Академический Документы
Профессиональный Документы
Культура Документы
On
Lightweight Cryptography
If you want to keep information secret so you have two possible strategies for doing this: hide
the existence of the information, or make the information unintelligible. Cryptography is the
art and science of keeping information secure from unintended audiences, of encrypting it.
Conversely, cryptanalysis is the art and science of breaking encoded data. The branch of
mathematics encompassing both cryptography and cryptanalysis is cryptology. Cryptography
is used to provide secrecy and integrity to our data, and both authentication and anonymity to
our communications.
Information technologies widely penetrate into peoples day to day activities. This is one of
the main trend of present day society. An average mans life cannot be imagined without
various gadgets. A lot of households use devices with an embedded OS (operating system)
which can be connected to internet and can be united into a wireless network. People are
surrounded by a variety of sensors, terminals, readers etc. everywhere. Such expansion of
smart devices or technologies raises data security problems. However, now it is impossible to
suggest a cryptographic primitive that can be implemented in all types of target devices. We
can say that AES is a strong cryptographic algorithm with good performance. It is advisable
to use AES in high end devices, in a large variety of embedded systems and in some low end
devices, but it is impossible to use common cryptographic algorithm in specific devices with
low resources.
RFIDs
Wireless sensors
The criteria for designing the algorithms for use in devices with extremely low resources is
slightly different from the design criteria for the commonly used cryptographic algorithms.
This very specific field of modern cryptography is covered by - Lightweight Cryptography.
Every designer of lightweight cryptography has to cope with the trade-off between security,
costs, and performance. For block ciphers the key length provides a security-cost trade-off,
while the amount of rounds provides a security-performance trade-off and the hardware
architecture a cost-performance trade-off (see Figure 1). Usually, any two of the three design
goals security and low costs, security and performance, or low costs and performance can
be easily optimized, whereas it is very difficult to optimize all three design goals at the same
time. For example, a secure and high performance hardware implementation can be achieved
by a pipelined architecture which also incorporates many countermeasures against side-
channel attacks. The resulting design would have a high area requirement, which correlates
with high costs. On the other hand it is possible to design a secure and low-cost hardware
implementation with the drawback of limited performance.
Generally speaking, there are three approaches for providing cryptographic primitives for
extremely lightweight applications such as passive RFID tags:
3) Design new ciphers with the goal of having low hardware implementation costs.
We will scrutinize all three approaches. The problem with the first approach is that most
modern block ciphers were primarily designed with good software implementation properties
in mind, and not necessarily with hardware-friendly properties. This is the right approach for
todays block ciphers, because on the one hand the vast majority of algorithms run in
software on PCs or embedded devices, and on the other hand silicon area has become so
inexpensive that very high performance hardware implementations (achieved through large
chip area) are not a problem anymore. However, if the goal is to provide extremely low-cost
security on devices where both of those assumptions do not hold, it turns out that many mod-
ern block ciphers do not perform well for these scenarios.
The second approach is to have a well investigated cipher, the design of which was driven by
low hardware costs. A very well-known cipher to this respect is the Data Encryption
Standard, DES. DES was designed in the first half of the 1970s and the targeted
implementation platform was hardware. However, by todays standard, digital technology
was extremely limited in the early 1970s, i.e. a factor of 2 20 or 6 orders of magnitude less
powerful following Moores Law. Hence, virtually all components of DES were heavily
driven by low hardware complexity: exclusive bit-wise OR (XOR), bit permutation and small
S-boxes. We will follow the second approach by slightly modifying DES in order to gain
DESL. The obvious drawback of DES is that its key length is not adequate for many of
todays applications, but by applying key-whitening techniques the security level can be
increased.
Though the implementation results of DESL are encouraging, they also show optimization
potentials. Therefore, in order to further decrease the hardware area requirements, we will
also follow the third approach and design the ultra-lightweight cipher PRESENT
DES stands for Data Encryption Standard. DESL is based on the classical DES algorithm.
Unlike DES, DESL uses a single S-box instead of 8 S-boxes of DES. The design criteria of
the single DESL S-box makes DESL resistant to most common cryptanalytic attacks. This
allows to save a part of ROM for table storage.
DESXL is a lightweight version of the DESX algorithm which is one the most widely used
variant of the DES. In contrast to DES, DESX performs input and output data whitening with
the specific sub keys. Like DESL, DESXL uses the same single S-box instead of 8 DESX S-
boxes. Relatively low resource requirement of the DESX and DESXL are just the result of
eight fold reduction of ROM required for storing the table and this is the only point of
difference between DESX and DESXL.
2) CURUPIRA:-
Curupira is a variant of the family of algorithms using the Wide Trail strategy by Joan
Daemen. Other examples of such algorithms are AES, Anubis, and Khazad. Relatively low
resource requirements of Curupira are determined by the following set of factors:
The internal state of the algorithm is relatively small (96 bits; compared to 128 bits of AES
internal state for example);
The block size of Curupira is 96 bits; it accepts several fixed key lengths: 96, 144, or 192
bits. Data block is represented as a 3 X 4 byte array (the internal state of the algorithm); every
round of Curupira modifies the internal state by the following operations:
1) Nonlinear layer ; consists of the parallel application of the S () S-box to all bytes of the
state.
2) Permutation layer ; swaps each column of the state according to the predefined rule.
3) Linear diffusion layer ; performs multiplication of the state by the predefined matrix D.
4) Key addition layer (Kr); performs bitwise addition of an r-round key Kr.
The number of rounds is not determined strictly: the Algorithm defines the minimum and
maximum numbers of rounds for each allowed key length (from 10 rounds for a 96-bit key to
23 rounds for a 192-bit one). Input whitening is performed before the first round by addition
of a K0 sub key. The final round does not perform the operation.
KATAN is a family of block ciphers: KATAN32, KATAN48, and KATAN64. The number in
the algorithms name represents the block size of the algorithm in bits. All the ciphers use 80-
bit keys.
KTANTAN family also contains three algorithms with the same block sizes and key length.
KTANTAN is more compact in hardware it assumes that the key is burnt into the target
device and cannot be changed (also, the key schedule of KTANTAN is much simpler
compared to KATAN). Other procedures of KATAN and KTANTAN ciphers are equivalent.
The algorithms structure is based on the structure of stream cipher trivium (its variant with
two registers).
The size of the internal state is equivalent to the block size of the algorithm. Each of KATAN
algorithms loads a data block into two internal shift registers L1 and L2. It performs 254
rounds; each of them uses nonlinear functions which form the registers feedback (Figure 2).
The registers sizes and the specific bits used by the nonlinear feedback functions are fixed
for every KATAN and KTANTAN algorithm and determined in. One of the nonlinear
functions uses specific irregular value (IR) in addition to several registers bits. This value
depends on the rounds number.
KATAN48 and KATAN64 share the same nonlinear functions with KATAN32, but they use
other bits of the internal registers to form the feedback. KATAN48 and KATAN64 also use
the larger sizes of the registers in accordance to the block sizes. KATAN32 updates the
registers once per a round; KATAN48 and KATAN64 use the nonlinear functions two or three
times, correspondingly.
The key schedule of KATAN is based on the linear feedback shift register (LFSR). Another
LFSR is used for counting the rounds and to stop the encryption when required. The most
significant bit of the latter LFSR forms the above mentioned irregular value.
The resource requirements of KATAN and KTANTAN are extremely low because of the
following collection of factors:
1) They use the shift registers, which can be very easily implemented in hardware; the
feedback functions are also very simple, though they provide the required nonlinearity;
3) Their internal state is small and its size is equal to the block size (plus the LSFR for
counting the rounds);
4) PRESENT:-
The mixing transformation layer performs the predefined bit-level permutation. It is based on
the mixing transformation PRESENT is an example of a substitution-permutation network. It
performs 31 rounds on 64-bit data block and allows to use 80 or 128-bit keys.
Layer of DES and seems to be the simplest one to be realized. In software the P-layer can be
realized as bit operations or using the according P-box table.
Also PRESENT performs the output data whitening after the final round.
5) HUMMINGBIRD:-
Hummingbird encrypts 16-bit blocks of data using a 256-bit key. The underlying architecture
of Hummingbird is original and hybrid (with elements of block and stream ciphers).The
encryption procedure can be represented as a continuously working rotor-based machine.
Four identical internal block ciphers play a role of virtual rotors. They perform a set of
operations on short 16-bit data blocks.
The internal 16-bit block cipher E (): 4-roundSP-network with the key addition, S-box
application, and linear transformation layers; the final round of the internal block cipher is
shortened, but it contains the output whitening procedure;
16-bit LFSR.
Hummingbird actively uses 216 modulo addition to mix the internal state registers with the
data block to be processed. Alternatively, the high-level structure of the algorithm can be
presented as 4-round block cipher with the feedback operations, which allow to use internal
cipher blocks chaining as an additional advantage of the algorithms structure. Relatively low
resource requirements of Hummingbird can be achieved due to simple arithmetic and logic
operations and extremely short data blocks.
Figure 3: High Level Structure of Hummingbird
As stated above, the design goal of a lightweight algorithm is finding a compromise between
low resource requirements, performance, and cryptographic strength of the algorithm
(including secure use of the target device with the algorithm inside).
It can be supposed that the evolution of lightweight cryptography will be active in the nearest
future, because lightweight algorithms are highly required. Also we can suppose the
following trends in designing of lightweight algorithms:
Informally, a cryptographic hash function H takes an input of variable size and returns a hash
value of fixed length while satisfying the properties of preimage resistance, second preimage
resistance, and collision resistance. For a hash function with n-bit output, compromising
these should require 2n, 2n, and 2n=2 operations respectively. These properties make hash
functions very appealing in a range of protocols. For tag-based applications, the protocols in
question are often focused on authentication or on providing some form of anonymity and/or
privacy. However, some estimates suggest that no more than 2;000
GE are available for security in low-cost RFID tags but implementation results show that
the hash functions available are unsuitable in practice . When we consider what we need
from a hash function in an RFID tag-based application the following issues can be identified:
(1) In tag-based applications we are unlikely to hash large amounts of data. Most tag
protocols require that the hash function processes a challenge, an identifier, and/or perhaps a
counter. The typical input is usually much less than 256 bits.
(2) In many tag-based applications we do not need the property of collision resistance. Most
often the security of the protocol depends on the one-way property. In certain situations,
therefore, it is safe to use hash functions with smaller hash outputs.
(3) Applications will (typically) only require moderate security levels. Consequently 80-bit
security, or even less, may be adequate. This is also the position taken in the eSTREAM
project. An algorithm should be chosen according to the relevant security level and
in deployment, where success depends on every dollar and cent spent, there is no point
using extra space to get a 256-bit security level if 64-bit security is all that is required.
(4) While the physical space for an implementation is often the primary consideration, the
peak and average power consumption are also important. The time for a computation
will matter if we consider how a tag interacts with higher-level communication and
anticollisionprotocols.
(5) Some protocols use a hash function to build a message authentication code (MAC), often
by appealing to the HMAC construction. When used as a MAC a number of interesting
issues arise such as choosing an appropriate key length and understanding whether keys
will be changed, something that will almost certainly be impossible in most tag-enabled
applications. There might also be the possibility of side-channel analysis on the MAC.
However, such attacks will rarely be worthwhile for cheap tag-enabled applications and
we do not consider this issue further. Taking account of these considerations allows us
to make some pragmatic choices. There will be applications that just require one-
wayness and the application may only require 80-bit or 64-bit security. Note that
this is the view adopted by Shamir in the proposal SQUASH for use in RFID tags. For
other applications we might like to see 80-bit security against collision
attacks.