Cryptographic Algorithms - Research Challenges

Dec 3, 2013

Cryptographic Algorithms - Research Challenges
Bart Preneel
Balkancrypt, Sofia
1
Cryptographic Algorithms -
Research Challenges
Prof. Bart Preneel
COSIC, KU Leuven, Belgium
Bart.Preneel(at)esat.kuleuven.be
http://homes.esat.kuleuven.be/~preneel
November 2013
http://www.ecrypt.eu.org
2
3
Context
(timeline figure: decades 70 / 80 / 90, with the rows HARDWARE, SOFTWARE and EVERYWHERE; entries listed in the order they appear)
HARDWARE: limited (govt + financial sector); DES, 3DES; DES, RSA, DH, CBC-MAC; provable security (PKC), ZK, ElGamal, ECC, stream ciphers; MD4, MD5; provable security (SKC); key escrow; how to use RSA?; alternatives to RSA; PKI; AES; ID-based crypto
SOFTWARE: GSM, PGP; C libraries (RSA, DH); SSL/TLS, IPsec, SSH, S/MIME; Java crypto libraries; WLAN
EVERYWHERE: trusted computing, DRM, 3GPP, RFID, sensor nodes

4
Challenges for crypto
• security for 50-100 years
• authenticated encryption of Terabit/s networks
• ultra-low footprint/power/energy
(figure: trade-off triangle between performance, cost and security; labels: secure software and hardware implementations, algorithm agility)
5
How are our cryptosystems broken?
• Get the plaintext:
– encryption switched off
– go to the server (PRISM)
• Collect metadata (e.g. data retention)
• Ask for the key
• Substitute the public key (SSL/TLS or SSH hijacking)
• Weak random number generators
• Side channel attacks
• Cryptanalysis
6
Outline
• Block ciphers
• Stream ciphers
• Hash functions
• Public-key cryptology
• Implementation issues
• Research challenges
7
AES (2001)
• FIPS 197 published in December 2001
– other standards: ISO, IETF, IEEE 802.11, …
• fast adoption in the market
– except for financial sector
– NIST validation list: 2662 implementations
• http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
• 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information!
[Shamir '07] AES may well be the last block cipher
8
Block ciphers
(figure: symmetric key lengths in bits on a scale 0 / 72 / 96 / 128, running from "insecure" through "secure" to "?"; ciphers grouped by block size, key length in bits in parentheses)
64-bit block: 3-DES** (112-168), IDEA (128), MISTY1 (128), GOST* (256), KASUMI** (128-3G, 64-2G), HIGHT** (128), PRESENT (80-128), TEA (128), mCrypton (96-128), KATAN64 (80), KTANTAN64* (80), KLEIN* (64-96-128), DESXL (144), LED (64-128), PICCOLO (80-128), PRINCE (128)
96-bit block: SEA (96), PRINTcipher-96 (160)
128-bit block: AES (128-192-256), CAMELLIA, RC6, CLEFIA
Cost of exhaustive key search:
56 bits: seconds with M$ 5
80 bits: 1 year with M$ 5
128 bits: 128 billion years with B$ 5
9
Low cost hw: throughput versus area
[Bogdanov+08,Sugawara+08]
(figure: throughput in Kbps (0-600) against gate equivalents (0-6000), 100 KHz clock; the number after each cipher is the technology in multiples of 10 nm)
AES (13), AES (35), mCRYPTON-96/128 (13), PRESENT-128 (18), HIGHT (25), TEA (18), MISTY1 (18), CLEFIA (9), KATAN (18), TDEA (9), SEA (13), GOST (18), KTANTAN (18), PRINTcipher-96 (18), PRESENT-80 (18), LED-128 (18), PICCOLO-128
10
Block ciphers: conclusions
• several mature block ciphers available
• security well understood
– in particular against statistical attacks (differential, linear) and structural attacks
• more work:
– key schedule and related key attacks
– algebraic attacks
– structural tradeoffs
• what are the limitations for lightweight ciphers?
– energy ↔ power
– software ↔ hardware
– key schedule ↔ hardcoded key
11
Authenticated encryption
• default modes: ECB/CBC/CFB/OFB and CTR
• needed for network security, but only fully understood by crypto community around 2000 (too late)
• new standards:
– CCM: CTR + CBC-MAC [NIST SP 800-38C]
– GCM: CTR + GMAC [NIST SP 800-38D]
• both are suboptimal: new ideas needed
(figure: schemes IAPM, XECB, OCB (these three marked "patented"), GCM, CCM, EAX)
goals:
• associated data
• parallelizable
• on-line
• provable security
12
Authenticated encryption
• CBC with padding problematic for SSL/TLS and SSH
• AES-GCM: support by IETF, NIST, Cisco, Intel
• several technical problems – not robust
• faster scheme with better security: OCB
• patent problem
• CAESAR: open competition from 2013-2017 will come up with better solutions
• http://competitions.cr.yp.to/caesar.html
13
Self-Synchronising Stream Cipher (SSSC)
(figure: sender and receiver side; on each side the state is set up from the key K and the IV by a state init, a next-state function is fed by the ciphertext C, and an output function produces the keystream that is combined with the plaintext P; since the state is derived from the ciphertext, the receiver re-synchronises after transmission errors)
14
Stream ciphers
• historically very important (compact)
– LFSR-based: A5/1, E0 – practical attacks known
– software-oriented: RC4 – serious weaknesses
– block cipher in CTR or OFB (slower)
• today:
– many broken schemes
– (too many?) standards: SNOW2.0, SNOW3G, Enocoro, MUGI, Rabbit, DECIM, K2, ZUC, …
15
The eSTREAM Portfolio
September 2008
Software: HC-128, Rabbit, Salsa20/12, Sosemanuk
Hardware: F-FCSR-H, Grain v1, MICKEY v2, Trivium
(in alphabetical order)
16
Cryptanalysis of RC4 in TLS and WPA
http://www.isg.rhul.ac.uk/tls/
[AlFardan-Bernstein-Paterson-Poettering-Schuldt'13]
• recover 220 out of 256 bytes of plaintexts after sending the same message 1 billion times
• some bytes can be recovered after “only” 16 million transmissions
• extensions can find more bytes
Related: Full Plaintext Recovery Attack on Broadcast RC4
[Isobe-Ohigashi-Watanabe-Morii '13]
17
RC4: weaknesses: bias in output bytes
[AlFardan+13] On the Security of RC4 in TLS
(figure: distribution of keystream byte 1)
18
RC4: weaknesses: bias in output bytes
[AlFardan+13] On the Security of RC4 in TLS
(figure: distribution of keystream byte 2)
19
RC4: weaknesses: bias in output bytes
[AlFardan+13] On the Security of RC4 in TLS
(figure: distribution of keystream byte 3)
20
RC4: weaknesses: bias in output bytes
[AlFardan+13] On the Security of RC4 in TLS
(figure: distribution of keystream byte 4)
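The plots on these four slides show single-byte biases in the early RC4 keystream. The best known one, due to Mantin and Shamir, is that the second keystream byte equals 0 with probability about 2/256 instead of 1/256. The Python below is an added example (not code from the slides or from the RHUL paper) that makes such a bias measurable: it runs textbook RC4 over many random 128-bit keys, histograms the first four keystream bytes, and reports the most over-represented value per position. Over-represented values are exactly what lets someone who sees the same plaintext encrypted many times recover it, which is the weakness the slides describe and the reason the only safe mitigation is to stop using RC4.

```python
import random


def rc4_keystream(key, n):
    """Textbook RC4 (KSA followed by PRGA), returning the first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = []
    for _ in range(n):                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return out


def keystream_histograms(num_keys, positions=4, key_len=16, seed=1):
    """counts[pos][value]: how often keystream byte pos (0-based) equals value
    over num_keys random keys. The seed makes the measurement repeatable."""
    rng = random.Random(seed)
    counts = [[0] * 256 for _ in range(positions)]
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        for pos, z in enumerate(rc4_keystream(key, positions)):
            counts[pos][z] += 1
    return counts


def strongest_bias(counts_for_pos, num_keys):
    """(value, observed probability x 256) of the most over-represented value.
    A perfectly uniform keystream byte would give roughly 1.0 for every value;
    the Mantin-Shamir bias gives about 2.0 for value 0 at the second byte."""
    value = max(range(256), key=lambda v: counts_for_pos[v])
    return value, 256 * counts_for_pos[value] / num_keys


if __name__ == "__main__":
    n = 24000
    hist = keystream_histograms(n)
    for pos in range(4):
        v, rel = strongest_bias(hist[pos], n)
        print(f"keystream byte {pos + 1}: value 0x{v:02x} occurs {rel:.2f}x as often as uniform")
```

24000 keys are enough to separate the second-byte bias from noise by several standard deviations; the smaller biases at other positions, as in the paper, need far more samples.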
21
Low cost hw: throughput versus area
[Bogdanov+08,Sugawara+08]
(figure: throughput in Kbps (0-900) against gate equivalents (0-6000), 100 KHz clock; the number after each cipher is the technology in multiples of 10 nm; stream ciphers now included)
block ciphers: AES (13), AES (35), mCRYPTON-96/128 (13), PRESENT-128 (18), HIGHT (25), TEA (18), MISTY1 (18), CLEFIA (9), KATAN (18), TDEA (9), SEA (13), GOST (18), KTANTAN (18), PRINTcipher-96 (18), PRESENT-80 (18), PICCOLO-128, LED-128 (18)
stream ciphers: GRAIN[8] (13), Trivium[8] (13), Enocoro-80[8] (18), GRAIN (13), Trivium (13)
22
Stream ciphers: conclusions
• at first sight not competitive
• but 64-bit block ciphers have 2^32 distinguishing attacks, while for hardware stream ciphers resistance up to 2^80 is required
• throughput for 2000-3000 gates is substantially higher
• 80-bit key has TMD trade-off
– e.g.: decrypting 1 of 2^30 sequences requires 2^50 precomputation, 2^40 time and 2^30 memory
– secret IV for block cipher in CBC mode; larger IV for stream cipher
• seem suitable for mobile/wireless data/video
23
Hash functions
(figure: the long input "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision)." is mapped by h to the short hash value 1A3FD4128A198FB3CA345932)
• aka MDC (manipulation detection code)
• protect short hash value rather than long text
24
Properties: bits and bytes
[Watanabe'10]
(figure not recoverable from the text)
25
Permutation (π) based: sponge (Keccak)
(figure: the state is split into an r-bit part H1 (rate) and a c-bit part H2 (capacity), both initialised to 0; absorb phase: message blocks x1, x2, x3, x4 are XORed into H1 with the permutation π applied after each block; squeeze phase: output blocks h1, h2 are read from H1 with π applied between them)
If the result has n bits, H1 has r bits (rate), H2 has c bits (capacity) and the permutation π is “ideal”:
collisions: min(2^{c/2}, 2^{n/2})
2nd preimage: min(2^{c/2}, 2^n)
preimage: min(2^c, 2^n)
26
Keccak
permutation: 1600 bits
nominal version:
• 5x5 array of 64 bits
• 24 rounds of 5 steps
27
• flexible output length and tree structure (Sakura) allowed by 2-byte encoding
• six versions (n = output length, c = capacity, r = rate)
– n=224; c = 512; r = 1088 (68%)
– n=256; c = 512; r = 1088 (68%)
– n=384; c = 1024; r = 576 (36%)
– n=512; c = 1024; r = 576 (36%)
– n=xxx; c = 256; r = 1344 (84%) SHAKE-256
– n=xxx; c = 512; r = 1088 (68%) SHAKE-512
FIPS 202
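To make the absorb/squeeze picture of slide 25 and the rate/capacity parameters above concrete, here is an added Python implementation of the sponge over Keccak-f[1600]; it is not code from the slides or from the Keccak team. It contains the five round steps, the pad10*1 rule with the domain-separation byte (0x06 for the SHA-3 hashes, 0x1F for SHAKE) and a sponge parameterised by capacity, and it is checked against Python's hashlib. One caveat: hashlib implements the final FIPS 202 parameters, in which SHA3-n uses c = 2n and the extendable-output functions with c = 256 and c = 512 are named SHAKE128 and SHAKE256; the c = 512 for n = 224 and the SHAKE-256/SHAKE-512 names on the slide are the 2013 proposal that preceded the final standard, so the test compares the c = 2n instances.

```python
import hashlib

MASK64 = (1 << 64) - 1

# Rotation offsets of the rho step, indexed [x][y] as in the Keccak reference.
RHO = [[0, 36, 3, 41, 18],
       [1, 44, 10, 45, 2],
       [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56],
       [27, 20, 39, 8, 14]]


def _rol(v, n):
    """Rotate a 64-bit lane left by n bits."""
    return ((v << n) | (v >> (64 - n))) & MASK64


def _round_constants():
    """The 24 iota round constants, generated from Keccak's 8-bit LFSR (x^8+x^6+x^5+x^4+1)."""
    rcs, r = [], 1
    for _ in range(24):
        rc = 0
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                rc ^= 1 << ((1 << j) - 1)
        rcs.append(rc)
    return rcs


RC = _round_constants()


def keccak_f1600(a):
    """Keccak-f[1600]: 24 rounds of theta, rho, pi, chi, iota on a 5x5 array of 64-bit lanes a[x][y]."""
    for rc in RC:
        # theta: XOR each lane with the parity of two neighbouring columns
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho (rotate each lane) and pi (move lane (x, y) to (y, 2x + 3y)) in one pass
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], RHO[x][y])
        # chi: the only non-linear step, a 5-bit S-box applied along each row
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        # iota: break the symmetry between rounds
        a[0][0] ^= rc
    return a


def _permute(state):
    """Apply Keccak-f[1600] to a 200-byte state; lane (x, y) is little-endian at byte 8*(x + 5*y)."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    lanes = keccak_f1600(lanes)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out


def sponge(capacity_bits, data, suffix, out_len):
    """Absorb data at rate r = 1600 - c bits, then squeeze out_len bytes.

    suffix is the domain-separation byte placed before the pad10*1 padding:
    0x06 for the SHA-3 hashes, 0x1F for the SHAKE extendable-output functions.
    """
    rate = (1600 - capacity_bits) // 8
    msg = bytearray(data) + bytes([suffix])
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80                        # final 1 bit of pad10*1
    state = bytearray(200)
    for off in range(0, len(msg), rate):   # absorb: XOR each block into the rate part (H1)
        for i in range(rate):
            state[i] ^= msg[off + i]
        state = _permute(state)
    out = bytearray()
    while len(out) < out_len:              # squeeze: read the rate part, permute for more
        out += state[:rate]
        state = _permute(state)
    return bytes(out[:out_len])


def sha3(n_bits, data):
    """SHA3-n as standardised in FIPS 202: capacity c = 2n, n-bit output."""
    return sponge(2 * n_bits, data, 0x06, n_bits // 8)


def shake(capacity_bits, data, out_len):
    """SHAKE with the given capacity (256 is hashlib's shake_128, 512 is shake_256)."""
    return sponge(capacity_bits, data, 0x1F, out_len)
```

The capacity never leaves the state during absorb or squeeze, which is where the collision bound min(2^{c/2}, 2^{n/2}) on slide 25 comes from; the suffix byte is what keeps SHA3-256 and SHAKE256 outputs unrelated even for identical input and parameters.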
28
Performance of hash functions - Bernstein
(figure: cycles/byte on an Intel Core 2 Quad Q9550, 4 x 2833MHz (2008); chart labels "(estimated)" and "2001")
29
Hash functions: conclusions
• cryptographic meltdown, but fortunately implications so far limited
• designers often too optimistic (usually need 2x more rounds)
• other weaknesses have been identified in the general approach to constructing hash functions
• SHA-3 seems a success; will co-exist with SHA-2
• lightweight hash functions under development
30
Outline
• Context
• Block ciphers
• Stream ciphers
• Hash functions
• Public-key cryptology
• Implementation issues
• Research challenges
31
Factorisation records (RSA)
2009: 768 bits or 232 digits
2012: 1061 bits or 320 digits (2^1061 - 1)
(figure: record size in digits (0-350) per year (1964-2012), separate series for general and special numbers; 1 digit ~ 3.3 bits; points labelled 512 bits, 768 bits, 1061 bits and years 2000, 2006, 2012)
32
Widely used public-key systems rely on 3 problems from algebraic number theory
• Integer factorization: RSA (n = p.q)
• Discrete LOGarithm: Diffie-Hellman, DSA: y = g^x
• Elliptic Curve Discrete LOGarithm, ECDSA: Q = x.P
• Not so likely that NSA can break some specific ECC curves proposed by NIST
33
2013 breakthrough for DLOG in group of special form
34
Recent progress
(figure: public key crypto security on a scale from L(0), polynomial (weak), to L(1), exponential (strong), where
L(\alpha) = \exp\big((\log_2 n)^{\alpha} (\log_2 \log_2 n)^{1-\alpha}\big)
)
L(1) — best ECC DLOG solvers
L(1/2) — 1981, factoring and DLOG
L(1/3) — 1984, factoring and (non-ECC) DLOG stay here for 30 years
L(1/4) — DLOG special numbers (Joux Feb '13), with restriction on the groups (Barbulescu et al. in Jun '13)
Special form DLOG record: 6168 bits [Joux'13]
35
Quantum computers?
• exponential parallelism
• Shor 1994: perfect for factoring
• but: can a quantum computer be built?
n coupled quantum bits: 2^n degrees of freedom!
36
If a large quantum computer can be built...
• all schemes based on factoring (RSA) and DLOG will be insecure
• same for elliptic curve cryptography
• symmetric key sizes: x2
• hash sizes: unchanged!
• alternatives: post-quantum crypto
– McEliece, NTRU, …
– so far it seems very hard to match performance of current systems while keeping the security level against conventional attacks
37
Quantum
• 2001: 7-bit quantum computer factors 15
• 2007: two new 7-bit quantum computers
• 2012: 143 has been factored
• 2012: 10 to 15 years for a large quantum computer
Quantum Computing: An IBM Perspective
Steffen, M.; DiVincenzo, D. P.; Chow, J. M.; Theis, T. N.; Ketchen, M. B.
Quantum physics provides an intriguing basis for achieving computational power to address certain categories of mathematical problems that are completely intractable with machine computation as we know it today. We present a brief overview of the current theoretical and experimental works in the emerging field of quantum computing. The implementation of a functioning quantum computer poses tremendous scientific and technological challenges, but current rates of progress suggest that these challenges will be substantively addressed over the next ten years. We provide a sketch of a quantum computing system based on superconducting circuits, which are the current focus of our research. A realistic vision emerges concerning the form of a future scalable fault-tolerant quantum computer.
38
Key lengths for confidentiality
http://www.ecrypt.eu.org
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
duration       symmetric   RSA    ECC
days/hours        50        512   100
5 years           73       1024   146
10-20 years      103       2048   206
30-50 years      141       4096   282
(key sizes in bits)
Assumptions: no quantum computers; no breakthroughs; limited budget
39
Implementation attacks
• measure: time, power, electromagnetic radiation, sound
• introduce faults (even in CPUs)
• combine with statistical analysis and cryptanalysis
• software: API attacks
• major impact on implementation cost
• theory: “leakage resilience”
Sun Tzu, The Art of War:
In war, avoid what is strong and attack what is weak
L.R. Knudsen: "It is not cryptanalysis, it is vandalism"
40
Implementations: side channel attacks
(figure: side-channel traces labelled "First round of DES", "Expansion" and "RSA")
41
Implementations in embedded systems
(figure: two embedded platform stacks (CPU, Crypto, MEM, JCA, Java, JVM/KVM, CLK, Vcc, D/Q flip-flop) with the goals Identification, Confidentiality, Integrity and SIM, and the design levels listed below)
Cipher Design, Biometrics
Protocol: wireless authentication protocol design
Algorithm: embedded fingerprint matching algorithms, crypto algorithms
Architecture: co-design, HW/SW, SOC
Micro-Architecture: co-processor design
Circuit: circuit techniques to combat side channel analysis attacks
Slide credit: Prof. Ingrid Verbauwhede
Technology aware solutions?
42
Weaknesses of key generation
• Make sure that the key is generated using a random number generator with trapdoor
(figure: seed → pseudo-random number generator (PRNG) → keys; the trapdoor allows to predict keys)
43
Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator
• 1 of the 4 PRNGs in NIST SP 800-90A
• draft Dec. 2005; published 2006; revised 2012
• warnings
• Dec 05: output not perfectly random [Gjøsteen]
• Mar 06: backdoor if one fails to choose P and Q at random but one chooses Q = d.P for a known d [Brown]
• May 06: flaw [Schoenmakers-Sidorenko]
Appendix: "The security of Dual_EC_DRBG requires that the points P and Q be properly generated. To avoid using potentially weak points, the points specified in Appendix A.1 should be used."
44
Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator
• 10 Sept. 2013, NYT: "internal memos leaked by a former NSA contractor suggest that the NSA generated one of the random number generators used in a 2006 NIST standard — called the Dual EC DRBG standard — which contains a backdoor for the NSA."
• NSA Bullrun program: NSA has been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets."
45
Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator
• 9 Sept. 2013: NIST "strongly recommends" against the use of Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A.
• in light of community security concerns SP 800-90A reissued as draft standard, and re-opening SP 800-90B/C for public comment
Why was the slowest and least secure of the 4 PRNGs chosen as the default algorithm in BSAFE?
On 7 Feb 2001 Bleichenbacher of Bell Labs found an attack on the PRNG building block of DSA (FIPS 186). Coincidence?
46
More PRNG flaws
• 1996: Netscape SSL [Goldberg-Wagner]
• 2008: Debian SSL [Bello]
• 2012: wireless routers [Heninger+], PGP/SSL [Lenstra+]
• 15 Aug. 2013: Android Java and OpenSSL PRNG flaw led to theft of bitcoins
16 Sept. 2013 Factoring RSA keys from certified smart cards: Coppersmith in the wild
[Bernstein-Chang-Cheng-Chou-Heninger-Lange-van Someren'13]
IACR Cryptology ePrint Archive 2013: 599
184 keys from Taiwan Citizen Digital Certificate cards
card + OS: EAL 4+; FIPS 140-2 Level 2
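The 2012 results of Heninger+ and Lenstra+ came from scanning large collections of public keys for RSA moduli that share a prime factor, which is what a key generator seeded with too little entropy produces. The Python below is an added example (not code from the slides or from either paper) of the batch GCD technique used for that scan, which a defender can run over an inventory of their own certificates: it builds a product tree and a remainder tree so that every modulus is tested against the product of all the others in quasi-linear time. The moduli are constructed from small primes so the example runs instantly; real moduli are 1024 bits and more, and the same code handles them.

```python
import math


def is_prime(n):
    """Trial division; sufficient for the small constructed primes used below."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def batch_gcd(moduli):
    """Batch GCD: for every N_i return gcd(N_i, product of all other N_j).

    A product tree multiplies the moduli pairwise up to their overall product Z;
    a remainder tree walks back down computing Z mod N_i^2 for each leaf, and
    (Z mod N_i^2) // N_i equals (Z / N_i) mod N_i. This is quasi-linear in the
    total input size, instead of one gcd for every pair of keys.
    """
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    rems = levels[-1]                               # the root: product of all moduli
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_shared_factors(moduli):
    """Map index -> a prime factor, for every modulus that shares a prime with another key."""
    weak = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if 1 < g < n:
            weak[i] = g
        elif g == n:
            # both primes are shared with other keys (or the key is duplicated):
            # fall back to ordinary gcds against the other moduli to split N
            for m in moduli:
                h = math.gcd(n, m)
                if 1 < h < n:
                    weak[i] = h
                    break
            else:
                weak[i] = n                         # identical modulus appears more than once
    return weak


# Constructed inventory: seven small primes, five moduli. Two of the keys reuse
# primes from the others, as a low-entropy PRNG at key generation time would cause.
SAMPLE_PRIMES = [999983, 1000003, 1000033, 1000037, 1000039, 1000081, 1000099]
P = SAMPLE_PRIMES
SAMPLE_MODULI = [P[0] * P[1], P[2] * P[3], P[0] * P[4], P[5] * P[6], P[2] * P[4]]

if __name__ == "__main__":
    for i, f in sorted(find_shared_factors(SAMPLE_MODULI).items()):
        print(f"modulus #{i} is factorable: it shares the prime {f} with another key")
```

On a real inventory the moduli are read out of the certificates first; any key that comes back with a non-trivial result must be treated as compromised, revoked, and regenerated on a device whose generator is properly seeded, since whoever else holds the other certificate can recover the private key the same way.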
47
Outline
• Context
• Block ciphers
• Stream ciphers
• Hash functions
• Public-key cryptology
• Implementation issues
• Research challenges
48
Challenges for crypto
• security for 50-100 years
• authenticated encryption of Terabit/s networks
• ultra-low footprint/power/energy
(figure: trade-off triangle between performance, cost and security; labels: secure software and hardware implementations, algorithm agility)
49
Challenges for advanced crypto
• privacy enhancing technologies
• linking crypto with physical world
– biometrics, physically uncloneable functions
• (distributed) secure execution
• whitebox cryptography
• cryptography in the encrypted domain
– searching in encrypted databases – data mining on health care data
– zero knowledge watermarking – intelligent media sharing
• perceptual hashing
• crypto for nanotechnology