Paper 2020/608

Low-latency Meets Low-area: An Improved Bit-Sliding Technique for AES, SKINNY and GIFT

Fatih Balli and Andrea Caforio and Subhadeep Banik

Abstract

The bit-sliding work of Jean et al. (CHES 2017) showed that the smallest-size circuit for SPN based blockciphers such as AES, SKINNY and, PRESENT can be achieved via bit-serial implementations. Their technique decreases the bitsize of the datapath, and it naturally leads to significant loss in latency (as well as the maximum throughput). Their designs complete a single round of the encryption in 168, 168 (for 128-bit blocks), 68 clock cycles (for 64-bit block) respectively. A follow-up work by Banik et al. (FSE 2020) introduced the swap-and-rotate technique that both eliminates this loss in latency and achieves even smaller footprint. In the paper, we extend these results on bit-serial implementations all the way to three authenticated encryption schemes from NIST LWC. Our first focus is to decrease latency and improve throughput with the use of swap-and-rotate technique. Our blockcipher implementations have the most efficient round operations in the sense that a round function of a $n$-bit blockcipher is computed in exactly $n$ clock cycles. This leads to implementations that are similar in size to the state-of-the-art, but have much lower latency (savings up to 20 percent). Though these results are promising, blockciphers themselves are not end-user primitives, as they need to used together with a mode of operation. Hence, in the second part of the paper, we use our blockciphers in bit-serial implementations for three active NIST authenticated encryption candidates: SUNDAE-GIFT, Romulus and SAEAES. We provide the smallest blockcipher-based authenticated encryption circuits known in the literature so far.