WARP : Revisiting GFN for Lightweight 128-Bit Block Cipher

Abstract

In this article, we present WARP, a lightweight 128-bit block cipher with a 128-bit key. It aims at small-footprint circuit in the field of 128-bit block ciphers, possibly for a unified encryption and decryption functionality. The overall structure of WARP is a variant of 32-nibble Type-2 Generalized Feistel Network (GFN), with a permutation over nibbles designed to optimize the security and efficiency. We conduct a thorough security analysis and report comprehensive hardware and software implementation results. Our hardware results show that WARP is the smallest 128-bit block cipher for most of typical hardware implementation strategies. A serialized circuit of WARP achieves around 800 Gate Equivalents (GEs), which is much smaller than previous state-of-the-art implementations of lightweight 128-bit ciphers (they need more than 1, 000 GEs). While our primary metric is hardware size, WARP also enjoys several other features, most notably low energy consumption. This is somewhat surprising, since GFN generally needs more rounds than substitution permutation network (SPN), and thus GFN has been considered to be less advantageous in this regard. We show a multi-round implementation of WARP is quite low-energy. Moreover, WARP also performs well on software: our SIMD implementation is quite competitive to known hardware-oriented 128-bit lightweight ciphers for long input, and even much better for small inputs due to the small number of parallel blocks. On 8-bit microcontrollers, the results of our assembly implementations show that WARP is flexible to achieve various performance characteristics.

Appendices

A Test Vector

Table 6 shows the test vectors of WARP.

Table 6. Test vectors.

B Security Evaluation

In this section, we provide the security evaluations of WARP against differential, linear, integral, impossible differential, invariant and meet-in-the-middle attacks.

1.1 B.1 Differential/Linear Attack

Differential cryptanalsis [21] and linear cryptanalsis [48] are among the most powerful techniques available for block ciphers. To evaluate the security against differential and linear attacks, we compute the lower bound for the number of differentially and linearly active S-boxes with a MILP-aided automatic search method, which was proposed by Mouha et al. [51]. We use Gurobi [41] as the solver and search for all nibble-wise truncated differential and linear characteristics.

Table 7 shows the minimum number of differentially and linearly active S-boxes for up to 19 rounds in the single-key setting, where \(AS_D\) and \(AS_L\) denote the number of differentially and linearly active S-boxes, respectively. It can be observed from Table 7 that WARP has more than 64 active S-boxes after 19 rounds. Since the maximum differential probability and absolute linear bias of the S-box of WARP are both \(2^{-2}\) and the nibble-wise full diffusion requires 10 rounds, even with a 19-round differential distinguisher, we expect that an effective key-recovery attack cannot reach up to \(19+12=31\) rounds. In a word, the full-round WARP is secure against differential and linear attacks.

Table 7. The lower bound for the number of differentially and linearly active S-boxes in the single-key setting.

1.2 B.2 Impossible Differential Attack

Generally, an impossible differential attack [20] is one of the most powerful attacks against Feistel-type ciphers. The impossible differential attack exploits a pair of input-output difference denoted by \(\varDelta _{in}\) and \(\varDelta _{out}\) such that \(\varDelta _{in}\) will never reach \(\varDelta _{out}\) after several rounds.

As mentioned in Sect. 3, WARP achieves the full diffusion after 10 rounds at both the encryption and decryption sides in nibble-wise. Based on a more detailed investigation, we found that the full diffusion requires 12 rounds at both the encryption and decryption sides in bit-wise. Hence, there should be no probability-1 bit-wise impossible differential over 24 rounds.

In order to obtain the longest impossible differential distinguisher, we utilize an impossible differential search tool based on MILP designed by Sasaki and Todo [56]. Specifically, we evaluate the search space such that the plaintext difference and ciphertext difference activate only one bit, respectively. To model the propagation of differences through the 4-bit S-box, we take into account the differential distribution table for the 4-bit S-box. Based on the method as proposed in [59], it can be modeled with the linear inequalities.

As a result, we find the following 21-round impossible differential distinguisher.

According to Boura et al.’s work [27] in ASIACRYPT 2014 and the corresponding interpretation [33] by Derbez in FSE 2016, when extending the 21-round impossible differential distinguisher for 10 rounds, the required time complexity of the key-recovery attack is almost close to a pure exhaustive key search. Therefore, we do not expect an effective key-recovery attack on up to 32 rounds of WARP by using this 21-round impossible differential distinguisher. In a word, we expect that the full-round WARP is secure against the impossible differential attack.

1.3 B.3 Integral Attack

The integral attack was first proposed by Daemen et al. [30] and it was later formalized to the integral property by Knudsen and Wagner [45]. We define the four states for a set of \(2^n\) n-bit cell: A: if \(\forall i, j\) \(i \ne j \Leftrightarrow x_i \ne x_j\), C: if \(\forall i, j\) \(i \ne j \Leftrightarrow x_i = x_j\), B: \(\bigoplus ^{2^n -1}_i x_i \), and U: Other. The integral attack was further generalized to the division property by Todo [62], which can exploit the hidden feature between A and B states.

To evaluate the nibble-based division property, we use a MILP-aided automatic search method proposed by Xiang et al. [65], which enables us to efficiently explore the propagation of the division property. Specifically, we evaluate all the cases where 1, 2, 3 nibbles out of 32 nibbles are C and the others are all \(\mathbf{A}\) in plaintexts. Thus, we need to evaluate \(2^{23.2} \left( = \left( {\begin{array}{c}32\\ 1\end{array}}\right) + \left( {\begin{array}{c}32\\ 2\end{array}}\right) + \left( {\begin{array}{c}32\\ 3\end{array}}\right) \right) \) nibble-wise patterns.

In this way, we find the following 20-round integral distinguisher.

$$\begin{aligned} (\mathbf{AAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAA}) \nonumber \\ \xrightarrow {20~\mathrm{rounds}} (\mathbf{UU UB UB UU UU UU UU UB UU UU UU UU UU UU UB UU}) \nonumber \end{aligned}$$

However, due to the high data complexity of this integral distinguisher, one can extend only 1 round to achieve a key-recovery attack and its time complexity is almost close to an exhaustive key search. One may find an integral distinguisher by using a lower data complexity, but the number of rounds will be reduced. Considering that the nibble-wise full diffusion requires 10 rounds and that a common integral distinguisher covering larger rounds always requires a higher data complexity, we expect that the full-round WARP is secure against integral attacks.

1.4 B.4 Meet-in-the Middle Attack

We evaluate the security against the meet-in-the-middle attack following the method appeared in the self-evaluation of MIDORI [3] and CRAFT [15]. The 10-round full diffusion property guarantees that any inserted key-bit non-linearly affects all branches after the 10 rounds in the forward and the backward directions, respectively. Thus, the possible number of rounds used for the partial matching (PM) [55] is estimated as 19 \(( = (10 - 1) + (10 - 1) + 1)\). The condition for the initial structure (IS) [55] is that key differential trails in the forward direction and those in the backward direction do not share active non-linear components. For WARP, since any key differential affects all 16 S-boxes after at least 10 rounds in the forward and the backward directions, there is no such differential which shares active S-box in more than 10 rounds. Thus, the number of rounds used for IS is upper bounded by 9. Assuming that the splice-and-cut technique allows an attacker to add more 3 rounds in the worst case, at most 32-round (19 + 10 + 3) MitM attack may be feasible. However, because of the iterated key insertions of \(K_0\) and \(K_1\) for every two round, we consider that it is difficult to mount a 32-round attack on WARP.

1.5 B.5 Invariant Subspace Attack

We use LFSR-based round constants in each round. Following the notions presented in [12], we first tried to find the smallest L-invariant subspace that contains all roundkey differences. Here, L denotes the transformation that describes the linear layer in WARP. Since WARP adds two key halves in an alternating fashion, the master keys repeat every other round, the set of roundkey differences in the even/odd rounds are given by

where is the 128-bit vector defined as \((0^4\,\Vert \,RC_0^r\,\Vert \,0^4\,\Vert \,RC_1^r\,\Vert \,0^{112})\). Denoting \(D=D_{even}\cup D_{odd}\), we try to find \(W_L(D)\), which denotes the smallest L-invariant subspace containing D. We found that \(W_L(D)\) is a subspace of dimension 124, which does not automatically guarantee resistance to subspace attacks. As the invariant attack applies only if there is a non-trivial invariant g for the S-box layer such that \(W_L (D) \subset LS(g)\), where LS(g) is the subspace of all linear structures of the function g. We ran Algorithm 1 of [12] on \(Z=W_L(D)\) first to see if S(Z) hits all the cosets of Z. Experimentally we found that it does indeed, leading us to conclude that g is the constant function which guarantees security against subspace attacks.

C32-Branch Permutations with 9-Round Full Diffusion [34]

Table 8 shows four equivalent classes of 32-branch permutations of \(\pi '_{0}(x)\), \(\pi '_{1}(x)\), \(\pi '_{2}(x)\), and \(\pi '_{3}(x)\) achieving 9-round full diffusion found by Derbez et al. [34].

Table 9 is a comparison of lower bounds on the number of active S-boxes for WARP and four permutations by our MILP-based Active S-boxes counting. As shown in Table 9, the number of active S-boxes of \(\pi '_{0}(x)\), \(\pi '_{1}(x)\), \(\pi '_{2}(x)\), and \(\pi '_{3}(x)\) grows much slower than WARP. Specifically, \(\pi '_{0}(x)\), \(\pi '_{1}(x)\) and \(\pi '_{2}(x)\), \(\pi '_{3}(x)\) require at least 32 and 48 rounds for achieving AS-box of \({\ge } 64\), respectively.

Table 8. Four equivalent classes of 32-branch permutations with 9-round full diffusion [34].

Table 9. Lower bounds on the number of Active S-boxes for WARP and four permutations of \(\pi '_{0}(x)\), \(\pi '_{1}(x)\), \(\pi '_{2}(x)\), and \(\pi '_{3}(x)\)

D More Details About Hardware Implementations

1.1 D.1 Bit Serial Architecture

The nibble serial architecture can be converted to a bit serial architecture, with some simple circuit-level transformations. The first is explained in Fig. 8. Any nibblewise scan flip-flop can be serialized as shown in Fig. 8, so that only one scan flip-flop per nibble is utilized. Whereas in the nibble serial architecture, the circuit can transfer one of the 2 nibble signals in one clock cycle, the same can be done over 4 cycles in the bit-serial architecture. Thus the bit-serial circuit can perform the same set of round operations in \(48\times 4=192\) cycles, in 3 sets of 64 cycle operations as in the nibble serial circuit. We save \(18\times 3=54\) scan flip-flops in the bit-serial architecture, and also 4-bit xor gates and multiplexers can be replaced with corresponding single bit gates.

Fig. 8.

Nibble to bit serial transformations

1.2 D.2 Unified Circuit for Encryption and Decryption

Implementing the functionalities of encryption and decryption (ED) on the same circuit can be beneficial in some instances. Various modes of operations like CBC, XTS, OCB and COLM [1], that use block ciphers as the underlying primitive, require access to both its encryption and decryption functionalities. Thus it is useful to have an implementation that achieves both functionalities of a block cipher with minimal overhead. There are several features in the Feistel network structure, that make it easier to construct the ED architecture. Some of them are as follows:

1. 1.

   SPN structures generally require involutive S-boxes to ensure efficient ED implementation [3, 15]. If not, they require the circuits for the forward and inverse S-box to be implemented together, which increases area [7]. However the inverse round function in Feistel networks can be described with the forward S-box only. This gives us more freedom to search for S-boxes with lightweight characteristics.

2. 2.

   Some SPN block ciphers, e.g., [15] require the decryption key to be equal to \(L\cdot K\), where L denotes the matrix that forms the linear layer of the cipher. Thus additional circuit for matrix multiplication is required. Also a multiplexer is required to filter these keys for encryption/decryption. In the architecture for WARP, this is not necessary.

3. 3.

   Let \(F_K\) denote the function that performs S-box function and the roundkey addition on the left branch. Then by slight abuse of notation we can write the round function as

   $$\begin{aligned} Y_a= P(F_K(X_a))\oplus (X_b\lll 6), Y_b=X_a \end{aligned}$$

   (1)

   where P is the function that performs the nibblewise shuffle of the left branch by moving the i-th nibble to \(\uppi [i]\). Then it is easy to see that the inverse round function is \(X_a=Y_b, X_b=( P(F_K(Y_b))\oplus (Y_a))\ggg 6\). However we do omit the left-right swap in the last round, and as a result, decryption can be computed by iterating the following round function 40 times, followed by a “swapless” final round:

   $$\begin{aligned} X_a=( P(F_K(Y_a))\oplus (Y_b))\ggg 6, X_b=Y_a. \end{aligned}$$

   (2)

   Equations (1) and (2) are similar except that in encryption, the right branch is left rotated by 6 nibbles before addition, whereas in decryption, rotation done is after xoring left and right branches, this time by 6 nibbles towards the right. Since WARP uses each half of the master key in alternate rounds for key addition, it has been designed to have odd number of rounds. This means the first and last round encryption keys are the same, which implies that the encryption and decryption uses the left and right halves of the key in the same order.

Thus the only real overhead in the ED circuit for WARP is to accommodate left and right rotation by six nibbles in different times of the decryption cycle, and arrange for round constants to be generated in the reverse direction, which only requires some strategically placed multiplexers to accommodate the timing of these operations in the decryption cycle.

In essence, one approach would be to not rotate the right branch during cycles 0 to 15, and do rotation only during cycles 31 to 47 when the xoring of right and left branches has been completed. However, this approach is slightly problematic to adopt, as cycles 31 to 47 are used to not only swap left and right branches but also to apply \(\uppi ^{-1}\) to the left branch as it is being moved to bottom rows of flip-flops. In such a situation the bottom rows cannot accommodate two different types of permutation operations at the same time.

As a result, we need to exercise some fine-grained control over the ED circuit. For decryption, we rotate the right branch by 10 nibbles left in cycles 0–15 (same as 6 nibbles right rotation), although this rotation is not required as per Eq. (2). Thus to maintain functionality, in cycles 16–31, we drive nibbles out through register 11 to do xor between left and right branches (this was done through flip-flop 17 during encryption). After xor, the incoming nibbles are driven in through flip-flop 12 (this was done through 00 during encryption). This method has the added advantage that after round 31, the flip-flops \(17-00\) already contain \(( P(F_K(Y_a))\oplus (Y_b))\ggg 6\). This allows us to have the decryption operations in cycles 32–47 exactly the same in encryption.

For completeness, we discuss two more issues. First, for decryption we choose, cycles 0 and 1 for round constant addition, as this operation has to precede the non-linear operations. To rotate left by 10 nibbles, we need to freeze rotation for 6 cycles. Like in encryption, we divide the bottom row into groups of 6, 6, 2, 2 flip-flops and do internal rotation in these for 6 cycles. To accommodate this operation we need to replace 3 normal flip-flop nibbles with scan flip-flop nibbles.

1.3 D.3 Threshold Implementations

The s-box belongs to the cubic class \(\mathcal {C}_{266}\) as per the classification in [22] and as such it can be decomposed into 2 quadratic s-boxes \(F~\circ ~ G\), where

$$\begin{aligned} G=&~[\texttt {0, f, 6, 1, 3, 8, d, e, 4, b, 2, 5, 7, c, 9, a}],\\ F=&~[\texttt {c, 3, 1, e, 8, 5, d, 0, b, 4, 6, 9, 2, f, 7, a}] \end{aligned}$$

Since a minimum of \(d+1\) shares are required to implement the 1st order threshold implementation (TI) of a degree d s-box, we can thus implement a 3 share 1st-order TI in the manner shown in [54]. The idea is to implement the TI of G and F separated by a register bank in between, which suppresses the glitches produced by the TI of G.

Fig. 9.

Sketch of the 3 share nibble serial architecture for WARP

Since the s-box has degree 3, a straightforward 4-share TI can also be implemented using a direct sharing approach. With regards to circuit architecture, the 4 share versions would only consist of 4 copies of the unshared circuit combined through a shared s-box. The 3-share circuit is slightly complicated owing to the fact that the shared G, F functions have to be executed one after the other. We implemented it in the manner shown in Fig. 9. In the unprotected circuit described earlier, the S-box layer is computed in cycles 16 to 31. And so in the shared circuit, we implement the shared function G in cycles 15 to 30 and the shared function F in cycles 16 to 31. However this creates another problem, as the entire left branch is overwritten by the output of the shared G layer before being fed back into register 20. Since the current left branch is required to serve the role of the right branch in the subsequent round, we need to invert the G layer before we proceed to the next round. This is done by implementing a shared implementation of the quadratic s-box \(G^{-1}\) between registers 20 and 21, which is operated from cycles 17 to 32.

Table 10. Comparison of performance metrics for serial implementations synthesized with STM 90 nm Standard cell library. (RB denotes round based circuit, 3s, 4s denotes circuits with 3, 4 shares respectively) *Synthesized with the UMC 180 nm process/Power at 100 KHz. **Synthesized with the IBM 130 nm process/power at 100 KHz

Table 10 shows the performance results for the 3-share and 4-share implementations of WARP. The smallest 3-share implementation stands at 1964 GE which is smaller than known implementations of SKINNY and PRESENT (although these are computed at different level of serialization).

E More Details of Software Implementations

1.1 E.1 Details of Software Implementations on 8-Bit AVR

Our implementations of WARP on 8-bit AVR are in assembly and compiled using AVR macro assembler 2.2.7 in Atmel Studio 7.0. All implementations use the LBlock-type structure (see Fig. 4). Detailed implementation choices are: 1) One-round or two-round unrolling: combining two rounds save the shuffle operation between left and right branches, trading ROM for CPU cycles; 2) One-S-box or two-S-box: combining two S-boxes can reduce times of memory accesses, trading ROM or RAM for CPU cycles; 3) Storing the LUT of the S-box in RAM or ROM. Table 11 presents the results and comparisons.

Table 11. Software performance of WARP on 8-bit AVR.

The target device is ATmega128; The scenario is encryption/decryption of 128 bytes of data in CBC mode [35]. For ROM, that consumed by the main function for initializing data and calling the enc/dec functions are subtracted. For RAM, that required for storing the data to be processed, the master key, and the initialization vector are subtracted. WARP [1R] is for the one-round-based implementation storing the LUT of two-S-box in ROM. WARP [2R] is for the two-round-unrolled implementation storing the LUT of two-S-box in RAM. Results of other ciphers are from https://www.cryptolux.org/index.php/FELICS_Block_Ciphers_Brief_Results.

1.2 E.2 Details of Software Implementations on x64 CPUs

Similar to TWINE [61], WARP can be transformed into an equivalent form, in which only half branches go through a nibble shuffle per round. Accordingly, our SIMD implementations use this equivalent form. Besides, to take advantage of the pipelined execution unit on modern CPUs, we provide additional options on parallelism besides the double-block using 256-bit registers – compute each atomic step on quadruple/octuple data blocks. Our benchmark results of WARP, together with that of SIMON and SKINNY, are reported in Fig. 10.

Fig. 10.

Software performance of WARP, SIMON and SKINNY on the same processor.