Modular Reduction Without Precomputational Phase
KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block CiphersChristophe De Cannire1, Orr Dunkelman1,2, Miroslav Kneevi1
(1)Katholieke Universiteit Leuven, ESAT/SCD-COSIC(2)Dpartement d'Informatique, cole normale suprieure
September 8, 2009CHES 20091OutlineMotivationWhy do we fight for a single gate?What are the options so far?Design GoalsDesign RationaleMemory IssuesControl partPossible Speed-UpsImplementation ResultsConclusionCHES 200922
Why do we fight for a single gate?CHES 20093Wireless Sensor NetworksEnvironmental and Health MonitoringWearable ComputingMilitary Surveillance, etc.Pervasive ComputingHealthcareAmbient IntelligenceEmbedded DevicesIts a challenge!
What are the options so far?CHES 20094Stream ciphersTo ensure security, the internal state must be twice the size of the key.No good methodology on how to design these.Use the standardized block cipher: AESThe smallest implementation consumes 3.1 Kgates.Recent attacks in the related-key model.Other block ciphers?HIGHT, mCrypton, DESL, PRESENT,Can we do better/different?Design GoalsCHES 20095Secure block cipherAddress Differential/Linear cryptanalysis, Related-Key/Slide attacks, Related-Key differentials, Algebraic attacks.Efficient block cipherSmall foot-print, Low power consumption, Reasonable performance (+ possible speed-ups).Application drivenDoes an RFID tag always need to support a key agility?Some low-end devices have one key throughout their life cycle.Some of them encrypt very little data.Why wasting precious gates if not really necessary?The KATAN/KTANTAN Block CiphersCHES 20096Block ciphers based on Trivium (its 2 register version Bivium).
Block size: 32/48/64 bits.
Key size: 80 bits.
Share the same number of rounds 254.
KATAN and KTANTAN are the same up to the key schedule.
In KTANTAN, the key is fixed and cannot be changed!Block Cipher HW perspectiveCHES 20097Block size
Key size
MemoryDatapath + Controlredundant logicDesign Rationale Memory Issues (1)CHES 20098The more compact the cipher is, a larger ratio of the area is dedicated for storing the intermediate values and key bits.Difference not only in basic gate technology, but also in the size of a single bit representation.CipherBlock[bits]Key[bits]Technology[m]Size[GE]Memory[%]Memory/bit[GE]AES-128 [8]1281280.353400607.97AES-128 [10]1281280.133100485.8HIGHT [12]641280.25304849~7mCrypton [15]64640.132420265DES [19]64560.1823096312.19DESL [19]64560.1818487912.19PRESENT-80 [4]64800.181570556PRESENT-80 [20]64800.35100080 6Design Rationale Memory Issues (2)CHES 20099The gate count (GE) DOES depend on the library and tools that are used during the synthesis.
Example:PRESENT[20] contains 1,000 GE in 0.35 m technology 53,974 m2.PRESENT[20] contains 1,169 GE in 0.25 m technology 32,987 m2.PRESENT[20] contains 1,075 GE in 0.18 m technology 10,403 m2.
Comparison is fair ONLY if the SAME library and the SAME tools are used.
Design Rationale A Story of a Single BitCHES 200910Assume we have a parallel load of the key and the plaintext.A single Flip-Flop has no relevance MUXes need to be used.2to1 MUX + FF = Scan FF: Beneficial both for area and power.DQCK01SELclockA_initA[i-1]startA[i]MUX27.25 ~ 13.75 GEDQCKTDSELA[i]A_initA[i-1]startclock6.25 ~ 11.75 GEA_init5 ~ 7.75 GE(64 + 80 + 8) 6.25 = 950 GE Design Rationale Control PartCHES 200911How to control such a simple construction?
IR stands for Irregular update Rule.We basically need a counter only. Can it be simpler than that?Let the LFSR that is in charge of IR play the role of a counter.
CHES 200912KATAN32 Control Part76543210T1-bitreadyCHES 200913IRL1L2K79K78KATAN32 Round FunctionK6059494812110797811413121110987654321016151817121110987654321076543210T1-bitCHES 200914IRL1L2KTANTAN32 Round Function1413121110987654321016151817121110987654321076543210TKbKaK79K64K15K0T7T0KaKb1-bit16to116to116to116to116to14to14to1Implementation ResultsCHES 200915All designs are synthesized with Synopsys Design Vision version Y-2006.06, using UMC 0.13m Low-Leakage CMOS library.CipherBlock[bits]Key[bits]Memory/bit[GE]Throughput*[Kbps]Size[GE]KATAN3232806.1812.5802KATAN4848806.1918.8927KATAN6464806.1525.11054KTANTAN3232806.1012.5462KTANTAN4848806.1418.8588KTANTAN6464806.1725.1688* A throughput is estimated for frequency of 100 kHz.1027 GEDesign Rationale Memory Issues (3)CHES 200916CipherBlock[bits]Key[bits]Size[GE]Memory /bit[GE]Memory[GE][%]KATAN3232808026.1874292.5KATAN4848809276.1984290.8KATAN64648010546.1593588.7KTANTAN3232804626.1024452.8KTANTAN4848805886.1434458.5KTANTAN6464806886.1744464.5KATAN32 has only 7.5% of redundant logic.** not including controlling LFSRPossible Speed-UpsCHES 20091776543210T2X76543210T3X76543210TCHES 200918IRL1L2K79K78KATAN32 Round FunctionK6059494812110797811413121110987654321016151817121110987654321076543210T1-bit2X (3X)How fast can KATAN/KTANTAN run?CHES 200919Optimized for speed, using UMC 0.13m High-Speed CMOS library, KATAN64 runs up to 1.88 Gbps.CipherSize[GE]Frequency[GHz]Throughput[Mbps]KATAN329752.861071.4KATAN4812012.861611.4KATAN6413992.501882.5KTANTAN3213281.25468.7KTANTAN4816771.23696.3KTANTAN6415891.19896.4Power ConsumptionCHES 200920CipherSize[GE]Frequency[kHz]Power[nW]KATAN32802100381KATAN48927100439KATAN641054100555KTANTAN32462100146KTANTAN48588100234KTANTAN64688100292Synthesis results only!Estimated with Synopsys Design Vision version Y-2006.06, using UMC 0.13m Low-Leakage CMOS library. Too optimistic?Can we go more compact?CHES 200921Yes applies to KATAN48, KATAN64, KTANTAN48 and KTANTAN64.Use clock gating The speed drops down 2-3 times.
The trick is to clock controlling LFSR every two (three) clock cycles.
The improvement is rather insignificant:27 GE for KATAN64, 11 GE for KATAN48.4 GE for KTANTAN64, 17 GE for KTANTAN48.Can we go even more compact?CHES 200922Probably! The speed drops down significantly.Serialize the inputs:But, we still need a fully autonomous cipher.Additional logic (counter and FSM) are needed in order to control the serialized inputs. Or try to reuse an LFSR for counting againCombine it with clock gating.Worth trying if the compact design is an ultimate goal!ConclusionKATAN & KTANTAN Efficient, hardware oriented block ciphers based on Trivium.
Key size: 80 bits; Block size: 32/48/64 bits; Key agility is optional.
KTANTAN32 consumes only 462 GE (1848 m2).
KATAN32 has only 7.5% of redundant logic.
KATAN64 has a throughput of 1.88 Gbps.CHES 200923CHES 2009
24Thank you!
Trade-OffsCHES 200925
Non-Linear FunctionsCHES 200926
Key Schedule KTANTANCHES 200927
Key Schedule KATANCHES 200928
Security TargetsCHES 200929
Security Differential CryptanalysisCHES 200930
Security Linear CryptanalysisCHES 200931
Security Slide/Related-Key AttacksCHES 200932
Security Related Key Differentials (1)CHES 200933
Security Related Key Differentials (2)CHES 200934
What does KATAN/KTANTAN mean?CHES 200935
Small TinyReferences (1)CHES 200936
References (2)CHES 200937
References (3)CHES 200938
DESL[19]CHES 200939
PRESENT[20]CHES 200940
PRESENT[4]CHES 200941
