Published by Evelyn Blair. Modified over 9 years ago.
1
KATAN & KTANTAN: A Family of Small and Efficient Hardware-Oriented Block Ciphers
Christophe De Cannière (1), Orr Dunkelman (1,2), Miroslav Knežević (1)
(1) Katholieke Universiteit Leuven, ESAT/SCD-COSIC
(2) Département d'Informatique, École normale supérieure
September 8, 2009, CHES 2009
2
Outline
Motivation
 ◦ Why do we fight for a single gate?
 ◦ What are the options so far?
 ◦ Design Goals
Design Rationale
 ◦ Memory Issues
 ◦ Control part
 ◦ Possible Speed-Ups
Implementation Results
Conclusion
3
Why do we fight for a single gate?
Wireless Sensor Networks
 ◦ Environmental and Health Monitoring
 ◦ Wearable Computing
 ◦ Military Surveillance, etc.
Pervasive Computing
 ◦ Healthcare
 ◦ Ambient Intelligence
Embedded Devices
It’s a challenge!
4
What are the options so far?
Stream ciphers
 ◦ To ensure security, the internal state must be twice the size of the key.
 ◦ No good methodology on how to design these.
Use the standardized block cipher: AES
 ◦ The smallest implementation consumes 3.1 Kgates.
 ◦ Recent attacks in the related-key model.
Other block ciphers?
 ◦ HIGHT, mCrypton, DESL, PRESENT, …
 ◦ Can we do better/different?
5
Design Goals
Secure block cipher
 ◦ Address Differential/Linear cryptanalysis, Related-Key/Slide attacks, Related-Key differentials, Algebraic attacks.
Efficient block cipher
 ◦ Small footprint, low power consumption, reasonable performance (+ possible speed-ups).
Application driven
 ◦ Does an RFID tag always need to support key agility?
 ◦ Some low-end devices have one key throughout their life cycle.
 ◦ Some of them encrypt very little data.
 ◦ Why waste precious gates if not really necessary?
6
The KATAN/KTANTAN Block Ciphers
Block ciphers based on Trivium (its 2-register version, Bivium).
Block size: 32/48/64 bits.
Key size: 80 bits.
Share the same number of rounds: 254.
KATAN and KTANTAN are the same up to the key schedule.
In KTANTAN, the key is fixed and cannot be changed!
7
Block Cipher – HW perspective
[Figure labels: Block size, Key size, Memory, Datapath + Control, “redundant” logic]
8
Design Rationale – Memory Issues (1)
The more compact the cipher is, the larger the share of its area that is dedicated to storing the intermediate values and key bits.
Difference not only in basic gate technology, but also in the size of a single bit representation.
9
Design Rationale – Memory Issues (2)
The gate count (GE) DOES depend on the library and tools that are used during the synthesis.
Example:
 ◦ PRESENT[20] contains 1,000 GE in 0.35 µm technology – 53,974 µm².
 ◦ PRESENT[20] contains 1,169 GE in 0.25 µm technology – 32,987 µm².
 ◦ PRESENT[20] contains 1,075 GE in 0.18 µm technology – 10,403 µm².
Comparison is fair ONLY if the SAME library and the SAME tools are used.
10
Design Rationale – A Story of a Single Bit
Assume we have a parallel load of the key and the plaintext.
A single Flip-Flop has no relevance – MUXes need to be used.
2to1 MUX + FF = Scan FF: Beneficial both for area and power.
[Figure: 2to1 MUX (MUX2) in front of a flip-flop (signals D, Q, CK, SEL, clock, start, A_init, A[i-1], A[i]), 7.25 ~ 13.75 GE, ≡ scan flip-flop (D, Q, CK, TD, SEL; same signals), 6.25 ~ 11.75 GE; further label: 5 ~ 7.75 GE]
(64 + 80 + 8) × 6.25 = 950 GE
11
Design Rationale – Control Part
How to control such a simple construction?
IR stands for Irregular update Rule.
We basically need a counter only.
Can it be simpler than that?
Let the LFSR that is in charge of IR play the role of a counter.
12
KATAN32 – Control Part
[Figure: register T, bits 7 to 0; labels: 1-bit, ready]
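The counter trick from the control-part slides, as an added example (not code from the presentation or from the KATAN designers): one 8-bit LFSR supplies an IR bit per round and raises `ready` by comparing its state against a single constant after 254 rounds. The feedback taps (polynomial x^8 + x^7 + x^5 + x^3 + 1), the all-ones start state and the use of the MSB as IR are assumptions not stated on these slides.

```python
ROUNDS = 254   # round count given on the slides
INIT = 0xFF    # assumed start state (all ones)

def step(state):
    """One clock of an 8-bit Fibonacci LFSR (assumed taps: bits 7, 6, 4, 2).
    The assumed polynomial is primitive, so every non-zero state lies on
    one cycle of length 255."""
    fb = ((state >> 7) ^ (state >> 6) ^ (state >> 4) ^ (state >> 2)) & 1
    return ((state << 1) | fb) & 0xFF

def period(start=INIT):
    """Number of clocks until the register returns to its start state."""
    state, n = step(start), 1
    while state != start:
        state, n = step(state), n + 1
    return n

def final_state(rounds=ROUNDS, start=INIT):
    """The one constant a hardware comparator must match to raise 'ready'."""
    state = start
    for _ in range(rounds):
        state = step(state)
    return state

def run_control(rounds=ROUNDS, start=INIT):
    """Use the LFSR as the only control logic: emit one IR bit per round and
    stop on the 'ready' compare. No separate binary counter is involved."""
    stop = final_state(rounds, start)
    state, ir_bits, seen = start, [], set()
    while state != stop:               # 'ready' = (state == stop)
        seen.add(state)
        ir_bits.append(state >> 7)     # assumed IR tap: the MSB
        state = step(state)
    return ir_bits, len(seen)

if __name__ == "__main__":
    ir, distinct = run_control()
    print("period:", period())
    print("rounds before ready:", len(ir), "distinct states:", distinct)
    print("ready state: 0x%02X" % final_state())
```

Because 254 is one less than the period of 255, no state repeats before `ready`, so the single-constant compare cannot fire early.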
13
KATAN32 – Round Function
[Figure: IR, registers L1 and L2 (one with bits 12 to 0, one with bits 18 to 0), key register K (K79, K78, … down to bit 0), register T (bits 7 to 0); label: 1-bit]
14
KTANTAN32 – Round Function
[Figure: IR, registers L1 and L2 (one with bits 12 to 0, one with bits 18 to 0), register T (T7 … T0), key bits K79 … K64 … K15 … K0 feeding Ka and Kb; labels: 1-bit, 16to1, 4to1]
15
Implementation Results
All designs are synthesized with Synopsys Design Vision version Y-2006.06, using UMC 0.13 µm Low-Leakage CMOS library.
* Throughput is estimated for a frequency of 100 kHz.
[Table: implementation results; surviving value: 1027 GE]
16
Design Rationale – Memory Issues (3)
KATAN32 has only 7.5% of “redundant” logic.*
* not including controlling LFSR
17
Possible Speed-Ups
[Figure: register T (bits 7 to 0) shown three times; labels: 2X, 3X]
18
KATAN32 – Round Function
[Figure: IR, registers L1 and L2, key register K (K79, K78, … down to bit 0), register T (bits 7 to 0); labels: 1-bit, 2X (3X)]
19
How fast can KATAN/KTANTAN run?
Optimized for speed, using UMC 0.13 µm High-Speed CMOS library, KATAN64 runs up to 1.88 Gbps.
20
Power Consumption
Synthesis results only!
Estimated with Synopsys Design Vision version Y-2006.06, using UMC 0.13 µm Low-Leakage CMOS library.
Too optimistic?
21
Can we go more compact?
Yes – applies to KATAN48, KATAN64, KTANTAN48 and KTANTAN64.
Use clock gating – the speed drops 2-3 times.
The trick is to “clock” the controlling LFSR every two (three) clock cycles.
The improvement is rather insignificant:
 ◦ 27 GE for KATAN64, 11 GE for KATAN48.
 ◦ 4 GE for KTANTAN64, 17 GE for KTANTAN48.
22
Can we go even more compact?
Probably! The speed drops significantly.
Serialize the inputs:
 ◦ But we still need a fully autonomous cipher.
 ◦ Additional logic (counter and FSM) is needed in order to control the serialized inputs.
Or try to reuse an LFSR for counting again…
Combine it with clock gating.
Worth trying if a compact design is the ultimate goal!
23
Conclusion
KATAN & KTANTAN – Efficient, hardware-oriented block ciphers based on Trivium.
Key size: 80 bits; Block size: 32/48/64 bits; Key agility is optional.
KTANTAN32 consumes only 462 GE (1848 µm²).
KATAN32 has only 7.5% of “redundant” logic.
KATAN64 has a throughput of 1.88 Gbps.
24
Thank you!
25
Trade-Offs
26
Non-Linear Functions
27
Key Schedule – KTANTAN
28
Key Schedule – KATAN
29
Security Targets
30
Security – Differential Cryptanalysis
31
Security – Linear Cryptanalysis
32
Security – Slide/Related-Key Attacks
33
Security – Related Key Differentials (1)
34
Security – Related Key Differentials (2)
35
What does KATAN/KTANTAN mean?
– Small
– Tiny
36
References (1)
37
References (2)
38
References (3)
39
DESL[19]
40
PRESENT[20]
41
PRESENT[4]