DOCSLIB.ORG

VLSI Circuits for Cryptographic Authentication

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Research Collection Doctoral Thesis VLSI Circuits for Cryptographic Authentication Author(s): Henzen, Luca Publication Date: 2010 Permanent Link: https://doi.org/10.3929/ethz-a-006299208 Rights / License: In Copyright - Non-Commercial Use Permitted This page was generated automatically upon download from the ETH Zurich Research Collection. For more information please consult the Terms of use. ETH Library VLSI Circuits for Cryptographic Authentication Diss. ETH No. 19351 VLSI Circuits for Cryptographic Authentication A dissertation submitted to ETH ZURICH for the degree of Doctor of Sciences presented by LUCA HENZEN Dipl. El.-Ing. ETH (MSc ETH) born March 30th, 1982 citizen of Blatten VS, Switzerland accepted on the recommendation of Prof. Dr. Wolfgang Fichtner, examiner Prof. Dr. Willi Meier, co-examiner 2010 Abstract Nowadays, digital communication protocols rely on cryptographic mech- anisms to protect sensitive information from unauthorized access and modification. Cryptographic primitives, such as hash functions, block and stream ciphers, are key components of many information security applications, employed to provide privacy, authentication, and data integrity. Following the massive differentiation of modern commu- nication technologies, cryptography must be able to provide highly- efficient algorithms that combine strong security with optimal imple- mentability. It becomes therefore unlikely that a single cipher or hash function would be able to meet all the constraints imposed by the wide plethora of communication protocols. Researchers and designers are thus asked to develop application-specific algorithms that are jointly optimized for security and implementation performance. This thesis is concerned with the design of very large scale inte- gration (VLSI) circuits for cryptographic hash functions and block cipher authenticated encryption modes. We present two hash al- gorithms that have been submitted to the public hash competition organized by the U.S. National Institute of Standards and Technology (NIST). A complete design space exploration of their efficiency for application-specific integrated circuits (ASICs) is given. Due to our strong involvement in the competition, we further developed a uniform methodology for a fair comparison of the VLSI performance of the second round candidate algorithms. Our benchmarking framework is the result of three different research projects that culminated with the fabrication of three 0.18 µm and 90 nm ASICs, hosting the second round function cores. In the second part of this thesis, we investigate high-speed field- programmable gate array (FPGA) designs of the Advanced Encryp- tion Standard (AES) in the Galois/Counter Mode (GCM) of operation v vi for authenticated encryption. A multi-core AES-GCM architecture is optimized to fully support the recently-ratified IEEE 802.3ba Ethernet standard for 40G and 100G speeds. Moreover, a complete hardware platform for real-time 2G fibre channel (FC) encryption is described. Finally, after a brief introduction into low-cost hardware imple- mentations of lightweight cryptographic algorithms, we show the first FPGA-based implementation of specific cryptanalytic attacks on the stream cipher Grain-128 and we introduce the new hash function family Quark, tailored for resource-limited applications, such as em- bedded systems and portable devices. Sommario Molteplici protocolli di comunicazione digitale fanno affidamento su meccanismi crittografici per proteggere informazioni considerate riser- vate. Componenti crittografiche primarie, quali funzioni hash, cifrari a blocco e a flusso, sono al centro di svariate applicazioni di sicurezza informatica e sono utilizzate principalmente per assicurare la riser- vatezza, l’autenticit`a,e l’integrit`adei dati. A causa dell’eterogeneit`a che caratterizza le attuali tecnologie di comunicazione, la crittografia moderna deve cos`ıfornire algoritmi altamente performanti in grado di combinare al contempo sicurezza ed efficienza. Tuttavia, `eimpro- babile che un unico cifrario o un’unica funzione hash siano capaci di soddisfare tutte le limitazioni imposte dai sistemi di comunicazione attualmente utilizzati. Ricercatori e sviluppatori sono pertanto chia- mati a sviluppare nuovi algoritmi capaci ti ottimizzare unitamente aspetti di sicurezza e implementativi. Questa tesi `eprincipalmente incentrata sulla progettazione di cir- cuiti VLSI per funzioni hash e per cifrari a blocco configurati nella modalit`adi cifratura autenticata. Due algoritmi di hash, iscritti al- la competizione internazionale organizzata dall’istituto statunitense NIST, sono presentati nella prima parte. Una completa valutazione delle loro potenzialit`aimplementative su silicio `eriportata dettaglia- tamente. Grazie al nostro coinvolgimento nella competizione, abbiamo sviluppato un sistema di comparazione uniforme delle performance VLSI degli algoritmi promossi al secondo round. La nostra metodolo- gia `eil risultato di tre progetti di ricerca, nei quali le funzioni hash del secondo round sono state fabbricate in tre circuiti ASIC. La seconda parte di questa tesi si concentra sull’implementazione per dispositivi FPGA di architetture high-speed per l’algoritmo AES nella modalit`adi operazione GCM. I circuiti sviluppati si basano su un’architettura multi-core, offrendo una completa compatibilit`acon vii viii il nuovo standard IEEE 802.3ba per traffico Ethernet fino a 100 Gbit per secondo. Nella parte finale, dopo aver introdotto il concetto di “crittogra- fia leggera” (a basso costo implementativo), presentiamo la prima applicazione in FPGA di attacchi crittanalitici sul cifrario a flusso Grain-128. L’ultima sezione `ededicata alla descrizione di una nuova famiglia di funzione hash, chiamata Quark, particolarmente appeti- bile per applicazioni a basso costo quali sistemi embedded e dispositivi portatili. Contents 1 Introduction 1 1.1 Basic Concepts . .2 1.1.1 Communications Model . .2 1.1.2 Security Goals . .2 1.2 Cryptography in Hardware . .3 1.2.1 High-Speed Encryption . .4 1.2.2 Portable Devices . .4 1.2.3 Implementation Security . .5 1.3 Contributions of this Thesis . .6 1.4 Thesis Outline . .9 2 Fundamentals 11 2.1 Notation . 12 2.2 Symmetric-Key Cryptography . 12 2.2.1 Block Ciphers . 13 2.2.2 Stream Ciphers . 16 2.3 Cryptographic Hash Functions . 18 2.4 Authentication in Public-Key Cryptography . 20 2.5 Security of Cryptographic Functions . 21 2.6 Quantum Cryptography . 22 2.6.1 Quantum Key Distribution (QKD) . 23 2.6.2 The BB84 Protocol . 23 2.6.3 Authentication in Quantum Cryptography . 25 3 Cryptographic Hash Functions 27 3.1 Iterated Hash Functions . 28 3.1.1 The Merkle-Damg˚ardConstruction . 28 3.1.2 Hardware Specifications . 30 ix x CONTENTS 3.1.3 Design Strategies . 32 3.1.4 Recent Hash Constructions . 36 3.1.5 Block Cipher-based Constructions . 38 3.2 The SHA-3 Competition . 39 3.3 The Hash Function EnRUPT . 41 3.3.1 Specification of EnRUPT . 41 3.3.2 EnRUPT Architectures . 44 3.4 The Hash Function BLAKE . 46 3.4.1 Specification of BLAKE . 47 3.4.2 High-Speed Architectures . 51 3.4.3 Silicon Implementation of a Compact BLAKE- 32 Core . 59 3.5 Development of a Hardware Evaluation Method for the SHA-3 Candidates . 68 3.5.1 Evaluation Methodology . 69 3.5.2 Implementation . 77 3.5.3 Results . 80 3.5.4 Final Remarks . 88 4 High-Speed Authenticated Encryption 91 4.1 Background . 92 4.1.1 Different Classes . 92 4.1.2 Applications . 93 4.2 The Advanced Encryption Standard . 94 4.2.1 Algorithm Specifications . 95 4.2.2 Hardware Architectures . 96 4.3 The Galois/Counter Mode . 98 4.3.1 Algorithm Specifications . 100 4.4 FPGA Parallel-Pipelined AES-GCM Core for 100G Eth- ernet Applications . 103 4.4.1 Hardware Design . 103 4.4.2 Results and Comparison . 109 4.5 2G Fibre Channel Link Encryptor . 111 4.5.1 AES-GCM Hardware Architecture . 112 4.5.2 FPGA Implementation . 113 4.5.3 Frame Encryption . 115 4.5.4 Results and Discussion . 118 CONTENTS xi 5 Lightweight Hashing 121 5.1 Lightweight Cryptography Overview . 122 5.2 Cube Testers . 124 5.2.1 Theoretical Background . 125 5.2.2 Description of Grain-128 . 126 5.2.3 Software Implementation . 128 5.2.4 Hardware Implementation . 128 5.2.5 Experimental Results . 134 5.2.6 Conclusion . 135 5.3 The Quark Hash Function . 136 5.3.1 Description of the Quark hash family . 137 5.3.2 Hardware implementation . 140 5.3.3 Discussion . 142 6 Summary and Conclusion 147 6.1 Summary . 147 6.2 Conclusion . 150 A Hardware Architectures 153 List of Acronyms 157 List of Figures 161 List of Tables 163 Bibliography 165 1 Introduction It is assumed that the science of concealing the information has been introduced with the advent of writing. The earliest form of cryptogra- phy has been discovered in Egyptian stone inscriptions, while the first most famous cryptosystem was the substitution cipher of the Roman general Julius Caesar (see [1]). During World War II, the German army deployed the mechanical rotor machine “Enigma” to encrypt and decrypt their communications. The breaking of Enigma by the British Government was the first and most appealing example of the battle between codemakers and codebreakers. However, only the com- bination of the post-Shannon understanding and the drastic increase of computational power allowed the birth of modern cryptography, which can be identified with two major contributions. In 1970, the research efforts of Horst Feistel culminated with the development of the first widely used cipher approved by the U.S. Federal Government under the name of Data Encryption Standard (DES). Six years later, Whitfield Diffie and Martin Hellman introduced a new cryptographic scheme that was able to solve the crucial issue of the key distribution. Nowadays, military and government institutions, as well as industries 1 2 CHAPTER 1. INTRODUCTION and private persons employ cryptographic schemes to exchange sensi- tive information in digital form. 1.1 Basic Concepts Cryptology is the art of communicate in secure and usually secret form. It can be divided into the science of making codes and algorithms, i.e., cryptography, and the science of breaking codes or extracting the meaning, i.e., cryptanalysis.
Recommended publications
  • RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective

    RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective

    RESOURCE-EFFICIENT CRYPTOGRAPHY FOR UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective DISSERTATION for the degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at the Ruhr University Bochum, Germany by Elif Bilge Kavun Bochum, December 2014 Copyright © 2014 by Elif Bilge Kavun. All rights reserved. Printed in Germany. Anneme ve babama... Elif Bilge Kavun Place of birth: Izmir,˙ Turkey Author’s contact information: [email protected] www.emsec.rub.de/chair/ staff/elif bilge kavun Thesis Advisor: Prof. Dr.-Ing. Christof Paar Ruhr-Universit¨atBochum, Germany Secondary Referee: Prof. Christian Rechberger Danmarks Tekniske Universitet, Denmark Thesis submitted: December 19, 2014 Thesis defense: February 6, 2015 v Abstract Technological advancements in the semiconductor industry over the last few decades made the mass production of very small-scale computing devices possible. Thanks to the compactness and mobility of these devices, they can be deployed “pervasively”, in other words, everywhere and anywhere – such as in smart homes, logistics, e-commerce, and medical technology. Em- bedding the small-scale devices into everyday objects pervasively also indicates the realization of the foreseen “ubiquitous computing” concept. However, ubiquitous computing and the mass deployment of the pervasive devices in turn brought some concerns – especially, security and privacy. Many people criticize the security and privacy management in the ubiquitous context. It is even believed that an inadequate level of security may be the greatest barrier to the long-term success of ubiquitous computing. For ubiquitous computing, the adversary model and the se- curity level is not the same as in traditional applications due to limited resources in pervasive devices – area, power, and energy are actually harsh constraints for such devices.
  • SHA-3 Update

    SHA-3 Update

    SHA+3%update% %% % Quynh%Dang% Computer%Security%Division% ITL,%NIST% IETF%86% SHA-3 Competition 11/2/2007% SHA+3%CompeDDon%Began.% 10/2/2012% Keccak&announced&as&the&SHA13&winner.& IETF%86% Secure Hash Algorithms Outlook ► SHA-2 looks strong. ► We expect Keccak (SHA-3) to co-exist with SHA-2. ► Keccak complements SHA-2 in many ways. Keccak is good in different environments. Keccak is a sponge - a different design concept from SHA-2. IETF%86% Sponge Construction Sponge capacity corresponds to a security level: s = c/2. IETF%86% SHA-3 Selection ► We chose Keccak as the winner because of many different reasons and below are some of them: ► It has a high security margin. ► It received good amount of high-quality analyses. ► It has excellent hardware performance. ► It has good overall performance. ► It is very different from SHA-2. ► It provides a lot of flexibility. IETF%86% Keccak Features ► Keccak supports the same hash-output sizes as SHA-2 (i.e., SHA-224, -256, -384, -512). ► Keccak works fine with existing applications, such as DRBGs, KDFs, HMAC and digital signatures. ► Keccak offers flexibility in performance/security tradeoffs. ► Keccak supports tree hashing. ► Keccak supports variable-length output. IETF%86% Under Consideration for SHA-3 ► Support for variable-length hashes ► Considering options: ► One capacity: c = 512, with output size encoding, ► Two capacities: c = 256 and c = 512, with output size encoding, or ► Four capacities: c = 224, c = 256, c=384, and c = 512 without output size encoding (preferred by the Keccak team). ► Input format for SHA-3 hash function(s) will contain a padding scheme to support tree hashing in the future.
  • Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas

    Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas

    Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski ECE Department, George Mason University, Fairfax, VA 22030, U.S.A. {kgaj,ehomsiri,mrogawsk}@gmu.edu http://cryptography.gmu.edu Abstract. Performance in hardware has been demonstrated to be an important factor in the evaluation of candidates for cryptographic stan- dards. Up to now, no consensus exists on how such an evaluation should be performed in order to make it fair, transparent, practical, and ac- ceptable for the majority of the cryptographic community. In this pa- per, we formulate a proposal for a fair and comprehensive evaluation methodology, and apply it to the comparison of hardware performance of 14 Round 2 SHA-3 candidates. The most important aspects of our methodology include the definition of clear performance metrics, the de- velopment of a uniform and practical interface, generation of multiple sets of results for several representative FPGA families from two major vendors, and the application of a simple procedure to convert multiple sets of results into a single ranking. Keywords: benchmarking, hash functions, SHA-3, FPGA. 1 Introduction and Motivation Starting from the Advanced Encryption Standard (AES) contest organized by NIST in 1997-2000 [1], open contests have become a method of choice for select- ing cryptographic standards in the U.S. and over the world. The AES contest in the U.S. was followed by the NESSIE competition in Europe [2], CRYPTREC in Japan, and eSTREAM in Europe [3]. Four typical criteria taken into account in the evaluation of candidates are: security, performance in software, performance in hardware, and flexibility.
  • Lecture9.Pdf

    Lecture9.Pdf

    Merkle- Suppose H is a Damgaord hash function built from a secure compression function : several to build a function ways keyed : m : = H Ilm 1 . end FCK ) (k ) Prep key , " " ↳ - Insecure due to structure of Merkle : can mount an extension attack: H (KH m) can Barnyard given , compute ' Hlkllmllm ) by extending Merkle- Danged chain = : m : 2 . FCK ) 11k) Append key , Hlm ↳ - - to : Similar to hash then MAC construction and vulnerable same offline attack adversary finds a collision in the - - > Merkle and uses that to construct a for SHA I used PDF files Barnyard prefix forgery f , they ↳ - Structure in SHA I (can matches exploited collision demonstration generate arbitrary collisions once prefix ) ' = : FCK m - H on h 3. method , ) ( K HMH K) for reasonable randomness ( both Envelope pseudo assumptions e.g , : = - = i - - : F ( m m } : h K m h m k 4. nest ( ki ) H Ck H (k m ( , and m ( ) is a PRF both Two , kz , ) (ka HH , )) F- , ) ) Falk , ) , ) key , - of these constructions are secure PRFS on a variable size domain hash- based MAC ✓ a the - nest with correlated : HMAC is PRF / MAC based on two key (though keys) : = m H H ka m HMACCK ( K H ( , )) , ) , where k ← k ④ and kz ← k to , ipad opad and and are fixed ( in the HMAC standard) ipad opad strings specified I 0×36 repeated %x5C repeated : k . a Since , and ka are correlated need to make on h remains under Sety , stronger assumption security leg , pseudorandom related attack) Instantiations : denoted HMAC- H where H is the hash function Typically , HMAC- SHAI %" - - HMAC SHA256
  • GCM) for Confidentiality And

    GCM) for Confidentiality And

    NIST Special Publication 800-38D Recommendation for Block DRAFT (April, 2006) Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication Morris Dworkin C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation. i Table of Contents 1 PURPOSE...........................................................................................................................................................1 2 AUTHORITY.....................................................................................................................................................1 3 INTRODUCTION..............................................................................................................................................1 4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS.................................................................................2 4.1 DEFINITIONS AND ABBREVIATIONS .............................................................................................................2 4.2 SYMBOLS ....................................................................................................................................................4 4.2.1 Variables................................................................................................................................................4
  • Sharing Resources Between AES and the SHA-3 Second Round

    Sharing Resources Between AES and the SHA-3 Second Round

    Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo, Finland AES-inspired SHA-3 Candidates I Design strongly influenced by AES: Share the structure and have significant similarity in transformations, or even use AES as a subroutine I ECHO, Fugue, Grøstl, and SHAvite-3 I Benadjila et al. (ASIACRYPT 2009) studied useability of Intel’s AES instructions for AES-inspired candidates Conclusion: only ECHO and SHAvite-3, which use AES as a subroutine, benefit from the instructions I This is the first study of combining AES with the SHA-3 candidates on hardware (FPGA) The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Research Topics and Motivation Research Questions I What modifications are required to embed AES into the data path of the hash algorithm (or vice versa)? I How much resources can be shared (logic, registers, memory, . )? I What are the costs (area, delay, throughput, power consumption, . )? Applications I Any applications that require dedicated hardware implementations of a hash algorithm and a block cipher would benefit from reduced costs I Particularly important if resources are very limited The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Advanced Encryption Standard AES with a 128-bit key (AES-128) 8 I State: 4 × 4 bytes; each byte is an element of GF(2 ) I 10 rounds with four transformations Transformations I SubBytes: Bytes mapped
  • Rebound Attack

    Rebound Attack

    Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based
  • NIST SP 800-175B (DRAFT) Guideline for Using Crypto Standards: Cryptographic Mechanisms

    NIST SP 800-175B (DRAFT) Guideline for Using Crypto Standards: Cryptographic Mechanisms

    The attached DRAFT document (provided here for historical purposes) has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-175B Title: Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms Publication Date: 8/22/2016 • Final Publication: http://dx.doi.org/10.6028/NIST.SP.800-175B (which links to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175B.pdf). • Information on other NIST cybersecurity publications and programs can be found at: http://csrc.nist.gov/ The following information was posted with the attached DRAFT document: March 11, 2016 NIST Released Draft SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms NIST requests comments on Special Publication 800-175B,Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms. The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government, but with a focus on using the cryptographic offerings currently available, rather than building one’s own implementation. SP 800-175B is intended to provide guidance to the Federal government for using cryptography and NIST’s cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage. The cryptographic methods and services to be used are also discussed. The first document in the series (i.e., SP 800-175A) will be available shortly. Please provide comments on SP 800-175B by Friday, April 29, 2016. Comments may be sent to [email protected], with “Comments on SP 800-175B” as the subject.
  • Speeding up OMD Instantiations in Hardware

    Speeding up OMD Instantiations in Hardware

    Speeding Up OMD Instantiations in Hardware Diana Maimuţ1[0000−0002−9541−5705] and Alexandru Ştefan Mega1,2[0000−0002−9541−1114] 1 Advanced Technologies Institute 10 Dinu Vintilă, Bucharest, Romania {diana.maimut,ati}@dcti.ro 2 Politehnica University of Bucharest Bucharest, Romania [email protected] Abstract. Particular instantiations of the Offset Merkle Damgård au- thenticated encryption scheme (OMD) represent highly secure alterna- tives for AES-GCM. It is already a fact that OMD can be efficiently implemented in software. Given this, in our paper we focus on speeding- up OMD in hardware, more precisely on FPGA platforms. Thus, we propose a new OMD instantiation based on the compression function of BLAKE2b. Moreover, to the best of our knowledge, we present the first FPGA implementation results for the SHA-512 instantiation of OMD as well as the first architecture of an online authenticated encryption system based on OMD. Keywords: Authenticated encryption, pseudorandom function, compression function, provable security, FPGA, hardware optimization, nonce respecting ad- versaries. 1 Introduction Authenticated encryption (AE) primitives ensure both message confidentiality and authenticity. Initially, AE algorithms achieved confidentiality and integrity by combining two distinct cryptographic primitives (one for each of the two goals). Around two decades ago the perspective of having a unique primitive for confidentiality and integrity started to appear. Rogaway [16] extended AE schemes by adding a new type of input for associated data (AD) and, thus, AEAD (authenticated encryption with associated data) was the next step. Such a model is helpful in real world scenario in which part of the message (e.g. a header) needs only to be authenticated.
  • Cryptanalysis of Sfinks*

    Cryptanalysis of Sfinks*

    Cryptanalysis of Sfinks? Nicolas T. Courtois Axalto Smart Cards Crypto Research, 36-38 rue de la Princesse, BP 45, F-78430 Louveciennes Cedex, France, [email protected] Abstract. Sfinks is an LFSR-based stream cipher submitted to ECRYPT call for stream ciphers by Braeken, Lano, Preneel et al. The designers of Sfinks do not to include any protection against algebraic attacks. They rely on the so called “Algebraic Immunity”, that relates to the complexity of a simple algebraic attack, and ignores other algebraic attacks. As a result, Sfinks is insecure. Key Words: algebraic cryptanalysis, stream ciphers, nonlinear filters, Boolean functions, solving systems of multivariate equations, fast algebraic attacks on stream ciphers. 1 Introduction Sfinks is a new stream cipher that has been submitted in April 2005 to ECRYPT call for stream cipher proposals, by Braeken, Lano, Mentens, Preneel and Varbauwhede [6]. It is a hardware-oriented stream cipher with associated authentication method (Profile 2A in ECRYPT project). Sfinks is a very simple and elegant stream cipher, built following a very classical formula: a single maximum-period LFSR filtered by a Boolean function. Several large families of ciphers of this type (and even much more complex ones) have been in the recent years, quite badly broken by algebraic attacks, see for exemple [12, 13, 1, 14, 15, 2, 18]. Neverthe- less the specialists of these ciphers counter-attacked by defining and applying the concept of Algebraic Immunity [7] to claim that some designs are “secure”. Unfortunately, as we will see later, the notion of Algebraic Immunity protects against only one simple alge- braic attack and ignores other algebraic attacks.
  • NISTIR 7620 Status Report on the First Round of the SHA-3

    NISTIR 7620 Status Report on the First Round of the SHA-3

    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
  • Re-Visiting HAIFA and Why You Should Visit Too

    Re-Visiting HAIFA and Why You Should Visit Too

    Merkle-Damg˚ard HAIFA New Results Summary Re-Visiting HAIFA and why you should visit too Orr Dunkelman D´epartement d’Informatique Ecole´ Normale sup´erieure and France Telecom Chaire 3rd of June 2008 Joint work with Eli Biham, Charles Bouillaguet, Pierre-Alain Fouque, S´ebastian Zimmer. Orr Dunkelman Re-Visiting HAIFA and why you should visit too 1/ 42 Merkle-Damg˚ard HAIFA New Results Summary Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 2/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 3/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Merkle-Damg˚ard Construction ◮ Presented by Merkle and Damg˚ard independently as an answer to the following problem: ◮ Given a compression function f : {0, 1}mc × {0, 1}n → {0, 1}mc , how would you ∗ m generate a hash function Hf : {0, 1} → {0, 1} .