DOCSLIB.ORG

Security of Authenticated Encryption Modes

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security of Authenticated Encryption Modes Security of Authenticated Encryption Modes Bart Mennink Radboud University (The Netherlands) COST Training School on Symmetric Cryptography and Blockchain February 22, 2018 1 / 57 −−−−−! −−−−− Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data Authenticated Encryption A −−−−−−−−−−−−−−−−−−−−−−−−−−−−! B 2 / 57 Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data Authenticated Encryption A −−−−−−−−−−−−−−−−−−−−−−−−−−−−!−−−−−! −−−−− B 2 / 57 Authentication • No outsider can manipulate data Authenticated Encryption A −−−−−−−−−−−−−−−−−−−−−−−−−−−−!−−−−−! −−−−− B Encryption • No outsider can learn anything about data 2 / 57 Authenticated Encryption A −−−−−−−−−−−−−−−−−−−−−−−−−−−−!−−−−−! −−−−− B Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data 2 / 57 CAESAR Competition 3 / 57 CAESAR Competition Competition for Authenticated Encryption: Security, Applicability, and Robustness Goal: portfolio of authenticated encryption schemes Mar 15, 2014: 57 rst round candidates Jul 7, 2015: 29.5 second round candidates Aug 15, 2016: 16 third round candidates ??: announcement of nalists ??: announcement of nal portfolio 4 / 57 • Nonce N randomizes the scheme Authenticated Encryption 4 AE k A, M AE C, T N • Ciphertext C encryption of message M • Tag T authenticates associated data A and message M 5 / 57 Authenticated Encryption 4 AE k A, M AE C, T N • Ciphertext C encryption of message M • Tag T authenticates associated data A and message M • Nonce N randomizes the scheme 5 / 57 • Correctness: ADk(N; A; AE k(N; A; M)) = M PSfrag replacements m t c E k E t Authenticated Decryption A, M5 AD Ne C, T AE k k M if T correct A, C, T AD otherwise (⊥ N • Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect 6 / 57 • Correctness: ADk(N; A; AE k(N; A; M)) = M PSfrag replacements m t c E k E t A, M Ne C, T AE k A, C, T N Authenticated Decryption M if T correct 6 AD2 otherwise (⊥ AD k k M if T correct A, C, T AD otherwise (⊥ N • Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect 6 / 57 PSfrag replacements m t c E k E t A, M Ne C, T AE k A, C, T N Authenticated Decryption M if T correct 6 AD2 otherwise (⊥ AD k k M if T correct A, C, T AD otherwise (⊥ N • Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect • Correctness: ADk(N; A; AE k(N; A; M)) = M 6 / 57 • Distinguisher D has query access to one of these ! unique nonce for each encryption query • D tries to determine which oracle it communicates with h i ae AE k;ADk $;? AdvAE (D) = Pr D = 1 − Pr D = 1 Authenticated Encryption Security 6 indistsimpleAE AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥ distinguisher D • Two oracles: (AE k; ADk) (for secret key k) and ($; ?) 7 / 57 • D tries to determine which oracle it communicates with h i ae AE k;ADk $;? AdvAE (D) = Pr D = 1 − Pr D = 1 Authenticated Encryption Security 6 indistsimpleAE AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥ distinguisher D • Two oracles: (AE k; ADk) (for secret key k) and ($; ?) • Distinguisher D has query access to one of these ! unique nonce for each encryption query 7 / 57 h i ae AE k;ADk $;? AdvAE (D) = Pr D = 1 − Pr D = 1 Authenticated Encryption Security 6 indistsimpleAE AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥ distinguisher D • Two oracles: (AE k; ADk) (for secret key k) and ($; ?) • Distinguisher D has query access to one of these ! unique nonce for each encryption query • D tries to determine which oracle it communicates with 7 / 57 Authenticated Encryption Security 6 indistsimpleAE AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥ distinguisher D • Two oracles: (AE k; ADk) (for secret key k) and ($; ?) • Distinguisher D has query access to one of these ! unique nonce for each encryption query • D tries to determine which oracle it communicates with h i ae AE k;ADk $;? AdvAE (D) = Pr D = 1 − Pr D = 1 7 / 57 100% Security is Impractical 8 / 57 Outline Generic Composition Link With Tweakable Blockciphers Tweakable Blockciphers Based on Masking Nonce-Reuse Conclusion 9 / 57 Outline Generic Composition Link With Tweakable Blockciphers Tweakable Blockciphers Based on Masking Nonce-Reuse Conclusion 10 / 57 • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack • Bellare and Namprempre (2000): 3 basic approaches 1 E&M MtE EtM m m m PSfrag replacements Enck MACl MACl Enck Enck MACl c t t c c t • Used in SSH • Used in TLS • Used in IPSec Generic Composition • Generic constructions for AE: • Enc + MAC = AE 11 / 57 1 m m m PSfrag replacements Enck MACl MACl Enck Enck MACl c t t c c t • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack Generic Composition • Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches E&M MtE EtM • Used in SSH • Used in TLS • Used in IPSec 11 / 57 1 m m m PSfrag replacements Enck MACl MACl Enck Enck MACl c t t c c t • Mildly insecure • Most secure variant • Padding oracle • Ciphertext integrity attack Generic Composition • Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches E&M MtE EtM • Used in SSH • Used in TLS • Used in IPSec • Generically insecure • MACL(m) = mkt 11 / 57 1 m m m PSfrag replacements Enck MACl MACl Enck Enck MACl c t t c c t • Most secure variant • Ciphertext integrity Generic Composition • Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches E&M MtE EtM • Used in SSH • Used in TLS • Used in IPSec • Generically insecure • Mildly insecure MAC • L(m) = mkt • Padding oracle attack 11 / 57 1 m m m PSfrag replacements Enck MACl MACl Enck Enck MACl c t t c c t Generic Composition • Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches E&M MtE EtM • Used in SSH • Used in TLS • Used in IPSec • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack 11 / 57 • Parallelizable • Evaluates E only (no E−1) • Provably secure (if E is PRP) • Very ecient in HW • Reasonably ecient in SW What happens if nonce is re-used? GCM for 96-bit nonce N 1 GCM • McGrew and Viega (2004) N 1 N 2 N 3 N (m + 1) k k k k • EtM design • Widely used (TLS!) EK EK EK EK • Patent-free M1 M2 Mm ENC C1 C2 Cm A GHASHL MAC T 12 / 57 What happens if nonce is re-used? GCM for 96-bit nonce N 1 GCM • McGrew and Viega (2004) N 1 N 2 N 3 N (m + 1) k k k k • EtM design • Widely used (TLS!) EK EK EK EK • Patent-free M1 M2 Mm ENC • Parallelizable C1 C2 Cm • Evaluates E only (no E−1) Provably secure A GHASHL • (if E is PRP) MAC • Very ecient in HW T • Reasonably ecient in SW 12 / 57 GCM for 96-bit nonce N 1 GCM • McGrew and Viega (2004) N 1 N 2 N 3 N (m + 1) k k k k • EtM design • Widely used (TLS!) EK EK EK EK • Patent-free M1 M2 Mm ENC • Parallelizable C1 C2 Cm • Evaluates E only (no E−1) Provably secure A GHASHL • (if E is PRP) MAC • Very ecient in HW T • Reasonably ecient in SW What happens if nonce is re-used? 12 / 57 • Inherits GCM features • Secure against nonce-reuse • Proof: Iwata and Seurin (2017) GCM-SIV 1 GCMSIV N T +0 T +1 T +(m 1) PSfrag replacements − • Gueron and Lindell (2015) Ek KeyGen EK EK EK • MtE design C1 C2 Cm ENC • Ongoing standardization (K, L) KEY (IETF RFC) M1 M2 Mm • Patent-free A GHASHL N EK MAC T 13 / 57 GCM-SIV 1 GCMSIV N T +0 T +1 T +(m 1) PSfrag replacements − • Gueron and Lindell (2015) Ek KeyGen EK EK EK • MtE design C1 C2 Cm ENC • Ongoing standardization (K, L) KEY (IETF RFC) M1 M2 Mm • Patent-free A GHASHL • Inherits GCM features N • Secure against nonce-reuse • Proof: Iwata and Seurin EK MAC (2017) T 13 / 57 Outline Generic Composition Link With Tweakable Blockciphers Tweakable Blockciphers Based on Masking Nonce-Reuse Conclusion 14 / 57 • Tweak: exibility to the cipher • Each tweak gives dierent permutation Tweakable Blockciphers 1 cipher k m E c 15 / 57 Tweakable Blockciphers 2 ciphertweakable k m E c t e • Tweak: exibility to the cipher • Each tweak gives dierent permutation 15 / 57 • D tries to determine which oracle it communicates with stprp h E ;E−1 i h π;π−1 i Adv (D) = Pr D ek ek = 1 − Pr De e = 1 Ee Tweakable Blockcipher Security 1 indistsimpletE Ek IC π PSfrag replacements tweakable blockcipher random tweakable permutation e e distinguisher D • Eek should look like random permutation for every t • Dierent tweaks −! pseudo-independent permutations 16 / 57 Tweakable Blockcipher Security 1 indistsimpletE Ek IC π PSfrag replacements tweakable blockcipher random tweakable permutation e e distinguisher D • Eek should look like random permutation for every t • Dierent tweaks −! pseudo-independent permutations • D tries to determine which oracle it communicates with stprp h E ;E−1 i h π;π−1 i Adv (D) = Pr D ek ek = 1 − Pr De e = 1 Ee 16 / 57 in CAESAR KIASU, CBA, COBRA, iFeed, Prøst, Joltik, Marble, OMD, POET, Minalpher SCREAM, SHELL, AEZ, COPA/ Deoxys ELmD, OCB, OTR rst round, second round, third round Tweakable Blockcipher Designs 3 ciphertweakable-black 1 tEE 2 tEP k E E m E c E P t e e e Dedicated Blockcipher-Based Permutation-Based 17 / 57 Tweakable Blockcipher Designs in CAESAR 3 ciphertweakable-black 1 tEE 2 tEP k E E m E c E P t e e e Dedicated Blockcipher-Based Permutation-Based KIASU, CBA, COBRA, iFeed, Prøst, Joltik, Marble, OMD, POET, Minalpher SCREAM, SHELL, AEZ, COPA/ Deoxys ELmD, OCB, OTR rst round, second round, third round 17 / 57 • Internally based on tweakable blockcipher Ee • Tweak (N; tweak) is unique for every evaluation • Dierent blocks always transformed under dierent tweak • Triangle inequality: ae ae stprp Adv (σ) ≤ AdvAE[π](σ) + Adv (σ) AE[Eek] e Ee Example2 OCBgen Use in OCBx (1/2) A A A M M M M 1 2 a ⊕ i 1 2 d N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek C1 C2 Cd T • Generalized OCB by Rogaway et al.
Load more

Recommended publications
  • IMPLEMENTATION and BENCHMARKING of PADDING UNITS and HMAC for SHA-3 CANDIDATES in FPGAS and ASICS by Ambarish Vyas a Thesis Subm
    IMPLEMENTATION AND BENCHMARKING OF PADDING UNITS AND HMAC FOR SHA-3 CANDIDATES IN FPGAS AND ASICS by Ambarish Vyas A Thesis Submitted to the Graduate Faculty of George Mason University in Partial Fulfillment of The Requirements for the Degree of Master of Science Computer Engineering Committee: Dr. Kris Gaj, Thesis Director Dr. Jens-Peter Kaps. Committee Member Dr. Bernd-Peter Paris. Committee Member Dr. Andre Manitius, Department Chair of Electrical and Computer Engineering Dr. Lloyd J. Griffiths. Dean, Volgenau School of Engineering Date: ---J d. / q /9- 0 II Fall Semester 2011 George Mason University Fairfax, VA Implementation and Benchmarking of Padding Units and HMAC for SHA-3 Candidates in FPGAs and ASICs A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science at George Mason University By Ambarish Vyas Bachelor of Science University of Pune, 2009 Director: Dr. Kris Gaj, Associate Professor Department of Electrical and Computer Engineering Fall Semester 2011 George Mason University Fairfax, VA Copyright c 2011 by Ambarish Vyas All Rights Reserved ii Acknowledgments I would like to use this oppurtunity to thank the people who have supported me throughout my thesis. First and foremost my advisor Dr.Kris Gaj, without his zeal, his motivation, his patience, his confidence in me, his humility, his diverse knowledge, and his great efforts this thesis wouldn't be possible. It is difficult to exaggerate my gratitude towards him. I also thank Ekawat Homsirikamol for his contributions to this project. He has significantly contributed to the designs and implementations of the architectures. Additionally, I am indebted to my student colleagues in CERG for providing a fun environment to learn and giving invaluable tips and support.
    [Show full text]
  • The Boomerang Attacks on the Round-Reduced Skein-512 *
    The Boomerang Attacks on the Round-Reduced Skein-512 ? Hongbo Yu1, Jiazhe Chen3, and Xiaoyun Wang2;3 1 Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China 2 Institute for Advanced Study, Tsinghua University, Beijing 100084, China fyuhongbo,[email protected] 3 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics, Shandong University, Jinan 250100, China [email protected] Abstract. The hash function Skein is one of the ¯ve ¯nalists of the NIST SHA-3 competition; it is based on the block cipher Three¯sh which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper studies the boomerang attacks on Skein-512. Boomerang distinguishers on the compression function reduced to 32 and 36 rounds are proposed, with complexities 2104:5 and 2454 respectively. Examples of the distinguishers on 28-round and 31- round are also given. In addition, the boomerang distinguishers are applicable to the key-recovery attacks on reduced Three¯sh-512. The complexities for key-recovery attacks reduced to 32-/33- /34-round are about 2181, 2305 and 2424. Because Laurent et al. [14] pointed out that the previous boomerang distinguishers for Three¯sh-512 are in fact not compatible, our attacks are the ¯rst valid boomerang attacks for the ¯nal round Skein-512. Key words: Hash function, Boomerang attack, Three¯sh, Skein 1 Introduction Cryptographic hash functions, which provide integrity, authentication and etc., are very impor- tant in modern cryptology. In 2005, as the most widely used hash functions MD5 and SHA-1 were broken by Wang et al.
    [Show full text]
  • An Analytic Attack Against ARX Addition Exploiting Standard Side-Channel Leakage
    An Analytic Attack Against ARX Addition Exploiting Standard Side-Channel Leakage Yan Yan1, Elisabeth Oswald1 and Srinivas Vivek2 1University of Klagenfurt, Klagenfurt, Austria 2IIIT Bangalore, India fyan.yan, [email protected], [email protected] Keywords: ARX construction, Side-channel analysis, Hamming weight, Chosen plaintext attack Abstract: In the last few years a new design paradigm, the so-called ARX (modular addition, rotation, exclusive-or) ciphers, have gained popularity in part because of their non-linear operation’s seemingly ‘inherent resilience’ against Differential Power Analysis (DPA) Attacks: the non-linear modular addition is not only known to be a poor target for DPA attacks, but also the computational complexity of DPA-style attacks grows exponentially with the operand size and thus DPA-style attacks quickly become practically infeasible. We however propose a novel DPA-style attack strategy that scales linearly with respect to the operand size in the chosen-message attack setting. 1 Introduction ever are different: they offer a potentially ‘high reso- lution’ for the adversary. In principle, under suitably Ciphers that base their round function on the sim- strong assumptions, adversaries can not only observe ple combination of modular addition, rotation, and leaks for all instructions that are executed on a proces- exclusive-or, (short ARX) have gained recent popu- sor, but indeed attribute leakage points (more or less larity for their lightweight implementations that are accurately) to instructions (Mangard et al., 2007). suitable for resource constrained devices. Some re- Achieving security in this scenario has proven to cent examples include Chacha20 (Nir and Langley, be extremely challenging, and countermeasures such 2015) and Salsa20 (Bernstein, 2008) family stream as masking (secret sharing) are well understood but ciphers, SHA-3 finalists BLAKE (Aumasson et al., costly (Schneider et al., 2015).
    [Show full text]
  • SHA-3 Conference, March 2012, Skein: More Than Just a Hash Function
    Skein More than just a hash function Third SHA-3 Candidate Conference 23 March 2012 Washington DC 1 Skein is Skein-512 • Confusion is common, partially our fault • Skein has two special-purpose siblings: – Skein-256 for extreme memory constraints – Skein-1024 for the ultra-high security margin • But for SHA-3, Skein is Skein-512 – One hash function for all output sizes 2 Skein Architecture • Mix function is 64-bit ARX • Permutation: relocation of eight 64-bit words • Threefish: tweakable block cipher – Mix + Permutation – Simple key schedule – 72 rounds, subkey injection every four rounds – Tweakable-cipher design key to speed, security • Skein chains Threefish with UBI chaining mode – Tweakable mode based on MMO – Provable properties – Every hashed block is unique • Variable size output means flexible to use! – One function for any size output 3 The Skein/Threefish Mix 4 Four Threefish Rounds 5 Skein and UBI chaining 6 Fastest in Software • 5.5 cycles/byte on 64-bit reference platform • 17.4 cycles/byte on 32-bit reference platform • 4.7 cycles/byte on Itanium • 15.2 cycles/byte on ARM Cortex A8 (ARMv7) – New numbers, best finalist on ARMv7 (iOS, Samsung, etc.) 7 Fast and Compact in Hardware • Fast – Skein-512 at 32 Gbit/s in 32 nm in 58 k gates – (57 Gbit/s if processing two messages in parallel) • To maximize hardware performance: – Use a fast adder, rely on simple control structure, and exploit Threefish's opportunities for pipelining – Do not trust your EDA tool to generate an efficient implementation • Compact design: – Small FPGA
    [Show full text]
  • Authenticated Encryption with Small Stretch (Or, How to Accelerate AERO) ⋆
    Authenticated Encryption with Small Stretch (or, How to Accelerate AERO) ? Kazuhiko Minematsu NEC Corporation, Japan [email protected] Abstract. Standard form of authenticated encryption (AE) requires the ciphertext to be expanded by the nonce and the authentication tag. These expansions can be problematic when messages are relatively short and communication cost is high. To overcome the problem we propose a new form of AE scheme, MiniAE, which expands the ciphertext only by the single variable integrating nonce and tag. An important feature of MiniAE is that it requires the receiver to be stateful not only for detecting replays but also for detecting forgery of any type. McGrew and Foley already proposed a scheme having this feature, called AERO, however, there is no formal security guarantee based on the provable security framework. We provide a provable security analysis for MiniAE, and show several provably-secure schemes using standard symmetric crypto primitives. This covers a generalization of AERO, hence our results imply a provable security of AERO. Moreover, one of our schemes has a similar structure as OCB mode of operation and enables rate-1 operation, i.e. only one blockcipher call to process one input block. This implies that the computation cost of MiniAE can be as small as encryption-only schemes. Keywords: Authenticated Encryption, Stateful Decryption, Provable Security, AERO, OCB 1 Introduction Authenticated encryption (AE) is a symmetric-key cryptographic function for communication which provides both confidentiality and integrity of messages. A standard form of AE requires the ciphertext to be expanded by the amount of nonce, a never-repeating value maintained by the sender, and the authentication tag.
    [Show full text]
  • Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 Family
    Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family Dmitry Khovratovich1 and Christian Rechberger2 and Alexandra Savelieva3 1Microsoft Research Redmond, USA 2DTU MAT, Denmark 3National Research University Higher School of Economics, Russia Abstract. We present the new concept of biclique as a tool for preimage attacks, which employs many powerful techniques from differential cryptanalysis of block ciphers and hash functions. The new tool has proved to be widely applicable by inspiring many authors to publish new re- sults of the full versions of AES, KASUMI, IDEA, and Square. In this paper, we demonstrate how our concept results in the first cryptanalysis of the Skein hash function, and describe an attack on the SHA-2 hash function with more rounds than before. Keywords: SHA-2, SHA-256, SHA-512, Skein, SHA-3, hash function, meet-in-the-middle attack, splice-and-cut, preimage attack, initial structure, biclique. 1 Introduction The last years saw an exciting progress in preimage attacks on hash functions. In contrast to collision search [29, 26], where differential cryptanalysis has been in use since 90s, there had been no similarly powerful tool for preimages. The situation changed dramatically in 2008, when the so-called splice-and-cut framework has been applied to MD4 and MD5 [2, 24], and later to SHA-0/1/2 [1, 3], Tiger [10], and other primitives. Despite amazing results on MD5, the applications to SHA-x primitives seemed to be limited by the internal properties of the message schedule procedures. The only promising element, the so-called initial structure tool, remained very informal and complicated.
    [Show full text]
  • Darxplorer a Toolbox for Cryptanalysis and Cipher Designers
    DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University Weimar 22nd April 2009 Dennis Hoppe (BUW) DARXplorer 22nd April 2009 1 / 31 Agenda 1 Introduction to Hash Functions 2 The ThreeFish Block Cipher 3 Differential Cryptanalysis 4 DARXplorer { DC of ThreeFish 5 Results on ThreeFish 6 Generalization of DARXplorer Dennis Hoppe (BUW) DARXplorer 22nd April 2009 2 / 31 Agenda 1 Introduction to Hash Functions 2 The ThreeFish Block Cipher 3 Differential Cryptanalysis 4 DARXplorer { DC of ThreeFish 5 Results on ThreeFish 6 Generalization of DARXplorer Dennis Hoppe (BUW) DARXplorer 22nd April 2009 3 / 31 Introduction to Hash Functions Hash Functions A hash function H : f0; 1g∗ ! f0; 1gn is used to compute an n-bit fingerprint from an arbitrarily-sized input M 2 f0; 1g∗ Most of them are based on a compression function C : f0; 1gn × f0; 1gm ! f0; 1gn with fixed size input Computation: Hi := C(Hi−1;Mi) C C C H[0] H[1] . H[L-1] H[L] M[1] M[2] . M[L] Dennis Hoppe (BUW) DARXplorer 22nd April 2009 4 / 31 Introduction to Hash Functions { cont'd Compression Functions A crucial building block of iterated hash functions is the compression function C Designer often make use of block ciphers Which properties should be imposed on C to guarantee that the hash function satisfies certain properties? Theorem (Damg˚ard-Merkle) If the compression function C is collision-resistant, then the hash function H is collision-resistant as well. If the compression function C is preimage-resistant, then the hash function H is preimage-resistant as well.
    [Show full text]
  • Modes of Operation for Compressed Sensing Based Encryption
    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
    [Show full text]
  • High-Speed Hardware Implementations of BLAKE, Blue
    High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Version 2.0, November 11, 2009 Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, J¨orn-Marc Schmidt, and Alexander Szekely Graz University of Technology, Institute for Applied Information Processing and Communications, Inffeldgasse 16a, A{8010 Graz, Austria {Stefan.Tillich,Martin.Feldhofer,Mario.Kirschbaum, Thomas.Plos,Joern-Marc.Schmidt,Alexander.Szekely}@iaik.tugraz.at Abstract. In this paper we describe our high-speed hardware imple- mentations of the 14 candidates of the second evaluation round of the SHA-3 hash function competition. We synthesized all implementations using a uniform tool chain, standard-cell library, target technology, and optimization heuristic. This work provides the fairest comparison of all second-round candidates to date. Keywords: SHA-3, round 2, hardware, ASIC, standard-cell implemen- tation, high speed, high throughput, BLAKE, Blue Midnight Wish, Cube- Hash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein. 1 About Paper Version 2.0 This version of the paper contains improved performance results for Blue Mid- night Wish and SHAvite-3, which have been achieved with additional imple- mentation variants. Furthermore, we include the performance results of a simple SHA-256 implementation as a point of reference. As of now, the implementations of 13 of the candidates include eventual round-two tweaks. Our implementation of SIMD realizes the specification from round one. 2 Introduction Following the weakening of the widely-used SHA-1 hash algorithm and concerns over the similarly-structured algorithms of the SHA-2 family, the US NIST has initiated the SHA-3 contest in order to select a suitable drop-in replacement [27].
    [Show full text]
  • An Efficient Parallel Algorithm for Skein Hash Functions
    AN EFFICIENT PARALLEL ALGORITHM FOR SKEIN HASH FUNCTIONS K´evin Atighehchi, Adriana Enache, Traian Muntean, Gabriel Risterucci ERISCS Research Group Universit´ede la M´editerran´ee Parc Scientifique de Luminy-Marseille, France email: [email protected] ABSTRACT by SHA-3: it may be parallelizable, more suitable for cer- Recently, cryptanalysts have found collisions on the MD4, tain classes of applications, more efficient to implement MD5, and SHA-0 algorithms; moreover, a method for find- on actual platforms, or may avoid some of the incidental ing SHA1 collisions with less than the expected calculus generic properties (such as length extension) of the Merkle- complexity has been published. The NIST [1] has thus de- Damgard construct ([10] [9]) that often results in insecure cided to develop a new hash algorithm, so called SHA-3, applications. which will be developed through a public competition [3]. This paper describes sequential and parallel algo- From the set of accepted proposals for the further steps of rithms for Skein cryptographic hash functions, and the the competition, we have decided to explore the design of analysis, testing and optimization thereof. Our approach an efficient parallel algorithm for the Skein [12] hash func- for parallelizing Skein uses the tree hash mode which cre- tion family. The main reason for designing such an algo- ates one virtual thread for each node of the tree, thus rithm is to obtain optimal performances when dealing with providing a generic method for fine-grain maximal paral- critical applications which require efficiently tuned imple- lelism. mentations on multi-core target processors. This prelimi- The paper is structured as following: Section 2 and nary work presents one of the first parallel implementation 3 give a brief description of Skein and a detailed descrip- and associated performance evaluation of Skein available tion of the associated Tree Mode, the Section 4 presents the in the literature.
    [Show full text]
  • Rotational Rebound Attacks on Reduced Skein
    Rotational Rebound Attacks on Reduced Skein Dmitry Khovratovich1;2, Ivica Nikoli´c1, and Christian Rechberger3 1: University of Luxembourg; 2: Microsoft Research Redmond, USA; 3: Katholieke Universiteit Leuven, ESAT/COSIC, and IBBT, Belgium [email protected], [email protected], [email protected] Abstract. In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different construc- tions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 com- pression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function. The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers. Keywords: Skein, SHA-3, hash function, compression function, cipher, rotational cryptanalysis, rebound attack, distinguisher. 1 Introduction Rotational cryptanalysis and the rebound attack proved to be very effective in the analysis of SHA-3 candidates and related primitives.
    [Show full text]
  • Authenticated Encryption on Fpgas from the Reconfigurable Part to the Static Part Karim Moussa Ali Abdellatif
    Authenticated Encryption on FPGAs from the Reconfigurable Part to the Static Part Karim Moussa Ali Abdellatif To cite this version: Karim Moussa Ali Abdellatif. Authenticated Encryption on FPGAs from the Reconfigurable Part to the Static Part. Other [cs.OH]. Université Pierre et Marie Curie - Paris VI, 2014. English. NNT : 2014PA066660. tel-01158431 HAL Id: tel-01158431 https://tel.archives-ouvertes.fr/tel-01158431 Submitted on 1 Jun 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THESE` DE DOCTORAT DE L'UNIVERSITE´ PIERRE ET MARIE CURIE Sp´ecialit´e:Informatique, T´el´ecommunication et Electronique´ Ecole´ Doctorale Informatique, T´el´ecommunication et Electronique´ Pr´esent´eepar: Karim Moussa Ali Abdellatif Pour obtenir le grade de Docteur de l'Universit´ePierre et Marie Curie CHIFFREMENT AUTHENTIFIE´ SUR FPGAs DE LA PARTIE RECONFIGURABLE A` LA PARTIE STATIC Soutenue le 07/10/2014 devant le jury compos´ede: M. Bruno Robisson ENSM.SE/CEA Rapporteur M. Lilian Bossuet Laboratoire Hubert Curien Rapporteur M. Jean-Claude Bajard LIP6 Examinateur M. Hayder Mrabet FLEXRAS Examinateur M. Olivier Lepape NanoXplore Examinateur M. Habib Mehrez LIP6 Directeur de th`ese Mme. Roselyne.Chotin-Avot LIP6 Encaderante de th`ese Ph.D.
    [Show full text]