Cryptography Reference
In-Depth Information
pLayer
Just like DES, the mixing layer was chosen as a bit permutation, which
can be implemented extremely compactly in hardware. The bit permutation used in
PRESENT is given by Table 3.15. Bit
i
of
STATE
is moved to bit position
P
(
i
).
Table 3.15
The permutation layer of PRESENT
i
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
P
(
i
)
0
16
32
48
1
17
33
49
2
18
34
50
3
19
35
51
i
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
P
(
i
)
4
20
36
52
5
21
37
53
6
22
38
54
7
23
39
55
i
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
P
(
i
)
8
24
40
56
9
25
41
57
10
26
42
58
11
27
43
59
i
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
P
(
i
)
12
28
44
60
13
29
45
61
14
30
46
62
15
31
47
63
The bit permutation is quite regular and can in fact be expressed in the following
way:
P
(
i
)=
i
·
16
mod 63
,
i
∈{
0
,...,
62
}
63
,
i
= 63
.
Key Schedule
We describe in the following the key schedule for PRESENT with
an 80-bit key. Since the main applications of PRESENT are low-cost systems, this
key length is in most cases appropriate. (Details of the key schedule for PRESENT-
128 can be found in [29].) The user-supplied key is stored in a key register
K
and
is represented as
k
79
k
78
...
k
0
. At round
i
the 64-bit round key
K
i
=
κ
0
consists of the 64 leftmost bits of the current contents of register
K
. Thus at round
i
we have:
κ
63
κ
62
...
κ
0
=
k
79
k
78
...
k
16
The first subkey
K
1
is a direct copy of 64 bit of the user supplied key. For the fol-
lowing subkeys
K
2
,...,
K
32
the key register
K
=
k
79
k
78
...
k
0
is updated as follows:
1. [
k
79
k
78
...
k
1
k
0
]=[
k
18
k
17
...
k
20
k
19
]
2. [
k
79
k
78
k
77
k
76
]=
S
[
k
79
k
78
k
77
k
76
]
3. [
k
19
k
18
k
17
k
16
k
15
]=[
k
19
k
18
k
17
k
16
k
15
]
K
i
=
κ
63
κ
62
...
⊕
round
_
counter
Thus, the key schedule consists of three operations: (1) the key register is ro-
tated by 61 bit positions to the left, (2) the leftmost four bits are passed through
the PRESENT S-box, and (3) the
round_counter
value
i
is XORed with bits
k
19
k
18
k
17
k
16
k
15
of
K
, where the least significant bit of
round_counter
is on
the right. This counter is a simple integer which takes the values (00001
,
00010
,...
,
11111). Note that for the derivation of
K
2
the counter value 00001 is used; for
K
3
,
the counter value 00010; and so on.
Implementation
As a result of the aggressively hardware-optimized design of
PRESENT, its software performance is not very competitive relative to modern ci-
phers like AES. An optimized software implementation on a Pentium III CPU in
