[Cryptography] Gates are cheap. Should cipher design change?

dj at deadhat.com
Tue Mar 29 01:42:21 EDT 2016


>> On Mar 28, 2016, at 8:00 AM, Phillip Hallam-Baker
>> <phill at hallambaker.com> wrote:
>>
>> What would a modern cipher designed for efficient hardware
>> implementation look like? Is it just DES with more rounds and a bigger
>> block size? How about mixing up different cipher principles in one
>> cipher? So start with a Feistel, then an S-box, then...
>>
>> Another possibility to consider is what could we do if we mixed those
>> single instruction AES rounds with another cipher entirely.
>
> Look at ARX constructions. Look at Threefish (part of Skein), the design
> of BLAKE, and others. Also, as Jim said, Simon and Speck. I really
> recommend the Skein paper, because we discuss precisely this. It was
> designed to run on a 64-bit CPU that has add, rotate, and xor.
>

Indeed, look at Skein and Simon: two prime examples of HW-friendly crypto.
Simon scales from serial to highly parallel designs and is highly
unrollable.

Skein unrolls both width-wise and depth-wise, so
area/speed/performance/power tradeoffs can be easily matched to the
application.

AES, not so much. It has a large round function, a horrible number of
rounds for unrolling, and asymmetry in the key schedule and MixColumns
between encryption and decryption.

I've implemented all these things in RTL in various configurations. Skein
and Simon were the ones where the HW friendliness stood out.
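An added example, not code from this thread, of the kind of ARX construction the quoted reply points at: Speck32/64 from the Simon and Speck paper, whose round is one rotate, one add and one xor per word, and whose key schedule is that same round driven by the round counter, so one small datapath can be iterated or unrolled as the hardware budget dictates. The test vector is the one published with the cipher; Speck32/64 is the smallest parameter set, chosen here so the whole thing fits in 16-bit words.

```c
#include <stdint.h>
#define SPECK32_ROUNDS 22  /* Speck32/64: 16-bit words, 4-word key, 22 rounds */

/* 16-bit rotations: besides add and xor, the only operations Speck needs. */
static uint16_t ror16(uint16_t x, unsigned r) { return (uint16_t)((x >> r) | (x << (16 - r))); }
static uint16_t rol16(uint16_t x, unsigned r) { return (uint16_t)((x << r) | (x >> (16 - r))); }
/* One Speck32 round (alpha = 7, beta = 2): rotate-add-xor on x, rotate-xor on y. */
static void speck32_round(uint16_t *x, uint16_t *y, uint16_t k) {
    *x = (uint16_t)(ror16(*x, 7) + *y) ^ k;
    *y = rol16(*y, 2) ^ *x;
}
/* Inverse round: undo y first, then x, so decryption has the same shape as encryption. */
static void speck32_round_inv(uint16_t *x, uint16_t *y, uint16_t k) {
    *y = ror16((uint16_t)(*y ^ *x), 2);
    *x = rol16((uint16_t)((*x ^ k) - *y), 7);
}

/* Key schedule reuses the round function with the round index as the "key" input.
   key[] holds the paper's l2 l1 l0 k0 order, most significant word first. */
void speck32_expand(const uint16_t key[4], uint16_t rk[SPECK32_ROUNDS]) {
    uint16_t l[SPECK32_ROUNDS + 3], k = key[3];
    l[0] = key[2]; l[1] = key[1]; l[2] = key[0];
    for (unsigned i = 0; i < SPECK32_ROUNDS; i++) {
        uint16_t t = l[i];
        rk[i] = k;
        speck32_round(&t, &k, (uint16_t)i); /* t -> l[i+3], k -> k[i+1] */
        l[i + 3] = t;
    }
}
void speck32_encrypt(const uint16_t rk[SPECK32_ROUNDS], const uint16_t pt[2], uint16_t ct[2]) {
    uint16_t x = pt[0], y = pt[1];
    for (unsigned i = 0; i < SPECK32_ROUNDS; i++) speck32_round(&x, &y, rk[i]);
    ct[0] = x; ct[1] = y;
}
void speck32_decrypt(const uint16_t rk[SPECK32_ROUNDS], const uint16_t ct[2], uint16_t pt[2]) {
    uint16_t x = ct[0], y = ct[1];
    for (unsigned i = SPECK32_ROUNDS; i-- > 0;) speck32_round_inv(&x, &y, rk[i]);
    pt[0] = x; pt[1] = y;
}

/* Published Speck32/64 test vector plus a decrypt round trip; returns 1 on success, 0 otherwise. */
int speck32_selftest(void) {
    const uint16_t key[4] = {0x1918, 0x1110, 0x0908, 0x0100}, pt[2] = {0x6574, 0x694c};
    uint16_t rk[SPECK32_ROUNDS], ct[2], back[2];
    speck32_expand(key, rk);
    speck32_encrypt(rk, pt, ct);
    speck32_decrypt(rk, ct, back);
    return ct[0] == 0xa868 && ct[1] == 0x42f2 && back[0] == pt[0] && back[1] == pt[1];
}
```

Note how the encrypt and decrypt loops are the same loop over the same round keys with only the round body swapped, which is the symmetry the post misses in AES.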
