Presentation from the forum http://hackit-ukraine.com/
Sergey Martynenko
Senior lecturer, Department of Computer Systems and Networks, KhAI
Lightweight Cryptography
About the speaker: Senior lecturer at the Department of Computer Networks and Systems. More than 5 years of experience in cryptographic information protection and critical systems. Works on information security in resource-constrained systems.
1. Computer Systems and Networks Department
The need for lightweight cryptography
The upcoming era of pervasive computing will be characterized by many smart devices that – because of the tight cost constraints inherent in mass deployments – have very limited resources in terms of memory, computing power, and battery supply.
Christof Paar, Axel Poschmann
Slide 2
The need for lightweight cryptography
Areas benefiting from lightweight cryptography:
■ RFID (radio frequency identification);
■ Electronic (biometric) passports;
■ SCADA (supervisory control and data acquisition);
■ Implantable medical devices;
■ Modern automobiles;
■ The “internet of things”.
RFID
Radio-frequency identification (RFID) is the wireless use of electromagnetic fields to transfer data, for the purposes of automatically identifying and tracking tags attached to objects. The tags contain electronically stored information.
The RFID world market is estimated to surpass US$20 billion by 2014.
Since RFID tags can be attached to cash, clothing, possessions, or even implanted within people, the possibility of reading personally-linked information without consent has raised serious privacy concerns.
SCADA (supervisory control and data acquisition)
SCADA communications must be protected. As sensing is increasingly done via battery-operated, wireless devices, the cryptography should have a small footprint.
In 2012, NIST called for: “Research in lightweight, low-power cryptography, enabling encryption for millions of smart meters and other devices for Smart Grid with limited computational power”
E-passport and ID cards
An ePassport is a combined paper and electronic passport that contains biometric information (fingerprint, iris and face) that can be used to authenticate the identity of travelers. It uses contactless smart card technology, including a computer chip and an antenna.
Implantable medical devices
Many modern implantable medical devices, such as deep brain neurostimulators, insulin pumps, gastric stimulators, foot drop implants, cardiac defibrillators and many others, need to communicate from time to time with medical networks.
Internet of things
The Internet of Things is connecting any device which has the capability of switching on and off to the internet. When you say ‘any device’, it largely means any device like cellphones, coffee makers, headphones, lamps, doors, windows and almost anything you can think of. Gartner, the analyst firm, puts forward that by the year 2020 there will be as many as twenty-six billion devices connected to the internet. Thus, IoT is a giant connection of things via the internet. This is more or less a relationship between things.
A world where physical objects are seamlessly integrated into the information network, and where the physical objects can become active participants in information processes. Services are available to interact with these “smart objects” over the Internet, query and change their state and any information associated with them, taking into account security and privacy issues.
IoT definition, SAP Research
Main Restriction in Lightweight Cryptography
■ Power consumption
■ Chip size
■ Size of program code
■ Size of random access memory (RAM)
■ Program execution time
■ Width of the communication channel
What is Lightweight Cryptography?
Lightweight Cryptography is the collection of cryptographic primitives, techniques and ciphers that can be implemented in highly resource-constrained mobile devices. Such devices harvest energy for all their functions, communicate over band-limited channels, and every gate used for security is considered an additional cost that must be carefully utilized. In the lightweight context, the designer has to analyze the computational complexity of the algorithm with respect to the demands on the hardware and other limitations of the device. There are both a direction and a constraining challenge in these limitations that guide the development of cryptography.
Mathieu David, “Lightweight Cryptography for Passive RFID Tags”, 2011
Design criteria
Taking into account the restrictions stated above, we can formulate the following basic criteria:
■ Ultra-small hardware implementation
■ Multiple block and key sizes for a good application fit
■ Easy implementation
■ High-speed, low-memory software implementations
■ Flexible implementation
■ Security is determined by key size.
Approaches
There are three main approaches to the construction of lightweight crypto primitives:
1. Minimization and optimization of well-known and proven algorithms
2. Modification of well-known primitives for highly resource-constrained requirements
3. Design of new crypto primitives that are optimized from the start for low-cost hardware implementation.
Metrics
Area: Area requirements are usually measured in μm², but this value depends on the fabrication technology and the standard cell library. In order to compare area requirements independently of these, it is common to state the area in gate equivalents [GE]. One GE is equivalent to the area required by a two-input NAND gate with the lowest driving strength of the appropriate technology. The area in GE is derived by dividing the area in μm² by the area of a two-input NAND gate.
Cycles: Number of clock cycles to compute and read out the result.
Time: The time required for a certain operation is calculated by dividing the number of cycles by the operating frequency: t = cycles / freq.
Throughput: The rate at which new output is produced with respect to time. The number of output bits is divided by the time, i.e. divided by the needed cycles and multiplied by the operating frequency: throughput = (output bits / cycles) × freq. It is expressed in bits per second [bps].
Metrics(continuation)
Power: The power consumption is estimated at the gate level by Synopsys PowerCompiler. It is given in microwatts [μW]. Note that power estimations at the transistor level are more accurate, but they would also require further steps in the design flow, e.g. the place & route step.
Energy: The energy consumption denotes the power consumption over a certain time period. It can be calculated by multiplying the power consumption by the required time of the operation. For the efficiency of a cryptographic algorithm it may also be interesting to know the energy consumption per output bit. The energy consumption is given in microjoules [μJ] or microjoules per bit [μJ/bit], respectively.
Current: The power consumption divided by the typical core voltage of the library.
Efficiency: The throughput-to-area ratio is used as a measure of hardware efficiency. The hardware efficiency is calculated by dividing the area requirements by the throughput, i.e. eff = area / throughput, and is expressed in gate equivalents per bit per second [GE/bps].
Parameters of hardware realization
Block Ciphers(PRESENT)
PRESENT (ISO/IEC 29192-2:2012) is a new ultra-lightweight block cipher, developed by Orange Labs, Ruhr University Bochum and the Technical University of Denmark. It is one of the most compact encryption methods ever designed and is 2.5 times smaller than AES. PRESENT is a classical example of an SP-network and consists of 31 rounds. The block length is 64 bits, and two key lengths, 80 and 128 bits, are supported.
Each round consists of an XOR with the 64-bit round key Ki, followed by 16 identical 4-bit S-boxes, followed by a bit-permutation layer.
Block Ciphers(PRESENT)
The cipher's authors recommend the 80-bit key length, which guarantees a more than adequate level of security for the low-security applications typically required in tag-based deployments.
Block Ciphers(CLEFIA)
CLEFIA (ISO/IEC 29192-2:2012) is a proprietary block cipher developed by Sony. The block size is 128 bits and the key size can be 128, 192 or 256 bits. It is intended for use in DRM systems and is based on the classical “Feistel network” structure.
Stream Ciphers(Trivium)
Trivium (ISO/IEC 29192-3) is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate count in hardware, and a reasonably efficient software implementation. It generates up to 2^64 bits of output from an 80-bit key and an 80-bit IV (initialization vector).
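Added example, not code from the talk or from the Trivium designers: the Trivium keystream generator written bit by bit from the three shift registers of the specification, so the structure behind the small gate count is visible (three registers totalling 288 bits, three AND gates, 1152 warm-up clocks before the first output bit). The mapping of key and IV bytes to the bit positions s1..s80 is an assumption (most significant bit of each byte first); the eSTREAM reference code may load bits in a different order, so byte-for-byte agreement with its published test vectors is not claimed.

```python
"""Trivium stream cipher, bit-serial, following the specification's register layout."""

WARMUP_CLOCKS = 4 * 288  # 1152 initialisation clocks before any keystream is output


def _bits_msb_first(data, nbits):
    """Expand bytes into a list of 0/1 values, MSB of each byte first.
    (Assumed bit-loading convention, not taken from the reference code.)"""
    bits = [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * len(data))]
    if len(bits) != nbits:
        raise ValueError(f"expected {nbits} bits, got {len(bits)}")
    return bits


class Trivium:
    def __init__(self, key: bytes, iv: bytes):
        k = _bits_msb_first(key, 80)
        v = _bits_msb_first(iv, 80)
        # Register A: s1..s93  = K1..K80 || 13 zero bits
        # Register B: s94..s177 = IV1..IV80 || 4 zero bits
        # Register C: s178..s288 = 108 zero bits || 1 1 1
        # (list index 0 corresponds to s1 of the specification)
        self.s = k + [0] * 13 + v + [0] * 4 + [0] * 108 + [1, 1, 1]
        assert len(self.s) == 288
        for _ in range(WARMUP_CLOCKS):  # warm-up: clock without producing output
            self._clock()

    def _clock(self):
        """One clock of the three registers; returns the keystream bit z."""
        s = self.s
        t1 = s[65] ^ s[92]     # s66 + s93
        t2 = s[161] ^ s[176]   # s162 + s177
        t3 = s[242] ^ s[287]   # s243 + s288
        z = t1 ^ t2 ^ t3
        t1 ^= (s[90] & s[91]) ^ s[170]    # + s91*s92 + s171
        t2 ^= (s[174] & s[175]) ^ s[263]  # + s175*s176 + s264
        t3 ^= (s[285] & s[286]) ^ s[68]   # + s286*s287 + s69
        # Each register shifts by one; the new value enters at its head.
        self.s = [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287]
        return z

    def keystream(self, nbytes):
        """Return nbytes of keystream, packing 8 successive bits per byte, MSB first."""
        out = bytearray()
        for _ in range(nbytes):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | self._clock()
            out.append(byte)
        return bytes(out)


def trivium_xor(key, iv, data):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    ks = Trivium(key, iv).keystream(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    # Constructed sample key and IV; never reuse a (key, IV) pair for two messages.
    key, iv = bytes(range(10)), bytes(10)
    ct = trivium_xor(key, iv, b"lightweight stream cipher")
    print(ct.hex(), trivium_xor(key, iv, ct))
```

The usual synchronous stream cipher caveat applies directly to the code: the keystream depends only on (key, IV), so encrypting two messages under the same pair leaks their XOR. The 80-bit IV is there to be changed per message.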
Stream Ciphers(Enocoro)
Enocoro (ISO/IEC 29192-3) is a synchronous stream cipher designed by Hitachi Corp. There are two variants, with 80-bit security and 128-bit security. The standard includes the second version of the 128-bit variant, Enocoro-128v2. For this variant the key length is 128 bits and the IV is 64 bits. The output is 1 byte per round, up to 2^64 bytes for each key and IV.
Symmetric Lightweight Cryptography
Lightweight Hash functions
Lightweight hash functions are lightweight cryptographic primitives. NIST provides figures for hardware implementations of the SHA-3 finalists aimed at optimizing the area. For a 0.09 µm technology, the best they can achieve is 9,200 GE for Grøstl, with Keccak (the winner of the competition) requiring at least 15,200 GE. These are far too much for, say, RFID tags. That is why lightweight hash functions have been proposed.
ARMADILLO2 is a multi-purpose primitive intended to be used as a FIL-MAC (application I), for hashing and digital signatures (application II), and as a PRNG and PRF (application III). It has been broken by Naya-Plasencia and Peyrin, who managed to find collisions in very little time when it is used as a hash function.
DM-PRESENT is simply a Merkle-Damgård scheme where the compression function is the block cipher PRESENT in Davies-Meyer mode. DM-PRESENT-80 is based on PRESENT-80 and DM-PRESENT-128 on PRESENT-128. Such hash functions will only be of use in applications that require the one-way property and 64-bit security.
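Added example serving both the PRESENT slides and the DM-PRESENT paragraph above; it is not code from the talk, nor from the PRESENT or DM-PRESENT designers. PRESENT-80 is written out round by round as the SP-network the PRESENT slides describe (64-bit block, 80-bit key, 31 rounds of round-key XOR, 16 parallel 4-bit S-boxes and a bit permutation, then a final key XOR), and a DM-PRESENT-80 style hash is built on it: Merkle-Damgård iteration with PRESENT in Davies-Meyer mode, where the 80-bit message block is the cipher key, the 64-bit chaining value is the plaintext, and the result is fed forward by XOR. The cipher is checked against the test vectors of the PRESENT specification; the padding rule and the all-zero IV of the hash are assumptions (plain MD strengthening), not the DM-PRESENT paper's exact rule.

```python
"""PRESENT-80 block cipher round by round, plus a DM-PRESENT-80 style hash on top."""

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# pLayer: bit i of the state moves to position 16*i mod 63; bit 63 stays in place.
PBOX = [(16 * i) % 63 for i in range(63)] + [63]
ROUNDS = 31
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1


def round_keys_80(key):
    """PRESENT-80 key schedule: 32 round keys of 64 bits from the 80-bit register."""
    keys = []
    for i in range(1, ROUNDS + 2):
        keys.append(key >> 16)                          # round key = 64 leftmost bits
        key = ((key << 61) | (key >> 19)) & MASK80      # rotate the register left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))  # S-box on the top nibble
        key ^= i << 15                                  # XOR round counter into bits 19..15
    return keys


def sbox_layer(state):
    """16 identical 4-bit S-boxes applied to the 16 nibbles in parallel."""
    out = 0
    for j in range(16):
        out |= SBOX[(state >> (4 * j)) & 0xF] << (4 * j)
    return out


def p_layer(state):
    """Bit permutation layer."""
    out = 0
    for i in range(64):
        out |= ((state >> i) & 1) << PBOX[i]
    return out


def present80_encrypt(plain, key):
    """Encrypt one 64-bit block: 31 rounds of (round-key XOR, S-box layer, pLayer),
    then a final XOR with the 32nd round key."""
    keys = round_keys_80(key & MASK80)
    state = plain & MASK64
    for r in range(ROUNDS):
        state = p_layer(sbox_layer(state ^ keys[r]))
    return state ^ keys[ROUNDS]


def dm_present80_compress(h, m):
    """Davies-Meyer compression: the 80-bit message block m is the cipher key,
    the 64-bit chaining value h is the plaintext, and h is fed forward by XOR."""
    return present80_encrypt(h, m) ^ h


def dm_present80_hash(msg, iv=0):
    """Merkle-Damgard iteration over 10-byte (80-bit) message blocks.
    Padding is an assumption (standard MD strengthening): 0x80, zero bytes,
    then the 64-bit big-endian message length in bits."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % 10)
    padded += (8 * len(msg)).to_bytes(8, "big")
    h = iv
    for off in range(0, len(padded), 10):
        h = dm_present80_compress(h, int.from_bytes(padded[off:off + 10], "big"))
    return h


if __name__ == "__main__":
    # Test vector from the PRESENT specification: all-zero key and plaintext.
    print(f"{present80_encrypt(0, 0):016x}")           # 5579c1387b228445
    print(f"{dm_present80_hash(b'lightweight'):016x}")  # 64-bit digest
```

The toy makes the slide's "64-bit security" concrete: the chaining value and the digest are a single 64-bit block, so a generic birthday search for collisions costs about 2^32 compression calls, which is why DM-PRESENT-80 is only useful where one-wayness, not collision resistance, is required.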
GLUON is a T-sponge, meaning that it is a sponge with a non-injective update function. The said function is based on the software-oriented stream ciphers X-FCSR-v2 and F-FCSR-H-v3. The update function of GLUON-64 is many-to-one and has a behavior which is very different from that of a random function.
Lightweight Hash functions(continuation)
PHOTON is a P-sponge based on an AES-like permutation. The throughput figures given correspond to the throughput when outputting long messages, as these are the ones usually given. However, the figures for shorter messages are smaller (i.e. better) for PHOTON. The design of the permutation used to update the sponge is close to the LED cipher.
QUARK is a P-sponge with a hardware-oriented permutation inspired by the lightweight block ciphers KTANTAN and KATAN and the hardware-oriented stream cipher Grain. The smallest version (136-bit digest) is called U-QUARK, the middle one (176-bit digest) D-QUARK and the largest (256-bit digest) S-QUARK. A modified version, C-QUARK, can be used as an authenticated encryption scheme.
SPN-Hash. The main interest of this hash function is its provable security against differential collision attacks. It is a JH-like structure using, as its name indicates, an SPN-based permutation. The structure of the SPN is based on that of the AES. The padding used is the same as in strengthened Merkle-Damgård: the length of the message is appended to the last block.
SPONGENT can be seen as a P-sponge where the permutation is a modified version of the block cipher PRESENT; these primitives actually have several designers in common. The number of rounds of the PRESENT-like permutation ranges from 45 for SPONGENT-80 to 140 for SPONGENT-256. There is no attack on SPONGENT to the best of our knowledge, except for linear distinguishers of reduced-round versions.
Lightweight Public-key Cryptography
In 2006 Girault, Poupard and Stern proposed an “On the Fly Authentication and Signature Scheme Based on Groups of Unknown Order”. Crypto-GPS is standardized within the international standard ISO/IEC 9798-5.
Crypto-GPS offers a variety of parameters for different security-performance trade-offs. Though there are variants of the crypto-GPS scheme that are based on RSA-like moduli, the variant with elliptic curve operations is preferable, because it allows smaller keys.
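Added example, not code from the talk or from the GPS authors: the GPS identification exchange run as messages between a prover (the tag) and a verifier (the reader), so the property that makes it lightweight is visible: the prover's only on-line work is one plain integer computation y = r + s·c, with no modular reduction. The group is an assumption: a multiplicative group modulo a 61-bit prime stands in for the elliptic-curve group the slide recommends, and the parameter sizes are toy values far below anything ISO/IEC 9798-5 would allow; they are chosen only so the exchange runs instantly.

```python
"""GPS (Girault-Poupard-Stern) identification: commitment, challenge, response, check."""
import secrets

# Toy group (assumption): multiplicative group mod a Mersenne prime, base element G.
P = (1 << 61) - 1
G = 3
# Toy parameter sizes (assumption): |s| secret bits, |c| challenge bits, k statistical margin.
S_BITS, C_BITS, K_BITS = 32, 16, 32


class Prover:
    """Holds the secret s; its public key is V = G^(-s) mod P."""

    def __init__(self):
        self.s = secrets.randbits(S_BITS)
        self.public = pow(pow(G, self.s, P), -1, P)   # G^(-s) mod P
        self.r = None

    def commit(self):
        # r is drawn from a range much larger than s*c so that y reveals nothing about s.
        self.r = secrets.randbits(S_BITS + C_BITS + K_BITS)
        return pow(G, self.r, P)                       # commitment x = G^r

    def respond(self, c):
        # The on-line step: integer multiply-add only, no modular reduction.
        return self.r + self.s * c


class Verifier:
    def __init__(self):
        self.c = None

    def challenge(self):
        self.c = secrets.randbits(C_BITS)
        return self.c

    def check(self, public, x, y):
        # Accept iff G^y * V^c == x, since G^(r + s*c) * G^(-s*c) = G^r.
        return (pow(G, y, P) * pow(public, self.c, P)) % P == x


def run_protocol(prover, verifier, tamper=0):
    """One identification round. `tamper` is added to the response to show
    that a modified reply is rejected; 0 runs the honest exchange."""
    x = prover.commit()            # prover  -> verifier: x
    c = verifier.challenge()       # verifier -> prover:  c
    y = prover.respond(c) + tamper # prover  -> verifier: y
    return verifier.check(prover.public, x, y)


if __name__ == "__main__":
    tag, reader = Prover(), Verifier()
    print("honest run accepted:", run_protocol(tag, reader))
    print("tampered run accepted:", run_protocol(tag, reader, tamper=1))
```

Two points worth noting for a constrained device: the commitment x = G^r is the expensive group operation and can be computed off-line ahead of time, which is what leaves only the integer multiply-add for the on-line step; and the range of r must comfortably exceed s·c, otherwise y would leak information about the secret s.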
Lightweight Public-key Cryptography
Conclusions
The rise of lightweight devices, such as RFID tags, has created new security and privacy challenges. Since these devices are so ubiquitous and their communication goes unnoticed, they can easily be abused.
Lightweight cryptographic primitives should...
– Have a short internal state (to lower area)
– Have a short processing time (to lower energy)
– Have a short output (to lower communication overhead)
Symmetric crypto with less than 1000 gates is feasible
– Cost is then dominated by memory
– Software: RAM usage is critical
Lightweight hash functions from 7000 to 2000 GE are feasible
– Collision resistance is then dominated by size
Lightweight public-key crypto with less than 10000 GE is feasible