Energy-efficient cryptography: application of KATAN


1 Energy-efficient cryptography: application of KATAN
Sergey Panasenko, serg@panasenko.ru, www.panasenko.ru
Sergey Smagin, serg@ochacovo.ru
ANCUD Ltd., www.ancud.ru

2 Introduction
- Cryptographic primitives become more complex and heavyweight;
- avalanche increase in amounts of processed data;
- information technologies widely penetrate into people's activity.

Essential increase in expenses of energy and resources for cryptographic transformations.

3 Introduction
But let's answer some questions.
- Is the maximum level of security really required?
- Are all data equal in value?
- Is it always required to use modern heavy and strong cryptoprimitives?

Answer: NO

4 Introduction
Approach 1. Lightweight cryptography: finding a compromise between low resource requirements, performance and strength of cryptographic primitives. [A. Poschmann. Lightweight Cryptography from an Engineer's Perspective (ECC 2007).]

A security system should be adequate to the value of the protected data.

5 Introduction
Approach 2. Recycling of cryptoprimitives: reusing existing cryptographic primitives or their elements while developing new cryptoprimitives. [J. Troutman and V. Rijmen. Green Cryptography: Cleaner Engineering Through Recycling. 2009.]

One cryptoprimitive can be used as a base for several various cryptographic functions.

6 Introduction
Let's combine:
- lightweight cryptography
and
- recycling of cryptoprimitives.

Energy-efficient cryptosystem.

7 KATAN block cipher
- Block size: 32 / 48 / 64 bits (KATAN32 / KATAN48 / KATAN64);
- key length: 80 bits;
- 254 rounds;
- also KTANTAN32 / KTANTAN48 / KTANTAN64 with extremely simplified key schedule.

[C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES'09.]

8 KATAN block cipher
Round structure

9 KATAN block cipher
- Based on shift registers – easy hardware implementation;
- simple feedback functions;
- small data blocks;
- small internal state.

Extremely low resource requirements.

10 Recycling KATAN

11 Hash function
Main requirements:
- should be based on block cipher;
- hashing add-on over block cipher should be as light as possible.

12 Hash function
Examples of hash functions with thin hashing layer over internal block cipher among participants of the SHA-3 contest:
- Skein;
- JH;
- ECHO;
- SHAvite-3;
- CRUNCH.

13 Hash function
CRUNCH versions:
- main version that uses the classical Merkle-Damgård construction;
- strengthened version based on the double-pipe Merkle-Damgård construction.

[J. Patarin, L. Goubin, M. Ivascot, W. Jalby, O. Ly, V. Nachef, J. Treger, E. Volte. CRUNCH. Specification. 2008.]

14 Hash function
Double-pipe Merkle-Damgård construction

15 Hash function
Compression function of the strengthened version of CRUNCH [E. Volte. CRUNCH. A SHA-3 Candidate. 2009.]

16 Hash function
Compression function based on KATAN64

17 Hash function
Note 1: CRUNCH hash function is susceptible to the length-extension attack. [M. Çoban, 2009 (available at http://ehash.iaik.tugraz.at).]

Finalization procedure $f(H_N)$ or $f(H_N, H_N)$ required.
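Why Note 1 asks for a finalization step, as an added example that is not part of the original presentation: when the digest is the last chaining value $H_N$, the iteration can be resumed from it, and a finalization $f(H_N)$ removes that property. The compression function, the padding layout and `finalize` are constructed stand-ins (truncated SHA-256), not CRUNCH or KATAN64.

```python
import hashlib

BLOCK = 8           # bytes per message block (constructed toy parameter)
IV = b"\x00" * 8    # constructed initial chaining value

def compress(h, m):
    """Stand-in 64-bit compression function (truncated SHA-256).
    Not CRUNCH and not KATAN64."""
    return hashlib.sha256(h + m).digest()[:8]

def md_pad(length):
    """Merkle-Damgård padding: 0x80, zero bytes, 8-byte message length."""
    zeros = (-(length + 9)) % BLOCK
    return b"\x80" + b"\x00" * zeros + length.to_bytes(8, "big")

def iterate(h, data):
    """Run the chaining variable over block-aligned data."""
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h

def md_hash(msg):
    """Plain construction: the digest is the last chaining value H_N."""
    return iterate(IV, msg + md_pad(len(msg)))

def finalize(h):
    """Assumed f(H_N): domain-separated (9-byte input, never produced by
    compress), so f(H_N) is not a chaining value to resume from."""
    return hashlib.sha256(b"\xff" + h).digest()[:8]

def md_hash_final(msg):
    """Same iteration, but the published digest is f(H_N)."""
    return finalize(md_hash(msg))

def resume_from_digest(digest, orig_len, suffix):
    """Continue the iteration from a published digest, knowing only len(msg).
    Returns the padding that sits between msg and suffix, and the digest
    this predicts for msg + glue + suffix."""
    glue = md_pad(orig_len)
    total = orig_len + len(glue) + len(suffix)
    return glue, iterate(digest, suffix + md_pad(total))

def digest_is_resumable(hash_fn, post=lambda h: h):
    """True if hash_fn's output lets a third party predict a longer digest."""
    msg, suffix = b"constructed sample message", b"appended"
    glue, predicted = resume_from_digest(hash_fn(msg), len(msg), suffix)
    return post(predicted) == hash_fn(msg + glue + suffix)
```

`digest_is_resumable(md_hash)` holds for the plain construction, while `digest_is_resumable(md_hash_final, post=finalize)` does not.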

18 Hash function
Note 2: Ways to use KATAN's secret key in the hash function:
- for keyed hashing where the internal key can be used instead of schemes with an external key;
- as an additional parameter for hashing (salt);
- can be constant if no salt or keyed hash required;
- as an alternative pipe for chaining variables.

19 PRNG & stream cipher
- PRNG & stream cipher add-ons over the cryptographic kernel should be as lightweight as possible;
- block cipher modes of operation can be used (e.g. recommended by NIST [NIST Special Publication 800-38A. Recommendation for Block Cipher Modes of Operation. Methods and Techniques. National Institute of Standards and Technology, U. S. Department of Commerce. 2001.])

20 PRNG & stream cipher
Let's consider the counter (CTR) mode:
- extremely simple: $O_i = E_K(\mathrm{Ctr}_i)$, $C_i = P_i \oplus O_i$;
- can be used directly as a pseudo-random number generator.

CTR is an energy-efficient mode.

21 PRNG & stream cipher
CTR advantages:
- encryption and decryption procedures in the CTR mode are equivalent;
- it is not necessary to pad processed data to be a multiple of the block size;
- all data blocks are independent – random access to data is easy;
- the encrypting sequence can be precalculated.

22 PRNG & stream cipher
Limitations (pairs $K$ – $\mathrm{Ctr}_i$ must be unique) [H. Lipmaa, P. Rogaway, D. Wagner. Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption. 2000.]

| | KATAN32 | KATAN48 | KATAN64 |
|---|---|---|---|
| Maximum number of blocks | $2^{16}$ | $2^{24}$ | $2^{32}$ |
| Maximum number of bytes | $2^{18}$ | $2^{26.5}$ | $2^{35}$ |
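The CTR construction from slides 20–22 with the per-key block limits enforced, as an added example that is not part of the original presentation. `toy_encrypt_block` is a constructed stand-in for $E_K$ (truncated SHA-256), not KATAN; the class and function names are illustrative.

```python
import hashlib

# Per-key block budget from the table above: 2^(n/2) blocks for an n-bit block.
MAX_BLOCKS = {32: 2**16, 48: 2**24, 64: 2**32}

def max_bytes(n_bits):
    """Byte budget per key: block budget times block size in bytes."""
    return MAX_BLOCKS[n_bits] * (n_bits // 8)

def toy_encrypt_block(key, ctr, n_bits):
    """Stand-in for E_K (truncated SHA-256), NOT KATAN. CTR only calls the
    forward direction, so a keyed function is enough for the demonstration."""
    bs = n_bits // 8
    return hashlib.sha256(key + ctr.to_bytes(bs, "big")).digest()[:bs]

class CtrStream:
    """O_i = E_K(Ctr_i); C_i = P_i XOR O_i. Refuses to exceed the block budget.
    The budget is per key: a caller that reuses a key across objects must
    also keep the counter ranges disjoint."""

    def __init__(self, key, n_bits=32, start=0):
        self.key, self.n_bits, self.ctr, self.used = key, n_bits, start, 0

    def keystream(self, n_bytes):
        """Also usable directly as pseudo-random output (slide 20)."""
        out = bytearray()
        while len(out) < n_bytes:
            if self.used >= MAX_BLOCKS[self.n_bits]:
                raise RuntimeError("per-key block budget exhausted: rekey")
            ctr = self.ctr % (1 << self.n_bits)
            out += toy_encrypt_block(self.key, ctr, self.n_bits)
            self.ctr += 1
            self.used += 1
        return bytes(out[:n_bytes])  # truncate the last block: no padding

    def xor(self, data):
        """Encrypts or decrypts: the two operations are identical in CTR."""
        return bytes(a ^ b for a, b in zip(data, self.keystream(len(data))))

if __name__ == "__main__":
    key = bytes(range(10))                    # constructed 80-bit key
    ct = CtrStream(key).xor(b"hello")         # 5 bytes in, 5 bytes out
    print(ct.hex(), CtrStream(key).xor(ct))   # decrypts with the same call
    print(max_bytes(32), max_bytes(64))       # 2^18 and 2^35 bytes
```

Starting a second stream at the same counter under the same key makes the XOR of the two ciphertexts equal the XOR of the two plaintexts, which is why the $K$ – $\mathrm{Ctr}_i$ pairs must be unique.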

23 PRNG & stream cipher
Limitations for KATAN-based PRNG [NIST Special Publication 800-90. Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised). 2007.]

| | KATAN32 | KATAN48 | KATAN64 |
|---|---|---|---|
| Seed length, bits | 112 | 128 | 144 |
| Max. number of bits per request | $2^{9}$ | $2^{11}$ | $2^{13}$ |
| Reseed interval, bits | $2^{12}$ | $2^{18}$ | $2^{24}$ |

24 Future work
- Specifying the parameters of proposed hash function template;
- hardware simulation;
- cryptanalysis of the resulting hash function;
- its benchmarking.

25 Conclusion
Number of additional GE for hash function & PRNG / stream cipher can be estimated as 800–1000. I.e. no more than 2000–2200 with KATAN itself. [C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES'09.]

Comparable to most of well-known lightweight block ciphers.

26 Thank you!
Sergey Panasenko, serg@panasenko.ru, www.panasenko.ru
Sergey Smagin, serg@ochacovo.ru
ANCUD Ltd., www.ancud.ru

