Historical overview - evolution of the algorithm


Energy-efficient cryptography:
application of KATAN
Sergey Panasenko
[email protected], www.panasenko.ru
Sergey Smagin
[email protected]
ANCUD Ltd.
www.ancud.ru
2
Introduction
• Cryptographic primitives become more complex
and heavyweight;
• avalanche increase in amounts of processed data;
• information technologies widely penetrate into
people’s activity.
Essential increase in expenses of energy and
resources for cryptographic transformations.
3
Introduction
But let’s answer some questions.
• Is the maximum level of security really required?
• Are all data equal in value?
• Is it always required to use modern heavy and
strong cryptoprimitives?
Answer: “NO”
4
Introduction
Approach 1.
Lightweight cryptography: finding a compromise
between low resource requirements, performance
and strength of cryptographic primitives.
[A. Poschmann. Lightweight Cryptography from an Engineers Perspective
(ECC 2007).]
Security system should be adequate to a value of
protected data.
5
Introduction
Approach 2.
Recycling of cryptoprimitives: reusing existing
cryptographic primitives or their elements while
developing new cryptoprimitives.
[J. Troutman and V. Rijmen. Green Cryptography: Cleaner Engineering
Through Recycling. 2009.]
One cryptoprimitive can be used as a base for
several various cryptographic functions.
6
Introduction
Let’s combine:
• lightweight cryptography
and
• recycling of cryptoprimitives.
Energy-efficient cryptosystem.
7
KATAN block cipher
• Block size: 32 / 48 / 64 bits (KATAN32 / KATAN48
/ KATAN64);
• key length: 80 bits;
• 254 rounds;
• also KTANTAN32 / KTANTAN48 / KTANTAN64 with
extremely simplified key schedule.
[C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A
Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES’09.]
8
KATAN block cipher
Round structure
[Figure: shift registers L1 and L2 with feedback through AND (˄) and XOR (+) gates; inputs: subkey bits and IR]
9
KATAN block cipher
• Based on shift registers – easy hardware
implementation;
• simple feedback functions;
• small data blocks;
• small internal state.
Extremely low resource requirements.
10
Recycling KATAN
[Diagram: cryptographic kernel, with block cipher, PRNG / stream cipher and hash function]
11
Hash function
Main requirements:
• should be based on block cipher;
• hashing add-on over block cipher should be as
light as possible.
12
Hash function
Examples of hash functions with thin hashing layer
over internal block cipher among participants of the
SHA-3 contest:
• Skein;
• JH;
• ECHO;
• SHAvite-3;
• CRUNCH.
13
Hash function
CRUNCH versions:
• main version that uses the classical Merkle-Damgård construction;
• strengthened version based on the double-pipe
Merkle-Damgård construction.
[J. Patarin, L. Goubin, M. Ivascot, W. Jalby, O. Ly, V. Nachef, J. Treger, E.
Volte. CRUNCH. Specification. 2008.]
14
Hash function
Double-pipe Merkle-Damgård construction
[Diagram: IV and message blocks M_1, M_2, ..., M_N feed a chain of compression functions; chaining values H_1, H'_1, H_2, H'_2, ..., H_N]
15
Hash function
Compression function of the strengthened version of
CRUNCH [E. Volte. CRUNCH. A SHA-3 Candidate. 2009.]
[Diagram: inputs H_i, H'_i and M_i (twice); internal block cipher 1 and internal block cipher 2; XOR (+); outputs H_{i+1}, H'_{i+1}]
16
Hash function
Compression function based on KATAN64
[Diagram: inputs H_i, H'_i, M'_i and M''_i; two KATAN instances; XOR (+); outputs H_{i+1}, H'_{i+1}]
17
Hash function
Note 1:
CRUNCH hash function is susceptible to the length-extension attack.
[M. Çoban, 2009 (available at http://ehash.iaik.tugraz.at).]
Finalization procedure f(H_N) or f(H_N, H'_N) required.
18
Hash function
Note 2:
Ways to use KATAN’s secret key in the hash
function:
• for keyed hashing where the internal key can be
used instead of schemes with an external key;
• as an additional parameter for hashing (salt);
• can be constant if no salt or keyed hash required;
• as an alternative pipe for chaining variables.
19
PRNG & stream cipher
• PRNG & stream cipher add-ons over the
cryptographic kernel should be as lightweight as
possible;
• block cipher modes of operation can be used (e.g. recommended by NIST [NIST Special Publication 800-38A.
Recommendation for Block Cipher Modes of Operation. Methods and
Techniques. National Institute of Standards and Technology, U. S.
Department of Commerce. 2001.])
20
PRNG & stream cipher
Let’s consider the counter (CTR) mode:
• extremely simple:
$O_i = E_K(\mathrm{Ctr}_i)$
$C_i = P_i \oplus O_i$
• can be used directly as a pseudo random numbers
generator.
CTR is an “energy-efficient mode”.
21
PRNG & stream cipher
CTR advantages:
• encryption and decryption procedures in the CTR
mode are equivalent;
• it is not necessary to pad processed data to be a
multiple of the block size;
• all data blocks are independent – random access
to data is easy;
• the encrypting sequence can be precalculated.
22
PRNG & stream cipher
Limitations (K – Ctr_i pairs must be unique)
[H. Lipmaa, P. Rogaway, D. Wagner. Comments to NIST concerning AES Modes of
Operations: CTR-Mode Encryption. 2000.]

                            KATAN32   KATAN48   KATAN64
Maximum number of blocks    2^16      2^24      2^32
Maximum number of bytes     2^18      2^26.5    2^35
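An added example, not taken from the slides: CTR mode over a 32-bit block with the per-key block limit listed for KATAN32 enforced in code. The block cipher is a hypothetical stand-in (a Feistel network over SHA-256), not KATAN32, and the names `CtrStream` and `standin_encrypt_block` are assumptions made here.

```python
import hashlib

BLOCK_BYTES = 4                 # 32-bit block, as in KATAN32
MAX_BLOCKS = 1 << 16            # per-key block limit listed for KATAN32
KEY_BYTES = 10                  # 80-bit key, as in KATAN


def _round_fn(key: bytes, rnd: int, half: int) -> int:
    """16-bit round function for the stand-in cipher (assumption)."""
    data = key + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def standin_encrypt_block(key: bytes, block: int) -> int:
    """Hypothetical 32-bit Feistel permutation. This is NOT KATAN32."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(8):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 16) | right


class CtrStream:
    """All keystream one key may ever produce: blocks 0 .. MAX_BLOCKS-1."""

    def __init__(self, key: bytes):
        if len(key) != KEY_BYTES:
            raise ValueError("expected an 80-bit key")
        self.key = key

    def keystream_block(self, index: int) -> bytes:
        # O_i = E_K(Ctr_i) with Ctr_i = i; past the limit the key is spent.
        if not 0 <= index < MAX_BLOCKS:
            raise OverflowError("block limit for this key reached; rekey")
        out = standin_encrypt_block(self.key, index)
        return out.to_bytes(BLOCK_BYTES, "big")

    def crypt(self, data: bytes, offset: int = 0) -> bytes:
        """C_i = P_i XOR O_i from byte `offset`; the same call decrypts.

        A byte range must never be used for two different plaintexts.
        """
        out = bytearray(len(data))
        cached_index, cached = -1, b""
        for n, byte in enumerate(data):
            index, within = divmod(offset + n, BLOCK_BYTES)
            if index != cached_index:
                cached_index, cached = index, self.keystream_block(index)
            out[n] = byte ^ cached[within]
        return bytes(out)
```

Because the counter is the block index itself, the whole budget of a key is one stream of `MAX_BLOCKS * BLOCK_BYTES` bytes; a second message under the same key has to continue at a fresh offset or use a new key.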
23
PRNG & stream cipher
Limitations for KATAN-based PRNG
[NIST Special Publication 800-90. Recommendation for Random Number Generation
Using Deterministic Random Bit Generators (Revised). 2007.]

                                     KATAN32   KATAN48   KATAN64
Seed length, bits                    112       128       144
Max. number of bits per request      2^9       2^11      2^13
Reseed interval, bits                2^12      2^18      2^24
24
Future work
• Specifying the parameters of proposed hash
function template;
• hardware simulation;
• cryptanalysis of the resulting hash function;
• its benchmarking.
25
Conclusion
The number of additional GE (gate equivalents) for the hash function and PRNG /
stream cipher can be estimated as 800–1000, i.e.
no more than 2000–2200 together with KATAN itself.
[C. De Cannière, O. Dunkelman, M. Knežević. KATAN & KTANTAN – A
Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES’09.]
Comparable to most well-known lightweight block
ciphers.
Thank you!