RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms

WenTao Zhang, ZhenZhen Bao, DongDai Lin, Vincent Rijmen, BoHan Yang, Ingrid Verbauwhede
<span title="2015-11-19">2015</span> <i title="Springer Nature"> <a target="_blank" rel="noopener" href="https://fatcat.wiki/container/ikvx2lmj7rew7jpw4lygqgjpby" style="color: black;">Science China Information Sciences</a> </i> &nbsp;
In this paper, we propose a new lightweight block cipher named RECTANGLE. The main idea of the design of RECTANGLE is to allow lightweight and fast implementations using bit-slice techniques. RECTAN-GLE uses an SP-network. The substitution layer consists of 16 4 × 4 S-boxes in parallel. The permutation layer is composed of 3 rotations. As shown in this paper, RECTANGLE offers great performance in both hardware and software environment, which provides enough flexibility for different application
more &raquo; ... scenario. The following are 3 main advantages of RECTANGLE. First, RECTANGLE is extremely hardware-friendly. For the 80-bit key version, a one-cycle-per-round parallel implementation only needs 1600 gates for a throughput of 246 Kbits/s at 100 kHz clock and an energy efficiency of 3.0 pJ/bit. Second, RECTANGLE achieves a very competitive software speed among the existing lightweight block ciphers due to its bit-slice style. Using 128-bit SSE instructions, a bit-slice implementation of RECTANGLE reaches an average encryption speed of about 3.9 cycles/byte for messages around 3000 bytes. Last but not least, we propose new design criteria for the RECTANGLE S-box. Due to our careful selection of the S-box and the asymmetric design of the permutation layer, RECTANGLE achieves a very good security-performance tradeoff. Our extensive and deep security analysis shows that the highest number of rounds that we can attack, is 18 (out of 25). et al. RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Zhang W T, et al. Sci China Inf Sci December 2015 Vol. 58 122103:2 block ciphers, play an important role in the security of small embedded devices, the design of lightweight block ciphers has been a very active research topic over the last few years. In the literature, quite a few lightweight block ciphers with various design strategies have been proposed, such as DESL/DESX/DESXL [1], Hummingbird [2], KATAN/ KTANTAN [3], KLEIN [4], LBlock [5], LED [6], PICCOLO [7], PRESENT [8], SIMON and SPECK [9], TWINE [10] and so on. PRESENT was proposed at CHES'2007, and has attracted a lot of attention from cryptographic researchers due to its simplicity, impressive hardware performance and strong security. The design of PRESENT is extremely hardware-efficient, since it uses a bit permutation as its diffusion layer, which is a simple wiring in hardware implementation. In 2012, PRESENT was adopted as ISO/IEC lightweight cryptography standard. Many lightweight ciphers, including PRESENT, KATAN/KTANTAN and Hummingbird, succeed in achieving a low area in hardware but the software performance is not good. For example, the permutation layer of PRESENT is extremely low-cost in hardware, but it is the true performance bottleneck for many software implementations. However, high software performance is also needed from the same algorithm for many classical lightweight applications, as pointed out in [4, 6, 9, 11, 12] . Among the new proposals, some present weaknesses, including ARMODILLO-2, Hummingbird-1 and KTANTAN [13] [14] [15] . Furthermore, as pointed out in [6], designers of "second generation" lightweight ciphers can learn from the progress and the omissions of the "first generation" proposals. The S-box of PRESENT is mainly selected according to its hardware area instead of security of the underlying cipher. Hence, the S-box of PRESENT is "weak" with respect to cipher security. As pointed out in [16], the PRESENT S-box is among the 8 percent worst S-boxes with respect to clustering of one bit linear trails. Along with the strong symmetry of the PRESENT permutation layer, there are very serious clustering problems both for linear trails and differential trails [16] [17] [18] [19] [20] . We give more details in Section 3. As a result, for PRESENT, the best distinguisher so far can reach 24 rounds [18] , which can be used to mount a shortcut attack on 26-round PRESENT (out of 31). The bit-slice technique was introduced for speeding up the software speed of DES [21] , and was used in the design of the Serpent block cipher [22] . In a bit-slice implementation, one software logical instruction corresponds to simultaneous execution of n hardware logical gates, where n is the length of a subblock. JH [23], Keccak (SHA-3) [24], Noekeon [25] and Trivium [26] are 4 other primitives that can benefit from the bit-slice technique for their software performance. It is worth noticing that JH, Keccak, Noekeon, Serpent and Trivium not only perform well in hardware but also in software. Furthermore, a bit-slice implementation is safe against implementation attacks such as cache and timing attacks compared with a table-based implementation [27] . However, the main design goal of all the mentioned bit-sliced ciphers is not "lightweight", and there is plenty of room for improvement when it comes to a dedicated lightweight block cipher with bit-slice style. In this paper, we present a new lightweight block cipher RECTANGLE. The design of RECTANGLE makes use of the bit-slice technique in a lightweight manner, hence to achieve not only a very low cost in hardware but also a very competitive performance in software. As a result, RECTANGLE adopts the SP-network structure. The substitution layer (S-layer) consists of 16 4 × 4 S-boxes in parallel. The permutation layer (P-layer) is composed of 3 rotations. The following are 3 main advantages of RECTANGLE: 1. RECTANGLE is extremely hardware-friendly. The bit-sliced design principle of RECTANGLE allows for very efficient and flexible hardware implementations. For the 80-bit key version, using UMC 0.13 µm standard cell library at 100 kHz, our round-based implementation could obtain a throughput of 246 Kbits/s and an energy efficiency of 3.0 pJ/bit with only 1600 gates, and our serialized implementation could obtain a throughput of 14.0 Kbits/s and an energy efficiency of 32.05 pJ/bit with only 1111 gates. More details are given in Subsection 5.1. 2. Due to its bit-slice style, RECTANGLE achieves a very competitive software speed among the existing lightweight block ciphers. On a 2.5GHz Intel(R) Core i5-2520M CPU, for one block data, our bit-slice implementation gives a speed of about 30.5 cycles/byte for encryption; with a parallel mode of operation, a bit-slice implementation of RECTANGLE reaches an average encryption speed of about 3.9 cycles/byte for messages around 3000 bytes, using Intel 128-bit SSE instructions. In addition, our Zhang W T, et al. Sci China Inf Sci
<span class="external-identifiers"> <a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.1007/s11432-015-5459-7">doi:10.1007/s11432-015-5459-7</a> <a target="_blank" rel="external noopener" href="https://fatcat.wiki/release/rni2w7bsufflhepqekyrsc557q">fatcat:rni2w7bsufflhepqekyrsc557q</a> </span>
<a target="_blank" rel="noopener" href="https://web.archive.org/web/20210801213901/https://www.sciengine.com/doi/pdf/74f48fee434c4243833da1c4ef48a830" title="fulltext PDF download" data-goatcounter-click="serp-fulltext" data-goatcounter-title="serp-fulltext"> <button class="ui simple right pointing dropdown compact black labeled icon button serp-button"> <i class="icon ia-icon"></i> Web Archive [PDF] <div class="menu fulltext-thumbnail"> <img src="https://blobs.fatcat.wiki/thumbnail/pdf/e6/16/e61657c83f17058e9318b4ccfeb642b4306d1ae0.180px.jpg" alt="fulltext thumbnail" loading="lazy"> </div> </button> </a> <a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.1007/s11432-015-5459-7"> <button class="ui left aligned compact blue labeled icon button serp-button"> <i class="external alternate icon"></i> springer.com </button> </a>