DOCSLIB.ORG

Cryptography in Python Hashes, ECC and ECDSA, Eth Keys Library ECDSA in Python: Generate / Load Keys

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cryptography in Python Hashes, ECC and ECDSA, Eth Keys Library ECDSA in Python: Generate / Load Keys Table of Contents Welcome 1.1 Preface 1.2 Cryptography - Overview 1.3 Hash Functions 1.4 Crypto Hashes and Collisions 1.4.1 Hash Functions: Applications 1.4.2 Secure Hash Algorithms 1.4.3 Hash Functions - Examples 1.4.4 Exercises: Calculate Hashes 1.4.5 Proof-of-Work Hash Functions 1.4.6 MAC and Key Derivation 1.5 HMAC and Key Derivation 1.5.1 HMAC Calculation - Examples 1.5.2 Exercises: Calculate HMAC 1.5.3 KDF: Deriving Key from Password 1.5.4 PBKDF2 1.5.5 Modern Key Derivation Functions 1.5.6 Scrypt 1.5.7 Bcrypt 1.5.8 Linux crypt() 1.5.9 Argon2 1.5.10 Password Encryption 1.5.11 Exercises: Password Encryption 1.5.12 Secure Random Generators 1.6 Pseudo-Random Numbers - Examples 1.6.1 Secure Random Generators (CSPRNG) 1.6.2 Exercises: Pseudo-Random Generator 1.6.3 Key Exchange and DHKE 1.7 Diffie–Hellman Key Exchange 1.7.1 DHKE - Examples 1.7.2 Exercises: DHKE Key Exchange 1.7.3 Encryption: Symmetric and Asymmetric 1.8 Symmetric Key Ciphers 1.9 Cipher Block Modes 1.9.1 Popular Symmetric Algorithms 1.9.2 The AES Cipher - Concepts 1.9.3 AES Encrypt / Decrypt - Examples 1.9.4 Ethereum Wallet Encryption 1.9.5 2 Exercises: AES Encrypt / Decrypt 1.9.6 ChaCha20-Poly1305 1.9.7 Exercises: ChaCha20-Poly1305 1.9.8 Asymmetric Key Ciphers 1.10 The RSA Cryptosystem - Concepts 1.10.1 RSA Encrypt / Decrypt - Examples 1.10.2 Exercises: RSA Encrypt / Decrypt 1.10.3 Elliptic Curve Cryptography (ECC) 1.10.4 ECDH Key Exchange 1.10.5 ECDH Key Exchange - Examples 1.10.6 Exercises: ECDH Key Exchange 1.10.7 ECC Encryption / Decryption 1.10.8 ECIES Hybrid Encryption Scheme 1.10.9 ECIES Encryption - Example 1.10.10 Exercises: ECIES Encrypt / Decrypt 1.10.11 Digital Signatures 1.11 RSA Signatures 1.11.1 RSA: Sign / Verify - Examples 1.11.2 Exercises: RSA Sign and Verify 1.11.3 ECDSA: Elliptic Curve Signatures 1.11.4 ECDSA: Sign / Verify - Examples 1.11.5 Exercises: ECDSA Sign and Verify 1.11.6 EdDSA and Ed25519 1.11.7 EdDSA: Sign / Verify - Examples 1.11.8 Exercises: EdDSA Sign and Verify 1.11.9 Quantum-Safe Cryptography 1.12 Quantum-Safe Signatures - Example 1.12.1 More Cryptographic Concepts 1.13 Digital Certificates - Example 1.13.1 TLS - Example 1.13.2 One-Time Passwords (OTP) - Example 1.13.3 Crypto Libraries for Developers 1.14 JavaScript Crypto Libraries 1.14.1 Python Crypto Libraries 1.14.2 C# Crypto Libraries 1.14.3 Java Crypto Libraries 1.14.4 Conclusion 1.15 3 4 Welcome Practical Cryptography for Developers - Free Book A modern practical book about cryptography for developers with code examples, covering core concepts like: hashes (like SHA-3 and BLAKE2), MAC codes (like HMAC and GMAC), key derivation functions (like Scrypt, Argon2), key agreement protocols (like DHKE, ECDH), symmetric ciphers (like AES and ChaCha20, cipher block modes, authenticated encryption, AEAD, AES-GCM, ChaCha20-Poly1305), asymmetric ciphers and public-key cryptosystems (RSA, ECC, ECIES), elliptic curve cryptography (ECC, secp256k1, curve25519), digital signatures (ECDSA and EdDSA), secure random numbers (PRNG, CSRNG) and quantum-safe cryptography, along with crypto libraries and developer tools, with a lots of code examples in Python and other languages. Author: Svetlin Nakov, PhD - http://www.nakov.com This book is free and open-source, published under the MIT license. Official GitHub repo: https://github.com/nakov/practical-cryptography-for-developers-book. Sofia, November 2018 Summary Welcome Preface Cryptography - Overview Hash Functions Crypto Hashes and Collisions Hash Functions: Applications Secure Hash Algorithms Hash Functions - Examples Exercises: Calculate Hashes Proof-of-Work Hash Functions MAC and Key Derivation HMAC and Key Derivation HMAC Calculation - Examples Exercises: Calculate HMAC KDF: Deriving Key from Password PBKDF2 Modern Key Derivation Functions Scrypt Bcrypt Linux crypt() Argon2 Password Encryption Exercises: Password Encryption Secure Random Generators Pseudo-Random Numbers - Examples Secure Random Generators (CSPRNG) Exercises: Pseudo-Random Generator Key Exchange and DHKE Diffie–Hellman Key Exchange DHKE - Examples Exercises: DHKE Key Exchange Encryption: Symmetric and Asymmetric 5 Welcome Symmetric Key Ciphers Cipher Block Modes Popular Symmetric Algorithms The AES Cipher - Concepts AES Encrypt / Decrypt - Examples Ethereum Wallet Encryption Exercises: AES Encrypt / Decrypt ChaCha20-Poly1305 Exercises: ChaCha20-Poly1305 Asymmetric Key Ciphers The RSA Cryptosystem - Concepts RSA Encrypt / Decrypt - Examples Exercises: RSA Encrypt / Decrypt Elliptic Curve Cryptography (ECC) ECDH Key Exchange ECDH Key Exchange - Examples Exercises: ECDH Key Exchange ECC Encryption / Decryption ECIES Hybrid Encryption Scheme ECIES Encryption - Example Exercises: ECIES Encrypt / Decrypt Digital Signatures RSA Signatures RSA: Sign / Verify - Examples Exercises: RSA Sign and Verify ECDSA: Elliptic Curve Signatures ECDSA: Sign / Verify - Examples Exercises: ECDSA Sign and Verify EdDSA and Ed25519 EdDSA: Sign / Verify - Examples Exercises: EdDSA Sign and Verify Quantum-Safe Cryptography Quantum-Safe Signatures - Example More Cryptographic Concepts Digital Certificates - Example TLS - Example One-Time Passwords (OTP) - Example Crypto Libraries for Developers JavaScript Crypto Libraries Python Crypto Libraries C# Crypto Libraries Java Crypto Libraries Conclusion Tags: cryptography, free, book, Nakov, Svetlin Nakov, hashes, hash function, SHA-256, SHA3, BLAKE2, RIPEMD, MAC, message authentication code, HMAC, KDF, key derivation, key derivation function, PBKDF2, Scrypt, Bcrypt, Argon2, password hashing, random generator, pseudo-random numbers, CSPRNG, secure random generator, key exchange, key agreement, Diffie-Hellman, DHKE, ECDH, symmetric ciphers, asymmetric ciphers, public key cryptosystems, symmetric cryptography, AES, Rijndael, cipher block mode, AES-CTR, AES-GCM, ChaCha20- Poly1305, authenticated encryption, encryption scheme, public key cryptography, RSA, ECC, elliptic curves, secp256k1, curve25519, EC points, EC domain parameters, ECDH key agreement, asymmetric encryption scheme, 6 Welcome hybrid encryption, ECIES, digital signature, RSA signature, DSA, ECDSA, EdDSA, ElGammal signature, Schnorr signature, quantum-safe cryptography, digital certificates, TLS, OAuth, multi-factor authentication, crypto libraries, Python cryptography, JavaScript cryptography, C# cryptography, Java cryptography, C++ cryptography, PHP cryptography. 7 Preface Preface ... Most books about cryptography are written either in too academic style with a lot of theory, like http://cacr.uwaterloo.ca/hac. ... Others are too old: ... ... Others are not bad, but not free: https://leanpub.com/crypto https://www.amazon.com/Cryptography-Developers-Tom-St-Denis/dp/1597491047 Crypto libraries come with limited and not consistently organized documentation, e.g. the Crypto++ Wiki https://www.cryptopp.com/wiki/Main_page. ... Now I am happy to publish a developer-friendly practical cryptography book. It holds just what developers need to know in order to use cryptography in their every day work. It does not cover the internals of the algortithms and how to design symmetric ciphers or authentication algorithms. It covers the basic understanding of the core cryptographic concepts and how to use them: libraries, tools, code examples. ... The book author Svetlin Nakov is involved with applied cryptography from 2005, when he published the book "Java for Digitally Signing Documents of the Web" (in Bulgarian), following his master thesis on a similar topic. ... It is not required to be strong mathematician to understand the cryptographic concepts from developer perspective. This book will teach you the basic concepts is almost math-free style. 8 Cryptography - Overview Overview of Modern Cryptography Cryptography has evolved from its first attempts (thousands years ago), through the first successful cryptographic algorithms for developers (like the now retired MD5 and DES) to modern crypto algorithms (like SHA-3, Argon2 and ChaCha20). Let's first introduce very shortly the basic cryptography concepts, that developers should know, like cryptographic hash functions (SHA-256, SHA3, RIPEMD and others), HMAC (hashed message authentication code), password to key derivation functions (like Scrypt), the Diffie-Hellman key-exchange protocol, symmetric key encryption schemes (like the AES cipher with CBC and CTR block modes) and asymmetric key encryption schemes with public and private keys (like the RSA cipher and elliptic curves-based cryptography / ECC, the secp256k1 curve and the Ed25519 cryptosystem), digital signatures and ECDSA, as well as the concept of entropy and secure random number generation and quantum-safe cryptography. Encrypt / Decrypt Message - Live Demo As a simple example, we shall demonstrate message encryption + decryption using the AES encryption algorithm. Play with this online tool: https://aesencryption.net. We shall learn later that behind this simple AES encryption, there are many algorithms and settings hidden inside, like password to key-derivation function and its parameters, block cipher mode, cipher initial vector, message authentication code and others. 9 Cryptography - Overview What is Cryptography? Cryptography is the science of providing security and protection of information. It is used everywhere in our digital world: when you open a Web site, send an email or connect to the WiFi network. What's why developers should have at least basic understanding of cryptography and how to use crypto algorithms and crypto libraries, to understand hashing, symmetric and asymmetric ciphers
Load more

Recommended publications
  • GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units
    Radboud University Nijmegen Faculty of Science Kerckhoffs Institute Master of Science Thesis GPU-based Password Cracking On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units by Martijn Sprengers [email protected] Supervisors: Dr. L. Batina (Radboud University Nijmegen) Ir. S. Hegt (KPMG IT Advisory) Ir. P. Ceelen (KPMG IT Advisory) Thesis number: 646 Final Version Abstract Since users rely on passwords to authenticate themselves to computer systems, ad- versaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for crypto- graphic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent pass- word hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX.
    [Show full text]
  • FIPS 140-2 Non-Proprietary Security Policy
    Kernel Crypto API Cryptographic Module version 1.0 FIPS 140-2 Non-Proprietary Security Policy Version 1.3 Last update: 2020-03-02 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com © 2020 Canonical Ltd. / atsec information security This document can be reproduced and distributed only whole and intact, including this copyright notice. Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Table of Contents 1. Cryptographic Module Specification ..................................................................................................... 5 1.1. Module Overview ..................................................................................................................................... 5 1.2. Modes of Operation ................................................................................................................................. 9 2. Cryptographic Module Ports and Interfaces ........................................................................................ 10 3. Roles, Services and Authentication ..................................................................................................... 11 3.1. Roles .......................................................................................................................................................11 3.2. Services ...................................................................................................................................................11
    [Show full text]
  • Argon and Argon2
    Argon and Argon2 Designers: Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich University of Luxembourg, Luxembourg [email protected], [email protected], [email protected] https://www.cryptolux.org/index.php/Password https://github.com/khovratovich/Argon https://github.com/khovratovich/Argon2 Version 1.1 of Argon Version 1.0 of Argon2 31th January, 2015 Contents 1 Introduction 3 2 Argon 5 2.1 Specification . 5 2.1.1 Input . 5 2.1.2 SubGroups . 6 2.1.3 ShuffleSlices . 7 2.2 Recommended parameters . 8 2.3 Security claims . 8 2.4 Features . 9 2.4.1 Main features . 9 2.4.2 Server relief . 10 2.4.3 Client-independent update . 10 2.4.4 Possible future extensions . 10 2.5 Security analysis . 10 2.5.1 Avalanche properties . 10 2.5.2 Invariants . 11 2.5.3 Collision and preimage attacks . 11 2.5.4 Tradeoff attacks . 11 2.6 Design rationale . 14 2.6.1 SubGroups . 14 2.6.2 ShuffleSlices . 16 2.6.3 Permutation ...................................... 16 2.6.4 No weakness,F no patents . 16 2.7 Tweaks . 17 2.8 Efficiency analysis . 17 2.8.1 Modern x86/x64 architecture . 17 2.8.2 Older CPU . 17 2.8.3 Other architectures . 17 3 Argon2 19 3.1 Specification . 19 3.1.1 Inputs . 19 3.1.2 Operation . 20 3.1.3 Indexing . 20 3.1.4 Compression function G ................................. 21 3.2 Features . 22 3.2.1 Available features . 22 3.2.2 Server relief . 23 3.2.3 Client-independent update .
    [Show full text]
  • PHC: Status Quo
    PHC: status quo JP Aumasson @veorq / http://aumasson.jp academic background principal cryptographer at Kudelski Security, .ch applied crypto research and outreach BLAKE, BLAKE2, SipHash, NORX Crypto Coding Standard Password Hashing Competition Open Crypto Audit Project board member do you use passwords? this talk might interest you! Oct 2013 "hash" = 3DES-ECB( static key, password ) users' hint made the guess game easy... (credit Jeremi Gosney / Stricture Group) May 2014; "encrypted passwords" (?) last week that's only the reported/published cases Lesson if Adobe, eBay, and Avast fail to protect their users' passwords, what about others? users using "weak passwords"? ITsec people using "weak defenses"? developers using "weak hashes"? cryptographers, who never bothered? agenda 1. how (not) to protect passwords 2. the Password Hashing Competition (PHC) 3. the 24-2 PHC candidates 4. next steps, and how to contribute WARNING this is NOT about bikeshed topics as: password policies password managers password-strength meters will-technology-X-replace-passwords? 1. how (not) to protect passwords solution of the 60's store "password" or the modern alternative: obviously a bad idea (assuming the server and its DB are compromised) solution of the early 70's store hash("password") "one-way": can't be efficiently inverted vulnerable to: ● efficient dictionary attacks and bruteforce ● time-memory tradeoffs (rainbow tables, etc.) solution of the late 70's store hash("password", salt) "one-way": can't be efficiently inverted immune to time-memory tradeoffs vulnerable to: ● dictionary attacks and bruteforce (but has to be repeated for different hashes) solution of the 2000's store hash("password", salt, cost) "one-way": can't be efficiently inverted immune to time-memory tradeoffs inefficient dictionary attacks and bruteforce main ideas: ● be "slow" ● especially on attackers' hardware (GPU, FPGA) => exploit fast CPU memory access/writes PBKDF2 (Kaliski, 2000) NIST and PKCS standard in Truecrypt, iOS, etc.
    [Show full text]
  • Correlation Power Attack on a Message Authentication Code Based on SM3∗
    930 Yuan et al. / Front Inform Technol Electron Eng 2019 20(7):930-945 Frontiers of Information Technology & Electronic Engineering www.jzus.zju.edu.cn; engineering.cae.cn; www.springerlink.com ISSN 2095-9184 (print); ISSN 2095-9230 (online) E-mail: [email protected] Correlation power attack on a message authentication code based on SM3∗ Ye YUAN†1,2,Kai-geQU†‡1,2,Li-jiWU†‡1,2,Jia-weiMA3, Xiang-min ZHANG†1,2 1Institute of Microelectronics, Tsinghua University, Beijing 100084, China 2National Laboratory for Information Science and Technology, Tsinghua University, Beijing 100084, China 3State Key Laboratory of Cryptography, Beijing 100094, China †E-mail: [email protected]; [email protected]; [email protected]; [email protected] Received May 19, 2018; Revision accepted July 30, 2018; Crosschecked July 12, 2019 Abstract: Hash-based message authentication code (HMAC) is widely used in authentication and message integrity. As a Chinese hash algorithm, the SM3 algorithm is gradually winning domestic market value in China. The side channel security of HMAC based on SM3 (HMAC-SM3) is still to be evaluated, especially in hardware implementa- tion, where only intermediate values stored in registers have apparent Hamming distance leakage. In addition, the algorithm structure of SM3 determines the difficulty in HMAC-SM3 side channel analysis. In this paper, a skillful bit-wise chosen-plaintext correlation power attack procedure is proposed for HMAC-SM3 hardware implementation. Real attack experiments on a field programmable gate array (FPGA) board have been performed. Experimental results show that we can recover the key from the hypothesis space of 2256 based on the proposed procedure.
    [Show full text]
  • Modern Password Security for System Designers What to Consider When Building a Password-Based Authentication System
    Modern password security for system designers What to consider when building a password-based authentication system By Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects This whitepaper describes and models modern password guidance and recommendations for the designers and engineers who create secure online applications. A related whitepaper, Password security ​ for users, offers guidance for end users. This whitepaper covers the wide range of options to consider ​ when building a password-based authentication system. It also establishes a set of user-focused recommendations for password policies and storage, including the balance of password strength and usability. The technology world has been trying to improve on the password since the early days of computing. Shared-knowledge authentication is problematic because information can fall into the wrong hands or be forgotten. The problem is magnified by systems that don't support real-world secure use cases and by the frequent decision of users to take shortcuts. According to a 2019 Yubico/Ponemon study, 69 percent of respondents admit to sharing passwords with ​ ​ their colleagues to access accounts. More than half of respondents (51 percent) reuse an average of five passwords across their business and personal accounts. Furthermore, two-factor authentication is not widely used, even though it adds protection beyond a username and password. Of the respondents, 67 percent don’t use any form of two-factor authentication in their personal life, and 55 percent don’t use it at work. Password systems often allow, or even encourage, users to use insecure passwords. Systems that allow only single-factor credentials and that implement ineffective security policies add to the problem.
    [Show full text]
  • Authentication Requirements in Cryptography
    Authentication Requirements In Cryptography Autolytic Micah scurrying narcotically and numerically, she perdures her contractility denigrate fustily. Utilitarian Thibaud attempt questioningly. Deviate and bleached Christie still carry-ons his Leonids sullenly. In the session key above are equivalent aes encrypt sensitive, requirements in authentication ciphersuite or on various vendors who the phy layer to the recipient passes the ciphertext Message authentication with fancy key implies message integrity. The requirements be considered as generic in the sense that they are ss technologies. Any inner authentication method employed authentication from the combine to the authentication server. The preceding paragraphs have endeavoured to present the complete set of concepts in a logical sequence of development. Chapter 11 Message Authentication Codes The luncheon of. MAC even to get obtain the confidentially part. AAA connection rm authentication the peers, as well as additional information about authenticators, roaming agreements, network policies and other network information. Since X509 is based on cross key cryptography the maintain of DOA used. Most often referred to hash functions has available protocols that it harder for vehicular networks. AWS KMS also lets you use all or part of the encryption context as the condition for a permission in a policy or grant. To authority confirms that authentication as a bad decision. This can be done by using it to support the secure transmission of a new secret key from the originator to the other party. There still appear to be many engineering details that have to be worked out before such a machine could be built. Most toward the web pages on the Internet require no authentication or authorization Encryption Encryption involves the crest of transforming data.
    [Show full text]
  • Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption
    S S symmetry Article Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption Rafael Álvarez 1,* , Alicia Andrade 2 and Antonio Zamora 3 1 Departamento de Ciencia de la Computación e Inteligencia Artificial (DCCIA), Universidad de Alicante, 03690 Alicante, Spain 2 Fac. Ingeniería, Ciencias Físicas y Matemática, Universidad Central, Quito 170129, Ecuador; [email protected] 3 Departamento de Ciencia de la Computación e Inteligencia Artificial (DCCIA), Universidad de Alicante, 03690 Alicante, Spain; [email protected] * Correspondence: [email protected] Received: 2 November 2018; Accepted: 22 November 2018; Published: 3 December 2018 Abstract: Password-based key derivation functions (PBKDFs) are commonly used to transform user passwords into keys for symmetric encryption, as well as for user authentication, password hashing, and preventing attacks based on custom hardware. We propose two optimized alternatives that enhance the performance of a previously published PBKDF. This design is based on (1) employing a symmetric cipher, the Advanced Encryption Standard (AES), as a pseudo-random generator and (2) taking advantage of the support for the hardware acceleration for AES that is available on many common platforms in order to mitigate common attacks to password-based user authentication systems. We also analyze their security characteristics, establishing that they are equivalent to the security of the core primitive (AES), and we compare their performance with well-known PBKDF algorithms, such as Scrypt and Argon2, with favorable results. Keywords: symmetric; encryption; password; hash; cryptography; PBKDF 1. Introduction Key derivation functions are employed to obtain one or more keys from a master secret. This is especially useful in the case of user passwords, which can be of arbitrary length and are unsuitable to be used directly as fixed-size cipher keys, so, there must be a process for converting passwords into secret keys.
    [Show full text]
  • Características Y Aplicaciones De Las Funciones Resumen Criptográficas En La Gestión De Contraseñas
    Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas Alicia Lorena Andrade Bazurto Instituto Universitario de Investigación en Informática Escuela Politécnica Superior Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas ALICIA LORENA ANDRADE BAZURTO Tesis presentada para aspirar al grado de DOCTORA POR LA UNIVERSIDAD DE ALICANTE DOCTORADO EN INFORMÁTICA Dirigida por: Dr. Rafael I. Álvarez Sánchez Alicante, julio 2019 Índice Índice de tablas .................................................................................................................. vii Índice de figuras ................................................................................................................. ix Agradecimiento .................................................................................................................. xi Resumen .......................................................................................................................... xiii Resum ............................................................................................................................... xv Abstract ........................................................................................................................... xvii 1 Introducción .................................................................................................................. 1 1.1 Objetivos ...............................................................................................................4
    [Show full text]
  • The Missing Difference Problem, and Its Applications to Counter Mode
    The Missing Difference Problem, and its Applications to Counter Mode Encryption? Ga¨etanLeurent and Ferdinand Sibleyras Inria, France fgaetan.leurent,[email protected] Abstract. The counter mode (CTR) is a simple, efficient and widely used encryption mode using a block cipher. It comes with a security proof that guarantees no attacks up to the birthday bound (i.e. as long as the number of encrypted blocks σ satisfies σ 2n=2), and a matching attack that can distinguish plaintext/ciphertext pairs from random using about 2n=2 blocks of data. The main goal of this paper is to study attacks against the counter mode beyond this simple distinguisher. We focus on message recovery attacks, with realistic assumptions about the capabilities of an adversary, and evaluate the full time complexity of the attacks rather than just the query complexity. Our main result is an attack to recover a block of message with complexity O~(2n=2). This shows that the actual security of CTR is similar to that of CBC, where collision attacks are well known to reveal information about the message. To achieve this result, we study a simple algorithmic problem related to the security of the CTR mode: the missing difference problem. We give efficient algorithms for this problem in two practically relevant cases: where the missing difference is known to be in some linear subspace, and when the amount of data is higher than strictly required. As a further application, we show that the second algorithm can also be used to break some polynomial MACs such as GMAC and Poly1305, with a universal forgery attack with complexity O~(22n=3).
    [Show full text]
  • On the Design and Performance of Chinese OSCCA-Approved Cryptographic Algorithms Louise Bergman Martinkauppi∗, Qiuping He† and Dragos Ilie‡ Dept
    On the Design and Performance of Chinese OSCCA-approved Cryptographic Algorithms Louise Bergman Martinkauppi∗, Qiuping Hey and Dragos Iliez Dept. of Computer Science Blekinge Institute of Technology (BTH), Karlskrona, Sweden ∗[email protected], yping95 @hotmail.com, [email protected] Abstract—SM2, SM3, and SM4 are cryptographic standards in transit and at rest [4]. The law, which came into effect authorized to be used in China. To comply with Chinese cryp- on January 1, 2020, divides encryption into three different tography laws, standard cryptographic algorithms in products categories: core, ordinary and commercial. targeting the Chinese market may need to be replaced with the algorithms mentioned above. It is important to know beforehand Core and ordinary encryption are used for protecting if the replaced algorithms impact performance. Bad performance China’s state secrets at different classification levels. Both may degrade user experience and increase future system costs. We present a performance study of the standard cryptographic core and ordinary encryption are considered state secrets and algorithms (RSA, ECDSA, SHA-256, and AES-128) and corre- thus are strictly regulated by the SCA. It is therefore likely sponding Chinese cryptographic algorithms. that these types of encryption will be based on the national Our results indicate that the digital signature algorithms algorithms mentioned above, so that SCA can exercise full SM2 and ECDSA have similar design and also similar perfor- control over standards and implementations. mance. SM2 and RSA have fundamentally different designs. SM2 performs better than RSA when generating keys and Commercial encryption is used to protect information that signatures. Hash algorithms SM3 and SHA-256 have many design similarities, but SHA-256 performs slightly better than SM3.
    [Show full text]
  • On Comparing Side‑Channel Properties of AES and Chacha20 on Microcontrollers
    This document is downloaded from DR‑NTU (https://dr.ntu.edu.sg) Nanyang Technological University, Singapore. On comparing side‑channel properties of AES and ChaCha20 on microcontrollers Najm, Zakaria; Jap, Dirmanto; Jungk, Bernhard; Picek, Stjepan; Bhasin, Shivam 2018 Najm, Z., Jap, D., Jungk, B., Picek, S., & Bhasin, S. (2018). On comparing side‑channel properties of AES and ChaCha20 on microcontrollers. 2018 IEEE Asia Pacific Conference on Circuits and Systems (APCCAS). doi:10.1109/APCCAS.2018.8605653 https://hdl.handle.net/10356/104628 https://doi.org/10.1109/APCCAS.2018.8605653 © 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. The published version is available at: https://doi.org/10.1109/APCCAS.2018.8605653 Downloaded on 30 Sep 2021 18:00:37 SGT On Comparing Side-channel Properties of AES and ChaCha20 on Microcontrollers Zakaria Najm1,2, Dirmanto Jap1, Bernhard Jungk3, Stjepan Picek2, and Shivam Bhasin1 1Temasek Laboratories, Nanyang Technological University, Singapore 2Delft University of Technology, Delft, The Netherlands 3Independent Researcher fzakaria.najm,djap,[email protected], bernhard@projectstarfire.de, [email protected] Abstract—Side-channel attacks are a real threat to many secure When considering countermeasures, it is also the nonlinear systems. In this paper, we consider two ciphers used in the operation which is expensive to implement protected against automotive industry – AES and ChaCha20 and we evaluate their side-channel attacks, unlike other linear components of the resistance against side-channel attacks.
    [Show full text]