DOCSLIB.ORG

CRYPTREC Report 2001

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CRYPTREC Report 2001 CRYPTREC 2001 CRYPTREC Report 2001 March 2002 Information-technology Promotion Agency, Japan Telecommunications Advancement Organization of Japan CRYPTREC 2001 Contents Introduction 1 On the CRYPTREC Evaluation Committee Report 3 Note on the use of this report 7 1 Overview of Cryptographic Technique Evaluation 8 1.1 Evaluation Organs and Schedule ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・8 1.2 How cryptography evaluation was carried out. ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・12 1.3 Terminology ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・13 1.4 Evaluation Committee Members ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・14 2 Evaluation of public key cryptographic techniques 17 2.1 Target of Evaluation and Evaluation Method ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・17 2.1.1 Evaluated Cryptographic Techniques ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・17 2.1.2 Evaluation Policy・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・17 2.1.3 Evaluation Method ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・19 2.2 Evaluation result ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・21 2.2.1 Outline of evaluation result ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・21 2.2.2 General Evaluation of the Difficulty of Arithmetic Problems・・・・・・・・・・・・・・・・・23 2.2.3 Overall Judgment of Cryptographic Techniques that were the Target of Detailed Evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・23 2.2.4 Overall Judgment of Cryptographic Techniques under Observation ・・・・・・・・・・・26 2.2.5 Overall Judgment of Cryptosystems that were Targets of Screening Evaluations in 2001 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・27 2.3 Evaluation of the Difficulty of Arithmetic Problems ・・・・・・・・・・・・・・・・・・・・・・・・・・28 2.3.1 Factorization Problem ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・28 2.3.2 Discrete Logarithm Problem ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・32 2.3.3 Elliptic Curve Discrete Logarithm Problem ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・36 2.4 Evaluation of Individual Ciphers ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・40 2.4.1 DSA ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・40 2.4.2 ECDSA ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・43 2.4.3 ESIGN Signature・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・49 2.4.4 RSA (RSA-OAEP, RSA-PSS, RSA signatures) ・・・・・・・・・・・・・・・・・・・・・・・・・・・58 2.4.5 EPOC-2 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・67 i CRYPTREC 2001 2.5 Evaluation of Cryptographic Techniques under Observation ・・・・・・・・・・・・・・・・・・・・71 2.5.1 ECIES in SEC1 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・71 2.5.2 ECDH in SEC1 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・74 2.5.3 DH ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・76 2.6 Evaluation of Cryptosystems that are the Target of Screening Evaluation・・・・・・・・・・78 2.6.1 OK-ECDSA・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・78 2.6.2 NTRU ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・80 2.6.3 HIME(R) ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・81 2.6.4 OK-ECDH・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・83 2.6.5 PSEC-KEM ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・85 3 Evaluation of symmetric-key cryptographic techniques 87 3.1 Evaluation method ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・87 3.1.1 Evaluation method of symmetric -key ciphers・・・・・・・・・・・・・・・・・・・・・・・・・・・・・87 3.2 Overall evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・94 3.2.1 64-bit block ciphers・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・94 3.2.2 Overall security evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・96 3.2.3 128-bit block ciphers・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・104 3.2.4 Overall security evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・107 3.2.5 Stream cipher ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・ 116 3.3 Evaluation of ciphers targeted for detailed evaluation (individual ciphers)・・・・・・・・ 119 3.3.1 CIPHERUNICORN-E・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・ 119 3.3.2 Advanced Encryption Standard (AES) ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・126 3.3.3 CIPHERUNICORN-A・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・133 3.3.4 SEED ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・142 3.3.5 MULTI-S01 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・149 3.4 Evaluation of Ciphers under Monitoring ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・161 3.4.1 Hierocrypt-L1 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・161 3.4.2 MISTY1 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・167 3.4.3 Triple DES ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・173 3.4.4 Camellia・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・174 3.4.5 Heirocrypt-3・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・180 3.4.6 RC6 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・186 3.4.7 SC2000 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・190 ii CRYPTREC 2001 3.5 Evaluation of Ciphers Selected for Screening Evaluation ・・・・・・・・・・・・・・・・・・・・・196 3.5.1 MUGI・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・196 3.5.1 A Comments of Evaluators (Unmodified Excerpts) ・・・・・・・・・・・・・・・・・・・・・・・198 4 Hash-Function Evaluation 200 4.1 Evaluation Method ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・200 4.1.1 How to Evaluate Harsh Functions ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・200 4.2 General Evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・200 4.2.1 Hash-Function Evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・200 4.3 Detailed (Individual) Evaluation of Cryptograph ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・201 4.3.1 draft SHA-256/384/512 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・201 4.4 Monitoring Process Evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・212 4.4.1 RIPEMD-160・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・212 4.4.2 SHA-1 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・217 5 Evaluation of Pseudorandom Number Generation System 218 5.1 Evaluation Method ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・218 5.1.1 Method for Evaluating Pseudorandom Number Generation ・・・・・・・・・・・・・・・・・218 5.2 Overall Evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・218 5.2.1 Pseudorandom Number Generation System ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・218 5.3 Evaluation of the Ciphers under Monitoring ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・220 5.3.1 PRNG Based on SHA-1 ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・220 5.4 Evaluation of Ciphers to be Screening-Evaluated ・・・・・・・・・・・・・・・・・・・・・・・・・・・227 5.4.1 TAO TIME・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・227 6. Evaluation of SSL-protocol cryptographic techniques 229 6.1 Overall evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・229 6.1.1 Purpose ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・229 6.1.2 Target and scope of the investigation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・229 6.1.3 Method・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・230 6.1.4 Result ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・230 6.1.5 SSL/TLS application and considerations of actual use・・・・・・・・・・・・・・・・・・・・・232 6.2 Implementation of SSL/TLS protocol and evaluation of operation ・・・・・・・・・・・・・・233 6.2.1 Security associated with cryptosystem ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・233 6.2.2 Security associated with protocol mechanism・・・・・・・・・・・・・・・・・・・・・・・・・・・・234 iii CRYPTREC 2001 6.2.3 Security on implementation・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・234 6.2.4 Security in operation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・234 6.2.5 Comparison of SSL/TLS ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・235 6.2.6 Expansion work of TLS・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・235 6.2.7 General descriptions ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・235 6.3 Evaluation of cryptographic technique used in SSL/TLS・・・・・・・・・・・・・・・・・・・・・・236 6.3.1 Investigation on vulnerability in key sharing and electronic signature schemes using RSA (1024 and 2048) ・・・・・・・・・・・・・・・・・・236 6.3.2 DES (40-/56 bit-key DES, 168bit-key Triple DES) ・・・・・・・・・・・・・・・・・・・・・・・241 6.3.3 RC2 (40,128)・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・246 6.3.4 RC4 (40, 128) and Arcfour (128) ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・248 7 Intellectual Property Information, Licensing Policy and Reference List of Cryptosystem Scheduled to be Evaluated in 2002 251 7.1 Cryptosystem in Monitoring State ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・251 7.1.1 Public -Key Cryptosystem ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・251 7.1.2 Common Key Cryptographic Technique・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・255 7.2 Candidates of Cryptosystems to be Evaluated in Detail in 2002 ・・・・・・・・・・・・・・・・267 7.2.1 Public Key Cryptographic Techniques ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・267 7.2.2 Common Key Cryptographic Techniques ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・272 8 Cryptographic Techniques Evaluated 274 iv CRYPTREC 2001 Introduction This report summarizes the evaluation work done in 2001 by the CRYPTREC Evaluation Committee. This committee has been actively undertaking evaluation of cryptographic techniques as part of the CRYPTREC Project for the list-up of cryptographic techniques useful for the Japanese e-Government whose foundation is to be established by the year 2003. Construction of the Japanese e-Government has been under way in recent years to establish a system for electronic administrative procedures such as applications, notifications and government procurement. Use of a cryptographic technique is indispensable for higher-level security of the e-Government services. Various cryptographic techniques have been developed in the
Load more

Recommended publications
  • A Quantitative Study of Advanced Encryption Standard Performance
    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
    [Show full text]
  • Security Evaluation of Stream Cipher Enocoro-128V2
    Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of Stream Cipher Enocoro-128v2. CRYPTREC Technical Report. Total number of authors: 2 General rights Unless other specific re-use rights are stated the following general rights apply: Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal Read more about Creative commons licenses: https://creativecommons.org/licenses/ Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. LUND UNIVERSITY PO Box 117 221 00 Lund +46 46-222 00 00 Security Evaluation of Stream Cipher Enocoro-128v2 Martin Hell and Thomas Johansson Abstract. This report presents a security evaluation of the Enocoro- 128v2 stream cipher. Enocoro-128v2 was proposed in 2010 and is a mem- ber of the Enocoro family of stream ciphers. This evaluation examines several different attacks applied to the Enocoro-128v2 design. No attack better than exhaustive key search has been found.
    [Show full text]
  • Cache-Timing Attack Against Aes Crypto System - Countermeasures Review
    Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2014 Cache-timing attack against aes crypto system - countermeasures review Yaseen H. Taha University of Khartoum Settana M. Abdulh University of Khartoum Naila A. Sadalla University of Khartoum Huwaida Elshoush University of Khartoum Follow this and additional works at: https://ro.ecu.edu.au/ism Part of the Information Security Commons DOI: 10.4225/75/57b65fd1343d3 12th Australian Information Security Management Conference. Held on the 1-3 December, 2014 at Edith Cowan University, Joondalup Campus, Perth, Western Australia. This Conference Proceeding is posted at Research Online. https://ro.ecu.edu.au/ism/166 CACHE-TIMING ATTACK AGAINST AES CRYPTO SYSTEM - COUNTERMEASURES REVIEW Yaseen.H.Taha, Settana.M.Abdulh, Naila.A.Sadalla, Huwaida Elshoush University of Khartoum, Sudan [email protected], [email protected], [email protected], [email protected] Abstract Side channel attacks are based on side channel information, which is information that is leaked from encryption systems. Implementing side channel attacks is possible if and only if an attacker has access to a cryptosystem (victim) or can interact with cryptosystem remotely to compute time statistics of information that collected from targeted system. Cache timing attack is a special type of side channel attack. Here, timing information caused by cache effect is collected and analyzed by an attacker to guess sensitive information such as encryption key or plaintext. Cache timing attack against AES was known theoretically until Bernstein carry out a real implementation of the attack. Fortunately, this attack can be a success only by exploiting bad implementation in software or hardware, not for algorithm structure weaknesses, and that means attack could be prevented if proper implementation has been used.
    [Show full text]
  • Advanced Encryption Standard (Aes) Modes of Operation
    ADVANCED ENCRYPTION STANDARD (AES) MODES OF OPERATION 1 Arya Rohan Under the guidance of Dr. Edward Schneider University of Maryland, College Park MISSION: TO SIMULATE BLOCK CIPHER MODES OF OPERATION FOR AES IN MATLAB Simulation of the AES (Rijndael Algorithm) in MATLAB for 128 bit key-length. Simulation of the five block cipher modes of operation for AES as per FIPS publication. Comparison of the five modes based on Avalanche Effect. Future Work 2 OUTLINE A brief history of AES Galois Field Theory De-Ciphering the Algorithm-ENCRYPTION De-Ciphering the Algorithm-DECRYPTION Block Cipher Modes of Operation Avalanche Effect Simulation in MATLAB Conclusion & Future Work References 3 A BRIEF HISTORY OF AES 4 In January 1997, researchers world-over were invited by NIST to submit proposals for a new standard to be called Advanced Encryption Standard (AES). From 15 serious proposals, the Rijndael algorithm proposed by Vincent Rijmen and Joan Daemen, two Belgian cryptographers won the contest. The Rijndael algorithm supported plaintext sizes of 128, 192 and 256 bits, as well as, key-lengths of 128, 192 and 256 bits. The Rijndael algorithm is based on the Galois field theory and hence it gives the algorithm provable 5 security properties. GALOIS FIELD 6 GALOIS FIELD - GROUP Group/Albelian Group: A group G or {G, .} is a set of elements with a binary operation denoted by . , that associates to each ordered pair (a, b) of elements in G an element (a . b) such that the following properties are obeyed: Closure: If a & b belong to G, then a . b also belongs to G.
    [Show full text]
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption
    Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3].
    [Show full text]
  • Block Ciphers
    Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher KE KD untrusted communication link Alice E D Bob #%AR3Xf34^$ “Attack at Dawn!!” message encryption (ciphertext) decryption “Attack at Dawn!!” Encryption key is the same as the decryption key (KE = K D) CR 2 Block Cipher : Encryption Key Length Secret Key Plaintext Ciphertext Block Cipher (Encryption) Block Length • A block cipher encryption algorithm encrypts n bits of plaintext at a time • May need to pad the plaintext if necessary • y = ek(x) CR 3 Block Cipher : Decryption Key Length Secret Key Ciphertext Plaintext Block Cipher (Decryption) Block Length • A block cipher decryption algorithm recovers the plaintext from the ciphertext. • x = dk(y) CR 4 Inside the Block Cipher PlaintextBlock (an iterative cipher) Key Whitening Round 1 key1 Round 2 key2 Round 3 key3 Round n keyn Ciphertext Block • Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate ouput • Size of the key is huge… much larger than the block size. CR 5 Inside the Block Cipher (the key schedule) PlaintextBlock Secret Key Key Whitening Round 1 Round Key 1 Round 2 Round Key 2 Round 3 Round Key 3 Key Expansion Expansion Key Key Round n Round Key n Ciphertext Block • A single secret key of fixed size used to generate ‘round keys’ for each round CR 6 Inside the Round Function Round Input • Add Round key : Add Round Key Mixing operation between the round input and the round key. typically, an ex-or operation Confusion Layer • Confusion layer : Makes the relationship between round Diffusion Layer input and output complex.
    [Show full text]
  • Constructing Low-Weight Dth-Order Correlation-Immune Boolean Functions Through the Fourier-Hadamard Transform Claude Carlet and Xi Chen*
    1 Constructing low-weight dth-order correlation-immune Boolean functions through the Fourier-Hadamard transform Claude Carlet and Xi Chen* Abstract The correlation immunity of Boolean functions is a property related to cryptography, to error correcting codes, to orthogonal arrays (in combinatorics, which was also a domain of interest of S. Golomb) and in a slightly looser way to sequences. Correlation-immune Boolean functions (in short, CI functions) have the property of keeping the same output distribution when some input variables are fixed. They have been widely used as combiners in stream ciphers to allow resistance to the Siegenthaler correlation attack. Very recently, a new use of CI functions has appeared in the framework of side channel attacks (SCA). To reduce the cost overhead of counter-measures to SCA, CI functions need to have low Hamming weights. This actually poses new challenges since the known constructions which are based on properties of the Walsh-Hadamard transform, do not allow to build unbalanced CI functions. In this paper, we propose constructions of low-weight dth-order CI functions based on the Fourier- Hadamard transform, while the known constructions of resilient functions are based on the Walsh-Hadamard transform. We first prove a simple but powerful result, which makes that one only need to consider the case where d is odd in further research. Then we investigate how constructing low Hamming weight CI functions through the Fourier-Hadamard transform (which behaves well with respect to the multiplication of Boolean functions). We use the characterization of CI functions by the Fourier-Hadamard transform and introduce a related general construction of CI functions by multiplication.
    [Show full text]
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA
    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
    [Show full text]
  • GCM) for Confidentiality And
    NIST Special Publication 800-38D Recommendation for Block DRAFT (April, 2006) Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication Morris Dworkin C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation. i Table of Contents 1 PURPOSE...........................................................................................................................................................1 2 AUTHORITY.....................................................................................................................................................1 3 INTRODUCTION..............................................................................................................................................1 4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS.................................................................................2 4.1 DEFINITIONS AND ABBREVIATIONS .............................................................................................................2 4.2 SYMBOLS ....................................................................................................................................................4 4.2.1 Variables................................................................................................................................................4
    [Show full text]
  • Block Cipher Modes
    Block Cipher Modes Data and Information Management: ELEN 3015 School of Electrical and Information Engineering, University of the Witwatersrand March 25, 2010 Overview Motivation for Cryptographic Modes Electronic Codebook Mode (ECB) Cipher Block Chaining (CBC) Cipher Feedback Mode (CFB) Output Feedback Mode (OFB) 1. Cryptographic Modes Problem: With block ciphers, same plaintext block always enciphers to the same ciphertext block under the same key 1. Cryptographic Modes Solution: Cryptographic mode: • block cipher • feedback • simple operations Simple operations, as the security lies in the cipher. 1. Cryptographic Modes 1.1 Considerations • The mode should not compromise security of cipher • Mode should conceal patterns in plaintext • Some random starting point is needed • Difficult to manipulate the plaintext by changing ciphertext • Requires multiple messages to be encrypted with same key • No significant impact on efficiency of cipher • Ciphertext same size as plaintext • Fault tolerance - recover from errors 2. Electronic Codebook Mode Uses the block cipher without modifications Same plaintext block encrypts to same ciphertext under same key Each plaintext block is encrypted independently of other plaintext blocks. Corrupted bits only affects one block Dropped/inserted bits cause sync errors ! all subsequent blocks decipher incorrectly 2. Electronic Codebook Mode 2.1 Advantages ECB exhibits `random access property' because plaintext blocks are encrypted independently • Encryption and decryption can be done in any order • Beneficial for databases, records can be added, deleted, modified, encrypted and deleted independently of other records Parallel implementation • Different blocks can simultaneously be decrypted on separate processors Many messages can be encrypted with the same key, since each block is independent. 2.
    [Show full text]
  • Fair and Efficient Hardware Benchmarking of Candidates In
    Fair and Efficient Hardware Benchmarking of Candidates in Cryptographic Contests Kris Gaj CERG George Mason University Partially supported by NSF under grant no. 1314540 Designs & results for this talk contributed by “Ice” Homsirikamol Farnoud Farahmand Ahmed Ferozpuri Will Diehl Marcin Rogawski Panasayya Yalla Cryptographic Standard Contests IX.1997 X.2000 AES 15 block ciphers → 1 winner NESSIE I.2000 XII.2002 CRYPTREC XI.2004 IV.2008 34 stream 4 HW winners eSTREAM ciphers → + 4 SW winners X.2007 X.2012 51 hash functions → 1 winner SHA-3 I.2013 TBD 57 authenticated ciphers → multiple winners CAESAR 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 time Evaluation Criteria in Cryptographic Contests Security Software Efficiency Hardware Efficiency µProcessors µControllers FPGAs ASICs Flexibility Simplicity Licensing 4 AES Contest 1997-2000 Final Round Speed in FPGAs Votes at the AES 3 conference GMU results Hardware results matter! 5 Throughput vs. Area Normalized to Results for SHA-256 and Averaged over 11 FPGA Families – 256-bit variants Overall Normalized Throughput Early Leader Overall Normalized Area 6 SHA-3 finalists in high-performance FPGA families 0.25 0.35 0.50 0.79 1.00 1.41 2.00 2.83 4.00 7 FPGA Evaluations – From AES to SHA-3 AES eSTREAM SHA-3 Design Primary optimization Throughput Area Throughput/ target Throughput/ Area Area Multiple architectures No Yes Yes Embedded resources No No Yes Benchmarking Multiple FPGA families No No Yes Specialized tools No No Yes Experimental results No No Yes Reproducibility Availability
    [Show full text]
  • On the NIST Lightweight Cryptography Standardization
    On the NIST Lightweight Cryptography Standardization Meltem S¨onmez Turan NIST Lightweight Cryptography Team ECC 2019: 23rd Workshop on Elliptic Curve Cryptography December 2, 2019 Outline • NIST's Cryptography Standards • Overview - Lightweight Cryptography • NIST Lightweight Cryptography Standardization Process • Announcements 1 NIST's Cryptography Standards National Institute of Standards and Technology • Non-regulatory federal agency within U.S. Department of Commerce. • Founded in 1901, known as the National Bureau of Standards (NBS) prior to 1988. • Headquarters in Gaithersburg, Maryland, and laboratories in Boulder, Colorado. • Employs around 6,000 employees and associates. NIST's Mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 2 NIST Organization Chart Laboratory Programs Computer Security Division • Center for Nanoscale Science and • Cryptographic Technology Technology • Secure Systems and Applications • Communications Technology Lab. • Security Outreach and Integration • Engineering Lab. • Security Components and Mechanisms • Information Technology Lab. • Security Test, Validation and • Material Measurement Lab. Measurements • NIST Center for Neutron Research • Physical Measurement Lab. Information Technology Lab. • Advanced Network Technologies • Applied and Computational Mathematics • Applied Cybersecurity • Computer Security • Information Access • Software and Systems • Statistical
    [Show full text]