
ECE 646 Lecture 9

Hash functions & MACs

Required Reading
W. Stallings, " and Network-Security,”
• Chapter 11 Cryptographic Hash Functions
• Appendix 11A Mathematical Basis of Birthday Attack
• Chapter 12 Codes

Recommended Reading
• SHA-3 Project https://csrc.nist.gov/projects/hash-functions/sha-3-project

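Digital Signature
[Figure: Alice hashes the message with a hash function and applies the public key algorithm with Alice’s private key to the hash value to produce the signature, then sends message and signature. Bob obtains hash value 1 and hash value 2 (one from the received message with the hash function, the other from the signature with the public key algorithm and Alice’s public key) and compares them (yes/no).]

Hash function
[Figure: message m of arbitrary length → hash function h → hash value h(m) of fixed length]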

Vocabulary
hash function, hash value, message digest, hash total, fingerprint, imprint, cryptographic checksum, compressed encoding, MDC (Message Digest Code)

Hash functions: Basic requirements
1. Public description, NO key
2. Compression: arbitrary length input → fixed length output
3. Ease of computation

Hash functions: Security requirements
It is computationally infeasible (Given → To Find):
1. Preimage resistance: given y, to find x such that h(x) = y
2. 2nd preimage resistance: given x and y = h(x), to find x’ ≠ x such that h(x’) = h(x) = y
3. Collision resistance: to find x’ ≠ x such that h(x’) = h(x)

Hash functions: Dependence between requirements
[Figure: 2nd preimage resistant, collision resistant]

Hash functions
[Figure: One-Way Hash Functions (OWHF) and Collision-Resistant Hash Functions (CRHF), with the properties: preimage resistance ?, 2nd preimage resistance, collision resistance]

Brute force attack against (unkeyed) One-Way Hash Function
Given y
\(2^n\) messages \(m_i'\), \(i = 1..2^n\), with the contents required by the forger
Each \(h(m_i')\) is n bits long; the search looks for \(h(m_i') = y\)

Brute force attack against Collision Resistant Hash Function (Yuval)
r messages \(m_i\), \(i = 1..r\), acceptable for the signer
r messages \(m_j'\), \(j = 1..r\), required by the forger
\(h(m_i)\) and \(h(m_j')\) are n bits long; the search looks for \(h(m_i) = h(m_j')\)

Creating multiple versions of the required message
I {state | confirm} {thereby | -} that I {borrowed | received} {$10,000 | ten thousand dollars} from {Mr. Kris | Dr. Krzysztof} Gaj on {October 23, 2019 | 10/23/2019}. This {money | sum of money} {should be returned | is required to be given back} to {Mr. | Dr.} Gaj by the {4th | fourth} day of {December | Dec.} 2019.

Message acceptable for the signer
I {state | confirm} {thereby | -} that on {October 23, 2019 | 10/23/2019} I received from {Mr. Kris | Dr. Krzysztof} Gaj a {paper | manuscript | text} on {security of Electronic Voting | side-channel attacks for PQC}. This item {should be returned | is required to be given back} to {Mr. | Dr.} Gaj by the {4th | fourth} day of {December | Dec.} 2019.

Birthday paradox
How many students must be in a class so that there is a greater than 50% chance that
1. one of the students shares the teacher’s birthday (day and month)?
   ~ 366/2 = 183
2. any two of the students share the same birthday (day and month)?
   ~ \(\sqrt{366} \approx 19\)

Brute force attack against Collision Resistant Hash Function
Probability p that two different messages have the same hash value:
\[ p = 1 - \exp\left(-\frac{r^2}{2^n}\right) \]
For \(r = 2^{n/2}\), p = 63%

Brute force attack against Collision Resistant Hash Function: Storage requirements
J.J. Quisquater collision search algorithm
Number of operations: \(2\sqrt{\pi/2} \cdot 2^{n/2} \approx 2.5 \cdot 2^{n/2}\)
Storage: Negligible
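
An added example (not from the lecture slides) that checks the estimate p = 1 − exp(−r²/2ⁿ) empirically for two sets of r messages each, using SHA-256 truncated to n bits as a stand-in for an n-bit hash. The message strings and function names are constructed for illustration.

```python
import hashlib
import math

def truncated_hash(message: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(message): a stand-in for an n-bit hash h."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)

def predicted_probability(r: int, n_bits: int) -> float:
    """p = 1 - exp(-r^2 / 2^n) for two sets of r messages each."""
    return 1.0 - math.exp(-(r * r) / 2.0 ** n_bits)

def sets_collide(trial: int, r: int, n_bits: int) -> bool:
    """True if some h(m_i) equals some h(m_j') in this trial."""
    # Constructed stand-ins for the r "acceptable" and r "required" messages.
    acceptable = {truncated_hash(b"acceptable|%d|%d" % (trial, i), n_bits)
                  for i in range(r)}
    return any(truncated_hash(b"required|%d|%d" % (trial, j), n_bits) in acceptable
               for j in range(r))

def measured_probability(r: int, n_bits: int, trials: int) -> float:
    """Fraction of independent trials in which the two sets share a hash value."""
    return sum(sets_collide(t, r, n_bits) for t in range(trials)) / trials

def min_hash_bits(work_factor_bits: int) -> int:
    """Hash length n whose birthday bound 2^(n/2) meets the given work factor."""
    return 2 * work_factor_bits

if __name__ == "__main__":
    n = 16
    for exp in (6, 7, 8, 9):
        r = 2 ** exp
        print(f"n={n} r=2^{exp}: predicted {predicted_probability(r, n):.3f}, "
              f"measured {measured_probability(r, n, 500):.3f}")
    print("bits needed for a 2^80 birthday bound:", min_hash_bits(80))
```

The measured frequency at r = 2^(n/2) settles near 63%, which is why a hash meant to resist collisions needs twice as many output bits as the intended work factor.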


Hash value size
Older algorithms (currently insecure):
• One-Way: n ≥ 64 (8 bytes)
• Collision-Resistant: n ≥ 128 (16 bytes)
Old standards:
• One-Way: n ≥ 80 (10 bytes)
• Collision-Resistant: n ≥ 160 (20 bytes)
Current standards (e.g., SHA-2, SHA-3):
• One-Way: n = 128, 192, 256 (16, 24, 32 bytes)
• Collision-Resistant: n = 256, 384, 512 (32, 48, 64 bytes)

Hash function algorithms
Customized (dedicated):
• MD2 (Rivest 1988)
• MD4 (Rivest 1990)
• MD5 (Rivest 1990)
• SHA-0 (NSA, 1992)
• SHA-1 (NSA, 1995)
• RIPEMD (European RACE Integrity Primitives Evaluation Project, 1992)
• RIPEMD-160
• SHA-256, SHA-384, SHA-512 (NSA, 2000)
Based on block ciphers:
• MDC-2, MDC-4 (IBM, Brachtl, Meyer, Schilling, 1988)
Based on modular arithmetic:
• MASH-1 (1988-1996)

Attacks against dedicated hash functions known by 2004
• MD2: partially broken
• MD4: broken, H. Dobbertin, 1995 (one hour on PC, 20 free bytes at the start of the message)
• MD5: partially broken, collisions for the compression function, Dobbertin, 1996 (10 hours on PC)
• SHA-0: weakness discovered, 1995 NSA, 1998 France
• RIPEMD: reduced round version broken, Dobbertin 1995
• SHA-1, RIPEMD-160, SHA-256, SHA-384, SHA-512

What was discovered in 2004-2005?
• MD4: broken; Wang, Feng, Lai, Yu, Crypto 2004 (manually, without using a computer)
• MD5: broken; Wang, Feng, Lai, Yu, Crypto 2004 (1 hr on a PC)
• SHA-0: broken; Crypto 2004, attack with \(2^{40}\) operations
• RIPEMD: broken; Wang, Feng, Lai, Yu, Crypto 2004 (manually, without using a computer)
• SHA-1: attack with \(2^{63}\) operations, Wang, Yin, Yu, Aug 2005
• MD2, RIPEMD-160, SHA-256, SHA-384, SHA-512

\(2^{63}\) operations (Schneier, 2005)
In hardware:
Machine similar to the one used to break DES:
• Cost = $50,000-$70,000, Time: 18 days
• or Cost = $0.9-$1.26M, Time: 24 hours
In software:
Computer network similar to distributed.net used to break DES (~331,252 computers):
• Cost = ~ $0, Time: 7 months

Recommendations of NIST (1)
NIST Brief Comments on Recent Cryptanalytic Attacks on SHA-1, Feb 2005
• The new attack is applicable primarily to the use of hash functions in digital signatures.
• In many cases applications of digital signatures introduce additional context information, which may make attacks impractical.
• Other applications of hash functions, such as Message Authentication Codes (MACs), are not threatened by the new attacks.

Recommendations of NIST (2)
• NIST was already earlier planning to withdraw SHA-1 in favor of SHA-224, SHA-256, SHA-384 & SHA-512 by 2010.
• New implementations should use new hash functions.
• NIST encourages government agencies to develop plans for gradually moving towards new hash functions, taking into account the sensitivity of the systems when setting the timetables.

SHA-3 Contest Timeline
2007
• publication of requirements
• 29.X.2007: request for candidates
2008
• 31.X.2008: deadline for submitting candidates
• 9.XII.2008: announcement of 51 candidates accepted for Round 1
2009
• 25-28.II.2009: 1st SHA-3 Candidate Conference, Leuven, Belgium
• 24.VII.2009: 14 Round 2 candidates announced
2010
• 23-24.VIII.2010: 2nd SHA-3 Candidate Conference, Santa Barbara, CA
• 9.XII.2010: 5 Round 3 candidates announced
2012
• 22-23.III.2012: 3rd SHA-3 Candidate Conference, Washington, D.C.
• 2.X.2012: selection of the winner
2014
• 28.V.2014: draft version of the standard published
2015
• 5.VIII.2015: final version of the standard published

Number of Submissions
• Number of submissions received by NIST: 64
• Number of submissions publicly available: 56
• Number of submissions qualified to the first round: 51

Basic Requirements for a new hash function
• Must support hash values of 224, 256, 384 and 512 bits
• Available worldwide without licensing fees
• Secure over tens of years
• Suitable for use in
  - digital signatures, FIPS 186
  - message authentication codes, HMAC, FIPS 198
  - key agreement schemes, SP 800-56A
  - random number generators, SP 800-90
• At least the same as SHA-2 with increased efficiency

SHA-3 Contest: 2008-2012
[Figure: 51 candidates (Oct. 2008) → Round 1 → 14 (Jul. 2009) → Round 2 → 5 (Dec. 2010) → Round 3 → 1 (Oct. 2012); tracks: Security Analysis & Software Benchmarking, Hardware benchmarking]

FPGA Benchmarking of Round 2 Candidates
Technology | Altera low-cost | Altera high-performance | Xilinx low-cost | Xilinx high-performance
90 nm | Cyclone II | Stratix II | Spartan 3 | Virtex 4
65 nm | Cyclone III | Stratix III | - | Virtex 5
Designers: Marcin Rogawski, Ekawat Homsirikamol (“Ice”)

ATHENa – Automated Tool for Hardware EvaluatioN
• Open-source
• Written in Perl
• Developed 2009-2012
• Automated search for optimal
  § Options of tools
  § Target frequency
  § Starting placement point
• Supporting Xilinx ISE & Altera Quartus
FPL Community Award 2010, Milan, Italy, Sep. 2010
Image of Athena Goddess courtesy of Carolyn Angus

ATHENa Inputs/Outputs
[Figure: inputs: configuration files, testbench, synthesizable source files; outputs: result summary (human-friendly) OR database entries (machine-friendly)]

ATHENa Database of Results
http://cryptography.gmu.edu/athenadb

ATHENa Gains
[Figure: bar chart of Area, Thr and Thr/Area. Ratios of results obtained using ATHENa suggested options vs. default options of FPGA tools.]

ATHENa Gains
[Figure: old days… vs. “working” with ATHENa…]

Why ATHENa?
"The Greek goddess Athena was frequently called upon to settle disputes between the gods or various mortals. Athena Goddess of Wisdom was known for her superb logic and intellect. Her decisions were usually well-considered, highly ethical, and seldom motivated by self-interest.”
from "Athena, Greek Goddess of Wisdom and Craftsmanship"

SHA-3 Round 2 Results: 14 candidates
[Figure: Throughput vs. Area: Normalized to Results for SHA-2 and Averaged over 7 FPGA Families. Best: Fast & Small. Worst: Slow & Big.]

Research: Multiple Architectures
Horizontal Folding /2(h)
• datapath width = state size
• two clock cycles per one round/step
[Figure: Throughput vs. Area for the /2(h) and x1 architectures]
Typically Throughput/Area ratio increases

Research: Design Space Exploration
[Figure: Results for BLAKE & the old standard SHA-2]

Research: Design Space Exploration
[Figure: All Final SHA-3 Candidates (Keccak, SHA-2, JH, BLAKE, Groestl)]

Research: FPGA vs. ASIC
• ASIC developed in collaboration with ETH Zurich
• standard-cell CMOS 65nm UMC process
• 6 GMU implementations, 6 ETH Zurich implementations
• Taped-out in Oct. 2011, successfully tested in Feb. 2012
• Results reported at the 3rd SHA-3 Candidate Conference in Washington D.C. in Mar. 2012

Research: FPGA vs. ASIC
[Figure: ASIC vs. Stratix III FPGA]

Results Relative to SHA-2
[Figure: results relative to SHA-2, on a scale from 0.25 to 4.00]

Hash functions: Applications (1)
1. Digital Signatures
Advantages
1. Shorter signature
2. Much faster computations
3. Larger resistance to manipulation (one block instead of several blocks of signature)
4. Resistance to the multiplicative attacks
5. Avoids problems with different sizes of the sender and the receiver moduli

Hash functions: Applications (2)
2. Fingerprint of a program or a document (e.g., to detect a modification by a virus or an intruder)
[Figure: program → hash → fingerprint, with the original fingerprint kept in a safe place; check: fingerprint = original_fingerprint ?]

Hash functions: Applications (3)
3. Storing passwords
Instead of: ID, password
System stores: ID, hash(password)
[Figure: password → hash → hash(password), compared (?) with the stored hash(password)]

UNIX password scheme
[Figure: “00000000” is processed by DES under the password; salt modifies the expansion function E of DES; the result is hash(password, salt)]
ID, salt, hash(password, salt)

Hash functions: Applications (4)
4. Fast PRNG
[Figure: \(m_i\), \(k_i\), \(c_i\)]
\(k_0 = hash(K_{AB} \,\|\, IV)\)
\(k_1 = hash(K_{AB} \,\|\, k_0)\)
...
\(k_n = hash(K_{AB} \,\|\, k_{n-1})\)
or
\(k_0 = hash(K_{AB} \,\|\, IV)\)
\(k_1 = hash(K_{AB} \,\|\, c_0)\)
...
\(k_n = hash(K_{AB} \,\|\, c_{n-1})\)

General scheme for constructing a secure hash function
Merkle-Damgard Scheme
[Figure: Message m → Padding, appending bit length → M = M1 M2 . . . Mt; IV = H0 → f → H1 → f → H2 → . . . → Ht → g → h(m)]
f: compression function
g: output transformation

Parameters of the Merkle-Damgard Scheme
Compression function f: inputs \(H_{i-1}\) (n bits) and \(M_i\) (r bits), output \(H_i\) (n bits)
Entire hash:
\(H_0 = IV\)
\(H_i = f(H_{i-1}, M_i)\)
\(h(m) = g(H_t)\)
In SHA-1: n=160, r=512
In SHA-256: n=256, r=512
In SHA-512: n=512, r=1024

Sponge Scheme
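
An added example, not from the lecture slides: the Merkle-Damgard iteration H_0 = IV, H_i = f(H_{i-1}, M_i), h(m) = g(H_t) written out for SHA-256 (n = 256, r = 512). It goes beyond the slide by including the compression function from the SHA-256 specification; the function names are chosen for this example, and the result is compared with Python's hashlib.

```python
import hashlib
import math

MASK = 0xFFFFFFFF
BLOCK_BYTES = 64                       # r = 512 bits per message block

def _primes(count):
    found, candidate = [], 2
    while len(found) < count:
        if all(candidate % p for p in found):
            found.append(candidate)
        candidate += 1
    return found

def _icbrt(x):
    """Largest integer c with c**3 <= x (exact binary search)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo

# SHA-256 constants: fractional bits of square/cube roots of the first primes.
PRIMES = _primes(64)
IV = [math.isqrt(p << 64) & MASK for p in PRIMES[:8]]
K = [_icbrt(p << 96) & MASK for p in PRIMES]

def _rotr(x, s):
    return ((x >> s) | (x << (32 - s))) & MASK

def pad(message: bytes) -> bytes:
    """message || 1000...0000 || len64, a multiple of 512 bits."""
    zeros = (55 - len(message)) % 64
    return message + b"\x80" + b"\x00" * zeros + (8 * len(message)).to_bytes(8, "big")

def compress(h_prev, block):
    """H_i = f(H_{i-1}, M_i): n = 256 bits of state, r = 512 bits of message."""
    w = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    for t in range(16, 64):
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = h_prev
    for t in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(h_prev, (a, b, c, d, e, f, g, h))]

def sha256_md(message: bytes) -> bytes:
    state = list(IV)                                      # H_0 = IV
    padded = pad(message)
    for i in range(0, len(padded), BLOCK_BYTES):          # M_1 .. M_t
        state = compress(state, padded[i:i + BLOCK_BYTES])
    return b"".join(x.to_bytes(4, "big") for x in state)  # g is the identity

def matches_reference(message: bytes) -> bool:
    """Compare against hashlib's SHA-256."""
    return sha256_md(message) == hashlib.sha256(message).digest()
```

A 55-byte message still fits one block after padding, while a 56-byte message needs a second block for the length field.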


Hash padding – SHA-1 & SHA-256
[Figure: message | 100000000000 | length (64 bits)]
length: length of the entire message in bits
All zero padding | Correct padding
X X X 0 0 0 0 0 | X X X 0 0 1 0 0
X X X 0 0 0 0 0 | X X X 1 0 0 0 0

Hash padding – SHA-3 Candidates
BLAKE256: D 1000 . . . 0001 len64
Grøstl: D 1000 . . . 0000 #blocks
JH42: D 1000 . . . 0001 len128
Keccak: D 1000 . . . 0001
D 0000 . . . 0000
SHA−2 (256): D 1000 . . . 0000 len64
Minimum D Data M Padding P Padding C Counter

Parameters of new hash functions
(Features affecting security and functionality; features affecting implementation speed)
Parameter | SHA-1 | SHA-256 | SHA-384 | SHA-512
Size of hash value | 160 | 256 | 384 | 512
Complexity of the birthday attack | \(2^{80}\) | \(2^{128}\) | \(2^{192}\) | \(2^{256}\)
Equivalently secure secret-key cipher | Skipjack | AES-128 | AES-192 | AES-256
Message size | < \(2^{64}\) | < \(2^{64}\) | < \(2^{128}\) | < \(2^{128}\)
Message block size | 512 | 512 | 1024 | 1024
Number of digest rounds | 80 | 64 | 80 | 80

Hardware implementations: Conceptual comparison
[Figure: Speed vs. Area for SHA-512, SHA-384; SHA-256; SHA-1]

Results of the prototype FPGA implementation, GMU, 2002
[Figure: bar chart of speed in hardware [Mbit/s] for SHA-1 and SHA-512, axis 0-700; values shown: 616 and 462]
Complexity of the best attack:
• SHA-1: \(2^{80}\), the same as Skipjack
• SHA-512: \(2^{256}\), the same as AES-256

Hash functions: 20 years ago
U.S. Government standards: SHA-1
Other popular hash functions: MD5, RIPEMD
Security status:
• MD4 broken (1995)
• SHA-1 replaced SHA-0 (1995)
• MD5 partially broken (collisions in compression function, 1996)

Hash functions: Present
U.S. Government standards: SHA-224, SHA-256, SHA-384, SHA-512, SHA-3
Other popular hash functions: Whirlpool – winner of NESSIE
Security status:
• broken: MD4, MD5, SHA-0, RIPEMD
• SHA-1 practically broken, best attack – \(2^{63}\) operations – only 128 x more than breaking DES

Hash functions: Timeline (1996-2006)
U.S. Government standards:
• SHA-1: FIPS 180
• II. 2003: SHA-1, SHA-256, 384, 512: FIPS 180-2
• II. 2004: SHA-224: FIPS 180-2
Contests:
• NESSIE, I. 2000 - XII. 2002: SHA-256, SHA-384, SHA-512, Whirlpool
Attacks:
• MD5 – collisions for compression function, 10 hrs on PC
• VIII. 1998: SHA-0 – attack with \(2^{61}\) operations
• VIII. 2004: MD5 broken (1 hr on PC), SHA-0 broken, RIPEMD broken (without a need for computer)
• II-VIII. 2005: attack on SHA-1, \(2^{69} \to 2^{63}\) operations

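Authentication
[Figure: Alice computes a MAC over the Message with the MAC algorithm and the secret key K_AB and sends Message and MAC; Bob computes MAC’ over the received Message with the MAC algorithm and K_AB and compares it with the received MAC (yes/no). K_AB: secret key of Alice and Bob.]

MAC - Message Authentication Codes (keyed hash functions)
[Figure: message m of arbitrary length and secret key K → MAC function → MAC of fixed length]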

MAC functions: Basic requirements
1. Public description, SECRET key parameter
2. Compression: arbitrary length input → fixed length output
3. Ease of computation

MAC functions: Security requirements
Given zero or more pairs \(m_i, MAC_K(m_i)\), \(i = 1..k\),
it is computationally impossible to find any new pair \(m', MAC_K(m')\)
such that \(m' \neq m_i\), \(i = 1..k\)

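MAC functions: Security requirements
Resistance against
1. Known-text attack
2. Chosen-text attack
3. Adaptive chosen-text attack

CBC-MAC (1)
[Figure: message blocks m1, m2, . . ., mt are chained through E under key K, starting from 0 and producing H1, H2, . . ., Ht-1, Ht; the MAC is taken from Ht (FIPS-113), optionally after D under K’ followed by E under K]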

CBC-MAC (1)
\(H_0 = IV = 0\)
\(H_i = DES_K(m_i \oplus H_{i-1})\), \(i = 1..t\)
\(MAC(m) = H_t[1..32]\)
or
\(MAC(m) = E_K(E_{K'}^{-1}(H_t))[1..32]\)

MAC functions
Based on block ciphers: CBC-MAC, CFB-MAC, RIPE-MAC, CMAC
Based on hash functions: HMAC, MD5-MAC
Based on stream ciphers: CRC-MAC
Dedicated: MAA

CMAC

RIPE-MAC
\(H_0 = IV = 0\)
\(H_i = DES_K(m_i \oplus H_{i-1}) \oplus m_i\), \(i = 1..t\)
\(MAC(m) = E_K(E_{K'}^{-1}(H_t))[0..31]\)
\(K' = K \oplus \mathtt{0xf0f0…f0}\)

HMAC
Bellare, Canetti, Krawczyk, 1996
• Used in SSL and IPSec
• American standard FIPS 198
• Arbitrary hash function and key size
\(HMAC(m) = h(K \oplus ipad \,\|\, h(K \oplus opad \,\|\, m))\)
ipad, opad - constant padding strings of the length of the message block size in the hash function h
ipad = repetitions of 0x36 = 00110110
opad = repetitions of 0x5A = 01011010

HMAC
[Figure: KEY ⊕ ipad, KEY ⊕ opad, message m, two applications of h, output HMAC]

Message Authentication Codes - MACs: 20 years ago
U.S. Government standards:
• MAC (DAC) based on DES (since 1985)
Other MACs in use:
• RIPE-MAC3, CRC-MAC, MAA

Message Authentication Codes - MACs: Present
U.S. Government standards:
• HMAC – based on hash functions, used in SSL and IPSec
• CMAC – mode (AES, Triple DES, Skipjack)
Other MACs in use:
• UMAC, TTMAC, EMAC – winners of the NESSIE contest

NESSIE: Winners of the contest: 2002
Message Authentication Codes, MACs
Security level | Key size | Output width
high | ≥ 256 | 32×k
normal | ≥ 128 | 32×k
Name | Origin
1. UMAC | UC Davis
2. TTMAC | K.U. Leuven
3. EMAC | U. of Toronto
4. HMAC | NIST & NSA

Message Authentication Codes: Timeline (1996-2006)
U.S. standards:
• MAC (DAC), FIPS 113 (based on DES), withdrawn in 2008
• HMAC, FIPS 198 (based on hash functions), III. 2002
• CMAC, SP 800-38C, V. 2005
Contests:
• NESSIE; contest winners: UMAC, TTMAC, EMAC
Attacks:
• 2002: RMAC – practical attack against MAC proposed by NIST and based on Triple DES

Confidentiality & Authentication: Authenticated Ciphers
[Figure: Alice: N, Message and K_AB → Authenticated Cipher Encryption → N, Ciphertext, Tag; Bob: N, Ciphertext, Tag and K_AB → Authenticated Cipher Decryption → invalid or Message]
K_AB - Secret key of Alice and Bob
N – Nonce or Initialization Vector

Confidentiality & Authentication: Authenticated Ciphers
[Figure: Npub, Nsec, AD, Message and K_AB → Encryption → Npub, Enc Nsec, AD, Ciphertext, Tag; Npub, Enc Nsec, AD, Ciphertext, Tag and K_AB → Decryption → Invalid or Nsec, AD, Message]
Npub - Public Message Number
Nsec - Secret Message Number
Enc Nsec - Encrypted Secret Message Number
AD - Associated Data
K_AB - Secret key of Alice and Bob

Examples of Most Commonly Used Authenticated Ciphers
• AES-GCM
• AES-OCB3
• AES-OCB
• AES-CCM
• AES-EAX

Cryptographic Standard Contests (timeline, 1997-2017)
• AES, IX.1997 - X.2000: 15 block ciphers → 1 winner
• NESSIE, I.2000 - XII.2002
• CRYPTREC
• eSTREAM, XI.2004 - IV.2008: 34 stream ciphers → 4 HW winners + 4 SW winners
• SHA-3, X.2007 - X.2012: 51 hash functions → 1 winner
• CAESAR, I.2013 - II.2019: 57 authenticated ciphers → multiple winners

CAESAR Contest 2013-2019

Evaluation of Candidates in Cryptographic Contests (timeline, 2007-2022)
• SHA-3, X.2007 - X.2012: 51 hash functions → 1 winner
• CAESAR, I.2013 - II.2019: 57 authenticated ciphers → multiple winners
• Lightweight Cryptography, VIII.2018 - TBD: 56 lightweight authenticated ciphers & hash functions
Legend: Completed, In progress

Evaluation Criteria
• Security
• Software Efficiency: µProcessors, µControllers
• Hardware Efficiency: FPGAs, ASICs
• Flexibility
• Simplicity
• Licensing

CAESAR Contest: 2015-2018
[Figure: 57 candidates (Mar. 2014) → Round 1 → 29 (Jul. 2015) → Round 2 → 15 (Aug. 2016) → Round 3 → 7 (Mar. 2018) → Round 4 → 6, Final Portfolio (Feb. 2019); tracks: Security Analysis & Software Benchmarking, Hardware benchmarking]

CAESAR Major Challenges
• Fairness
• Number of Candidates

CAESAR Hardware API
1. Minimum Compliance Criteria
   • Encryption, decryption, key scheduling
   • Padding
   • Maximum size of message & AD
   • Permitted data port widths, etc.
2. Interface
3. Communication Protocol
4. Timing Characteristics
Proposed by GMU in Feb. 2016, approved by the CAESAR Committee in May 2016

CAESAR Development Package
• Universal Testbench (VHDL)
• Code Common for All Candidates (VHDL)
• Test Vector Generator (Python)

VHDL/Verilog Code Submitters
1. CCRG NTU (Nanyang Technological University) Singapore – ACORN, AEGIS, JAMBU, & MORUS
2. CLOC-SILC Team, Japan – CLOC & SILC
3. Ketje-Keyak Team – Ketje & Keyak
4. Lab Hubert Curien, St. Etienne, France – ELmD & TriviA-ck
5. Axel Y. Poschmann and Marc Stöttinger – Deoxys & Joltik
6. NEC Japan – AES-OTR
7. IAIK TU Graz, Austria – Ascon
8. DS Radboud University Nijmegen, Netherlands – HS1-SIV
9. IIS ETH Zurich, Switzerland – NORX
10. Pi-Cipher Team – Pi-Cipher
11. EmSec RUB, Germany – POET
12. CG UCL, INRIA – SCREAM
13. Shanghai Jiao Tong University, China – SHELL
13 Design Groups, 19 CAESAR Round 2 Candidates

VHDL/Verilog Code Submitters
GMU: “Ice” Homsirikamol, Will Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Mike X. Lyons
Designs: AES-GCM, AEZ, Ascon, Deoxys, HS1-SIV, ICEPOLE, Joltik, NORX, OCB, PAEQ, Pi-Cipher, STRIBOB, Minalpher, OMD, POET, SCREAM, PRIMATEs-GIBBON & HANUMAN, PAEQ, AES-COPA & CLOC, TriviA-ck
GMU alone, 19 Candidate Families + AES-GCM

CAESAR Contest: Impact
• 75 unique open-source designs
• Covering the majority of primary variants of 28 out of 29 Round 2 Candidate Families (all except Tiaoxin)
• High-speed implementation of AES-GCM (baseline)
• The biggest and the earliest hardware benchmarking effort in the history of cryptographic competitions

Percentage of Candidates in Hardware
Contest | Initial number of candidates | Implemented in hardware | Percentage
AES | 15 | 5 | 33.3%
eSTREAM | 34 | 8 | 23.5%
SHA-3 | 51 | 14 | 27.5%
CAESAR | 57 | 28 | 49.1%

CAESAR Contest: Results for Round 2
Relative (w.r.t. AES-GCM) Throughput in Virtex 6
[Figure: bar chart]
E – Throughput for Encryption
D – Throughput for Decryption
A – Throughput for Authentication Only
Default: Throughput the same for all 3 operations
Red – algorithms qualified to Round 3
Throughput of AES-GCM = 3239 Mbit/s

CAESAR Contest: Results for Round 2
Relative (w.r.t. AES-GCM) Throughput/Area in Virtex 6
[Figure: bar chart]
E – Throughput/Area for Encryption
D – Throughput/Area for Decryption
A – Throughput/Area for Authentication Only
Default: Throughput/Area the same for all 3 operations
Red – algorithms qualified to Round 3
Throughput/Area of AES-GCM = 1.020 (Mbit/s)/LUTs

Annotations on the charts: "14-16x better than the current standard", "Team Keccak", "Why the slowest?"

Side-Channel Analysis Resistance
Use Case: Lightweight applications (resource constrained environments)
• critical: fits into small hardware area and/or small code for 8-bit CPUs
• desirable: ability to protect against side-channel attacks (e.g., power attacks)
Will Diehl (co-advised with Jens-Peter Kaps)
t-test using low-cost FOBOS environment developed by CERG

Side-Channel Analysis – Preliminary Results
Unprotected Lightweight Implementations
[Figure: Best: Fast & Small; Worst: Slow & Big]
Best: ACORN, JAMBU-SIMON
Worst: CLOC-AES, SILC-AES

Side-Channel Analysis – Preliminary Results
Protected Lightweight Implementations
On Average: Area: x2.7, Thr: x1.8, Thr/Area: x5.4
Best: ACORN, JAMBU-SIMON
Worst: CLOC-TWINE, CLOC-AES

Presentation of Prof. D. Bernstein at the Rump Session of the Fast Software Encryption conference, March 2018