[Cryptography] Gates are cheap. Should cipher design change?

james hughes hughejp at me.com
Tue Mar 29 02:06:55 EDT 2016


> On Mar 28, 2016, at 1:22 PM, Jerry Leichter <leichter at lrw.com> wrote:
> 
>>> What would a modern cipher designed for efficient hardware
>>> implementation look like? Is it just DES with more rounds and a bigger
>>> block size? How about mixing up different cipher principles in one
>>> cipher? So start with a Feistel, then an S-box, then...
>> 
>> Look at Simon and Speck
>> 	https://eprint.iacr.org/2013/404.pdf
> 
> Simon and Speck specifically deal with the question of *expensive* gates:

That’s what the authors claim, yes.

> They are for low-end, cheap devices.  Just the opposite of what the OP brought up.

That’s also what the authors claim, but both have a 128-bit block and 256-bit keys, the same parameters as the heaviest AES. There have been no papers suggesting that it is not as secure as AES. So it’s a single algorithm that can be used for trivial or serious cryptography.

> Suppose you had a budget of a million gates and wanted to design a cipher that made full use of them.  What would you do?

I would not design a new one just because I have a lot of gates. You should 1) choose an algorithm that you have confidence in being secure, 2) implement it in a way that is correct, and 3) make it fast.

I would completely unroll Simon and implement it in clockless hardware. The value of Simon is that there is no ALU or carry chain, only requiring AND, XOR and shift. A hallway conversation with a cryptographer at Galois.com said it was possible with their hardware synthesis methodology.

In addition, the original thought was about a “modern cipher”. There are three reasons I believe Simon meets this criterion. 1) Many would consider a cipher that is relatively trivial to analyze for security to be an advancement over many other ciphers. Algorithms with “expensive” gates (I read this as complicated primitives) are harder to analyze. 2) S-boxes have a significant amount of “magic” in the choice of the S-box. An algorithm with S-boxes has similarity to DES (not a modern cipher, unless 1974 was the beginning of the “modern” era). The choice of the S-boxes was the number one worry about DES, which was never proven to have or not have a flaw. 3) Another definition of modern would be newer. Simon meets all three of these criteria.

Frankly, I don’t want this to devolve into a religious argument; Simon is my current fav. We can drop it at that.
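To make the "only AND, XOR and shift" point concrete, here is Simon128/256 (the 128-bit block, 256-bit key variant the post compares to AES) written out in plain C. This is an added example, not code from the thread or from the Simon authors; the function names are mine, and the round constant, z4 sequence and test vector are taken from the published specification.

```c
/* Simon128/256: 128-bit block, 256-bit key, 72 rounds. Every operation in the
 * key schedule and round function is AND, XOR or a fixed rotation; there is
 * no addition, so an unrolled hardware datapath needs no carry chain. */
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 72
#define ROL64(x, r) (((x) << (r)) | ((x) >> (64 - (r))))
#define ROR64(x, r) (((x) >> (r)) | ((x) << (64 - (r))))

/* z4 constant sequence from the spec (period 62); index 0 is the leftmost bit */
static const char *Z4 =
    "11010001111001101011011000100000010111000011001010010011101111";

/* Key schedule for m = 4 key words; key[0] is the rightmost word as printed in the spec */
static void simon128_256_expand(const uint64_t key[4], uint64_t rk[ROUNDS]) {
    const uint64_t c = 0xfffffffffffffffcULL;  /* 2^64 - 4 */
    for (int i = 0; i < 4; i++) rk[i] = key[i];
    for (int i = 4; i < ROUNDS; i++) {
        uint64_t t = ROR64(rk[i - 1], 3) ^ rk[i - 3];
        t ^= ROR64(t, 1);
        uint64_t z = (uint64_t)(Z4[(i - 4) % 62] - '0');
        rk[i] = c ^ z ^ rk[i - 4] ^ t;
    }
}

/* Feistel round: x' = y ^ (S1(x) & S8(x)) ^ S2(x) ^ k_i, y' = x; x is the left word */
static void simon128_256_encrypt(const uint64_t key[4], const uint64_t pt[2], uint64_t ct[2]) {
    uint64_t rk[ROUNDS], x = pt[0], y = pt[1];
    simon128_256_expand(key, rk);
    for (int i = 0; i < ROUNDS; i++) {
        uint64_t t = x;
        x = y ^ (ROL64(x, 1) & ROL64(x, 8)) ^ ROL64(x, 2) ^ rk[i];
        y = t;
    }
    ct[0] = x;
    ct[1] = y;
}

/* Check the implementation against the spec's Simon128/256 test vector; 1 on match */
static int simon128_256_selftest(void) {
    const uint64_t key[4] = {0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
                             0x1716151413121110ULL, 0x1f1e1d1c1b1a1918ULL};
    const uint64_t pt[2] = {0x74206e69206d6f6fULL, 0x6d69732061207369ULL};
    uint64_t ct[2];
    simon128_256_encrypt(key, pt, ct);
    return ct[0] == 0x8d2b5579afc8a3a0ULL && ct[1] == 0x3bf72a87efe7b868ULL;
}

int main(void) {
    printf("Simon128/256 test vector: %s\n", simon128_256_selftest() ? "OK" : "MISMATCH");
    return 0;
}
```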