CRYPTREC Report 2000 (Provisional Translation)
CRYPTREC 2000
CRYPTREC Report 2000 (Provisional Translation)
March 2001 Information Technology Promotion Agency, Japan The Security Center
CRYPTREC 2000
Index
Introduction ...... 1 On the CRYPTREC Evaluation Committee Report...... 3 Information for Readers of This Report...... 6 1. Overview of Cryptographic Technique Evaluation...... 7 2. Solicited Cryptographic Techniques ...... 14 2.1 Categories of Solicited Cryptographic Technique...... 14 2.2 Public-key cryptography...... 16 2.2.1 Public-Key Cryptosystem for Confidentiality ...... 16 2.2.2 Public-Key Cryptosystem implementing Signature Function...... 18 2.2.3 Public-Key Cryptosystem Implementing Authentication Function ...... 19 2.2.4 Public-Key Cryptosystem Implementing Key Sharing Function ...... 21 2.3 Symmetric Cipher Technology ...... 23 2.3.1 Block Ciphers...... 23 2.3.2 Stream Ciphers ...... 25 2.4 Hash Functions...... 26 2.5 Pseudo-random Number Generating Scheme...... 26 3. Overview of Cryptographic Technique Evaluation...... 27 3.1 Purpose of the Evaluation...... 27 3.2 Screening Evaluation and Detailed Evaluation ...... 28 3.3 Evaluation Criteria for Asymmetric Cryptographic Schemes...... 29 3.3.1 Security Evaluation Criteria...... 29 3.3.2 Evaluation of Software Implementation...... 30 3.4 Evaluation Criteria for Symmetric Cryptographic Schemes ...... 31 3.4.1 Security Evaluation Criteria...... 31 3.4.2 Evaluation of Software Implementation...... 36 3.4.3 Evaluation of Hardware Implementation ...... 38 3.5 Evaluation Method of Hash Functions ...... 38 3.6 Evaluation Method of Pseudo-random Number Generating Techniques...... 39
4. Evaluation of Public Key Cryptography...... 40 4.1 General Comments...... …….. 40 4.1.1 List of Public Key Cryptographic Techniques as Targets of Detailed Evaluation...... 40 4.1.2 General Comments on Public Key Cryptographic Techniques...... 41
4.2 Evaluation Classified by Function...... 48 4.2.1 Signature...... …48
i CRYPTREC 2000
4.2.2 Confidentiality...... 51 4.2.3 Key Sharing...... 61 4.3 Evaluation Based on Security Evidence...... 67 4.3.1 Integer Factoring Problem...... 67 4.3.2 Discrete Logarithm Problem...... …...... 73 4.3.3 Elliptic Curve Discrete Logarithm Problem...... …...... 82 4.4 Evaluation of Individual Cryptosystems...... …...... 88 4.4.1 ACE Sign...... …...... 88 4.4.2 ESIGN-Signature...... …...... ….91 4.4.3 RSA-PSS...... 98 4.4.4 DSA...... 102 4.4.5 ECDSA in SEC1...... 104 4.4.6 MY-ELLTY ECMR-160/192/OEF-h...... 112
4.4.7 EPOC-1...... 123 4.4.8 EPOC-2...... 130 4.4.9 EPOC-3...... …..136 4.4.10 HIME-1...... 142 4.4.11 HIME-2...... 154 4.4.12 RSA-OAEP...... 166 4.4.13 ACE Encrypt...... 172 4.4.14 ECAES in SEC1...... 176 4.4.15 PSEC-1...... 185 4.4.16 PSEC-2...... 191 4.4.17 PSEC-3...... 196 4.4.18 DH...... 202 4.4.19 ECDHS in SEC1...... 205 4.4.20 ECMQVS in SEC1...... 212 4.4.21 HDEF-ECDH...... 220 5. Evaluation of Symmetric Ciphers...... 229 5.1 Evaluation by Encryption Type...... 229 5.1.1 64-bit Block Ciphers...... 229 5.1.2 128-bit Block Ciphers...... 241 5.1.3 Stream Ciphers...... 254 5.2 Individual Cipher Evaluation...... 257
5.2.1 CIPHERUNICORN-E...... 257 5.2.2 FEAL-NX...... 265
ii CRYPTREC 2000
5.2.3 Hierocrypt-L1...... 273 5.2.4 MISTY1...... 280 5.2.5 Tripe DES...... 287 5.2.6 Camellia...... 294 5.2.7 CIPHERUNICORN-A...... 301 5.2.8 Hierocrypt-3...... 309 5.2.9 MARS...... 315 5.2.10 RC6...... 318 5.2.11 SC2000...... 324 5.2.12 Rijndael...... 331 5.2.13 MULTI-SOl...... 339 5.2.14 TOYOCRYPT-HS1...... 344 6. Hash-Function Evaluation...... 350
6.1 Evaluation by Type...... 350 6.2 Individual Evaluation...... 351 6.2.1 MD5...... 351 6.2.2 RIPEMD-160...... 354 6.2.3 SHA-1...... 359 7. Evaluation of Pseudorandom Number Generation Methods...... 361 7.1 Evaluation by Type...... 361 7.2 Individual Evaluation...... …362 7.2.1 TOYOCRYPT-HR1...... 362 7.2.2 PRNG based on SHA-1...... 367 8. Other...... …...... 375 8.1 Cryptographic Techniques Evaluated...... …...... 375 8.2 Trend Toward Cipher Standardization...... …...... 381 8.2.1 About DES/AES...... …...... 381 8.2.2 About the NESSIE Project...... …...... 384 8.2.3 About ISO/IEC JTC1/SC27/WG2...... …...... 387 8.2.4 About IEEE...... …...... 389 8.2.5 About IETF...... …...... 389
iii CRYPTREC 2000
Introduction
Japan's e-Government, a millennium project destined to make the nation's administrative infrastructure the world's most electronically advanced, is set for inauguration by fiscal year 2003. Its goal is the computerization of the nation's administrative procedures such as applications, notifications and government procurements with an aim toward establishing more efficient and cost-saving government systems. In order to build the e-Government's functions correctly, the use of cryptographic techniques will be required in various aspects. Today, the majority of cryptographic techniques, which algorithms are open to public, depend upon computational intractability. Because of this, the security margin of current cryptographic techniques decrease unavoidably year by year as increase in computing power. Additionally, new methods and techniques to attack cryptographic schemes may appear unexpectedly. These new methods may make it appear that the indecipherability of a particular cryptography could not be as reliable as was believed to be. Furthermore, when observed from a practical point of view, those items that should be taken into consideration when selecting reliable cryptographic schemes include all aspects of cryptographic programming -- including processing speed and total program size, as well as security. Unfortunately, Japan's experience in making a systematic evaluation of various cryptographic techniques is quite limited. Because of this, the Ministry of Economy, Trade and Industry (formerly the Ministry of International Trade and Industry), being expected to play role of a leader ministry in constructing the e-Government, decided that a list of cryptographic techniques available for use by the e-Government should be prepared. The task of evaluating existing cryptographic techniques has been entrusted to the Information Technology Promotion Agency, Japan (IPA). In order to carry out the Japanese first cryptography evaluation project with our nations best and brightest cryptographic technique researchers, IPA organized the CRYPTREC Evaluation Committee (CRYPTREC), which is consisted of Japanese top specialists in cryptography and cryptographic security techniques. The CRYPTREC chaired by Professor Hideki Imai of Tokyo University, conducted an intensive evaluation program for a period of near twelve months. The Committee involved representatives of Ministries and they attended as observers: The Ministry of Economy, Trade and Industry; the Ministry of Public Management; Home Affairs; Posts and Telecommunications (formerly the Management and Coordination Agency and the Ministry of Posts and Telecommunications) and the Defense Agency were involved from the onset; later the Cabinet Secretariat; the National Police Agency; the Ministry of Justice; and the Department of Treasury joined. The project have become almost the government wide effort. Turning our eyes to advancements in the world of cryptographic techniques We can find the Advanced
iv CRYPTREC 2000
Encryption Standard (AES) program which will replace the Data Encryption Standard (DES) algorithm as the United State's next-generation federal standard. In Europe, a similar work, the New European Schemes for Signature, Integrity and Encryption (NESSIE) project, is underway. Additionally ISO/IEC set about to establish international standard criteria for cryptgraphic technology. Because of the world conditions described above, our systematic evaluation of various cryptographic techniques was epoch-making in its own right, and I believe that because of our efforts, Japan has made a considerable contribution to the advancement of cryptographic techniques. I expect, with great satisfaction, that this report will provide a helpful guideline toward ensuring that our forthcoming e-Government rests on a strong and solid foundation and truly hope that this report has provided sufficient policy and information on which we can base the successful management of future electronic commerce. In conclusion, I wish to express my deepest thanks and gratitude to Professor Hideki Imai, Committee Chairman, for his unceasing and untiring efforts and dedication to the furtherance of the CRYPTREC Evaluation Committee’s (CRYPTREC’s) efforts over the past 12 months. I would also like to express my sincere thanks to Professor Shigeo Tsujii, Committee’s Senior Advisor, for stating his opinions from a higher and broader viewpoint. Sincere thanks are also extended to subcommittee chairmen Professor Toshinobu Kaneko and Professor Tsutomu Matsumoto for their diligent efforts and unceasing enthusiasm. To all other committee members and government participants, please accept my most sincere gratitude for your positive and informative contributions.
March 2001 Masahiko Kobayashi General Manager The Security Center Information Technology Promotion Agency, Japan
2 CRYPTREC 2000
On the CRYPTREC Evaluation Committee Report
This report contains the results of the activities of the CRYPTREC Evaluation Committee (CRYPTREC) obtained over a 12-month period. This committee was formed for the purpose of evaluating cryptographic techniques that might possibly be available for use in the area of the electronic government (e-government). It should be noted that it was extremely difficult to evaluate properly and objectively such a large number of cryptographic techniques in such a short period of time. However, because all committee members were solemnly aware that this evaluation project was and is indispensable -- not only to the nation's e-government, but also to the future development of Japan's 21st century networking capability -- the project achieved great success and made history in the area of cryptology in Japan. This success was obtained through the consistent devoted cooperation and collaboration of all parties concerned. I believe that this report contains the essential information we have been seeking concerning the evaluation of cryptographic techniques currently available for the e-government. I sincerely hope that this report is utilized directly as an efficient means of successfully creating e-governments at various levels across our country in the very near future. Prior to the start of the activities of the CRYPTREC, in fiscal year 1999, two study groups were created: “Investigation and Research Group on Information Security Standard (Criteria) for Government Procurement” (proposed by Mr. Atsuhiro Yamagishi) via the Information Technology Promotion Agency, Japan (IPA), and “Study Group on Promotion and Advancement of Cryptographic Communications” (chaired by Professor Shigeo Tsujii of Chuo University) via the Ministry of Posts and Telecommunications. In their reports, both groups stated that a governmental evaluation of cryptographic techniques was required. One of the common points, stated emphatically in both reports, stressed that the existing cryptographic techniques (on which information security is based) required objective verification --especially in terms of security -- from a technical and highly professional viewpoint. In response to these proposed reports, the consulting committee of the above-mentioned Investigation and Research Group of the IPA was dissolved in May 2000. It was followed by the establishment of the CRYPTREC, the secretariat of which is the IPA Security Center, as a project sponsored by the Ministry of International Trade and Industry (the now Ministry of Economy, Trade and Industry). This committee comprised of specialists who were equipped with the academic background and highly developed specialized knowledge of cryptography and cryptographic security techniques, and was tasked with the responsibility of evaluating cryptographic techniques in terms of security and efficiency. It is assumed that the e-government for the network society will be based on an open network. In this open network, all that essentially matters is the strategy in which the security of information handled is maintained. Viewed from this context, it is indisputable that information security technology is a primary technological factor that will support the e-government and that cryptographic techniques will form the framework for this technology. Accordingly, one of the most essential tasks aimed at the furtherance of
3 CRYPTREC 2000
creating the e-government in today's network society is the evaluation of cryptographic techniques. It should be especially noted, as far as evaluation of security of cryptographic techniques is concerned, that meaningful results will not be obtained unless cryptographic algorithms are made open to the public. Moreover, even if cryptographic algorithms are open, with no attack techniques surfacing over a certain period, it does not necessarily mean that the security is guaranteed. And yet, an explicit description of security levels is indispensable to the successful creation of the e-government. Moreover, according to “Guidelines for Cryptography Policy” recommended by the OECD council, an independent evaluation of cryptographic techniques to be used for the e-government, on which public welfare is to be based, is naturally the solemn duty of those government organizations responsible for implementing the e-government systems. Thus, the role of the CRYPTREC established to share this duty of the government organizations is extremely heavy. However, the technological levels available for cryptography evaluation at this present time are not satisfactory at all. This makes it very hard to fully evaluate the security of cryptographic algorithms. And security of cryptographic algorithms is not something guaranteed for future years. To take a concrete example, we will consider the concept of “verifiable security”. At the current technological levels, verifiable security implies a security level approved based on a certain assumption. It is certainly one important property to be considered when security is assessed. Even if, however, verifiable security is proved to a certain system, it does not necessarily mean that the system is really secure. Only qualified and experienced experts can be trusted to make a proper determination of the security offered by cryptographic algorithms and, of course, only after careful examination. Those different experts may have different opinions, but in many cases, those experts who are on the first line of cryptographic techniques, taking an active part on international stages, share common concerns and a mutual understanding of the issues involved. It was these common concerns and agreed upon understandings that were, to the greatest degree possible, gathered together to form the basis for this report. However, when a consensus in agreement could not be reached on a certain point, the committee worked to ensure that sufficient discussions were conducted from all possible angles and then biased the conclusion toward the safer side, or the more exacting side in terms of evaluation. This was considered unavoidable if the committee was to fulfill its mandate for evaluating cryptographic techniques that were actually to be used for the e-government. This report contains the best possible evaluation results of cryptographic techniques available for the e-government at this present time, and therefore, I believe, will play an indispensable role in the implementation of the e-government in the future. However, this is only the beginning. This cryptographic technique evaluation project, which followed the example of the United States AES Project in evaluating proposed/submitted cryptographic techniques in accordance with evaluation criteria, was the first one aiming to define standard cryptographic algorithms for use within the Japanese government. Everything that has been learned from the fruitful results of this project indicates that there is still a great deal of work to be done. The project was carried out in a single year, which is an exceptionally short period for evaluation -- even if it is based on currently existing evaluation techniques. Therefore, most probably there
4 CRYPTREC 2000
are some shortcomings in this evaluation report. Correcting those shortcomings is one of the prime imperatives of the committee for the coming future, as well as striving hard to keep abreast of advancements in the rapidly evolving world of cryptographic technology. Cryptographic techniques are sure to herald great advancements, and the security levels of current cryptographic systems will be subject to drastic change. With this in mind, I hope this cryptography research and evaluation project will continue for a meaningful period of time. I also hope that an organization dedicated specifically to the ongoing evaluation of cryptographic techniques will be established and I strongly hope that the activities of the CRYPTREC will provide the foundation of that organization. I am pleased to note that we were able to gather together so many of Japan's most influential cryptography researchers to take part in the CRYPTREC and its two subcommittees: the Symmetric-Key Cryptography Subcommittee, and the Public-Key Cryptography Subcommittee. Despite the pressures of his or her public duties, each committee member worked diligently to find the time necessary to participate in the activities of the CRYPTREC, willingly embracing and discharging the duties and responsibilities as a committee member. Furthermore, I would like to express my special thanks to Professor Toshinobu Kaneko of Science University of Tokyo and Professor Tsutomu Matsumoto of Yokohama National University, the subcommittee chairpersons, for their fruitful collaboration aimed at incorporating the whole evaluation activities into this report. Of course, I also wish to thank all the committee members for sharing their knowledge and experience in order to help advance the activities of this project, taking full advantage of the researchers' network. Included among the committee and the subcommittee members were the designers of the cryptographic algorithms under evaluation. This was an unavoidable situation when choosing members with talents considered indispensable to this project from the extremely limited number of cryptography researchers in our country. Let me express again my thanks and sincere appreciation to these committee members who worked openly and collaborated freely toward the shared goals of the project, without allowing their viewpoints to be in any way biased by their personal interests. In conclusion, I wish to express my deepest thanks to all the parties involved in this project, the first Japanese cryptographic evaluation project, for their cooperation in approaching the project from the standpoint of their career.
March 2001
Hideki Imai
Chairperson The CRYPTREC Evaluation Committee
5 CRYPTREC 2000
Information for Readers of This Report
This information contained in this report assumes that readers will possess basic and general knowledge of information security. Concerning e-Governance, for instance, it is assumed that readers will be engaged in business activities related to cipher, specifically as is used in such systems for electronic governance, including digital signatures and GPKI. However, as regards to the description of individual cryptography evaluation results, It is desirable that it be read by persons who possess a solid fundamental amount of knowledge of cryptographic techniques. Chapters 1 through 3 provide an overview of this cryptography evaluation project and the evaluation criteria used for cryptographic techniques. Chapters 4 through 7 briefly summarize the evaluation results of each cryptographic technique. Chapter 4 describes public-key cryptography. Chapter 5 describes symmetric ciphers of block ciphers and stream ciphers. Chapter 6 describes Hash functions, and Chapter 7 describes pseudo-random number generators. Chapter 8 briefly describes a worldwide trend towards cryptography standardization and is provided as reference information.
This cryptography evaluation is product of efforts by the CRYPTREC Evaluation Committee, which is composed of Japan's foremost cryptography experts. However, due to the rapidly evolving nature of cryptographic techniques, it cannot be assumed that this conclusions of this security evaluation will remain valid. Thus, it is indispensable that such evaluations continue for a meaningful period of time into the future. This cryptography evaluation was conducted in accordance with evaluation criteria submitted in response to a call for submissions for cryptographic techniques in June 2000. Therefore, it is probable that some of the cryptographic techniques will differ from those utilized for the same named product versions or from those proposed to other organizations, including ISO/IEC. For this cryptography evaluation, the scope of proposals was limited to cryptographic techniques whose specifications had been disclosed to the public, thus allowing contributors to obtain information concerning the specifications of cryptographic techniques under evaluation from applicants’ Web sites. Please be informed that this Committee is by no means responsible for any inadequacies, incompleteness etc., of the information provided. In implementing cryptographic techniques submitted for this cryptography evaluation, the recommended and utilized methodology was to obtain advice from experts with “special knowledge” of the cryptographic technique in question, or to use “cryptography tools (libraries)" prepared by experts skilled in cryptographic techniques.
For further information, please contact the Security Center. Any opinions and/or comments are welcome. Fax: +81-3-5978-7510E-mail: crypt[email protected]
6 CRYPTREC 2000
1. Overview of Cryptographic Technique Evaluation For the creation of an e-Government, the infrastructure of which is to be prepared and built by the fiscal year 2003, it is important to secure a common base for security. Especially, cryptographic techniques, a set of IT security measures deemed indispensable to digital authentication as well as to securing stealth and preventing falsification of digitized information, are vital to the infrastructure and security of the e-Government. This report was prepared through a technical and professional evaluation of such functions of cryptographic techniques as security and implementation, which were assumed to be available for application to and use by the e-Government of Japan, and for promoting the appropriate use of cryptographic techniques. It is expected that this report will be fully taken advantage of, as a reference material for electronic governance-related procurement actions, electric signature laws and GPKI (Government Public Key Infrastructure) activities. Among important new activities in the world of cryptographic techniques, are a work plan of ISO/IEC to develop international standard criteria for cryptographic algorithms, the New European Schemes for Signature, Integrity and Encryption (NESSIE) project in Europe, and the Advanced Encryption Standard (AES) program to replace the Data Encryption Standard (DES) algorithm as the standard cryptographic algorithm. This project, conducted under the auspices of the Ministry of Economy, Trade and Industry, is an important part of the “Information Security Policy Promotion Program. This program is the Ministry of Economy, Trade and Industry’s contribution toward Secured Infrastructure of e-Government,” which was adopted by the Ministry of Economy, Trade and Industry In April 2000. For fiscal year 2000, the evaluation of cryptographic techniques was conducted by the “CRYPTREC Evaluation Committee (CRYPTREC)," a body consisting of Japan's top specialists in cryptography and cryptographic technology, and organized for the evaluation of cryptographic techniques. The results of this evaluation is based on discussions and examinations held in the committee. A call was issued for submissions for cryptographic techniques that could be applied in building systems within the e-Government, the infrastructure of which is scheduled to be created by fiscal year 2003. Valid cryptographic techniques that should be evaluated by the Committee were listed. This report contains the results of the detailed evaluation of 35 cryptographic techniques (27 submitted and 8 non-submitted). Submissions for proposed cryptographic techniques were open from June 13, 2000 through July 14, 2000, under the categories of public-key cryptosystems, symmetric ciphers, Hash functions and pseudo-random number generators. A total of forty-eight (48) cryptographic techniques were submitted. An evaluation subcommittee of the CRYPTREC Evaluation Committee was organized to discuss and examine methods of, and criteria for, evaluation. Two other evaluation subcommittees, the Public-Key Cryptography Subcommittee and the Symmetric-Key Cryptography Subcommittee were organized as
7 CRYPTREC 2000
well. The former discussed and examined the methods and results of evaluation of public-key cryptosystems, and the latter discussed and examined the methods and results of an evaluation of symmetric ciphers, Hash functions, and pseudo-random number generators. These Subcommittees relied on advice and guidance from the CRYPTREC Evaluation Committee. The cryptography evaluation was conducted in two phases -- screening and detailed. The screening evaluation was conducted from July through September 2000. The detailed evaluation was conducted from October through March 2001.
Table 1 Schedule for Evaluation Year 2000 Year 2001 June July August Sep-te Octo- No-ve De-ce Janu-a Feb-r March April mber ber m-ber m-ber ry uary Submitting proposals for cryptographic techniques Screening evaluation Detailed evaluation Announcement of ☆ evaluation results
The result of the cryptographic techniques evaluated in the detailed evaluation period was summarized into this Evaluation Report and is based on the results of external evaluations by external evaluators, domestic and foreign academic journals and software implementation evaluations. As a PR event, a cryptographic technique symposium was held on October 20, 2000, to ensure that the activities of this cryptographic technique evaluation process could be fully understood by both domestic and international cryptography engineers and users In addition, along with the publication of this report, a debrief session, the Cryptography Evaluation Meeting (tentative), will be held to ascertain the effectiveness of the evaluation of cryptographic techniques discuss future improvements.
8 CRYPTREC 2000
CRYPTREC Evaluation Committee Committee members (titles, etc. as of the end of March 2001)
Chairman Hideki Imai Professor, Institute of Industrial Science, University of Tokyo Committee Naoyuki Iwashita Manager, Research DivisionⅡ, Institute for Monetary and member Economic Studies, Bank of Japan Committee Eiji Okamoto Professor, Department of Information Science, Faculty of member Science, Toho University Committee Tatsuaki Okamoto Fellow, NTT Information Sharing Platform Laboratories, member Nippon Telegraph and Telephone Corporation Committee Toshinobu Kaneko Professor, Department of Electrical Engineering Faculty of member Science and Technology, Science University of Tokyo Committee Kouichi Sakurai Assistant Professor, Kyushu University , Faculty of Information member Science and Electrical Engineering Committee Ryoichi Sasaki Senior Chief Researcher, Systems Development Laboratory, member Hitachi, Ltd. Committee Shigeo TSUJII Professor, Dep. of Information Systems Engineering, Faclty of member Science and Engineering,Chuo University Committee Kenji Naemura Professor, Politics Media Graduate Course, Keio University member Graduate School Committee Mitsuru Matsui Team leader, Information Security Department, Information member Technology R&D Center, Mitsubishi Electric Corporation Committee Tsutomu Matsumoto Professor, Faculty of Engineering, Yokohama National member University
(Observers) Kazuo Sunaga Cabinet Counselor, Information Security Measures Promotion Office, Cabinet Secretariat Kazuyuki Takeichi Section Chief, Technological Measures Section, Info-Communications Bureau, National Police Agency Akihiko Nakajima Section Chief, Command Communications Division, Operations Bureau, Japan Defense Agency Kuniomi Takamori Director for Planning, Government Information Planning Division, Administrative Management Bureau, Ministry of Public Management, Home Affairs, Post and Telecommunications Taku Kiyasu Director of Standardization Division, Information and Communications Policy Bureau, Ministry of Public Management, Home Affairs, Posts and Telecommunications Shingo Omori Director-General, Communications System Department, Communications Research Laboratory, Ministry of Public Management, Home Affairs, Posts and Telecommunications Hiroshi Goto Section Chief, Commercial Affairs Section, Civil Affairs Bureau, Ministry of Justice Satoru Nakada General Manager, Councilors’ Office, Minister's Secretariat, Ministry of Finance Yoshitaka Toui Director, Office of IT Security Policy, Business Affairs and Information Policy Bureau, Ministry of Economy, Trade and Industry
9 CRYPTREC 2000
Isao Hatta General Manager, General Manager, Information Electricity Standards Promotion Office, Industrial Technology Environment Bureau, Ministry of Economy, Trade and Industry Kazuhito Omaki Director, Computer Science Division, Electrotechnical Laboratory, National Institute of Advanced Industrial Science and Technology, Ministry of Economy, Trade and Industry
10 CRYPTREC 2000
Committee members of the Public-Key Cryptography Subcommittee (titles, etc. as of the end of March 2001)
Chairman Tsutomu Matsumoto Professor, Faculty of Engineering, Yokohama National University Committee Seigo Arita Assistant Manager, Security Technology Group, Internet member Systems Research Laboratories, NEC Corporation Committee Jun Kogure Senior Researcher, Secure Computing Lab., Computer Systems member Laboratories, FUJITSU LABORATORIES LTD. Committee Yasuyuki Sakai Information Security Department, Information Technology member R&D Center, Mitsubishi Electric Corporation Committee Hiroki Shizuya Professor, Education Center for Information Processing, member Tohoku University Committee Atsushi Shimbo Research Scientist, Computer and Network Systems member Laboratory, Corporate Research and Development Center, Toshiba Corporation Committee Masashi Takahashi Security Systems Research Center, Hitachi, Ltd., Systems member Development Laboratory Committee JinHui Chao Professor, Dept. of Electrical, Electronic and Communication member Engineering, Faculty of Science and Engineering, Chuo University Committee Atsushi Fujioka Senior Research Scientist, Information Security Project, NTT member Information Sharing Laboratories, Nippon Telegraph and Telephone Corporation Committee Natsume Matsuzaki Multimedia Development Center, Matsushita Electric Industrial member Co., Ltd. Committee Atsuko Miyaji Associate Professor, School of Information Science, Japan member Advanced Institute of Science and Technology
Committee members of the Symmetric-Key Cryptography Subcommittee (titles, etc. as of the end of March 2001)
Chairman Toshinobu Kaneko Professor, Department of Electrical Engineering Faculty of Science and Technology, Science University of Tokyo Committee Kiyomichi Araki Professor, Department of Electrical and Electronics member Engineering, Science and Engineering Graduate School, Tokyo Institute of Technology Committee Toru Koda Professor, Kyushu University , Faculty of Information Science member and Electrical Engineering Committee Shinichi Kawamura Senior Research Scientist, Computer & Network Systems member Laboratory, Corporate Research and Development Center, Toshiba Corporation Committee Masayuki Kanda Research Engeneer, Information Security Project, NTT member Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation Committee Kazukuni Kobara Research Associate, Institute of Industrial Science, University member of Tokyo
11 CRYPTREC 2000
Committee Kouichi Sakurai Assistant Professor, Kyushu University , Faculty of member Information Science and Electrical Engineering Committee Takeshi Shimoyama Secure Computing Lab., Computer Systems Laboratories, member FUJITSU LABORATORIES LTD. Committee Kazuo Takaragi Chief Researcher & Manager, Security Systems Research member Center, Systems Development Research Laboratory, Hitachi, Ltd. Committee Makoto Tatebayashi Chief Engineer, Multimedia Development Center, Matsushita member Electric Industrial Co., Ltd. Committee Yukiyasu Tsunoo Principal Researcher, Security Technology Group, Internet member Systems Research Laboratories, NEC Corporation Committee Toshio Tokita Information Security Department, Information Technology R member & D Center, Mitsubishi Electric Corporation Committee Masakatsu Morii Professor, Intelligence Information Engineering Division, member Engineering Department, University of Tokushima
12 CRYPTREC 2000
Observers of the Public-Key Cryptography Subcommittee and the Symmetric-Key Cryptography Subcommittee (titles, etc. as of the end of March 2001)
Masahiro Masuga Command Communications Division, Operations Bureau, Japan Defense Agency Noriyasu Matsui Command Communications Division, Operations Bureau, Japan Defense Agency Hidetaka Imazumi Government Information Systems Planning Division, Administrative Management Bureau, Ministry of Public Management, Home Affairs, Posts and Telecommunications Takeshi Tandai Standardization Division, Information and Communications Policy Bureau, Ministry of Public Management, Home Affairs, Posts and Telecommunications Kiyoharu Imai Standardization Division, Information and Communications Policy Bureau, Ministry of Public Management, Home Affairs, Posts and Telecommunications Akihiro Yamamura Emergency Traffic Research Office, Communications System Division, Communications Research Laboratory, Ministry of Public Management, Home Affairs, Posts and Telecommunications Atsushi Kuwabara Information Security Policy Planning Office, Information-technology Promotion Division, Information Industries Bureau, Ministry of International Trade and Industry Mondo Yamamoto Office of IT Security Policy, Business Affairs Policy Planning Bureau, Ministry of Economy, Trade and Industry Yuji Tanabe Office of IT Security Policy, Business Affairs Policy Planning Bureau, Ministry of Economy, Trade and Industry Shinji Ishii Office of IT Security Policy, Business Affairs Policy Planning Bureau, Ministry of Economy, Trade and Industry Yoshiyuki Hirano Information Electricity Standardization Promotion Office, Standardization Division, Industries Engineering Environment Bureau, Ministry of Economy, Trade and Industry Hajime Watanabe Computer Science Division, Electrotechnical Laboratory, National Institute of Advanced Industrial Science and Technology, Ministry of Economy, Trade and Industry Kazumaro Aoki Research Planning Division, Research Planning Administration Department, Telecommunications Advancement Organization of Japan
(Secretariat) Cryptographic Techniques Research Office Security Center Information Technology Promotion Agency, Japan
13 CRYPTREC 2000
2. Solicited Cryptographic Techniques 2.1 Categories of Solicited Cryptographic Technique Cryptographic technology has a long history. In terms of cipher used in e-Government, it refers to modern cryptographic techniques whose research activities expanded rapidly in the latter half of 1970's. One of the most distinctive features of modern cryptographic techniques is that procedures for encryption and decryption are widely available to the public. Modern cryptographic techniques are broadly classed as symmetric ciphers, represented by DES (Data Encryption Standard) which was opened to the public in 1976, and public-key cryptosystems, represented by the RSA cipher scheme proposed by Rivest-Shamir-Adleman. These two types of ciphers support three security functions: confidentiality, signature, and authentication. Symmetric ciphers are mainly used for confidentiality while public-key cryptosystems are chiefly used for signature and authentication. Both of these ciphers are usually used in a system so that their features can be each be the complementary half of an integral whole. For instance, when both the transmitter and the receiver share a secret key (symmetric-key) in symmetric cipher, the key sharing function of public-key cryptography is used. When a digital signature is created in public-key cryptography, the digital signature created after the plaintext is processed with cryptographic Hash function(s). A pseudo-random number generating scheme is required for generating key pairs of public-key cryptography (public- private key pairs), secret keys (symmetric-keys), or key seeds. This pseudo-random number generating scheme is required for many public-key cryptographys as a random number source when functions of confidentiality and signature require implementation. Symmetric ciphers are divided into block ciphers and stream ciphers based on their data processing structure. Block ciphers process data one block at a time, while stream ciphers process data bit by bit in a stream. Figure 2.1.1 shows a classification of solicited cryptographic techniques.
14 CRYPTREC 2000
Confidentiality
Signature Public-Key Systems rporpi Techniques Cryptographic Authentication
Key Sharing
Block Ciphers Symmetric Ciphers Stream Ciphers
Hash Functions
Pseudo-Random Number Generating Schemes
Figure 2.1.1 Classification of Solicited Cryptographic Techniques
15 CRYPTREC 2000
2.2 Public-key cryptography When evaluated from the viewpoint of information security, public-key cryptographys are broadly classed as integer factoring problems, discrete logarithm problems and discrete logarithm problems on elliptic curves. In terms of function, they are classed as signature, confidentiality, key sharing, and authentication. In this cryptography evaluation, solicited cryptographic techniques, classed by function (a combination of a cryptographic scheme and primitive/ auxiliary function), were evaluated. Here, a cryptographic scheme refers to an algorithm used to stimulate its functions using cryptographic primitives and auxiliary functions (cipher auxiliary functions). It consists of requirements for cryptographic primitives, requirements for auxiliary functions, and a description of the algorithm. A cryptographic primitive refers to a cryptographic primitive algorithm that offers security based on security proof, including integer factoring problems, discrete logarithm problems, and discrete logarithm problems on elliptic curves. An auxiliary function refers to a factor, including Hash functions, random numbers (pseudo-random numbers) required, besides the cryptographic primitive, for a cryptographic scheme to perform its function.
2.2.1 Public-Key Cryptosystem for Confidentiality The Confidentiality function helps the transmitter and the receiver to share arbitrary information between them in secrecy. Confidentiality for a huge amount of data is usually implemented by using symmetric ciphers. Public-key cryptography is occasionally used for the cryptographic communication of small amounts of information. The procedure is shown below.
[Transmitter A] [Receiver B]
B’s "public-key" B’s "secret key"
Communications channel
Public-key Public-key Information cryptography cryptography Information (encryption) (decryption)
Figure 2.2.1 Example of Confidentiality Function Using Public-Key Cryptography
16 CRYPTREC 2000
Step 1: The receiver B generates a public-private key pair and discloses the public key. Step 2: The transmitter A obtains the receiver B’s public-key, encrypts information (plaintext) to be transmitted using B’s public-key, and transmits it to the receiver B. Step 3: The receiver B receives information (plaintext) by decrypting the received ciphertext using his private key.
17 CRYPTREC 2000
2.2.2 Public-Key Cryptosystem Implementing Signature Function The signature function helps to confirm the validity of digital information. Validity of digital information refers both to the function used to confirm who has created the signature and to the function used to confirm whether or not there has been tampering with the digital information itself. The outline of the procedure is shown below.
[Signature sighed by A] [Signature verified by B] Communications channel
Digital Verification Generation Verification document result
Verification and decryption key (A’s "public-key")
Signature generation key (A’s "secret key") Decryption Digital document
Figure 2.2.2 Example of Signature Function Using Public-Key Cryptography Techniques
Step 1: A generates a public-private key pair and discloses the public key. Step 2: A prepares a digital document with a signature using a private key. Step 3: A transmits the digital document with a signature to B. Step 4: B decrypts the digital document and obtains the verification result by processing the digital document with a signature using A’s public key.
18 CRYPTREC 2000
2.2.3 Public-Key Cryptosystem Implementing Authentication Function The authentication function is used to confirm the validity of the other party to be authenticated. This function can be implemented using symmetric ciphers, but public-key cryptosystem are occasionally used to avoid complexity of the key control. Authentication of the other party using a public-key cryptosystem refers to use of a technology that helps to prove the presence of a secret key (private key) corresponding to a public key by transmitting and receiving information between the party to authenticated and the party performing validation. This is done in accordance with a pre-defined procedure (authentication protocol), utilizing public-key signature function cryptosystem technology or public-key confidentiality function cryptosystem technology, and by utilizing the secret key held secretly by the other party to be and the public-key used for verification. An authentication function sample using public-key cryptography techniques is shown in Figure 2.2.3.
[Party performing validation] [The party to be authenticated]
Randomly generated data
" Secret-key" of the party to be authenticated Communications channel
Public-Key Public-Key Matching Cryptosystem Cryptosystem
OK/NG "Public-key" of the
party to be authenticated Figure 2.2.3 Example of Authentication Function Using Public-Key Cryptosystem (2-move type)
Step 1: The party to be authenticated generates a public-private key pair, and the public key is exposed to the public. Step 2: The party performing validation transmits arbitrary information generated by a random number generator to the other party to be authenticated. Step 3: The other party to be authenticated generates the ciphertext of the transmitted information (signature) by using the secret key of the party to be authenticated. Step 4: The ciphertext is transmitted to the party performing validation.
19 CRYPTREC 2000
Step 5: The party performing validation obtains the plaintext by decrypting the transmitted ciphertext using the public-key of the other party to be authenticated. Step 6: The received plaintext and the generated digest are compared for authentication purposes. If they match, the party to be authenticated is considered to be “valid." If not, the party to be authenticated is considered to be "invalid."
20 CRYPTREC 2000
2.2.4 Public-Key Cryptosystem Implementing Key Sharing Function Key sharing/distribution refers to a scheme under which “key” information is shared/distributed between the transmitter and the receiver at the time symmetric cipher technology is used. Public-key cryptosystem technology is mainly used for large-scale systems multiple users. Key sharing based on public-key cryptosystem technology is also implemented using public-key cryptosystem with the confidentiality function described above. The following is a procedure used for the D/H key sharing key sharing mechanism, proposed by Diffie and Hellman.
[User A] [User B]
Random number XA is generated. Random number XB is generated. Communications channel
User B’s public-key information User A’s public-key information
is operated, and the result Y is is operated, and the result Y is A B transmitted to User B. transmitted to User A.
Key information is generated Key information is generated
(shared), using Y and X (shared), using Y and X B A. A B.
Figure 2.2.4: Example of the Key Sharing Mechanism Using Public-Key Cryptography (DH type)
Step 1: Information for public distribution to be shared by the whole system is generated and distributed to each user. (In the D/H key sharing mechanism, prime number p and primitive root α are disclosed to each user.)
Step 2: User A generates a random number XA. (XA is specified as User's A’ secret key.)
Step 3: User A’s public-key YA is generated from the random number XA and the disclosed information shared by the system.
X A (In the D/H key sharing mechanism, YA = α mod p is generated as User A's public key.) Step 4: User B generates a random number XB. (XB is specified as User's B’ secret key.)
Step 5: User A's public-key YB is generated from the random number XB and the disclosed information shared by the system.
X B (In the D/H key sharing mechanism, YB = α mod p is generated as User B's public
21 CRYPTREC 2000
key.) Step 6: User A and user B exchange public-key YA and public-key YB between the two. Step 7: Shared key K is generated from the secret keys and received public-keys. (In the D/H key sharing mechanism, User A and user B calculate
X A X A X B X B X B X A K = ()YB mod p = α mod p and K = (YA ) mod p = α mod p
respectively, and the result K is specified as the shared key.)
22 CRYPTREC 2000
2.3 Symmetric Cipher Technology 2.3.1 Block Ciphers A block cipher breaks the plaintext into blocks of the same size for encryption. For many block ciphers, the block size is 64 bits or 128 bits. A 64 bit block cipher is divided into blocks with a size of 64 bits. A 128 bit block cipher is divided into blocks with a size of 128 bits. A block cipher consists of a data randomizing part and key scheduling part (See Figure 2.3.1).
Plaintext (64 bit or 128 bit)
Key scheduling part
Extended Data randomizing key part Secret-key
Ciphertext (64 bit or 128 bit)
Figure 2.3.1 Simplified Diagram of a Block Cipher
As seen in the result of the DES-Challenge Ⅲ contest, the current state of processing performance and the speed of computer evolution had to be taken into consideration. Block ciphers with secret keys of 128 bits or longer were solicited for the year 2000 evaluation. The key scheduling part generates an expansion key from the secret key used in data randomizing part. Plaintext is converted into ciphertext based on the expansion key, which is input into the data randomizing part. In decryption, ciphertext is transformed into plaintext by using the same key as used in encryption. Feistel Structure and SPN Structure are typical of data randomizing part (See Figure 2.3.2).
23 CRYPTREC 2000
S layer F
function P layer
S layer
F Extended key P layer function
F S layer function
Round function
(i) Feistel Structure (ii) SPN Structure
Figure 2.3.2 Typical Structures of Data Randomizing Part
In Feistel Structure the input is divided into two parts. One part, which is input into F function, repeats the structure influencing the other part. This F Function is composed of non-linear functions, including S-box. In SPN Structure the input is not divided. It repeats round functions composed of S Layer (non-linear) and P Layer (linear). The number of this repetition inside F functions or round functions is called “number of rounds.” In addition, Feistel Structure is extended into various types, as shown in Figure 2.3.3 (i) and Figure 2.3.3 (ii). Here, just for convenience, these are named transformed Feistel structures. Block ciphers have some modes of operation. The one shown in Figure 2.3.1 is called ECB Mode.
24 CRYPTREC 2000
F F F function function function
F F function function
F function
F F function function F function
(i) (ii) Figure 2.3.3 Sample of Transformed Feistel Structures
2.3.2 Stream Ciphers A stream cipher, unlike a block cipher which operates on blocks of data, operates on plaintext sequences, usually bits. (An encryption method that works with continuous streams of input rather than fixed blocks.) Ciphertext sequences are obtained by logically adding key sequences exclusively to plaintext sequences (Figure 2.3.4).
Secret-key
Key sequence generator
Key sequence
Plaintext sequence Ciphertext sequence
Figure 2.3.4 Sample of Stream Cipher Structures
25 CRYPTREC 2000
Various structures are available for Stream, and therefore, unlike block ciphers, stream ciphers have no such typical structure. During the decryption process, plaintext sequences are obtained by logically adding key sequences exclusively to ciphertext sequences. Various structures are available for Stream, and therefore, unlike block ciphers, stream ciphers have no such typical structure. During the decryption process, plaintext sequences are obtained by logically adding key sequences exclusively to ciphertext sequences.
2.4 Hash Functions Hash functions for cipher were also solicited for the year 2000 evaluation, with the assumption that password authentication, digital signature, and message authentication were used. Therefore, the performance required of cryptographic Hash functions are unidirectionality and no collision. Unidirectionality refers to a property that makes it impossible for input to be computed from output. Collision refers to a property that outputs the same hash value against two different inputs. Due to the same factors as taken into consideration for block ciphers, stream ciphers with hash values of 128 bits or longer were solicited for the year 2000 evaluation.
2.5 Pseudo-random Number Generating Scheme A pseudo-random number generating scheme is assumed to be used for generating cryptographic keys and key seeds. A pseudo-random number generating scheme, although it is similar to true number generating scheme in terms of property, provides such poor uniformity that sufficiently large random numbers cannot be expected for this type of usage, when it uses, for instance, the user's keyboard input interval time. Pseudo-random number generating schemes, solicited for the year 2000 evaluation, were expected to produce a sufficient amount of random numbers required to meet the above-mentioned needs, with a sufficiently low probability of generating specific numbers, and with a uniform distribution of random numbers. In addition, since it is required for cipher usage, it requires the ability to generate high quality random numbers that will make it almost impossible to forecast through quantitative calculation. Lastly, any physical random numbers that require use of special equipment was disqualified from submitting a proposal for cryptographic techniques.
26 CRYPTREC 2000
3. Overview of Cryptographic Technique Evaluation 3.1 Purpose of the Evaluation The proposed cryptographic technologies were evaluated from security and implementation aspects. Evaluation on implementation was addressed from software (SW) implementation and hardware (HW) implementation viewpoints. Evaluation of proposed cryptographic schemes was based on the results of evaluation conducted at two different stages. The first stage of design evaluation contained verification of security attestation and validity of assumption. The second stage of implementation evaluation contained an evaluation of countermeasures against various attacks that might be expected after designing work. Unfortunately, for both stages of the security evaluation, design evaluation and attack evaluation, statistical and quantitative evaluation is insufficient. That is, evaluation from a viewpoint of cryptographic analysis technology is indispensable as well. Analysis and design of a cryptographic scheme are the two sides of the same coin. In other words, in the evaluation of cryptographic strength, some conditions for decipherment (use environment, attacker’s calculation etc.) are assumed. Under this assumption, the calculational loads required to identify an employed cryptographic key by utilizing the information quantity required (the amount of plaintext or ciphertext required to be collected) and the information actually collected, is shown by decrypting through an adequate decrypting technique. Cryptographic strength is typically evaluated by utilizing information quantity and information actually collected. As a matter of fact, the number of cryptographic analysis applied for evaluation should not be limited to a single technique; that is, evaluation utilizing more than one cryptographic analysis techniques is indispensable. Evaluation standards vary in accordance with environments in which the cryptographic techniques are used and conditions under which cryptographic techniques are applied. Therefore, a security evaluation should be performed based on more than one decrypting technique. When using the evaluated cryptographic techniques, an "overall judgment" should be made, taking into consideration various factors, such as the system’s information security policy, environments in which cryptographic techniques are used, and conditions under which cryptographic techniques are to be applied. Figure 3.1 shows how cryptographic analysis techniques, cryptographic design technique and safe ciphers are related to each other.
Secure cryptographic systems
Cryptographic Cryptanalytic design methodology techniques
Figure 3.1 Safe ciphers and Design/Analysis Techniques
27 CRYPTREC 2000
In addition, in terms of security evaluation, a systematic evaluation of security should also be included with the evaluation results shown in this report. Systematic evaluations are to be performed based on the ISO/IEC 15408 Common Evaluation Criteria (CC=Common Criteria), etc. In addition, cryptographic techniques implemented on a real system need further evaluation. Furthermore, in terms of evaluation on implementation viewpoints, implementation characteristics should be taken into account, based on the security policy of the applied system.
3.2 Screening Evaluation and Detailed Evaluation Evaluation was conducted in two phases: screening and detailed. (i) Screening Evaluation During the screening evaluation, a decision was made the proposed cryptographic techniques met the criteria indicating the need for more detailed evaluation, based on the submitted documents. The items examined in the screening evaluation were as follows: ・ A check was performed to confirm that each required item of information needed for the detailed evaluation (presence of description, logical consistency/self-sufficiency in submitted documents) had been provided. ・ An examination was performed to determine if there were any shortcomings (of decipherment techniques, etc.) that could easily found in the submitted documents. ・ The proposed cryptographic technique specifications were examined to confirm whether the Self-Evaluation information was sufficient and valid (whether or not it was adequate). (ii) Detailed Evaluation Detailed evaluation included evaluation of security and of implementation (software implementation and hardware implementation). The security evaluation performed had two phases; a integrated evaluation of existing cryptographic analysis techniques (attack methods), which was conducted by external cipher experts both in Japan and abroad, and a check for the existence of shortcomings (of decipherment methods) peculiar to the proposed cryptographic techniques. In the software implementation evaluation, speed was evaluated utilizing sample codes implemented by submitters on a unified platform. For hardware evaluation, cipher implementation researchers in Japan were asked to estimate the number of gates and the processing speed on the assumption that hardware was to be implemented in the process of FPGA1 or GA2.
1 FPGA: an abbreviation of Field Programmable Gate Array 2 GA: an abbreviation of Gate Array For the platform used in this Project, GA of nearly 0.3μm was assumed.
28 CRYPTREC 2000
3.3 Evaluation Criteria for Asymmetric Cryptographic Schemes 3.3.1 Security Evaluation Criteria Submitted cryptographic schemes, in a broader definition of the expression (hereinafter named Cryptographic Scheme3), included procedures (cipher protocol) which could be used to implement one for confidentiality, authentication, signature, or key sharing. It was then evaluated in terms of security, based on the assumption that a basic cryptographic algorithm meeting the requirements for specified cryptographic scheme (hereinafter named Cryptographic Primitive4) and its auxiliary function(s) existed. The cryptographic primitive(s) and auxiliary function(s) used in the proposed sample implementation were evaluated to determine if they were appropriate and valid for the specified requirements. In addition, recommended parameters and primitives were evaluated to determine whether they were vulnerable to the most likely forms of attack. (a) Security evaluation items for cryptographic schemes The most likely forms of attack against the proposed cryptographic scheme were selected, and the behavior of the cryptographic scheme when varying the methods and goals of the attacks against it was evaluated in terms of security. For each combination of the methods and attack goals, the security of the scheme was evaluated from aspects such as, if it had a proof of security, if it could be considered to be heuristically secure, and so on. Attack methods used included active attacks, passive attacks, and other attacks Goals of attacks: influence on the security function to be implemented (confidentiality, authentication, signature, or key sharing) (b) Security evaluation items for cryptographic primitives For each cryptographic primitive, the security against well-known attacks, based on integer factoring problems, discrete logarithm problems, elliptic curve discrete logarithm problems as security proof, was evaluated. (i) Evaluation items for primitive cipher based on integer factoring problems Computational strength against well-known attacks and other attacks particular to the primitive (ii) Evaluation items for cryptographic primitives based on discrete logarithm problems on finite fields Computational resistance against well-known attacks and other attacks particular to the primitive (iii) Evaluation items for cryptographic primitives based on discrete logarithm problems on elliptic curves Computational resistance against well-known attacks and other forms of attack particular to the primitive
3 Cryptographic scheme: a cryptographic scheme in a broader definition of the scheme, which includes a procedure (cipher protocol) used to implement such function as signature, key sharing and so forth. 4 Cryptographic Primitive: a basic cryptographic algorithm that provides information security functions
29 CRYPTREC 2000
(iv) Evaluation items for cryptographic primitives based on other security proofs Well-known attacks against security proofs and other forms of attack particular to the primitive
3.3.2 Evaluation of Software Implementation For the year 2000, software implementation evaluation was performed, based on the actual code(s) prepared by applicants to confirm whether or not the main program for implementation was valid . In terms of security, evaluation was conducted based on the strength of RSA (cipher based on integer factoring problems) 1024 bits or longer. Software evaluation items were as follows: ・ Submitted cryptographic techniques specifications (In order to determine whether the proposed technological information was accurate and sufficient enough for third parties to implement the software) ・ Executability evaluation on the specified platform (No special hardware or huge amounts of memory should be required) ・ Evaluation of resource use quantity, including processing speed and memory, on the specified platform
Platform Specified: CPU : PentiumIII (650MHz) OS : Windows98 SE Memory installed : 64MB Compiler : Visual C++ Ver.6.0 SP3
30 CRYPTREC 2000
3.4 Evaluation Criteria for Symmetric Cryptographic Schemes 3.4.1 Security Evaluation Criteria The security evaluation criteria consists of security in information quantity and security in computational complexity. Information security based on the information theory was developed by Shannon. The amount of a key should be more than that of a plaintext in order to satisfy the requirements. This is not realistic in an operational sense. Security of symmetric ciphers is shown in terms of computational security, not in terms of information theory. Computational security refers to the degree of computational difficulty of “guessing correctly” what the secret key is. However, there is no such absolute evaluation method by which computational security is explicitly shown. Accordingly, actual attacks are attempted, and security is evaluated in terms of cost (amounts of calculation required, of data, and of memory), which is required for the attacks. Since actual attacks should be performed, it should be assumed that cryptographic algorithms are publicly known and available to the public. Under the conditions available to attackers, attack methods are generally classified as follows: ・Ciphertext only attacks Attacks where only ciphertext is available ・Known plaintext attacks Attacks where ciphertext corresponding plaintext is available Attackers attempt penetration using plaintext-ciphertext pairs somehow. ・Chosen-plaintext attacks Attacks where plaintext arbitrarily selected by attackers and ciphertext corresponding to it are available Plaintext ciphertext pairs propitious for attackers are available, since attackers may have access to cipher generators Difficulty varied in attacks, though it depends on the information available to attackers. Chosen-plaintext attacks are the most advantageous, known plaintext attacks the second most advantageous, and ciphertext only attacks the least advantageous to attackers. If a cryptographic scheme can be attacked by ciphertext only attacks, nobody will believe that the scheme provides sufficient security. The attacks described above have a condition that plaintext corresponding to a sufficient amount of ciphertext is well-known. If attackers have an infinite comptation time, an exhaustive search will eventually yield the secret key. From an academic viewpoint, it is assumed that an attack will be successful if the cost required for the attack is less than that required for exhaustive search. To put it concretely, if an attack method by which a cipher using k bits can be attacked at less cost, the cipher is insufficiently secure. Taking into account present day trends, such as DES-Challenge Ⅲ (a DES code-breaking contest held in January 1999; in which the user key (56 bits) was decrypted in about 22 hours) and rapid advancements in processing speed, it is estimated that the cost of nearly 264 is allowed.
31 CRYPTREC 2000
Therefore, even no problems exist for practical purposes even if it is possible to attempt an attack with a
k 64 cost of less than 2 (> 2 ), the situation as described above suggests that it should not be relied upon for a long period of time. Roughly speaking, attack methods can be broken down into two types -- general-purpose attacks applicable to ciphers included in the same category and specific attacks aimed at individual ciphers. For proposed ciphers belonging to the same category, two different evaluations were conducted: lateral and individual. In the lateral evaluation, general-purpose attacks were applied and attempted by the same evaluator against ciphers belonging to the category. In the individual evaluation, attacks were attempted to locate weak points peculiar to each proposed cipher. The results of these evaluations were briefly summarized into an inclusive report. Symmetric ciphers provide 64 bit block ciphers, 128 bit block ciphers, and stream ciphers. Refer to Section 5.1.1 for detailed information on 64 bit block ciphers. Refer to Section 5.1.2 for detailed information on evaluation of security concerning 128 bit block ciphers. Refer to Section 5.1.3 for detailed information on evaluation of security concerning stream ciphers.
(1) Block ciphers In evaluation of block ciphers for the year 2000, strength against general-purpose attacks was evaluated on the following items: ・Differential cryptanalysis ・Linear cryptanalysis ・Higher order differential cryptanalysis In addition, avalanche evaluation, where statistical properties of output were evaluated, was conducted.
Differential cryptanalysis and linear cryptanalysis Differential cryptanalysis was proposed by Biham and Shamir in 1990. Differential cryptanalysis, the first attack on DES, is a general-purpose attack technique that is applicable to the whole block cipher. It is one of the chosen-plaintext attacks applicable to two pairs of plaintexts and ciphertext when there is a correlation between the difference in the plaintexts and that in the ciphertexts. Linear cryptanalysis was proposed by Matsui of Mitsubishi Electric Corporation in 1993. Linear cryptanalysis, proposed as an attack on DES like differential cryptanalysis, is a general-purpose attack technique that is applicable to the whole block cipher. It is one of the most well-known plaintext attacks, and is applicable when there is a correlation between exclusive-OR of specific input bits and that of output bits. Resistance against these attacks is given in maximum differential probability and maximum linear probability. Security is assured when these probabilities remain small. It is difficult, however, to obtain true values of maximum differential probability and maximum linear probability. Thus, in their place,
32 CRYPTREC 2000
maximum differential characteristics probability and maximum linear differential characteristics probability are sometimes used. These values are estimated by the following: 1. By obtaining the upper bound of probability through evaluation of each component 2. By obtaining probability through computer search
Provable security against differential cryptanalysis and linear cryptanalysis attacks Some of the submitted cryptographic schemes attempted to show that they had a provable security against differential cryptanalysis and linear cryptanalysis attacks. In 1992 Nyberg mathematically proved that when F function’s maximum differential probability against a block cipher of Feistel structure is p, the maximum differential probability of the entire block cipher is 2p2 or less, if a minimum of four rounds is provided. Later, Nyberg’s mathematical proof was unified as a provable security measure against differential cryptanalysis and the linear cryptanalysis attacks, with a similar index as that given to linear attacks. Nyberg’s mathematical proof was developed by Matsui and Aoki into a higher level of discussion and is now a technique in which security can be mathematically proved. It should be noted, however, that this is a provable security that is only valid for differential cryptanalysis and linear cryptanalysis attacks.
Higher order differential cryptanalysis attack A Higher order differential attack, proposed by Lai in 1994, was employed by Knudsen and Jakobsen in an attack against the KN cryptographic scheme of experimental block ciphers. The higher order differential value of output is one of applicable chosen-plaintext attacks when it is to be a constant independent from plaintext fixed values and expanded keys. The KN cryptographic scheme has a provable security against the above-mentioned differential/linear cryptanalysis attacks. It has been proposed that it is possible to attack the KN cryptographic scheme by using higher order differential cryptanalysis, since the algebraic degree of its F function is small. The effect of an attack depends on the number of rounds used. The smaller the number is, the less the cost. On the other hand, the algebraic degree of output depends on what bit of plaintext is to be selected as variable. Thus, the minimum number of rounds required for an attack depends on how the variable bit is selected. At this date, however, there is no best selection method. For a cryptographic scheme of N bit I/O, the algebraic degree of output does not exceed N even if all input bits are to be variables. In general, however, It is assured that a cryptographic scheme has a proof of security when a formal algebraic degree of output block larger than N.
Evaluation of avalanche property Evaluation of avalanche property refers to an evaluation used to check how often differentials appear by output bit location when specific differential values are given to output; thus, describing the behavior at each output bit position. This evaluation method not only treats a cryptographic algorithm as a black
33 CRYPTREC 2000
box, but also digitizes the evaluation, thus enabling an integrated comparison of cryptographic algorithms. Targeted items of the evaluation of avalanche property were encryption processing including key scheduling part, and input/output in a single key scheduling part and a single round function. Appearance frequencies of differentials, diffusion of differentials, correlation coefficients where differentials appear, items of effective key size were examined. In general it may be said that all symmetric ciphers are composed of the following: ・Round function ・Data randomizing part ・Key scheduling part Accordingly, the following items were evaluated in the evaluation of avalanche property: (1) Single round function (2) Data randomizing part (3) Single key scheduling part The following items were evaluated, based on these evaluation results: (4) The entire encryption processing including the key scheduling part
Evaluation items The following items of Avalanche evaluation were examined and evaluated: (1) AVA : Difference in frequencies whose output differential values are to (appearance frequency of be 0 and 1. In the year 2000 evaluation, input differential was differentials) ⊿X. Hamming weights of key differential ⊿K, m=1, 2 were also evaluated and examined. (2) AVD : Average value of Hamming weights of output differential (diffusion value of differentials) values (3) CC : Correlation coefficient of output differential values at ith bit (correlation coefficient where position and jth bit position differentials appear) (4) UKV (effective key quantity) : Ratio of evaluation values, which satisfy relative standard values, to AVA, where key differential value of Hamming weight 1 is given
Constituent elements of symmetric ciphers and targeted statistical properties of the whole system are broadly classed as follows: ・Correlation of input and output ・Correlation of key and output
Techniques for statistical authorization The pseudo-random number generating function must be implemented for such statistical data
34 CRYPTREC 2000
authorization. In addition, it is necessary to generate random number series by using the pseudo-random number generating function. Authorization is conducted after these obtained data are collected and analyzed. ・It is assumed that there is no statistical bias if the worst deflection rate of AVA is below the relative standard value ・The closer to AVD n/2 is, the less the statistical bias is (output data length n). ・The absolute value of CC is 1 or less, where it is assumed that the closer to 0 it is, the stronger its independence is. ・Key data lengths closer to UKV are preferable.
(2) Stream Ciphers A stream cipher, in general, specifies output from a pseudo-random number generator as a key sequence, the initial value of which is then specified as a secret key. In this report, the following items of evaluation, described in FIPS-140-1/2, were chosen and employed in order to evaluate statistical properties of output sequences: ・Long periodicity ・Linear complexity ・Frequency of 0/1, etc. ・Monobit test ・Poker test ・Runs test ・Long run test These items were evaluated solely for further examination and scrutiny of statistical properties. High marks of evaluation on statistical properties do not necessarily mean that the actual cryptographic scheme is sufficiently secure. Thus, resistance against general purpose attacks, including Divide-and-Conquer Attack and Correlation Attack, were evaluated, using the same general criteria that Individual evaluations were performed for block ciphers.
35 CRYPTREC 2000
3.4.2 Evaluation of Software Implementation Cryptographic schemes should be evaluated, not only in terms of security, but also in terms of implementation, taking into account how they are actually to be employed. Requirements for the implementation of cryptographic schemes in the designed e-Government are still unknown at this point in time. For software implementation evaluation, the following three environments have been assumed: the PC environment that is seemingly most commonly used at the time of evaluation, a server environment which is the most widespread present, and a high-end environment in which high performance is actually implemented. All submitted cryptographic schemes were evaluated taking into consideration the most commonly used PC environment at present, because it can be assumed that it will be the environment in which any one selected cryptographic scheme will be implemented. To further demonstrate the capability of each cryptographic scheme design, one of the other two environments was selected by the applicant as a location for further evaluation. Taking a realistic point of view, we are fully aware that evaluation of the submitted cryptographic schemes in low-specification environment should also have been done. However, the extremely limited period of time available time for evaluation forced us defer this evaluation technique. In addition, Hash functions and pseudo-random number generating schemes were not examined in the software evaluation. A proposed cryptographic scheme program was applied to a real system or an application by the applicant. The evaluation was carried out in the presence of the committee member(s). Evaluation was performed, using the same hardware and evaluation programs, under the most impartial conditions possible. Moreover, there may be minor variations in evaluation values according to documents you refer to. Some of the evaluation values may be different from those provided in this report, depending on the actual evaluation program(s) and/or evaluation environment(s) employed. It is also possible that, even if the same hardware and evaluation program are used, evaluation results may greatly vary depending on the operating system and resident programs. Accordingly, please note that the numerical values shown in this Report may not be achieved in subsequent reevaluations. Additionally, please note that this evaluation of software implementation also aimed at comparing trends in processing speed implemented by the submitted cryptographic schemes. The hardware environment used for this evaluation of software implementation was as follows:
1. PC environment CPU : Pentium III (650MHz) OS : Windows98 SE Memory installed : 64MB Compiler : Visual C++ Ver6.0 SP3
2. Server environment
36 CRYPTREC 2000
CPU : Ultra SPARC Ⅱi (400MHz) OS : Solaris 7 Memory installed : 256MB Compiler : Forte C 6
3. High-end environment CPU : Alpha21264 (463MHz) OS : Tru64 UNIX V5.1 Memory installed : 512MB Compiler : DEC C
Concerning block ciphers, the following two items were evaluated: 1. Data randomizing part 2. Key scheduling part plus data randomizing part The data randomizing part was evaluated, based on the complexity which is independent from an operational frequency of the CPU (for 64 bit block ciphers, for instance, by counting the cycle of the CPU required to convert 64 plaintexts into ciphertexts). For 128 bit block ciphers, it was evaluated by counting the cycle of the CPU required to convert 128 bit plaintexts into ciphertexts. This evaluation was done by specifying keys to 1MB plaintexts (ciphertexts) to be encrypted (decrypted). Therefore, the amount of calculation required for the setup of keys could be ignored. For one evaluation event, 1MB encryption (decryption) was repeated 128 times, through which the maximum speed and the average values were collected. Each evaluation was repeated three times. For evaluation of the key scheduling part plus the data randomizing part, keys were set up each time a block cipher was encrypted (decrypted). The other evaluation conditions were the same as those for the evaluation of the data randomizing part. However, the value obtained by subtracting from this value the value specified in the data randomizing part described above may sometimes be different from the one specified in the key scheduling part, depending on the implementation method. For evaluation of stream ciphers, evaluation was only performed on the data randomizing part, assuming that no key setup is required. We are aware that, in terms of software implementation, some stream ciphers were not evaluated sufficiently, due to the use of the same evaluation program(s) as employed for 64 bit block ciphers. In terms of usage, stream ciphers are more software-oriented than block ciphers. Therefore, evaluation of stream ciphers should be performed primarily from software implementation point of view, rather than from hardware implementation point of view. Thus, the evaluation of software implementation for stream ciphers aimed to confirming whether performance meeting the minimum requirements of usage could be achieved under the targeted software implementation.
37 CRYPTREC 2000
3.4.3 Evaluation of hardware implementation In this project, evaluation of hardware implementation was performed for the submitted symmetric ciphers, with a view to confirming their “usability. Depending on the process employed (Field Programmable Gate-Array, Gate Array), evaluation items were varied, including processing speed and resource use quantity (the amount of use cell in the case of Field Programmable Gate-Array, the number of used gates in the case of Gate Array, etc.). In this project, the evaluation of hardware implementation was performed, based on the hardware implementation information (results) described in the documents submitted by the applicant. Only verification for information validity regarding processing speed and resource consumption described in the submitted documents was conducted, based on the submitted simulation evaluation results. Here, “usability” refers to a state of condition where a submitted cryptographic technique is not merely a theory, but it can actually be implemented, with functions being available for implementation, in accordance with the applied categories.
[Evaluation method of block ciphers] Targeted devices for evaluation of block ciphers included ASIC library of 0.25 – 0.35μm, Verilog-HDL as design description language, and Design Compile for circuit synthesis. In this project, moreover, for the evaluation of hardware implementation, Triple DES (3-Key), a cryptographic technique that needs further evaluation, was examined as an indicator of relative evaluation. However, it should be limited to use as a guideline pertaining to running speed, gate size, etc, due to differences in implementation architectures and optimized conditions. In addition, while its utility depends largely on the person’s experience in implementation, in almost all cases, some improvement in performance (processing speed, miniaturization) can be expected during actual implementation. [Evaluation method of stream ciphers] Hardware implementation of stream ciphers was evaluated on Altera Corp’s FPGA Compiler, in a simulation of programs prepared in C Programming Language describing the circuit by a Verilog-HDL simulator. Evaluation was conducted giving a higher priority to processing-speed-oriented design conditions, under which an appropriate scale of circuit was implemented. The development environment used for the evaluation of hardware implementation is shown below: ・ModelSim VHDL/Verilog Version 5.4e (Model Technology) ・Synplify (Synplicity Inc.) 3.5 Evaluation Method of Hash Functions A hash function is a function taking an n-bit input and producing an m-bit output (n>m). Functions required of a hash function are “onewayness” and “no collision.” Onewayness refers to a property that makes it impossible for inputs to be computed from an output. Collision refers to a property that outputs
38 CRYPTREC 2000
the same hash value against two different inputs. A hash function takes an n-bit input and produces an m-bit output, where n is larger than m. Thus, theoretically, no collision is impossible. The input is larger than the output. Complete collisionlessness is impossible. Accordingly, if no collision is found in an actual calculation of a hash function, it is assumed that the function has no collision. There was no hash function proposed for the year 2000 evaluation project. Techniques that are currently in widespread use were evaluated in terms of security, based on documents currently available.
3.6 Evaluation Method of Pseudo-random Number Generating Techniques The usage of pseudo-random number generating schemes described here is different from that of stream ciphers. A pseudo-random number generating scheme is used to generate random numbers utilized for generating cryptographic keys or key seeds. Cryptographic strength is required of a pseudo-random number, the nature of which is similar to that of a true random number. During the security evaluation, the evaluation items of FIPS-140-1/2 etc., employed for the evaluation of the above-mentioned pseudo-random number generator for stream ciphers, were also employed here to evaluate random numbers which had been output. ・Long periodicity ・Linear complexity ・Frequency of 0/1, etc. ・Monobit test ・Poker test ・Runs test ・Long run test A pseudo-random number generator is used for generating ciphers, and it is impossible to forecast what will be output. Therefore, it must have input space sufficiently larger than the output space.
4. Evaluation of Public Key Cryptography
4.1 General Comments
4.1.1 List of Public Key Cryptographic Techniques as Targets of Detailed Evaluation
39 CRYPTREC 2000
By function and security, the public key cryptographic techniques for which a detailed evaluation was performed can be classified as shown below.
Function Security Signature Confidentiality Key Sharing Basis Integer Factoring ACE Sign EPOC-1 ;Notes3 ESIGN-signature EPOC-2 ;Notes3 RSA-PSS EPOC-3 ;Notes3 HIME-1 ;Notes4 HIME-2 RSA-OAEP Discrete Logarithm DSA ACE Encrypt DH
Elliptic Curve ECDSA in SEC1 ECAES in SEC1 ECDHS in SEC1 Discrete Logarithm MY-ELLTY ECMR-160/192/OEF-h PSEC-1 ;Notes3 ECMQVS in SEC1 PSEC-2 ;Notes3 HDEF-ECDH PSEC-3 ;Notes3
Notes:
(1) Although a scheme named "ESIGN-identification" was entered in the "Authentication" function category, it had no description as an authentication protocol. Moreover, since it was the same, except for its name, as ESIGN-signature, which was entered in the "Signature" function category, the Committee merged it into ESIGN-signatures.
(2) MY-ELLTY ECMR-160/192/OEF-h was entered as three different items: MY-ELLTY ECMR-160-h, MY-ELLTY ECMR-192-h, and MY-ELLTY ECMR-OEF-h. However, since the three were considered one and the same as a signature scheme, only using different fields, the Committee evaluated them as a single entry.
(3) EPOC-1, EPOC-2, and EPOC-3 were entered as a cryptographic group named EPOC, and PSEC-1 PSEC-2, and PSEC-3 as a cryptographic group named PSEC. However, since they were mutually different techniques, the Committee divided them as mentioned above.
(4) HIME-1 was entered in the "Key Sharing" function category. Its cryptographic scheme is for one entity to send the other entity a key to be shared after encrypting it by a public key cryptographic technique. Since this use can be applied to all cryptographic schemes classified into the "Key Sharing" function category, the Committee shifted HIME-1 to the "Confidentiality" function category. That is, only the part in which both entities are involved for key generation was left in the "Key Sharing" function category.
This report describes individual public key cryptographic schemes in the following order (see the above table): signature - integer factoring, signature - discrete logarithm, signature - elliptic curve discrete logarithm, confidentiality - integer factoring, confidentiality - discrete logarithm,
40 CRYPTREC 2000
confidentiality - elliptic curve discrete logarithm, key sharing - discrete logarithm, and key sharing - elliptic curve discrete logarithm. In each section, they are arranged in alphabetical order.
4.1.2 General Comments on Public Key Cryptographic Techniques Software implementability evaluation has confirmed that all the public key cryptographic techniques evaluated in detail in this project have generally acceptable processing performance with respect to implementability. This section summarizes the results of evaluation, with emphasis on security, of the individual cryptographic techniques in this project, describing the results separately with respect to the signature, confidentiality, and key sharing functions. In cases where security issues contrary to the arguments made by the proposers of cryptographic techniques were pointed out, if no final conclusion was reached in this project, it is clearly mentioned to that effect. As for such matters, it is desirable to continue to evaluate them in subsequent projects or elsewhere. A basic feature required of the cryptographic technologies used for Electronic Government would be that a specifically defined cryptosystem, including the method of specifying parameters, can widely achieve a consensus that it is secure at the present time and that the risk of becoming immediately unsecure is small. Such a consensus would be based partly on the empirical knowledge that the cryptosystem has been used widely without any significant security problems. At the same time, using the concept of "provable security" would be effective in minimizing ambiguities in security evaluation. It should be noted, however, that this concept does not mean that a particular cryptosystem has been proven to be secure. In this section, the expression "provable security under a set of assumptions" refers to the following situation: That is, the expression that a certain public key cryptosystem has provable security means that if there should be a method of attacking the cryptosystem or its idealized cryptosystem, thus threatening the security that the cryptosystem is intended to provide, it can be strictly proved that under a certain assumption, a method of solving another mathematical problem with less complexity can be derived. An idealized cryptosystem of a cryptosystem is a virtual cryptosystem identical to the original cryptosystem, except that an auxiliary function (such as a hash function) used in the cryptographic scheme is replaced by a virtual one (such as a random function). The expression "under a set of assumptions" is used to mean that the reliability of the security of a cryptosystem varies depending on differences in the target of attack (whether the cryptosystem itself or an idealized cryptosystem), the type of mathematical problem, the degree of computational complexity, the type of security in question, the type of attacking method, preconditions, and so forth. As long as the proof of provable security is correct, the fact that the cryptosystem has provable security cannot be reversed later. However, since the estimated computational complexity of a mathematical problem can vary depending on theoretical progress or changes in the technical environment, a cryptosystem that has provable security under a set of assumptions that holds at the
41 CRYPTREC 2000
present time can become an unsecure cryptosystem in the future. Besides, it may be discovered in the future that there is a significant security gap between the cryptosystem and its idealized cryptosystem. Meanwhile, the fact that it is not proved at the present time that a cryptosystem has provable security does not mean that the cryptosystem is not secure. The reason is that there can be cases in which the security of a cryptosystem that has been widely used without any significant security problems cannot be proved in terms of provable security with proving techniques available at the present time. It is considered that methods for building cryptosystems achieving provable security are being established for signature and confidentiality cryptography, but not for key sharing cryptographic techniques. Schemes for Signatures (1)ACE Sign Particular problems on security of ACE Sign have not been pointed out. ACE Sign has certain provable security under a set of assumptions. A little bit stronger mathematical assumption is required, the proof of the provable security of the scheme does not need any idealized auxiliary function, while other digital signature schemes require an idealized function. Moreover, the sizes of a prime factor p and modulus n should satisfy the following conditions: 1024 ≤ |n| ≤ 16384, and |p| ≥ 512. Furthermore, the form of the prime factor is restricted. And yet, its specification only uses MARS for a symmetric key cipher employed as an auxiliary function. Note that this submitter announced a digital signature algorithm whose name is the same of this submission and differs from this submission. (2)ESIGN-signature Serious problems on security of firstly proposed ESIGN using small exponents have been dispelled. ESIGN-signature has certain provable security under a set of assumptions. To satisfy the assumptions, it is important to select appropriate parameters carefully. Since the form of the modulus is different from those in textbook RSA signature and RSA-PSS schemes, it is not clear whether or not this scheme achieves the same security when one selects the size recommended in those schemes for the modulus. The security of this scheme depends on the difficulty of the approximate e-th root assumption. In this assumption, the sizes of n and e are essential for difficulty. Since there exists a difference of condition for these sizes in submitted documents: e ≥ 5 (conditions in Specification), e ≥ 8, |p| = |q| ≥ 320, |n| ≥ 960 (recommended sizes in Specification), e ≥ 1024, |p| = |q| = 384, |n| = 1152 (adopted sizes in Software Implementation), e ≥ 8, |n| ≥ 1024 (recommended sizes in the Draft Guidelines for Authorizing Special Certification Businesses based on the Law of Electronic Signatures and Certification Businesses), it is necessary to select those sizes after due consideration. (3)RSA-PSS Particular problems on security of RSA-PSS have not been pointed out. RSA-PSS has certain provable security under a set of assumptions whereas the textbook RSA signature scheme is not known to have.
42 CRYPTREC 2000
To ensure the assumptions, the user is advised to select appropriate parameters. (4)DSA For DSA defined in FIPS 186-2, particular problems on security have not been pointed out. The user is advised to select appropriate parameters to make the underlying discrete logarithm problem hard. We should note that its security is bounded above because the size of number of modulus is restricted between 512 and 1024. It has not been verified that DSA attains certain provable security. It is reported that the method of generating random numbers described in FIPS 186-2 Appendix 3 is unreliable. More analyses are desirable. (5)ECDSA in SEC1 Particular problems on security of ECDSA in SEC1 have not been pointed out. It is guaranteed that no known attack is effective against the curves, given in SEC2, recommended for the use in ECDSA in SEC1. The Koblitz curves are included in SEC2 because fast group operation can be implemented. However, the class of Koblitz curves is restricted and so a specific attack against them may appear. It has not been verified that ECDSA in SEC1 attains some level of provable security, however, it has been reported that ECDSA in SEC1 is provably secure under a set of assumptions in a certain recent paper. We did not come to an agreement on the validity of the paper and the practical effectiveness of the proof method, and hence, more analyses are desirable. (6)MY-ELLTY ECMR-160/192/OEF-h MY-ELLTY ECMR-160/192/OEF-h is existentially forgeable spending 2^40 (or 2^48) complexity by the attack based on the birthday paradox, because the size of the hash value used in it is too short. We cannot say that it has no problems on security. Thus, we cannot recommend it for a digital signature algorithm if the signatures produced by it are required to be alive for long term. Moreover, we do not confirm at present that it has a provable security, since its proof for a provable security in this submission document has an error. Schemes for Confidentiality (7)EPOC-1 Except for the following issues of EPOC-1 no problems on security have been pointed out. EPOC-1 has certain provable security under a set of assumptions. To satisfy the assumptions, it is important to select appropriate parameters carefully. Since the form of the modulus is different from that in RSA scheme, it is not clear whether or not this scheme achieves the same security when one selects the size recommended in RSA scheme for the modulus. It is also pointed out that more conditions for parameters are needed to achieve the enough security. But that appropriateness has not been confirmed in the committee. Hence more consideration is needed to clear the condition for selecting parameters. (8)EPOC-2 Except for the following issues of EPOC-2 no problems on security have been pointed out. EPOC-2 has certain provable security under a set of assumptions. To satisfy the assumptions, it is important to
43 CRYPTREC 2000
select appropriate parameters carefully. Since the form of the modulus is different from that in RSA scheme, it is not clear whether or not this scheme achieves the same security when one selects the size recommended in RSA scheme for the modulus. It is also pointed out that the recommended sizes for parameters the applicant asserted are not sufficient and more conditions are needed to achieve the enough security. But that appropriateness has not been confirmed in the committee. Hence more consideration is needed to clear the condition for selecting parameters. (9)EPOC-3 Except for the following issues of EPOC-3 no problems on security have been pointed out. EPOC-3 has certain provable security under a set of assumptions. To satisfy the assumptions, it is important to select appropriate parameters carefully. Since the form of the modulus is different from that in RSA scheme, it is not clear whether or not this scheme achieves the same security when one selects the size recommended in RSA scheme for the modulus. It is also pointed out that the recommended sizes for parameters the applicant asserted are not sufficient and more conditions are needed to achieve the enough security. Furthermore, it is pointed out that the gap-factoring assumption on which the security of this scheme depends is relatively new notion and the difficulty of this problem is not clear. But that appropriateness has not been confirmed in the committee. Hence more consideration is needed to clear the condition for selecting parameters. (10)HIME-1 The description of Specification is ambiguous. For this reason, it is impossible to implement this scheme properly. It has not been confirmed that this scheme has provable security since there are some mistakes in the proof of security. Since the form of the modulus is different from that in RSA scheme, it is not clear whether or not this scheme achieves the same security when one selects the size recommended in RSA scheme for the modulus. It is necessary to take care of Elliptic Curve Method (ECM) since there are some cases in selecting parameters that it is more effective for cryptanalysis than Number Field Sieve Method (NFS). (11)HIME-2 The description of Specification is ambiguous. For this reason, it is impossible to implement this scheme properly. It has not been confirmed that this scheme has provable security since there are some mistakes in the proof of security. Since the form of the modulus is different from that in RSA scheme, it is not clear whether or not this scheme achieves the same security when one selects the size recommended in RSA scheme for the modulus. It is necessary to take care of Elliptic Curve Method (ECM) since there are some cases in selecting parameters that it is more effective for cryptanalysis than Number Field Sieve Method (NFS). (12)RSA-OAEP Particular problems on security of RSA-OAEP have not been pointed out. RSA-OAEP has certain provable security under a set of assumptions. To ensure the assumptions, the user is advised to select appropriate parameters. It is reported that RSA-OAEP is semantic secure (equivalently
44 CRYPTREC 2000
non-malleable) against an adaptive chosen ciphertext attack under a set of assumptions. (13)ACE Encrypt Particular problems on security of ACE Encrypt have not been pointed out. ACE Encrypt has certain provable security under a set of assumptions. A little bit stronger mathematical assumption is required, but it can be proved that has provable security condition without replacing an auxiliary function with an ideal one, while other encryption algorithm requires an ideal function. Moreover, the sizes of modulus p and parameter q should satisfy the following conditions: 1024 ≤ |n| ≤ 16384, and |q| = 256. Furthermore, the form of the prime factor is restricted. And yet, its specification only uses MARS for a symmetric key cipher employed as an auxiliary function. Note that this submitter announced a digital signature algorithm whose name is the same of this submission and differs from this submission. (14)ECAES in SEC1 Particular problems on security of ECAES in SEC1 have not been pointed out. ECAES in SEC1 has certain provable security under a set of assumptions. It is guaranteed that no known attack is effective against the curves given in SEC2. The Koblitz curves are included in SEC2 because fast group operation can be implemented. However, the class of Koblitz curves is restricted and so a specific attack against them may appear. (15)PSEC-1 It is pointed out that there exist some problems in primitive encryption function and the provable security of this scheme has not been confirmed. And it is also pointed out that different conditions from those the applicant asserted are needed to prove the security. If these are correct, the size of message for an encryption is markedly restricted. But that appropriateness has not been confirmed in the committee. Hence more consideration is needed to clear the condition for selecting parameters. (16)PSEC-2 Except for the following issues of PSEC-2 no problems on security have been pointed out. PSEC-2 has certain provable security under a set of assumptions. It is pointed out that the recommended sizes for parameters the applicant asserted are not sufficient and different conditions are needed to achieve the enough security. But that appropriateness has not been confirmed in the committee. Hence more consideration is needed to clear the condition for selecting parameters. (17)PSEC-3 Except for the following issues of PSEC-3 no problems on security have been pointed out. PSEC-3 has certain provable security under a set of assumptions. It is pointed out that the recommended sizes for parameters the applicant asserted are not sufficient and more consideration for sizes of parameters is needed to achieve the enough security. It is also pointed out that more operation must be added to decryption algorithm. Furthermore, it is pointed out that the elliptic curve gap-DH assumption on which the security of this scheme depends is relatively new notion and the difficulty of this problem is not clear. But that appropriateness has not been confirmed in the committee. Hence more
45 CRYPTREC 2000
consideration is needed to clear the condition for selecting parameters. Schemes for Key Sharing (18)DH There are numerous variations to the Diffie-Hellman scheme, and hence, each protocol (e.g. RFC2631, ISO/IS11770-3, Oakley, PGP) has to be evaluated respectively. However this year we evaluated only the basic primitive of DH. Particular problems on security of DH with respect to passive attacks, where adversaries do not affect the protocol, have not been pointed out. However, the user is advised to ensure at least the followings against active attacks (adversaries affect the protocol). A. Employ a method to authenticate the relationship between the entities and their keys. B. A public key should be discarded after each communication when DH is employed as a session key agreement scheme. C. A key derivation function should be used to make the established key indistinguishable from a random number. (19)ECDHS in SEC1 Particular problems on security of ECDHS in SEC1with respect to passive attacks, where adversaries do not affect the protocol, have not been pointed out. However, the user is advised to ensure at least the followings against active attacks (adversaries affect the protocol). A. Employ a method to authenticate the relationship between the entities and their keys. B. A public key should be discarded after each communication when ECDHS in SEC1 is employed as a session key agreement scheme. It is guaranteed that no known attack is effective against the curves given in SEC2. The Koblitz curves are included in SEC2 because fast group operation can be implemented. However, the class of Koblitz curves is restricted and so a specific attack against them may appear. (20)ECMQVS in SEC1 Particular problems on security of ECMQVS in SEC1with respect to passive attacks, where adversaries do not affect the protocol, have not been pointed out. However, the user is advised to ensure at least the followings against active attacks (adversaries affect the protocol). A. Employ a method to authenticate the relationship between the entities and their keys. B. A public key should be discarded after each communication when ECMQVS in SEC1 is employed as a session key agreement scheme. It is guaranteed that no known attack is effective against the curves given in SEC2. The Koblitz curves are included in SEC2 because fast group operation can be implemented. However, the class of Koblitz curves is restricted and so a specific attack against them may appear. (21)HDEF-ECDH The proposal consists of the basic elliptic curve DH scheme (each entity uses the same elliptic curve) and a variant (each entity uses a distinct elliptic curve). The proposal puts emphasis on the method of generating elliptic curve parameters.
46 CRYPTREC 2000
The evaluation on the basic scheme is same as that on (18) DH. Particular problems on security of HDEF-ECDH with respect to passive attacks, where adversaries do not affect the protocol, have not been pointed out. However, the user is advised to ensure at least the followings against active attacks (adversaries affect the protocol). A. Employ a method to authenticate the relationship between the entities and their keys. B. A public key should be discarded after each communication when HEDF-ECDH is employed as a session key agreement scheme. C. A key derivation function should be used to make the established key indistinguishable from a random number. We did not come to an agreement whether or not the variant is more secure than the basic scheme as the submitter claims. More analyses are desirable. It is guaranteed that no known attack is effective against the curves employed in HDEF-ECDH, however, the class of the elliptic curves is restricted and so a specific attack against them may appear.
47 CRYPTREC 2000
4.2 Evaluation Classified by Function
4.2.1 Signature
【Results of Software Implementation of Public Key Cryptosystems for Signature Use】 Of those public key cryptographic techniques for signature use that were evaluated in detail, the following three entries were evaluated for software implementability: (1) ESIGN-signature
(2) ECDSA in SEC1
(3) MY-ELLTY ECMR-160/192/OEF-h
With respect to RSA-PSS and DSA, which are two public key cryptographic techniques for signature use that were submitted for detailed evaluation, the Committee judged that it was not necessary to evaluate them for software implementability partly because they should be evaluated in other respects and partly because they had already been implemented widely. With respect to ACE Sign, its specifications were modified after it was entered for evaluation. Therefore, the Committee did not evaluate the software implementability corresponding to the techniques described in the initially submitted documents. The above three schemes whose software implementability was evaluated are considered to be at implementable levels. The proposers of these three schemes were requested to select implementation parameters in such a way that security is equal to or higher than that of a 1,024-bit RSA cryptosystem. Approximate execution speeds (measured) of key generation, signature generation, and signature verification, are shown below together with estimated code sizes.
48 CRYPTREC 2000
[Characteristics and Measurement Parameters]
Implementation Parameter Scheme Measured Security Evidence Other and Character ESIGN-signature Integer factoring problem Composite number size: Security parameter of ESIGN is 10 bits. (IF) 384 bits × 3 = 1,152 bits It is programmed in C as described in its specification. Nothing special is done to increase speed or save memory. MY-ELLTY ECDLP 192-bit prime Equivalent to RSA 1,536 Security has been verified against the ECMR-192-h field bits MOV reduction, FR reduction, and SSSA attacks (criteria cleared). MY-ELLTY OEF Equivalent to RSA 1,024 Fixed parameter. Binary incorporation. ECMR-OEF-h bits Binary incorporation of preliminary MY-ELLTY 160-bit prime Equivalent to RSA 1,024 computing results. Refer to table. ECMR-160-h field bits ECDSA in SEC1 160-bit prime Equivalent to RSA 1,024 • Since the two coefficients of an field bits elliptic curve are related to each other by the output of SHA-1 (which 163-bit field cannot be controlled), free selection is with randomly verifiable. characteristi • As required by the X9.62 c 2 specification, the SHA-1 input value is also described as part of the parameter.
[Key Pair Generation Speed (Approximate)]
Scheme Measured Average Remarks Execution Time ESIGN-signature Prime number generation and random number generation are not 50.8 ms included. The length of composite numbers is 384 bits × 3 = 1,152. Measured value, including random number generation and prime 452.8 ms number generation. MY-ELLTY ECMR -192-h 0.8 ms Random number generation is included. Actual use requires replacement of the random number generation MY-ELLTY ECMR -OEF-h 0.7 ms mechanism, hence a change in the time. MY-ELLTY ECMR -160-h 0.7 ms ECDSA in ECDSA 1.9 ms Key pair generation. SEC1 160-bit prime Key pair verification. The verification is not required when the key field 5.8 ms pair has been generated by the user. ECDSA 3.2 ms Key pair generation. 163-bit field Key pair verification. The verification is not required when the key with 8.0 ms characteristic 2 pair has been generated by the user.
49 CRYPTREC 2000
[Signature Generation Speed (Approximate)]
Average Auxiliary Scheme Measured Remarks Execution Time Function ESIGN-Signature 9.2 ms SHA-1 Size of data to be signed: 31 KB 49.1 ms Size of data to be signed: 178 KB MY-ELLTY ECMR-192-h 2.0 ms SHA-1 Size of data to be signed: 31 KB Random number generation is 9.2 ms Size of data to be signed: 178 KB included. SHA-1 MY-ELLTY ECMR-OEF-h 1.9 ms Size of data to be signed: 31 KB is used as an auxiliary function. 9.6 ms Size of data to be signed: 178 KB SHA-1 processing time increases in MY-ELLTY ECMR-160-h 1.9 ms Size of data to be signed: 31 KB proportion to file 9.7 ms Size of data to be signed: 178 KB length. ECDSA ECDSA 3.7 ms SHA-1 Size of data to be signed: 31 KB in SEC1 160-bit prime field 11.1 ms Size of data to be signed: 178 KB ECDSA 5.0 ms Size of data to be signed: 31 KB 163-bit field with characteristic 2 13.1 ms Size of data to be signed: 178 KB
[Signature Verification Speed (Approximate)]
Scheme Measured Average Execution Time Remarks ESIGN-Signature 6.6 ms Size of data to be signed: 31 KB 44.3 ms Size of data to be signed: 178 KB MY-ELLTY ECMR-192-h 5.4 ms Size of data to be signed: 31 KB Although it is designed in such a 12.8 ms Size of data to be signed: 178 KB way that the MY-ELLTY ECMR-OEF-h 4.4 ms Size of data to be signed: 31 KB validity of verification will 11.9 ms Size of data to be signed: 178 KB be checked, the result is not output MY-ELLTY ECMR-160-h 4.3 ms Size of data to be signed: 31 KB in the 11.9 ms Size of data to be signed: 178 KB implementation this time. ECDSA 160-bit prime field 9.7 ms Size of data to be signed: 31 KB in SEC1 17.2 ms Size of data to be signed: 178 KB 163-bit field with 13.6 ms Size of data to be signed: 31 KB characteristic 2 21.4 ms Size of data to be signed: 178 KB
50 CRYPTREC 2000
4.2.2 Confidentiality
In the category of confidentiality, seven entries were submitted for evaluation: EPOC, HIME-1, HIME-2, RSA-OAEP, ACE Encrypt, ECAES in SEC1, and PSEC. However, since EPOC and PSEC are cryptographic groups, each of which have three schemes, 11 schemes were actually evaluated. The table on the following page summarizes the characteristics and security of each scheme. Characteristics • The functions of the schemes were classified from the viewpoint mentioned below. The schemes can be classified into three categories: those in which the length of plaintext that can be encrypted in a single scheme operation is limited (L1), those in which there is no such limitation (L2), and a subclass of L2 where key distribution phase and encrypted communication phase can be divided (L3). In L1, the schemes are primarily designed with consideration for the distribution of secret keys used for symmetric cryptosystems and MAC functions. The schemes in L2 and L3 are hybrids between public key cryptography and symmetric cryptography. These schemes are designed with consideration for general encrypted communication (with message authentication functions) as well.
• With respect to effective plaintext length, ciphertext length, public key length, and secret key length, the table lists the typical parameter sizes, based on those recommended in the specifications, that are considered to provide the strength equivalent to that of RSA 1,024 bits. For those schemes with no parameter sizes expressly recommended, the parameter sizes used in the descriptions of implementability in their specifications were regarded as recommended values. In addition, the following points were considered for as unified comparison as possible: