CHAM: A Family of Lightweight Block Ciphers for Resource-Constrained Devices

Abstract

In this paper, we propose a family of lightweight block ciphers CHAM that has remarkable efficiency on resource-constrained devices. The family consists of three ciphers, CHAM-64/128, CHAM-128/128, and CHAM-128/256 which are of the generalized 4-branch Feistel structure based on ARX (Addition, Rotation, XOR) operations.

In hardware implementations, CHAM requires smaller areas (73% on average) than SIMON [8] through the use of a stateless-on-the-fly key schedule which does not require updating a key state. Regarding software performance, it achieves outstanding figures on typical IoT platforms in terms of the balanced performance metrics introduced in earlier works. It shows a level of performance competitive to SPECK [8] mainly due to small memory size required for round keys. According to our cryptanalysis results, CHAM is secure against known attacks.

Appendices

A Test Vectors

Test vectors are represented in hexadecimal with the prefix ‘0x’.

B Some Details About Software Implementation

1.1 B.1 Target Platforms

Atmega128 belongs to Atmel’s AVR microcontroller family with an 8-bit RISC architecture. It has 32 general-purpose registers and 133 instructions. It is equipped with 128 KBytes of flash and 4 KBytes of RAM. MSP430F1611, a microcontroller from Texas Instruments, adopts a 16-bit RISC architecture with 16 registers (12 of them are general-purpose registers) and 51 instructions, including the emulated ones. It has 48 KBytes of flash and 10 KBytes of RAM. The ARM Cortex-M3 is a 32-bit processor core based on the ARMv7-M architecture, with 12 general-purpose registers. The core is adopted in the Atmel SAM3X8E microcontroller installed on the well-known Arduino Due development board. SAM3X8E is equipped with 512 KBytes of flash and 96 KBytes of SRAM.

1.2 B.2 Implementating Bit-Wise Rotation

In ARX design like CHAM, rotations by certain bit sizes might be costly to implement on our 8 and 16-bit platforms. Efficient implementation of rotation is crucial to both high throughput and smaller memory. With this consideration, CHAM adopts \(\text {ROL}_{8}\), which can be performed for free on AVR platform.

The MSP430 provides a byte-swapping instruction, which is equivalent to \(\text {ROL}_{8}\) for a 16-bit word. It is slightly tricky for a 32-bit word on the MSP430. Similarly to [20], \(\text {ROL}_{8}\) can be carried out in seven instructions, as in Code 1 below.⁷ The code require an additional temporary register to hold a 16-bit data.

ARMv7-M provides a powerful instruction, barrel shifter, which can rotate a 32-bit word by any bit-size. Moreover, the instruction can perform a certain kind of operation additionally after the rotation. This fact gives rise to a good performance of CHAM-128/128. However, it appears that no single instruction of ARMv7-M can perform bit-wise rotation for a 16-bit word. This explains the relatively low performance of CHAM-64/128 on ARMv7-M, as can be seen in Tables 7 and 8.

1.3 B.3 Performance Metrics

Lightweight IoT devices are usually considered to have constrained resources. This is why throughput alone does not fully describe the performance of an algorithm. A smaller code size and less RAM usage are also important factors to consider. In [9], the authors argue the same context and introduce the metric of rank as an overall performance indicator. It is defined as

$$\text {rank} = (10^6/\text {cpb}) / (\text {ROM} + 2 \times \text {RAM}),$$

where cpb refers to the cycles per byte consumed for a task, and ROM and RAM are the byte sizes of the memory of each type. By definition, the larger rank is better. Note also that RAM is considered to be twice as costly as ROM.

The FOM (figure of merit) metric, defined recently in the FELICS [27], averages performances on AVR, MSP and ARM. For each implementation i on a device d, we measure memory usages \(v^{i,d}_\mathrm{ROM}\), \(v^{i,d}_\mathrm{RAM}\), and time cost \(v^{i,d}_\mathrm{cost}\). Among all the implementations of all the ciphers, the minimums of ROM, RAM and cost are also determined (possibly each from different implementations). Denote each minimum by \(m^d_\mathrm{ROM}\), \(m^d_\mathrm{RAM}\), and \(m^d_\mathrm{cost}\). Then, the performance parameter \(p_d\) for a cipher on a device d is defined by

$$ p_d = \min _{i}\left( v^{i,d}_\mathrm{ROM} / m^d_\mathrm{ROM} + v^{i,d}_\mathrm{RAM} / m^d_\mathrm{RAM} + v^{i,d}_\mathrm{cost} / m^d_\mathrm{cost} \right) . $$

Finally, the figure of merit for a cipher is defined by the average of three \(p_d\)’s,

$$ \text {FOM} = \left( p_\mathrm{AVR} + p_\mathrm{MSP} + p_\mathrm{ARM} \right) \times \tfrac{1}{3}. $$

The definition indicates the smaller FOM is better.⁸

1.4 B.4 Usage Scenarios

A block cipher suite usually consists of three distinctive algorithms: the key schedule, encryption and decryption. However, in lightweight applications, decryption tends to lose its role due to well-designed modes of operations for block ciphers. The combined performance of the key schedule and encryption is somewhat sensitive to their usage scenarios. For an easy comparison of our cipher with the results in the literature, we adopt two scenarios: simple encryption with a fixed key and data communication with variable keys.

Fixed-key scenario: In this scenario, a cipher is used for authenticating devices. There are no key schedules or decryption steps. Round keys are fixed in the device, i.e., specifically placed in the code area. Hence, their size is added to the code size. This scenario is used in Table 6.

Communication scenario: In this scenario, a cipher is assumed to be used for data communication. It is defined as Scenario 1 in the FELICS [26]. Originally, the scenario contains encryption, decryption together with their key schedules, where 128 bytes of data are encrypted and decrypted in the CBC mode. Since encryption part is more important for lightweight application, we define one-way communication scenario by omitting the decryption part, which is used in Table 7. The scenario in its original meaning is also used in Table 8.

C Cryptanalysis Results

1.1 C.1 Tables of characteristics for (RK) Differential, Linear, and (RK) Boomerang Cryptanalysis

Tables 10, 11, and 12 show characteristics for (RK) Differential, Linear, and (RK) Boomerang Cryptanalysis, respectively.

Table 10. The best (RK) differential characteristics found. Only the input and output differences are shown. We assume that every operation is independent. The subscript \(\mathtt {x}\) indicates a hexadecimal expression.

Table 11. The best linear approximations found. We assume that every operation is independent.

Table 12. Examples of the best (RK) boomerang characteristics that we found.

1.2 C.2 Impossible Differential Cryptanalysis and Zero-Correlation Linear Cryptanalysis

Impossible differential cryptanalysis [12] uses a differential characteristic that can never occur. A zero-correlation linear approximation [7] is the counter-part of the impossible differential characteristic in the linear cryptanalysis field. Examples of the best impossible differential characteristics and zero-correlation linear approximations as found here are given in Table 13.

Table 13. Examples of the best impossible differential characteristics and zero correlation linear approximations found here.

1.3 C.3 (RK) Differential-Linear Cryptanalysis

A (RK) differential-linear approximation [14] is constructed with a short (RK) differential characteristic and a short linear approximation. A (RK) differential-linear approximation which has a correlation of \(pc^2 > 2^{-n/2}\) can be used for a (RK) differential-linear attack, where p is the probability of the differential characteristic \(\phi \) and c is the correlation of the linear approximation \(\psi \). Examples showing how to build these (RK) differential-linear approximations are given in Table 14.

Table 14. Examples showing how to build the best (RK) differential-linear approximations found here.

1.4 C.4 Integral Cryptanalysis

Integral cryptanalysis [35] uses sets of chosen plaintexts of which a part is held constant and the other part varies through all possibilities. Considering ADD-balance [30], we found the following 16-round integral characteristic for all of our ciphers.

\(\mathcal {C}\), \(\mathcal {A}\), \(\mathcal {B}^+_{\lll l}\), \(\mathcal {U}\) represent a constant word, an active word, an ADD-balanced word when rotated to the right by l bits, and an unknown word, respectively. The above 16-round distinguisher means that if the first word of a plaintext is active, which takes all w-bit values at one time, and the other words of the plaintext are constants, then the first word of the output after 16 rounds is ADD-balanced when rotated to the right by 8 bits.

The bit-based division property [49] is an improvement of the division property [48] for non S-box-based ciphers. In [46], Sun et al. improved the integral cryptanalysis result of LEA slightly by applying the bit-based division property. Based on this result and owing to the similarity between LEA and our ciphers, we expect that the bit-based division property will not seriously improve our integral cryptanalysis.

1.5 C.5 Biclique Cryptanalysis

Wang et al. [51] showed that for variants of the Feistel structure, interleaving related-key differential trails cannot construct bicliques [5]. Hence, we consider the bicliques from independent related-key differentials, as our ciphers have a variant of the type-3 generalized Feistel structure. We calculate the total complexity \(C_{full}\) for a key recovery attack with independent bicliques using the following equation,

$$\begin{aligned} C_{\textit{f}ull} = 2^{k-2d}(C_{\textit{b}iclique} + C_{\textit{p}recomp} + C_{\textit{r}ecomp}), \end{aligned}$$

where \(C_{\textit{b}iclique}\), \(C_{\textit{p}recomp}\), and \(C_{\textit{r}ecomp}\) denote the complexities for building-biclique, pre-computation, and re-computation, respectively. Note that a trivial biclique for each cipher can be derived easily from related-key differentials. The specific complexities are shown in Table 15. The re-check complexity of a false positive is omitted in the above equation because it is negligible.

Table 15. Complexity of the biclique cryptanalysis for each parameter.

1.6 C.6 Rotational Cryptanalysis

The initial version of a rotational cryptanalysis [33] can be easily defended by constant-XOR’s. However, the recently proposed rotational-XOR cryptanalysis [2] can be well-applied to ARX ciphers with constant XOR’s. So, we carefully applied the rotational-XOR cryptanalysis to our algorithm and the results are shown in the Table 16. Characteristics are initial and final \(\delta \)’s. Refer to [2] for attack conditions and the definition of \(\delta \).

Table 16. The best rotational-XOR differential characteristics found.

1.7 C.7 Other Attacks

Applying round constants keeps our ciphers secure against slide attacks [18]. An algebraic attack [24] is not effective for our ciphers due to the high nonlinearity of such a case.