The Present block cipher is a popular lightweight block cipher and an international standard for lightweight cryptography. The cipher is suited for hardware based implementations. It is carefully designed with chip area and power constraints in consideration. With the widespread use of IOT devices and low power electronic devices, the concern for security of data in these devices is paramount. AES is not suitable for these small devices because these devices cannot meet the computational requirements of AES.

The motivation of lightweight cryptography is to use less memory, less computing resources and less power supply without compromising the security of the resource-limited devices. Lightweight cryptographic ciphers are expected to be simple, fast and less resource demanding compared to conventional cryptography.

PRESENT is a block cipher based on a SP-network (Substitution - Permutation) and consists of 31 rounds. It encrypts 64-bit data blocks with a key length of 80 or 128 bits. The simpler architecture allows it to be flexible for constrained devices. It is used especially for applications with moderate security requirements such as in tag-based devices.

Figure 1: Overview of Present Cipher

Each round in Present cipher consists of 3 distinct functions performed in the following order:

1. addRoundKey()
The addRoundKey() function XORs the output of the previous round (the plaintext in the first round) with the round key for the current round, generated by the Key Schedule. Key scheduling is the process of generating intermediate keys from the master key. It is discussed in the next section.

For round i, round key is XORed with the data .



2. sBoxLayer()
The sBoxLayer() function divides the 64-bit data into 4-bit blocks (16 blocks) and passes them through 16 identical sBoxes. In the sBox a 4-bit block is substituted with one to one mapping from a fixed S-box to get 4-bit blocks each.

Table 1: S-box table

The S-box layer adds non-linearity in the Present cipher and provides confusion. Table 1 shows the S-box where each hexadecimal input (4-bit) has a unique hexadecimal mapping. Note that no mapping has input equal to the output and one bit difference in input never results in one bit output difference.

3. pLayer()
In the pLayer() function, the data is passed through the bit permutation where each bit is transposed to a fixed bit as shown in table 2.

Table 2: Permutation table

The substitution layer alone does not provide sufficient diffusion because 4 bits affect only 4 bits. Therefore, the cipher has the permutation layer which provides diffusion in the cipher such that the left most bit is mapped to itself, the right most bit does the same, but the remaining bits are mapped in different and distinct path or direction as in the figure 2.


Figure 2: SP Layers of Present

These layers are repeated for each of the rounds. Finally, when all 31 rounds are completed, the output is XORed with the round key for the purpose of key whitening.

Present cipher has provision for 80-bit and 128-bit cipher. Here, we shall discuss the key schedule for 80-bit Present cipher.

For each round a 64-bit round key is generated from the 80-bit master key. The 80-bit master key is stored in a key register as follows:

In every round, the round key is the leftmost 64 bits of this key register

i.e.

For the first round, we take 64 leftmost bits as the initial round key. The key register is updated in each round as follows:

i. The register is rotated by 61 bits to the left.



ii. Then, the leftmost four bits are passed through the Present S-BOX.



iii. Finally, the bits (19,18,17,16,15) are XORed with the round counter which represents the number of the current round.

Remark: The difference between 80 bits key and 128 bits key Present cipher in terms of key schedule, reside on the fact that we need two operations of S-BOX in 128 bits key instead of one S-box in the 80 bits key. The 128-bit key only increases the key space of the cipher but it needs a larger register to store the 128 bits key. The key schedule for 128-bit Present cipher is discussed in the original paper.

Encryption and decryption in Present have roughly the same physical requirements, with some basic differences regarding the structure of the algorithm.

First we have ciphertext as an input, then we proceed below steps:

InversePLayer : The inverse permutation layer. It reverses the bit permutations in the encryption.

InverseSBoxlayer : The state data is passed through an inverse S-box to reverse the S-box substitution done in the encryption.

AddRoundkey: The state bits is XORed to the round key similar to the encryption part.

At the end we get the plain text as an output. The key schedule for the decryption is the same as in the encryption.

Present cipher is built for very specific applications with moderate security requirements to be implemented in hardware. The targeted applications do not deal with large amounts of data and for some applications even the keys are fixed.

With the 80-bit keyspace and SP network base, the PRESENT algorithm is considered very secure withstanding the common differential, linear cryptanalysis attacks and other forms of attacks.

The Present cipher has been listed as ISO/IEC standard for lightweight block cipher (ISO/IEC 29192-2:2019) and ISO/IEC standard in the crypto suite of the air interface standards for radio frequency identification (RFID) devices (ISO/IEC 29167-11:2014).

It is used in low cost passive smart devices such as RFID tags, contactless smart cards which require small chip area (1570 GE for 80-bit key) and low power consumption (5 microwatts). It is also useful for active smart devices with high throughput requirements and energy constraints. Later some researchers have claimed to have a serialized implementation of Present cipher with just 1000GE to achieve even more area optimization for practical usage. The cipher has huge potential in many small IOT devices because of the flexibility it provides in gate area optimization, power consumption and throughput.

The 64-bit block cipher Present is very well suited to meet the security demands of the low cost resource limited computing devices. After its introduction in 2007, it has stood the test of time and does really well against known forms of attacks and is one of the standards for lightweight block cipher in hardware based solutions. The small gate area, low power consumption and high throughput make it a very tempting block cipher choice for any lightweight computing device.

1. A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, and C. Vikkelsoe. Present: An ultra-lightweight block cipher. In Pascal Paillier and Ingrid Verbauwhede, editors, Cryptographic Hardware and Embedded Systems - CHES 2007, pages 450–466, Berlin, Heidelberg, 2007. Springer Berlin Heidelberg.

2. Daniel Dinu, Yann Le Corre, Dmitry Khovratovich, Léo Perrin, Johann Großschädl, and Alex Biryukov. Triathlon of lightweight block ciphers for the internet of things. Cryptology ePrint Archive, Paper 2015/209, 2015.

3. ISO. Iso/iec 29192-2:2019 information security — lightweight cryptography — part 2: Block ciphers, Nov 2019.

4. Iso/iec 29167-10:2017 information technology — automatic identification and data capture techniques — part 10: Crypto suite aes-128 security services for air interface communications, Oct 2017.

5. Carsten Rolfes, Axel Poschmann, Gregor Leander, and Christof Paar. Ultra-lightweight implementations for smart devices – security for 1000 gate equivalents. In Gilles Grimaud and François-Xavier Standaert, editors, Smart Card Research and Advanced Applications, pages 89–103, Berlin, Heidelberg, 2008. Springer Berlin Heidelberg.

6. Anitha Kumari S and Dr. Mahalinga V Mandi. Implementation of present cipher on fpga for iot applications, Aug 2019.

Biplab Gautam, Fares Kechid

Disclaimer: This article is primarily based on the original PRESENT cipher paper by authors A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, and C. Vikkelso published in the International Association for Cryptologic Research.

Me and Fares had an assignment during our first semester Master’s course to present on this lightweight cipher. This article is an attempt just to describe the Present cipher in simple words. We do not take credit for any of the work by the original authors. View our report here

Want to view the implementation code: Github custom implementation