VLSI Circuits for Cryptographic Authentication
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective
RESOURCE-EFFICIENT CRYPTOGRAPHY FOR UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective DISSERTATION for the degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at the Ruhr University Bochum, Germany by Elif Bilge Kavun Bochum, December 2014 Copyright © 2014 by Elif Bilge Kavun. All rights reserved. Printed in Germany. Anneme ve babama... Elif Bilge Kavun Place of birth: Izmir,˙ Turkey Author’s contact information: [email protected] www.emsec.rub.de/chair/ staff/elif bilge kavun Thesis Advisor: Prof. Dr.-Ing. Christof Paar Ruhr-Universit¨atBochum, Germany Secondary Referee: Prof. Christian Rechberger Danmarks Tekniske Universitet, Denmark Thesis submitted: December 19, 2014 Thesis defense: February 6, 2015 v Abstract Technological advancements in the semiconductor industry over the last few decades made the mass production of very small-scale computing devices possible. Thanks to the compactness and mobility of these devices, they can be deployed “pervasively”, in other words, everywhere and anywhere – such as in smart homes, logistics, e-commerce, and medical technology. Em- bedding the small-scale devices into everyday objects pervasively also indicates the realization of the foreseen “ubiquitous computing” concept. However, ubiquitous computing and the mass deployment of the pervasive devices in turn brought some concerns – especially, security and privacy. Many people criticize the security and privacy management in the ubiquitous context. It is even believed that an inadequate level of security may be the greatest barrier to the long-term success of ubiquitous computing. For ubiquitous computing, the adversary model and the se- curity level is not the same as in traditional applications due to limited resources in pervasive devices – area, power, and energy are actually harsh constraints for such devices. -
SHA-3 Update
SHA+3%update% %% % Quynh%Dang% Computer%Security%Division% ITL,%NIST% IETF%86% SHA-3 Competition 11/2/2007% SHA+3%CompeDDon%Began.% 10/2/2012% Keccak&announced&as&the&SHA13&winner.& IETF%86% Secure Hash Algorithms Outlook ► SHA-2 looks strong. ► We expect Keccak (SHA-3) to co-exist with SHA-2. ► Keccak complements SHA-2 in many ways. Keccak is good in different environments. Keccak is a sponge - a different design concept from SHA-2. IETF%86% Sponge Construction Sponge capacity corresponds to a security level: s = c/2. IETF%86% SHA-3 Selection ► We chose Keccak as the winner because of many different reasons and below are some of them: ► It has a high security margin. ► It received good amount of high-quality analyses. ► It has excellent hardware performance. ► It has good overall performance. ► It is very different from SHA-2. ► It provides a lot of flexibility. IETF%86% Keccak Features ► Keccak supports the same hash-output sizes as SHA-2 (i.e., SHA-224, -256, -384, -512). ► Keccak works fine with existing applications, such as DRBGs, KDFs, HMAC and digital signatures. ► Keccak offers flexibility in performance/security tradeoffs. ► Keccak supports tree hashing. ► Keccak supports variable-length output. IETF%86% Under Consideration for SHA-3 ► Support for variable-length hashes ► Considering options: ► One capacity: c = 512, with output size encoding, ► Two capacities: c = 256 and c = 512, with output size encoding, or ► Four capacities: c = 224, c = 256, c=384, and c = 512 without output size encoding (preferred by the Keccak team). ► Input format for SHA-3 hash function(s) will contain a padding scheme to support tree hashing in the future. -
Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas
Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski ECE Department, George Mason University, Fairfax, VA 22030, U.S.A. {kgaj,ehomsiri,mrogawsk}@gmu.edu http://cryptography.gmu.edu Abstract. Performance in hardware has been demonstrated to be an important factor in the evaluation of candidates for cryptographic stan- dards. Up to now, no consensus exists on how such an evaluation should be performed in order to make it fair, transparent, practical, and ac- ceptable for the majority of the cryptographic community. In this pa- per, we formulate a proposal for a fair and comprehensive evaluation methodology, and apply it to the comparison of hardware performance of 14 Round 2 SHA-3 candidates. The most important aspects of our methodology include the definition of clear performance metrics, the de- velopment of a uniform and practical interface, generation of multiple sets of results for several representative FPGA families from two major vendors, and the application of a simple procedure to convert multiple sets of results into a single ranking. Keywords: benchmarking, hash functions, SHA-3, FPGA. 1 Introduction and Motivation Starting from the Advanced Encryption Standard (AES) contest organized by NIST in 1997-2000 [1], open contests have become a method of choice for select- ing cryptographic standards in the U.S. and over the world. The AES contest in the U.S. was followed by the NESSIE competition in Europe [2], CRYPTREC in Japan, and eSTREAM in Europe [3]. Four typical criteria taken into account in the evaluation of candidates are: security, performance in software, performance in hardware, and flexibility. -
Lecture9.Pdf
Merkle- Suppose H is a Damgaord hash function built from a secure compression function : several to build a function ways keyed : m : = H Ilm 1 . end FCK ) (k ) Prep key , " " ↳ - Insecure due to structure of Merkle : can mount an extension attack: H (KH m) can Barnyard given , compute ' Hlkllmllm ) by extending Merkle- Danged chain = : m : 2 . FCK ) 11k) Append key , Hlm ↳ - - to : Similar to hash then MAC construction and vulnerable same offline attack adversary finds a collision in the - - > Merkle and uses that to construct a for SHA I used PDF files Barnyard prefix forgery f , they ↳ - Structure in SHA I (can matches exploited collision demonstration generate arbitrary collisions once prefix ) ' = : FCK m - H on h 3. method , ) ( K HMH K) for reasonable randomness ( both Envelope pseudo assumptions e.g , : = - = i - - : F ( m m } : h K m h m k 4. nest ( ki ) H Ck H (k m ( , and m ( ) is a PRF both Two , kz , ) (ka HH , )) F- , ) ) Falk , ) , ) key , - of these constructions are secure PRFS on a variable size domain hash- based MAC ✓ a the - nest with correlated : HMAC is PRF / MAC based on two key (though keys) : = m H H ka m HMACCK ( K H ( , )) , ) , where k ← k ④ and kz ← k to , ipad opad and and are fixed ( in the HMAC standard) ipad opad strings specified I 0×36 repeated %x5C repeated : k . a Since , and ka are correlated need to make on h remains under Sety , stronger assumption security leg , pseudorandom related attack) Instantiations : denoted HMAC- H where H is the hash function Typically , HMAC- SHAI %" - - HMAC SHA256 -
GCM) for Confidentiality And
NIST Special Publication 800-38D Recommendation for Block DRAFT (April, 2006) Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication Morris Dworkin C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation. i Table of Contents 1 PURPOSE...........................................................................................................................................................1 2 AUTHORITY.....................................................................................................................................................1 3 INTRODUCTION..............................................................................................................................................1 4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS.................................................................................2 4.1 DEFINITIONS AND ABBREVIATIONS .............................................................................................................2 4.2 SYMBOLS ....................................................................................................................................................4 4.2.1 Variables................................................................................................................................................4 -
Sharing Resources Between AES and the SHA-3 Second Round
Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo, Finland AES-inspired SHA-3 Candidates I Design strongly influenced by AES: Share the structure and have significant similarity in transformations, or even use AES as a subroutine I ECHO, Fugue, Grøstl, and SHAvite-3 I Benadjila et al. (ASIACRYPT 2009) studied useability of Intel’s AES instructions for AES-inspired candidates Conclusion: only ECHO and SHAvite-3, which use AES as a subroutine, benefit from the instructions I This is the first study of combining AES with the SHA-3 candidates on hardware (FPGA) The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Research Topics and Motivation Research Questions I What modifications are required to embed AES into the data path of the hash algorithm (or vice versa)? I How much resources can be shared (logic, registers, memory, . )? I What are the costs (area, delay, throughput, power consumption, . )? Applications I Any applications that require dedicated hardware implementations of a hash algorithm and a block cipher would benefit from reduced costs I Particularly important if resources are very limited The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Advanced Encryption Standard AES with a 128-bit key (AES-128) 8 I State: 4 × 4 bytes; each byte is an element of GF(2 ) I 10 rounds with four transformations Transformations I SubBytes: Bytes mapped -
Rebound Attack
Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based -
NIST SP 800-175B (DRAFT) Guideline for Using Crypto Standards: Cryptographic Mechanisms
The attached DRAFT document (provided here for historical purposes) has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-175B Title: Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms Publication Date: 8/22/2016 • Final Publication: http://dx.doi.org/10.6028/NIST.SP.800-175B (which links to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175B.pdf). • Information on other NIST cybersecurity publications and programs can be found at: http://csrc.nist.gov/ The following information was posted with the attached DRAFT document: March 11, 2016 NIST Released Draft SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms NIST requests comments on Special Publication 800-175B,Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms. The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government, but with a focus on using the cryptographic offerings currently available, rather than building one’s own implementation. SP 800-175B is intended to provide guidance to the Federal government for using cryptography and NIST’s cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage. The cryptographic methods and services to be used are also discussed. The first document in the series (i.e., SP 800-175A) will be available shortly. Please provide comments on SP 800-175B by Friday, April 29, 2016. Comments may be sent to [email protected], with “Comments on SP 800-175B” as the subject. -
Speeding up OMD Instantiations in Hardware
Speeding Up OMD Instantiations in Hardware Diana Maimuţ1[0000−0002−9541−5705] and Alexandru Ştefan Mega1,2[0000−0002−9541−1114] 1 Advanced Technologies Institute 10 Dinu Vintilă, Bucharest, Romania {diana.maimut,ati}@dcti.ro 2 Politehnica University of Bucharest Bucharest, Romania [email protected] Abstract. Particular instantiations of the Offset Merkle Damgård au- thenticated encryption scheme (OMD) represent highly secure alterna- tives for AES-GCM. It is already a fact that OMD can be efficiently implemented in software. Given this, in our paper we focus on speeding- up OMD in hardware, more precisely on FPGA platforms. Thus, we propose a new OMD instantiation based on the compression function of BLAKE2b. Moreover, to the best of our knowledge, we present the first FPGA implementation results for the SHA-512 instantiation of OMD as well as the first architecture of an online authenticated encryption system based on OMD. Keywords: Authenticated encryption, pseudorandom function, compression function, provable security, FPGA, hardware optimization, nonce respecting ad- versaries. 1 Introduction Authenticated encryption (AE) primitives ensure both message confidentiality and authenticity. Initially, AE algorithms achieved confidentiality and integrity by combining two distinct cryptographic primitives (one for each of the two goals). Around two decades ago the perspective of having a unique primitive for confidentiality and integrity started to appear. Rogaway [16] extended AE schemes by adding a new type of input for associated data (AD) and, thus, AEAD (authenticated encryption with associated data) was the next step. Such a model is helpful in real world scenario in which part of the message (e.g. a header) needs only to be authenticated. -
Cryptanalysis of Sfinks*
Cryptanalysis of Sfinks? Nicolas T. Courtois Axalto Smart Cards Crypto Research, 36-38 rue de la Princesse, BP 45, F-78430 Louveciennes Cedex, France, [email protected] Abstract. Sfinks is an LFSR-based stream cipher submitted to ECRYPT call for stream ciphers by Braeken, Lano, Preneel et al. The designers of Sfinks do not to include any protection against algebraic attacks. They rely on the so called “Algebraic Immunity”, that relates to the complexity of a simple algebraic attack, and ignores other algebraic attacks. As a result, Sfinks is insecure. Key Words: algebraic cryptanalysis, stream ciphers, nonlinear filters, Boolean functions, solving systems of multivariate equations, fast algebraic attacks on stream ciphers. 1 Introduction Sfinks is a new stream cipher that has been submitted in April 2005 to ECRYPT call for stream cipher proposals, by Braeken, Lano, Mentens, Preneel and Varbauwhede [6]. It is a hardware-oriented stream cipher with associated authentication method (Profile 2A in ECRYPT project). Sfinks is a very simple and elegant stream cipher, built following a very classical formula: a single maximum-period LFSR filtered by a Boolean function. Several large families of ciphers of this type (and even much more complex ones) have been in the recent years, quite badly broken by algebraic attacks, see for exemple [12, 13, 1, 14, 15, 2, 18]. Neverthe- less the specialists of these ciphers counter-attacked by defining and applying the concept of Algebraic Immunity [7] to claim that some designs are “secure”. Unfortunately, as we will see later, the notion of Algebraic Immunity protects against only one simple alge- braic attack and ignores other algebraic attacks. -
NISTIR 7620 Status Report on the First Round of the SHA-3
NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. -
Re-Visiting HAIFA and Why You Should Visit Too
Merkle-Damg˚ard HAIFA New Results Summary Re-Visiting HAIFA and why you should visit too Orr Dunkelman D´epartement d’Informatique Ecole´ Normale sup´erieure and France Telecom Chaire 3rd of June 2008 Joint work with Eli Biham, Charles Bouillaguet, Pierre-Alain Fouque, S´ebastian Zimmer. Orr Dunkelman Re-Visiting HAIFA and why you should visit too 1/ 42 Merkle-Damg˚ard HAIFA New Results Summary Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 2/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 3/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Merkle-Damg˚ard Construction ◮ Presented by Merkle and Damg˚ard independently as an answer to the following problem: ◮ Given a compression function f : {0, 1}mc × {0, 1}n → {0, 1}mc , how would you ∗ m generate a hash function Hf : {0, 1} → {0, 1} .