[Cryptography] Gates are cheap. Should cipher design change?

Jerry Leichter leichter at lrw.com
Mon Mar 28 16:22:52 EDT 2016


>> What would a modern cipher designed for efficient hardware
>> implementation look like? Is it just DES with more rounds and a bigger
>> block size? How about mixing up different cipher principles in one
>> cipher? So start with a Feistel, then an S-box, then...
> 
> Look at Simon and Speck
> 	https://eprint.iacr.org/2013/404.pdf

Simon and Speck specifically deal with the question of *expensive* gates:  They are for low-end, cheap devices.  Just the opposite of what the OP brought up.

Suppose we ignore those.  The linked paper indicates that the smallest known AES implementations require about 2500 gates.  Suppose you had a budget of a million gates and wanted to design a cipher that made full use of them.  What would you do?

One interesting issue this highlights is the difference between hardware and software implementation:  Given that many gates, you can build a very large S-box in hardware.  Software trying to implement such an algorithm would have significant problems avoiding various kinds of side-channel leaks via memory accesses.

                                                        -- Jerry
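
The software side of the S-box point above, as an added example that is not part of the original post: a 16-bit table lookup written the direct way, where the load address depends on the secret index, next to the usual full-table-scan countermeasure, whose cost grows with the table size. The table size, the toy permutation and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SBOX_BITS 16
#define SBOX_SIZE (1u << SBOX_BITS)

static uint16_t sbox[SBOX_SIZE];

/* Constructed toy table: x -> 40503*x + 12345 mod 2^16 (odd multiplier, so a
 * bijection). A stand-in for a large S-box, with no cryptographic strength. */
static void sbox_init(void) {
    for (uint32_t x = 0; x < SBOX_SIZE; x++)
        sbox[x] = (uint16_t)(x * 40503u + 12345u);
}

/* Direct lookup: the load address is a function of the secret index, so the
 * cache line touched (and the timing that follows) depends on the secret. */
static uint16_t sbox_lookup_direct(uint16_t secret) {
    return sbox[secret];
}

/* Scan lookup: read every entry and keep the wanted one with a mask, so the
 * access pattern is the same for every index. Cost is SBOX_SIZE loads per
 * lookup, which is what makes a very large table impractical in software.
 * Compilers may still introduce branches; inspect the generated assembly. */
static uint16_t sbox_lookup_scan(uint16_t secret) {
    uint32_t result = 0;
    for (uint32_t i = 0; i < SBOX_SIZE; i++) {
        uint32_t diff = i ^ secret;               /* 0 only when i == secret */
        uint32_t mask = 0u - ((diff - 1u) >> 31); /* all ones iff diff == 0  */
        result |= sbox[i] & mask;
    }
    return (uint16_t)result;
}

/* Compare both lookups on a sample of indices; returns the mismatch count. */
static int sbox_selftest(void) {
    int mismatches = 0;
    sbox_init();
    for (uint32_t x = 0; x < SBOX_SIZE; x += 257)
        mismatches += sbox_lookup_scan((uint16_t)x) != sbox_lookup_direct((uint16_t)x);
    return mismatches;
}

int main(void) {
    printf("mismatches: %d, loads per scan lookup: %u\n", sbox_selftest(), SBOX_SIZE);
    return 0;
}
```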
