits MCU
    

    View Slide

12. Thanks!
    ... more at paclido.fr/lilliput-ae
    [email protected]
    A. Adomnicai, T. Berger, C. Clavier, J.Francq, P. Huynh, V. Lallemand, K. Le Gouguec,
    M. Minier, L. Reynaud, G. Thomas
    

    View Slide

13. View Slide