Presentation is loading. Please wait.

Presentation is loading. Please wait.

Energy-efficient cryptography: application of KATAN Sergey Sergey ANCUD Ltd.www.ancud.ru.

Similar presentations


Presentation on theme: "Energy-efficient cryptography: application of KATAN Sergey Sergey ANCUD Ltd.www.ancud.ru."— Presentation transcript:

1 Energy-efficient cryptography: application of KATAN Sergey Sergey ANCUD Ltd.www.ancud.ru

2 Introduction Cryptographic primitives become more complex and heavyweight; Cryptographic primitives become more complex and heavyweight; avalanche increase in amounts of processed data; avalanche increase in amounts of processed data; information technologies widely penetrate into peoples activity. information technologies widely penetrate into peoples activity. Essential increase in expenses of energy and resources for cryptographic transformations. 2

3 Introduction But lets answer some questions. Is the maximum level of security really required? Is the maximum level of security really required? Are all data equal in value? Are all data equal in value? Is it always required to use modern heavy and strong cryptoprimitives? Is it always required to use modern heavy and strong cryptoprimitives? Answer: NO 3

4 Introduction Approach 1. Lightweight cryptography: finding a compromise between low resource requirements, performance and strength of cryptographic primitives. [A. Poschmann. Lightweight Cryptography from an Engineers Perspective (ECC 2007).] Security system should be adequate to a value of protected data. 4

5 Introduction Approach 2. Recycling of cryptoprimitives: reusing existing cryptographic primitives or their elements while developing new cryptoprimitives. [J. Troutman and V. Rijmen. Green Cryptography: Cleaner Engineering Through Recycling ] One cryptoprimitive can be used as a base for several various cryptographic functions. 5

6 Introduction Lets combine: lightweight cryptography lightweight cryptographyand recycling of cryptoprimitives. recycling of cryptoprimitives. Energy-efficient cryptosystem. 6

7 KATAN block cipher Block size: 32 / 48 / 64 bits (KATAN32 / KATAN48 / KATAN64); Block size: 32 / 48 / 64 bits (KATAN32 / KATAN48 / KATAN64); key length: 80 bits; key length: 80 bits; 254 rounds; 254 rounds; also KTANTAN32 / KTANTAN48 / KTANTAN64 with extremely simplified key schedule. also KTANTAN32 / KTANTAN48 / KTANTAN64 with extremely simplified key schedule. [C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES09.] 7

8 KATAN block cipher Round structure 8

9 KATAN block cipher Based on shift registers – easy hardware implementation; Based on shift registers – easy hardware implementation; simple feedback functions; simple feedback functions; small data blocks; small data blocks; small internal state. small internal state. Extremely low resource requirements. 9

10 Recycling KATAN 10

11 Hash function Main requirements: should be based on block cipher; should be based on block cipher; hashing add-on over block cipher should be as light as possible. hashing add-on over block cipher should be as light as possible. 11

12 Hash function Examples of hash functions with thin hashing layer over internal block cipher among participants of the SHA-3 contest: Skein; Skein; JH; JH; ECHO; ECHO; SHAvite-3; SHAvite-3; CRUNCH. CRUNCH. 12

13 Hash function CRUNCH versions: main version that uses the classical Merkle- Damgård construction; main version that uses the classical Merkle- Damgård construction; strengthened version based on the double-pipe Merkle-Damgård construction. strengthened version based on the double-pipe Merkle-Damgård construction. [J. Patarin, L. Goubin, M. Ivascot, W. Jalby, O. Ly, V. Nachef, J. Treger, E. Volte. CRUNCH. Specification ] 13

14 Hash function Double-pipe Merkle-Damgård construction 14

15 Hash function Compression function of the strengthened version of CRUNCH [E. Volte. CRUNCH. A SHA-3 Candidate ] 15

16 Hash function Compression function based on KATAN64 16

17 Hash function Note 1: CRUNCH hash function is susceptible to the length- extension attack. [M. Çoban, 2009 (available at Finalization procedure f(H N ) or f(H N, H N ) required. 17

18 Hash function Note 2: Ways to use KATANs secret key in the hash function: for keyed hashing where the internal key can be used instead of schemes with an external key; for keyed hashing where the internal key can be used instead of schemes with an external key; as an additional parameter for hashing (salt); as an additional parameter for hashing (salt); can be constant if no salt or keyed hash required; can be constant if no salt or keyed hash required; as an alternative pipe for chaining variables. as an alternative pipe for chaining variables. 18

19 PRNG & stream cipher PRNG & stream cipher add-ons over the cryptographic kernel should be as lightweight as possible; PRNG & stream cipher add-ons over the cryptographic kernel should be as lightweight as possible; block cipher modes of operation can be used (e. g. recommended by NIST [NIST Special Publication A. Recommendation for Block Cipher Modes of Operation. Methods and Techniques. National Institute of Standards and Technology, U. S. Department of Commerce ] ) block cipher modes of operation can be used (e. g. recommended by NIST [NIST Special Publication A. Recommendation for Block Cipher Modes of Operation. Methods and Techniques. National Institute of Standards and Technology, U. S. Department of Commerce ] ) 19

20 PRNG & stream cipher Lets consider the counter (CTR) mode: extremely simple: extremely simple: O i = E K (Ctr i ) C i = P i XOR O i can be used directly as a pseudo random numbers generator. can be used directly as a pseudo random numbers generator. CTR is an energy-efficient mode. 20

21 PRNG & stream cipher CTR advantages: encryption and decryption procedures in the CTR mode are equivalent; encryption and decryption procedures in the CTR mode are equivalent; it is not necessary to pad processed data to be a multiple of the block size; it is not necessary to pad processed data to be a multiple of the block size; all data blocks are independent – random access to data is easy; all data blocks are independent – random access to data is easy; the encrypting sequence can be precalculated. the encrypting sequence can be precalculated. 21

22 PRNG & stream cipher Limitations (K – Ctr i pairs must be unique) [H. Lipmaa, P. Rogaway, D. Wagner. Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption ] KATAN32KATAN48KATAN64 Maximum number of blocks Maximum number of bytes

23 PRNG & stream cipher Limitations for KATAN-based PRNG [NIST Special Publication Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised) ] KATAN32KATAN48KATAN64 Seed length, bits Max. number of bits per request Reseed interval, bits

24 Future work Specifying the parameters of proposed hash function template; Specifying the parameters of proposed hash function template; hardware simulation; hardware simulation; cryptanalysis of the resulting hash function; cryptanalysis of the resulting hash function; its benchmarking. its benchmarking. 24

25 Conclusion Number of additional GE for hash function & PRNG / stream cipher can be estimated as 800–1000. I.e. no more than with KATAN itself. [C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES09.] Comparable to most of well-known lightweight block ciphers. 25

26 Thank you! Sergey Sergey ANCUD Ltd.www.ancud.ru


Download ppt "Energy-efficient cryptography: application of KATAN Sergey Sergey ANCUD Ltd.www.ancud.ru."

Similar presentations


Ads by Google