1 / 26

Energy-efficient cryptography: application of KATAN

Energy-efficient cryptography: application of KATAN. Sergey Panasenko serg@panasenko.ru, www.panasenko.ru Sergey Smagin serg@ochacovo.ru ANCUD Ltd. www.ancud.ru. 2. Introduction. Cryptographic primitives become more complex and heavyweight;

mya
Télécharger la présentation

Energy-efficient cryptography: application of KATAN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Energy-efficient cryptography: application of KATAN Sergey Panasenko serg@panasenko.ru, www.panasenko.ru Sergey Smagin serg@ochacovo.ru ANCUD Ltd. www.ancud.ru

  2. 2 Introduction Cryptographic primitives become more complex and heavyweight; avalanche increase in amounts of processed data; information technologies widely penetrate into people’s activity. Essential increase in expenses of energy and resources for cryptographic transformations.

  3. Introduction 3 But let’s answer some questions. • Is the maximum level of security really required? • Are all data equal in value? • Is it always required to use modern heavy and strong cryptoprimitives? Answer: “NO”

  4. Introduction 4 Approach 1. Lightweight cryptography: finding a compromise between low resource requirements, performance and strength of cryptographic primitives. [A. Poschmann. Lightweight Cryptography from an Engineers Perspective (ECC 2007).] Security system should be adequate to a value of protected data.

  5. Introduction 5 Approach 2. Recycling of cryptoprimitives: reusing existing cryptographic primitives or their elements while developing new cryptoprimitives. [J. Troutman and V. Rijmen. Green Cryptography: Cleaner Engineering Through Recycling. 2009.] One cryptoprimitive can be used as a base for several various cryptographic functions.

  6. Introduction 6 Let’s combine: • lightweight cryptography and • recycling of cryptoprimitives. Energy-efficient cryptosystem.

  7. KATAN block cipher 7 • Block size: 32 / 48 / 64 bits (KATAN32 / KATAN48 / KATAN64); • key length: 80 bits; • 254 rounds; • also KTANTAN32 / KTANTAN48 / KTANTAN64 with extremely simplified key schedule. [C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES’09.]

  8. KATAN block cipher 8 Round structure

  9. KATAN block cipher 9 Based on shift registers – easy hardware implementation; simple feedback functions; small data blocks; small internal state. Extremely low resource requirements.

  10. Recycling KATAN 10

  11. Hash function 11 Main requirements: • should be based on block cipher; • hashing add-on over block cipher should be as light as possible.

  12. Hash function 12 Examples of hash functions with thin hashing layer over internal block cipher among participants of the SHA-3 contest: • Skein; • JH; • ECHO; • SHAvite-3; • CRUNCH.

  13. Hash function 13 CRUNCH versions: • main version that uses the classical Merkle-Damgård construction; • strengthened version based on the double-pipe Merkle-Damgård construction. [J. Patarin, L. Goubin, M. Ivascot, W. Jalby, O. Ly, V. Nachef, J. Treger, E. Volte. CRUNCH. Specification. 2008.]

  14. Hash function 14 Double-pipe Merkle-Damgård construction

  15. Hash function 15 Compression function of the strengthened version of CRUNCH [E. Volte. CRUNCH. A SHA-3 Candidate. 2009.]

  16. Hash function 16 Compression function based on KATAN64

  17. Hash function 17 Note 1: CRUNCH hash function is susceptible to the length-extension attack. [M. Çoban, 2009 (available at http://ehash.iaik.tugraz.at).] Finalization procedure f(HN) or f(HN, H’N) required.

  18. Hash function 18 Note 2: Ways to use KATAN’s secret key in the hash function: • for keyed hashing where the internal key can be used instead of schemes with an external key; • as an additional parameter for hashing (salt); • can be constant if no salt or keyed hash required; • as an alternative pipe for chaining variables.

  19. PRNG & stream cipher 19 PRNG & stream cipher add-ons over the cryptographic kernel should be as lightweight as possible; block cipher modes of operation can be used (e. g. recommended by NIST [NIST Special Publication 800-38A. Recommendation for Block Cipher Modes of Operation. Methods and Techniques. National Institute of Standards and Technology, U. S. Department of Commerce. 2001.])

  20. PRNG & stream cipher 20 Let’s consider the counter (CTR) mode: • extremely simple: Oi = EK(Ctri) Ci = Pi XOR Oi • can be used directly as a pseudo random numbers generator. CTR is an “energy-efficient mode”.

  21. PRNG & stream cipher 21 CTR advantages: • encryption and decryption procedures in the CTR mode are equivalent; • it is not necessary to pad processed data to be a multiple of the block size; • all data blocks are independent – random access to data is easy; • the encrypting sequence can be precalculated.

  22. PRNG & stream cipher 22 Limitations (K – Ctri pairs must be unique) [H. Lipmaa, P. Rogaway, D. Wagner. Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption. 2000.]

  23. PRNG & stream cipher 23 Limitations for KATAN-based PRNG [NIST Special Publication 800-90. Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised). 2007.]

  24. Future work 24 Specifying the parameters of proposed hash function template; hardware simulation; cryptanalysis of the resulting hash function; its benchmarking.

  25. Conclusion 25 Number of additional GE for hash function & PRNG / stream cipher can be estimated as 800–1000. I.e. no more than 2000-2200 with KATAN itself. [C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES’09.] Comparable to most of well-known lightweight block ciphers.

  26. Thank you! Sergey Panasenko serg@panasenko.ru, www.panasenko.ru Sergey Smagin serg@ochacovo.ru ANCUD Ltd. www.ancud.ru

More Related