190 likes | 325 Vues
A Ultra-Light Block Cipher KB1. Changhoon Lee Center for Information Security Technologies, Korea University. crypto77@cist.korea.ac.kr. Contents. Introduction Background Design Goals Description of Block Cipher KB1 Security Analysis Implementation Efficiency Conclusion.
E N D
A Ultra-Light Block Cipher KB1 Changhoon Lee Center for Information Security Technologies, Korea University. crypto77@cist.korea.ac.kr
Contents • Introduction • Background • Design Goals • Description of Block Cipher KB1 • Security Analysis • Implementation Efficiency • Conclusion
Introduction (1/2) • Background • The ubiquitous computing paradigm is being watched with interest. • Typical ubiquitous computing devices impose new constraints in block cipher design due to their size and shape. • Tiny processors embedded in ubiquitous computing devices have a miniature battery • The chip area required hardware implementation of a block cipher should be small enough. • In this environments, it is required low-power, low- cost and light-weight block ciphers.
Introduction (2/2) • There are few known ciphers which are suitable to these environments. • In order to prepare new computing paradigm in advance, we must develop new block cipher which are suitable to these environments • The block cipher KB1 is designed with above new constraints in ubiquitous computing environments in mind.
Design Goals • To design a block cipher with extreme efficiency in resource usage • and power consumption. • To come up with a block cipher optimized for resource-constrained applications. use the parameters of 64-bit block length and 128-bit key length • To achieve low complexity in hardware while providing sufficient security.
Algorithm Specifications (1/9) • KB1 • 64-bit block with a 128-bit key size by iterating a round function 32 times. • Initial Transformation, Round Transformation, Final Transformation IT Key Schedule Round 1 ……………….. Round 32 FT
P7 P6 P5 P4 P3 P2 P1 P0 MK3 MK2 MK1 MK0 X0,7 X0,6 X0,5 X0,4 X0,3 X0,2 X0,1 X0,0 Algorithm Specifications (2/9) • Initial Transformation • The Pi (i=0,2,4,6) bytes of plaintext are XORed (or added) with a part of the master key • |Pi|=8 bits and |MKi|=8 bits Round 1
Algorithm Specifications (3/9) • Round Transformation • Non-linear operation “+” mod 28 • eXclusive-OR operation • Diffusion functions F0 and F1 • F0(X)=(X<<<1)^(X<<<2)^(X<<<7), • F1(X)=(X<<<3)^(X<<<4)^(X<<<6), where |X|=8 bits
Xi-1,7 Xi-1,6 Xi-1,5 Xi-1,4 Xi-1,3 Xi-1,2 Xi-1,1 Xi-1,0 SK[4i- 1] SK[4i- 2] SK[4i- 4] SK[4i- 3] F0 F1 F0 F1 Xi,0 Xi,7 Xi,6 Xi,5 Xi,4 Xi,3 Xi,2 Xi,1 Algorithm Specifications (4/9) • The j-th input bytes Xi,j (j=0,2,4,6) of i-th round are updated by the input of (i-1)-th round, the round keys, and F functions. • The remaining input bytes Xi,j (j=1,3,5,7) of (i)-th round are transferred by the j-th input bytes Xi-1,j (j=0,2,4,6) of (i-1)-th round, respectively.
X32,7 X32,6 X32,5 X32,4 X32,3 X32,2 X32,1 X32,0 MK15 MK14 MK13 MK12 C7 C6 C5 C4 C3 C2 C1 C0 Algorithm Specifications (5/9) • Final Transformation • The j-th output bytes (j=1,3,5,7) of the 32-th round, (X32,j), are XORed (or added) with a part of the master key. Round 32
Algorithm Specifications (6/9) • Key Schedule • Two steps : Generating whitening keys, Generating round keys • Step 1 : Generating whitening keys. • The first 4 bytes of 128-bit master key MK=(MK0,…, MK16), (MK0, MK1, MK2, MK3 ), are used as the initial whitening keys. • The last 4 bytes of 128-bit master key, (MK12, MK13, MK14, MK15 ), are used as the final whitening keys.
g SK[2i] g SK[2i+1] Permutation Algorithm Specifications (7/9) • Step 2 : Generating round keys MK=MK15|| … || MK0 MK=MK15|| … || MK0 2i g SK[2i] 2i+1 g SK[2i+1] Permutation i = 0,…,63
i x y SK[j] z Algorithm Specifications (8/9) • “g” function : g(x,y,z,w)=((x+y) z)+ i • i : an internal state of LFSR h which is defined by the primitive polynomial x7+x3+1 over F2[x] • initial state 0 =(s6, s5, s4, s3, s2, s1, s0)=(1,0,1,1,0,1,0) • si+6=si+2 si-1 • i =(si+6, si+5, si+4, si+3, si+2, si+1, si)
Algorithm Specifications (9/9) • “” : A bit-permutation which has 64 cycles. [128] = { 62, 75, 72, 57, 94, 101, 108, 45, 18, 51, 46, 81, 36, 125, 122, 27, 42, 49, 26, 115, 0, 85, 58, 99, 88, 31, 106, 47, 40, 3, 14, 107, 76, 37, 56, 1, 98, 13, 110, 113, 8, 73, 120, 59, 52, 39, 30, 97, 68, 93, 92, 25, 80, 77, 6, 117, 86, 5, 10, 17, 38, 69, 112, 43, 24, 55, 4, 65, 124, 11, 84, 91, 20, 121, 70, 19, 118, 71, 100, 111, 96, 89, 74, 35, 48, 7, 32, 105, 102, 41, 50, 83, 34, 53, 60, 21, 114, 87, 126, 15, 12, 67, 78, 119, 66, 123, 2, 95, 28, 33, 82, 109, 22, 23, 64, 9, 104, 103, 44, 61, 54, 127, 116, 29, 90, 63, 16, 79};
Security Analysis • Strength against known attacks KB1 has sufficient resistances against known attacks
Implementation Efficiency • Hardware Effieciency • Efficiency in low-cost hardware implementation is one of main design objectives of KB1. • The following hardware implementation of KB1 means that it can be implemented using around 3K to 4K gates with high enough performances. < Hardware complexity of the KB1 processor >
Conclusion • Presented a 64-bit block cipher KB1 which has been designed for use in resource-constrained environments, such as tiny ubiquitous devices. • Introduced its security and efficiency. • Our hardware implementation of KB1 shows that it can be implemented using around 3K to 4K gates. • So, KB1 are well-suited for our targeted applications, such as RFID, any power/space-limited applications. In this talk,