I-PRESENT TM : An Involutive Lightweight Block Cipher

This paper proposes a new involutive light-weight block cipher for resource-constraint environments called I-PRESENT TM . The design is based on the Present block cipher which is included in the ISO/IEC 29192 standard on lightweight cryptography. The advantage of I-PRESENT TM is that the cipher is involutive such that the encryption circuit is identical to decryption. This is an advantage for environments which require the implementation of both circuits. The area requirement of I-PRESENT TM compares reasonably well with other similar ciphers such as PRINCE.


Introduction
In recent years, there is a steady rise in the research into lightweight cryptography, i.e. cryptography suitable for implementation in resource-constrained environments.The constraints on the resources include compact implementation area, small memory and low power consumption in devices such as RFID tags and wireless sensor nodes.The need arises because traditional cryptography cannot fit into these environments due to the relatively high implementation costs.
In this paper, the focus is on lightweight block ciphers.There are numerous existing proposals which include PRESENT [1], the KATAN and KTANTAN families [2], LBlock [3], LED [4], PRINCE [5], and the Simon and Speck families [6], the last of which was proposed by the United States National Security Agency (NSA).They were developed to address the need for dedicated ciphers to be used in resource-constrained environments for which the general purpose Advanced Encryption Standard (AES) block cipher [7] was unsuitable.With the exception of PRINCE, all of these ciphers require different circuits for encryption and decryption.Therefore, two circuits have to be implemented in order to perform these operations which add to the implementation cost.Our cipher proposed in this paper, on the other hand, requires only a single circuit to perform these operations.
As recognition for the need for interoperability, the block ciphers PRESENT and CLEFIA [8] have been included in the ISO/IEC 29192 standard on lightweight cryptography.The standard specifies the minimum security level at 80 bits (i.e. the key size).To be included in this standard, the hardware and software implementation properties of the cipher should have advantage over existing ISO standards such as ISO/IEC 18033 (encryption algorithms), ISO/IEC 9798 (entity authentication) and ISO/IEC 11770 (key management).
In this paper, we propose a new lightweight block cipher.Our cipher, called I-PRESENT TM , is an involution in the sense that the encryption and decryption circuits are identical.This translates into a smaller implementation cost compared to other existing lightweight block ciphers which require separate circuits to perform encryption and decryption.Our cipher is based on present and the involutive part is inspired by PRINCE.To the best of our knowledge, the only other involutive lightweight block ciphers proposed are LBlock and PRINCE.
This paper is organized as follows.In Section 2, we give a description of our cipher.The design rationale is explained in Section 3 and Section 4 outlines the security analysis on the cipher.The implementation analysis is presented in Section 5. A summary and the conclusion for the paper are given in Section 6.

Description of I-PRESENT TM
I-PRESENT TM accepts a 64-bit plaintext block and master key lengths of 80 and 128 bits.These variants are denoted as I-PRESENT-80 and I-PRESENT-128, respectively.The master key is used by the key scheduling algorithm (key schedule) as input to produce a set of thirty 64-bit round subkeys.The ciphertext block is generated after applying a round function 15 times to the plaintext block, followed by an involutive function and another 15 applications of the inverse round function.In total, the number of rounds for the cipher is 30.

Encryption
The encryption function takes as input a 64-bit plaintext state and a set of thirty-two 64-bit round subkeys.The values for subkey are produced by the key schedule which will be described later in Section 2.4.Encryption proceeds by iterating a round function 15 times which consists of a key mixing transformation MixKey, a nonlinear transformation STrans and a bit permutation PTrans.This is followed by the application of a function Invo and iterating the inverse round function 15 times to state.The current value of state is output as the ciphertext.This process is given in Listing 1.1 and illustrated in

Decryption
The decryption function takes as input a 64-bit ciphertext state and a set of thirty 64-bit round subkeys subkey.The values for subkey are produced by the key schedule which will be described later in Section 2.4.Decryption is identical to encryption, i.e. the same as Listing 1.1, except that the round subkeys are used in the reverse order.Therefore, subkey [0] in decryption is subkey [31] in encryption, subkey [1] in decryption is subkey [30] in encryption and so on.

Round Function Transformations
This section describes the transformations used in the round function of I-PRESENT TM .
The Function MixKey.MixKey takes the current value of state and XOR its value with the value of the current round subkey.
The Functions STrans and STransInv.STrans and STransInv both divide the input state into sixteen 4-bit words and applies a 4 × 4 s-box simultaneously to each word.A 4 × 4 s-box is a nonlinear function that maps a 4-bit input to a 4-bit output.
The mapping of the s-box used in I-PRESENT TM is given in Table 1 where the values given are in hexadecimal.The s-box s is used in STrans and its inverse, s −1 is used in decryption.A 4-bit input x = 1 to an s-box s would give an output of s(1) = 6.If x = 6 is used as input to its inverse s −1 , then the output is s −1 (6) = 1.
The Functions PTrans and PTransInv.The function PTrans performs a bit permutation on its 64-bit input state and updates the value of the state with the permuted value.Let 63 62 0 ...

X x x x
= and 63 62 0 ... Y y y y = denote the 64-bit input and output state of PTrans, respectively where bit number 63 is the leftmost bit of the state, bit 62 is the second leftmost bit of the state and so on.The permutation in PTrans can be described by Table 2.
Table 1.The s-box s and its inverse s −1 used in I-PRESENT TM .
The permutation states that the bit in position i is moved to position P(i).For instance, bit x 0 is unchanged and bit x 1 is moved to position 16 and the output state Y is updated as follows.
The Function Invo.Invo divides the 64-bit input state into sixteen 4-bit words and applies a 4 × 4 s-box sˆ simultaneously to each word.The mapping for sˆ is given in Table 3.

Key Schedule
I-PRESENT TM supports two key sizes: 80 and 128 bits.The key schedule for these key lengths is the same as used in PRESENT.For completeness, we include the description of the key schedules in this section.
80-bit Key.The 80-bit key is stored in register K and represented as k 79 k 78 ...k 0 .The subkey for round i, i.e.K i = κ 63 κ 62 ...κ 0 is derived from the 64 left-most bit of the current register K: In the first round, subkey K 0 is derived directly from the 64 left-most bit of the master key.After this key is extracted, the current register K = k 79 k 78 ...k 0 is updated as follows where the value i is initialized to 1, i.e. i = 1. 1 where the mapping for s is given in Table 1. 3 where the mapping for s is given in Table 1.
3) XOR bits k 67 k 66 k 65 k 64 k 63 with a round counter i where the right-most bit is the least significant bit:

The Nonlinear Layers
The basis of the construction of the s-box of I-PRESENT TM is the same as P's s-box [1].One of the main criteria in the design of PRESENT's s-box is that there is no 1-bit input difference that results in a 1-bit output difference.This is to prevent the propagation of trivial differential trails due to the use of a bit permutation.Other sboxes that have this criterion are the eight s-boxes of the block cipher Serpent [9].The involutive s-box used in the function Invo is the same s-box used in the block cipher Noekeon [10].According to Liu et al. [11], there always exists a 1-bit input difference which results in a 1-bit output difference for a 4 × 4 involutive s-box.As a consequence, it does not meet the criteria for the I-PRESENT TM 's s-box.However, since this s-box is proposed to be used only in the middle of the cipher, we expect the security of the new construction is similar if not superior to PRESENT.

The Permutation Layers
The bit permutation used in I-PRESENT TM is the same used in present.There is very little or no extra cost incurred when using bit permutation in hardware.However, higher cost will be incurred when implementing this operation in software.This is due to the extra operations (e.g.masking of bits, rotation) required to extract bits in specific positions in a word.The choice of bit permutation allows the designer of PRESENT to derive bounds on the resistance of the cipher against differential cryptanalysis (more in Section 4.1).I-PRESENT TM therefore inherits this property.

The Structure
I-PRESENT TM is an involutive cipher in the sense that the circuit for decryption is the same as for encryption.The only difference is the order of the round subkeys.The involutive part is inspired by the lightweight block cipher PRINCE [5].The main advantage of this design is that only a single circuit is required to be implemented in environments which require both encryption and decryption.This substantially reduces the implementation cost if compared to a cipher with different circuits to perform these operations.
Note that it is possible to implement only the encryption circuit of a cipher but allows for encryption and decryption of arbitrary messages.For instance, in the counter mode (CTR), only the encryption circuit of a cipher is required to perform encryption and decryption of messages.In other modes such as cipher block chaining (CBC), we require both encryption and decryption circuits to perform the same operations.
In essence, an involutive function I connects two (not necessarily be involution) functions F and F −1 (the inverse of F), i.e.F −1 ∘I ∘F.This differs to the strategy used by other involutive ciphers such as Noekeon [10], Khazad [12] and Anubis [13] where all its functions are required to be an involution.
As mentioned in Section 3.1, the use of a non-involutive s-box in the outer rounds allows a 1-bit input difference to trigger at least a 2-bit output difference.If we use an involutive s-box, it is possible for a 1-bit input difference to cause a 1 bit output difference [11].This is an advantage to an attacker since a differential trail involving a small number of active s-boxes may be constructed.

Cryptanalysis
This section presents the security evaluation of I-PRESENT TM .The two most important attacks that a cipher should resist is differential [14] [15] and linear cryptanalysis [16].

Differential and Linear Cryptanalysis
To gauge the resistant of I-PRESENT TM against differential cryptanalysis, we adopted the number of active s-boxes approach.This technique is used in many ciphers including the Advanced Encryption Standard (AES) [17] (Section 9) and CLEFIA, a cipher developed by Sony Corporation [18] (Section 2.1).
Let pˆ denote the probability of a differential trail and let N denote the block length of a cipher in bits.A key recovery attack requires roughly pˆ− 1 chosen plaintexts and should not exceed the plaintext space, i.e. pˆ− 1 < 2 N .Let p max denote the maximum differential probability of the s-box and n a denote the number of active s-boxes.In order to resist differential cryptanalysis, n a should be bounded by max 2 Based on the analysis done on PRESENT [1] (Theorem 1), it is known that any five-round differential trail has a minimum of 10 active s-boxes.The maximum differential probability of all I-PRESENT TM s-boxes is 2 −2 .For I-PRESENT TM , (2 −2 ) na < 2 −64 and so the cipher should have at least n a = 32 active s-boxes in a differential trail.
If we ignore the Invo function, the probability of a 20-round differential trail is bounded by (2 −2 ) 4×10 = 2 −80 .A key recovery attack is not possible since the required number of chosen plaintexts exceed the plaintext space, i.e. 2 80 > 2 64 .Since I-PRESENT TM has 30 rounds, we believe that the cipher provides ample protection against differential cryptanalysis.
Linear cryptanalysis is related to differential cryptanalysis [19] [20].According to Bogdanov and Shibutani [21], we can assume that the resistance of a cipher against both differential and linear cryptanalysis using the number of active s-boxes method to be the same.Therefore, based on our previous analysis on differential cryptanalysis, I-PRESENT TM is resistant to linear cryptanalysis.

Boomerang Cryptanalysis
In a nutshell, the boomerang attack [22] requires the construction of four differential trails.The cipher is considered as two halves where two differentials cover the upper half and the remaining two covers the lower half.Let p and q denote the probability of the differentials for the upper and lower halves, respectively.A valid distinguisher must satisfy (pq) 2 > 2 −N .

Integral Cryptanalysis
Traditionally, integral cryptanalysis [23] is not well-suited to be applied on bit-based block ciphers such as I-PRESENT TM and PRESENT.However, by carefully inspecting the propagation of the inputs, the attack is still possible to be applied [24].The best known integral attack on PRESENT is on 10 rounds [25] which is much less than the total number of rounds of present.Due to the similarity of I-PRESENT TM and PRESENT, we expect our cipher to be resistant to integral cryptanalysis.

Statistical Saturation
The statistical saturation attack exploits poor diffusion properties of a cipher [26].It fixes certain bits in the plaintext and the distribution of certain bits of the ciphertext is observed.If the distribution is non-uniform, then the cipher is vulnerable to this attack.The attack managed to break 24 rounds of PRESENT using about 2 60 chosen plaintexts and 2 28 operations.Since I-PRESENT TM uses the same diffusion as PRESENT, the same analysis can be similarly be applied to I-PRESENT TM .However, since our cipher employs the function Invo in the middle of the cipher, we believe it will provide resistance to this attack.

Implementation
Table 4 gives an estimate on the area requirement for I-PRESENT-80 TM in terms of the number of gate equivalents (GE).The estimation is based on the results obtained for PRESENT [1] (Section 6).The only major difference between the implementation of I-PRESENT TM and PRESENT is in the s-box layer.In I-PRESENT TM , we additionally use two 4 × 4 s-boxes 16 times.
Based on the estimation, one bit requires about 6 GE to store.The data and key state occupy 64 and 80 bits, respectively.This gives 384.39 GE and 480.49GE to the implementation cost.In PRESENT, the cost for a single 4 × 4 s-box is about 28.028125 GE.In I-PRESENT TM , we use three different s-boxes each repeated 16 times.Therefore, 28.028125 × 3 × 16 = 1345.35GE is required to implement the s-boxes.To obtain a more precise implementation result, specific hardware tools such as Mentor Graphics Modelsim and Synopsis Design Compiler can be used for simulation and synthesis, respectively.The estimation is part of the evaluation for a lightweight block cipher and is performed on existing ciphers such as PRESENT.
A comparison between the implementation of related lightweight block ciphers is given in Table 5.Note that although PRESENT requires 1570 GE in the 80-bit security level, the implementation is only for encrypt-only while our implementation is for both encryption and decryption.LBlock is included in the comparison since the cipher can also be considered as an involution.The implementation cost for LBlock [3] is lower compared to our cipher because LBlock employs the Feistel network [27] while ours is a substitution-permutation network (SPN) type of cipher.The cost to implement I-PRESENT TM is still reasonable since another SPN-type cipher, KLEIN [28], requires more physical space than ours.In the 128-bit key space, I-PRESENT TM requires much less GE compared to PRINCE [5].As mentioned earlier, the involution part of I-PRESENT TM is inspired by PRINCE and we managed to provide a lower implementation cost.KLEIN only supports key size up to 96 bits which require 2769 GE.Our cipher supports a stronger key size (128 bits) and requires 2783 GE which is very close to the 96-bit key KLEIN.The description of the block ciphers included in the comparison in Table 5 can be found in their respective references.The interested reader may refer to the related documents for a detailed description of the block ciphers.

Conclusions
In this paper, we propose a new 64-bit block involutive lightweight block cipher called I-PRESENT TM .The main advantage of the cipher is that encryption and decryption can be performed using the same circuit, thus providing savings on implementation.This differs to many other existing lightweight block ciphers which require separate circuits to perform encryption and decryption.This adds to the implementation cost of these ciphers.In terms of area requirements, our cipher compares reasonably well with other 80-bit key lightweight block ciphers.It even outperforms PRINCE in the 128-bit key space, in which the idea of the involution for I-PPRESENT TM is based on.
As future work, we may simulate and synthesize I-PRESENT TM using appropriate tools.Further cryptanalysis may also be performed using more sophisticated attack techniques.
value of i by one.The above steps are repeated until all round subkeys are derived, i.e. until K 31 is derived.
Rotate the register K by 53 bits to the left: Apply the s-box s' to the four left-most bit of the register K: and increment the value of i by one.The above steps are repeated until all round subkeys are derived, i.e. until K 31 is derived.128-bitKey.The 128-bit key is stored in register K and represented as k 127 k 126 ...k 0 .The subkey for round i, i.e.In the first round, subkey K 0 is derived directly from the 64 left-most bit of the master key.After this key is extracted, the current register Apply the s'-box s to the eight left-most bit of the register K: ) XOR bits k 19 k 18 k 17 k 16 k 15 with a roundcounter i where the right-most bit is the least significant bit:i K κ κ κ =is derived from the 64 left-most bit of the current register K:

Table 3 .
The s-box used in the function Invo.

Table 4 .
Area requirement for I-PRESENT TM .

Table 5 .
Comparison of existing implementation of related lightweight block ciphers.