information processing researchpreneel/preneel_symmetric_mitacs10v1.pdf · java crypto libraries...

Symmetric cryptography: challenges and perspectives Bart Preneel

MITACS, Toronto, June 2010

1

1

Symmetric cryptography: challenges and perspectives

Bart PreneelCOSIC, K.U.Leuven, Belgium

Bart.Preneel(at)esat.kuleuven.behttp://homes.esat.kuleuven.be/~preneel

MITACS, June 2010

http://www.ecrypt.eu.org

2

Information processing

2

mechanical (104)

mainframe (105)

PCs and LANs (107)

Internet and mobile (109)

the Internet of things, ubiquitous computing, pervasive computing, ambient intelligence (1012)

3

Information processing

Continuum between software and hardwareASIC (microcode) – FPGA –

fully programmable processor

Everything is always connected everywhere

4

Research ↔ Practice

HARDWARELimited (govt+financial sector)DES, 3DES

DES, RSA, DH, CBC-MACProvable security (PKC), ZK, ElGamal, ECC, stream ciphers Quantum cryptoMD4, MD5 Provable security (SKC)Key escrowQuantum cryptanalysisHow to use RSA? Alternatives to RSAPKIAES ID-Based Crypto

70

80

90SOFTWAREGSM, PGPC libraries (RSA, DH)SSL/TLS, IPsec, SSH, S/MIMEJava crypto librariesWLAN

EVERYWHERETrusted computing, DRM,

3GPP, RFID, sensor nodes …

5

Implementations in embedded systems

Cipher Design,Biometrics

DQ

Vcc

CPUCrypto

MEM

JCAJava

JVM

CLK

Identification

ConfidentialityIntegrity

SIM

DQ

Vcc

CPUMEM

JCAJava

KVM

CLK

Protocol: Wireless authentication protocol design

Algorithm: Embedded fingerprint matchingalgorithms, crypto algorithms

Architecture: Co-design, HW/SW, SOC

Circuit: Circuit techniques to combat sidechannel analysis attacks

Micro-Architecture: co-processor design

Identification

ConfidentialityIntegrity

IdentificationIntegrity

SIMSIMSIM

Slide credit: Prof. Ingrid Verbauwhede

Technology aware solutions?

6

Challenges for crypto• security for 50-100 years• authenticated encryption of Terabit/s

networks• ultra-low power/footprint

secure software and hardware implementations

algorithm agility

performance

cost security



2

7

Outline

• Context• Block ciphers• Stream ciphers• (Hash functions)• MAC algorithms• Secure implementations

8

Block cipher

• larger data units: 64…128 bits• memoryless• repeat simple operation (round) many times

block cipher

P1

C1

block cipher

P2

C2

block cipher

P3

C3

9

Cryptanalysis of block cipherskey length k bits; block length n bits

• exhaustive key search – 2k encryptions, k/n known plaintexts

• tabulation attack– collect large number of plaintext ciphertext pairs

• code book attack– encrypt 1 plaintext under all 2k keys and store the result in a very

large table– one key can now be find in constant time (table look-up)

• time-memory trade-off– k/n chosen plaintexts– 2k encryptions (precomputation)and 22k/3 encryptions memory– on-line: 22k/3 encryptions

10

Block ciphers

3-DES (112-168)IDEA (128)MISTY1 (128)KASUMI (128 in 3G, 64 in 2G)HIGHT (128)PRESENT (80-128)TEA (128)mCRYPTON (128)KATAN (80)

insecure secure?0 50 80 128

Symmetric key lengths

AES (128-192-256)CAMELLIARC6CLEFIA

64-bit block 128-bit block

56 bits: 4 seconds with $5M80 bits: 2 year with $5M 128 bits: 256 billion years with $5B

11

3-DES: NIST Spec. Pub. 800-67(May 2004)

• single DES abandoned (56 bit)• double DES not good enough (72 bit)• 2-key triple DES: until 2009 (80 bit)• 3-key triple DES: until 2030 (100 bit)

DES Clear text

DES-1 DES

1 2 3

%^C&@&^(

extremely vulnerable to a related key attack

12

AES (2001)• FIPS 197 published on December 2001after 4-year open

competition– other standards: ISO, IETF, IEEE 802.11,…

• fast adoption in the market– except for financial sector– NIST validation list: 1393 implementations

• http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html

• 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information!

• security: – algebraic attacks of [Courtois+02] not effective– side channel attacks: cache attacks on unprotected implementations

[Shamir ’07] AES may well be the last block cipher



3

13

AES implementations: efficient/compact

• HW: 43 Gbit/s in 130 nm CMOS [‘05]• Intel: new AES instruction in Westmere processors

0.75 cycles/byte [’09-’10]• SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s

bitsliced [Käsper-Schwabe’09]

• HW: most compact: 3600 gates– PRESENT: 1029, KATAN: 1054, CLEFIA: 4950

14

AES variants (2001)• AES-128• 10 rounds • sensitive

lightweight key schedule, in particular for the 256-bit version

Key

Sch

edul

e

round

.....round

plaintext

Key

(128

)

Key

Sch

edul

e .....

round

plaintext

Key

(192

)

Key

Sch

edul

e

round

.....

round

round

round

plaintext

Key

(256

)

round

round.....

• AES-192• 12 rounds • classified

• AES-256• 14 rounds

• secret/top secret

15

What is a related key attack?• attacker chooses plaintexts and key difference C• attacker gets ciphertexts• task: find the key

Key

Sch

edul

e

round

.....

round

round

round

plaintext1

Key

(256

)

Key

Sch

edul

e

round

.....

round

round

round

plaintext2

Key

(256

)

C

ciphertext2ciphertext1

16

AES-256[Biryukov-Khovratovich’09]

[Biryukov-Dunkelman-Keller-Khovratovich-Shamir’09]

Slide credit: Orr Dunkelman

Related key attack: 4 keys, data & time complexity 2119 << 2256

KASUMI A5/3 4 related keys, 226 plaintexts, 230 bytes mem. 232 time

17

Should I worry about a related key attack?• very hard in practice (except for control vector and some

old US banking schemes)• if you are vulnerable to a related key attack, you are

making very bad implementation mistakes

Key

Sch

edul

e

round

.....

round

round

round

plaintext

Key

(256

)

ciphertext

h

• this is a very powerful attack model: if an opponent can zeroize (= AND 0) 224 key bits of his choice (rather than ⊕ C)he can find the key in a few seconds for any cipher with a 256-bit key

• if you are worried, hashing the key is an easy fix

18

Keeloq [Smit+/-’85]aka the M$10 cipher

• block length: 32 • key length: 64• rounds: 528



4

19

KATAN/KTANTAN[De Cannière-Dunkelman-Knežević’09]

http://www.cs.technion.ac.il/~orrd/KATAN/

• block length: 32, 48, 64• key length: 64• rounds: 254

20

Low cost hardware[Bogdanov+08,Sugawara+08]

020406080

100120140160180200

PRES-80 mCRYPTON-96

HIGHT 3-DES AES-128

warning: this is not a “fair” comparison• technologies range from 90nm-350nm• power consumption or energy could be real problem

Throughput/Area (bps/GE) @ 100KHz

KATANTEAPRES-128

128-bit block

CLEFIA AES-128

21

Low cost hw: throughput versus area

0

100

200

300

400

500

600

0 1000 2000 3000 4000 5000 6000

Gate equivalents

Thro

ughp

ut (K

bps)

100 KHz clock

AES (13)AES (35)

mCRYPTON-96 (13)

PRESENT-128 (18) HIGHT (25)

PRESENT-80 (18)

TEA (18)

(technology in 10 nm)

MISTY1 (18)

CLEFIA (9)

KATAN (18)

TDEA (9)

22

How NOT to use a block cipher: ECB mode

block cipher

P1

C1

block cipher

P2

C2

block cipher

P3

C3

23

An example plaintext

24

Encrypted with substitution and transposition cipher



5

25

Encrypted with AES in ECB and CBC mode

26

How to use a block cipher: CBC mode

AES

IV

P1

C1

AES AES

P2 P3

C2 C3

need random and secret IV

27

CBC mode decryption

AES-1

IV

P1

C1

P2 P3

C2 C3

AES-1 AES-1

28

Secure encryption• definition of security

– security assumption– security goal – capability of opponent

• assumption: secure block cipher (= pseudo-random permutation)

• security goal: can’t distinguish ciphertext from random string (IND-ROR = indistinguishability of real or random)

• capability of an opponent: ciphertext only, chosen plaintext, chosen ciphertext, adaptive chosen ciphertext

29

[Bellare+97] CBC is IND-ROR secure against chosen plaintext attack

• consider the block cipher AES with a block length of n bits; denote the advantage to distinguish it from a pseudo-random permutation with AdvAES/PRP

• consider an adversary who can ask q chosen plaintext queries to a CBC encryptionAdvENC/CBC ≤ 2 AdvAES/PRP + (q2/2)2-n + (q2-q)2-n

reduction is tight as long as q2/2 « 2n or q « 2n/2

30

CBC and the birthday paradox (1)• matching lower bound:

– collision Ci = Cj implies Ci-1 ⊕ Pi = C j-1 ⊕ Pj– collision expected after q =2n/2 blocks

– DES (n = 64) 232 blocks or 32 Gigabyte– AES (n = 128) 264 blocks

AES

IV

P1

C1

AES AES

Pi-1 Pi

Ci-1 Ci

AES

Pj-1

Cj-1

AES AES

Pj P3

Cj C3



6

31

CBC and the birthday paradox (2)• the ciphertext blocks Ci are random n-bit

strings or S = 2n

• if we collect r = √2n = 2n/2 ciphertext blocks, we will have a high probability there exist two identical ciphertext blocks, that is, there exist indices i and j such that Ci=Cj

32

CBC (in-)security• CBC is very easy to distinguish (thus weak) under a

chosen ciphertext attack:– decrypting C || C || C yields P’ || P || P

AES-1

IVP’

C

P P

C C

AES-1 AES-1

J.P. Degabriele and K.G. Paterson, Attacking the IPsec Standards in Encryption-only Configurations, IEEE Symposium on Privacy and Security, 2007B. Canvel, A.P. Hiltgen, S. Vaudenay and M. Vuagnoux, Password Interception in a SSL/TLS Channel, CRYPTO 2003, LNCS 2729.

33

Layersapplications

protocols

primitives

algorithms

Proofs: link security at different levels in a quantitative way

L.R. Knudsen: "If it is provably secure, it is probably not"

assumptions

34

Limitations of provable security• adversary needs to respect restrictions (of course)

– chosen ciphertext versus chosen plaintext– blockwise adaptive attackers

• assumptions need to be valid (of course)– DES is not an ideal cipher

• [DESK’(X’)]’ = DESK(X)– DESX = K1 ⊕ DESK(X ⊕ K2) has some “strange”

properties under related key attacks– do one-way functions exist? (best known result is

functions that are a factor 2 harder to invert than to compute)

• proof needs to be correct/complete (of course)• implementation needs to be correct (of course)

35

Limitations of provable security• multiple instances often not addressed• assume specific computational models (Turing

machines, RAM model) but other models may be more relevant– full cost– quantum computers

• provable security may overemphasize one aspect of security

• still, provable security can help to– gain confidence by understanding– compare schemes when deciding on industry

standards

3636

CounTer Mode (CTR) Ci = Pi ⊕ EK(CTRi-), CTRi ++

state initialized with random IV, or CTR0 = IV

CiPi

AES

CTRin

PiCi

AES

CTRin



7

37

Block ciphers: conclusions

• several mature block ciphers available• security well understood

– modes of operation– security against statistical attacks (differential,

linear) and structural attacks• more work:

– algebraic attacks– related key attacks– understanding of structural tradeoffs

• what are the limitations for lightweight block ciphers?

38

Model of a practical stream cipher

C

“looks”random

output function

IV

P

next state

function

K

initial state

output function

IV

P

next state

function

K

initial state

39

Moore’s Law: computation/storage 2000-2020

Microprocessor performance: Gflops/sEthernet: speed in GbpsStorage: Gigabyte/s

1000000

1

10

100

1000

10000

100000

20042006

20082010

20122014

20162000

2002

40

Stream ciphers

• historically very important (compact)– LFSR-based: A5/1, E0 – practical attacks known– software-oriented: RC4 – serious weaknesses– block cipher in CTR or OFB (slower)

• today: – many broken schemes– lack of standards and open solutions– standards: SNOW2.0, SNOW3G, MUGI, Rabbit,

DECIM, K2,..

41

A5/1 stream cipher (GSM)

Clock control: registers agreeing with majority are clocked (2 or 3)

018

21

22

0

0

• exhaustive key search: 264 (or rather 254)• search 2 smallest registers: 243 values – a few steps to verify

a guess• [BB05]: 10 minutes on a PC with 3-4 minutes of ciphertext only

42

Bluetooth stream cipher

• brute force: 2128 steps• [Lu+05] 24 known bits of 224 frames, 238 computations, 233 memory



8

43

A simple cipher: RC4 (1987)

• designed by Ron Rivest (MIT)• leaked in 1994• S[0..255]: secret table derived from user key K

for i=0 to 255 S[i]:=i

j:=0

for i=0 to 255

j:=(j + S[i] + K[i]) mod 256

swap S[i] and S[j]

i:=0, j:=0

44

A simple cipher: RC4 (1987)Generate key stream which is added to plaintexti:=i+1j:=(j + S[i]) mod 256swap S[i] and S[j]t:=(S[i] + S[j]) mod 256output S[t]

000

205

001

092

002

013 ...

093

033

094

162

095

079 ...

254

099

255

143

i

j

t

162 92

45

RC4: weaknesses

• was used with 40-bit key – US export restrictions until Q4/2000

• best known general shortcut attack: 2300

• weak keys and key setup (shuffle theory)• some statistical deviations

– e.g., 2nd output byte is biased– solution: drop first 256 bytes of output

• problem with resynchronization modes (WEP)

46

Cryptanalysis of stream cipherskey size k bits, internal memory m bits

• exhaustive key search: 2k encryptions• time-memory trade-off: s =min(m,k)

– time T, memory M, data D, precomputation P – Babbage-Golic

• T * M=2s, D=T and P=M– Biryukov-Shamir

• T * M² * D² = 22s, T>D² and P=2s/D

• solution: larger key and/or larger IV

47

Time-memory-data trade-offs: 128 bit keyExample: Dk=240, T=280, M=248, P=288

log Timelog Memorylog Precomputation

48

Open competition for stream ciphers http://www.ecrypt.eu.org

• run by ECRYPT– high performance in software (32/64-bit): 128-bit key– low-gate count hardware (< 1000 gates): 80-bit key– variants: authenticated encryption

• 29 April 2005: 33 submissions• Many broken in first year• End of competition: April 2008



9

49

The eSTREAM PortfolioApr. 2008 (Rev1 Sept. 2008)

TriviumSosemanuk

MICKEY v2Salsa20/12

Grain v1Rabbit

F-FCSR-HHC-128

HardwareSoftware

in alphabetical order

3-10 cycles per byte 1500..3000 gates

50

Performance reference data (Pentium M 1.70GHz Model 6/9/5)

020406080

100120

RC4 HC-128 DES 3-DES AES

05000

100001500020000250003000035000

RC4 HC-128

DES 3-DES AES

encryption speed (cycles/byte)

key setup (cycles)

51

Low cost hw: throughput versus area

0100200300400500600700800900

0 1000 2000 3000 4000 5000 6000

Gate equivalents

Thro

ughp

ut (K

bps)

100 KHz clock

AES (13)AES (35)

mCRYPTON-96 (13)

PRESENT-128 (18) HIGHT (25)

PRESENT-80 (18)

TEA (18)

(technology in 10 nm)

MISTY1 (18)

CLEFIA (9)

KATAN (18)TDEA (9)GRAIN (13) Trivium(13)

GRAIN[8] (13) Trivium[8](13)

Enocoro-80[8](18)

52

Stream ciphers: conclusions

• substantial progress made in last 5 years– concrete designs– data-time-memory tradeoffs

• 80-bit security implies 160-bit memory (seems to be a lower bound)

• many designs still “at the edge” (quite risky)• expect further progress

53

Outline


54

Hash functions

• collision resistance• preimage resistance• 2nd preimage

resistance

This is an input to a crypto-graphic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).

1A3FD4128A198FB3CA345932

• MDC (manipulationdetection code)

• Protect short hash valuerather than long text

h



10

55

MAC Algorithms

• CBC-MAC: EMAC and CMAC• HMAC• GCM and GMAC• Authenticated encryption

56

CBC-MAC based on AES (LMAC)

AES

P1

C1

AES AES

P2 P3

C2C3

select leftmost 64 bits

security level against forgery: 264 text/MAC pairs

NIST prefers CMAC: requires only 1 block cipher key

57

HMAC based on MDx, SHA

f1

f2

xK2

K1

2126 CP33 of 6464MD5

2154.9 CP43 of 8080SHA-12109 CP8080SHA(-0)

251 CP & 2100 time (RK)6464MD5

288 CP & 295 time 4848MD4Data complexityRounds in f2Rounds in f1

• Widely used in SSL/TLS/IPsec

• Attacks not yet dramatic

• NMAC weaker than HMAC

58

GMAC: polynomial authentication code (NIST SP 800-38D 2007 + 3GSM)

• keys K1, K2 ∈ GF(2128)• input x: x1, x2, . . . , xt, with xi ∈ GF(2128)

g(x) = K1+ Σi=1t xi • (K2)i

• in practice: compute K1 = AESK(n) (CTR mode)

• properties:– lightweight and/or fast in software and hardware

(support from Intel/AMD)– not very robust w.r.t. nonce reuse, truncation, MAC

verifications, due to reuse of K2 (not in 3GSM!)– versions over GF(p) (e.g. Poly1305-AES) seem more

robust

59

UMAC RFC 4418 (2006)

• key K, k1, k2 .., k256 ∈ GF(232) (1024 bytes)• input x: x1, x2, . . . , x256, with xi ∈ GF(232)• g(x) = prfK(h(x))

• h(x) = ( Σi=1512 (x2i-1 + k2i-1) mod 232 . (x2i + k2i) mod 232 )mod 264

• properties– software performance: 1-2 cycles/byte– forgery probability: 1/230 (provable lower bound)– [Handschuh-Preneel08] full key recovery with 240

verification queries

60

Authenticated encryption• default modes: ECB/CBC/CFB/OFB and CTR• needed for network security, but only fully understood

by crypto community around 2000 (too late)• standards:

– CCM: CTR + CBC-MAC [NIST SP 800-38C]– GCM: CTR + GMAC [NIST SP 800-38D]

• both are suboptimal • IAPM• XECB• OCB

• GCM• CCM• EAX

patented

issues:• associated data• parallelizable• on-line• provable security



11

61

MAC algorithms: conclusions

• can get better performance than encryption• EMAC or OMAC (CBC-MAC) seems fine• widely used choices lack robustness

• modes for authenticated encryption today well understood but not yet widely deployed

62

Outline


63

Models and reality

64

Implementations: side channel attacks

First round of DES

ExpansionRSA

65

Implementation attacks

• measure: time, power, electromagnetic radiation, sound

• introduce faults (even in CPUs – bug attacks)• combine with statistical analysis and

cryptanalysis• software: API attacks

• major impact on implementation cost

Sun Tzu, The Art of War: In war, avoid what is strong and attack what is weak

L.R. Knudsen: "It is not cryptanalysis, it is vandalism"66

• active versus passive – active: perturbate and conclude– passive: observe and infer

• invasive versus non-invasive– invasive: open package and contact chip– semi-invasive: open package, no contact– non-invasive: no modification

• side channel: passive and non-invasive– very difficult to detect– often cheap to set-up – often: need lots of measurements automation

• circuit modification: active and invasive– expensive to detect invasion (chip might be without power)– very expensive equipment and expertise required

Classification of Physical Attacks

active passive

Non-Invasive

Invasive



12

67

Power or EM attack

Main PCrun the Acquisition

software

Server

store the filesand run the Treatment

software

Cardreader

Card extentionGCR

Oscilloscope

files transfer

command emission

Arm scoperetrieve file

Current waveformacquisition

Scope triggeron IO

Protection box

R

68

Key value : 2E C6 91 5B F9 4A

A simple attack on RSA

2

0010

E

1 1 10

C

1 100

6

0 1 10

9

100 1

1

000 1

5

0 10 1

B

10 1 1

F

1 1 1

9

100 1

4

0 100

A

10 10

69

semi-invasive: exploit faulty behavior provokedby physical stress applied to the device

Active attacks (semi invasive) fault injection

[www.new-wave.com]

– laser fault injection allows to target a relatively small surface area of the target device

– laser pulse frequency ~ 50Hz– fully automated scan of chip

surface–once you have a weak spot:

perturbate and exploit

70

Timing attacks on AES software implementations

• variable execution time typically associated with “if then else”, rotations, multiplications

• due to cache effects, several fast software implementations can be broken– e.g., AES in Open SSL: 65 milliseconds

• fixes: – implementations: first version 2/3 times slower,

today even faster than original ones– special cache for crypto algorithms– hardware crypto

• cache attacks apply to any cryptographic algorithm that uses tables

71

Cryptology + side channels

Clear text

CRYPTOBOX

CRYPTOBOX

Clear text

%^C&@&^(

%^C&@&^(

Alice Bob

Eve

72

Challenges for crypto• security for 50-100 years• authenticated encryption of Terabit/s

networks• ultra-low power/footprint

secure software and hardware implementations

algorithm agility

performance

cost security



13

73

The power challenge: AES-128 speed/power for various platforms (Joule/Gb)

CMOS FPGA PIII C - Emb.Sparc

Java-Emb.Spar

speed power power/speed

1 Gbit/s

1 Mbit/s

1 Kbit/s

mWatt

Watt

106

103

1

74

demand in applications

maturity

low

low

high

high

block ciphers

hash functions

stream ciphers

public key operations

sophisticated protocols

simple protocols

MAC

75

http://www.ecrypt.eu.org/lightweight/

76

Conclusions• major challenges remain in cryptographic

algorithm design• pushing the limits requires specific solutions

– high end: parallelism– low end: RFID, sensor nodes, co-processor for 8-bit

CPU,…• symmetric crypto with < 1500 gates is feasible

– cost is then dominated by memory (2 to 8 gates per bit)– energy consumption may be high– software: RAM usage is critical

• challenges for implementers: upgrading algorithms and implementation attacks

information processing researchpreneel/preneel_symmetric_mitacs10v1.pdf · java crypto libraries...

Documents