[Cryptography] Gates are cheap. Should cipher design change?

Phillip Hallam-Baker phill at hallambaker.com
Mon Mar 28 11:00:47 EDT 2016


Looking at the S-box discussion, I was reminded that DES was optimized
for hardware implementation. If you are doing crypto in hardware, an
S-Box is probably the most gate efficient way to do it.

There is a catch though. DES was also designed at a time when fitting
the encryptor on a chip would likely require an iterative approach in
most cases. So the 16 rounds of DES had to be essentially the same.

Today we have a very different situation. AES has found its way into
many crypto suites as a set of instructions for executing a round. And
that is to be expected in an era where one of the chief problems of CPU
design is to find a useful way to spend the available gates.

So now we have a cipher designed for efficient software implementation
being migrated into the hardware. Which sounds like a big deal except
that what is really happening is that the software has moved from
executable code to microcode.

What would a modern cipher designed for efficient hardware
implementation look like? Is it just DES with more rounds and a bigger
block size? How about mixing up different cipher principles in one
cipher? So start with a Feistel, then an S-box, then...

Another possibility to consider is what we could do if we mixed those
single-instruction AES rounds with another cipher entirely.


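The point about AES being exposed to software as "an instruction that executes a round" can be made concrete. The block below is an added illustration written for this page, not code from the post's author: a pure-Python AES-128 in which the whole cipher is one round primitive applied iteratively with a different round key each time, split exactly the way the AES-NI instructions split it (AESENC = SubBytes, ShiftRows, MixColumns, AddRoundKey; AESENCLAST = the same without MixColumns). The S-box is derived from the field inverse and affine map rather than typed in as a table. The function names aesenc/aesenclast are chosen here to mirror the instruction names; the check at the end uses the FIPS-197 Appendix C test vector.

```python
# Added example (not from the original post): AES-128 as an iterated
# single-round primitive, mirroring how AES-NI exposes AESENC/AESENCLAST.
# Pure Python, no third-party libraries.

def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


def _gf_mul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _gf_inv(x):
    """Multiplicative inverse as x^254 (square-and-multiply); inv(0) = 0 by convention."""
    if x == 0:
        return 0
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r


def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _build_sbox():
    """Derive the AES S-box: field inverse followed by the fixed affine map."""
    return [
        _gf_inv(x) ^ _rotl8(_gf_inv(x), 1) ^ _rotl8(_gf_inv(x), 2)
        ^ _rotl8(_gf_inv(x), 3) ^ _rotl8(_gf_inv(x), 4) ^ 0x63
        for x in range(256)
    ]


SBOX = _build_sbox()

# State is a 16-element list in column-major order: byte i is row i % 4, column i // 4.


def sub_bytes(state):
    return [SBOX[b] for b in state]


def shift_rows(state):
    # Row r is rotated left by r positions: new[r + 4c] = old[r + 4*((c + r) % 4)]
    return [state[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]


def mix_columns(state):
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        out += [
            _gf_mul(a[0], 2) ^ _gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ _gf_mul(a[1], 2) ^ _gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ _gf_mul(a[2], 2) ^ _gf_mul(a[3], 3),
            _gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ _gf_mul(a[3], 2),
        ]
    return out


def add_round_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]


def aesenc(state, rk):
    """One full AES round: what the AESENC instruction computes for one 128-bit state."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk)


def aesenclast(state, rk):
    """Final round without MixColumns: what AESENCLAST computes."""
    return add_round_key(shift_rows(sub_bytes(state)), rk)


RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key):
    """FIPS-197 key expansion; returns 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]            # RotWord
            t = [SBOX[b] for b in t]     # SubWord
            t[0] ^= RCON[i // 4 - 1]     # Rcon on the first byte only
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """The whole cipher is one initial key add, nine identical rounds, one last round."""
    rks = expand_key_128(key)
    state = add_round_key(list(block), rks[0])
    for r in range(1, 10):               # with AES-NI this loop body is one instruction
        state = aesenc(state, rks[r])
    return bytes(aesenclast(state, rks[10]))


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 test vector
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())
```

The loop in aes128_encrypt_block is the point: the hardware does not implement "AES", it implements one round, and the schedule of nine identical rounds plus a differently shaped last round is left to the caller. That is also why the instruction set needs two round primitives rather than one, and why experiments that mix AES rounds with other components, as the post speculates about, are mechanically easy to try on top of these primitives even though their security would need to be argued from scratch.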