^{TM}: An Involutive Lightweight Block Cipher

^{1}

^{*}

^{2}

^{*}

^{2}

^{*}

^{2}

^{*}

^{3}

^{*}

This paper proposes a new
involutive light-weight block cipher for resource-constraint environments
called I-PRESENT^{TM}. The design is based on the Present block cipher
which is included in the ISO/IEC 29192 standard on lightweight cryptography.
The advantage of I-PRESENT^{TM }is
that the cipher is involutive such that the encryption circuit is identical to
decryption. This is an advantage for environments which require the
implementation of both circuits. The area requirement of I-PRESENT^{TM }compares reasonably well with
other similar ciphers such as PRINCE.

In recent years, there is a steady rise in the research into lightweight cryptography, i.e. cryptography suitable for implementation in resource-constrained environments. The constraints on the resources include compact imple- mentation area, small memory and low power consumption in devices such as RFID tags and wireless sensor nodes. The need arises because traditional cryptography cannot fit into these environments due to the relatively high implementation costs.

In this paper, the focus is on lightweight block ciphers. There are numerous existing proposals which include PRESENT [

As recognition for the need for interoperability, the block ciphers PRESENT and CLEFIA [

In this paper, we propose a new lightweight block cipher. Our cipher, called I-PRESENT^{TM}, is an involution in the sense that the encryption and decryption circuits are identical. This translates into a smaller implementa- tion cost compared to other existing lightweight block ciphers which require separate circuits to perform encryp- tion and decryption. Our cipher is based on present and the involutive part is inspired by PRINCE. To the best of our knowledge, the only other involutive lightweight block ciphers proposed are LBlock and PRINCE.

This paper is organized as follows. In Section 2, we give a description of our cipher. The design rationale is explained in Section 3 and Section 4 outlines the security analysis on the cipher. The implementation analysis is presented in Section 5. A summary and the conclusion for the paper are given in Section 6.

I-PRESENT^{TM }accepts a 64-bit plaintext block and master key lengths of 80 and 128 bits. These variants are denoted as I-PRESENT-80 and I-PRESENT-128, respectively. The master key is used by the key scheduling algorithm (key schedule) as input to produce a set of thirty 64-bit round subkeys. The ciphertext block is gener- ated after applying a round function 15 times to the plaintext block, followed by an involutive function and another 15 applications of the inverse round function. In total, the number of rounds for the cipher is 30.

The encryption function takes as input a 64-bit plaintext state and a set of thirty-two 64-bit round subkeys. The values for subkey are produced by the key schedule which will be described later in Section 2.4. Encryption proceeds by iterating a round function 15 times which consists of a key mixing transformation MixKey, a non- linear transformation STrans and a bit permutation PTrans.

This is followed by the application of a function Invo and iterating the inverse round function 15 times to state. The current value of state is output as the ciphertext. This process is given in Listing 1.1 and illustrated in Fig- ure 1.

I-PRESENT^{TM }block cipher

The decryption function takes as input a 64-bit ciphertext state and a set of thirty 64-bit round subkeys subkey. The values for subkey are produced by the key schedule which will be described later in Section 2.4. Decryption is identical to encryption, i.e. the same as Listing 1.1, except that the round subkeys are used in the reverse order. Therefore, subkey [

This section describes the transformations used in the round function of I-PRESENT^{TM}.

The Function MixKey. MixKey takes the current value of state and XOR its value with the value of the cur- rent round subkey.

The Functions STrans and STransInv. STrans and STransInv both divide the input state into sixteen 4-bit words and applies a 4 × 4 s-box simultaneously to each word. A 4 × 4 s-box is a nonlinear function that maps a 4-bit input to a 4-bit output.

The mapping of the s-box used in I-PRESENT^{TM} is given in ^{−1} is used in decryption. A 4-bit input x = 1 to an s-box s would give an output of s(1) = 6. If x = 6 is used as input to its inverse s^{−1}, then the output is s^{−1}(6) = 1.

The Functions PTrans and PTransInv. The function PTrans performs a bit permutation on its 64-bit input state and updates the value of the state with the permuted value. Let

. The s-box s and its inverse s^{−1} used in I-PRESENT^{TM}

x | 0 1 2 3 4 5 6 7 8 9 A B C D E F |
---|---|

s^{′}(x) | D 6 1 F 4 8 B 5 0 3 A C 9 E 7 2 |

x | 0 1 2 3 4 5 6 7 8 9 A B C D E F |

s^{′}^{−1}(x) | 8 2 F 9 4 7 1 E 5 C A 6 B 0 D 3 |

. Permutation in PTrans

i | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
---|---|

P(i) | 0 16 32 48 1 17 33 49 2 18 34 50 3 19 35 51 |

i | 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |

P(i) | 4 20 36 52 5 21 37 53 6 22 38 54 7 23 39 55 |

i | 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |

P(i) | 8 24 40 56 9 25 41 57 10 26 42 58 11 27 43 59 |

i | 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 |

P(i) | 12 28 44 60 13 29 45 61 14 30 46 62 15 31 47 63 |

The permutation states that the bit in position i is moved to position P(i). For instance, bit x_{0} is unchanged and bit x_{1} is moved to position 16 and the output state Y is updated as follows.

The Function Invo. Invo divides the 64-bit input state into sixteen 4-bit words and applies a 4 × 4 s-box sˆ si- multaneously to each word. The mapping for sˆ is given in

I-PRESENT^{TM} supports two key sizes: 80 and 128 bits. The key schedule for these key lengths is the same as used in PRESENT. For completeness, we include the description of the key schedules in this section.

80-bit Key. The 80-bit key is stored in register K and represented as k_{79}k_{78} ...k_{0}. The subkey for round i, i.e. K^{i} = κ_{63}κ_{62} ...κ_{0} is derived from the 64 left-most bit of the current register K:

In the first round, subkey K^{0} is derived directly from the 64 left-most bit of the master key. After this key is extracted, the current register K = k_{79}k_{78} ...k_{0} is updated as follows where the value i is initialized to 1, i.e. i = 1.

1) Rotate the register K by 53 bits to the left:

2)

3) Apply the s-box s' to the four left-most bit of the register K:

where the mapping for s is given in

4) XOR bits k_{19}k_{18}k_{17}k_{16}k_{15} with a roundcounter i where the right-most bit is the least significant bit:

5)

6) Extract the ith subkey as

The above steps are repeated until all round subkeys are derived, i.e. until K^{31} is derived.

128-bit Key. The 128-bit key is stored in register K and represented as k_{127}k_{126} ...k_{0}. The subkey for round i, i.e.

In the first round, subkey K^{0} is derived directly from the 64 left-most bit of the master key. After this key is extracted, the current register

1) Rotate the register K by 53 bits to the left:

2)

3) Apply the s'-box s^{ }to the eight left-most bit of the register K:

where the mapping for s is given in

4) XOR bits k_{67}k_{66}k_{65}k_{64}k_{63} with a round counter i where the right-most bit is the least significant bit:

5)

6) Extract the ith subkey as

The above steps are repeated until all round subkeys are derived, i.e. until K^{31} is derived.

. The s-box used in the function Invo

x | 0 1 2 3 4 5 6 7 8 9 A B C D E F |
---|---|

sˆ(x) | E A 2 C 4 8 F D 5 9 1 B 3 7 0 6 |

The basis of the construction of the s-box of I-PRESENT^{TM} is the same as P’s s-box [

The involutive s-box used in the function Invo is the same s-box used in the block cipher Noekeon [^{TM}’s s-box. However, since this s-box is proposed to be used only in the middle of the cipher, we expect the security of the new construction is similar if not superior to PRESENT.

The bit permutation used in I-PRESENT^{TM} is the same used in present. There is very little or no extra cost in- curred when using bit permutation in hardware. However, higher cost will be incurred when implementing this operation in software. This is due to the extra operations (e.g. masking of bits, rotation) required to extract bits in specific positions in a word. The choice of bit permutation allows the designer of PRESENT to derive bounds on the resistance of the cipher against differential cryptanalysis (more in Section 4.1). I-PRESENT^{TM} therefore inherits this property.

I-PRESENT^{TM} is an involutive cipher in the sense that the circuit for decryption is the same as for encryption. The only difference is the order of the round subkeys. The involutive part is inspired by the lightweight block cipher PRINCE [

Note that it is possible to implement only the encryption circuit of a cipher but allows for encryption and de- cryption of arbitrary messages. For instance, in the counter mode (CTR), only the encryption circuit of a cipher is required to perform encryption and decryption of messages. In other modes such as cipher block chaining (CBC), we require both encryption and decryption circuits to perform the same operations.

In essence, an involutive function I connects two (not necessarily be involution) functions F and F^{−1} (the in- verse of F), i.e. F^{−1}^{ }∘I ∘F. This differs to the strategy used by other involutive ciphers such as Noekeon [

As mentioned in Section 3.1, the use of a non-involutive s-box in the outer rounds allows a 1-bit input differ- ence to trigger at least a 2-bit output difference. If we use an involutive s-box, it is possible for a 1-bit input dif- ference to cause a 1 bit output difference [

This section presents the security evaluation of I-PRESENT^{TM}. The two most important attacks that a cipher should resist is differential [

To gauge the resistant of I-PRESENT^{TM} against differential cryptanalysis, we adopted the number of active s-boxes approach. This technique is used in many ciphers including the Advanced Encryption Standard (AES) [

Let pˆ denote the probability of a differential trail and let N denote the block length of a cipher in bits. A key recovery attack requires roughly pˆ^{−1} chosen plaintexts and should not exceed the plaintext space, i.e. pˆ^{−1} < 2^{N}. Let p_{max} denote the maximum differential probability of the s-box and n_{a} denote the number of active s-boxes. In order to resist differential cryptanalysis, n_{a} should be bounded by

Based on the analysis done on PRESENT [^{TM} s-boxes is 2^{−2}. For I-PRESENT^{TM}, (2^{−2})^{na} < 2^{−64} and so the cipher should have at least n_{a} = 32 active s-boxes in a differential trail.

If we ignore the Invo function, the probability of a 20-round differential trail is bounded by (2^{−2})^{4×10} = 2^{−80}. A key recovery attack is not possible since the required number of chosen plaintexts exceed the plaintext space, i.e. 2^{80} > 2^{64}. Since I-PRESENT^{TM} has 30 rounds, we believe that the cipher provides ample protection against dif- ferential cryptanalysis.

Linear cryptanalysis is related to differential cryptanalysis [^{TM} is resistant to linear cryptanalysis.

In a nutshell, the boomerang attack [^{2} > 2^{−N}.

A 10-round boomerang distinguisher can be constructed by using two 5-round differential trails. Each trail has probability p = q = (2^{−2})^{10} = 2^{−20}. So the total probability of this 10-round distinguisher is (2^{−20} × 2^{−20})^{2} = 2^{−80}. This is much lower than 2^{−64} and thus, the full-round I-PRESENT^{TM} is resistant to boomerang cryptanalysis.

Traditionally, integral cryptanalysis [^{TM} and PRESENT. However, by carefully inspecting the propagation of the inputs, the attack is still possible to be applied [^{TM} and PRESENT, we ex- pect our cipher to be resistant to integral cryptanalysis.

The statistical saturation attack exploits poor diffusion properties of a cipher [^{60} chosen plaintexts and 2^{28} operations. Since I-PRESENT^{TM} uses the same diffusion as PRESENT, the same analysis can be similarly be applied to I-PRESENT^{TM}. However, since our cipher employs the function Invo in the middle of the cipher, we believe it will provide resistance to this attack.

^{TM} in terms of the number of gate equiva- lents (GE). The estimation is based on the results obtained for PRESENT [^{TM} and PRESENT is in the s-box layer. In I-PRESENT^{TM}, we additionally use two 4 × 4 s-boxes 16 times.

Based on the estimation, one bit requires about 6 GE to store. The data and key state occupy 64 and 80 bits, respectively. This gives 384.39 GE and 480.49 GE to the implementation cost. In PRESENT, the cost for a sin- gle 4 × 4 s-box is about 28.028125 GE. In I-PRESENT^{TM}, we use three different s-boxes each repeated 16 times. Therefore, 28.028125 × 3 × 16 = 1345.35 GE is required to implement the s-boxes. To obtain a more precise implementation result, specific hardware tools such as Mentor Graphics Modelsim and Synopsis Design Com- piler can be used for simulation and synthesis, respectively. The estimation is part of the evaluation for a light- weight block cipher and is performed on existing ciphers such as PRESENT.

A comparison between the implementation of related lightweight block ciphers is given in

. Area requirement for I-PRESENT^{TM}

Module | GE | Module | GE |
---|---|---|---|

Data state (64 bits) | 384.39 | Key state | 480.49 |

s-box layer | 1345.35 | Key s-box | 28.03 |

Permutation layer | 0 | Key rotation | 0 |

Counter: state | 28.36 | Key counter-XOR | 13.35 |

Counter: combinatorial | 12.35 | Key XOR | 170.84 |

Other | 3.67 | ||

Total | 2466.86 |

. Comparison of existing implementation of related lightweight block ciphers

Cipher | Key Size | Block Size | Logic Process (µm) | GE |
---|---|---|---|---|

PRESENT-80 [1] | 80 | 64 | 0.18 | 1570 |

LBLOCK [3] | 80 | 64 | 0.18 | 1320 |

I-PRESENT-80 | 80 | 64 | 0.18 | 2467 |

KLEIN [28] | 80 | 64 | 0.18 | 2629 |

PRESENT-128 [1] | 128 | 64 | 0.18 | 1886 |

I-PRESENT-128 | 128 | 64 | 0.18 | 2783 |

PRINCE-128 [5] | 128 | 64 | 0.18 | 3491 |

cipher can also be considered as an involution. The implementation cost for LBlock [^{TM} is still reasonable since another SPN-type cipher, KLEIN [

In the 128-bit key space, I-PRESENT^{TM} requires much less GE compared to PRINCE [^{TM} is inspired by PRINCE and we managed to provide a lower imple- mentation cost. KLEIN only supports key size up to 96 bits which require 2769 GE. Our cipher supports a stronger key size (128 bits) and requires 2783 GE which is very close to the 96-bit key KLEIN. The description of the block ciphers included in the comparison in

In this paper, we propose a new 64-bit block involutive lightweight block cipher called I-PRESENT^{TM}. The main advantage of the cipher is that encryption and decryption can be performed using the same circuit, thus provides savings on implementation. This differs to many other existing lightweight block ciphers which require separate circuits to perform encryption and decryption. This adds to the implementation cost of these ciphers. In terms of area requirements, our cipher compares reasonably well with other 80-bit key lightweight block ciphers. It even outperforms PRINCE in the 128-bit key space, in which the idea of the involution for I-PPRESENT^{TM} is based on.

As future work, we may simulate and synthesize I-PRESENT^{TM} using appropriate tools. Further cryptanalysis may also be performed using more sophisticated attack techniques.

This work is a research collaboration with CoRE Expert System Sdn Bhd and it was sponsored by them and also Ministry of Education Malaysia, under Fundamental Research Grant Scheme 2014.