Cryptographic Algorithms - Research Challenges
Bart Preneel
Balkancrypt, Sofia
Cryptographic Algorithms - Research Challenges
Prof. Bart Preneel
COSIC, KU Leuven, Belgium
Bart.Preneel(at)esat.kuleuven.be
http://homes.esat.kuleuven.be/~preneel
November 2013
http://www.ecrypt.eu.org
Context
(figure: timeline from the 1970s through the 1980s and 1990s onward, from crypto in HARDWARE, limited to government and the financial sector, to crypto in SOFTWARE, to crypto EVERYWHERE; items shown on the slide:)
• hardware: DES, 3DES; DES, RSA, DH, CBC-MAC
• provable security (PKC), ZK, ElGamal, ECC, stream ciphers; MD4, MD5
• provable security (SKC), key escrow, how to use RSA?, alternatives to RSA, PKI, AES, ID-based crypto
• software: GSM, PGP; C libraries (RSA, DH); SSL/TLS, IPsec, SSH, S/MIME; Java crypto libraries; WLAN
• everywhere: trusted computing, DRM, 3GPP, RFID, sensor nodes, …
Challenges for crypto
• security for 50-100 years
• authenticated encryption of Terabit/s networks
• ultra-low footprint/power/energy
(figure: secure software and hardware implementations; algorithm agility; performance, cost, security)
How are our cryptosystems broken?
• Get the plaintext:
– encryption switched off
– go to the server (PRISM)
• Collect metadata (e.g. data retention)
• Ask for the key
• Substitute the public key (SSL/TLS or SSH hijacking)
• Weak random number generators
• Side channel attacks
• Cryptanalysis

Outline
• Block ciphers
• Stream ciphers
• Hash functions
• Public-key cryptology
• Implementation issues
• Research challenges
AES (2001)
• FIPS 197 published in December 2001
– other standards: ISO, IETF, IEEE 802.11, …
• fast adoption in the market
– except for the financial sector
– NIST validation list: 2662 implementations
• http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
• 2003: AES-128 also for classified information and AES-192/256 for secret and top secret information!
[Shamir '07] AES may well be the last block cipher
Block ciphers
(figure: symmetric key lengths on a scale from 0 to 128 bits, with 72 bits marked as the boundary between insecure and secure and 96 bits marked "?"; ciphers placed by key length in bits and grouped by block size; the * and ** annotations are as on the original slide)
• 64-bit block: 3DES** (112-168), IDEA (128), MISTY1 (128), GOST* (256), KASUMI** (128 3G, 64 2G), HIGHT** (128), PRESENT (80-128), TEA (128), mCrypton (96-128), KATAN64 (80), KTANTAN64* (80), KLEIN* (64-96-128), DESXL (144), LED (64-128), PICCOLO (80-128), PRINCE (128)
• 96-bit block: SEA (96), PRINTcipher96 (160)
• 128-bit block: AES (128-192-256), CAMELLIA, RC6, CLEFIA
Cost of exhaustive key search:
• 56 bits: seconds with M$ 5
• 80 bits: 1 year with M$ 5
• 128 bits: 128 billion years with B$ 5
Low cost hw: throughput versus area [Bogdanov+08, Sugawara+08]
(figure: throughput in Kbps (0-600) versus area in gate equivalents (0-6000) at a 100 KHz clock; the technology node in multiples of 10 nm is given in parentheses; ciphers plotted: AES (13), AES (35), mCRYPTON96/128 (13), PRESENT128 (18), HIGHT (25), TEA (18), MISTY1 (18), CLEFIA (9), KATAN (18), TDEA (9), SEA (13), GOST (18), KTANTAN (18), PRINTcipher96 (18), PRESENT80 (18), LED128 (18), PICCOLO128)
Block ciphers: conclusions
• several mature block ciphers available
• security well understood
– in particular against statistical attacks (differential, linear) and structural attacks
• more work:
– key schedule and related-key attacks
– algebraic attacks
– structural trade-offs
• what are the limitations for lightweight ciphers?
– energy ↔ power
– software ↔ hardware
– key schedule ↔ hardcoded key
Authenticated encryption
• default modes: ECB/CBC/CFB/OFB and CTR
• needed for network security, but only fully understood by the crypto community around 2000 (too late)
• new standards:
– CCM: CTR + CBC-MAC [NIST SP 800-38C]
– GCM: CTR + GMAC [NIST SP 800-38D]
• both are suboptimal: new ideas needed
(figure: schemes IAPM, XECB, OCB, GCM, CCM, EAX, with a "patented" label; goals: associated data, parallelizable, online, provable security)

Authenticated encryption
• CBC with padding problematic for SSL/TLS and SSH
• AES-GCM: support by IETF, NIST, Cisco, Intel
• several technical problems - not robust
• faster scheme with better security: OCB
• patent problem
• CAESAR: open competition from 2013-2017 will come up with better solutions
• http://competitions.cr.yp.to/caesar.html
Self-Synchronising Stream Cipher (SSSC)
(figure: two identical halves, sender and receiver, each with a state initialised from K and IV, a next state function and an output function; the sender turns P into C and the receiver recovers P from C)
Stream ciphers
• historically very important (compact)
– LFSR-based: A5/1, E0 - practical attacks known
– software-oriented: RC4 - serious weaknesses
– block cipher in CTR or OFB (slower)
• today:
– many broken schemes
– (too many?) standards: SNOW 2.0, SNOW 3G, Enocoro, MUGI, Rabbit, DECIM, K2, ZUC, …

The eSTREAM Portfolio (September 2008)
• Software: HC-128, Rabbit, Salsa20/12, Sosemanuk
• Hardware: F-FCSR-H, Grain v1, MICKEY v2, Trivium
(in alphabetical order)
Cryptanalysis of RC4 in TLS and WPA
http://www.isg.rhul.ac.uk/tls/
[AlFardan-Bernstein-Paterson-Poettering-Schuldt '13]
• recover 220 out of 256 bytes of plaintexts after sending the same message 1 billion times
• some bytes can be recovered after "only" 16 million transmissions
• extensions can find more bytes
Related: Full Plaintext Recovery Attack on Broadcast RC4 [Isobe-Ohigashi-Watanabe-Morii '13]

RC4: weaknesses: bias in output bytes
[AlFardan+13] On the Security of RC4 in TLS
(figure: four slides showing the measured distribution of keystream bytes 1, 2, 3 and 4)
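As an added example (not code from the slides or from the AlFardan et al. paper), the block below measures the best-known single-byte RC4 keystream bias, Pr[Z_2 = 0] ≈ 2/256 rather than 1/256 (Mantin-Shamir), over random keys; it is the same kind of per-position bias that the plots above show and that the plaintext-recovery results build on. Key length (16 bytes), sample size and RNG seed are assumptions of the example.

```python
# Added example: empirically measure the RC4 second-byte bias Pr[Z_2 = 0] ~ 2/256.
# Textbook RC4 and seeded sampling only; 16-byte keys and sample sizes are assumed.
import random

def rc4_keystream(key: bytes, nbytes: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by the output loop (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(nbytes):                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def byte_value_counts(position: int, nkeys: int, seed: int = 1) -> list:
    """Histogram of the keystream byte at `position` (1-based, as on the
    slides) over `nkeys` random 16-byte keys; seeded so runs are reproducible."""
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(nkeys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        counts[rc4_keystream(key, position)[position - 1]] += 1
    return counts

def bias_ratio(position: int, value: int, nkeys: int = 12000) -> float:
    """Observed frequency of `value` at `position` divided by the uniform
    expectation 1/256: about 2.0 for (2, 0), about 1.0 for an unbiased byte."""
    return byte_value_counts(position, nkeys)[value] / (nkeys / 256)

if __name__ == "__main__":
    print("Pr[Z_2 = 0] relative to uniform:", round(bias_ratio(2, 0), 2))
    print("Pr[Z_2 = 1] relative to uniform:", round(bias_ratio(2, 1), 2))
```

Run against a broadcast setting, a bias of this size is exactly what lets the second plaintext byte be recovered from repeated encryptions of the same message under different keys.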
Low cost hw: throughput versus area [Bogdanov+08, Sugawara+08]
(figure: throughput in Kbps (0-900) versus area in gate equivalents (0-6000) at a 100 KHz clock, technology node in multiples of 10 nm in parentheses; the hardware stream ciphers GRAIN[8] (13), Trivium[8] (13), Enocoro80[8] (18), GRAIN (13) and Trivium (13) are plotted next to the block ciphers AES (13), AES (35), mCRYPTON96/128 (13), PRESENT128 (18), HIGHT (25), TEA (18), MISTY1 (18), CLEFIA (9), KATAN (18), TDEA (9), SEA (13), GOST (18), KTANTAN (18), PRINTcipher96 (18), PRESENT80 (18), PICCOLO128, LED128 (18))
Stream ciphers: conclusions
• at first sight not competitive
• but 64-bit block ciphers have 2^32 distinguishing attacks, while for hardware stream ciphers resistance up to 2^80 is required
• throughput for 2000-3000 gates is substantially higher
• 80-bit key has TMD trade-off
– e.g.: decrypting 1 of 2^30 sequences requires 2^50 precomputation, 2^40 time and 2^30 memory
– secret IV for block cipher in CBC mode; larger IV for stream cipher
• seem suitable for mobile/wireless data/video
Hash functions
(figure: a long input text is reduced by h to the short fixed-length value 1A3FD4128A198FB3CA345932; the input reads: "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).")
• aka MDC (manipulation detection code)
• protect short hash value rather than long text

Properties: bits and bytes [Watanabe '10]
(figure only)
Permutation (π) based: sponge (Keccak)
(figure: the state is split into an r-bit outer part H1, initialised to 0, and a c-bit inner part H2, initialised to 0; message blocks x1, x2, x3, x4 are XORed into H1 with a call to π after each (absorb), then output blocks h1, h2, … are read from H1 with a call to π between them (squeeze))
If the result has n bits, H1 has r bits (rate), H2 has c bits (capacity) and the permutation π is "ideal":
• collisions: min(2^(c/2), 2^(n/2))
• 2nd preimage: min(2^(c/2), 2^n)
• preimage: min(2^c, 2^n)
Keccak
• permutation: 1600 bits
• nominal version: 5x5 array of 64 bits; 24 rounds of 5 steps
• flexible output length and tree structure (Sakura) allowed by 2-byte encoding
• six versions in FIPS 202 (n = output length, c = capacity, r = rate):
– n=224; c = 512; r = 1088 (68%)
– n=256; c = 512; r = 1088 (68%)
– n=384; c = 1024; r = 576 (36%)
– n=512; c = 1024; r = 576 (36%)
– n=xxx; c = 256; r = 1344 (84%) SHAKE256
– n=xxx; c = 512; r = 1088 (68%) SHAKE512
Performance of hash functions - Bernstein
(figure: cycles/byte of hash functions on an Intel Core 2 Quad Q9550, 4 x 2833 MHz (2008); some values estimated; the chart also carries the label 2001)
Hash functions: conclusions
• cryptographic meltdown, but fortunately implications so far limited
• designers often too optimistic (usually need 2x more rounds)
• other weaknesses have been identified in the general approach to constructing hash functions
• SHA-3 seems a success; will coexist with SHA-2
• lightweight hash functions under development

Outline
• Context
• Block ciphers
• Stream ciphers
• Hash functions
• Public-key cryptology
• Implementation issues
• Research challenges
Factorisation records (RSA)
2009: 768 bits or 232 digits
2012: 1061 bits or 320 digits (2^1061 - 1)
(figure: record size in digits (0-350) versus year (1964-2012), with separate curves for general and special numbers; labels: 2000, 512 bits, 768 bits, 1061 bits, 2006, 2012; 1 digit ≈ 3.3 bits)
Widely used public-key systems rely on 3 problems from algebraic number theory
• Integer factorization: RSA (n = p.q)
• Discrete LOGarithm: Diffie-Hellman, DSA: y = g^x
• Elliptic Curve Discrete LOGarithm, ECDSA: Q = x.P
• Not so likely that NSA can break some specific ECC curves proposed by NIST

2013 breakthrough for DLOG in group of special form
Recent progress
(figure: public key crypto security on a scale from L(0), polynomial (weak), to L(1), exponential (strong))
• L(1): best ECC DLOG solvers
• L(1/2), 1981: factoring and DLOG
• L(1/3), 1984: factoring and (non-ECC) DLOG; stay here for 30 years
• L(1/4): DLOG for special numbers (Joux, Feb '13), with restriction on the groups (Barbulescu et al., Jun '13)
with
$L(\alpha) = \exp\big((\log_2 n)^{\alpha} (\log_2 \log_2 n)^{1-\alpha}\big)$
Special form DLOG record: 6168 bits [Joux '13]
Quantum computers?
• exponential parallelism: n coupled quantum bits give 2^n degrees of freedom!
• Shor 1994: perfect for factoring
• but: can a quantum computer be built?
If a large quantum computer can be built...
• all schemes based on factoring (RSA) and DLOG will be insecure
• same for elliptic curve cryptography
• symmetric key sizes: x2
• hash sizes: unchanged!
• alternatives: post-quantum crypto
– McEliece, NTRU, …
– so far it seems very hard to match the performance of current systems while keeping the security level against conventional attacks
Quantum
• 2001: 7-bit quantum computer factors 15
• 2007: two new 7-bit quantum computers
• 2012: 143 has been factored
• 2012: 10 to 15 years for a large quantum computer
Quantum Computing: An IBM Perspective
Steffen, M.; DiVincenzo, D. P.; Chow, J. M.; Theis, T. N.; Ketchen, M. B.
Quantum physics provides an intriguing basis for achieving computational power to address certain categories of mathematical problems that are completely intractable with machine computation as we know it today. We present a brief overview of the current theoretical and experimental works in the emerging field of quantum computing. The implementation of a functioning quantum computer poses tremendous scientific and technological challenges, but current rates of progress suggest that these challenges will be substantively addressed over the next ten years. We provide a sketch of a quantum computing system based on superconducting circuits, which are the current focus of our research. A realistic vision emerges concerning the form of a future scalable fault-tolerant quantum computer.
Key lengths for confidentiality
http://www.ecrypt.eu.org
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report

duration       symmetric   RSA    ECC
days/hours        50        512   100
5 years           73       1024   146
10-20 years      103       2048   206
30-50 years      141       4096   282

Assumptions: no quantum computers; no breakthroughs; limited budget
Implementation attacks
• measure: time, power, electromagnetic radiation, sound
• introduce faults (even in CPUs)
• combine with statistical analysis and cryptanalysis
• software: API attacks
• major impact on implementation cost
• theory: "leakage resilience"
Sun Tzu, The Art of War: In war, avoid what is strong and attack what is weak
L.R. Knudsen: "It is not cryptanalysis, it is vandalism"

Implementations: side channel attacks
(figure: side-channel traces labelled "First round of DES", "Expansion" and "RSA")
Implementations in embedded systems
(figure: two device stacks (CPU, crypto, MEM, JVM or KVM, JCA, Java, with CLK, Vcc and D/Q flip-flop symbols), one of them a SIM, providing identification, confidentiality and integrity; the design levels shown:)
• Protocol: wireless authentication protocol design
• Algorithm: embedded fingerprint matching algorithms, crypto algorithms
• Architecture: co-design, HW/SW, SOC
• Micro-architecture: coprocessor design
• Circuit: circuit techniques to combat side channel analysis attacks
Cipher design, biometrics. Technology aware solutions?
Slide credit: Prof. Ingrid Verbauwhede
Weaknesses of key generation
• Make sure that the key is generated using a random number generator with trapdoor
(figure: seed → pseudo-random number generator (PRNG) → key; the trapdoor allows one to predict keys)
Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator
• 1 of the 4 PRNGs in NIST SP 800-90A
• draft Dec. 2005; published 2006; revised 2012
• warnings:
– Dec 05: output not perfectly random [Gjøsteen]
– Mar 06: backdoor if one fails to choose P and Q at random but one chooses Q = d.P for a known d [Brown]
– May 06: flaw [Schoenmakers-Sidorenko]
Appendix: The security of Dual_EC_DRBG requires that the points P and Q be properly generated. To avoid using potentially weak points, the points specified in Appendix A.1 should be used.
Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator
• 10 Sept. 2013, NYT: "internal memos leaked by a former NSA contractor suggest that the NSA generated one of the random number generators used in a 2006 NIST standard - called the Dual EC DRBG standard - which contains a backdoor for the NSA."
• NSA Bullrun program: NSA has been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets."
Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator
• 9 Sept. 2013: NIST "strongly recommends" against the use of Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A.
• in light of community security concerns SP 800-90A reissued as draft standard, and reopening SP 800-90B/C for public comment
Why was the slowest and least secure of the 4 PRNGs chosen as the default algorithm in BSAFE?
On 7 Feb 2001 Bleichenbacher of Bell Labs found an attack on the PRNG building block of DSA (FIPS 186). Coincidence?
More PRNG flaws
• 1996: Netscape SSL [Goldberg-Wagner]
• 2008: Debian SSL [Bello]
• 2012: wireless routers [Heninger+], PGP/SSL [Lenstra+]
• 15 Aug. 2013: Android Java and OpenSSL PRNG flaw led to theft of bitcoins
16 Sept. 2013: Factoring RSA keys from certified smart cards: Coppersmith in the wild
[Bernstein-Chang-Cheng-Chou-Heninger-Lange-van Someren '13], IACR Cryptology ePrint Archive 2013: 599
184 keys from Taiwan Citizen Digital Certificate cards
card + OS: EAL 4+; FIPS 140-2 Level 2
Outline
• Context
• Block ciphers
• Stream ciphers
• Hash functions
• Public-key cryptology
• Implementation issues
• Research challenges

Challenges for crypto
• security for 50-100 years
• authenticated encryption of Terabit/s networks
• ultra-low footprint/power/energy
(figure: secure software and hardware implementations; algorithm agility; performance, cost, security)
Challenges for advanced crypto
• privacy enhancing technologies
• linking crypto with the physical world
– biometrics, physically unclonable functions
• (distributed) secure execution
• white-box cryptography
• cryptography in the encrypted domain
– searching in encrypted databases - data mining on health care data
– zero knowledge watermarking - intelligent media sharing
• perceptual hashing
• crypto for nanotechnology