Cryptographic Algorithms - Research Challenges

Bart Preneel

Balkancrypt, Sofia

Cryptographic Algorithms - Research Challenges

Prof. Bart Preneel

COSIC, KU Leuven, Belgium

Bart.Preneel(at)esat.kuleuven.be

http://homes.esat.kuleuven.be/~preneel

November 2013

http://www.ecrypt.eu.org


Context

(Timeline figure, 1970s, 1980s, 1990s and beyond.)

Deployment: HARDWARE (limited: govt+financial sector) -> SOFTWARE -> EVERYWHERE

Algorithms and topics: DES, 3DES; DES, RSA, DH, CBC-MAC; provable security (PKC), ZK, ElGamal, ECC, stream ciphers; MD4, MD5; provable security (SKC); key escrow; how to use RSA?; alternatives to RSA; PKI; AES; ID-based crypto

Applications: GSM, PGP; C libraries (RSA, DH); SSL/TLS, IPsec, SSH, S/MIME; Java crypto libraries; WLAN; trusted computing, DRM, 3GPP, RFID, sensor nodes, …

Challenges for crypto

• security for 50-100 years

• authenticated encryption of Terabit/s networks

• ultra-low footprint/power/energy

• secure software and hardware implementations

• algorithm agility

(Figure: trade-off triangle between performance, cost and security.)

How are our cryptosystems broken?

• Get the plaintext:

– encryption switched off

– go to the server (PRISM)

• Collect metadata (e.g. data retention)

• Ask for the key

• Substitute the public key (SSL/TLS or SSH hijacking)

• Weak random number generators

• Side channel attacks

• Cryptanalysis


Outline

• Block ciphers

• Stream ciphers

• Hash functions

• Public-key cryptology

• Implementations issues

• Research challenges


AES (2001)

• FIPS 197 published in December 2001

– other standards: ISO, IETF, IEEE 802.11,…

• fast adoption in the market

– except for financial sector

– NIST validation list: 2662 implementations

• http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html

• 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information!

[Shamir ’07] AES may well be the last block cipher

Block ciphers

(Figure: symmetric key lengths on an axis 0 / 72 / 96 / 128 bits, labelled insecure / ? / secure; ciphers grouped by block size.)

64-bit block: 3-DES** (112-168), IDEA (128), MISTY1 (128), GOST* (256), KASUMI** (128-3G, 64-2G), HIGHT** (128), PRESENT (80-128), TEA (128), mCrypton (96-128), KATAN64 (80), KTANTAN64* (80), KLEIN* (64-96-128), DESXL (144), LED (64-128), PICCOLO (80-128), PRINCE (128)

96-bit block: SEA (96), PRINTcipher-96 (160)

128-bit block: AES (128-192-256), CAMELLIA, RC6, CLEFIA

Key search cost: 56 bits: seconds with M$ 5; 80 bits: 1 year with M$ 5; 128 bits: 128 billion years with B$ 5

Low cost hw: throughput versus area [Bogdanov+08, Sugawara+08]

(Figure: throughput (Kbps, 0-600) versus gate equivalents (0-6000); 100 KHz clock; technology in multiples of 10 nm given in parentheses.)

Plotted: AES (13), AES (35), mCRYPTON-96/128 (13), PRESENT-128 (18), HIGHT (25), TEA (18), MISTY1 (18), CLEFIA (9), KATAN (18), TDEA (9), SEA (13), GOST (18), KTANTAN (18), PRINTcipher-96 (18), PRESENT-80 (18), LED-128 (18), PICCOLO-128

Block ciphers: conclusions

• several mature block ciphers available

• security well understood

– in particular against statistical attacks (differential, linear) and structural attacks

• more work:

– key schedule and related key attacks

– algebraic attacks

– structural tradeoffs

• what are the limitations for lightweight ciphers?

– energy ↔ power

– software ↔ hardware

– key schedule ↔ hardcoded key

Authenticated encryption

• default modes: ECB/CBC/CFB/OFB and CTR

• needed for network security, but only fully understood by crypto community around 2000 (too late)

• new standards:

– CCM: CTR + CBC-MAC [NIST SP 800-38C]

– GCM: CTR + GMAC [NIST SP 800-38D]

• both are suboptimal: new ideas needed

Schemes: IAPM, XECB, OCB (patented); GCM, CCM, EAX

goals:

• associated data

• parallelizable

• on-line

• provable security

Authenticated encryption

• CBC with padding problematic for SSL/TLS and SSH

• AES-GCM: support by IETF, NIST, Cisco, Intel

• several technical problems – not robust

• faster scheme with better security: OCB

• patent problem

• CAESAR: open competition from 2013-2017 will come up with better solutions

• http://competitions.cr.yp.to/caesar.html

Self-Synchronising Stream Cipher (SSSC)

(Figure: two block diagrams, encryption and decryption; each has a state initialised from K and IV ("state init"), a "next state function" and an "output function", with plaintext P and ciphertext C.)

Stream ciphers

• historically very important (compact)

– LFSR-based: A5/1, E0 – practical attacks known

– software-oriented: RC4 – serious weaknesses

– block cipher in CTR or OFB (slower)

• today:

– many broken schemes

– (too many?) standards: SNOW2.0, SNOW3G, Enocoro, MUGI, Rabbit, DECIM, K2, ZUC,..

The eSTREAM Portfolio (September 2008)

Software: HC-128, Rabbit, Salsa20/12, Sosemanuk

Hardware: F-FCSR-H, Grain v1, MICKEY v2, Trivium

(In alphabetical order)

Cryptanalysis of RC4 in TLS and WPA

[AlFardan-Bernstein-Paterson-Poettering-Schuldt’13] http://www.isg.rhul.ac.uk/tls/

• recover 220 out of 256 bytes of plaintexts after sending the same message 1 billion times

• some bytes can be recovered after “only” 16 million transmissions

• extensions can find more bytes

Related: Full Plaintext Recovery Attack on Broadcast RC4 [Isobe-Ohigashi-Watanabe-Morii ‘13]

RC4: weaknesses: bias in output bytes

[AlFardan+13] On the Security of RC4 in TLS

(Figures: measured distribution of RC4 keystream bytes 1, 2, 3 and 4, one per slide.)


Low cost hw: throughput versus area [Bogdanov+08, Sugawara+08]

(Figure: throughput (Kbps, 0-900) versus gate equivalents (0-6000); 100 KHz clock; technology in multiples of 10 nm given in parentheses.)

Plotted block ciphers: AES (13), AES (35), mCRYPTON-96/128 (13), PRESENT-128 (18), HIGHT (25), TEA (18), MISTY1 (18), CLEFIA (9), KATAN (18), TDEA (9), SEA (13), GOST (18), KTANTAN (18), PRINTcipher-96 (18), PRESENT-80 (18), PICCOLO-128, LED-128 (18)

Plotted stream ciphers: GRAIN[8] (13), Trivium[8] (13), Enocoro-80[8] (18), GRAIN (13), Trivium (13)

Stream ciphers: conclusions

• at first sight not competitive

• but 64-bit block ciphers have 2^32 distinguishing attacks, while for hardware stream ciphers resistance up to 2^80 is required

• throughput for 2000-3000 gates is substantially higher

• 80-bit key has TMD trade-off

– e.g.: decrypting 1 of 2^30 sequences requires 2^50 precomputation, 2^40 time and 2^30 memory

– secret IV for block cipher in CBC mode; larger IV for stream cipher

• seem suitable for mobile/wireless data/video

Hash functions

Input: "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision)."

Output h: 1A3FD4128A198FB3CA345932

• aka MDC (manipulation detection code)

• protect short hash value rather than long text

Properties: bits and bytes [Watanabe’10]

Permutation (π) based: sponge (Keccak)

(Figure: absorb phase: message blocks x1, x2, x3, x4 are xored into the r-bit part of the state (H1, initially 0) and π is applied after each block; the c-bit part (H2, initially 0) receives no input directly. Squeeze phase: output blocks h1, h2, … are read from the r-bit part, with π applied between them.)

if result has n bits, H1 has r bits (rate), H2 has c bits (capacity) and the permutation π is “ideal”:

collisions: min(2^(c/2), 2^(n/2))

2nd preimage: min(2^(c/2), 2^n)

preimage: min(2^c, 2^n)

Keccak

permutation: 1600 bits

nominal version:

• 5x5 array of 64 bits

• 24 rounds of 5 steps

• flexible output length and tree structure (Sakura) allowed by 2-byte encoding

• six versions (n=output length, c = capacity; r = rate)

– n=224; c = 512; r = 1088 (68%)

– n=256; c = 512; r = 1088 (68%)

– n=384; c = 1024; r = 576 (36%)

– n=512; c = 1024; r = 576 (36%)

– n=xxx; c = 256; r = 1344 (84%) SHAKE-256

– n=xxx; c = 512; r = 1088 (68%) SHAKE-512

FIPS 202


Performance of hash functions - Bernstein

(cycles/byte) Intel Core 2 Quad Q9550; 4 x 2833MHz (2008)

(Figure: cycles/byte per hash function; labels include "(estimated)" and "2001".)

Hash functions: conclusions

• cryptographic meltdown but fortunately implications so far limited

• designers often too optimistic (usually need 2x more rounds)

• other weaknesses have been identified in the general approach to constructing hash functions

• SHA-3 seems a success; will co-exist with SHA-2

• lightweight hash functions under development

Outline

• Context

• Block ciphers

• Stream ciphers

• Hash functions

• Public-key cryptology

• Implementations issues

• Research challenges


Factorisation records (RSA)

2009: 768 bits or 232 digits

2012: 1061 bits or 320 digits (2^1061 - 1)

(Figure: record size in digits (0-350) versus year (1964-2012), separate curves for general and special numbers; 1 digit ~3.3 bits; labels: 2000, 2006, 2012; 512 bits, 768 bits, 1061 bits.)

Widely used public-key systems rely on 3 problems from algebraic number theory

• Integer factorization: RSA (n = p.q)

• Discrete LOGarithm: Diffie-Hellman, DSA: y = g^x

• Elliptic Curve Discrete LOGarithm, ECDSA: Q = x.P

• Not so likely that NSA can break some specific ECC curves proposed by NIST

2013 breakthrough for DLOG in group of special form

Recent progress

L(α) = exp((log₂ n)^α (log₂ log₂ n)^(1-α))

(Figure: axis from L(0), polynomial (weak), to L(1), (strong) exponential.)

L(1/2) — 1981: Factoring and DLOG

L(1/3) — 1984: Factoring and (Non-ECC) DLOG; stay here for 30 years

L(1/4) — DLOG special numbers (Joux Feb’13), with restriction on the groups (Barbulescu et al. in Jun’13)

L(1) — best ECC DLOG solvers

Public key crypto security

Special form DLOG record: 6168 bits [Joux’13]

Quantum computers?

• exponential parallelism

• Shor 1994: perfect for factoring

• but: can a quantum computer be built?

n coupled quantum bits: 2^n degrees of freedom!

If a large quantum computer can be built...

• all schemes based on factoring (RSA) and DLOG will be insecure

• same for elliptic curve cryptography

• symmetric key sizes: x2

• hash sizes: unchanged!

• alternatives: post-quantum crypto

– McEliece, NTRU,…

– so far it seems very hard to match performance of current systems while keeping the security level against conventional attacks

• 2001: 7-bit quantum computer factors 15

• 2007: two new 7-bit quantum computers

• 2012: 143 has been factored

• 2012: 10 to 15 years for a large quantum computer

Quantum Computing: An IBM Perspective

Steffen, M.; DiVincenzo, D. P.; Chow, J. M.; Theis, T. N.; Ketchen, M. B.

Quantum physics provides an intriguing basis for achieving computational power to address certain categories of mathematical problems that are completely intractable with machine computation as we know it today. We present a brief overview of the current theoretical and experimental works in the emerging field of quantum computing. The implementation of a functioning quantum computer poses tremendous scientific and technological challenges, but current rates of progress suggest that these challenges will be substantively addressed over the next ten years. We provide a sketch of a quantum computing system based on superconducting circuits, which are the current focus of our research. A realistic vision emerges concerning the form of a future scalable fault-tolerant quantum computer.

Key lengths for confidentiality

http://www.ecrypt.eu.org

http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report

duration        symmetric    RSA    ECC
days/hours           50       512    100
5 years              73      1024    146
10-20 years         103      2048    206
30-50 years         141      4096    282

Assumptions: no quantum computers; no breakthroughs; limited budget

Implementation attacks

• measure: time, power, electromagnetic radiation, sound

• introduce faults (even in CPUs)

• combine with statistical analysis and cryptanalysis

• software: API attacks

• major impact on implementation cost

• theory: “leakage resilience”

Sun Tzu, The Art of War: In war, avoid what is strong and attack what is weak

L.R. Knudsen: "It is not cryptanalysis, it is vandalism"

Implementations: side channel attacks

(Figures: side-channel traces of the first round of DES (expansion) and of RSA.)

Implementations in embedded systems

(Figure: a SIM-card style embedded system drawn as a stack from circuit level (D/Q flip-flop, Vcc, CLK) through CPU, MEM and crypto co-processor, Java with JVM/KVM and JCA, up to the services identification, confidentiality and integrity.)

Cipher Design, Biometrics

Protocol: Wireless authentication protocol design

Algorithm: Embedded fingerprint matching algorithms, crypto algorithms

Architecture: Co-design, HW/SW, SOC

Circuit: Circuit techniques to combat side channel analysis attacks

Micro-Architecture: co-processor design

Slide credit: Prof. Ingrid Verbauwhede

Technology aware solutions?

Weaknesses of key generation

• Make sure that the key is generated using a random number generator with trapdoor

(Figure: seed -> pseudo-random number generator (PRNG); trapdoor allows to predict keys)

Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator

• 1 of the 4 PRNGs in NIST SP 800-90A

• draft Dec. 2005; published 2006; revised 2012

• warnings

– Dec 05: output not perfectly random [Gjøsteen]

– Mar 06: backdoor if one fails to choose P and Q at random but one chooses Q = d.P for a known d [Brown]

– May 06: flaw [Schoenmakers-Sidorenko]

Appendix: The security of Dual_EC_DRBG requires that the points P and Q be properly generated. To avoid using potentially weak points, the points specified in Appendix A.1 should be used.

Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator

• 10 Sept. 2013, NYT: "internal memos leaked by a former NSA contractor suggest that the NSA generated one of the random number generators used in a 2006 NIST standard —called the Dual EC DRBG standard —which contains a backdoor for the NSA."

• NSA Bullrun program: NSA has been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets."

Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator

• 9 Sept. 2013: NIST “strongly recommends" against the use of dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A.

• in light of community security concerns SP 800-90A reissued as draft standard, and re-opening SP800-90B/C for public comment

Why was the slowest and least secure of the 4 PRNGs chosen as the default algorithm in BSAFE?

On 7 Feb 2001 Bleichenbacher of Bell Labs found an attack on the PRNG building block of DSA (FIPS 186). Coincidence?

More PRNG flaws

• 1996: Netscape SSL [Goldberg-Wagner]

• 2008: Debian SSL [Bello]

• 2012: wireless routers [Heninger+], PGP/SSL [Lenstra+]

• 15 Aug. 2013: Android Java and OpenSSL PRNG flaw led to theft of bitcoins

16 Sept. 2013: Factoring RSA keys from certified smart cards: Coppersmith in the wild [Bernstein-Chang-Cheng-Chou-Heninger-Lange-van Someren’13], IACR Cryptology ePrint Archive 2013: 599

184 keys from Taiwan Citizen Digital Certificate cards

card + OS: EAL 4+; FIPS 140-2 Level 2

Outline

• Context

• Block ciphers

• Stream ciphers

• Hash functions

• Public-key cryptology

• Implementations issues

• Research challenges


Challenges for crypto

• security for 50-100 years

• authenticated encryption of Terabit/s networks

• ultra-low footprint/power/energy

• secure software and hardware implementations

• algorithm agility

(Figure: trade-off triangle between performance, cost and security.)

Challenges for advanced crypto

• privacy enhancing technologies

• linking crypto with physical world

– biometrics, physically uncloneable functions

• (distributed) secure execution

• whitebox cryptography

• cryptography in the encrypted domain

– searching in encrypted databases – data mining on health care data

– zero knowledge watermarking – intelligent media sharing

• perceptual hashing

• crypto for nanotechnology
