5 More about Block Ciphers

Block cipher mode of operation (2)History and standardization (3)Initialization vector (IV) (3)Padding (4)Common modes (4)Electronic codebook (ECB) (5)Cipher-block chaining (CBC) (7)Propagating cipher-block chaining (PCBC) (8)Cipher feedback (CFB) (9)Output feedback (OFB) (11)Counter (CTR) (12)Error propagation (14)Authenticated encryption (14)Other modes and other cryptographic primitives (15)References (15)Block cipher mode of operationAuthor:windwalkE_mail:windwalk@This article is about cryptography. For "method of operating", see modus operandi.In cryptography, a mode of operation is an algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity.[1] A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of bits called a block.[2] A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.[3][4][5]Most modes require a unique binary sequence, often called an initialization vector (IV), for each encryption operation. The IV has to be non-repeating and for some modes random as well. The initialization vector is used to ensure distinct ciphertexts are produced even when the same plaintext is encrypted multiple times independently with the same key.[6] Block ciphers have one or more block size(s), but during transformation the block size is always fixed. Block cipher modes operate on whole blocks and require that the last part of the data be padded to a full block if it is smaller than the current block size.[2] There are, however, modes that do not require padding because they effectively use a block cipher as a stream cipher.Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded integrity protection as an entirely separate cryptographic goal. Some modern modes of operation combine confidentiality and authenticity in an efficient way, and are known as authenticated encryption modes.[7]Contents1 History and standardization2 Initialization vector (IV)3 Padding4 Common modes4.1 Electronic codebook (ECB)4.2 Cipher-block chaining (CBC)4.3 Propagating cipher-block chaining (PCBC)4.4 Cipher feedback (CFB)4.5 Output feedback (OFB)4.6 Counter (CTR)5 Error propagation6 Authenticated encryption7 Other modes and other cryptographic primitives8 ReferencesHistory and standardizationThe earliest modes of operation, ECB, CBC, OFB, and CFB (see below for all), date back to 1981 and were specified in FIPS 81, DES Modes of Operation. In 2001, NIST revised its list of approved modes of operation by including AES as a block cipher and adding CTR mode in SP800-38A, Recommendation for Block Cipher Modes of Operation. Finally, in January, 2010, NIST added XTS-AES in SP800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. Other confidentiality modes exist which have not been approved by NIST. For example, CTS is ciphertext stealing mode and available in many popular cryptographic libraries.The block cipher modes ECB, CBC, OFB, CFB, CTR, and XTS provide confidentiality, but they do not protect against accidental modification or malicious tampering. Modification or tampering can be detected with a separate message authentication code such as CBC-MAC, or a digital signature. The cryptographic community recognized the need for dedicated integrity assurances and NIST responded with HMAC, CMAC, and GMAC. HMAC was approved in 2002 as FIPS 198, The Keyed-Hash Message Authentication Code (HMAC), CMAC was released in 2005 under SP800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, and GMAC was formalized in 2007 under SP800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC.After observing that compositing a confidentiality mode with an authenticity mode could be difficult and error prone, the cryptographic community began to supply modes which combined confidentiality and data integrity into a single cryptographic primitive. The modes are referred to as authenticated encryption, AE or "authenc". Examples of authenc modes are CCM (SP800-38C), GCM (SP800-38D), CWC, EAX, IAPM, and OCB.Modes of operation are nowadays defined by a number of national and internationally recognized standards bodies. Notable standards organizations include NIST, ISO (with ISO/IEC 10116[5]), the IEC, the IEEE, the national ANSI, and the IETF.Initialization vector (IV)Main article: Initialization vectorAn initialization vector (IV) or starting variable (SV)[5] is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.[6]An initialization vector has different security requirements than a key, so the IV usually does notneed to be secret. However, in most cases, it is important that an initialization vector is never reused under the same key. For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages. For OFB and CTR, reusing an IV completely destroys security.[6] This can be seen because both modes effectively create a bitstream that is XORed with the plaintext, and this bitstream is dependent on the password and IV only. Reusing a bitstream destroys security.[8] In CBC mode, the IV must, in addition, be unpredictable at encryption time; in particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about plaintext of some block that was encrypted with the same key before (this is known as the TLS CBC IV attack).[9]PaddingMain article: Padding (cryptography)A block cipher works on units of a fixed size (known as a block size), but messages come in a variety of lengths. So some modes (namely ECB and CBC) require that the final block be padded before encryption. Several padding schemes exist. The simplest is to add null bytes to the plaintext to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered; this is so, for example, if the plaintext is aC style string which contains no null bytes except at the end. Slightly more complex is the original DES method, which is to add a single one bit, followed by enough zero bits to fill out the block; if the message ends on a block boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes such as ciphertext stealing or residual block termination, which do not cause any extra ciphertext, at the expense of some additional complexity. Schneier and Ferguson suggest two possibilities, both simple: append a byte with value 128 (hex 80), followed by as many zero bytes as needed to fill the last block, or pad the last block with n bytes all with value n.CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since the modes work by XORing the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last keystream block, producing a final ciphertext block that is the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the encrypted ciphertext data to be the same size as the original plaintext data, and for applications that transmit data in streaming form where it is inconvenient to add padding bytes.Common modesMany modes of operation have been defined. Some of these are described below.Electronic codebook (ECB)ECBElectronic codebookEncryption parallelizable: YesDecryption parallelizable: YesThe simplest of the encryption modes is the electronic codebook (ECB) mode. The message is divided into blocks, and each block is encrypted separately.The disadvantage of this method is that identical plaintext blocks are encrypted into identical ciphertext blocks; thus, it does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.A striking example of the degree to which ECB can leave plaintext data patterns in the ciphertext can be seen when ECB mode is used to encrypt a bitmap image which uses large areas of uniform colour. While the colour of each individual pixel is encrypted, the overall image may still be discerned as the pattern of identically coloured pixels in the original remains in the encrypted version.Original imageEncrypted using ECB modeModes other than ECB result in pseudo-randomnessThe image on the right is how the image might appear encrypted with CBC, CTR or any of the other more secure modes—indistinguishable from random noise. Note that the random appearance of the image on the right does not ensure that the image has been securely encrypted; many kinds of insecure encryption have been developed which would produce output just as "random-looking".ECB mode can also make protocols without integrity protection even more susceptible to replay attacks, since each block gets decrypted in exactly the same way.Cipher-block chaining (CBC)CBCCipher-block chainingEncryption parallelizable: NoDecryption parallelizable: YesIBM invented the cipher-block chaining (CBC) mode of operation in 1976.[10] In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.If the first block has index 1, the mathematical formula for CBC encryption iswhile the mathematical formula for CBC decryption isCBC has been the most commonly used mode of operation. Its main drawbacks are thatencryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as ciphertext stealing. Note that a one-bit change in a plaintext or IV affects all following ciphertext blocks.Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because a plaintext block can be recovered from two adjacent blocks of ciphertext. As a consequence, decryption can be parallelized. Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact.Propagating cipher-block chaining (PCBC)PCBCPropagating cipher-block chainingEncryption parallelizable: NoDecryption parallelizable: NoThe propagating cipher-block chaining[11] or plaintext cipher-block chaining[12] mode was designed to cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when encrypting.Encryption and decryption algorithms are as follows:PCBC is used in Kerberos v4 and WASTE, most notably, but otherwise is not common. On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this does not affect the decryption of subsequent blocks.[13] For this reason, PCBC is not used in Kerberos v5.Cipher feedback (CFB)CFBCipher feedbackEncryption parallelizable: NoDecryption parallelizable: YesThe cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. Operation is very similar; in particular, CFB decryption is almost identical to CBC encryption performed in reverse:This simplest way of using CFB described above is not any more self-synchronizing than other cipher modes like CBC. If a whole blocksize of ciphertext is lost both CBC and CFB will synchronize, but losing only a single byte or bit will permanently throw off decryption. To be able to synchronize after the loss of only a single byte or bit, a single byte or bit must be encrypted at a time. CFB can be used this way when combined with a shift register as the input for the block cipher.To use CFB to make a self-synchronizing stream cipher that will synchronize for any multiple of x bits lost, start by initializing a shift register the size of the block size with the initialization vector. This is encrypted with the block cipher, and the highest x bits of the result are XOR'ed with x bits of the plaintext to produce x bits of ciphertext. These x bits of output are shifted into the shift register, and the process repeats with the next x bits of plaintext. Decryption is similar, start with the initialization vector, encrypt, and XOR the high bits of the result with x bits of the ciphertext to produce x bits of plaintext. Then shift the x bits of the ciphertext into the shift register. This way of proceeding is known as CFB-8 or CFB-1 (according to the size of the shifting).[14]In notation, where Si is the ith state of the shift register, a << x is a shifted up x bits, head(a, x) is the x highest bits of a and n is number of bits of IV:If x bits are lost from the ciphertext, the cipher will output incorrect plaintext until the shift register once again equals a state it held while encrypting, at which point the cipher has resynchronized. This will result in at most one blocksize of output being garbled.Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized. When decrypting, a one-bit change in the ciphertext affects two plaintext blocks: a one-bit change in the corresponding plaintext block, and complete corruption of the following plaintext block. Later plaintext blocks are decrypted normally.CFB shares two advantages over CBC mode with the stream cipher modes OFB and CTR: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though ciphertext stealing can also be used to make padding unnecessary).Output feedback (OFB)OFBOutput feedbackEncryption parallelizable: NoDecryption parallelizable: NoThe output feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption.Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:Each output feedback block cipher operation depends on all previous ones, and so cannot be performed in parallel. However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel once the plaintext or ciphertext is available.It is possible to obtain an OFB mode keystream by using CBC mode with a constant string of zeroes as input. This can be useful, because it allows the usage of fast hardware implementations of CBC mode for OFB mode encryption.Using OFB mode with a partial block as feedback like CFB mode reduces the average cyclelength by a factor of or more. A mathematical model proposed by Davies and Parkin andsubstantiated by experimental results showed that only with full feedback an average cycle length near to the obtainable maximum can be achieved. For this reason, support for truncated feedback was removed from the specification of OFB.[15][16]Counter (CTR)CTRCounterEncryption parallelizable: YesDecryption parallelizable: YesNote: CTR mode (CM) is also known asinteger counter mode (ICM) and segmented integer counter (SIC) modeLike OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular. The usage of a simple deterministic input function used to be controversial; critics argued that "deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk."[17] By now, CTR mode is widely accepted, and problems resulting from the input function are recognized as a weakness of the underlying block cipher instead of the CTR mode.[18] Along with CBC, CTR mode is one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier.[19]CTR mode has similar characteristics to OFB, but also allows a random access property during decryption. CTR mode is well suited to operate on a multi-processor machine where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB.[20]Note that the nonce in this diagram is the same thing as the initialization vector (IV) in the other diagrams. The IV/nonce and the counter can be combined together using any lossless operation (concatenation, addition, or XOR) to produce the actual unique counter block for encryption.Error propagationBefore the widespread use of message authentication codes and authenticated encryption, it was common to discuss the "error propagation" properties as a selection criterion for a mode of operation. It might be observed, for example, that a one-block error in the transmitted ciphertext would result in a one-block error in the reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect two blocks.Some felt that such resilience was desirable in the face of random errors (e.g., line noise), while others argued that error correcting increased the scope for attackers to maliciously tamper with a message.However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected. If resistance to random error is desirable, error-correcting codes should be applied to the ciphertext before transmission.Authenticated encryptionMain article: Authenticated encryptionA number of modes of operation have been designed to combine secrecy and authentication in a single cryptographic primitive. Examples of such modes are XCBC,[21] IACBC, IAPM,[22] OCB, EAX, CWC, CCM, and GCM. Authenticated encryption modes are classified as single pass modes or double pass modes. Unfortunately for the cryptographic user community, many of the single pass authenticated encryption algorithms (such as OCB mode) are patent encumbered.In addition, some modes also allow for the authentication of unencrypted associated data, and these are called AEAD (Authenticated-Encryption with Associated-Data) schemes. For example, EAX mode is a double pass AEAD scheme while OCB mode is single pass.Other modes and other cryptographic primitivesMany more modes of operation for block ciphers have been suggested. Some have been accepted, fully described (even standardized), and are in use. Others have been found insecure, and should never be used. Still others don't categorize as confidentiality, authenticity, or authenticated encryption - for example key feedback mode and Davies-Meyer hashing.NIST maintains a list of proposed modes for block ciphers at Modes Development.[14][23]Disk encryption often uses special purpose modes specifically designed for the application. Tweakable narrow-block encryption modes (LRW, XEX, and XTS) and wide-block encryption modes (CMC and EME) are designed to securely encrypt sectors of a disk. (See disk encryption theory)Block ciphers can also be used in other cryptographic protocols. They are generally used in modes of operation similar to the block modes described here. As with all protocols, to be cryptographically secure, care must be taken to build them correctly.There are several schemes which use a block cipher to build a cryptographic hash function. See one-way compression function for descriptions of several such methods.Cryptographically secure pseudorandom number generators (CSPRNGs) can also be built using block ciphers.Message authentication codes (MACs) are often built from block ciphers. CBC-MAC, OMAC and PMAC are examples.References^NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013). "Block cipher modes". Cryptographic Toolkit. NIST. Retrieved April 12, 2013.^ a bCryptography Engineering: Design Principles and Practical Applications. Ferguson, N., Schneier, B. and Kohno, T. Indianapolis: Wiley Publishing, Inc. 2010. pp. 63, 64. ISBN 978-0-470-47424-2.^NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013). "Proposed modes". Cryptographic Toolkit. NIST. Retrieved April 14, 2013.^Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone (1996). Handbook of Applied Cryptography. CRC Press. pp. 228–233. ISBN 0-8493-8523-7.^ a b cISO JTC 1/SC 27 (2006). "ISO/IEC 10116:2006 - Information technology -- Security techniques -- Modes of operation for an n-bit block cipher". ISO Standards catalogue.^ a b cKuo-Tsang Huang, Jung-Hui Chiu, and Sung-Shiou Shen (January 2013). "A Novel Structure with Dynamic Operation Mode for Symmetric-Key Block Ciphers". International Journal of Network Security & Its Applications (IJNSA) 5 (1): 19.^NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013). "Current modes". Cryptographic Toolkit. NIST. Retrieved April 12, 2013.^"Stream Cipher Reuse: A Graphic Example". Cryptosmith LLC. Retrieved 27 March 2013.^B. Moeller (May 20, 2004), Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures^William F. Ehrsam, Carl H. W. Meyer, John L. Smith, Walter L. Tuchman, "Message verificationand transmission error detection by block chaining", US Patent 4074066, 1976^http://www.iks-jena.de/mitarb/lutz/security/cryptfaq/q84.html^Kaufman, C.; Perlman, R.; Speciner, M. (2002). Network Security (2nd ed.). Upper Saddle River, NJ: Prentice Hall. p. 319. ISBN 0130460192.^Kohl, J. (1990). "The Use of Encryption in Kerberos for Network Authentication". Proceedings, Crypto '89. Berlin: Springer. ISBN 0387973176.^ a bNIST: Recommendation for Block Cipher Modes of Operation^Davies, D. W.; Parkin, G. I. P. (1983). "The average cycle size of the key stream in output feedback encipherment". Advances in Cryptology, Proceedings of CRYPTO 82. New York: Plenum Press. pp. 263–282. ISBN 0306413663.^http://www.crypto.rub.de/its_seminar_ws0809.html^Jueneman, Robert R. (1983). "Analysis of certain aspects of output feedback mode". Advances in Cryptology, Proceedings of CRYPTO 82. New York: Plenum Press. pp. 99–127. ISBN 0306413663.^Helger Lipmaa, Phillip Rogaway, and David Wagner. Comments to NIST concerning AES modes of operation: CTR-mode encryption. 2000^Niels Ferguson, Bruce Schneier, Tadayoshi Kohno, Cryptography Engineering, page 71, 2010^/crypto/co040601.htm^Virgil D. Gligor, Pompiliu Donescu, "Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes". Proc. Fast Software Encryption, 2001: 92-108.^Charanjit S. Jutla, "Encryption Modes with Almost Free Message Integrity", Proc. Eurocrypt 2001, LNCS 2045, May 2001.^NIST: Modes Development。

Cryptography is the practice and study of hiding information. In modern times, cryptography is considered a branch of both mathematics and computer science, and is affiliated closely with information theory，computer security, and engineering. Cryptography is used in applications present in technologically advanced societies; examples include the security of ATM cards, computer passwords，and electronic commerce, which all depend on cryptography.密码学是信息隐藏的实践与研究。

现代密码学被认为是数学和计算机科学的一个分支，它与信息论、计算机安全和工程密切相关。

密码技术被应用于技术先进的社会中，例如A TM卡、计算机密码和电子商务的安全，这些都依赖于密码学。

(1 )TerminologyUntil modem times, cryptography referred almost exclusively to encryption, the process of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext). Decryption is the reverse, moving from unintelligible ciphertext to plaintext. A cipher (or cypher) is a pair of algorithms which creates the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter (ideal以known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption, without additional procedures such as authentication or integrity checks.直到近代，加密提到几乎完全加密，普通的转换过程的信息（明文）到不知所云胡言乱语（即密文）。

2022年职业考证-软考-信息安全工程师考试全真模拟易错、难点剖析AB卷（带答案）一.综合题(共15题)1.单选题访问控制是对信息系统资源进行保护的重要措施，适当的访问控制能够阻止未经授权的用户有意或者无意地获取资源。

计算机系统中，访问控制的任务不包括（）。

问题1选项A.审计B.授权C.确定存取权限D.实施存取权限【答案】A【解析】本题考查访问控制方面的基础知识。

计算机系统安全机制的主要目的是访问控制，它包括三个任务：①授权:确定哪些主体有权访问哪些客体;②确定访问权限(读、写、执行、删除、追加等存取方式的组合);③实施访问权限。

答案选A。

2.单选题为了保护用户的隐私，需要了解用户所关注的隐私数据。

当前，个人隐私信息分为一般属性、标识属性和敏感属性，以下属于敏感属性的是（）。

问题1选项A.姓名B.年龄C.肖像D.财物收入【答案】D【解析】本题考查用户隐私方面的基础的知识。

敏感属性包括个人财产信息、个人健康生理信息、个人生物识别信息、个人身份信息、网络身份标识信息等。

答案选D。

3.单选题强制访问控制（MAC）可通过使用敏感标签对所有用户和资源强制执行安全策略。

MAC中用户访问信息的读写关系包括下读、上写、下写和上读四种，其中用户级别高于文件级别的读操作是（）。

问题1选项A.下读B.上写C.下写D.上读【答案】A【解析】本题考查强制访问控制相关知识。

强制访问控制（MAC）是指系统根据主体和客体的安全属性，以强制的方式控制主体对客体的访问，是一种不允许主体干涉的访问控制类型。

根据MAC的安全级别，用户与访问的信息的读写关系有四种：即：下读（read down）：用户级别高于文件级别的读操作。

上写（write up）：用户级别低于文件级别的写操作。

下写（write down）：用户级别高于文件级别的写操作。

上读（read up）：用户级别低于文件级别的读操作。

其中用户级别高于文件级别的读写操作是下读。

故本题选A。

流程密码第五章要点英文回答：Chapter 5: Block Ciphers and the Data Encryption Standard (DES)。

Block ciphers are symmetric key ciphers that operate on fixed-size blocks of data. The Data Encryption Standard (DES) is a classic example of a block cipher that was widely used for many years.Key Features of Block Ciphers:Block size: Block ciphers operate on blocks of data with a fixed size, typically 64 or 128 bits.Key: Block ciphers use a symmetric key known to both the sender and receiver.Encryption and Decryption: Encryption and decryptionprocesses involve transforming the input block using a series of mathematical operations guided by the key.Confusion and Diffusion: Block ciphers employ techniques called confusion and diffusion to make it difficult to derive the key or the plaintext from the ciphertext.The Data Encryption Standard (DES)。

LBlock:A Lightweight Block CipherWenling Wu and Lei ZhangState Key Laboratory of Information Security,Institute of Software,Chinese Academy of Sciences,Beijing100190,P.R.China{wwl,zhanglei}@Abstract.In this paper,we propose a new lightweight block ciphercalled LBlock.Similar to many other lightweight block ciphers,the blocksize of LBlock is64-bit and the key size is80-bit.Our security evaluationshows that LBlock can achieve enough security margin against knownattacks,such as differential cryptanalysis,linear cryptanalysis,impossi-ble differential cryptanalysis and related-key attacks etc.Furthermore,LBlock can be implemented efficiently not only in hardware environ-ments but also in software platforms such as8-bit microcontroller.Ourhardware implementation of LBlock requires about1320GE on0.18μmtechnology with a throughput of200Kbps at100KHz.The softwareimplementation of LBlock on8-bit microcontroller requires about3955clock cycles to encrypt a plaintext block.Keywords:Block cipher,Lightweight,Hardware efficiency,Design,Cryptanalysis.1IntroductionWith the development of electronic and communication applications,RFID tech-nology has been used in many aspects of life,such as access control,parking management,identification,goods tracking etc.In this kind of new cryptogra-phy environment,the applications of RFID technology and sensor networking both have similar features,such as weak computation ability,small storage space, and strict power constraints.Therefore,traditional block ciphers such as AES are not suitable for this kind of extremely constrained environment.Hence,in recent years,research on lightweight ciphers has received a lot of pared with traditional block ciphers,lightweight ciphers have the following three main properties.Firstly,applications for constrained devices are unlikely to require the encryption of large amounts of data,and hence there is no requirement of high throughput for lightweight ciphers.Secondly,in this cryptography environment, attackers are lack of data and computing ability,which means lightweight ciphers only need to achieve moderate stly,lightweight ciphers are usually implemented in hardware environment,and small part of them are also imple-mented on software platforms such as8-bit microcontroller.Therefore,hardware performance will be the primary consideration for lightweight ciphers.Hardware efficiency can be measured in many different ways:the length of the critical path, J.Lopez and G.Tsudik(Eds.):ACNS2011,LNCS6715,pp.327–344,2011.c Springer-Verlag Berlin Heidelberg2011328W.Wu and L.Zhanglatency,clock cycles,power consumption,throughput,area requirements,and so on.Among them area requirement is the most important parameter,since small area requirement can minimize both the cost and the power consumption effi-ciently.Therefore,it has become common to use the term hardware efficient as a synonym for small area requirements,and the area requirements are usually measured as gate equivalents(GE).At present,for the hardware implementation of lightweight cipher,area requirements are usually dominated by the registers storing the data state and the key,since registers typically consist offlipflops which have a rather high area and power demand.For example,when using the standard cell library it requires between6and12GE to store a single bit[26]. Therefore,in the design of lightweight block ciphers,64-bit block size and80-bit key size are popular parameters.While there is a growing requirement of ciphers suited for resource-constraint applications,a series of lightweight block ciphers have been proposed recently, e.g.PRESENT[9],HIGHT[14],mCrypton[21],DESL[19],CGEN[28],MIBS[15], KATAN&KTANTAN[10],TWIS[23],SEA[30]etc.All of these ciphers are de-signed and targeted specifically for extremely constrained environments such as RFID tags and sensor networks.Among them,PRESENT is supposed to be very competitive,since its hardware requirement is comparable with today’s leading compact stream ciphers,and it is called an ultra-lightweight block cipher.Since its publication,only a few cryptanalytic results have been proposed against PRESENT,including the related-key rectangle attack on17-round PRESENT in[24]and the side-channel attacks described in[27,35].HIGHT has a32-round generalized Feistel structure.Its main feature is the compact round function which contains no S-box and all the operations are simple computations such as XOR,rotation,and addition operating on8-bit input.In respect of crypt-analysis,a related-key attack on full-round HIGHT was presented in ICISC2010, and an impossible differential attack on26-round HIGHT were presented in[24]. mCrypton can be considered as a miniature of the block cipher Crypton[20],and a related-key rectangle attack on8-round mCrypton has been reported in[25]. DESL and DESXL are lightweight modified versions of the well-known DES,and they adopt only one single S-box in order to minimize the hardware implementa-tion.CGEN employs a compact round function called mixtable operation,and the main design strategies include using afixed and per-device seed key which reduces the key scheduling and the decryption operation is not needed either. MIBS is a32-round Feistel cipher,and its round function employs SP-network with XOR operations as diffusion layer,whose hardware requirements are more expensive than the bitwise permutation used in PRESENT etc.KATAN and KTANTAN are a family of lightweight block ciphers which contain six vari-ants altogether.The KATAN family of ciphers all employ the same components, whose design strategy exploits some features of stream cipher[11].Meet-in-the-middle attacks to the KTANTAN family with a key of80bits were presented in [36].TWIS is inspired from the existing block cipher CLEFIA[29].However,a differential distinguisher with probability1for full-round TWIS was presented in[31].SEA is a Feistel cipher with scalable block and key sizes,and its roundLBlock:A Lightweight Block Cipher 329function only consists of rotation,XOR,and a single 3-bit S-box operations.TEA [33]and XTEA [34]are lightweight block ciphers proposed several years earlier.In this paper we propose a new lightweight block cipher called LBlock.The design of its structure and components,such as S-box layer,P permutation layer etc,all represent the trade-offbetween security and performance.Our se-curity analysis shows that full-round LBlock can provide enough security margin against known cryptanalytic techniques,such as differential cryptanalysis,linear cryptanalysis,impossible differential cryptanalysis,related-key attack etc.Fur-thermore,the performance evaluation of LBlock shows that not only hardware efficiency but also software implementations on 8-bit/32-bit platforms are ultra lightweight.The rest of this paper is organized as follows.Sect.2presents the specification of LBlock.Sect.3introduces the design rationale briefly.Sect.4and Sect.5describe the security analysis and performance evaluation of LBlock respectively.Finally,Sect.6concludes the paper.2Specification of LBlockThe block length of LBlock is 64-bit,and the key length is 80-bit.It employs a variant Feistel structure and consists of 32rounds.The specification of LBlock consists of three parts:encryption algorithm,decryption algorithm and key scheduling.2.1NotationsIn the specification of LBlock,we use the following notations:−M :64-bit plaintext −C :64-bit ciphertext −K :80-bit master key −K i :32-bit round subkey −F :Round function −s :4×4S-box −S :S-box layer consists of eight s in parallel −P,P 1:Permutations operate on 32-bit − :Bitwise exclusive-OR operation−<<<8:8-bit left cyclic shift operation −>>>8:8-bit right cyclic shift operation −||:Concatenation of two binary strings −[i ]2:Binary form of an integer i 2.2Encryption AlgorithmThe encryption algorithm of LBlock consists of a 32-round iterative structure which is a variant of Feistel network.The encryption procedure is illustrated in Fig.1.Let M =X 1||X 0denote a 64-bit plaintext,and then the data processing procedure can be expressed as follows.330W.Wu and L.ZhangX 1X 0<<<8cc K 1E F E h h h h h h h h h@@@@@@@@@h h h h h h h h h@@@@@@@@@c <<<8c c c K 32E F E X 32X 33Fig.1.Encryption procedure of LBlock1.For i =2,3,...,33,doX i =F (X i −1,K i −1)⊕(X i −2<<<8)2.Output C =X 32||X 33as the 64-bit ciphertextSpecifically,the components used in each round are defined as follows.(1)Round function FThe round function F is defined as follows,where S and P denote the confu-sion and diffusion functions which will be defined later.F :{0,1}32×{0,1}32−→{0,1}32(X,K i )−→U =P (S (X ⊕K i ))Fig.2illustrates the structure of round function F in detail.(2)Confusion function SConfusion function S denotes the non-linear layer of round function F ,and it consists of eight 4-bit S-boxes s i in parallel.S :{0,1}32−→{0,1}32Y =Y 7||Y 6||Y 5||Y 4||Y 3||Y 2||Y 1||Y 0−→Z =Z 7||Z 6||Z 5||Z 4||Z 3||Z 2||Z 1||Z 0Z 7=s 7(Y 7),Z 6=s 6(Y 6),Z 5=s 5(Y 5),Z 4=s 4(Y 4),Z 3=s 3(Y 3),Z 2=s 2(Y 2),Z 1=s 1(Y 1),Z 0=s 0(Y 0).LBlock:A Lightweight Block Cipher 331XK ic 'c c c c c c c c s 7s 6s 5s 4s 3s 2s 1s 0 ¨¨¨r r r$$$$$$ ¨¨¨r r r $$$$$$c c c c c c c c Fig.2.Round function FThe contents of eight 4-bit S-boxes are listed in Table 1.(3)Diffusion function PDiffusion function P is defined as a permutation of eight 4-bit words,and it can be expressed as the following equations.P :{0,1}32−→{0,1}32Z =Z 7||Z 6||Z 5||Z 4||Z 3||Z 2||Z 1||Z 0−→U =U 7||U 6||U 5||U 4||U 3||U 2||U 1||U 0U 7=Z 6,U 6=Z 4,U 5=Z 7,U 4=Z 5,U 3=Z 2,U 2=Z 0,U 1=Z 3,U 0=Z 1.2.3Decryption AlgorithmThe decryption algorithm of LBlock is the inverse of encryption procedure,and it consists of a 32-round variant Feistel structure too.Let C =X 32||X 33denotes a 64-bit ciphertext,and then the decryption procedure can be expressed as follows.1.For j =31,30,...,0,doX j =(F (X j +1,K j +1)⊕X j +2)>>>82.Output M =X 1||X 0as the 64-bit plaintext.2.4Key SchedulingThe 80-bit master key K is stored in a key register and denoted as K =k 79k 78k 77k 76......k 1k 0.Output the leftmost 32bits of current content of register K as round subkey K 1,and then operate as follows:1.For i =1,2,...,31,update the key register K as follows:(a)K <<<29(b)[k 79k 78k 77k 76]=s 9[k 79k 78k 77k 76][k 75k 74k 73k 72]=s 8[k 75k 74k 73k 72](c)[k 50k 49k 48k 47k 46]⊕[i ]2332W.Wu and L.Zhang(d)Output the leftmost32bits of current content of register K as roundsubkey K i+1.where s8and s9are two4-bit S-boxes,and they are defined in Table1.Table1.Contents of the S-boxes used in LBlocks014,9,15,0,13,4,10,11,1,2,8,3,7,6,12,5s14,11,14,9,15,13,0,10,7,12,5,6,2,8,1,3s21,14,7,12,15,13,0,6,11,5,9,3,2,4,8,10s37,6,8,11,0,15,3,14,9,10,12,13,5,2,4,1s414,5,15,0,7,2,12,13,1,8,4,9,11,10,6,3s52,13,11,12,15,14,0,9,7,10,6,3,1,8,4,5s611,9,4,14,0,15,10,13,6,12,5,7,3,8,1,2s713,10,15,0,14,4,9,11,2,1,8,3,7,5,12,6s814,9,15,0,13,4,10,11,1,2,8,3,7,6,12,5s94,11,14,9,15,13,0,10,7,12,5,6,2,8,1,33Design Rationale3.1StructureThe structure of LBlock is a variant of Feistel network,and its design decisions contain a lot of considerations about security and efficient implementations(such as area,cost and performance etc.).In the aspect of implementation,the most important consideration is the area requirement when implemented in hardware. Therefore,we try to reduce the number of S-boxes used in each round and also min-imize the size of each S-box used.Hence a Feistel-type structure seems a proper choice.Furthermore,for all kinds of generalized Feistel structures which operate less bits in each round,to achieve enough security margin they must take more rounds iteration which will affect its performance(such as speed and throughput). Therefore,in each round of LBlock,we choose only half of the data to go through round function F,and the other half applies a simple rotation operation.In the diffusion layer,we also choose to use permutation which can be implemented with no cost in hardware.However,instead of the bitwise permutation usually used, we apply a4-bit word-wise permutation which can be implemented cheaply not only in hardware but also in software environments such as8-bit microprocessor platforms.For example,the word-wise permutation in round function F can be combined with the S-box layer to form8×8table lookups.Moreover,we specif-ically choose the rotation offsets of right half in each round as8bits which can be omitted in8-bit platform implementation.On the other hand,in the aspect of security requirement,we choose the word-wise permutation carefully so that the structure of LBlock satisfies that in both encryption and decryption directions it can achieve best diffusion[32]in8rounds.Furthermore,the number of differential and linear active S-boxes both increase quickly,and the following Table2lists the guaranteed number of active S-boxes before20rounds.LBlock:A Lightweight Block Cipher333 Table2.Guaranteed number of active S-boxes of LBlockRounds DS LS Rounds DS LS10011222221112242432213272743314303054515323266616353578817363681111183939914141941411018182044443.2Diffusion LayerThe diffusion permutation of LBlock consists of two parts,namely the word-wise permutation in round function which is denoted as P,and the rotation of right half data in each round which is denoted as P1.Both of these permutations can be implemented by wiring in hardware which needs no additional area cost. For software environments such as8-bit and32-bit microprocessor platforms, P can be combined with the S-box layer in round function as table lookups and P1(8-bit rotation)can be implemented quite easily.Therefore,the diffusion permutations of LBlock can be implemented efficiently both in hardware and in software environments.Furthermore,the combination of P and P1can guarantee the best diffusion rounds and the least number of active S-boxes of LBlock.For example,there already exist at least32active S-boxes for15-round LBlock.3.3S-Box LayerOn the pursuit of hardware efficiency,we use4×4S-boxes s:F42→F42in pared with the regular8×8S-box,small S-box has much more advantage when implemented in hardware.For example,to implement the S-box of AES in hardware more than200GE are needed.On the other hand,for the4×4S-boxes used in LBlock,all of them can be implemented in hardware with only about22GE.Furthermore,in the aspect of security,the S-boxes used in LBlock are carefully chosen so that they all fulfill the following conditions:no fix point,completed,best non linearity,best differential probability,and good algebraic order etc.3.4Key SchedulingSimilar to many other lightweight block ciphers,the key scheduling of LBlock is also designed in a stream cipher way.We only apply simple rotation and non-linear operations to generate the round subkeys.First of all,the operation of 29-bit left rotation can be implemented freely in hardware,and it can also break the4-bit word structure,which helps to improve the security of LBlock against334W.Wu and L.Zhangrelated-key attacks.Secondly,we choose to use two4×4S-boxes as the non-linear operation which represents a trade-offbetween security and stly, the exact values of rotation offset,constants and positions of constant addition are carefully chosen,so as to avoid weak relations between round subkeys.4Security Evaluation4.1Differential CryptanalysisFor differential cryptanalysis,we adopt an approach to count the number of ac-tive S-boxes of differential characteristics.This is a regular method to evaluate the security against differential attack,which were adopted by many other block ciphers,such as AES[12],Camellia[1]and CLEFIA[29]etc.We found the guaranteed number of differential active S-boxes of LBlock by computer pro-gram,and the results before20-round are listed in Table2.Considering that there are at least32active S-boxes for15-round LBlock and the best differential probabilities of s i are all equal to2−2,then the maximum probability of differ-ential characteristics for15-round LBlock satisfies DCP15rmax ≤232×(−2)=2−64.This means there is no useful15-round differential characteristic for LBlock, since the block length of LBlock is only64-bit.Therefore,we believe that the full32-round LBlock is secure against differential cryptanalysis.4.2Linear CryptanalysisWe also apply the method of counting active S-boxes for the evaluation of LBlock against linear cryptanalysis.Since there are at least32active S-boxes for15-round LBlock and the best linear bias of each s i is2−2,the maximum bias oflinear approximations for15-round LBlock satisfies LCP15rmax ≤232−1·232×(−2)=2−33.Therefore,according to the complexity estimation of linear cryptanalysis, we can conclude that it is difficult tofind useful15-round linear-hulls which can be used to distinguish LBlock from a random permutation.As a result,we believe that the full32-round LBlock has enough security margin against linear cryptanalysis.4.3Impossible Differential CryptanalysisImpossible differential attack[3]is one of the most powerful cryptanalytic tech-niques,and its applications to many block ciphers(such as Camellia and CLEFIA etc.)represent the best cryptanalytic results obtained so far.We search for the impossible differential characteristic of LBlock using the algorithm proposed by Kim et al.[16].The best distinguisher found is the following14-round impossible differential characteristic:(00000000,00α00000)14r→(0β000000,00000000),(1)whereα,β∈{0,1}4\{0}represent non-zero differences.Note that by changing the positions ofα,β,we can construct other14-round impossible differential characteristics in a similar way.LBlock:A Lightweight Block Cipher335 Based on the14-round impossible differential distinguishers,we can mount a key recovery attack on20-round LBlock.The attack procedure can be described as follows.1.Choose a set of212plaintexts to construct a structure,where the4-bit wordsX0,1,X0,3and X1,2take all possible values and all the other words take con-stants.Then each structure can generate about223plaintext pairs satisfying the input difference(ΔX1,ΔX0)=(00000∗00,0000∗0∗0).Choose251 different structures which can generate about274candidate plaintext pairs.2.For each corresponding ciphertext structure after20-round encryption,choose the pairs satisfying the output difference(ΔX21,ΔX20)=(∗∗00∗∗0∗,000∗0∗∗0),where∗denotes non-zero difference.After this test,there remains about274×2−32=242candidate pairs.3.For every guess of28-bit subkey K20,0,K20,1,K20,2,K20,4,K20,5,K20,6,K20,7,partially decrypt Round20to check if the pairs satisfying(ΔX20,ΔX19)= (000∗0∗∗0,00∗0000∗).After this test,there remains about242×2−12=230 pairs.4.For every guess of the16-bit subkey K19,0,K19,2,K19,3,K19,5,partially de-crypt Round19to check if the pairs satisfying(ΔX19,ΔX18)=(00∗0000∗,∗0000000).After this test,there remains230×2−8=222pairs.5.For every guess of the8-bit subkey K18,1,K18,7,partially decrypt Round18to check if the candidate pairs satisfying(ΔX18,ΔX17)=(∗0000000,0∗000000).After this test,there remains about222×2−4=218pairs.6.For every guess of the4-bit subkey K17,6,partially decrypt Round17to checkif the candidate pairs satisfying(ΔX17,ΔX16)=(0∗000000,00000000).After this test,there remains about218×2−4=214pairs.7.For every guess of the8-bit subkey K1,2,K1,7,partially encrypt Round1tocheck if the candidate pairs satisfying(ΔX2,ΔX1)=(00∗00000,00000∗00).After this test,there remains about214×2−4=210pairs.8.For every guess of the4-bit subkey K2,5,partially encrypt Round2to checkif the candidate pairs satisfying the following equation:(ΔX3,ΔX2)=(00000000,00∗00000).9.If there still remains a pair satisfying the impossible differential,then the68-bit subkey guessed must be wrong.Delete it from the candidate subkey table.If the table of candidate subkey is not empty after analyzing all the remaining pairs,output the subkey remained in table as correct subkey. For each of the candidate pair in Step8,the probability that it satisfies the filtering condition is about2−4.Therefore,for a wrong subkey guess,the prob-ability of its remaining after Step8is about(1−2−4)210≈2−95.Then we can expect that after all thesefiltering,there remains about268×2−95≈2−27wrong subkey guess,and only the correct subkey will be output.The data and time complexities of above attack can be estimated as follows. First of all,we choose251structures and the data complexity is251×212=263 chosen plaintexts.The time complexity is dominated by Step7to Step8,and336W.Wu and L.Zhangeach step needs about278S-box operations.Therefore,the time complexity of the attack is about2×2×278×18×120≈272.720-round encryptions.According to the complexities of impossible differential attack on20-round LBlock,we expect that the full32-round LBlock has enough security margin against this attack.4.4Integral AttackSince LBlock is a4-bit word oriented cipher,we also consider that integral attack[18]may be one of the most powerful attacks against LBlock.The best integral characteristic found is the15-round distinguisher.Table3illustrates one of the15-round integral distinguisher in detail,where C denotes a constant word,A denotes an active word and B denotes a balanced word respectively. Note that by changing the position of C in plaintext,we can obtain similar integral distinguishers easily.Based on the15-round integral distinguisher,we can mount a key recovery attack up to20-round LBlock.For simplicity,wefirst give the integral attack on 18-round LBlock,and the attack procedure is as follows.1.Choose a set of260plaintexts to construct a structure,where only4-bitword takes a constant and all the other words take all the possible values of{0,1}60.Obtain the corresponding ciphertext after18-round encryption.Count the number of value X18,6,X18,4,X18,1,X19,6,X19,0occurs,and dis-card the values which occur even times.2.Guess corresponding subkeys to decrypt the ciphertexts.(a)For every guess of the8-bit subkey(K18,1,K18,4),partially decryptRound18to compute X17,4=s4(X18,4⊕K18,4)⊕X19,6and X17,6= s1(X18,1⊕K18,1)⊕X19,0.Table3.15-Round integral distinguisher of LBlockRounds Integral characterisitcs0AAAC AAAA AAAA AAAA1AAAC ACAC AAAC AAAA2CCCC AAAC AAAC ACAC3ACAC CCCC CCCC AAAC4CCCC ACCC ACAC CCCC5ACCC CCCC CCCC ACCC6CCCC CCCC ACCC CCCC7CCCC CCAC CCCC CCCC8CCCC CCCA CCCC CCAC9CCCC AACC CCCC CCCA10CCCC AAAC CCCC AACC11CCAA ACAA CCCC AAAC12CAAB AAAA CCAA ACAA13B?AA BBAA CAAB AAAA14?B?B?B?B B?AA BBAA15?????????B?B?B?BLBlock:A Lightweight Block Cipher 337(b)For every guess of the 4-bit subkey K 17,4,partially decrypt Round 17tocompute X 16,4=s 4(X 17,4⊕K 17,4)⊕X 18,6.(c)For every guess of the 4-bit subkey K 16,4,partially decrypt Round 16tocompute X 15,4=s 4(X 16,4⊕K 16,4)⊕X 17,6.3.Check if the equation ⊕lX 15,4=0is satisfied,where l is the number of plain-texts.If the equation is satisfied,then X 15,4is a balance word.Otherwise,guess another subkey and repeat until we get the correct subkey.The complexity of this attack can be estimated as follows.Step 1needs about 260plaintexts which requires 260encryptions.For the five words counted in Step 1,there are at most 220values.Therefore,the time complexity of Step 1to Step 3are less than 220×216encryptions.For a wrong subkey guess,the probability that equation ⊕lX 15,4=0is satisfied is about 2−4.Therefore,to discard all the wrong 16-bit subkey guesses,we need about five plaintext structures.Therefore,the total data and time complexities of this attack are both 5×260.Moreover,we can mount an integral attack on 20-round LBlock based on the 15-round integral distinguisher.The attack procedure is similar with the attack on 18-round LBlock,and we add two additional rounds in the end.Therefore,12subkey words need to be guessed and the data and time complexities will increase to about 13×260≈263.7.4.5Related-Key AttacksRecently,the combination of related-key [2,17]and traditional cryptanalysis has become one of the most powerful attacks,and its application to some ciphers has improved the cryptanalytic results significantly [4,6,7,8,13].Therefore,we have studied the possible related-key differential characteristic of LBlock so as to evaluate the security of LBlock against related-key attacks.In order to get related-key differential characteristic with high probability,we have to control the number of active S-boxes.Therefore,we first choose the output differences of 10S-boxes (8S-boxes in round function and 2S-boxes in key scheduling)in Round i all have hamming weight less than 2.Then we search for the related-key differential before Round i in the decryption direction and after Round i in the encryption direction respectively,and count the total number of active S-boxes.The best related-key differential obtained so far is a 13-round distinguisher with 26active S-boxes,and its probability is (2−2)25·(2−3)=2−53.For the 14-round related-key differential obtained,there are 32active S-boxes and its probability is less than (2−2)31·(2−3)=2−65.Table 4illustrates the propagation of 14-round related-key differential of LBlock in detail.5Performance Evaluation5.1Hardware PerformanceWe implemented LBlock in VHDL and synthesized it on 0.18μm CMOS tech-nology to check for its hardware complexity.Figure 3in Appendix III shows338W.Wu and L.ZhangTable4.14-Round related-key differential characteristic of LBlock RoundsΔX LΔRKΔI SΔO PΔX R 101200101000000000120010120012100012221212022000010000000002200001200101000120010130000000102000000020000012000010002200001400000002000000000000000200000100000000015000000000000000800000008000002000000000260000000000000000000000000000000000000000700000000000000000000000000000000000000008000000000000040000000400000010000000000090000100000000000000010000000001000000000100000001000000000000000100000000200001000110010000200020000001200020101010000000010120101110000000000010111002100201000100002133100221000000000310022102010201201011100142101201304000000250120134120021231002210parison of lightweight block cipher implementationsAlgorithm Block Key Area Speed LogicSize Size#GE kbps@100KHz Process XTEA64128349057.10.13μmHIGHT641283048188.20.25μmmCrypton641282500492.30.13μm DES6456230044.40.18μmDESXL64184216844.40.18μmKATAN6480105425.10.13μmKTANTAN648068825.10.13μmPRESENT648015702000.18μmLBlock648013202000.18μmthe datapath of an parallelization implementation of LBlock,which performs one round in one clock cycle.In this optimized implementation,we use a64-bit width datapath and implement the eight S-boxes of round function in parallel. Then,to encrypt64-bit plaintext with an80-bit key occupies about1320GE and requires32clock cycles.Table5compares the hardware performances of LBlock with other lightweight block ciphers.Specifically,in the above implementation the area requirement is occupied by flip-flops for storing the key and the data state.To store the80-bit key requires about480GE and to store the64-bit data state requires two32-bit registers (denoted as memleft and memright)which are about384GE.For round function F,it is consisted of the following three parts.The KeyAddition is a32-bit XOR operation which requires about87GE.The S-box layer consists of eight4×4 S-boxes in parallel,which requires about21.84×8=174.8GE.The diffusion layer P can be implemented by simple wiring and costs no area.Then in the end of each round,another32-bit XOR operation of two halves is needed which。

Analysis of the Statistical Cipher FeedbackMode of Block CiphersHoward M.HeysAbstract—In this paper,we examine a recently proposed mode of operation for block ciphers which we refer to as statistical cipher feedback(SCFB)mode.SCFB mode configures the block cipher as a keystream generator for use in a stream cipher such that it has the property of statistical self-synchronization,thereby allowing the stream cipher to recover from bit slips in the communication channel.Statistical self-synchronization involves feeding back ciphertext to the input of the block cipher similar to the conventional cipher feedback(CFB)mode,except that the feedback only occurs when a special synchronization pattern is recognized in the ciphertext.In the paper,we examine the efficiency,resynchronization,and error propagation characteristics of SCFB and compare these to conventional modes such as CFB and output feedback(OFB).In particular,we study these characteristics of SCFB as a function of the synchronization pattern size.As well,we examine implementation issues of SCFB,focusing on the buffer requirements and resulting delay for a practical realization of the cipher.We conclude that SCFB mode can be used to provide practical,efficient, self-synchronizing implementations for stream ciphers.In particular,SCFB mode is best used in circumstances where slips are a concern and where implementation efficiency is a high priority in comparison to encryption latency.Index Terms—Cryptography,stream ciphers,block cipher modes,synchronization,error propagation.æ1I NTRODUCTIONI N this paper,we discuss a structure for self-synchronizing stream ciphers,recently proposed in[1].Stream ciphers are used to encrypt one symbol,typically one bit,at a time.They are usually used when error propagation must be minimized or when the communication channel suffers from periodic slips.The basic form of a stream cipher involves the generation of a keystream—a keyed, pseudorandom,unpredictable sequence of bits—that is XORed bit by bit with the plaintext to generate the ciphertext at the transmitter[2].At the receiver,the plaintext is recovered by generating the identical keystream such that it is exactly synchronized with the received ciphertext stream.Hence,the XOR of the keystream bits and received ciphertext bits produces the original plaintext bits.We shall concern ourselves with stream ciphers which are derived from block ciphers such as the Data Encryption Standard(DES)[3]and the Advanced Encryption Standard (AES)[4].Unlike stream ciphers,which conceptually operate on bits individually,block ciphers operate on a fixed size block of plaintext bits to produce a block of ciphertext bits.When configuring a block cipher for use as a stream cipher,the keystream is generated by the output of the block cipher.There are several conventional modes of operation of block ciphers that allow their use as stream ciphers including output feedback(OFB)mode and cipher feedback(CFB)mode[2].In this work,we focus on an unconventional mode which we shall refer to as statistical cipher feedback(SCFB)mode.SCFB mode has been proposed [1]to provide physical layer security for a SONET/SDH environment and is suitable for many other applications as well.It has the benefits of being self-synchronizing and yet being more efficient in its implementation than conven-tional cipher feedback mode.In this paper,the character-istics of SCFB mode are thoroughly examined and its merits are discussed.2B ACKGROUNDThere are several conventional block cipher modes of operation that may be applied to derive a stream cipher, each with its own advantages and disadvantages.We briefly review the important modes of output feedback and cipher feedback here.In our notation,we let B represent the block size in bits of the block cipher.For example,for DES, B¼64and,for AES,B¼128.Output feedback(OFB)mode,a standardized mode of operation for block ciphers such as DES[5],generates the keystream by directly feeding back the B-bit output of the block cipher to the input.An implementation of OFB is parameterized by j,1j B,where every block cipher operation produces j bits of keystream which can be XORed with j bits of plaintext to produce j bits of ciphertext.For efficiency purposes,it is convenient to let j¼B,thereby making use of all possible B output bits of the block cipher for every block cipher operation.This basic configuration is illustrated in Fig. 1.The primary advantage of output feedback mode is that error propagation is minimized.In fact,a single bit error in the ciphertext in the communica-tion channel results in only a single bit error in the recovered plaintext.The most significant disadvantage of OFB is that the system relies on the maintaining of synchronization between the transmitter and receiver.For example,if a slip.The author is with Electrical and Computer Engineering,Faculty ofEngineering and Applied Science,Memorial University of Newfoundland,St.John’s,NF,Canada A1B3X5.E-mail:howard@engr.mun.ca.Manuscript received10Aug.2001;revised26Feb.2002;accepted22Apr.2002.For information on obtaining reprints of this article,please send e-mail to:tc@,and reference IEEECS Log Number114746.0018-9340/03/$17.00ß2003IEEE Published by the IEEE Computer Societyoccurs(i.e.,one or more bits are eliminated from the received ciphertext stream),synchronization loss will occur between the transmitter and receiver and half the bits following the slip are expected to be in error until synchronization is recovered.Resynchronization can be achieved by periodically sending an initialization vector(IV) from the transmitter to the receiver through the signaling channel of the communication system.Obviously,the price of such a scheme involves extra messaging overhead and the associated delays while synchronizing.As well,the rate at which synchronization messages are sent must balance the overhead of sending such messages frequently with the penalty of losing synchronization for a long period of time should the messages be sent too infrequently.However, OFB(not considering the resynchronization messaging overhead)can be implemented as efficiently as straight block encryption by having B bits of keystream produced from one block cipher output.Cipher feedback(CFB)mode[5]allows for automatic resynchonization should slips occur in the communication channel and,hence,CFB stream ciphers fall into the category of self-synchronizing stream ciphers.There are several parameters that may be set for an implementation of CFB,however,a typical application would have the input to the block cipher driven by ciphertext data which is fedback into a shift register at the input of the block cipher in groups of m(B)bits at a time,as shown in Fig.2.The plaintext is encrypted by XORing m bits with m bits of the block cipher output.Since the input to the block cipher is being generated from the ciphertext,which is available to both ends of the communication,it is possible to recover from slips using CFB.For example,if any single or multiple bit slip occurs, the CFB cipher with m¼1can recover synchronization since the next B bits will be shifted into the register at the input to the block cipher and,at this point,the receiver will again be synchronized with the transmitter.Resynchroniza-tion therefore requires only B bits in CFB mode with m¼1.Unfortunately,the self-synchronization property achieved by the CFB mode is costly in terms of implemen-tation efficiency.For CFB with m¼1,only one keystream bit is generated from a B-bit block cipher output and,hence, the cipher is only capable of operating at1=B times the rate of block encryption and,consequently,can only be implemented at1=B times the best rate of OFB.This can be improved by increasing m,but,if m>1and a single bit slip occurs,the input to the block cipher at the receiver will become misaligned and resynchronization will not occur.In fact,slips must occur as multiples of m bits or resynchro-nization will not occur.Hence,usually for CFB mode,m¼1 is the desirable configuration.1Finally,it should be noted that the error propagation advantage of OFB is no longer applicable to CFB mode. This occurs because,at the receiver,a bit error must work its way through the shift register at the input to the block cipher.As a result,for CFB mode with m¼1,a single bit error in the communication channel will result in the corrupted bit plus the next B bits being randomly decrypted due to the receiver’s corrupted keystream.So, a bit error is expected to result,on average,in B=2þ1 errors in the recovered plaintext.3D ESCRIPTION OF SCFBIn[1],the concept of statistical self-synchronization is proposed as a mechanism to provide physical layer security for a SONET/SDH environment.2Operation of the mode is illustrated in Fig.3,where E represents the block cipher encryption operation with block size B and both the encryption and decryption of SCFB mode are illustrated. Essentially,the concept of statistical self-synchronization involves a hybrid of OFB3and CFB modes:The cipher operates in OFB mode,while scanning the ciphertext for a special sync pattern of n bits in length.When this pattern is recognized,the next B bits are stored for a new initialization vector(IV)and,after all B bits have been collected,the input register for the block cipher is loaded with the new IV. The cipher then proceeds in OFB mode until the next n bit sync pattern is received.During the collection of B bits for the new IV,the sync pattern scanning is turned off so that any n bits matching the sync pattern are ignored until the IV collection phase is complete.This process follows for both encryption and decryption and,since both the transmitterFig.1.OFBmode.Fig.2.CFB mode.1.There are cases where m>1makes sense.For example,CFB withm¼8can be used to encrypt an asynchronous communication link so thatan8-bit character can be encrypted with each block cipher output.Here,CFB mode is used to recover from losses of synchronization due toasynchronous characters being lost,as opposed to individual bit slips.2.This scheme appears to have also been invented earlier and is referredto in[6].3.SCFB can also be implemented as a hybrid of counter mode[2]andCFB mode.However,in this paper,we focus our description on the OFB-based configuration only.and receiver are examining the ciphertext,synchronization is achieved.To provide enough detail for precise clarity of the operation of SCFB mode,a pseudocode representation for encryption at the transmitter using SCFB is given in Fig.4.The sync pattern is given by Q 0...Q n À1and W 0...W n À1represents the window of n bits that is currently being compared to the sync pattern.In order for the algorithm,as presented,to work with the initialization of W 0...W n À1to all zeros,Q 0must be 1.The function E K ðÁÞrepresents theblock cipher encryption (using key K ).Z 0...Z B À1is used to collect the IV bits.The flags loading IV and new IV are used to indicate that IV is currently being collected (and sync pattern scanning is therefore suspended)and collec-tion of IV has just completed,respectively.Note that the initial block cipher input X 0...X B À1is given an initial value known to both the transmitter and receiver at the beginning of the communication.From the pseudocode,it may be seen that the encryption of a bit would encounter a significant delay whenever a new block encryption is required since E K can be expected to take much longer than any other operation in the algorithm.Hence,in practice,for an efficient synchronous system,an implementation would need a buffer in order to ensure that plaintext bits can be accepted at a uniform rate and ciphertext bits can be produced at a uniform rate at the output of the encryption process.Since both the transmitter and receiver are using recognized bits within the ciphertext as a cue to resynchro-nize the stream cipher,SCFB mode is capable of self-synchronization and will clearly perform better in an environment where slips occur than OFB mode.Also,although individual bit errors will typically only cause one bit error if the bit is not part of the sync pattern or the initialization vector,there is the possibility that a bit error will cause a synchronization to be missed,an incorrect IV to be used,or a false synchronization to be detected at the receiver.In these cases,a single bit error in the commu-nication channel will result in many bit errors at the output of the decryption as synchronization will be lost until the next sync pattern is properly detected.Hence,clearly,the error propagation characteristics of SCFB will be worse than OFB mode.It should be noted that a mode similar in nature to SCFB was recently proposed in [7]and is referred to as Optimized Cipher Feedback (OCFB).As in SCFB,OCFB uses recognition of a synchronization pattern in the ciphertext to resynchro-nize the states of the transmitter’s and receiver’s keystream generators.Hence,the characteristics of SCFB and OCFB are very similar and,in our work,we focus on SCFB.Although the SCFB mode was proposed in [1],the cipher characteristics were not fully examined.Notably,the effect of the sync pattern size on the cipher properties was not discussed.In the following sections,we shall consider theHEYS:ANALYSIS OF THE STATISTICAL CIPHER FEEDBACKMODE OF BLOCK CIPHERS 79Fig.3.SCFB mode.Fig.4.SCFB pseudocode.efficiency,resynchronization,and error propagation char-acteristics of SCFB and,in particular,make a comparison to other conventional cipher modes.Further,we shall discuss the implementation issues associated with a practical realization of the SCFB cipher mode and briefly comment on the security of the scheme in relation to the likelihood of the keystream repeating.4T HEORETICAL E FFICIENCYThe principal advantage of implementing SCFB versus conventional CFB is that the efficiency(and,hence,the potential speed)of the implementation can approach that of straight block encryption,depending on the sync pattern size.Letting D represent the number of bits transmitted,we can define the theoretical efficiency for a stream cipher based on a block cipher core as:¼limD!1D=BE f#block cipher operations for D bits g;ð1Þwhere E fÁg represents the expectation operator.The nu-merator represents the number of block cipher operations required for straight block encryption and the denominator represents the expected number of block cipher operations required in SCFB mode(or other mode of interest).Hence,the theoretical efficiency is essentially a measure of the rate at which the stream cipher can encrypt in comparison to block encryption.In reality,the theoretical efficiency represents an upper bound on the efficiency:As we shall see in Section7, real implementations place constraints on the system so that the practical efficiency(which we shall refer to as full-queue efficiency)is marginally smaller.For OFB mode,when all B bits are used in the XOR operation, ¼1and,for conventional CFB with m¼B, ¼1.However,if we are to be guaranteed to correct slips of any number of bits,conventional CFB must operate with m¼1and,in this case, ¼1=B(1.So,conventional CFB is very inefficient in comparison to block encryption.Consider now SCFB.We can assume that,for SCFB,the ciphertext bits transmitted in the communication channel can be categorized as illustrated in Fig.5,where it is clear that some bits belong to the sync pattern(n bits),some belong to the subsequent IV(B bits),and the remaining bits,which we shall refer to as the OFB block,occur between the end of the IV and the beginning of the next sync pattern.We shall refer to the set of bits from the beginning of the sync pattern to the beginning of the next sync pattern as a synchronization cycle and,hence,a synchronization cycle consists of nþBþk bits, where k is the size of the OFB block.The size k of the OFB block is variable and dependent on the position of the next sync pattern.Since we assume that the block cipher used in the SCFB configuration displays strong randomness properties(or else it would be insecure), k is a random variable with a probability distribution determined by assuming that each bit of ciphertext is equally likely to be a0or1and that each bit is independent. Strictly,the distribution of k is dependent on the sync pattern used(e.g.,11...11,or10...00,etc.).The value of k is determined by the process of taking samples of n bits and comparing each to the sync pattern where k is the number of samples taken before the sync pattern is found.Now,if we assume that each n-bit sample is independent,then the value of k follows the geometric distribution where the probability that the sync pattern occurs in a sample is1=2n.In this case,we have the probability distribution for k given byPðkÞ¼ð1À1=2nÞkÁ1=2n;ð2Þthe expected value of k given byE f k g¼2nÀ1;ð3Þand the second moment of k given byE f k2g¼22nþ1À3Á2nþ1:ð4ÞBased on the geometric distribution,we can define the average synchronization cycle size to be represented by", where"¼nþBþ2nÀ1:ð5ÞFor SCFB mode where k actually represents the size of the OFB block as determined by the next occurrence of the sync pattern,consecutive samples overlap in nÀ1bits and, hence,samples are not independent and k does not follow the geometric distribution exactly.However,we have verified experimentally that,for most sync patterns,the probability distribution of k can be approximated by the geometric distribution.We therefore use this distribution in our development and defer a more detailed discussion of the effect of the selection of the sync pattern on the distribution of k to the Appendix.Consider now the scenario for Fig.5where kþnþB is not a multiple of B.In this case,after the second IV is collected,the input register of the block cipher will be loaded and a new block cipher output will be produced after a block cipher operation that is used for encrypting only a subset of a full B-bit block of plaintext.For example, let kþnþB¼ Bþ ,where and are integers and <B.Hence,the block cipher must execute þ1block encryptions from the beginning of the OFB block to the end of the second IV,producingð þ1ÞB bits,to encrypt only Bþ plaintext bits(i.e.,only bits of the last block cipher output are used in the XOR).Therefore,in SCFB mode,the block cipher must be run at a rate slightly greater than for straight block encryption and a buffer must be used to accommodate scenarios where only partial outputs of the block cipher are used by the XOR operation.Using(1)as the basic definition,it is possible to define the theoretical efficiency of SCFB as¼E f sync cycle size g=BE f#block cipher operations per sync cycle g:ð6Þ80IEEE TRANSACTIONS ON COMPUTERS,VOL.52,NO.1,JANUARY2003Fig.5.Synchronization cycle.This leads to¼"=BP 1k ¼0P ðk ÞÁdðk þn þB Þ=B e:ð7ÞConsider now the computation of the denominator of (7).The expression for the denominator can be rewritten to bedenom ¼X 1k ¼0P ðk ÞÁk þnB$%þ1:ð8ÞFurther,considering the effect of the ceiling operator,it may be shown thatdenom ¼d A þd B þ1;ð9Þwhered A ¼X B Àn k ¼0P ðk Þð10Þandd B ¼X1j ¼2XjB Àn k ¼ðj À1ÞB Àn þ1j ÁP ðk Þ:ð11ÞRecall that P ðk Þis given by (2).Letting '¼ð1À1=2n Þandnoting that d A is represented by the sum of a geometric series,it is easily derived thatd A ¼1À'B Àn þ1:ð12ÞAs well,it can be shown thatd B ¼X 1j ¼2j Áð'ðj À1ÞB Àn þ1À'jB Àn þ1Þ¼ð1À'BÞ'ÀB Àn þ1X1j ¼2j'jB ¼ð1À'B Þ'ÀB Àn þ1'Bð1À'B Þ2À'B "#:ð13ÞNow,substituting for d A and d B leads to the denominator of (7)given bydenom ¼2þ'B Àn þ11À'B:ð14ÞFinally,the efficiency of SCFB mode can be straightfor-wardly computed from n and B using¼"=B 2þð1À1=2n Þ1Àð1À1=2n ÞB:ð15ÞWe have computed the theoretical efficiency for block sizes of 64,128,and 256bits and these are plotted in Fig.6as a function of the sync pattern size.It is obvious from the graph that,as n increases,the efficiency of the implementa-tion increases and,for large n ,the efficiency approaches 100percent,implying that the stream cipher can be run at a rate very nearly equivalent to the speed of block encryption.In fact,a cipher can be run at a rate approaching times the block encryption rate with a suitably large enough buffer to account for the scenario of several resynchronizations within a short time frame.This is discussed in detail in Section 7.Note that all efficiencies for SCFB mode are greater than 50percent.This occurs because at least one full block is used in each synchronization cycle since B bits are associated with the IV.For small values of n ,SCFB is significantly less efficient than straight block encryption.For example,for n ¼1,theHEYS:ANALYSISOF THE STATISTICAL CIPHER FEEDBACK MODE OF BLOCK CIPHERS 81Fig.6.Theoretical efficiency vs.sync pattern size.cipher is resynchronizing after an expected OFB block size of 1and,as a result,virtually every second block cipher output is used only for a small number of bits in the XOR operation. Hence,the efficiency is only about50percent.For conven-tional CFB mode with m¼1to accommodate sync recovery from a slip of any number of bits,the efficiency would be <2%and<1%for a block size of B¼64and B¼128, respectively.In contrast,for OFB mode,efficiencies are100 percent when all B bits of block cipher output are used in the keystream.Also from the graph,it is clear that SCFB mode applied to a block cipher with a large block size suffers in efficiency. For example,for n¼8,the theoretical efficiencies are91.1 percent,85.3percent,and78.1percent for64,128,and256 bit blocks,respectively.However,these efficiencies are still many times more than the conventional CFB mode and,in fact,the ratio of SCFB efficiency to conventional CFB efficiency increases as B increases.5R ESYNCHRONIZATIONA fundamental requirement of a self-synchronizing stream cipher is that resynchronization occurs quickly to minimize the corruption of data due to a sync lost condition. Conventional CFB mode with m¼1,for example,will synchronize within B bits of the end of a slip of one or more bits.Resynchronization delay for an OFB cipher relying on signaling messages to provide synchronization information will generally be very large since synchronization usually relies on a low rate signaling channel and synchronization messages are exchanged relatively infrequently.In this section,we examine the resynchronization properties of SCFB mode.We shall consider the metric of interest to be the synchronization recovery delay(SRD), defined as the expected number of bits following a sync loss due to a slip before synchronization is regained.It is important to note that,in our analysis,when we refer to the occurrence of a slip,we are referring to the position representing the termination of the bits lost in the slip. Hence,we consider SRD to represent the number of bits for which the receiver is out of sync following the termination of the slip.That is,SRD does not include the bits that are lost directly due to the slip and no explicit assumptions are made about the number of bits lost in the slip.In our work,we will present lower and upper bounds on SRD and experimental measurements of SRD for varying values of n.Our analysis shows that,except for very small sync pattern sizes(i.e.,n4),SRD is approximately2n,a value that can be significantly larger than SRD for CFB for large n.This fact encourages the use of modest size values of n in SCFB mode.5.1Lower Bound on SRDWe begin by considering a lower bound on the sync recovery delay.Assume that a slip randomly occurs such that there are no other slips in the synchronization cycle in which the slip terminates.The probability that the slip occurs within a synchronization cycle of size nþBþk is given byPÃðkÞ¼ðnþBþkÞÁPðkÞ";ð16Þwhere PðkÞand"are given by(2)and(5),respectively. Assuming that the receiver resynchronizes at the next sync pattern,i.e.,at the end of the next IV,it will take an average ofðnþBþkÞ=2þnþB bits to resynchronize.This is determined by the average position of a slip within the synchronization cycle plus the nþB bits required at the beginning of the next synchronization cycle to resynchro-nize.Now,if we consider the average over all synchroniza-tion cycle sizes,then the synchronization recovery delay is lower bounded as inSRD>X1k¼03ðnþBÞþk2ÁPÃðkÞ¼32ðnþBÞþ12X1k¼0ðnþBÞkPðkÞþk2PðkÞ"¼32ðnþBÞþ12"ðnþBÞE f k gþE f k2gÂÃ;ð17Þwhere E f k g and E f k2g are given by(3)and(4),respec-tively.For large n,the sync recovery delay lower bound of (17)is approximated by2n.Equation(17)represents a lower bound because it is possible that the position of the slip can result in scenarios which prevent resynchronization at the next sync pattern. For example,a slip could occur in such a way that the new sequence of ciphertext bits results in a false synchroniza-tion.It is possible for this to occur near the end of the OFB block so that the receiver will interpret the next valid sync pattern bits as part of the false IV and will ignore them.As a result,resynchronization will be delayed until the next sync pattern.For small OFB block sizes,this could even happen in a manner such that several proper sync patterns are misinterpreted as part of the initialization vectors of several false synchronizations.This phenomenon is particularly prevalent for small values of n since small OFB block sizes are much more likely.5.2Upper Bound on SRDNow,consider an upper bound on SRD.In our analysis,we consider two regions in which a slip may occur within a sync cycle of size nþBþk,as illustrated in Fig.5.If a slip occurs such that the first bit following the slip is not within nþB bits of the sync pattern for the next cycle,then synchronization is lost until the valid sync pattern is detected for the next cycle.The probability of a slip occurring in this region is k=ðnþBþkÞ.When a slip occurs within the last nþB bits of a sync cycle,one must consider the possibility that the resulting bit sequence at the receiver could result in a false synchronization.The probability of a slip occurring in this region is given by ðnþBÞ=ðnþBþkÞand,for simplicity,in deriving the upper bound for SRD,we shall assume that any such occurrence of a slip causes a false synchronization.Once a false synchronization has occurred,we assume that the next valid synchronization will be missed due to a portion of the valid sync pattern lying within the false IV.Subsequently, false synchronizations may occur at the receiver if the receiver misinterpretes a sync pattern appearing within an82IEEE TRANSACTIONS ON COMPUTERS,VOL.52,NO.1,JANUARY2003。

New Light-Weight Crypto Algorithms for RFID Axel Poschmann,Gregor Leander,Kai Schramm,and Christof PaarHorst G¨o rtz Institute for IT-Security,Ruhr-University Bochum,GermanyEmail:{poschmann,schramm,cpaar}@crypto.rub.de,****************.deAbstract—We propose a new block cipher,DESL(DES Lightweight extension),which is strong,compact and efficient1.Due to its low area constraints DESL is especially suited for RFID(Radio Frequency Iden-tification)devices.DESL is based on the classical DES(Data Encryption Standard)design,however,unlike DES it uses a single S-box repeated eight times.This approach makes it possible to considerably decrease chip size requirements.The S-box has been highly optimized in such a way that DESL resists common attacks,i.e.,linear and differential cryptanalysis, and the Davies-Murphy-attack.Therefore DESL achieves a security level which is appropriate for many applications.Furthermore,we propose a light-weight implementation of DESL which requires45%less chip size and86%less clock cycles than the best AES implementations with regard to RFID pared to the smallest DES implementation published,our DESL design requires38%less transistors.Our0.18µm DESL implementation requires a chip size of7392transistors(1848gate equivalences)and is capable to encrypt a64-bit plaintext in144clock cycles.When clocked at100kHz,it draws an average current of only 0.89µA.These hardwarefigures are in the range of the best eSTREAM streamcipher candidates,comprising DESL as a new alternative for ultra low-cost encryption.I.I NTRODUCTIONRFID(Radio Frequency Identification)tags have numer-ous applications,ranging from supply chain optimization to ehealth.Basically,RFID tags consist of a transponder and an antenna and are able to remotely send and receive data from an RFID host or reader device.In general,RFID tags can be divided into passive and active devices:active tags provide their own power supply(i.e.in form of a battery),whereas passive tags solely rely on the energy of the carrier signal transmitted by the reader device.Passive RFID devices are not only much less expensive,but also require less chip size and have a longer life cycle[1].Our proposed DESL algorithm and its low-power,size-optimized implementation aims at very constrained devices such as passive RFID tags.Providing cryptographic primitives (esp.encryption)at extremely low cost is of paramount im-portance for securing RFID applications.Thus far,there have been two approaches for providing cryptographic primitives for such situations:•Optimized low-cost implementations for standardized and trusted algorithms,which means in practice in essence block ciphers such as AES[2],see e.g.,[3].•Design new ciphers with the goal of having low hardware implementation costs2The best known light-weight AES implementation[3]re-quires3400gates and draws a maximum current of3.0µA 1Part of this work has already been presented at RFIDSec’06,a non-proceeding workshop.2see, e.g.,the profile2algorithms of the eStream project at /stream/@100kHz.This AES design is based on a byte-per-byte serialization,which only requires the implementation of a single S-box[4]and achieves one encryption within1032 clock cycles(=10.32ms@100kHz).Unfortunately,the ISO/IEC18000standard requires that the latency of a response of an RFID tag does not exceed320µs,which is why [3]proposes a slightly modified challenge-response protocol based on interleaving.The problem with this approach is that AES like most modern block ciphers was primarily designed with good software implementation properties in mind,and not necessarily with hardware-friendly properties.The only known cipher that was designed with a strong focus on low hardware costs is the Data Encryption Standard,DES[5].If we compare a standard,one-round implementation of AES and DES,the latter consumes about6%(!)of the logic resources of AES,while having a shorter critical path[6],[7].Therefore, we decided to follow the second approach and modify the hardware efficient and very well investigated cipher DES. The main design ideas of the new cipher family,which are either original DES efficiently implemented or a variant of DES,are:1)Use of a serial hardware architecture which reduces thegate complexity.2)Optionally apply key-whitening in order to render brute-force attacks impossible.3)Optionally replace the8original S-Boxes by a singleone which further reduces the gate complexity.If we make use of thefirst idea,we obtain a light-weight implementation of the original DES algorithm which consumes about35%less gates than the best known AES implementation[3].To our knowledge,this is the smallest reported DES implementation,trading area for throughput. The implementation requires also about86%fewer clock cycles for encrypting of one block than the serialized AES implementation in[3](1032cycles vs.144)which makes it easier to use in standardized RFID protocols.However,the security provided is limited by the56bit key.Brute forcing this key space takes a few months and hundreds of PCs in software, and only a few days with a special-purpose machine such as COPACOBANA[8].Hence,this implementation is only relevant for application where short-term security is needed,or where the values protected are relatively low.However,we can imagine that in certain low cost applications such a security level is adequate.In situation where a higher security level is needed key whitening,which we define here as follows:DESX k.k1.k2(x)=k2⊕DES k(k1⊕x),can be added to standard DES,yielding DESX.The bank of XOR gates increase the gate count by about14%3.The best known key search attack uses a time-memory trade-off and requires2120 time steps and264memory locations,which renders this attack entirely out of reach.The best known mathematical attack is linear cryptanalysis[9].LC requires about243chosen ciphertext blocks together with the corresponding plainttexts. At a clock speed of500kHz,our DESX implementation will take more than80years,so that analytical attacks do not pose a realistic threat.Please note that parallelization is only an option if devices with identical keys are available.In situations where extremely light-weight cryptography is needed,we can further decrease the gate complexity of DES by replacing the eight original S-Boxes by a single new one. This light-weight variant of DES is named DESL and has a brute-force resistance of256.In order to strengthen the cipher, key whitening can be applied yielding the ciphers DESXL.The crucial question is what the strength of DESL and DESXL is with respect to analytical attacks.We are fully aware that any changes to a cipher might open the door to new attacks,even if the changes have been done very carefully and checked against known attacks.Hence,we believe that DESL(or DESXL) should primarily not be viewed as competitors to AES,but should be used in applications where established algorithms are too costly.In such applications which have to trade security (really:trust in an algorithm)for cost,we argue that it is a cryptographically sounder approach to modestly modify a well studied cipher(in fact,the world’s best studied crypto algorithm),rather than designing a new algorithm altogether. II.L IGHTWEIGHT I MPLEMENTATION OF DES AND DESL In this section we present a size-optimized design of DES, which is smaller than any previous implementations of DES to our knowledge.A.Design Considerations and Implementation of DESThe overall architecture of our size-optimized DES imple-mentation is depicted in Figure1.Our design basically consists offive core modules:mem right,keyschedule,controller,and sbox.The controller module manages all control signals in the ASIC based on thefinite state machine depicted in Figure3.In the keyschedule module all DES round keys are generated.It is composed of a56-bit register,an input multiplexor,and an output multiplexor to select the right fraction of the roundkey.The memright module is similar to the memleft and mem left is modified by the inverse of the P permutation and stored in the registers 5Note that the design in a shift register manner in this module saves even more transistors(288,72GE)than in the memof the modules mem right in one cycle.Next, the output of the last register in memright and expanded to six bits. After an XOR operation with the appropriate block of the current round key,this expanded value is processed by the sbox module,which is selected by the count signal,provided by the controller module.Finally,the result is XORed with the output of the memleft module.This is repeated eight times,until all 32bit of the right half are processed.In our design,we applied the P permutation in each ninth clock cycle.Because the P−1permutation is applied before the left32-bit half L i is stored in the memleft and memleft is transformed by the P permutation and stored as the new content of the memright module is stored as the new content of the memleft and mem1457211811501094613123508151432121176913411049214871301012151511369615538411711220141013TABLE II MPROVED DESL S-BOXthese approaches,despite the fact that some of them have worse cryptographic properties than DES[16],just change the content and not the number of S-boxes.To the best of our knowledge,no DES variant has been proposed in the past which uses a single S-box,repeated eight times.Our work regarding a strengthened S-box is based on the original design criteria for DES as published by Copper-smith[17]and the work of Kim et al.[13]–[15]where several criteria for DES type S-boxes are presented to strengthen the resistance against differential and linear cryptanalysis,and the Davies-Murphy-Attack[18].The mathematical background of this part would go beyond the scope of this special session.Therefore we briefly list our conditions below:1:If two inputs to an S-box differ in theirfirst bit and are identical in their last two bits,the two outputs must not be the same.2:|S W b(a)|≤28for all a∈GF(2)6,b∈GF(2)4.3:S W b(a)≤4for all a∈GF(2)6,b∈GF(2)4with wt(a)=wt(b)=1.4:S Wb(a)≤16for all a∈GF(2)6,b∈GF(2)4with wt(a),wt(b)≤2.5:|S W b1(a)S W b2(a)|≤240for all a∈GF(2)6,b1,b2∈GF(2)4with wt(a)=1,wt(b1+b2)=1.6:S Wb(a)=0for a∈{(010000),(000010)},b∈GF(2)4 with wt(b)=1.7:|S W b1(000010)S W b2(000010)|=0for all b1,b2∈GF(2)4with wt(b1+b2)=1.8:S W(0100)(000100)=0S W b(a)denotes the Walsh-coefficient and wt(x)denotes the Hamming weight of x.We randomly generated S-boxes,which fulfill the original DES criteria(S-1),(S-3),(S-4),(S-5),(S-7) (see[17]),and the above listed conditions1to8.It can be shown,that S-boxes that fullfill these criteria are immune to linear and differential cryptanalysis,and the Davies-Murphy-Attack.Table I shows the S-box,which is used in DESL. C.Implementation of DESLThe main difference between DESL and DES lies in the f-function.We substituted the eight original DES S-boxes by a single but cryptographically stronger S-box,which is repeated eight times.Furthermore,we omitted the initial permutation (IP)and its inverse(IP−1),because they do not provide additional cryptographic strength,but at the same time require area for wiring.The design of our DESL algorithm is exactly the same as for the DES algorithm,except for the(IP)and (IP−1)wiring and the sbox module.The changed sbox modulecycles/Processrel.100kHzDESL10.89DES 1.25 1.19DESX 1.42–DESXL 1.17–340010320.352599–0.131294–0.133048340.25TABLE IIC OMPARISON OF EFFICIENT CIPHERS BASED ON GATE COUNT,CLOCKCYCLES,AND CURRENT CONSUMPTION implements only one S-box.As one can see in Figure2, this module neither needs the count control signal nor an output multiplexor,which saves another192transistors(48 GE).It takes144clock cycles to encrypt one64-bit block of plaintext.For one encryption at100kHz the average current consumption is0.89µA and the throughput reaches5.55KB/s. All results are summarized in Table II.III.R ESULTS AND C ONCLUSIONWe presented our implementation results of DES and DESL in Section II.Table II shows,that our DESL cipher needs 20%less transistors compared with our DES implementation and38%less transistors compared with the implementation in[6].This table also shows,that DESL uses25%less average current than DES.In comparison with the AES design in[3],our design needs45%less gate equivalents and86% less clock cycles as shown in Table II.Note that the AES design in[3]was implemented in a0.35µm standard cell technology,whereas our design was implemented in a0.18µm standard cell technology.Therefore a fair comparison is only possible with regard to the gate equivalences.Regarding area consumption,our DESL is competitive even to stream ciphers recently proposed within the eSTREAM project[19].More interesting,DESL would be the second smallest stream cipher in terms of gate count compared to all eSTREAM candidates (see Table II).Due to the low current consumption and the small chip size required for our DESL design,it is especially suited for resource limited applications,for example RFID tags and wireless sensor nodes.Finally,we can conclude,that DESL is more secure against linear and differential cryptanalysis and the Davies-Murphy attack,more size-optimized,and more power efficient than DES,which makes it especially suited for RFID applications. Furthermore,DESL is worth to be considered as an alternative for stream ciphers.IV.A CKNOWLEDGMENTSThe work presented in this paper was supported in part by the European Commission within the STREP UbiSec&Sens of the EU Framework Pro-gramme6for Research and Development(). The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements,either expressed or implied,of the UbiSec&Sens project or the European Commission.R EFERENCES[1]K.Finkenzeller,RFID-Handbook:Fundamentals and Applications inContactless Smart Cards and Identification.John Wiley and Sons, 2003.[2]“Advanced Encryption Standard(AES),”National Institute of Standardsand Technology(NIST),Federal Information Processing Standards (FIPS)Publication197,November2001.[3]M.Feldhofer,J.Wolkerstorfer,and V.Rijmen,“AES Implementationon a Grain of Sand,”Information Security,IEE Proceedings,vol.152, no.1,pp.13–20,2005.[4]J.Daemen and V.Rijmen,The Design of Rijndael.Springer Verlag,Berlin,2002.[5]“Data Encryption Standard(DES),”National Institute of Standards andTechnology(NIST),Federal Information Processing Standards(FIPS) Publication46-3,October1999.[6]I.Verbauwhede,F.Hoornaert,J.Vandewalle,and H.D.Man,“Securityand Performance Optimization of a New DES Data Encryption Chip,”IEEE Journal of Solid-State Circuits,vol.23,no.3,pp.647–656,1988.[7]K.T.Akashi Satoh,Sumio Morioka and S.Munetoh,“A Compact Rijn-dael Hardware Architecture with S-Box Optimization,”in ASIACRYPT 2001,ser.LNCS,vol.2248.Springer-Verlag,2001,pp.239–254.[8]S.Kumar,C.Paar,J.Pelzl,G.Pfeiffer,and M.Schimmler,“Breaking Ci-phers with COPACOBANA-A Cost-Optimized Parallel Code Breaker,”in Workshop on Cryptographic Hardware and Embedded Systems—CHES2006,Yokohama,Japan.Springer Verlag,2006.[9]M.Matsui,“Linear Cryptanalysis of DES Cipher,”in Advances inCryptology—EUROCRYPT’93,T.Hellenseth,Ed.,vol.LNCS0765.Berlin,Germany:Springer-Verlag,1994,pp.286–397.[10]“espresso,”available for download at/pubs/downloads/espresso/index.htm.[11]Biham and Biryukov,“How to Strengthen DES Using Existing Hard-ware,”in ASIACRYPT:Advances in Cryptology–ASIACRYPT:Interna-tional Conference on the Theory and Application of Cryptology.LNCS, Springer-Verlag,1994,available for download at / biham94how.html.[12] E.Biham and A.Shamir,“Differential Cryptanalysis of the Full16-Round DES,”in CRYPTO’92,1992,pp.487–496,available for down-load at /biham93differential.html.[13]K.Kim,S.Lee,S.Park,and D.Lee,“DES Can Be Immune to LinearCryptanalysis,”in Proceedings of the Workshop on Selected Areas in Cryptography SAC’94,May1994,pp.70–81,available for download at /kim94des.html.[14]——,“Securing DES S-boxes Against Three Robust Cryptanalysis,”in Proceedings of the Workshop on Selected Areas in Cryptography SAC’95,1995,pp.145–157,”available for download at citeseer.ist.psu.edu/kim95securing.html”.[15]K.Kim,S.Park,and S.Lee,“Reconstruction of s2-DES S-Boxes andtheir Immunity to Differential Cryptanalysis,”in Proceedings of1993 Korea-Japan Joint Workshop on Information Security and Cryptology (JW-ISC’93),October1993,available for download at citeseer.csail.mit.edu/kim93reconstruction.html.[16]L.R.Knudsen,“Iterative Characteristics of DES and s2-DES,”Advancesin Cryptology:Proceedings of CRYPTO’92,pp.497–511,1992. [17] D.Coppersmith,“The Data Encryption Standard(DES)and its StrengthAgainst Attacks,”IBM Journal of Research and Development,IBM Thomas J.Watson Research Center,Technical Report RC186131994, December1994.[18] D.Davies and S.Murphy,“Pairs and Triplets of DES S-Boxes,”Journalof Cryptology,vol.8,no.1,pp.1–25,1995.[Online].Available: /davies93pairs.html[19] F.K.Gurkaynak,“Hardware Evaluation of eSTREAM Candidate Algo-rithms,”available for download at http://asic.ethz.ch/estream/E.png. [20]T.Good and M.Benaissa,“Hardware Results for selected Stream CipherCandidates,”State of the Art of Stream Ciphers2007(SASC2007), Workshop Record,pp.191–204,February2007.[21] D.Hong,J.Sung,S.Hong,J.Lim,S.Lee,B.-S.Koo,C.Lee,D.Chang,J.Lee,K.Jeong,H.Kim,J.Kim,and S.Chee,“HIGHT:A New Block Cipher Suitable for Low-Resource Device,”in Cryptographic Hardware and Embedded Systems—CHES2006,ser.Lecture Notes in Computer Science,L.Goubin and M.Matsui,Eds.,vol.4249.Springer,2006, pp.46–59.。

网络安全期末复习题一、填空题：1、The three key objectives of computer security are confidentiality,，Integrity andAvailability （计算机安全的三个关键目标，保密性，完整性和可用性）2、Active Attack attempts to alter system resources or affect their operation.（主动攻击试图改变或影响其操作系统资源）3、Passive Attack attempts to learn or make use of information from the system but dose not affect system resources.（被动攻击试图学习或者从系统中而不影响系统资源利用信息。

）4、The process of attempting to discover the plaintext or key is known as cryptanalysis（试图发现明文或密钥的过程称为密码分析）5、0Two types of passive attacks are the release of message contents and traffic analysis.（被动攻击的两种类型是消息分析和流量分析）6、A symmetric encryption scheme has five ingredients ,they are plaintext , encryption algorithm, decryption algorithm , secret key and ciphertext .（对称加密方案有五种成分，它们是明文，加密算法，解密算法，密钥和密文）7、The two general approaches to attacking a cipher are cryptanalysis and brute-force attack。

电子商务一、电子商务的应用有以下三种类型1、企业内部电子商务，即企业内部之间，通过企业内部网（Intranet）的方式处理与交换商贸信息。

2、企业间的电子商务（简称为B—B模式，B2B），即企业与企业（Business—Business）之间，通过INTERNET或专用网方式进行电子商务活动。

3、企业与消费者之间的电子商务（简称为B—C模式，B2C），即企业通过INTERNET 为消费者提供一个新型的购物环境——网上商店，消费者通过网络在网上购物、在网上支付。

二、按商业活动运作方式可分成完全电子商务和不完全电子商务两类（1）完全电子商务：即可以完全通过电子商务方式实现和完成整个交易过程的交易。

（2）不完全电子商务：即指无法完全依靠电子商务方式实现和完成完整交易过程的交易，它需要依靠一些外部要素，如运输系统等来完成交易。

三、按电子商务应用服务的领域范围可分为四类，即企业对消费者、企业对企业、企业对政府机构、消费者对政府机构的电子商务。

（1）企业对消费者（也称商家对个人客户或商业机构对消费者即B to C）的电子商务商业机构对消费者的电子商务基本等同于电子零售商业。

目前，Internet上已遍布各种类型的商业中心，提供各种商品和服务，主要有鲜花、书籍、计算机、汽车等商品和服务。

（2）企业对企业（也称为商家对商家或商业机构对商业机构即B to B）的电子商务商业机构对商业机构的电子商务是指商业机构（或企业、公司）使用Internet或各种商务网络向供应商（企业或公司）订货和付款。

商业机构对商业机构的电子商务发展最快，已经有了多年的历史，特别是通过增值网络（V alue Added Network，V AN）上运行的电子数据交换（EDI），使企业对企业的电子商务得到了迅速扩大和推广。

公司之间可能使用网络进行订货和接受订货、合同等单证和付款。

（3）企业对政府机构的电子商务在企业——政府机构方面的电子商务可以覆盖公司与政府组织间的许多事务。