KATAN and KTANTAN — A Family of Small and Efficient Hardware-Oriented Block Ciphers

  • Christophe De Cannière
  • Orr Dunkelman
  • Miroslav Knežević
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5747)


In this paper we propose a new family of very efficient hardware oriented block ciphers. The family contains six block ciphers divided into two flavors. All block ciphers share the 80-bit key size and security level. The first flavor, KATAN, is composed of three block ciphers, with 32, 48, or 64-bit block size. The second flavor, KTANTAN, contains the other three ciphers with the same block sizes, and is more compact in hardware, as the key is burnt into the device (and cannot be changed).

The smallest cipher of the entire family, KTANTAN32, can be implemented in 462 GE while achieving encryption speed of 12.5 KBit/sec (at 100 KHz). KTANTAN48, which is the version we recommend for RFID tags uses 588 GE, whereas KATAN64, the largest and most flexible candidate of the family, uses 1054 GE and has a throughput of 25.1 Kbit/sec (at 100 KHz).


Block Cipher Stream Cipher Round Function Algebraic Attack Linear Cryptanalysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Biham, E.: New Types of Cryptanalytic Attacks Using Related Keys. Journal of Cryptology 7(4), 229–246 (1994)CrossRefzbMATHGoogle Scholar
  2. 2.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, Heidelberg (1993)CrossRefzbMATHGoogle Scholar
  3. 3.
    Biryukov, A., Wagner, D.: Slide Attacks. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  4. 4.
    Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Courtois, N.T., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    De Canniére, C., Preneel, B.: Trivium Specifications, eSTREAM submission,
  7. 7.
    Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009); IACR ePrint report 2008/385CrossRefGoogle Scholar
  8. 8.
    Feldhofer, M., Wolfkerstorfer, J., Rijmen, V.: AES implementation on a grain of sand. In: IEE Proceedings of Information Security, vol. 152(1), pp. 13–20. IEE (2005)Google Scholar
  9. 9.
    Good, T., Benaissa, M.: Hardware results for selected stream cipher candidates. In: Preproceedings of SASC 2007, pp. 191–204 (2007)Google Scholar
  10. 10.
    Hämäläinen, P., Alho, T., Hännikäinen, M., Hämäläinen, T.D.: Design and Implementation of Low-Area and Low-Power AES Encryption Hardware Core. In: Ninth Euromicro Conference on Digital System Design: Architectures. IEEE Computer Society, Los Alamitos (2006)Google Scholar
  11. 11.
    Hell, M., Johansson, T., Meier, W.: Grain — A Stream Cipher for Constrained Environments, eSTREAM submission,
  12. 12.
    Hong, D., Sung, J., Hong, S.H., Lim, J.-I., Lee, S.-J., Koo, B.-S., Lee, C.-H., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J.-S., Chee, S.: HIGHT: A New Block Cipher Suitable for Low-Resource Device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    Indesteege, S., Keller, N., Dunkelman, O., Biham, E., Preneel, B.: A Practical Attack on KeeLoq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Langford, S.K., Hellman, M.E.: Differential-Linear Cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994)Google Scholar
  15. 15.
    Lim, C.H., Korkishko, T.: mCrypton – A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors. In: Song, J.-S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol. 3786, pp. 243–258. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Mentens, N., Genoe, J., Preneel, B., Verbauwhede, I.: A low-cost implementation of Trivium. In: Preproceedings of SASC 2008, pp. 197–204 (2008)Google Scholar
  17. 17.
    Microchip Technology Inc. KeeLoq® Authentication Products,
  18. 18.
    Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  19. 19.
    Poschmann, A., Leander, G., Schramm, K., Paar, C.: New Light-Weight DES Variants Suited for RFID Applications. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 196–210. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Rolfes, C., Poschmann, A., Leander, G., Paar, C.: Ultra-lightweight implementations for smart devices – security for 1000 gate equivalents. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 89–103. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Christophe De Cannière
    • 1
  • Orr Dunkelman
    • 1
    • 2
  • Miroslav Knežević
    • 1
  1. 1.Department of Electrical Engineering ESAT/SCD-COSIC and Interdisciplinary Center for Broad Band TechnologiesKatholieke Universiteit LeuvenLeuven-HeverleeBelgium
  2. 2.Département d’Informatique, CNRS, INRIAÉcole Normale SupérieureParisFrance

Personalised recommendations