Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Lilliput-AE: a New Lightweight Authenticated Encryption Block Cipher for IoT

Alexis DUQUE
October 29, 2019

Lilliput-AE: a New Lightweight Authenticated Encryption Block Cipher for IoT

Lilliput-AE is a candidate to the new upcoming NIST Lightweight Cryptographic Standardization Process, that has serious advantages from security and performance point of view. Lilliput-AE performs very well on software on 8-bit (e.g., ATMega 128) and 16-bit (e.g., MSP430) platforms since it has comparable or smaller execution time than the two final members of CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) lightweight portfolio: ASCON and ACORN.

This talk will introduce Lilliput-AE design and performances. We will show that Lilliput-AE is well suited for IoT devices and constrained environments.

Alexis DUQUE

October 29, 2019

More Decks by Alexis DUQUE

Other Decks in Research


  1. Who Am I? Alexis DUQUE Director of Research & Development

    • @alexis0duque • alexisduque • [email protected] • alexisduque.me • https://goo.gl/oNUWu6
  2. Goals • Design a lightweight authenticated encryption cipher for IoT

    • Use cases in smart home, smart city, smart factory • BLE, Zigbee, LoRa, LoraWAN, VLC • AVR (8bits), MSP (16bits), Cortex-M (32bits), Cortex-A (64bits) • Participate to the NIST LWC Competition
  3. NIST LWC Competition National Institute of Standards and Technology (NIST)

    ”Because the majority of current cryptographic algorithms were designed for desktop/server environments, many of these algorithms do not fit into the constrained resources.” • March 2017: NIST announces that it has decided to create a portfolio of lightweight algorithms. • August 2018: Call for algorithms. • March 2019: Deadline for packages submissions. • November 4-5, 2019: NIST Lightweight Cryptography Workshop https://csrc.nist.gov/projects/lightweight-cryptography
  4. NIST Call Requirements • Better performance in constrained environments (hardware

    and software) compared to current NIST standards • Authenticated Encryption • Efficient preprocessing of a key: computation time and memory footprint • Countermeasures against various side-channel attack.
  5. NIST Evaluation Criteria • Security evaluation of the algorithms against

    known attacks (e.g., differential cryptanalysis) • Side Channel and Fault Attack Resistance • Cost metrics (e.g., area, memory, energy consumption) and performance metrics (e.g., latency, throughput, power consumption)
  6. Lilliput-AE Tweakable Block Cipher • The encryption uses a tweakable

    block cipher as internal primitive and has an authenticated encryption mode built on top of it. ➔ each tweak T gives a different permutation ➔ T is public M E K T E K M C C Block Cipher Tweakable Block Cipher
  7. Lilliput-AE Tweakable Block Cipher • 2 authenticated encryption modes: Lilliput-I

    and Lilliput-II – Lilliput-I: nonce-respecting mode ΘCB3 – Lilliput-II: nonce-misuse resistant mode SCT-2 [1] T. P. Berger, J. Francq, M. Minier, and G. Thomas, “Extended Generalized Feistel Networks Using Matrix Representation to Propose a New Lightweight Block Cipher: Lilliput,” IEEE Trans. Comput., vol. 65, no. 7, 2016.
  8. Thanks! ... more at paclido.fr/lilliput-ae [email protected] A. Adomnicai, T. Berger,

    C. Clavier, J.Francq, P. Huynh, V. Lallemand, K. Le Gouguec, M. Minier, L. Reynaud, G. Thomas