Lightweight Cryptography (Малоресурсная криптография) - Сергей Мартыненко


Upload: hackit-ukraine

Post on 15-Apr-2017


Slide 2: The need for lightweight cryptography

The upcoming era of pervasive computing will be characterized by many smart devices that – because of the tight cost constraints inherent in mass deployments – have very limited resources in terms of memory, computing power, and battery supply.

Christof Paar, Axel Poschmann

Slide 3: The need for lightweight cryptography

Areas benefiting from lightweight cryptography:

■ RFID (radio frequency identification)

■ Electronic (biometric) passport;

■ SCADA (supervisory control and data acquisition);

■ Implantable medical devices;

■ Modern automobiles;

■ The “internet of things”

Slide 4: RFID

Radio-frequency identification (RFID) is the wireless use of electromagnetic fields to transfer data, for the purpose of automatically identifying and tracking tags attached to objects. The tags contain electronically stored information.

The RFID world market is estimated to surpass US$20 billion by 2014

Since RFID tags can be attached to cash, clothing, possessions, or even implanted within people, the possibility of reading personally-linked information without consent has raised serious privacy concerns.

Slide 5: SCADA (supervisory control and data acquisition)

SCADA communications must be protected. As sensing is increasingly done via battery-operated, wireless devices, the cryptography should have a small footprint.

In 2012, the NIST called for: “Research in lightweight, low-power cryptography, enabling encryption for millions of smart meters and other devices for Smart Grid with limited computational power”

Slide 6: E-passport and ID cards

An ePassport is a combined paper and electronic passport that contains biometric information (fingerprint, iris and face) that can be used to authenticate the identity of travelers. It uses contactless smart card technology, including a computer chip and an antenna.

Slide 7: Implantable medical devices

Many modern implantable medical devices, such as deep brain neurostimulators, insulin pumps, gastric stimulators, foot drop implants, cardiac defibrillators and many others, need to communicate from time to time with medical networks.

Slide 8: Internet of things

The Internet of Things means connecting any device that can be switched on and off to the internet. ‘Any device’ largely means cellphones, coffee makers, headphones, lamps, doors, windows and almost anything you can think of. Gartner, the analysis firm, predicts that by the year 2020 there will be as many as twenty-six billion devices connected to the internet. Thus, IoT is a giant connection of things via the internet; it is more or less a relationship between things.

A world where physical objects are seamlessly integrated into the information network, and where the physical objects can become active participants in information processes. Services are available to interact with these “smart objects” over the Internet, query and change their state and any information associated with them, taking into account security and privacy issues.

IoT definition, SAP Research

Slide 9: Main restrictions in lightweight cryptography

■ Power consumption

■ Chip size

■ Size of program code

■ Size of random access memory (RAM)

■ Time for program execution

■ Width of communication channel

Slide 10: What is Lightweight Cryptography?

Lightweight cryptography is the collection of cryptographic primitives, techniques and ciphers that can be implemented in highly resource-constrained mobile devices. Such devices harvest energy for all their functions and communicate over band-limited channels, and every gate used for security is considered an additional cost that must be carefully utilized. In the lightweight context, the designer has to analyze the computational complexity of the algorithm with respect to the demands on the hardware and the other limitations of the device. These limitations are both a direction and a constraining challenge that guide the development of cryptography.

Mathieu David, “Lightweight Cryptography for Passive RFID Tags”, 2011

Slide 11: Design trade-off

Slide 12: Design criteria

Taking into account the restrictions stated above, we can formulate the following basic criteria:

■ Ultra-small hardware implementation

■ Multiple block and key sizes for good application fit

■ Easy implementation

■ High-speed, low-memory software implementations

■ Flexible implementation

■ Security is determined by key size.

Slide 13: Approaches

There are three main approaches to the construction of lightweight crypto primitives:

1. Minimization and optimization of well-known and proven algorithms

2. Modification of well-known primitives for highly resource-constrained requirements

3. Design of new crypto primitives that are optimized from the outset for low-cost hardware implementation.

Slide 14: Metrics

Area: Area requirements are usually measured in µm², but this value depends on the fabrication technology and the standard cell library. In order to compare area requirements independently, it is common to state the area in gate equivalents [GE]. One GE is equivalent to the area required by the two-input NAND gate with the lowest driving strength of the appropriate technology. The area in GE is derived by dividing the area in µm² by the area of a two-input NAND gate.

Cycles: Number of clock cycles to compute and read out the result.

Time: The required amount of time for a certain operation can be calculated by dividing the number of cycles by the operating frequency: $t = \frac{cycles}{freq}$.

Throughput: The rate at which new output is produced with respect to time. The number of output bits is divided by the time, i.e. divided by the needed cycles and multiplied by the operating frequency: $throughput = \frac{output\ bits \cdot freq}{cycles}$. It is expressed in bits per second [bps].

Slide 15: Metrics (continued)

Power: The power consumption is estimated on the gate level by Synopsys PowerCompiler. It is provided in microwatts [μW]. Note that power estimations on the transistor level are more accurate, but this would also require further steps in the design flow, e.g. the place&route step.

Energy: The energy consumption denotes the power consumption over a certain time period. It can be calculated by multiplying the power consumption by the required time of the operation: $E = P \cdot t$. For the efficiency of a cryptographic algorithm it might also be interesting to know the energy consumption per output bit. The energy consumption is provided in microjoules [μJ] or microjoules per bit [μJ/bit], respectively.

Current: The power consumption divided by the typical core voltage of the library: $I = \frac{P}{V_{core}}$.

Efficiency: The throughput-to-area ratio is used as a measure of hardware efficiency. The hardware efficiency is calculated by dividing the area requirements by the throughput, i.e. $eff = \frac{area}{throughput}$, and is expressed in gate equivalents per bit per second [GE/bps].
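The definitions on these two Metrics slides, as an added example (not code from the talk): a small calculator that derives GE, time, throughput, energy, energy per bit, current and efficiency from a synthesis report, and a comparison of two designs that makes the area-versus-throughput trade-off visible. Both designs and all of their figures are constructed for illustration; they are not measurements from the talk.

```python
# Added example, not code from the talk: the metric definitions of the two
# Metrics slides as a small calculator, plus a comparison that shows the
# area-versus-throughput trade-off.  The two designs and all their figures
# are constructed for illustration; they are not measurements from the talk.
from dataclasses import dataclass


@dataclass(frozen=True)
class HardwareReport:
    name: str
    area_um2: float        # synthesized cell area in µm²
    nand2_area_um2: float  # area of the library's smallest two-input NAND gate
    cycles: int            # clock cycles to compute and read out one block
    output_bits: int       # bits produced per block
    freq_hz: float         # operating frequency
    power_uw: float        # estimated power in µW at that frequency
    core_voltage_v: float  # typical core voltage of the cell library

    def area_ge(self) -> float:
        """Area in gate equivalents: design area divided by NAND2 area."""
        return self.area_um2 / self.nand2_area_um2

    def time_s(self) -> float:
        """t = cycles / freq"""
        return self.cycles / self.freq_hz

    def throughput_bps(self) -> float:
        """output bits / t = output bits * freq / cycles"""
        return self.output_bits * self.freq_hz / self.cycles

    def energy_uj(self) -> float:
        """E = P * t  (µW * s = µJ)"""
        return self.power_uw * self.time_s()

    def energy_per_bit_uj(self) -> float:
        return self.energy_uj() / self.output_bits

    def current_ua(self) -> float:
        """I = P / V  (µW / V = µA)"""
        return self.power_uw / self.core_voltage_v

    def efficiency_ge_per_bps(self) -> float:
        """eff = area / throughput; lower means more throughput per gate."""
        return self.area_ge() / self.throughput_bps()


# Constructed figures: a round-based design and a hypothetical bit-serial
# variant of the same cipher that trades cycles for gates.
ROUND_BASED = HardwareReport("round-based", 15700.0, 10.0, 32, 64, 100e3, 5.0, 1.8)
SERIALIZED = HardwareReport("serialized", 10000.0, 10.0, 512, 64, 100e3, 2.5, 1.8)


def rank(reports, metric: str) -> list:
    """Design names ordered best-first for a metric where smaller is better."""
    return [r.name for r in sorted(reports, key=lambda r: getattr(r, metric)())]


if __name__ == "__main__":
    for r in (ROUND_BASED, SERIALIZED):
        print(f"{r.name}: {r.area_ge():.0f} GE, {r.throughput_bps():.0f} bps, "
              f"{r.energy_per_bit_uj() * 1e6:.1f} pJ/bit, "
              f"{r.efficiency_ge_per_bps():.5f} GE/bps")
    print("smallest area:", rank((ROUND_BASED, SERIALIZED), "area_ge")[0])
    print("best efficiency:", rank((ROUND_BASED, SERIALIZED), "efficiency_ge_per_bps")[0])
```

The two rankings disagree on purpose: the serialized design wins on area, the round-based one on efficiency and energy per bit, which is exactly why a single number never settles which implementation fits a tag.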

Slide 16: Lightweight Cryptography

Slide 17: Security for Block Ciphers

Slide 18: Parameters of hardware realization

Slide 19: Block Ciphers (PRESENT)

PRESENT (ISO/IEC 29192-2:2012) is a new ultra-lightweight block cipher algorithm, developed by Orange Labs, Ruhr University Bochum and the Technical University of Denmark. It is one of the most compact encryption methods ever designed and is 2.5 times smaller than AES. PRESENT is a classical example of an SP-network and consists of 31 rounds. The block length is 64 bits, and two key lengths, 80 and 128 bits, are supported.

Each round consists of an XOR with the 64-bit round key Ki, followed by 16 identical 4-bit S-boxes, followed by the permutation layer.

Slide 20: Block Ciphers (PRESENT)

The cipher's authors recommend the 80-bit key length, which guarantees a more than adequate level of security for the low-security applications typically required in tag-based deployments.

Slide 21: Block Ciphers (CLEFIA)

CLEFIA (ISO/IEC 29192-2:2012) is a proprietary block cipher algorithm developed by Sony. The block size is 128 bits and the key size can be 128, 192 or 256 bits. It is intended to be used in DRM systems and is based on the classical Feistel network structure.

Slide 22: Stream Ciphers (Trivium)

Trivium (ISO/IEC 29192-3) is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate count in hardware, and a reasonably efficient software implementation. It generates up to 2^64 bits of output from an 80-bit key and an 80-bit IV (initialization vector).

Slide 23: Stream Ciphers (Enocoro)

Enocoro (ISO/IEC 29192-3) is a synchronous stream cipher designed by Hitachi. There are two variants, with 80-bit security and 128-bit security; the standard includes the second version of the 128-bit variant, Enocoro-128v2.

For this variant the key length is 128 bits and the IV is 64 bits. The output is 1 byte per round, up to 2^64 bytes for each key and IV pair.

Slide 24: Symmetric Lightweight Cryptography

Slide 25: Lightweight Hash functions

Lightweight hash functions are lightweight cryptographic primitives.

NIST provides figures for hardware implementations of the SHA-3 finalists aimed at optimizing area. For a 0.09 µm technology, the best they can achieve is 9,200 GE for Grøstl; Keccak (the winner of the competition) requires at least 15,200 GE. These are far too much for, say, RFID tags. That is why lightweight hash functions have been proposed.

ARMADILLO2 is a multi-purpose primitive intended to be used as a FIL-MAC (application I), for hashing and digital signatures (application II) and as a PRNG and PRF (application III). It has been broken by Naya-Plasencia and Peyrin, who managed to find collisions in very little time when it is used as a hash function.

DM-PRESENT is simply a Merkle-Damgård scheme where the compression function is the block cipher PRESENT in Davies-Meyer mode. DM-PRESENT-80 is based on PRESENT-80 and DM-PRESENT-128 on PRESENT-128. Such hash functions will only be of use in applications that require the one-way property and 64-bit security.

GLUON is a T-sponge, meaning that it is a sponge with a non-injective update function. The said function is based on the software-oriented stream ciphers X-FCSR-v2 and F-FCSR-H-v3. The update function of GLUON-64 is many-to-one and has a behavior which is very different from that of a random function.

Slide 26: Lightweight Hash functions (continued)

PHOTON is a P-sponge based on an AES-like permutation. The throughput figures given correspond to throughput when outputting long messages, as these are the ones usually given. However, the figures for shorter messages are smaller (i.e. better) for PHOTON. The design of the permutation used to update the sponge is close to the LED cipher.

QUARK is a P-sponge with a hardware-oriented permutation inspired by the lightweight block ciphers KTANTAN and KATAN and the hardware-oriented stream cipher Grain. The smallest version (136-bit digest) is called U-QUARK, the middle one (176-bit digest) D-QUARK and the longest (256-bit digest) S-QUARK. A modified version, C-QUARK, can be used as an authenticated encryption scheme.

SPN-Hash. The main interest of this hash function is its provable security against differential collision attacks. It is a JH-like structure using, as its name indicates, a permutation based on an SPN. The structure of the SPN is based on that of the AES. The padding used is the same as in strengthened Merkle-Damgård: the length of the message is appended to the last block.

SPONGENT can be seen as a P-sponge where the permutation is a modified version of the block cipher PRESENT; these primitives actually have several designers in common. The number of rounds of the PRESENT-like permutation ranges from 45 for SPONGENT-80 to 140 for SPONGENT-256. There is no attack on SPONGENT to the best of our knowledge, except for linear distinguishers on reduced-round versions.

Slide 27: Lightweight Public-key Cryptography

In 2006 Girault, Poupard and Stern proposed an “On the Fly Authentication and Signature Scheme Based on Groups of Unknown Order”. Crypto-GPS is standardized within the international standard ISO/IEC 9798-5.

Crypto-GPS offers a variety of parameters for different security-performance trade-offs. Although there are variants of the crypto-GPS scheme based on RSA-like moduli, it is better to use the variant with elliptic curve operations, because it allows smaller keys.
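One identification round of the GPS scheme, as an added example; it is not the slides' code nor the ISO/IEC 9798-5 parameter set. The modulus, base and size constants are constructed toy values chosen so the arithmetic is readable, far below any secure size, and the example uses the RSA-like-modulus form because that is the "group of unknown order" of the title (the elliptic-curve variant the slide prefers replaces g^r mod n with a scalar multiplication and leaves the rest unchanged). The function names are this example's own. What it demonstrates is where the work lands: the modular exponentiation happens in commit(), which the tag can precompute offline, while the only on-line step, respond(), is one integer multiply-add.

```python
# Added example (not the slides' or the standard's code): one round of GPS
# identification.  All parameters below are constructed toy values, not secure
# sizes and not the ISO/IEC 9798-5 parameter sets.
import secrets
from typing import Optional

P, Q = 1_000_000_007, 998_244_353   # two primes; after setup p and q are discarded,
N = P * Q                           # so the order of the group mod n is unknown to everyone
G = 2                               # base element
S_BITS, C_BITS = 32, 8              # secret size and challenge size (toy)
R_BITS = S_BITS + C_BITS + 16       # nonce wide enough to statistically hide s*c


def keygen(s: Optional[int] = None) -> tuple:
    """Return (secret s, public I = g^s mod n)."""
    if s is None:
        s = secrets.randbelow(1 << S_BITS)
    return s, pow(G, s, N)


def commit(r: Optional[int] = None) -> tuple:
    """Prover's commitment x = g^r mod n: the expensive step, which a tag can
    precompute offline ('coupons'), which is what makes the scheme lightweight."""
    if r is None:
        r = secrets.randbelow(1 << R_BITS)
    return r, pow(G, r, N)


def challenge() -> int:
    """Verifier's challenge c."""
    return secrets.randbelow(1 << C_BITS)


def respond(r: int, s: int, c: int) -> int:
    """The only on-line work on the tag: y = r + s*c over the integers.
    No modular reduction is possible since the group order is unknown."""
    return r + s * c


def verify(public_i: int, x: int, c: int, y: int) -> bool:
    """Accept iff y is in range and g^y == x * I^c (mod n)."""
    if not 0 <= y < (1 << R_BITS) + (1 << (S_BITS + C_BITS)):
        return False
    return pow(G, y, N) == (x * pow(public_i, c, N)) % N


def run_round(s: int, public_i: int,
              r: Optional[int] = None, c: Optional[int] = None) -> bool:
    """Full prover/verifier exchange; r and c may be fixed for reproducibility."""
    r, x = commit(r)            # prover -> verifier: x
    c = challenge() if c is None else c   # verifier -> prover: c
    y = respond(r, s, c)        # prover -> verifier: y
    return verify(public_i, x, c, y)


if __name__ == "__main__":
    secret, public_i = keygen()
    print("honest round accepted:", run_round(secret, public_i))
```

With the check g^y == x * I^c the public key is I = g^s; the paper writes the same test with I = g^{-s} and g^y * I^c == x, which is equivalent. The range check on y matters: without it a response outside the expected interval leaks that r was not drawn from the full nonce range.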

Slide 28: Lightweight Public-key Cryptography

Slide 29: Conclusions

The rise of lightweight devices, such as RFID tags, has created new security and privacy challenges. Since these devices are so ubiquitous and their communication goes unnoticed, they can easily be abused.

Lightweight cryptographic primitives should...
– Have a short internal state (to lower area)
– Have a short processing time (to lower energy)
– Have a short output (to lower communication overhead)

Symmetric crypto with less than 1000 gates is feasible
– Cost is then dominated by memory
– Software: RAM usage is critical

Lightweight hash function from 7000 to 2000 GE is feasible
– Collision resistance is then dominated by size

Lightweight public-key crypto with less than 10000 GE is feasible
