Energy-efficient cryptography: application of KATAN

Sergey Panasenko serg@panasenko.ru, www.panasenko.ru
Sergey Smagin serg@ochacovo.ru
ANCUD Ltd. www.ancud.ru


Post on 30-Mar-2015


Introduction

• Cryptographic primitives become more complex and heavyweight;
• avalanche increase in amounts of processed data;
• information technologies widely penetrate into people’s activity.

Essential increase in expenses of energy and resources for cryptographic transformations.


Introduction

But let’s answer some questions.
• Is the maximum level of security really required?
• Are all data equal in value?
• Is it always required to use modern heavy and strong cryptoprimitives?

Answer: “NO”


Introduction

Approach 1.

Lightweight cryptography: finding a compromise between low resource requirements, performance and strength of cryptographic primitives.
[A. Poschmann. Lightweight Cryptography from an Engineers Perspective (ECC 2007).]

Security system should be adequate to a value of protected data.


Introduction

Approach 2.

Recycling of cryptoprimitives: reusing existing cryptographic primitives or their elements while developing new cryptoprimitives.
[J. Troutman and V. Rijmen. Green Cryptography: Cleaner Engineering Through Recycling. 2009.]

One cryptoprimitive can be used as a base for several various cryptographic functions.


Introduction

Let’s combine:
• lightweight cryptography
and
• recycling of cryptoprimitives.

Energy-efficient cryptosystem.


KATAN block cipher

• Block size: 32 / 48 / 64 bits (KATAN32 / KATAN48 / KATAN64);
• key length: 80 bits;
• 254 rounds;
• also KTANTAN32 / KTANTAN48 / KTANTAN64 with extremely simplified key schedule.
[C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES’09.]


KATAN block cipher

[Figure: Round structure. Labels: shift register L1, shift register L2, + and ˄ operations, IR, subkey bits.]


KATAN block cipher

• Based on shift registers – easy hardware implementation;
• simple feedback functions;
• small data blocks;
• small internal state.

Extremely low resource requirements.


Recycling KATAN

[Figure: Cryptographic kernel; PRNG / Stream cipher; Block cipher; Hash function.]


Hash function

Main requirements:
• should be based on block cipher;
• hashing add-on over block cipher should be as light as possible.


Hash function

Examples of hash functions with thin hashing layer over internal block cipher among participants of the SHA-3 contest:
• Skein;
• JH;
• ECHO;
• SHAvite-3;
• CRUNCH.


Hash function

CRUNCH versions:
• main version that uses the classical Merkle-Damgård construction;
• strengthened version based on the double-pipe Merkle-Damgård construction.
[J. Patarin, L. Goubin, M. Ivascot, W. Jalby, O. Ly, V. Nachef, J. Treger, E. Volte. CRUNCH. Specification. 2008.]


Hash function

Double-pipe Merkle-Damgård construction

[Figure: chain of compression functions. Labels: IV; message blocks M_1, M_2, ..., M_N; chaining values H_1, H'_1, H_2, H'_2, ...; output H_N.]


Hash function

Compression function of the strengthened version of CRUNCH [E. Volte. CRUNCH. A SHA-3 Candidate. 2009.]

[Figure: inputs H_i, H'_i, M_i, M_i; internal block cipher 1 and internal block cipher 2; +; outputs H_{i+1}, H'_{i+1}.]


Hash function

Compression function based on KATAN64

[Figure: inputs H_i, H'_i, M'_i, M''_i; two KATAN blocks; +; outputs H_{i+1}, H'_{i+1}.]


Hash function

Note 1:

CRUNCH hash function is susceptible to the length-extension attack.
[M. Çoban, 2009 (available at http://ehash.iaik.tugraz.at).]

Finalization procedure f(H_N) or f(H_N, H'_N) required.
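Why the finalization matters, as an added example that is not from the slides: a Merkle-Damgård hash whose digest is the raw chaining value can be continued from that digest, while one that outputs f(H_N, H'_N) cannot. The compression function and f here are SHA-256-based stand-ins (not the KATAN64-based design), a single 128-bit value stands for the pair (H, H'), and all names and the padding layout are assumptions.

```python
import hashlib

BLOCK = 8          # bytes per message block (assumption for this sketch)
IV = bytes(16)     # one 128-bit chaining value stands for the pair (H, H')

def compress(h: bytes, m: bytes) -> bytes:
    """Stand-in compression function, NOT the KATAN64-based one on the slides."""
    return hashlib.sha256(b"C" + h + m).digest()[:16]

def finalize(h: bytes) -> bytes:
    """Stand-in finalization f(H_N, H'_N): one-way and distinct from compress()."""
    return hashlib.sha256(b"F" + h).digest()[:16]

def pad(msg_len: int) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit message length."""
    zeros = -(msg_len + 9) % BLOCK
    return b"\x80" + bytes(zeros) + msg_len.to_bytes(8, "big")

def absorb(state: bytes, data: bytes) -> bytes:
    """Run the chain over block-aligned data, starting from `state`."""
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def md_hash(msg: bytes, finalized: bool) -> bytes:
    state = absorb(IV, msg + pad(len(msg)))
    return finalize(state) if finalized else state

def digest_is_resumable(finalized: bool) -> bool:
    """True if a published digest works as a chaining value, i.e. the hash of
    msg || pad || suffix can be computed from the digest and len(msg) alone."""
    msg = b"constructed sample message"      # constructed test input
    suffix = b"appended"
    digest = md_hash(msg, finalized)
    glued_len = len(msg) + len(pad(len(msg))) + len(suffix)
    state = absorb(digest, suffix + pad(glued_len))   # uses only digest and length
    guess = finalize(state) if finalized else state
    real = md_hash(msg + pad(len(msg)) + suffix, finalized)
    return guess == real

if __name__ == "__main__":
    print("raw chaining value as digest:", digest_is_resumable(False))
    print("with finalization f:        ", digest_is_resumable(True))
```

A check like `digest_is_resumable` can serve as a regression test when the parameters of a hash template are being fixed.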


Hash function

Note 2:

Ways to use KATAN’s secret key in the hash function:
• for keyed hashing where the internal key can be used instead of schemes with an external key;
• as an additional parameter for hashing (salt);
• can be constant if no salt or keyed hash required;
• as an alternative pipe for chaining variables.


PRNG & stream cipher

• PRNG & stream cipher add-ons over the cryptographic kernel should be as lightweight as possible;
• block cipher modes of operation can be used (e. g. recommended by NIST [NIST Special Publication 800-38A. Recommendation for Block Cipher Modes of Operation. Methods and Techniques. National Institute of Standards and Technology, U. S. Department of Commerce. 2001.])


PRNG & stream cipher

Let’s consider the counter (CTR) mode:
• extremely simple:

O_i = E_K(Ctr_i)
C_i = P_i XOR O_i

• can be used directly as a pseudo random numbers generator.

CTR is an “energy-efficient mode”.


PRNG & stream cipher

CTR advantages:
• encryption and decryption procedures in the CTR mode are equivalent;
• it is not necessary to pad processed data to be a multiple of the block size;
• all data blocks are independent – random access to data is easy;
• the encrypting sequence can be precalculated.


PRNG & stream cipher

Limitations (K – Ctr_i pairs must be unique) [H. Lipmaa, P. Rogaway, D. Wagner. Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption. 2000.]

                          KATAN32   KATAN48   KATAN64
Maximum number of blocks  2^16      2^24      2^32
Maximum number of bytes   2^18      2^26.5    2^35
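The CTR properties and limits from the last three slides, as an added example that is not from the slides: one routine that encrypts and decrypts without padding, allows random access, refuses to run past the 2^(n/2) per-key block limit, and shows what a repeated K – Ctr_i pair reveals. E_K is a SHA-256-based stand-in (not KATAN); the function names, counter encoding and sample data are assumptions.

```python
import hashlib

def standin_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K, NOT KATAN: SHA-256 truncated to the block size.
    CTR mode only ever uses the forward direction of the cipher."""
    return hashlib.sha256(key + block).digest()[:len(block)]

def max_blocks(block_bits: int) -> int:
    """Per-key limit from the slide: 2^(n/2) blocks for an n-bit block."""
    return 1 << (block_bits // 2)

def max_bytes(block_bits: int) -> int:
    return max_blocks(block_bits) * (block_bits // 8)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xor(key: bytes, data: bytes, block_bits: int, first_ctr: int = 0) -> bytes:
    """O_i = E_K(Ctr_i), C_i = P_i XOR O_i. One routine encrypts and decrypts."""
    nbytes = block_bits // 8
    nblocks = -(-len(data) // nbytes)          # ceiling division
    if first_ctr + nblocks > max_blocks(block_bits):
        raise ValueError("counter range exceeds the per-key limit: change the key")
    out = bytearray()
    for i in range(nblocks):
        o_i = standin_encrypt(key, (first_ctr + i).to_bytes(nbytes, "big"))
        # zip() stops at the shorter input, so a short final block needs no padding
        out += xor(data[i * nbytes:(i + 1) * nbytes], o_i)
    return bytes(out)

# Constructed sample values (80-bit key, the KATAN key length).
KEY = bytes(range(10))
P1 = b"meter reading 0421 kWh"
P2 = b"meter reading 0007 kWh"

def demo() -> dict:
    c1 = ctr_xor(KEY, P1, 32)
    c2 = ctr_xor(KEY, P2, 32)                   # WRONG: same K and same counters
    c2_ok = ctr_xor(KEY, P2, 32, first_ctr=6)   # counters continue after P1's 6 blocks
    return {
        "roundtrip": ctr_xor(KEY, c1, 32) == P1,
        "random_access": ctr_xor(KEY, c1[8:12], 32, first_ctr=2) == P1[8:12],
        "reuse_leaks_xor": xor(c1, c2) == xor(P1, P2),
        "fresh_ctr_hides_xor": xor(c1, c2_ok) != xor(P1, P2),
    }

if __name__ == "__main__":
    print(demo(), [max_bytes(n) for n in (32, 48, 64)])
```

With a 32-bit block the limit is only 2^18 bytes per key, so the range check is reached quickly in practice and key changes have to be part of the design.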


PRNG & stream cipher

Limitations for KATAN-based PRNG [NIST Special Publication 800-90. Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised). 2007.]

                                 KATAN32   KATAN48   KATAN64
Seed length, bits                112       128       144
Max. number of bits per request  2^9       2^11      2^13
Reseed interval, bits            2^12      2^18      2^24


Future work

• Specifying the parameters of proposed hash function template;
• hardware simulation;
• cryptanalysis of the resulting hash function;
• its benchmarking.


Conclusion

The number of additional gate equivalents (GE) for the hash function and the PRNG / stream cipher can be estimated as 800–1000, i.e. no more than 2000–2200 with KATAN itself.
[C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES’09.]

Comparable to most of the well-known lightweight block ciphers.


Thank you!

Sergey Panasenko serg@panasenko.ru, www.panasenko.ru
Sergey Smagin serg@ochacovo.ru
ANCUD Ltd. www.ancud.ru