information processing researchpreneel/preneel_symmetric_mitacs10v1.pdf · java crypto libraries...
TRANSCRIPT
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
1
1
Symmetric cryptography: challenges and perspectives
Bart PreneelCOSIC, K.U.Leuven, Belgium
Bart.Preneel(at)esat.kuleuven.behttp://homes.esat.kuleuven.be/~preneel
MITACS, June 2010
http://www.ecrypt.eu.org
2
Information processing
2
mechanical (104)
mainframe (105)
PCs and LANs (107)
Internet and mobile (109)
the Internet of things, ubiquitous computing, pervasive computing, ambient intelligence (1012)
3
Information processing
Continuum between software and hardwareASIC (microcode) – FPGA –
fully programmable processor
Everything is always connected everywhere
4
Research ↔ Practice
HARDWARELimited (govt+financial sector)DES, 3DES
DES, RSA, DH, CBC-MACProvable security (PKC), ZK, ElGamal, ECC, stream ciphers Quantum cryptoMD4, MD5 Provable security (SKC)Key escrowQuantum cryptanalysisHow to use RSA? Alternatives to RSAPKIAES ID-Based Crypto
70
80
90SOFTWAREGSM, PGPC libraries (RSA, DH)SSL/TLS, IPsec, SSH, S/MIMEJava crypto librariesWLAN
EVERYWHERETrusted computing, DRM,
3GPP, RFID, sensor nodes …
5
Implementations in embedded systems
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCAJava
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPUMEM
JCAJava
KVM
CLK
Protocol: Wireless authentication protocol design
Algorithm: Embedded fingerprint matchingalgorithms, crypto algorithms
Architecture: Co-design, HW/SW, SOC
Circuit: Circuit techniques to combat sidechannel analysis attacks
Micro-Architecture: co-processor design
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
Slide credit: Prof. Ingrid Verbauwhede
Technology aware solutions?
6
Challenges for crypto• security for 50-100 years• authenticated encryption of Terabit/s
networks• ultra-low power/footprint
secure software and hardware implementations
algorithm agility
performance
cost security
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
2
7
Outline
• Context• Block ciphers• Stream ciphers• (Hash functions)• MAC algorithms• Secure implementations
8
Block cipher
• larger data units: 64…128 bits• memoryless• repeat simple operation (round) many times
block cipher
P1
C1
block cipher
P2
C2
block cipher
P3
C3
9
Cryptanalysis of block cipherskey length k bits; block length n bits
• exhaustive key search – 2k encryptions, k/n known plaintexts
• tabulation attack– collect large number of plaintext ciphertext pairs
• code book attack– encrypt 1 plaintext under all 2k keys and store the result in a very
large table– one key can now be find in constant time (table look-up)
• time-memory trade-off– k/n chosen plaintexts– 2k encryptions (precomputation)and 22k/3 encryptions memory– on-line: 22k/3 encryptions
10
Block ciphers
3-DES (112-168)IDEA (128)MISTY1 (128)KASUMI (128 in 3G, 64 in 2G)HIGHT (128)PRESENT (80-128)TEA (128)mCRYPTON (128)KATAN (80)
insecure secure?0 50 80 128
Symmetric key lengths
AES (128-192-256)CAMELLIARC6CLEFIA
64-bit block 128-bit block
56 bits: 4 seconds with $5M80 bits: 2 year with $5M 128 bits: 256 billion years with $5B
11
3-DES: NIST Spec. Pub. 800-67(May 2004)
• single DES abandoned (56 bit)• double DES not good enough (72 bit)• 2-key triple DES: until 2009 (80 bit)• 3-key triple DES: until 2030 (100 bit)
DES Clear text
DES-1 DES
1 2 3
%^C&@&^(
extremely vulnerable to a related key attack
12
AES (2001)• FIPS 197 published on December 2001after 4-year open
competition– other standards: ISO, IETF, IEEE 802.11,…
• fast adoption in the market– except for financial sector– NIST validation list: 1393 implementations
• http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
• 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information!
• security: – algebraic attacks of [Courtois+02] not effective– side channel attacks: cache attacks on unprotected implementations
[Shamir ’07] AES may well be the last block cipher
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
3
13
AES implementations: efficient/compact
• HW: 43 Gbit/s in 130 nm CMOS [‘05]• Intel: new AES instruction in Westmere processors
0.75 cycles/byte [’09-’10]• SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s
bitsliced [Käsper-Schwabe’09]
• HW: most compact: 3600 gates– PRESENT: 1029, KATAN: 1054, CLEFIA: 4950
14
AES variants (2001)• AES-128• 10 rounds • sensitive
lightweight key schedule, in particular for the 256-bit version
Key
Sch
edul
e
round
.....round
plaintext
Key
(128
)
Key
Sch
edul
e .....
round
plaintext
Key
(192
)
Key
Sch
edul
e
round
.....
round
round
round
plaintext
Key
(256
)
round
round.....
• AES-192• 12 rounds • classified
• AES-256• 14 rounds
• secret/top secret
15
What is a related key attack?• attacker chooses plaintexts and key difference C• attacker gets ciphertexts• task: find the key
Key
Sch
edul
e
round
.....
round
round
round
plaintext1
Key
(256
)
Key
Sch
edul
e
round
.....
round
round
round
plaintext2
Key
(256
)
C
ciphertext2ciphertext1
16
AES-256[Biryukov-Khovratovich’09]
[Biryukov-Dunkelman-Keller-Khovratovich-Shamir’09]
Slide credit: Orr Dunkelman
Related key attack: 4 keys, data & time complexity 2119 << 2256
KASUMI A5/3 4 related keys, 226 plaintexts, 230 bytes mem. 232 time
17
Should I worry about a related key attack?• very hard in practice (except for control vector and some
old US banking schemes)• if you are vulnerable to a related key attack, you are
making very bad implementation mistakes
Key
Sch
edul
e
round
.....
round
round
round
plaintext
Key
(256
)
ciphertext
h
• this is a very powerful attack model: if an opponent can zeroize (= AND 0) 224 key bits of his choice (rather than ⊕ C)he can find the key in a few seconds for any cipher with a 256-bit key
• if you are worried, hashing the key is an easy fix
18
Keeloq [Smit+/-’85]aka the M$10 cipher
• block length: 32 • key length: 64• rounds: 528
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
4
19
KATAN/KTANTAN[De Cannière-Dunkelman-Knežević’09]
http://www.cs.technion.ac.il/~orrd/KATAN/
• block length: 32, 48, 64• key length: 64• rounds: 254
20
Low cost hardware[Bogdanov+08,Sugawara+08]
020406080
100120140160180200
PRES-80 mCRYPTON-96
HIGHT 3-DES AES-128
warning: this is not a “fair” comparison• technologies range from 90nm-350nm• power consumption or energy could be real problem
Throughput/Area (bps/GE) @ 100KHz
KATANTEAPRES-128
128-bit block
CLEFIA AES-128
21
Low cost hw: throughput versus area
0
100
200
300
400
500
600
0 1000 2000 3000 4000 5000 6000
Gate equivalents
Thro
ughp
ut (K
bps)
100 KHz clock
AES (13)AES (35)
mCRYPTON-96 (13)
PRESENT-128 (18) HIGHT (25)
PRESENT-80 (18)
TEA (18)
(technology in 10 nm)
MISTY1 (18)
CLEFIA (9)
KATAN (18)
TDEA (9)
22
How NOT to use a block cipher: ECB mode
block cipher
P1
C1
block cipher
P2
C2
block cipher
P3
C3
23
An example plaintext
24
Encrypted with substitution and transposition cipher
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
5
25
Encrypted with AES in ECB and CBC mode
26
How to use a block cipher: CBC mode
AES
IV
P1
C1
AES AES
P2 P3
C2 C3
need random and secret IV
27
CBC mode decryption
AES-1
IV
P1
C1
P2 P3
C2 C3
AES-1 AES-1
28
Secure encryption• definition of security
– security assumption– security goal – capability of opponent
• assumption: secure block cipher (= pseudo-random permutation)
• security goal: can’t distinguish ciphertext from random string (IND-ROR = indistinguishability of real or random)
• capability of an opponent: ciphertext only, chosen plaintext, chosen ciphertext, adaptive chosen ciphertext
29
[Bellare+97] CBC is IND-ROR secure against chosen plaintext attack
• consider the block cipher AES with a block length of n bits; denote the advantage to distinguish it from a pseudo-random permutation with AdvAES/PRP
• consider an adversary who can ask q chosen plaintext queries to a CBC encryptionAdvENC/CBC ≤ 2 AdvAES/PRP + (q2/2)2-n + (q2-q)2-n
reduction is tight as long as q2/2 « 2n or q « 2n/2
30
CBC and the birthday paradox (1)• matching lower bound:
– collision Ci = Cj implies Ci-1 ⊕ Pi = C j-1 ⊕ Pj– collision expected after q =2n/2 blocks
– DES (n = 64) 232 blocks or 32 Gigabyte– AES (n = 128) 264 blocks
AES
IV
P1
C1
AES AES
Pi-1 Pi
Ci-1 Ci
AES
Pj-1
Cj-1
AES AES
Pj P3
Cj C3
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
6
31
CBC and the birthday paradox (2)• the ciphertext blocks Ci are random n-bit
strings or S = 2n
• if we collect r = √2n = 2n/2 ciphertext blocks, we will have a high probability there exist two identical ciphertext blocks, that is, there exist indices i and j such that Ci=Cj
32
CBC (in-)security• CBC is very easy to distinguish (thus weak) under a
chosen ciphertext attack:– decrypting C || C || C yields P’ || P || P
AES-1
IVP’
C
P P
C C
AES-1 AES-1
J.P. Degabriele and K.G. Paterson, Attacking the IPsec Standards in Encryption-only Configurations, IEEE Symposium on Privacy and Security, 2007B. Canvel, A.P. Hiltgen, S. Vaudenay and M. Vuagnoux, Password Interception in a SSL/TLS Channel, CRYPTO 2003, LNCS 2729.
33
Layersapplications
protocols
primitives
algorithms
Proofs: link security at different levels in a quantitative way
L.R. Knudsen: "If it is provably secure, it is probably not"
assumptions
34
Limitations of provable security• adversary needs to respect restrictions (of course)
– chosen ciphertext versus chosen plaintext– blockwise adaptive attackers
• assumptions need to be valid (of course)– DES is not an ideal cipher
• [DESK’(X’)]’ = DESK(X)– DESX = K1 ⊕ DESK(X ⊕ K2) has some “strange”
properties under related key attacks– do one-way functions exist? (best known result is
functions that are a factor 2 harder to invert than to compute)
• proof needs to be correct/complete (of course)• implementation needs to be correct (of course)
35
Limitations of provable security• multiple instances often not addressed• assume specific computational models (Turing
machines, RAM model) but other models may be more relevant– full cost– quantum computers
• provable security may overemphasize one aspect of security
• still, provable security can help to– gain confidence by understanding– compare schemes when deciding on industry
standards
3636
CounTer Mode (CTR) Ci = Pi ⊕ EK(CTRi-), CTRi ++
state initialized with random IV, or CTR0 = IV
CiPi
AES
CTRin
PiCi
AES
CTRin
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
7
37
Block ciphers: conclusions
• several mature block ciphers available• security well understood
– modes of operation– security against statistical attacks (differential,
linear) and structural attacks• more work:
– algebraic attacks– related key attacks– understanding of structural tradeoffs
• what are the limitations for lightweight block ciphers?
38
Model of a practical stream cipher
C
“looks”random
output function
IV
P
next state
function
K
initial state
output function
IV
P
next state
function
K
initial state
39
Moore’s Law: computation/storage 2000-2020
Microprocessor performance: Gflops/sEthernet: speed in GbpsStorage: Gigabyte/s
1000000
1
10
100
1000
10000
100000
20042006
20082010
20122014
20162000
2002
40
Stream ciphers
• historically very important (compact)– LFSR-based: A5/1, E0 – practical attacks known– software-oriented: RC4 – serious weaknesses– block cipher in CTR or OFB (slower)
• today: – many broken schemes– lack of standards and open solutions– standards: SNOW2.0, SNOW3G, MUGI, Rabbit,
DECIM, K2,..
41
A5/1 stream cipher (GSM)
Clock control: registers agreeing with majority are clocked (2 or 3)
018
21
22
0
0
• exhaustive key search: 264 (or rather 254)• search 2 smallest registers: 243 values – a few steps to verify
a guess• [BB05]: 10 minutes on a PC with 3-4 minutes of ciphertext only
42
Bluetooth stream cipher
• brute force: 2128 steps• [Lu+05] 24 known bits of 224 frames, 238 computations, 233 memory
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
8
43
A simple cipher: RC4 (1987)
• designed by Ron Rivest (MIT)• leaked in 1994• S[0..255]: secret table derived from user key K
for i=0 to 255 S[i]:=i
j:=0
for i=0 to 255
j:=(j + S[i] + K[i]) mod 256
swap S[i] and S[j]
i:=0, j:=0
44
A simple cipher: RC4 (1987)Generate key stream which is added to plaintexti:=i+1j:=(j + S[i]) mod 256swap S[i] and S[j]t:=(S[i] + S[j]) mod 256output S[t]
000
205
001
092
002
013 ...
093
033
094
162
095
079 ...
254
099
255
143
i
j
t
162 92
45
RC4: weaknesses
• was used with 40-bit key – US export restrictions until Q4/2000
• best known general shortcut attack: 2300
• weak keys and key setup (shuffle theory)• some statistical deviations
– e.g., 2nd output byte is biased– solution: drop first 256 bytes of output
• problem with resynchronization modes (WEP)
46
Cryptanalysis of stream cipherskey size k bits, internal memory m bits
• exhaustive key search: 2k encryptions• time-memory trade-off: s =min(m,k)
– time T, memory M, data D, precomputation P – Babbage-Golic
• T * M=2s, D=T and P=M– Biryukov-Shamir
• T * M² * D² = 22s, T>D² and P=2s/D
• solution: larger key and/or larger IV
47
Time-memory-data trade-offs: 128 bit keyExample: Dk=240, T=280, M=248, P=288
log Timelog Memorylog Precomputation
48
Open competition for stream ciphers http://www.ecrypt.eu.org
• run by ECRYPT– high performance in software (32/64-bit): 128-bit key– low-gate count hardware (< 1000 gates): 80-bit key– variants: authenticated encryption
• 29 April 2005: 33 submissions• Many broken in first year• End of competition: April 2008
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
9
49
The eSTREAM PortfolioApr. 2008 (Rev1 Sept. 2008)
TriviumSosemanuk
MICKEY v2Salsa20/12
Grain v1Rabbit
F-FCSR-HHC-128
HardwareSoftware
in alphabetical order
3-10 cycles per byte 1500..3000 gates
50
Performance reference data (Pentium M 1.70GHz Model 6/9/5)
020406080
100120
RC4 HC-128 DES 3-DES AES
05000
100001500020000250003000035000
RC4 HC-128
DES 3-DES AES
encryption speed (cycles/byte)
key setup (cycles)
51
Low cost hw: throughput versus area
0100200300400500600700800900
0 1000 2000 3000 4000 5000 6000
Gate equivalents
Thro
ughp
ut (K
bps)
100 KHz clock
AES (13)AES (35)
mCRYPTON-96 (13)
PRESENT-128 (18) HIGHT (25)
PRESENT-80 (18)
TEA (18)
(technology in 10 nm)
MISTY1 (18)
CLEFIA (9)
KATAN (18)TDEA (9)GRAIN (13) Trivium(13)
GRAIN[8] (13) Trivium[8](13)
Enocoro-80[8](18)
52
Stream ciphers: conclusions
• substantial progress made in last 5 years– concrete designs– data-time-memory tradeoffs
• 80-bit security implies 160-bit memory (seems to be a lower bound)
• many designs still “at the edge” (quite risky)• expect further progress
53
Outline
• Context• Block ciphers• Stream ciphers• (Hash functions)• MAC algorithms• Secure implementations
54
Hash functions
• collision resistance• preimage resistance• 2nd preimage
resistance
This is an input to a crypto-graphic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).
1A3FD4128A198FB3CA345932
• MDC (manipulationdetection code)
• Protect short hash valuerather than long text
h
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
10
55
MAC Algorithms
• CBC-MAC: EMAC and CMAC• HMAC• GCM and GMAC• Authenticated encryption
56
CBC-MAC based on AES (LMAC)
AES
P1
C1
AES AES
P2 P3
C2C3
select leftmost 64 bits
security level against forgery: 264 text/MAC pairs
NIST prefers CMAC: requires only 1 block cipher key
57
HMAC based on MDx, SHA
f1
f2
xK2
K1
2126 CP33 of 6464MD5
2154.9 CP43 of 8080SHA-12109 CP8080SHA(-0)
251 CP & 2100 time (RK)6464MD5
288 CP & 295 time 4848MD4Data complexityRounds in f2Rounds in f1
• Widely used in SSL/TLS/IPsec
• Attacks not yet dramatic
• NMAC weaker than HMAC
58
GMAC: polynomial authentication code (NIST SP 800-38D 2007 + 3GSM)
• keys K1, K2 ∈ GF(2128)• input x: x1, x2, . . . , xt, with xi ∈ GF(2128)
g(x) = K1+ Σi=1t xi • (K2)i
• in practice: compute K1 = AESK(n) (CTR mode)
• properties:– lightweight and/or fast in software and hardware
(support from Intel/AMD)– not very robust w.r.t. nonce reuse, truncation, MAC
verifications, due to reuse of K2 (not in 3GSM!)– versions over GF(p) (e.g. Poly1305-AES) seem more
robust
59
UMAC RFC 4418 (2006)
• key K, k1, k2 .., k256 ∈ GF(232) (1024 bytes)• input x: x1, x2, . . . , x256, with xi ∈ GF(232)• g(x) = prfK(h(x))
• h(x) = ( Σi=1512 (x2i-1 + k2i-1) mod 232 . (x2i + k2i) mod 232 )mod 264
• properties– software performance: 1-2 cycles/byte– forgery probability: 1/230 (provable lower bound)– [Handschuh-Preneel08] full key recovery with 240
verification queries
60
Authenticated encryption• default modes: ECB/CBC/CFB/OFB and CTR• needed for network security, but only fully understood
by crypto community around 2000 (too late)• standards:
– CCM: CTR + CBC-MAC [NIST SP 800-38C]– GCM: CTR + GMAC [NIST SP 800-38D]
• both are suboptimal • IAPM• XECB• OCB
• GCM• CCM• EAX
patented
issues:• associated data• parallelizable• on-line• provable security
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
11
61
MAC algorithms: conclusions
• can get better performance than encryption• EMAC or OMAC (CBC-MAC) seems fine• widely used choices lack robustness
• modes for authenticated encryption today well understood but not yet widely deployed
62
Outline
• Context• Block ciphers• Stream ciphers• (Hash functions)• MAC algorithms• Secure implementations
63
Models and reality
64
Implementations: side channel attacks
First round of DES
ExpansionRSA
65
Implementation attacks
• measure: time, power, electromagnetic radiation, sound
• introduce faults (even in CPUs – bug attacks)• combine with statistical analysis and
cryptanalysis• software: API attacks
• major impact on implementation cost
Sun Tzu, The Art of War: In war, avoid what is strong and attack what is weak
L.R. Knudsen: "It is not cryptanalysis, it is vandalism"66
• active versus passive – active: perturbate and conclude– passive: observe and infer
• invasive versus non-invasive– invasive: open package and contact chip– semi-invasive: open package, no contact– non-invasive: no modification
• side channel: passive and non-invasive– very difficult to detect– often cheap to set-up – often: need lots of measurements automation
• circuit modification: active and invasive– expensive to detect invasion (chip might be without power)– very expensive equipment and expertise required
Classification of Physical Attacks
active passive
Non-Invasive
Invasive
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
12
67
Power or EM attack
Main PCrun the Acquisition
software
Server
store the filesand run the Treatment
software
Cardreader
Card extentionGCR
Oscilloscope
files transfer
command emission
Arm scoperetrieve file
Current waveformacquisition
Scope triggeron IO
Protection box
R
68
Key value : 2E C6 91 5B F9 4A
A simple attack on RSA
2
0010
E
1 1 10
C
1 100
6
0 1 10
9
100 1
1
000 1
5
0 10 1
B
10 1 1
F
1 1 1
9
100 1
4
0 100
A
10 10
69
semi-invasive: exploit faulty behavior provokedby physical stress applied to the device
Active attacks (semi invasive) fault injection
[www.new-wave.com]
– laser fault injection allows to target a relatively small surface area of the target device
– laser pulse frequency ~ 50Hz– fully automated scan of chip
surface–once you have a weak spot:
perturbate and exploit
70
Timing attacks on AES software implementations
• variable execution time typically associated with “if then else”, rotations, multiplications
• due to cache effects, several fast software implementations can be broken– e.g., AES in Open SSL: 65 milliseconds
• fixes: – implementations: first version 2/3 times slower,
today even faster than original ones– special cache for crypto algorithms– hardware crypto
• cache attacks apply to any cryptographic algorithm that uses tables
71
Cryptology + side channels
Clear text
CRYPTOBOX
CRYPTOBOX
Clear text
%^C&@&^(
%^C&@&^(
Alice Bob
Eve
72
Challenges for crypto• security for 50-100 years• authenticated encryption of Terabit/s
networks• ultra-low power/footprint
secure software and hardware implementations
algorithm agility
performance
cost security
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
13
73
The power challenge: AES-128 speed/power for various platforms (Joule/Gb)
CMOS FPGA PIII C - Emb.Sparc
Java-Emb.Spar
speed power power/speed
1 Gbit/s
1 Mbit/s
1 Kbit/s
mWatt
Watt
106
103
1
74
demand in applications
maturity
low
low
high
high
block ciphers
hash functions
stream ciphers
public key operations
sophisticated protocols
simple protocols
MAC
75
http://www.ecrypt.eu.org/lightweight/
76
Conclusions• major challenges remain in cryptographic
algorithm design• pushing the limits requires specific solutions
– high end: parallelism– low end: RFID, sensor nodes, co-processor for 8-bit
CPU,…• symmetric crypto with < 1500 gates is feasible
– cost is then dominated by memory (2 to 8 gates per bit)– energy consumption may be high– software: RAM usage is critical
• challenges for implementers: upgrading algorithms and implementation attacks