
KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers

Christophe De Cannière (1), Orr Dunkelman (1,2), Miroslav Knežević (1). (1) Katholieke Universiteit Leuven, ESAT/SCD-COSIC; (2) Département d'Informatique, École normale supérieure. BCRYPT workshop.


Presentation Transcript


  1. KATAN & KTANTAN: A Family of Small and Efficient Hardware-Oriented Block Ciphers. Christophe De Cannière (1), Orr Dunkelman (1,2), Miroslav Knežević (1). (1) Katholieke Universiteit Leuven, ESAT/SCD-COSIC; (2) Département d'Informatique, École normale supérieure. BCRYPT workshop, February 5, 2010

  2. Outline
     • Motivation
     • Why do we fight for a single gate?
     • What are the options so far?
     • Design Goals
     • Design Rationale
     • Memory Issues
     • Control part
     • Possible Speed-Ups
     • Implementation Results
     • Conclusion

  3. Why do we fight for a single gate?
     • Wireless Sensor Networks
     • Environmental and Health Monitoring
     • Wearable Computing
     • Military Surveillance, etc.
     • Pervasive Computing
     • Healthcare
     • Ambient Intelligence
     • Embedded Devices
     • It’s a challenge!

  4. What are the options so far?
     • Stream ciphers
        • To ensure security, the internal state must be twice the size of the key.
        • No good methodology on how to design these.
     • Use the standardized block cipher: AES
        • The smallest implementation consumes 3.1 Kgates.
        • Recent attacks in the related-key model.
     • Other block ciphers?
        • HIGHT, mCrypton, DESL, PRESENT,…
     • Can we do better/different?

  5. Light-Weight Block Ciphers – an Overview (slide credit: Matt Robshaw)

  6. Design Goals
     • Secure block cipher
        • Address Differential/Linear cryptanalysis, Related-Key/Slide attacks, Related-Key differentials, Algebraic attacks.
     • Efficient block cipher
        • Small footprint, low power consumption, reasonable performance (+ possible speed-ups).
     • Application driven
        • Does an RFID tag always need to support key agility?
        • Some low-end devices have one key throughout their life cycle.
        • Some of them encrypt very little data.
        • Why waste precious gates if not really necessary?

  7. The KATAN/KTANTAN Block Ciphers
     Block ciphers based on Trivium (its 2-register version – Bivium). Block size: 32/48/64 bits. Key size: 80 bits. Share the same number of rounds – 254. KATAN and KTANTAN are the same up to the key schedule. In KTANTAN, the key is fixed and cannot be changed!

  8. Block Cipher – HW perspective
     [Figure labels: Key size; Block size; Datapath + Control; “redundant” logic; Memory]

  9. Design Rationale – Memory Issues (1)
     The more compact the cipher is, the larger the share of the area that is dedicated to storing the intermediate values and key bits. The difference lies not only in the basic gate technology, but also in the size of a single-bit representation.

  10. Design Rationale – Memory Issues (2)
     • The gate count (GE) DOES depend on the library and tools that are used during the synthesis.
     • Example:
        • PRESENT[20] contains 1,000 GE in 0.35 µm technology – 53,974 µm².
        • PRESENT[20] contains 1,169 GE in 0.25 µm technology – 32,987 µm².
        • PRESENT[20] contains 1,075 GE in 0.18 µm technology – 10,403 µm².
     • Comparison is fair ONLY if the SAME library, the SAME tools and the SAME setup are used.

  11. Design Rationale – A Story of a Single Bit
     [Figure: one register bit A[i] with parallel load, drawn as a scan flip-flop (D = A_init, TD = A[i-1], SEL = start, CK = clock) and, marked as equivalent (≡), as a 2-to-1 MUX (input 0 = A_init, input 1 = A[i-1], select = start) in front of a D flip-flop. Area figures shown: 5 ~ 7.75 GE, 7.25 ~ 13.75 GE, 6.25 ~ 11.75 GE.]
     • (64 + 80 + 8) × 6.25 = 950 GE
     Assume we have a parallel load of the key and the plaintext. A single flip-flop has no relevance – MUXes need to be used. 2-to-1 MUX + FF = scan FF: beneficial both for area and power.

  12. Basic Building Block – Bivium
     • Two round functions – IR decides which one to use.
     • Prevents any slide attack and increases diffusion.
     IR stands for Irregular update Rule.

  13. Design Rationale – Control Part
     How to control such a simple construction?
     • We basically need a counter only. Can it be simpler than that?
     • Let the LFSR that is in charge of IR play the role of a counter.

  14. KATAN32 – Control Part
     [Figure: 8-bit register T (bits 7 … 0) with a 1-bit IR output and a “ready” signal.]
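The counter-free control from slides 13 and 14, as an added C example that is not from the presentation or the designers' code: one 8-bit LFSR supplies the per-round IR bit and, through a single compare against a constant fixed at design time, the "ready" signal after 254 rounds. The feedback polynomial, the all-ones seed, the choice of the top bit as IR and all function names are assumptions made for illustration; the slides give only the register width and the round count.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumptions, none taken from the slides except ROUNDS: the polynomial
 * x^8+x^4+x^3+x^2+1 (primitive, so the period is 255) and the all-ones seed. */
#define POLY_LOW 0x1Du
#define SEED     0xFFu
#define ROUNDS   254u

/* One clock of an 8-bit Galois LFSR. */
uint8_t lfsr_next(uint8_t s)
{
    return (uint8_t)((s << 1) ^ ((s & 0x80u) ? POLY_LOW : 0u));
}

/* Clocks needed for the register to return to seed. */
unsigned lfsr_period(uint8_t seed)
{
    unsigned n = 1;
    for (uint8_t s = lfsr_next(seed); s != seed && n < 256; s = lfsr_next(s))
        n++;
    return n;
}

/* Register contents after n clocks; run once at design time to fix the stop state. */
uint8_t state_after(uint8_t seed, unsigned n)
{
    while (n--)
        seed = lfsr_next(seed);
    return seed;
}

/* Control part: clock until the 8-bit compare with stop fires ("ready").
 * IR is read from the top register bit (assumption); *ir_ones counts IR = 1 rounds. */
unsigned run_until_ready(uint8_t seed, uint8_t stop, unsigned *ir_ones)
{
    unsigned rounds = 0;
    *ir_ones = 0;
    for (uint8_t s = seed; s != stop && rounds < 1000; s = lfsr_next(s)) {
        *ir_ones += s >> 7;
        rounds++;
    }
    return rounds;
}

int main(void)
{
    unsigned ones, r = run_until_ready(SEED, state_after(SEED, ROUNDS), &ones);
    printf("rounds=%u, IR=1 in %u of them, period=%u\n", r, ones, lfsr_period(SEED));
}
```

Because the period (255) exceeds the round count, every state visited during the 254 rounds is distinct, so the compare fires exactly once and no separate binary counter is needed.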

  15. KATAN32 – Round Function
     [Figure: register T (bits 7 … 0) with 1-bit IR output; register L1 (bits 12 … 0) with key input labelled K78; register L2 (bits 18 … 0) with key input labelled K79; key register K (bits 79 … 0).]
     KATAN48(64) – Very similar structure, but clocked 2(3) times per round!

  16. KTANTAN32 – Round Function
     [Figure: register T (bits 7 … 0) with 1-bit IR output; register L1 (bits 12 … 0) with key input Ka; register L2 (bits 18 … 0) with key input Kb; Ka and Kb come from two 4-to-1 MUXes fed by five 16-to-1 MUXes over the key bits K79 … K64, …, K15 … K0, with select labels T7 … T0.]

  17. Differences between various KATAN/KTANTAN ciphers
     The plaintext/ciphertext size. The lengths of L1 and L2. The tap positions. The number of times the nonlinear functions are used in each round. KATAN and KTANTAN are the same up to the key schedule.

  18. Implementation Results
     [Results table not preserved; one surviving value: 1027 GE.]
     * Throughput is estimated for a frequency of 100 kHz.
     All designs are synthesized with Synopsys Design Vision version Y-2006.06, using UMC 0.13µm Low-Leakage CMOS library.

  19. Can we go more compact?
     • Yes – applies to KATAN48, KATAN64, KTANTAN48 and KTANTAN64.
     • Use clock gating – The speed drops down 2-3 times.
     • The trick is to “clock” the controlling LFSR every two (three) clock cycles.
     • The improvement is rather insignificant:
        • 27 GE for KATAN64, 11 GE for KATAN48.
        • 4 GE for KTANTAN64, 17 GE for KTANTAN48.

  20. Can we go even more compact?
     • Probably! The speed drops down significantly.
     • Serialize the inputs:
        • But, we still need a fully autonomous cipher.
        • Additional logic (counter and FSM) is needed in order to control the serialized inputs. Or try to reuse an LFSR for counting again…
     • Combine it with clock gating.
     • Regarding energy consumption – BAD solution.
     • Worth trying if the compact design is the ultimate goal!

  21. Design Rationale – Memory Issues (3)
     KATAN32 has only 7.5% of “redundant” logic.*
     * not including the controlling LFSR

  22. Possible Speed-Ups
     [Figure: register T (bits 7 … 0) drawn three times, the second and third labelled 2X and 3X.]

  23. KATAN32 – Round Function 2X (3X)
     [Figure: register T (bits 7 … 0) with 1-bit IR output; register L1 (bits 12 … 0) with key input labelled K78; register L2 (bits 18 … 0) with key input labelled K79; key register K (bits 79 … 0).]

  24. How fast can KATAN/KTANTAN run? Optimized for speed, using UMC 0.13µm High-Speed CMOS library, KATAN64 runs up to 1.88 Gbps.

  25. Power Consumption
     • Too optimistic?
     Synthesis results only! Estimated with Synopsys Design Vision version Y-2006.06, using UMC 0.13µm Low-Leakage CMOS library.

  26. Security Targets

  27. Security – Differential Cryptanalysis

  28. Security – Linear Cryptanalysis

  29. Security – Slide/Related-Key Attacks

  30. Other Attacks?
     • More details in the paper:
        • Related-Key differential attack.
        • Cube and Algebraic attack.

  31. Conclusion
     KATAN & KTANTAN – Efficient, hardware-oriented block ciphers based on Trivium. Key size: 80 bits; Block size: 32/48/64 bits; Key agility is optional. KTANTAN32 consumes only 462 GE (1848 µm²). KATAN32 has only 7.5% of “redundant” logic. KATAN64 has a throughput of 1.88 Gbps.

  32. Thank you! http://www.cs.technion.ac.il/~orrd/KATAN/

  33. Key Schedule – KTANTAN

  34. Security – Related Key Differentials (1)

  35. Security – Related Key Differentials (2)

  36. Trade-Offs

  37. Non-Linear Functions

  38. Key Schedule – KATAN

  39. What does KATAN/KTANTAN mean? – Small – Tiny

  40. References (1)

  41. References (2)

  42. References (3)

  43. DESL[19]

  44. PRESENT[20]

  45. PRESENT[4]
