1. KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke Universiteit Leuven, ESAT/SCD-COSIC (2) Département d'Informatique, École normale supérieure February 5, 2010BCRYPT workshop

2. Outline Motivation ◦ Why do we fight for a single gate? ◦ What are the options so far? ◦ Design Goals Design Rationale ◦ Memory Issues ◦ Control part ◦ Possible Speed-Ups Implementation Results Conclusion BCRYPT workshop

3. Why do we fight for a single gate? BCRYPT workshop Wireless Sensor Networks ◦ Environmental and Health Monitoring ◦ Wearable Computing ◦ Military Surveillance, etc. Pervasive Computing ◦ Healthcare ◦ Ambient Intelligence Embedded Devices It’s a challenge!

4. What are the options so far? BCRYPT workshop Stream ciphers ◦ To ensure security, the internal state must be twice the size of the key. ◦ No good methodology on how to design these. Use the standardized block cipher: AES ◦ The smallest implementation consumes 3.1 Kgates. ◦ Recent attacks in the related-key model. Other block ciphers? ◦ HIGHT, mCrypton, DESL, PRESENT,… ◦ Can we do better/different?

5. Light-Weight Block Ciphers – an Overview BCRYPT workshop slide credit: Matt Robshaw

6. Design Goals BCRYPT workshop Secure block cipher ◦ Address Differential/Linear cryptanalysis, Related-Key/Slide attacks, Related-Key differentials, Algebraic attacks. Efficient block cipher ◦ Small foot-print, Low power consumption, Reasonable performance (+ possible speed-ups). Application driven ◦ Does an RFID tag always need to support a key agility? ◦ Some low-end devices have one key throughout their life cycle. ◦ Some of them encrypt very little data. ◦ Why wasting precious gates if not really necessary?

7. The KATAN/KTANTAN Block Ciphers BCRYPT workshop Block ciphers based on Trivium (its 2 register version – Bivium). Block size: 32/48/64 bits. Key size: 80 bits. Share the same number of rounds – 254. KATAN and KTANTAN are the same up to the key schedule. In KTANTAN, the key is fixed and cannot be changed!

8. Block Cipher – HW perspective BCRYPT workshop Block size Key size MemoryDatapath + Control “redundant” logic

9. Design Rationale – Memory Issues (1) BCRYPT workshop The more compact the cipher is, a larger ratio of the area is dedicated for storing the intermediate values and key bits. Difference not only in basic gate technology, but also in the size of a single bit representation.

10. Design Rationale – Memory Issues (2) BCRYPT workshop The gate count (GE) DOES depend on the library and tools that are used during the synthesis. Example: ◦ PRESENT[20] contains 1,000 GE in 0.35 µ m technology – 53,974 µ m 2. ◦ PRESENT[20] contains 1,169 GE in 0.25 µ m technology – 32,987 µ m 2. ◦ PRESENT[20] contains 1,075 GE in 0.18 µ m technology – 10,403 µ m 2. Comparison is fair ONLY if the SAME library, the SAME tools and the SAME setup are used.

11. Design Rationale – A Story of a Single Bit BCRYPT workshop Assume we have a parallel load of the key and the plaintext. A single Flip-Flop has no relevance – MUXes need to be used. 2to1 MUX + FF = Scan FF: Beneficial both for area and power. DQ CK 0 1 SEL clock A_init A[i-1] start A[i] MUX2 7.25 ~ 13.75 GE DQ CK TD SEL A[i] A_init A[i-1] start clock ≡ 6.25 ~ 11.75 GE A_init 5 ~ 7.75 GE (64 + 80 + 8) × 6.25 = 950 GE

12. Basic Building Block – Bivium BCRYPT workshop IR stands for Irregular update Rule. Two round functions – IR decides which one to use. Prevents any slide attack and increases diffusion.

13. Design Rationale – Control Part BCRYPT workshop How to control such a simple construction? We basically need a counter only. Can it be simpler than that? Let the LFSR that is in charge of IR play the role of a counter.

14. BCRYPT workshop KATAN32 – Control Part 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 0 T 1-bit ready IR

15. BCRYPT workshop IR L1L1 L2L2 K 79 K 78 KATAN32 – Round Function K 6059494812110 … 79781 ……… 1413121110987654321016151817 1211109876543210 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 0 T 1-bit KATAN48(64) – Very similar structure, but clocked 2(3) times per round!

16. BCRYPT workshop IR L1L1 L2L2 KTANTAN32 – Round Function 1413121110987654321016151817 1211109876543210 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 0 T KbKb KaKa K 79 K 64 K 15 K0K0 ……… T7T7 T0T0 … KaKa KbKb 1-bit 16to1 4to1

17. Differences between various KATAN/KTANTAN ciphers BCRYPT workshop The plaintext/ciphertext size. The lengths of L 1 and L 2. The tap positions. The number of times the nonlinear functions are used in each round. KATAN and KTANTAN are same up to the key schedule.

18. Implementation Results BCRYPT workshop All designs are synthesized with Synopsys Design Vision version Y-2006.06, using UMC 0.13 µ m Low-Leakage CMOS library. * A throughput is estimated for frequency of 100 kHz. 1027 GE

19. Can we go more compact? BCRYPT workshop Yes – applies to KATAN48, KATAN64, KTANTAN48 and KTANTAN64. Use clock gating – The speed drops down 2-3 times. The trick is to “clock” controlling LFSR every two (three) clock cycles. The improvement is rather insignificant: ◦ 27 GE for KATAN64, 11 GE for KATAN48. ◦ 4 GE for KTANTAN64, 17 GE for KTANTAN48.

20. Can we go even more compact? BCRYPT workshop Probably! The speed drops down significantly. Serialize the inputs: ◦ But, we still need a fully autonomous cipher. ◦ Additional logic (counter and FSM) are needed in order to control the serialized inputs. Or try to reuse an LFSR for counting again… Combine it with clock gating. Regarding energy consumption – BAD solution. Worth trying if the compact design is an ultimate goal!

21. Design Rationale – Memory Issues (3) BCRYPT workshop KATAN32 has only 7.5% of “redundant” logic.* * not including controlling LFSR

22. Possible Speed-Ups BCRYPT workshop 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 0 T 2X 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 0 T 3X 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 0 T

23. BCRYPT workshop IR L1L1 L2L2 K 79 K 78 KATAN32 – Round Function K 6059494812110 … 79781 ……… 1413121110987654321016151817 1211109876543210 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 0 T 1-bit 2X (3X)

24. How fast can KATAN/KTANTAN run? BCRYPT workshop Optimized for speed, using UMC 0.13 µ m High-Speed CMOS library, KATAN64 runs up to 1.88 Gbps.

25. Power Consumption BCRYPT workshop Synthesis results only! Estimated with Synopsys Design Vision version Y-2006.06, using UMC 0.13 µ m Low-Leakage CMOS library. Too optimistic?

26. Security Targets BCRYPT workshop

27. Security – Differential Cryptanalysis BCRYPT workshop

28. Security – Linear Cryptanalysis BCRYPT workshop

29. Security – Slide/Related-Key Attacks BCRYPT workshop

30. Other Attacks? BCRYPT workshop More details in the paper: ◦ Related-Key differential attack. ◦ Cube and Algebraic attack.

31. Conclusion KATAN & KTANTAN – Efficient, hardware oriented block ciphers based on Trivium. Key size: 80 bits; Block size: 32/48/64 bits; Key agility is optional. KTANTAN32 consumes only 462 GE (1848 µm 2 ). KATAN32 has only 7.5% of “redundant” logic. KATAN64 has a throughput of 1.88 Gbps. BCRYPT workshop

32. Thank you! http://www.cs.technion.ac.il/~orrd/KATAN/

33. Key Schedule – KTANTAN BCRYPT workshop

34. Security – Related Key Differentials (1) BCRYPT workshop

35. Security – Related Key Differentials (2) BCRYPT workshop

36. Trade-Offs

37. Non-Linear Functions BCRYPT workshop

38. Key Schedule – KATAN BCRYPT workshop

39. What does KATAN/KTANTAN mean? BCRYPT workshop – Small – Tiny

40. References (1) BCRYPT workshop

41. References (2) BCRYPT workshop

42. References (3) BCRYPT workshop

43. DESL[19]

44. PRESENT[20]

45. PRESENT[4]