Lilliput-AE: a New Lightweight Authenticated Encryption Block Cipher for IoT

Transcript

1. Lilliput-AE A Lightweight Authenticated Block Cipher Alexis Duque @alexis0duque

2. Who Am I? Alexis DUQUE Director of Research & Development

   • @alexis0duque • alexisduque • [email protected] • alexisduque.me • https://goo.gl/oNUWu6

3. R&D Project PACLIDO A Collaborative R&D project on IoT Security

   paclido.fr / @fui_paclido

4. Goals • Design a lightweight authenticated encryption cipher for IoT

   • Use cases in smart home, smart city, smart factory • BLE, Zigbee, LoRa, LoraWAN, VLC • AVR (8bits), MSP (16bits), Cortex-M (32bits), Cortex-A (64bits) • Participate to the NIST LWC Competition

5. NIST LWC Competition National Institute of Standards and Technology (NIST)

   ”Because the majority of current cryptographic algorithms were designed for desktop/server environments, many of these algorithms do not fit into the constrained resources.” • March 2017: NIST announces that it has decided to create a portfolio of lightweight algorithms. • August 2018: Call for algorithms. • March 2019: Deadline for packages submissions. • November 4-5, 2019: NIST Lightweight Cryptography Workshop https://csrc.nist.gov/projects/lightweight-cryptography

6. NIST Call Requirements • Better performance in constrained environments (hardware

   and software) compared to current NIST standards • Authenticated Encryption • Efficient preprocessing of a key: computation time and memory footprint • Countermeasures against various side-channel attack.

7. NIST Evaluation Criteria • Security evaluation of the algorithms against

   known attacks (e.g., differential cryptanalysis) • Side Channel and Fault Attack Resistance • Cost metrics (e.g., area, memory, energy consumption) and performance metrics (e.g., latency, throughput, power consumption)

8. Lilliput-AE Tweakable Block Cipher • The encryption uses a tweakable

   block cipher as internal primitive and has an authenticated encryption mode built on top of it. ➔ each tweak T gives a different permutation ➔ T is public M E K T E K M C C Block Cipher Tweakable Block Cipher

9. Lilliput-AE Tweakable Block Cipher • 2 authenticated encryption modes: Lilliput-I

   and Lilliput-II – Lilliput-I: nonce-respecting mode ΘCB3 – Lilliput-II: nonce-misuse resistant mode SCT-2 [1] T. P. Berger, J. Francq, M. Minier, and G. Thomas, “Extended Generalized Feistel Networks Using Matrix Representation to Propose a New Lightweight Block Cipher: Lilliput,” IEEE Trans. Comput., vol. 65, no. 7, 2016.

10. Performances on 8bits MCU

11. Performances on 32bits MCU

12. Thanks! ... more at paclido.fr/lilliput-ae [email protected] A. Adomnicai, T. Berger,

    C. Clavier, J.Francq, P. Huynh, V. Lallemand, K. Le Gouguec, M. Minier, L. Reynaud, G. Thomas
13. None