Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Lilliput-AE: a New Lightweight Authenticated Encryption Block Cipher for IoT

83124b745752d1a1b0ca2eee1af0bd48?s=47 Alexis DUQUE
October 29, 2019

Lilliput-AE: a New Lightweight Authenticated Encryption Block Cipher for IoT

Lilliput-AE is a candidate to the new upcoming NIST Lightweight Cryptographic Standardization Process, that has serious advantages from security and performance point of view. Lilliput-AE performs very well on software on 8-bit (e.g., ATMega 128) and 16-bit (e.g., MSP430) platforms since it has comparable or smaller execution time than the two final members of CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) lightweight portfolio: ASCON and ACORN.

This talk will introduce Lilliput-AE design and performances. We will show that Lilliput-AE is well suited for IoT devices and constrained environments.


Alexis DUQUE

October 29, 2019


  1. Lilliput-AE A Lightweight Authenticated Block Cipher Alexis Duque @alexis0duque

  2. Who Am I? Alexis DUQUE Director of Research & Development

    • @alexis0duque • alexisduque • alexisd@rtone.fr • alexisduque.me • https://goo.gl/oNUWu6
  3. R&D Project PACLIDO A Collaborative R&D project on IoT Security

    paclido.fr / @fui_paclido
  4. Goals • Design a lightweight authenticated encryption cipher for IoT

    • Use cases in smart home, smart city, smart factory • BLE, Zigbee, LoRa, LoraWAN, VLC • AVR (8bits), MSP (16bits), Cortex-M (32bits), Cortex-A (64bits) • Participate to the NIST LWC Competition
  5. NIST LWC Competition National Institute of Standards and Technology (NIST)

    ”Because the majority of current cryptographic algorithms were designed for desktop/server environments, many of these algorithms do not fit into the constrained resources.” • March 2017: NIST announces that it has decided to create a portfolio of lightweight algorithms. • August 2018: Call for algorithms. • March 2019: Deadline for packages submissions. • November 4-5, 2019: NIST Lightweight Cryptography Workshop https://csrc.nist.gov/projects/lightweight-cryptography
  6. NIST Call Requirements • Better performance in constrained environments (hardware

    and software) compared to current NIST standards • Authenticated Encryption • Efficient preprocessing of a key: computation time and memory footprint • Countermeasures against various side-channel attack.
  7. NIST Evaluation Criteria • Security evaluation of the algorithms against

    known attacks (e.g., differential cryptanalysis) • Side Channel and Fault Attack Resistance • Cost metrics (e.g., area, memory, energy consumption) and performance metrics (e.g., latency, throughput, power consumption)
  8. Lilliput-AE Tweakable Block Cipher • The encryption uses a tweakable

    block cipher as internal primitive and has an authenticated encryption mode built on top of it. ➔ each tweak T gives a different permutation ➔ T is public M E K T E K M C C Block Cipher Tweakable Block Cipher
  9. Lilliput-AE Tweakable Block Cipher • 2 authenticated encryption modes: Lilliput-I

    and Lilliput-II – Lilliput-I: nonce-respecting mode ΘCB3 – Lilliput-II: nonce-misuse resistant mode SCT-2 [1] T. P. Berger, J. Francq, M. Minier, and G. Thomas, “Extended Generalized Feistel Networks Using Matrix Representation to Propose a New Lightweight Block Cipher: Lilliput,” IEEE Trans. Comput., vol. 65, no. 7, 2016.
  10. Performances on 8bits MCU

  11. Performances on 32bits MCU

  12. Thanks! ... more at paclido.fr/lilliput-ae alexisd@rtone.fr A. Adomnicai, T. Berger,

    C. Clavier, J.Francq, P. Huynh, V. Lallemand, K. Le Gouguec, M. Minier, L. Reynaud, G. Thomas
  13. None