DOCSLIB.ORG

Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS Title Hardware design of cryptographic accelerators Author(s) Baldwin, Brian John Publication date 2013 Original citation Baldwin, B.J., 2013. Hardware design of cryptographic accelerators. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2013. Brian J. Baldwin http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1112 from Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGN OF CRYPTOGRAPHIC ACCELERATORS by BRIAN BALDWIN Thesis submitted for the degree of PHD from the Department of Electrical Engineering National University of Ireland University College, Cork, Ireland May 7, 2013 Supervisor: Dr. William P. Marnane “What I cannot create, I do not understand” - Richard Feynman; on his blackboard at time of death in 1988. Contents 1 Introduction 1 1.1 Motivation...................................... 1 1.2 ThesisAims..................................... 3 1.3 ThesisOutline................................... 6 2 Background 9 2.1 Introduction.................................... 9 2.2 IntroductiontoCryptography. ...... 10 2.3 MathematicalBackground . ... 13 2.3.1 Groups ................................... 13 2.3.2 Rings .................................... 14 2.3.3 Fields.................................... 15 2.3.4 FiniteFields ................................ 16 2.4 EllipticCurves .................................. 17 2.4.1 TheGroupLaw............................... 18 2.4.2 EllipticCurvesoverPrimeFields . .... 19 2.5 CryptographicPrimitives&Protocols . ........ 19 2.5.1 Symmetric-KeyCryptography . .. 20 2.5.2 Public-KeyCryptography . 21 2.5.3 The Integer Factorisation Problem (IFP) . ....... 22 2.5.4 TheDiscreteLogarithmproblem(DLP) . .... 23 I 2.5.5 The Elliptic Curve Discrete Logarithm problem (ECDLP) ........ 23 2.5.6 DigitalSignatures .......... ........... ........ 24 2.5.7 CryptographicKeySizes . 25 2.6 HardwareOverview................................ 27 2.6.1 XilinxFPGA ................................ 28 2.6.2 MemoryandDSPBlocks ...... ........... ........ 29 2.6.3 FPGADesign................................ 30 2.7 Microblaze ..................................... 31 2.7.1 Microblaze Architecture & Implementation . ....... 31 2.7.2 FSLBus .................................. 33 2.8 HardwareArchitecture . ... 33 2.8.1 AdditionalHardware . 34 2.9 HardwareConstraints. ... 35 2.9.1 SideChannelAttacks. 36 2.9.2 Area,Speed,PowerandEnergy . 36 2.10 PerformanceMetrics . ... 38 2.11Conclusions.................................... 39 3 Elliptic Curve Cryptography 40 3.1 Introduction.................................... 40 3.2 DedicatedDoublingandAddition . ..... 43 3.2.1 AffineCoordinateSystem . 44 3.2.2 ProjectiveCoordinateSystem . ... 44 3.2.3 JacobianCoordinateSystem . .. 46 3.2.4 TwistedEdwardsCurves . 48 3.2.5 ExtendedTwistedEdwards. 50 3.2.6 DedicatedAlgorithmOverview . .. 51 3.3 EllipticCurveCryptographicProcessor . ......... 52 II 3.3.1 Control ................................... 52 3.3.2 ModularArithmetic ............................ 53 3.3.3 ModularMultiplication. .. 54 3.3.4 ModularInversion ............................. 56 3.3.5 SchedulingandEfficiency . 57 3.3.6 AlgorithmicCostofFieldOperations . ..... 61 3.3.7 AreaResults forDedicated Doublingand Addition . ........ 63 3.4 MeasuringthePowerDissipation. ...... 64 3.4.1 DedicatedDoublingandAdditionPower Results . ....... 67 3.4.2 Area-TimeandAreaEnergyProduct. ... 69 3.5 PowerAnalysisAttacks. ... 72 3.6 DummyArithmeticInstructions . ..... 73 3.7 UnifiedDoublingandAddition. .... 74 3.8 RegularScalarMultiplication. ....... 76 3.8.1 Co-ZArithmetic .............................. 78 3.8.2 CombinedDouble-AddOperation . .. 79 3.8.3 (X,Y)-onlyoperations . 79 3.9 AlgorithmicCostofSPASecureAlgorithms . ........ 82 3.10 Area and Power Results for SPA Secure Algorithms . .......... 83 3.10.1 Comparing Dedicated Addition & SPA Secure Algorithms........ 88 3.11 LargerKeyandFieldSizes . .... 89 3.12Conclusions.................................... 90 4 Hash Functions 92 4.1 Introduction.................................... 92 4.2 BackgroundtotheSHA-3HashFunctions . ...... 95 4.3 ImplementatingSHA-3HashFunctions . ...... 96 4.3.1 CubeHash.................................. 98 III 4.3.2 Shabal.................................... 100 4.4 SHA-3RoundTwoImplementations . .... 102 4.4.1 BLAKE................................... 102 4.4.2 Grøstl.................................... 103 4.4.3 JH...................................... 104 4.4.4 Keccak ................................... 106 4.4.5 Skein .................................... 107 4.5 HashInterface................................... 108 4.5.1 CommunicationsProtocol . 111 4.5.2 PaddingProtocol .............................. 112 4.6 RoundTwoResults ................................. 114 4.7 RoundThreeAnalysis .............................. 118 4.7.1 RoundThreeChanges ........ ........... ........ 118 4.7.2 ComparingDifferentRoundResults . .... 119 4.7.3 SHA-3PowerandEnergy . 120 4.8 ComparisonwithOtherWork. ... 123 4.8.1 ComparisonofRoundThreeResults. ... 126 4.9 Conclusions..................................... 130 5 Cryptographic Processor 132 5.1 Introduction.................................... 132 5.2 BackgroundtoSignatureAlgorithms. ....... 135 5.2.1 TheEllipticCurve DigitalSignatureAlgorithm . ......... 136 5.2.2 ECDSADomainParameters . 137 5.3 ImplementingECDSA ............................... 138 5.3.1 KeyPairGeneration ............................ 138 5.3.2 SignatureGeneration. 139 5.3.3 SignatureVerification. 139 IV 5.3.4 ECDSAImplementationOptions . 140 5.4 RandomKeyGeneration ........... ........... ....... 141 5.4.1 Entropy................................... 142 5.4.2 Fortuna ................................... 143 5.4.3 RandomNumberGeneratorBlock . 144 5.5 CryptoProcessorUsingMicroblaze . ...... 147 5.5.1 HashBlock................................. 147 5.5.2 EllipticCurveProcessorBlock. .... 150 5.5.3 CoordinateConversion . 150 5.6 ImplementingECCinSoftwareandCo-Design . ....... 153 5.6.1 DedicatedSoftwareResults . 154 5.6.2 InstructionSetExtensions . ... 155 5.7 ECDSADesign................................... 158 5.7.1 ECDSAResults............................... 160 5.8 ECDSAComparison ................................ 161 5.9 Conclusions..................................... 163 6 Conclusions 164 6.1 ContributionsofthisThesis. ...... 164 6.2 FutureResearchDirections . ..... 167 A Appendix - Elliptic Curve Cryptography 170 A.1 Double-and-AddAlgorithms . .... 170 A.2 EdwardsCurves................................... 173 A.3 Co-ZAlgorithms .................................. 175 A.4 Point Doubling Formulæ with Update in Homogeneous Coordinates.. 178 A.5 FullCoordinateRecovery. .... 180 A.6 PointDoublingandTriplingwithCo-ZUpdate . ........ 181 V A.7 FullPower,EnergyandTimingResults . ...... 182 B Appendix - Hash Functions 185 B.1 RoundTwoHashFunctionImplementationResults . ......... 185 B.2 RoundTwoHashFunctionResults . .... 187 B.3 RoundThreeFPGAPowerandTimingResults . ..... 193 VI List of Figures 1.1 Cost-Performance-Security Tradeoff . ......... 2 1.2 Hierarchical Model for Elliptic Curve Based Cryptography............ 4 2.1 PointOperationsonanEllipticCurve . ....... 18 2.2 MicroblazeProcessor. ... 32 2.3 SaseboGII ..................................... 34 2.4 MicroblazeDesignonXUPV5 . .. 35 2.5 SPAanalysisusingFPGA. .. 37 3.1 EllipticCurveProcessor . .... 53 3.2 ModularAdder-Subtracter . .... 54 3.3 ModularMultiplier ............................... .. 56 3.4 ClockCountforDedicatedDoublingandAddition . ......... 63 3.5 PowerWrapper ................................... 66 3.6 AveragePowerDissipation . .... 68 3.7 Area-TimeProduct ................................ 70 3.8 Area-EnergyProduct .. ........... ........... ...... .. 71 3.9 EstimatedDynamicVersusMeasuredResults . ........ 72 3.10 ClockCountforSPA Secure DoublingandAddition . ......... 84 3.11 AverageDynamicPower . .. 86 3.12 SPAResistantArea-TimeProduct . ...... 87 3.13 SPAResistantArea-EnergyProduct . ....... 87 VII 3.14 SPA Reistant Estimated Versus Measured Results . ........... 88 3.15 Area-Time Product: 192, 256 & 521 ........................ 90 4.1 GenericHashFunctionInternals . ...... 93 4.2 CubehashCompressionFunction. ..... 99 4.3 Shabal........................................ 100 4.4 BlakeArchitecture ............................... 103 4.5 GrøstlP/QPermutation . ... 104 4.6 JHArchitecture .................................. 105 4.7 Keccak f(1600) Architecture ............................ 107 4.8 SkeinArchitecture ............................... 108 4.9 HashWrapper.................................... 109 4.10PaddingBlock................................... 114 4.11 256-bitWrapperThroughput-Area . ....... 118 4.12 AveragePowerDissipationat25MHz . ...... 122 4.13 Area-EnergyProduct . ... 123 5.1 SecurityintheTCP/IPstack . .... 133 5.2 DigitalSignatureProcess . ..... 136 5.3 EllipticCurveDigitalSignatureAlgorithm. ........... 137 5.4 FortunaGenerator................................ 143 5.5 FortunaFlowDiagram . ........... ........... ....... 145 5.6 CryptographicProcessorusingMicroblaze . .......... 148 5.7 TimingDiagramforMicroblazeI/O . ..... 149 5.8 MicroblazewithHardwareMultiplier . ....... 156 5.9 MicroblazeSignaturePlatform . ...... 159 B.1 256-bitLong32-bitBusPaddingHardware . ....... 187 B.2 256-bitShort32-bitBusPaddingHardware . ........ 187 VIII B.3 512-bitLong32-bitBusPaddingHardware . ....... 188 B.4 512-bitShort32-bitBusPaddingHardware . ........ 188 B.5 256-bitLong32-bitBusPaddingSoftware
Load more

Recommended publications
  • Hello, and Welcome to This Presentation of the STM32MP1 Hash Processor
    Hello, and welcome to this presentation of the STM32MP1 hash processor. 1 Hash peripheral is in charge of efficient computing of message digest. A digest is a fixed-length value computed from an input message. A digest is unique - it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Code (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. 2 HASH1 is a secure peripheral (under ETZPC control through ETZPC_DECPROT0 bit 8) while HASH2 is a non secure peripheral. HASH1 instance can be allocated to: • The Arm® Cortex®-A7 secure core to be controlled in OP-TEE by the HASH OP-TEE driver or • The Arm® Cortex® -A7 non-secure core for using in Linux® with Linux Crypto framework HASH2 instance can be allocated to the Arm® Cortex®-M4 core to be controlled in the STM32Cube MPU Package using the STM32Cube HASH driver. HASH1 instance is used as boot device to support binary authentication. 3 The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. A hash can also be generated with a secrete-key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It supports also automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding.
    [Show full text]
  • Características Y Aplicaciones De Las Funciones Resumen Criptográficas En La Gestión De Contraseñas
    Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas Alicia Lorena Andrade Bazurto Instituto Universitario de Investigación en Informática Escuela Politécnica Superior Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas ALICIA LORENA ANDRADE BAZURTO Tesis presentada para aspirar al grado de DOCTORA POR LA UNIVERSIDAD DE ALICANTE DOCTORADO EN INFORMÁTICA Dirigida por: Dr. Rafael I. Álvarez Sánchez Alicante, julio 2019 Índice Índice de tablas .................................................................................................................. vii Índice de figuras ................................................................................................................. ix Agradecimiento .................................................................................................................. xi Resumen .......................................................................................................................... xiii Resum ............................................................................................................................... xv Abstract ........................................................................................................................... xvii 1 Introducción .................................................................................................................. 1 1.1 Objetivos ...............................................................................................................4
    [Show full text]
  • Recommendation for Applications Using Approved Hash Algorithms
    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-107 Title: Recommendation for Applications Using Approved Hash Algorithms Publication Date(s): February 2009 Withdrawal Date: August 2012 Withdrawal Note: SP 800-107 is superseded in its entirety by the publication of SP 800-107 Revision 1 (August 2012). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-107 Revision 1 Title: Recommendation for Applications Using Approved Hash Algorithms Author(s): Quynh Dang Publication Date(s): August 2012 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.107r1 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-107 Rev. 1 (as of August 12, 2015) attached publication: Related information: http://csrc.nist.gov/ Withdrawal N/A announcement (link): Date updated: ƵŐƵƐƚϭϮ, 2015 NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department of Commerce Otto J. Wolff, Acting Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NIST SP 800-107 Abstract Cryptographic hash functions that compute a fixed- length message digest from arbitrary length messages are widely used for many purposes in information security. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3.
    [Show full text]
  • Rebound Attack
    Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based
    [Show full text]
  • The Hitchhiker's Guide to the SHA-3 Competition
    History First Second Third The Hitchhiker’s Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department 20 June, 2012 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 1/ 33 History First Second Third Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 2/ 33 History First Second Third History Sad Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 3/ 33 History First Second Third History Sad A(n Extremely) Short History of Hash Functions 1976 Diffie and Hellman suggest to use hash functions to make digital signatures shorter. 1979 Salted passwords for UNIX (Morris and Thompson). 1983/4 Davies/Meyer introduce Davies-Meyer. 1986 Fiat and Shamir use random oracles. 1989 Merkle and Damg˚ard present the Merkle-Damg˚ard hash function.
    [Show full text]
  • Tocubehash, Grøstl, Lane, Toshabal and Spectral Hash
    FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, Lane, Shabal and Spectral Hash Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan and William P. Marnane Claude Shannon Institute for Discrete Mathematics, Coding and Cryptography & Department of Electrical & Electronic Engineering, University College Cork, Ireland. Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest Overview of the Hash Function Architectures UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest Overview of the Hash Function Architectures Hash Function Implementations CubeHash Grøstl Lane Shabal Spectral Hash UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function
    [Show full text]
  • An Efficient Hardware Architecture for Spectral Hash Algorithm
    An Efficient Hardware Architecture for Spectral Hash Algorithm Ray C.C. Cheung C¸etin Kaya Koc¸ Department of Electrical Engineering University of California Santa Barbara & University of California Los Angeles City University of Istanbul [email protected] [email protected] John D. Villasenor Department of Electrical Engineering University of California Los Angeles [email protected] Abstract “frequency domain techniques”) have recently been used in certain special applications in cryptography, including in The Spectral Hash algorithm is one of the Round 1 can- hash function computation [2, 3], modular arithmetic for the didates for the SHA-3 family, and is based on spectral arith- RSA cryptosystem [4], and finite field arithmetic for elliptic metic over a finite field, involving multidimensional dis- curve cryptography [5, 6, 7]. crete Fourier transformations over a finite field, data de- Cryptographic applications require exact arithmetic and pendent permutations, Rubic-type rotations, and affine and the underlying mathematical structures (groups, rings, and nonlinear functions. The underlying mathematical struc- fields) have finitely many elements. Typically, the finite tures and operations pose interesting and challenging tasks ring of integers modulo n, the finite field of p (where p is for computer architects and hardware designers to create a prime) or 2k elements are used, respectively represented k fast, efficient, and compact ASIC and FPGA realizations. as Zn, GF(p) and GF(2 ). Furthermore, in cryptographic In this paper, we present an efficient hardware architec- applications, the DFT computations are performed in a fi- ture for the full 512-bit hash computation using the spectral nite ring or finite field; this differs from many applications hash algorithm.
    [Show full text]
  • NISTIR 7620 Status Report on the First Round of the SHA-3
    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
    [Show full text]
  • Kriptografske Tehničke Sigurnosne Mjere
    Sigurnost računalnih sustava Computer Systems Security Kriptografske tehničke sigurnosne mjere Marin Golub Sadržaj • Uvod: Jesu li i koliko su kriptoalgoritmi sigurni? • Napadi na simetrične i asimetrične kriptosustave • Asimetrični kriptosustavi – Kriptosustavi zasnovani na eliptičkim krivuljama • Funkcije za izračunavanje sažetka poruke – Napadi na funkcije za izračunavanje sažetka poruke – Elektronički vs. digitalni potpis – SHA-2 i SHA-3 • Kvantna kriptografija • Natječaji za nove kriptografske algoritme koji su u tijeku – Kriptografija prilagođena ugrađenim računalima (Lightweight Cryptography ) – Asimetrična kriptografija nakon kvantnih računala (Post-Quantum Cryptography ) SRS-Crypto-2/79 Osnovni pojmovi Kriptologija = kriptografija + kriptoanaliza Kriptografija • znanstvena disciplina (ili umjetnost?) sastavljanja poruka sa ciljem skrivanja sadržaja poruka Kriptoanaliza • znanstvena disciplina koja se bavi analizom skrivenih aspekata sustava i koristi se kako bi se ispitala (ili narušila) sigurnost kriptografskog sustava SRS-Crypto-3/79 Jesu li i koliko su kriptoalgoritmi sigurni? • Postoje specijalizirana računala za napad grubom silom na DES kriptosustav: COPACOBANA (A Cost-Optimized PArallel COde Breaker) • 12.12.2009. faktoriziran RSA-768 • na kvantnom računalu je riješen problem faktoriziranja velikih brojeva i problem diskretnog logaritma • 17.8.2004. - kineski i francuski znanstvenici su objavili članak pod naslovom: "Kolizija za hash funkcije: MD4, MD5, Haval-128 i RIPEMD" • 13.2.2005. - kineski znanstvenici: "Collision
    [Show full text]
  • Finding Bugs in Cryptographic Hash Function Implementations Nicky Mouha, Mohammad S Raunak, D
    1 Finding Bugs in Cryptographic Hash Function Implementations Nicky Mouha, Mohammad S Raunak, D. Richard Kuhn, and Raghu Kacker Abstract—Cryptographic hash functions are security-critical on the SHA-2 family, these hash functions are in the same algorithms with many practical applications, notably in digital general family, and could potentially be attacked with similar signatures. Developing an approach to test them can be par- techniques. ticularly diffcult, and bugs can remain unnoticed for many years. We revisit the NIST hash function competition, which was In 2007, the National Institute of Standards and Technology used to develop the SHA-3 standard, and apply a new testing (NIST) released a Call for Submissions [4] to develop the new strategy to all available reference implementations. Motivated SHA-3 standard through a public competition. The intention by the cryptographic properties that a hash function should was to specify an unclassifed, publicly disclosed algorithm, to satisfy, we develop four tests. The Bit-Contribution Test checks be available worldwide without royalties or other intellectual if changes in the message affect the hash value, and the Bit- Exclusion Test checks that changes beyond the last message bit property restrictions. To allow the direct substitution of the leave the hash value unchanged. We develop the Update Test SHA-2 family of algorithms, the SHA-3 submissions were to verify that messages are processed correctly in chunks, and required to provide the same four message digest lengths. then use combinatorial testing methods to reduce the test set size Chosen through a rigorous open process that spanned eight by several orders of magnitude while retaining the same fault- years, SHA-3 became the frst hash function standard that detection capability.
    [Show full text]
  • Grøstl – a SHA-3 Candidate
    Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl – a SHA-3 candidate Krystian Matusiewicz Wroclaw University of Technology CECC 2010, June 12, 2010 Krystian Matusiewicz Grøstl – a SHA-3 candidate 1 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Talk outline ◮ Cryptographic hash functions ◮ NIST SHA-3 Competition ◮ Grøstl Krystian Matusiewicz Grøstl – a SHA-3 candidate 2 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptographic hash functions Krystian Matusiewicz Grøstl – a SHA-3 candidate 3 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptographic hash functions: why? ◮ We want to have a short, fixed length “fingerprint” of any piece of data ◮ Different fingerprints – certainly different data ◮ Identical fingerprints – most likely the same data ◮ No one can get any information about the data from the fingerprint Krystian Matusiewicz Grøstl – a SHA-3 candidate 4 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage:
    [Show full text]
  • Secure Hash Algorithms
    Keywords: secure hash, 1-wire, i2c, iButton, parasitic power, security, sha1, sha2, sha3, sha256, sha3-256, authentication, intellectual property protection, puf, physically unclonable function, chipdna, eeprom, cloning, counterfeit, medical disposables APPLICATION NOTE 7015 BACK TO BASICS: SECURE HASH ALGORITHMS Abstract: This application note goes over the basics of Secure Hash Algorithms (SHA) and discusses the variants of the algorithm. It then briefly touches on how the algorithm is used for authentication, including the concept of a Hashed Message Authentication Code (HMAC). It concludes by looking at some of the Maxim secure authenticators that can be used to very easily deploy SHA algorithms for security applications. Introduction In this application note, we will discuss the Secure Hash Algorithms (SHA) that are widely used in symmetric key cryptography. The basic idea behind a SHA function is to take data of variable size and condense it into a fixed-size bit string output. This concept is called hashing. The SHA functions are a family of hashing algorithms that have been developed over time through oversight by the National Institute of Standards and Technology (NIST). The latest of these is the SHA-3 function. Maxim has a family of secure authenticator products that provide both SHA-2 and SHA-3 functions. Figure 1 shows the basic concept of secure hash generation. Figure 1. Secure hash generation, basic concept. SHA Characteristics The SHA functions have the following characteristics: They have variable input length and fixed output length. They are one-way functions. Figure 1 shows that it is infeasible to use the resultant hash value to regenerate the input text other than trying each possible input text.
    [Show full text]