Energy-efficient cryptography: application of KATAN
Sergey Panasenko, serg@panasenko.ru, www.panasenko.ru
Sergey Smagin, serg@ochacovo.ru
ANCUD Ltd., www.ancud.ru
Introduction

Cryptographic primitives are becoming more complex and heavyweight; the amount of processed data is growing like an avalanche; information technologies penetrate widely into people’s activities. The result is a substantial increase in the energy and resources spent on cryptographic transformations.

But let’s answer some questions.
• Is the maximum level of security really required?
• Are all data equal in value?
• Is it always necessary to use modern, heavy and strong cryptoprimitives?
Answer: “NO”

Approach 1. Lightweight cryptography: finding a compromise between low resource requirements, performance and strength of cryptographic primitives. [A. Poschmann. Lightweight Cryptography from an Engineers Perspective (ECC 2007).] A security system should be adequate to the value of the protected data.

Approach 2. Recycling of cryptoprimitives: reusing existing cryptographic primitives or their elements when developing new cryptoprimitives. [J. Troutman and V. Rijmen. Green Cryptography: Cleaner Engineering Through Recycling. 2009.] One cryptoprimitive can serve as the base for several different cryptographic functions.

Let’s combine:
• lightweight cryptography and
• recycling of cryptoprimitives.
The result is an energy-efficient cryptosystem.
KATAN block cipher

• Block size: 32 / 48 / 64 bits (KATAN32 / KATAN48 / KATAN64);
• key length: 80 bits;
• 254 rounds;
• also KTANTAN32 / KTANTAN48 / KTANTAN64 with an extremely simplified key schedule.
[C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES’09.]

[Figure: round structure]

Based on shift registers – easy hardware implementation; simple feedback functions; small data blocks; small internal state. Extremely low resource requirements.
Hash function

Main requirements:
• should be based on a block cipher;
• the hashing add-on over the block cipher should be as light as possible.

Examples of hash functions with a thin hashing layer over an internal block cipher among participants of the SHA-3 contest:
• Skein;
• JH;
• ECHO;
• SHAvite-3;
• CRUNCH.

CRUNCH versions:
• main version that uses the classical Merkle-Damgård construction;
• strengthened version based on the double-pipe Merkle-Damgård construction.
[J. Patarin, L. Goubin, M. Ivascot, W. Jalby, O. Ly, V. Nachef, J. Treger, E. Volte. CRUNCH. Specification. 2008.]

[Figure: double-pipe Merkle-Damgård construction]

[Figure: compression function of the strengthened version of CRUNCH] [E. Volte. CRUNCH. A SHA-3 Candidate. 2009.]

[Figure: compression function based on KATAN64]

Note 1: The CRUNCH hash function is susceptible to the length-extension attack. [M. Çoban, 2009 (available at http://ehash.iaik.tugraz.at).] A finalization procedure $f(H_N)$ or $f(H_N, H'_N)$ is required.

Note 2: Ways to use KATAN’s secret key in the hash function:
• for keyed hashing, where the internal key can be used instead of schemes with an external key;
• as an additional parameter for hashing (salt);
• can be constant if no salt or keyed hash is required;
• as an alternative pipe for chaining variables.
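Why Note 1 asks for a finalization step, as an added example that is not from the original slides: a single-pipe Merkle-Damgård hash whose digest is the raw chaining value $H_N$ lets anyone resume the chain from the digest, while outputting $f(H_N)$ does not. The compression function, `finalize`, the IV, the 8-byte block size and the sample inputs are constructed stand-ins (assumptions), not CRUNCH or the KATAN64-based function.

```python
import hashlib
import struct

BLOCK = 8          # message block size in bytes (constructed parameter)
IV = bytes(8)      # constructed 64-bit initial chaining value

def compress(h: bytes, m: bytes) -> bytes:
    """Stand-in 64-bit compression function (truncated SHA-256).
    NOT the CRUNCH or KATAN64-based function from the slides."""
    return hashlib.sha256(b"c" + h + m).digest()[:8]

def finalize(h: bytes) -> bytes:
    """Stand-in finalization f(H_N): one-way and distinct from compress()."""
    return hashlib.sha256(b"f" + h).digest()[:8]

def md_pad(msg_len: int) -> bytes:
    """Merkle-Damgård strengthening: 0x80, zero fill, 64-bit message length."""
    return b"\x80" + bytes(-(msg_len + 9) % BLOCK) + struct.pack(">Q", msg_len)

def chain(h: bytes, data: bytes) -> bytes:
    """Iterate the compression function over whole blocks of data."""
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h

def hash_plain(msg: bytes) -> bytes:
    """Digest is the raw last chaining value H_N."""
    return chain(IV, msg + md_pad(len(msg)))

def hash_finalized(msg: bytes) -> bytes:
    """Digest is f(H_N); H_N itself never leaves the function."""
    return finalize(chain(IV, msg + md_pad(len(msg))))

def digest_resumes_chain(hash_fn, post=lambda h: h) -> bool:
    """True if hash_fn(m) alone suffices to compute the hash of m || pad || suffix."""
    m = b"unknown-prefix|record-0001"          # constructed input
    suffix = b"|appended"                      # constructed input
    longer = m + md_pad(len(m)) + suffix
    resumed = post(chain(hash_fn(m), suffix + md_pad(len(longer))))
    return resumed == hash_fn(longer)
```

`digest_resumes_chain(hash_plain)` holds, which is the property that breaks secret-prefix keyed hashing; `digest_resumes_chain(hash_finalized, finalize)` does not.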
PRNG & stream cipher

The PRNG and stream cipher add-ons over the cryptographic kernel should be as lightweight as possible; block cipher modes of operation can be used (e.g. those recommended by NIST [NIST Special Publication 800-38A. Recommendation for Block Cipher Modes of Operation. Methods and Techniques. National Institute of Standards and Technology, U. S. Department of Commerce. 2001.]).

Let’s consider the counter (CTR) mode:
• extremely simple: $O_i = E_K(\mathrm{Ctr}_i)$, $C_i = P_i \oplus O_i$;
• can be used directly as a pseudorandom number generator.
CTR is an “energy-efficient mode”.

CTR advantages:
• encryption and decryption procedures in the CTR mode are equivalent;
• it is not necessary to pad processed data to a multiple of the block size;
• all data blocks are independent – random access to data is easy;
• the encrypting sequence can be precalculated.

Limitations: ($K$, $\mathrm{Ctr}_i$) pairs must be unique. [H. Lipmaa, P. Rogaway, D. Wagner. Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption. 2000.]

Limitations for KATAN-based PRNG [NIST Special Publication 800-90. Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised). 2007.]
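The CTR properties and the uniqueness limitation above, as an added example that is not from the original slides. `E` is a constructed stand-in permutation with KATAN's block sizes (an assumption; it is not KATAN), and the key, plaintexts and class name are likewise constructed.

```python
import hashlib
import hmac

def E(key: bytes, block: int, n_bits: int) -> int:
    """Stand-in n-bit block cipher E_K (4-round Feistel over HMAC-SHA256).
    NOT KATAN: a placeholder that only shares KATAN's block sizes."""
    half = n_bits // 2
    mask = (1 << half) - 1
    left, right = block >> half, block & mask
    for rnd in range(4):
        msg = bytes([rnd]) + right.to_bytes(4, "big")
        f = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") & mask
        left, right = right, left ^ f
    return (left << half) | right

class Ctr:
    """CTR mode: O_i = E_K(Ctr_i), C_i = P_i XOR O_i."""
    def __init__(self, key: bytes, n_bits: int = 64, first_ctr: int = 0):
        self.key, self.n_bits, self.first_ctr = key, n_bits, first_ctr
        self.block_bytes = n_bits // 8

    def keystream(self, first_block: int, n_blocks: int) -> bytes:
        """Blocks O_i for the given range; this is also the PRNG output."""
        out = bytearray()
        for i in range(first_block, first_block + n_blocks):
            ctr = self.first_ctr + i
            if ctr >= 1 << self.n_bits:  # wrapping would repeat a (K, Ctr) pair
                raise OverflowError("counter space exhausted, change the key")
            out += E(self.key, ctr, self.n_bits).to_bytes(self.block_bytes, "big")
        return bytes(out)

    def xor(self, data: bytes, first_block: int = 0) -> bytes:
        """Encrypt or decrypt (same operation); no padding, any start block."""
        n_blocks = -(-len(data) // self.block_bytes)  # ceiling division
        return bytes(d ^ k for d, k in zip(data, self.keystream(first_block, n_blocks)))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

KEY = bytes(range(10))             # constructed 80-bit key
P1 = b"meter reading 0421 kWh"     # constructed, 22 bytes (not a multiple of 8)
P2 = b"meter reading 0987 kWh"     # constructed
ctr = Ctr(KEY, n_bits=64)
C1 = ctr.xor(P1)
C2 = ctr.xor(P2)                   # misuse: same (K, Ctr_i) pairs as C1
```

Because `C1` and `C2` share their keystream, `xor_bytes(C1, C2)` equals `xor_bytes(P1, P2)` without any key, which is why every (K, Ctr) pair may be used only once; with a 32-bit block the counter guard in `keystream` trips after at most 2^32 blocks per key.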
Future work

Specifying the parameters of the proposed hash function template; hardware simulation; cryptanalysis of the resulting hash function; its benchmarking.
Conclusion

The number of additional GE (gate equivalents) for the hash function and the PRNG / stream cipher can be estimated as 800–1000, i.e. no more than 2000–2200 together with KATAN itself. [C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES’09.] This is comparable to most well-known lightweight block ciphers.
Thank you! Sergey Panasenko serg@panasenko.ru, www.panasenko.ru Sergey Smagin serg@ochacovo.ru ANCUD Ltd. www.ancud.ru