Lightweight Crypto: An Overview (Bart Preneel, Finse, Norway, April 2010)


Lightweight Crypto, Finse, Norway – April 2010, Bart Preneel

Slide 1: Lightweight Crypto – An Overview
Bart Preneel, COSIC, K.U.Leuven, Belgium
Bart.Preneel(at)esat.kuleuven.be
http://homes.esat.kuleuven.be/~preneel
http://www.ecrypt.eu.org
April 2010

Slide 2: Information processing
[Figure: growth in the number of information-processing devices]
• mechanical (10^4)
• mainframe (10^5)
• PCs and LANs (10^7)
• Internet and mobile (10^9)
• the Internet of things, ubiquitous computing, pervasive computing, ambient intelligence (10^12)

Slide 3: Information processing (timeline from the 1970s; items as they appear on the slide)
• Limited (govt + financial sector) → Everything is always connected everywhere
• HARDWARE → SOFTWARE → EVERYWHERE
• DES; DES, 3DES; GSM, PGP; SSL/TLS, IPsec, SSH, S/MIME; WLAN; 3GPP, RFID, sensor nodes …
• C libraries (RSA, DH); Java crypto libraries
• Continuum between software and hardware: ASIC (microcode) – FPGA – fully programmable processor

Slide 4: Research ↔ Practice (timeline from the 1970s; items as they appear on the slide)
• DES, RSA, DH, CBC-MAC
• Provable security (PKC)
• ZK, ElGamal, ECC, stream ciphers
• Quantum crypto
• MD4, MD5
• Provable security (SKC)
• Key escrow
• Quantum cryptanalysis
• How to use RSA? Alternatives to RSA
• PKI
• AES
• Trusted computing, DRM
• ID-Based Crypto

Slide 5: Implementations in embedded systems (slide credit: Prof. Ingrid Verbauwhede)
• Protocol: wireless authentication protocol, SIM design (confidentiality, integrity, identification)
• Algorithm: embedded fingerprint matching algorithms, crypto algorithms (cipher design, biometrics)
• Architecture: co-design, HW/SW, SOC (Java, JCA, JVM/KVM; CPU, crypto co-processor, MEM)
• Micro-architecture: co-processor design
• Circuit: circuit techniques to combat side channel analysis attacks
• Technology aware solutions?

Slide 6: Lightweight crypto design
• Overall protocol crucial
• Security architecture: SK-PK, central-distributed
• Relative cost of computation/communication/storage
• Architectural decisions
  – area
  – clock frequency
  – power consumption and energy
• Flexibility can be sacrificed
• Side channel attacks

Slide 7: Challenges for crypto
• security for 50-100 years
• authenticated encryption of Terabit/s networks
• ultra-low power/footprint
[Figure: triangle of performance, cost and security, with secure software and hardware implementations and algorithm agility in between]

Slide 8: Outline
• Context
• Block ciphers
• Stream ciphers
• Hash functions
• MAC algorithms
• Public-key cryptography
• Secure implementations
• RFID protocols

Slide 9: Block cipher
[Figure: P1, P2, P3 each go through the block cipher to give C1, C2, C3]
• larger data units: 64…128 bits
• memoryless
• repeat simple operation (round) many times

Slide 10: Block ciphers (key length in bits in parentheses)
• 64-bit block: 3-DES (112-168), IDEA (128), MISTY1 (128), KASUMI (128 in 3G, 64 in 2G), HIGHT (128), PRESENT (80-128), TEA (128), mCRYPTON (128), KATAN (80)
• 128-bit block: AES (128-192-256), CAMELLIA, RC6, CLEFIA
• Symmetric key lengths (scale 0, 50, 80, 128 bits; insecure? → secure):
  – 56 bits: 4 seconds with M$ 5
  – 80 bits: 2 years with M$ 5
  – 128 bits: 256 billion years with B$ 5

Slide 11: 3-DES: NIST Spec. Pub. 800-67 (May 2004)
[Figure: clear text → DES (key 1) → DES^-1 (key 2) → DES (key 3) → ciphertext]
• single DES abandoned (56 bit)
• double DES not good enough (72 bit)
• 2-key triple DES: until 2009 (80 bit)
• 3-key triple DES: until 2030 (100 bit)
• extremely vulnerable to a related key attack

Slide 12: AES (2001)
• FIPS 197 published on December 2001 after 4-year open competition
  – other standards: ISO, IETF, IEEE 802.11, …
• fast adoption in the market
  – except for financial sector
  – NIST validation list: 1267 implementations
  • http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
• 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information!
• security:
  – algebraic attacks of [Courtois+02] not effective
  – side channel attacks: cache attacks on unprotected implementations [Shamir '07]
• AES may well be the last block cipher

Slide 13: AES variants (2001)
• AES-128: 10 rounds, key (128), sensitive
• AES-192: 12 rounds, key (192), classified
• AES-256: 14 rounds, key (256), secret and top secret
• Light weight key schedule, in particular for the 256-bit version

Slide 14: AES implementations: efficient/compact
• HW: 43 Gbit/s in 130 nm CMOS ['05]
• Intel: new AES instruction: 0.75 cycles/byte ['09-'10]
• SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s bitsliced [Käsper-Schwabe'09]
• HW: most compact: 3600 gates
  – PRESENT: 1029, KATAN: 1054, CLEFIA: 4950

Slide 15: AES-256 security
• Exhaustive key search on AES-256 takes 2^256 encryptions
  – 2^64: 10 minutes with $ 5M
  – 2^80: 2 years with $ 5M
  – 2^120: 1 billion years with $ 5B
• [Biryukov-Khovratovich'09] related key attack on AES-256
  – requires 2^119 encryptions with 4 related keys
  – data & time complexity 2^119 << 2^256
• Why does it work? Very lightweight key schedule
• Is AES-256 broken? No, only an academic "weakness" that is easy to fix
• No implications on security of AES-128 for encryption
• Do not use AES-256 in a hash function construction

Slide 16: What is a related key attack?
[Figure: plaintext1 encrypted under Key (256) and plaintext2 encrypted under Key (256) ⊕ C give ciphertext1 and ciphertext2]
• Attacker chooses plaintexts and key difference C
• Attacker gets ciphertexts
• Task: find the key

Slide 17: AES-256 [Biryukov-Khovratovich'09] [Biryukov-Dunkelman-Keller-Khovratovich-Shamir'09]
• Related key attack: 4 keys, data & time complexity 2^119 << 2^256
[Figure: plaintext → rounds with Key (256) and key schedule → ciphertext]

Slide 18: Should I worry about a related key attack? (slide credit: Orr Dunkelman)
• Very hard in practice (except some old US banking schemes)
• If you are vulnerable to a related key attack, you are making very bad implementation mistakes
• This is a very powerful attack model: if an opponent can zeroize (= AND 0) 224 key bits of his choice (rather than ⊕ C) he can find the key in a few seconds for any cipher with a 256-bit key
• If you are worried, hashing the key is an easy fix

Slide 19: Keeloq [Smit+/-'85] aka the M$10 cipher
• block length: 32
• key length: 64
• rounds: 528

Slide 20: KATAN/KTANTAN [De Cannière-Dunkelman-Knežević'09], http://www.cs.technion.ac.il/~orrd/KATAN/
• block length: 32, 48, 64
• key length: 64
• rounds: 254

Slide 21: Low cost hardware [Bogdanov+08, Sugawara+08]
[Figure: throughput/area (bps/GE) at 100 KHz for PRES-80, mCRYPTON-96, HIGHT, 3-DES, AES-128, TEA, KATAN, CLEFIA, MISTY1, PRES-128]

Slide 22: Low cost hw: throughput versus area
[Figure: throughput (Kbps) at a 100 KHz clock versus gate equivalents (0 to 6000); technology in 10 nm in parentheses: mCRYPTON-96 (13), CLEFIA (9), PRESENT-128 (18), HIGHT (25), TEA (18), TDEA (9), KATAN (18), MISTY1 (18), PRESENT-80 (18), AES (35), AES (13)]
• Warning: this is not a "fair" comparison
  – Technologies range from 90nm-350nm
  – Power consumption could be a real problem

Slide 23: Block ciphers: conclusions
• Several mature block ciphers available
• Security well understood
  – in particular against statistical attacks (differential, linear) and structural attacks
• More work:
  – algebraic attacks
  – related key attacks
  – understanding of structural tradeoffs
• What are the limitations for lightweight block ciphers?

Slide 24: Stream ciphers
• historically very important (compact)
  – LFSR-based: A5/1, E0 – practical attacks known
  – software-oriented: RC4 – serious weaknesses
  – block cipher in CTR or OFB (slower)
• today:
  – many broken schemes
  – lack of standards and open solutions
  – standards: SNOW2.0, SNOW3G, MUGI, Rabbit, DECIM, K2, ..

Slide 25: Moore's Law: computation/storage 2000-2020
[Figure: log-scale plot (1 to 1000000) over 2000-2016 of storage in Gigabyte/s, Ethernet speed in Gbps and microprocessor performance in Gflops/s]

Slide 26: Open competition for stream ciphers, http://www.ecrypt.eu.org
• run by ECRYPT
  – high performance in software (32/64-bit): 128-bit key
  – low-gate count hardware (< 1000 gates): 80-bit key
  – variants: authenticated encryption
• 29 April 2005: 33 submissions
• Many broken in first year
• End of competition: April 2008

Slide 27: Trivium
[Figure: the Trivium state-update circuit]

Slide 28: The eSTREAM Portfolio Apr. 2008 (Rev1 Sept. 2008), in alphabetical order
• Software (3-10 cycles per byte): HC-128, Rabbit, Salsa20/12, Sosemanuk
• Hardware (1500..3000 gates): F-FCSR-H, Grain v1, MICKEY v2, Trivium

Slide 29: Performance reference data (Pentium M 1.70GHz Model 6/9/5)
[Figure: encryption speed (cycles/byte, 0 to 120) and key setup (cycles, 0 to 35000) for RC4, HC-128, DES, 3-DES, AES]

Slide 30: Cube attack [Dinur-Shamir'08]
• Exploits low degree equations in stream cipher
• Can break certain ciphers which could not be broken before
• …Media hype and controversy
  – Relation to higher order attacks (Lai) and AIDA (algebraic IV differential attack) (Vielhaber)
• Trivium:
  – key setup can be broken if number of rounds is reduced from 1024 to 793 (Aida) or 767 (cube)
  – attack can probably be further improved
  – solution: increase number of rounds to 2048

Slide 31: Low cost hw: throughput versus area
[Figure: throughput (Kbps, 0 to 900) at a 100 KHz clock versus gate equivalents (0 to 6000); technology in 10 nm in parentheses: GRAIN[8] (13), Trivium[8] (13), Enocoro-80[8] (18), mCRYPTON-96 (13), CLEFIA (9), PRESENT-128 (18), HIGHT (25), TDEA (9), KATAN (18), TEA (18), AES (35), AES (13), MISTY1 (18), PRESENT-80 (18)]

Slide 32: Stream ciphers: conclusions
• Substantial progress made in last 5 years
  – concrete designs
  – data-time-memory tradeoffs
• 80-bit security implies 160-bit memory (seems to be a lower bound)
• Many designs still "at the edge" (quite risky)
• Expect further progress

Slide 33: Hash functions
• MDC (manipulation detection code)
• Protect short hash value rather than long text
• collision resistance
• preimage resistance
• 2nd preimage resistance
[Figure: "This is an input to a cryptographic hash function." mapped to a short hash value]

Slide 34: The complexity of collision attacks
• Brute force: 4 million PCs or US$ 100K hardware (1 year)
[Figure: collision attack complexity in bits (50 to 90) over time for MD4, MD5, SHA-0 …]
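Trivium, the eSTREAM hardware-portfolio cipher listed on slide 28, and the reduced-round key setup that the cube-attack slide discusses, as an added example that is not part of the slides: a bit-level Python model of the cipher with the number of initialization rounds as a parameter (the full design clocks 4×288 = 1152 rounds before emitting keystream). The LSB-first loading of key and IV bits and the sample key/IV/message are assumptions of this model, not values from the slides.

```python
# Added example: bit-level reference model of the Trivium stream cipher.
# Key and IV are 80 bits each; the 288-bit state is split into three shift
# registers of 93, 84 and 111 bits (s1..s93, s94..s177, s178..s288 in the
# designers' numbering). Bits are loaded LSB-first within each byte, which is
# an assumption of this model, not something the slides specify.

def _bits(data, n):
    """Unpack bytes into a list of n bits, least significant bit of each byte first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)][:n]


class Trivium:
    FULL_INIT_ROUNDS = 4 * 288  # 1152 warm-up clocks in the specified design

    def __init__(self, key, iv, init_rounds=FULL_INIT_ROUNDS):
        if len(key) != 10 or len(iv) != 10:
            raise ValueError("Trivium uses an 80-bit key and an 80-bit IV")
        # Index 0 of each list is s1 / s94 / s178 respectively.
        self.a = _bits(key, 80) + [0] * 13   # s1..s93   <- (K1..K80, 0, ..., 0)
        self.b = _bits(iv, 80) + [0] * 4     # s94..s177 <- (IV1..IV80, 0, ..., 0)
        self.c = [0] * 108 + [1, 1, 1]       # s178..s288 <- (0, ..., 0, 1, 1, 1)
        # Key/IV setup: clock the state without producing output. A smaller
        # count here is exactly the "reduced rounds" setting of the cube-attack slide.
        for _ in range(init_rounds):
            self._clock()

    def _clock(self):
        a, b, c = self.a, self.b, self.c
        # Linear taps: t1 = s66 + s93, t2 = s162 + s177, t3 = s243 + s288
        t1 = a[65] ^ a[92]
        t2 = b[68] ^ b[83]
        t3 = c[65] ^ c[110]
        z = t1 ^ t2 ^ t3                      # keystream bit
        # Non-linear feedback: one AND gate per register plus a cross-register tap
        t1 ^= (a[90] & a[91]) ^ b[77]         # + s91*s92 + s171
        t2 ^= (b[81] & b[82]) ^ c[86]         # + s175*s176 + s264
        t3 ^= (c[108] & c[109]) ^ a[68]       # + s286*s287 + s69
        # Shift each register by one and insert the new bit at the front:
        # (s1..s93) <- (t3, s1..s92), (s94..s177) <- (t1, ...), (s178..s288) <- (t2, ...)
        a.insert(0, t3); a.pop()
        b.insert(0, t1); b.pop()
        c.insert(0, t2); c.pop()
        return z

    def keystream(self, nbytes):
        """Return nbytes of keystream, packing bits LSB-first to match the loading convention."""
        out = bytearray()
        for _ in range(nbytes):
            byte = 0
            for i in range(8):
                byte |= self._clock() << i
            out.append(byte)
        return bytes(out)

    def process(self, data):
        """Encrypt or decrypt: for a stream cipher both are an XOR with the keystream."""
        return bytes(x ^ k for x, k in zip(data, self.keystream(len(data))))


def roundtrip_ok(key, iv, msg, init_rounds=Trivium.FULL_INIT_ROUNDS):
    """Decrypting the ciphertext under the same key/IV must give the message back."""
    ct = Trivium(key, iv, init_rounds).process(msg)
    return Trivium(key, iv, init_rounds).process(ct) == msg


def keystream_hex(key, iv, nbytes, init_rounds=Trivium.FULL_INIT_ROUNDS):
    """Keystream prefix as hex; useful to compare full and reduced-round setups."""
    return Trivium(key, iv, init_rounds).keystream(nbytes).hex()


# Constructed sample values (not test vectors from any specification).
SAMPLE_KEY = bytes(range(1, 11))
SAMPLE_IV = bytes(range(11, 21))

if __name__ == "__main__":
    print("full setup   :", keystream_hex(SAMPLE_KEY, SAMPLE_IV, 16))
    print("767 rounds   :", keystream_hex(SAMPLE_KEY, SAMPLE_IV, 16, init_rounds=767))
    print("roundtrip ok :", roundtrip_ok(SAMPLE_KEY, SAMPLE_IV, b"Finse, Norway - April 2010"))
```

The keystream depends on every one of the 1152 warm-up clocks, so the reduced-round output differs from the full-round output even though key and IV are the same; the initialization count is the security margin the cube-attack slide is about.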