DOCSLIB.ORG

New Developments in Cryptology Outline Outline Block Ciphers AES

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
New Developments in Cryptology Outline Outline Block Ciphers AES New Developments in Cryptology March 2013 Bart Preneel Outline New developments in cryptology • 1. Cryptology: concepts and algorithms Prof. Bart Preneel • 2. Cryptology: protocols COSIC • 3. Public-Key Infrastructure fundamentals Bart.Preneel(at)esatDOTkuleuven.be • 4. Networking protocols http://homes.esat.kuleuven.be/~preneel • 5. New developments in cryptology March 2013 • 6. Cryptography best practices © Bart Preneel. All rights reserved 1 2 Outline Block ciphers P1 P2 P3 • Block ciphers/stream ciphers • Hash functions/MAC algorithms block block block •Modes of operatio n and au the ntic ated cipher cipher cipher encryption • How to encrypt/sign using RSA C1 C2 C3 • Multi-party computation • larger data units: 64…128 bits • memoryless • Concluding remarks • repeat simple operation (round) many times 3 3-DES: NIST Spec. Pub. 800-67 AES (2001) (May 2004) S S S S S S S S S S S S S S S S • Single DES abandoned round • two-key triple DES: until 2009 (80 bit security) • three-key triple DES: until 2030 (100 bit security) round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S hedule Highly vulnerable to a c round • Block length: 128 bits related key attack • Key length: 128-192-256 . Key S Key . bits round A $ 10M machine that cracks a DES Clear DES DES-1 DES %^C& key in 1 second would take 149 trillion text @&^( years to crack a 128-bit key 1 23 1 New Developments in Cryptology March 2013 Bart Preneel AES variants (2001) AES implementations: • AES-128 • AES-192 • AES-256 efficient/compact • 10 rounds • 12 rounds • 14 rounds • sensitive • classified • secret and top • NIST validation list: 1953 implementations (2008: 879) secret plaintext plaintext plaintext http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html round round. round [‘05] dule ) . • HW: 43 Gbit/s in 130 nm CMOS ule le 8 . e . round . round • Intel: new AES instruction: 0.75 cycles/byte [’09-’10] Key (12 Key . round round (192) Key . • SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s bitsliced Key (256) Key Key Sch Key . [Käsper-Schwabe’09] Key Sched Key round . Key Schedu Key round • HW: most compact: 3600 gates Light weight key schedule, in particular for the 256-bit version – KATAN: 1054, PRESENT: 1570 AES: security AES-256 security • Exhaustive key search on AES-256 takes 2256 encryptions • cryptanalysis: no attack has been found that can –264: 10 minutes with $ 5M exploit this structure (in spite of the algebraic –280: 2 year with $ 5M “attack” [Courtois’02]) –2120 : 1 billion years with $ 5B • [Biryukov-Khovratovich’09] related key attack on AES-256 119 • implementation level attack – requires 2 encryptions with 4 related key s, – data & time complexity 2119 2256 – cache attack precluded by bitsliced implementations • Why does it work? Very lightweight key schedule or by special hardware support – fault attack requires special countermeasures • Is AES-256 broken? No, only an academic “weakness” that is easy to fix • No implications on security of AES-128 for encryption • Do not use AES-256 in a hash function construction What is a related key attack? Should I worry about a related key attack? • Attacker chooses plaintexts and key difference C • Very hard in practice (except some old US banking • Attacker gets ciphertexts schemes and IBM control vectors) • Task: find the key C • If you are vulnerable to a related key attack, you are making very bad implementation mistakes plaintext1 plaintext2 plaintext1 • This is a very powerful attack round round model: if an opponent can round zeroize 96 key bits of his round round round choice (rather than adding a round round round value), he can find the key in h Key (256) Key . Key (256) Key Key (256) Key . a few seconds . Key Schedule Key . Schedule Key Key Schedule Key round round round • If you are worried, hashing the key is an easy fix ciphertext1 ciphertext2 ciphertext1 2 New Developments in Cryptology March 2013 Bart Preneel Related key attacks on AES-256 and KASUMI KASUMI (2002) Security level in bits Exhaustive search AES [Biryukov- • Widely used in all 3G phones 300 Khovratovich’09] 4 related keys • Present in 40% of GSM phones but not 250 data & time yet used 200 comppylexity Ex haus tive searc h KASUMI 2119 2256 150 100 • Good news: related key attacks do not Practical [Dunkelman- 50 Keller-Shamir’10] apply in in the GSM or 3G context Related key 0 attack: 4 keys, 0 58 1014 15 226 data & 232 rounds time 2128 KASUMI New announcement: August 2011 [Dunkelman-Keller-Shamir’09] [Bogdanov-Khovratovich-Rechberger] • Practical related key attack announced in • No related keys (attack in 2005) December 2009 on the block cipher KASUMI used in 3GPP • For AES-128: with 288 plaintext/ciphertext pairs, – 4 re ltdklated keys, 226 dtdata, 230 btbytes o f memory, an d the effective key size can be reduced by 2 bits 232 time (AES-126) • It is not possible to carry out this attack in 3G • For AES-192: only 280 plaintext/ciphertext pairs (as related keys are not available) • For AES-256: only 240 plaintext/ciphertext pairs Very minor impact on security and very hard to extend Synchronous Stream Cipher (SSC) Stream ciphers IV state IV state init init • historically very important (compact) – LFSR-based: A5/1, A5/2, E0 – practical attacks K next K next known state state – software-oriented: RC4 – serious weaknesses function function – block cipher in CTR or OFB (slower) • today: output output – many broken schemes function “looks” function random – exception: SNOW2.0, MUGI P C P – lack of standards and open solutions 18 3 New Developments in Cryptology March 2013 Bart Preneel GSM GSM • A5/1 weak • growing number of open source tools to intercept: – [Barkan+03] requires seconds (software not available so requires GnuRAdio, Airprobe, OpenBTS math) • but needs more work (1-2 years?) – [Nohl10]: Kraken = 2 Terabyte of Rainbow tables http://reflextor.com/trac/a51 • A5/2 trivially weak (milliseconds) – withdrawn in 2007 (took 8 years) • A5/3 (= Kasumi) seems ok but slow adoption (even if in 1.2 billion out of 3 billion handsets) • Simpler attacks on GSM – eavesdrop after base station (always cleartext) – switch off encryption (can be detected) – SMS of death GSM International • China: • be careful when rolling out 2-factor – ZUC as 3rd algorithm in LTE (also SMII, SMIII) – National Cryptography Industry Standards Technical Committee authentication via SMS established on 19/10/2011 • war texting hacks on car systems and mod 231 1 215 217 221 220 12 8 S S S S S S S S S S S S S S S S SCADA systems [Black Hat, Aug’11] 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 X X X 0 X1 2 3 R1 R2 Every algorithm used in L L 1 2 China needs to be designed in China intercepting mobile phone traffic is illegal • US: NIST is very active in standardization Open competition for stream ciphers The eSTREAM Portfolio http://www.ecrypt.eu.org Apr. 2008 (Rev1 Sept. 2008) (in alphabetical order) • run by ECRYPT – high performance in software (32/64-bit): 128-bit key Software Hardware – low-gate count hardware (< 1000 gates): 80-bit key – variants: authenticated encryption HC-128 F-FCSR-H • April 2005: 33 submissions Rabbit Grain v1 • many broken in first year • April 2008: end of competition Salsa20/12 MICKEY v2 Sosemanuk Trivium 3-10 cycles per byte 1500..3000 gates 23 24 4 New Developments in Cryptology March 2013 Bart Preneel Performance reference data Rogue CA attack (Pentium M 1.70GHz Model 6/9/5) [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger ’08] request user cert; by special encryption speed (cycles/byte) Self-signed collision this results in a fake CA root key 120 cert (need to predict serial number 100 + validity period) 80 CA1 CA2 Rogue CA 60 key setup (cycles) 40 35000 impact: rogue CA that User1 User2 User x 20 30000 can issue certs that are 25000 0 trusted by all RC4 HC-128 DES 3-DES AES 20000 15000 browsers 10000 5000 0 6 CAs have issued certificates signed with MD5 in 2008: RC4 HC- DES 3-DES AES 128 Rapid SSL, Free SSL (free trial certificates offered by RapidSSL), 26 26 25 TC TrustCenter AG, RSA Data Security, Verisign.co.jp Flame (successor of Stuxnet/Duqu) Malicious certificates • discovered in May 2012 by Cert in Iran • Aug’ 11 Diginotar: target Iranian opposition • targeted cyber espionage in Middle Eastern • May ‘12 Flame countries – June ’12: Microsoft no longer supports RSA keys shorter • vectors: LAN, USB, Bluetooth than 1024 bits (except if signed before 1/1/2010) • record audio, screenshots, keyboard activity and – NIST’s deadline is 31/12/2013 networ k tra ffic (i nc lu ding Skype ) • Sept. ‘12: Adobe problem • kill command to wipe out its traces (used on June 8 2012) TLS • advanced MD5 collision attack built-in to create fake certificate for Microsoft Enforced Licensing Intermediate PCA (Windows Update) • similar to but independent from rogue CA attack Ceci n’est pas un HSM Microsoft hired in 2004 the “MD5 removal person” Low cost hw: throughput versus area Hash functions [Bogdanov+08,Sugawara+08] (100 KHz clock, technology in multiples of 10 nm) 900 Protect short hash value rather • collision resistance GRAIN[8] (13) Trivium[8](13) than long text • preimage resistance ) 800 Enocoro-80[8](18) nd 700 •2 preimage resistance Kbps 600 ( mCRYPTON-96/128 (13) t u 500 CLEFIA (9) This is an input to a crypto- hp 400 graphic hash function. The input g PRESENT-128 (18) 300 is a very long string, that is PICCOLO-128 reduced by the hash function to a HIGHT (25) TDEA (9) string of fixed length.
Load more

Recommended publications
  • A Quantitative Study of Advanced Encryption Standard Performance
    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
    [Show full text]
  • RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective
    RESOURCE-EFFICIENT CRYPTOGRAPHY FOR UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective DISSERTATION for the degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at the Ruhr University Bochum, Germany by Elif Bilge Kavun Bochum, December 2014 Copyright © 2014 by Elif Bilge Kavun. All rights reserved. Printed in Germany. Anneme ve babama... Elif Bilge Kavun Place of birth: Izmir,˙ Turkey Author’s contact information: [email protected] www.emsec.rub.de/chair/ staff/elif bilge kavun Thesis Advisor: Prof. Dr.-Ing. Christof Paar Ruhr-Universit¨atBochum, Germany Secondary Referee: Prof. Christian Rechberger Danmarks Tekniske Universitet, Denmark Thesis submitted: December 19, 2014 Thesis defense: February 6, 2015 v Abstract Technological advancements in the semiconductor industry over the last few decades made the mass production of very small-scale computing devices possible. Thanks to the compactness and mobility of these devices, they can be deployed “pervasively”, in other words, everywhere and anywhere – such as in smart homes, logistics, e-commerce, and medical technology. Em- bedding the small-scale devices into everyday objects pervasively also indicates the realization of the foreseen “ubiquitous computing” concept. However, ubiquitous computing and the mass deployment of the pervasive devices in turn brought some concerns – especially, security and privacy. Many people criticize the security and privacy management in the ubiquitous context. It is even believed that an inadequate level of security may be the greatest barrier to the long-term success of ubiquitous computing. For ubiquitous computing, the adversary model and the se- curity level is not the same as in traditional applications due to limited resources in pervasive devices – area, power, and energy are actually harsh constraints for such devices.
    [Show full text]
  • Low-Latency Hardware Masking with Application to AES
    Low-Latency Hardware Masking with Application to AES Pascal Sasdrich, Begül Bilgin, Michael Hutter, and Mark E. Marson Rambus Cryptography Research, 425 Market Street, 11th Floor, San Francisco, CA 94105, United States {psasdrich,bbilgin,mhutter,mmarson}@rambus.com Abstract. During the past two decades there has been a great deal of research published on masked hardware implementations of AES and other cryptographic primitives. Unfortunately, many hardware masking techniques can lead to increased latency compared to unprotected circuits for algorithms such as AES, due to the high-degree of nonlinear functions in their designs. In this paper, we present a hardware masking technique which does not increase the latency for such algorithms. It is based on the LUT-based Masked Dual-Rail with Pre-charge Logic (LMDPL) technique presented at CHES 2014. First, we show 1-glitch extended strong non- interference of a nonlinear LMDPL gadget under the 1-glitch extended probing model. We then use this knowledge to design an AES implementation which computes a full AES-128 operation in 10 cycles and a full AES-256 operation in 14 cycles. We perform practical side-channel analysis of our implementation using the Test Vector Leakage Assessment (TVLA) methodology and analyze univariate as well as bivariate t-statistics to demonstrate its DPA resistance level. Keywords: AES · Low-Latency Hardware · LMDPL · Masking · Secure Logic Styles · Differential Power Analysis · TVLA · Embedded Security 1 Introduction Masking countermeasures against side-channel analysis [KJJ99] have received a lot of attention over the last two decades. They are popular because they are relatively easy and inexpensive to implement, and their strengths and limitations are well understood using theoretical models and security proofs.
    [Show full text]
  • Investigating Profiled Side-Channel Attacks Against the DES Key
    IACR Transactions on Cryptographic Hardware and Embedded Systems ISSN 2569-2925, Vol. 2020, No. 3, pp. 22–72. DOI:10.13154/tches.v2020.i3.22-72 Investigating Profiled Side-Channel Attacks Against the DES Key Schedule Johann Heyszl1[0000−0002−8425−3114], Katja Miller1, Florian Unterstein1[0000−0002−8384−2021], Marc Schink1, Alexander Wagner1, Horst Gieser2, Sven Freud3, Tobias Damm3[0000−0003−3221−7207], Dominik Klein3[0000−0001−8174−7445] and Dennis Kügler3 1 Fraunhofer Institute for Applied and Integrated Security (AISEC), Germany, [email protected] 2 Fraunhofer Research Institution for Microsystems and Solid State Technologies (EMFT), Germany, [email protected] 3 Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany, [email protected] Abstract. Recent publications describe profiled single trace side-channel attacks (SCAs) against the DES key-schedule of a “commercially available security controller”. They report a significant reduction of the average remaining entropy of cryptographic keys after the attack, with surprisingly large, key-dependent variations of attack results, and individual cases with remaining key entropies as low as a few bits. Unfortunately, they leave important questions unanswered: Are the reported wide distributions of results plausible - can this be explained? Are the results device- specific or more generally applicable to other devices? What is the actual impact on the security of 3-key triple DES? We systematically answer those and several other questions by analyzing two commercial security controllers and a general purpose microcontroller. We observe a significant overall reduction and, importantly, also observe a large key-dependent variation in single DES key security levels, i.e.
    [Show full text]
  • Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation
    cryptography Article Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation Takeshi Sugawara Department of Informatics, The University of Electro-Communications, Tokyo 182-8585, Japan; [email protected] Received: 30 June 2020; Accepted: 5 August 2020; Published: 9 August 2020 Abstract: SAEAES is the authenticated encryption algorithm instantiated by combining the SAEB mode of operation with AES, and a candidate of the NIST’s lightweight cryptography competition. Using AES gives the advantage of backward compatibility with the existing accelerators and coprocessors that the industry has invested in so far. Still, the newer lightweight block cipher (e.g., GIFT) outperforms AES in compact implementation, especially with the side-channel attack countermeasure such as threshold implementation. This paper aims to implement the first threshold implementation of SAEAES and evaluate the cost we are trading with the backward compatibility. We design a new circuit architecture using the column-oriented serialization based on the recent 3-share and uniform threshold implementation (TI) of the AES S-box based on the generalized changing of the guards. Our design uses 18,288 GE with AES’s occupation reaching 97% of the total area. Meanwhile, the circuit area is roughly three times the conventional SAEB-GIFT implementation (6229 GE) because of a large memory size needed for the AES’s non-linear key schedule and the extended states for satisfying uniformity in TI. Keywords: threshold implementation; SAEAES; authenticated encryption, side-channel attack; changing of the guards; lightweight cryptography; implementation 1. Introduction There is an increasing demand for secure data communication between embedded devices in many areas, including automotive, industrial, and smart-home applications.
    [Show full text]
  • Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas
    Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski ECE Department, George Mason University, Fairfax, VA 22030, U.S.A. {kgaj,ehomsiri,mrogawsk}@gmu.edu http://cryptography.gmu.edu Abstract. Performance in hardware has been demonstrated to be an important factor in the evaluation of candidates for cryptographic stan- dards. Up to now, no consensus exists on how such an evaluation should be performed in order to make it fair, transparent, practical, and ac- ceptable for the majority of the cryptographic community. In this pa- per, we formulate a proposal for a fair and comprehensive evaluation methodology, and apply it to the comparison of hardware performance of 14 Round 2 SHA-3 candidates. The most important aspects of our methodology include the definition of clear performance metrics, the de- velopment of a uniform and practical interface, generation of multiple sets of results for several representative FPGA families from two major vendors, and the application of a simple procedure to convert multiple sets of results into a single ranking. Keywords: benchmarking, hash functions, SHA-3, FPGA. 1 Introduction and Motivation Starting from the Advanced Encryption Standard (AES) contest organized by NIST in 1997-2000 [1], open contests have become a method of choice for select- ing cryptographic standards in the U.S. and over the world. The AES contest in the U.S. was followed by the NESSIE competition in Europe [2], CRYPTREC in Japan, and eSTREAM in Europe [3]. Four typical criteria taken into account in the evaluation of candidates are: security, performance in software, performance in hardware, and flexibility.
    [Show full text]
  • ASIC-Oriented Comparative Review of Hardware Security Algorithms for Internet of Things Applications Mohamed A
    ASIC-Oriented Comparative Review of Hardware Security Algorithms for Internet of Things Applications Mohamed A. Bahnasawi1, Khalid Ibrahim2, Ahmed Mohamed3, Mohamed Khalifa Mohamed4, Ahmed Moustafa5, Kareem Abdelmonem6, Yehea Ismail7, Hassan Mostafa8 1,3,5,6,8Electronics and Electrical Communications Engineering Department, Cairo University, Giza, Egypt 2Electronics Department, Faculty of Information Engineering and Technology, German University in Cairo, Cairo, Egypt 4Electrical, Electronics and Communications Engineering Department, Faculty of Engineering, Alexandria University, Egypt 7,8Center for Nanoelectronics and Devices, AUC and Zewail City of Science and Technology, New Cairo, Egypt {[email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected] } Abstract— Research into the security of the Internet of Applications have different requirements for the Things (IoT) needs to utilize particular algorithms that offer cryptographic algorithms that secure them, varying in the ultra-low power consumption and a long lifespan, along with throughput needed, the extent of immunity against attacks, other parameters such as strong immunity against attacks, power consumption, the area needed on-chip, etc. The lower chip area and acceptable throughput. This paper offers Internet of Things (IoT) focuses mainly on low-power an ASIC-oriented comparative review of the most popular and implementations of security algorithms. This is because powerful cryptographic algorithms worldwide, namely AES, most of them are related to autonomous applications or 3DES, Twofish and RSA. The ASIC implementations of those embedded systems applications (i.e. an ultra-thin sensor algorithms are analyzed by studying statistical data extracted system [2] embedded inside clothes or biomedical from the ASIC layouts of the algorithms and comparing them to determine the most suited algorithms for IoT hardware- applications).
    [Show full text]
  • Sharing Resources Between AES and the SHA-3 Second Round
    Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo, Finland AES-inspired SHA-3 Candidates I Design strongly influenced by AES: Share the structure and have significant similarity in transformations, or even use AES as a subroutine I ECHO, Fugue, Grøstl, and SHAvite-3 I Benadjila et al. (ASIACRYPT 2009) studied useability of Intel’s AES instructions for AES-inspired candidates Conclusion: only ECHO and SHAvite-3, which use AES as a subroutine, benefit from the instructions I This is the first study of combining AES with the SHA-3 candidates on hardware (FPGA) The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Research Topics and Motivation Research Questions I What modifications are required to embed AES into the data path of the hash algorithm (or vice versa)? I How much resources can be shared (logic, registers, memory, . )? I What are the costs (area, delay, throughput, power consumption, . )? Applications I Any applications that require dedicated hardware implementations of a hash algorithm and a block cipher would benefit from reduced costs I Particularly important if resources are very limited The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Advanced Encryption Standard AES with a 128-bit key (AES-128) 8 I State: 4 × 4 bytes; each byte is an element of GF(2 ) I 10 rounds with four transformations Transformations I SubBytes: Bytes mapped
    [Show full text]
  • Development of the Advanced Encryption Standard
    Volume 126, Article No. 126024 (2021) https://doi.org/10.6028/jres.126.024 Journal of Research of the National Institute of Standards and Technology Development of the Advanced Encryption Standard Miles E. Smid Formerly: Computer Security Division, National Institute of Standards and Technology, Gaithersburg, MD 20899, USA [email protected] Strong cryptographic algorithms are essential for the protection of stored and transmitted data throughout the world. This publication discusses the development of Federal Information Processing Standards Publication (FIPS) 197, which specifies a cryptographic algorithm known as the Advanced Encryption Standard (AES). The AES was the result of a cooperative multiyear effort involving the U.S. government, industry, and the academic community. Several difficult problems that had to be resolved during the standard’s development are discussed, and the eventual solutions are presented. The author writes from his viewpoint as former leader of the Security Technology Group and later as acting director of the Computer Security Division at the National Institute of Standards and Technology, where he was responsible for the AES development. Key words: Advanced Encryption Standard (AES); consensus process; cryptography; Data Encryption Standard (DES); security requirements, SKIPJACK. Accepted: June 18, 2021 Published: August 16, 2021; Current Version: August 23, 2021 This article was sponsored by James Foti, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST). The views expressed represent those of the author and not necessarily those of NIST. https://doi.org/10.6028/jres.126.024 1. Introduction In the late 1990s, the National Institute of Standards and Technology (NIST) was about to decide if it was going to specify a new cryptographic algorithm standard for the protection of U.S.
    [Show full text]
  • State of the Art in Lightweight Symmetric Cryptography
    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
    [Show full text]
  • AES) Is the Desirable Encryption Core for Any Practical Low-End Embedded
    CENTRE FOR NEWFOUNDLAND STUDIES TOTAL OF 10 PAGES ONLY MAY BE XEROXED (Without Author's Permission) COMPACT HARDWARE IMPLEMENTATION OF ADVANCED ENCRYPTION STANDARD WITH CONCURRENT ERROR DETECTION by Namin Yu A thesis submitted to the School of Graduate Studies in partial fulfillment of the requirements for the degree of Master Faculty of Engineering and Applied Science Memorial University of Newfoundland August 2005 St. John's Newfoundland Canada Abstract A compact, efficient and highly reliable implementation of the Advanced Encryption Standard (AES) is the desirable encryption core for any practical low-end embedded application. In this thesis we design and implement a compact hardware AES system with concurrent error detection. We investigate various architectures for compact AES implementations in 0.18 f!m CMOS technology. We first explore a new compact digital hardware implementation of the AES s-boxes applying the discovery of linear redundancy in the AES s-boxes. Although the new circuit has a small size, the speed of this implementation is also reduced. Encryption architectures without key scheduling that employ four s-boxes and only one s-box are implemented using the new AES s-boxes, as well as based on other compact s-box structures. The comparison of the implementations based on different architectures and s-box structures indicates that the implementation using four s-boxes 4 based on arithmetic operations in GF(2 ) has the best trade-off of area and speed. Therefore, using this s-box implementation, a complete encryption-decryption architecture with key scheduling employing the four s-box structure is implemented. In order to be adaptive to various practical applications, we optimize the implementation with the fours-box structure to support five different operation modes.
    [Show full text]
  • Motivation AES Throughput Advanced Encryption Standard
    Utilizing Hardware AES Encryption for WSNs by Felix Büsching, Andreas Figur, Dominik Schürmann, and Lars Wolf Technische Universität Braunschweig | Institute of Operating Systems and Computer Networks Felix Büsching | [email protected] | Phone +49 (0) 531 391-3289 Motivation Implementations Encryption is essential in many Wireless Sensor Network (WSN) appli- Four different AES algorithms were implemented for INGA Wireless cations. Several encryption frameworks exist which are mostly based Sensor Nodes. While the first algorithm (1) SW-AES-1 was realized for on software algorithms. However, nearly every up-to-date radio trans- Contiki in C in a straight forward way, the (2) SW-AES-2 implementa- ceiver chip is equipped with an integrated hardware encryption en- tion was improved by a static lookup table. gine. Here we show the benefits of utilizing an integrated hardware To compare our C implementations with a software reference, we uti- encryption engine in comparison to pure software-based solutions. lized (3) RijndaelFast, an optimized assembler implementation for the Atmel ATmega family. We see this external implementation as a the- oretical limit, knowing that this performance could never be reached when using an operating system like TinyOS or Contiki. Advanced Encryption Standard - AES Most of the currently available radio transmitters and have an integrat- ed hardware AES unit. These units can usually be addressed by special ▪ ... is a variant of Rijndael with a fixed block size of 128 bits. registers via SPI bus. When using an ▪ ... is based on a substitution-permutation network, which shall op- operating system like Contiki or Ti- erate fast in both software and hardware.
    [Show full text]