Block Ciphers

Total Page:16

File Type:pdf, Size:1020Kb

Block Ciphers: Past and Present
Mohammad Dakhilalian, http://www.dakhilalian.iut.ac.ir
Isfahan University of Technology (IUT), Electrical and Computer Engineering Department
Cryptography and System Security Research Laboratory (CSSRL)
ISCISC 2013, August 2013 (slides dated 8/30/2013; 80 slides in total, of which the first 28 are excerpted here)

Outline
• Block ciphers review
  • History of cryptography
  • Schemes of the block ciphers
  • Challenges & attacks
• Cryptographic events
  • AES
  • NESSIE
  • CRYPTREC
  • ECRYPT
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary

History of cryptography
• Classical crypto: the earliest known use of cryptography is about 1900 BC
• Medieval crypto: 800–1800 AD
• Crypto from 1800 to WWII
• Modern crypto
• Crypto can be seen everywhere
• Information theory (1948–9), Claude Elwood Shannon: "A Mathematical Theory of Communication", "Communication Theory of Secrecy Systems"
  • Diffusion
  • Confusion
  • Product cipher

Symmetric key ciphers
• Block ciphers
• Stream ciphers

Block cipher schemes (input x, substitution layer S, permutation layer P, output y)
• SPN scheme (AES, Serpent)
• Feistel scheme (DES, Camellia)
• Lai-Massey scheme (IDEA)

Evaluation of block ciphers
• Level of security
• Ease of implementation (low-cost, low-power)
• Performance (throughput)
(trade-off diagram between security, low cost, throughput and low power)

When is a block cipher secure?
Answer: when these two black boxes are indistinguishable: x → E_k → E_k(x) (the cipher under key k) and x → π → π(x) (a permutation π).

Attack efficiency
• Data complexity
• Memory complexity
• Time (computation) complexity

Kerckhoffs' Principle
The security of an encryption system must depend only on the key, not on the secrecy of the algorithm.

Cryptanalysis
Types of cryptanalytic attacks:
1. Ciphertext-only
2. Known-plaintext
3. Chosen-plaintext
4. Adaptive-chosen-plaintext attack
5. Chosen-ciphertext attack
6. Chosen-key
7. Rubber-hose

Generic attacks
• Dictionary attack
• Codebook attack
• Exhaustive key search (brute force search)
• Time-memory-data trade-off

Shortcut attacks
• Linear cryptanalysis
• Differential cryptanalysis
• Differential-linear cryptanalysis
• Impossible differential attack
• Slide attack
• Related-key attack
• Boomerang attack
• Higher-order differential cryptanalysis
• Interpolation attack
• Algebraic attack

Real and academic attacks
• Real attack: the block cipher can be broken in practice
  • Example: brute force attack on DES
• Academic attack: the block cipher behaves suboptimally
  • Example: biclique attack on AES with a computational complexity of 2^126.2

AES (1997–2000)
Advanced Encryption Standard – by the National Institute of Standards and Technology of the United States (NIST).
The algorithms were all to be block ciphers, supporting a block size of 128 bits and key sizes of 128, 192, and 256 bits.
• Submitted block ciphers: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, Twofish
• AES finalists (in order of score): Rijndael, Serpent, Twofish, RC6, MARS
• AES winner: Rijndael

AES competition
AES finalists (in order of score):
• Rijndael: 86 positive, 10 negative (the winner)
• Serpent: 59 positive, 7 negative
• Twofish: 31 positive, 21 negative
• RC6: 23 positive, 37 negative
• MARS: 13 positive, 84 negative
On November 26, 2001, NIST announced that AES was approved as FIPS PUB 197.

Algorithm | Structure | Block size | Key size | Round # | Year
Rijndael | SPN | 128 | 128-192-256 | 10-12-14 | 1998
Serpent | SPN | 128 | 128-192-256 | 32 | 1998
Twofish | Feistel | 128 | 128-192-256 | 16 | 1998
RC6 | Feistel | 128 | 128-192-256 | 20 | 1998
MARS | Feistel | 128 | 128-192-256 | 32 | 1998

NESSIE Project (2000–2003)
New European Schemes for Signatures, Integrity and Encryption.
Submitted block ciphers:
• 64-bit block ciphers: CS-Cipher, Hierocrypt-L1, IDEA, Khazad, MISTY1, Nimbus
• 128-bit block ciphers: Anubis, Camellia, Grand Cru, Hierocrypt-3, Noekeon, Q, SC2000
• 160-bit block ciphers: SHACAL
• Variable-length block ciphers: NUSH (64, 128, and 256-bit), RC6 (at least 128-bit), SAFER++ (64 and 128-bit)
Submissions selected for the 2nd phase:
• IDEA, MISTY1, SAFER++, RC6: no modifications
• Khazad
• Camellia
• SHACAL-1 and SHACAL-2
Finally selected algorithms:
• MISTY1: Mitsubishi Electric Corp., Japan
• Camellia: Nippon Telegraph and Telephone Corp., Japan, and Mitsubishi Electric Corp., Japan (revised September 2001)
• SHACAL-2: Gemplus, France
• AES (Advanced Encryption Standard)* (USA FIPS 197)

The selected algorithms:
Algorithm | Round # | Key size | Block size | Structure | Year
MISTY1 | 8 (recommended) | 128 | 64 | Feistel | 1995
Camellia | 18 or 24 | 128, 192, 256 | 128 | Feistel | 2000
AES | 10, 12, 14 | 128, 192, 256 | 128 | SPN | 1998
SHACAL-2 | 64 | 128 to 512 | 256 | Cryptographic hash function | 2001
All six stream ciphers submitted to the NESSIE project failed.

CRYPTREC (2000–2003)
CRYPTography Research and Evaluation Committees.
Considered block ciphers, not submitted to CRYPTREC:
• 64-bit block ciphers: DES, Triple DES, RC2
• 128-bit block ciphers: AES, SEED
Considered block ciphers, submitted to CRYPTREC:
• 64-bit block ciphers: Hierocrypt-L1, MISTY1, CIPHERUNICORN-E
• 128-bit block ciphers: Camellia, CIPHERUNICORN-A, Hierocrypt-3, RC6 (withdrawn), SC2000
Recommended techniques:
• 64-bit block ciphers: CIPHERUNICORN-E, Hierocrypt-L1, MISTY1, 3-key Triple DES
• 128-bit block ciphers: AES, Camellia, CIPHERUNICORN-A, Hierocrypt-3, SC2000
128-bit block ciphers are preferred.

CRYPTREC recommended ciphers (latest report 2013)
• 64-bit block cipher: 3-key Triple DES – NIST SP 800-67 Revision 1 (January 2012)
• 128-bit block ciphers: AES – NIST FIPS PUB 197; Camellia – Algorithm specifications of the 128-bit block cipher Camellia (2nd version: September 26, 2001)
• Stream cipher: KCipher-2 – Stream Cipher KCipher-2 (February 1, 2010)

ECRYPT (2004–2008)
European Network of Excellence in Cryptology – led by Katholieke Universiteit Leuven (KUL).
Considered block ciphers:
• 64-bit block ciphers
  • DES (56-bit key length): widespread deployment, e.g. RFC 2406 (IPsec), RFC 2246 (TLS); key length inadequate for current use
  • 3DES (112-bit and 168-bit key length): widespread deployment, e.g. 112-bit 3DES widely used in financial applications, 168-bit 3DES featured within IPsec, SSL/TLS; for a 168-bit key, the attack complexity can be reduced down to 2^112 operations, and it reduces to 2^(120-t) operations if 2^t plaintext/ciphertext pairs are available
  • KASUMI, a variant of MISTY-1 (128-bit key length): deployed by the Universal Mobile Telecommunications System (UMTS); no security issue
  • Blowfish (32 to 448-bit key length): popular in IPsec configurations; no security issue
• 128-bit block ciphers
  • AES (128-bit, 192-bit and 256-bit key length): widespread deployment, included in TLS, S/MIME, IPsec, IEEE 802.11i; no security issue
  • Camellia (if a backup algorithm is desired)

ECRYPT II (2008–2013)
European Network of Excellence in Cryptology – led by Katholieke Universiteit Leuven (KUL).
In August 2008 the network started another 4-year phase as ECRYPT II. The activities of the ECRYPT II Network of Excellence are organized into three virtual laboratories, established as follows:
1. Symmetric techniques virtual lab (SymLab)
2. Secure and efficient implementations virtual lab (VAMPIRE)
3. Multi-party and asymmetric algorithms virtual lab (MAYA)
Each virtual lab within the ECRYPT Network of Excellence aims to promote and facilitate cryptographic research on a pan-European level.

Standardized block ciphers
ISO/IEC JTC 1 is Joint Technical Committee 1 of ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission), which was formed in 1987.
• Its purpose as a technical committee is to develop, maintain, promote, and facilitate standards in the fields of IT and ICT.
• The general scope of ISO/IEC JTC 1 is "International standardization in the field of Information Technology".
• The security of IT systems and information is one of the main scopes of ISO/IEC JTC 1, and is the working area of its Sub Committee 27.
• The block cipher has been approved for use by ISO/IEC JTC 1/SC 27 Information Technology - Security Techniques, STANDARD ISO/IEC 18033-3:2010 - Encryption algorithms (standard has been reviewed and then confirmed

Standardized block ciphers
• Sufficient security
• Efficient implementation on hardware or software
• Extent of the application
• Positive comments