
8/30/2013

Block Ciphers: Past and Present

Mohammad Dakhilalian
http://www.dakhilalian.iut.ac.ir

Isfahan University of Technology (IUT)
Electrical and Computer Engineering Department
and System Security Research Laboratory (CSSRL)

ISCISC 2013

August 2013

Outline
• Block ciphers review
• Cryptographic events
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary


Outline
• Block ciphers review
  • History of cryptography
  • Schemes of the block ciphers
  • Challenges & attacks
  • Standardized block ciphers
• Cryptographic events
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary

Classical crypto: the earliest known use of cryptography is about 1900 BC
Medieval crypto: 800-1800 AD
Crypto from 1800 to WWII
Modern crypto

Crypto can be seen everywhere


History of cryptography

Claude Elwood Shannon
Information Theory (1948-9)
"A Mathematical Theory of Communication"
"Communication Theory of Secrecy Systems"
• Diffusion
• Confusion
• Product ciphers

Symmetric ciphers

Symmetric key ciphers
• Block ciphers
• Stream


Block ciphers schemes
• SPN scheme (AES, )
• Feistel scheme (DES, )
• Lai-Massey scheme (IDEA )
[Figure: block diagrams of the schemes; labels x, S, P, y]

Evaluation of block ciphers
• Level of security
• Ease of implementation (low-cost, low power)
• Performance (throughput)
[Figure labels: Security, Low-cost, Throughput, Low-power]


When is a secure?

Answer: when these two black boxes are indistinguishable
[Figure: two black boxes with input x: E with key k, output E_k(x); and π, output π(x)]

Attacks efficiency
• Data complexity
• Memory complexity
• Time (computation) complexity


Kerckhoffs' Principle

The security of an system must depend only on the key, not on the secrecy of the algorithm.

Types of cryptanalytic attacks:
1. -only
2. Known-
3. Chosen-plaintext
4. Adaptive-chosen-plaintext attack
5. Chosen-ciphertext attack
6. Chosen-key
7. Rubber-hose


Generic attacks
• Codebook attack
• Exhaustive key search (brute force search)
• Time memory data trade off

Shortcut attacks
• Differential cryptanalysis
• Differential-Linear Cryptanalysis
• Impossible differential attack
• Related key attack
• Higher order differentials cryptanalysis
• Algebraic attack


Real and academic attacks
• Real attack: Block cipher can be broken in practice
  • Example:
    • Brute force attack on DES
• Academic attack: Block cipher behaves suboptimal
  • Example:
    • on AES with a computational complexity of ٢.2126

Outline
• Block ciphers review
• Cryptographic events
  • AES
  • NESSIE
  • CRYPTREC
  • ECRYPT
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary


AES (1997–2000)
Advanced Encryption Standard – By National Institute of Standards and Technology of the United States (NIST)

The algorithms were all to be block ciphers, supporting a block size of 128 bits and key sizes of 128, 192, and 256 bits.

Submitted block ciphers
• CAST-256
• CRYPTON
• DEAL
• DFC
• FROG
• HPC
• LOKI97
• MAGENTA
• MARS
• RC6
• Rijndael
• SAFER+
• Serpent
• TwoFish

AES finalists (in order of score)
• Rijndael
• Serpent
• Twofish
• RC6
• MARS

AES winner
• Rijndael

On November 26, 2001, NIST announced that AES was approved as FIPS PUB 197.

AES competition

AES finalists (in order of score)
• Rijndael: 86 positive, 10 negative (the winner)
• Serpent: 59 positive, 7 negative
• Twofish: 31 positive, 21 negative
• RC6: 23 positive, 37 negative
• MARS: 13 positive, 84 negative


NESSIE Project (2000–2003)
New European Schemes for Signatures, Integrity and Encryption

Submitted block ciphers
• 64-bit block ciphers
  • CS-Cipher
  • -L1, (revised September 2001).
  • IDEA
  • Khazad
  • MISTY1
• 128-bit block ciphers
  • Camellia
  • Hierocrypt-3
  • Noekeon
  • SC2000
• 160-bit block ciphers
  • SHACAL
• Variable length block ciphers
  • NUSH: 64, 128, and 256-bit
  • RC6: at least 128-bit
  • SAFER++: 64 and 128-bit

Submissions selected for 2nd Phase
• IDEA, MISTY1, SAFER++, RC6: no modifications
• Khazad
• Camellia
• SHACAL-1 and SHACAL-2

Finally selected algorithms
• MISTY1: Corp., Japan.
• Camellia: Nippon Telegraph and Telephone Corp., Japan and Mitsubishi Electric Corp., Japan.
• SHACAL-2: Gemplus, France.
• AES (Advanced Encryption Standard)* (USA FIPS 197).

AES competition

Algorithm   Structure   Block size   Key size      Round #    Year
Rijndael    SPN         128          128-192-256   10-12-14   1998
Serpent     SPN         128          128-192-256   32         1998
Twofish     Feistel     128          128-192-256   16         1998
RC6         Feistel     128          128-192-256   20         1998
MARS        Feistel     128          128-192-256   32         1998


NESSIE Project

The selected algorithms:

Algorithm   Round #           Key size      Block size   Structure                     Year
Misty1      8 (recommended)   128           64           Feistel                       1995
Camellia    18 or 24          128,192,256   128          Feistel                       2000
AES         10,12,14          128,192,256   128          SPN                           1998
SHACAL2     64                128 to 512    256          Cryptographic Hash function   2001

All six stream ciphers submitted to the NESSIE project failed

CRYPTREC (2000–2003)
Cryptography Research and Evaluation Committees

Considered block ciphers

Not submitted to CRYPTREC
• 64-bit block ciphers
  • DES
  • Triple DES
  • RC2
• 128-bit block ciphers
  • AES
  • SEED

Submitted to CRYPTREC
• 64-bit block ciphers
  • Hierocrypt-L1
  • MISTY1
  • CIPHERUNICORN-E
• 128-bit block ciphers
  • Camellia
  • CIPHERUNICORN-A
  • Hierocrypt-3
  • RC6 (withdrawn)
  • SC2000

Recommended techniques
• 64-bit block ciphers
  • CIPHERUNICORN-E
  • Hierocrypt-L1
  • MISTY1
  • 3-key Triple DES
• 128-bit block ciphers
  • AES
  • Camellia
  • CIPHERUNICORN-A
  • Hierocrypt-3
  • SC2000

128-bit block ciphers are preferred


CRYPTREC recommended ciphers (latest report 2013)

• 64-bit block cipher
  • 3-key Triple DES: NIST SP 800-67 Revision 1 (January 2012)
• 128-bit block cipher
  • AES: NIST FIPS PUB 197
  • Camellia: Algorithm specifications of 128-bits block cipher Camellia (2nd version: September 26, 2001)
• Stream cipher
  • KCipher-2: KCipher-2 (February 1, 2010)

ECRYPT (2004–2008)
European Network of Excellence in Cryptology – Led by Katholieke Universiteit Leuven (KUL)

Considered block ciphers
• 64-bit block ciphers
  • DES (56-bit key length)
    • Widespread deployment, e.g. RFC 2406 (IPsec), RFC 2246 (TLS)
    • Key length inadequate for current use
  • 3DES (112-bit and 168-bit key length)
    • Widespread deployment, e.g. 112-bit 3DES widely used in financial applications, 168-bit 3DES featured within IPsec, SSL/TLS
    • For 168-bit key, the attack complexity can be reduced down to 2^112 operations.
    • For 168-bit key, the attack complexity reduces to 2^(120-t) operations if 2^t plaintext/ciphertext pairs are available.
  • Kasumi as a variant of MISTY-1 (128-bit key length)
    • Deployed by Universal Mobile Telecommunications System (UMTS)
    • No security issue
  • (32 to 448-bit key length)
    • Popular in IPsec configurations.
    • No security issue
• 128-bit block ciphers
  • AES (128-bit, 192-bit and 256-bit key length)
    • Widespread deployment, included in TLS, S/MIME, IPsec, IEEE 802.11i
    • No security issue
  • Camellia (If a backup algorithm is desired)


ECRYPT II (2008–2013)
European Network of Excellence in Cryptology – Led by Katholieke Universiteit Leuven (KUL)

In August 2008 the network started another 4-year phase as ECRYPT II

The activities of the ECRYPT II Network of Excellence are organized into three virtual laboratories established as follows:
1- Symmetric techniques virtual lab (SymLab)
2- Secure and efficient implementations virtual lab (VAMPIRE)
3- Multi-party and asymmetric algorithms virtual lab (MAYA)

Each virtual lab within the ECRYPT Network of Excellence aims to promote and facilitate cryptographic research on a pan-European level.

Outline
• Block ciphers review
• Cryptographic events
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary


Standardized Block ciphers

ISO/IEC JTC 1 is Joint Technical Committee 1 of ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission), which was formed in 1987.
• Its purpose as a technical committee is to develop, maintain, promote, and facilitate standards in the fields of IT and ICT
• The general scope of ISO/IEC JTC 1 is "International standardization in the field of Information Technology"
• The security of IT systems and information is one of the main scopes of ISO/IEC JTC 1 which is the working area of its Sub Committee 27.

The block cipher has been approved for use by the ISO/IEC JTC 1/SC 27 Information Technology - Security Techniques

• STANDARD ISO/IEC 18033-3:2010 - Encryption algorithms (standard has been reviewed and then confirmed in 2013)
  • 64-bit block ciphers
    • TDEA
    • MISTY1
    • CAST-128
    • HIGHT
  • 128-bit block ciphers
    • AES
    • Camellia
    • SEED
• STANDARD ISO/IEC 29192-2:2012 - Lightweight cryptography
  • PRESENT
  • CLEFIA

Standardized block ciphers

• Sufficient security
• Efficient implementation on hardware or software
• Extent of the application
• Positive comments

How is a block cipher standardized?
The question is "Who knows?!"


Standardized block ciphers

• Encryption algorithms approved by NIST (National Institute of Standards and Technology of the United States), currently
  • AES
  • Triple DES (NIST SP 800-67 Revision 1, January 2012)
  • (Last revision on May 9, 2002)
• Encryption algorithms approved by FIPS (Federal Information Processing Standards)
  • AES
  • DES

On May 19, 2005 FIPS 46-3 was withdrawn by NIST so DES is no longer approved for Federal use.

Standardized block ciphers

• GOST block cipher, developed in 1970, is a Soviet and Russian government standard symmetric key block cipher.
• GOST was a Soviet alternative to the USA standard algorithm, DES; they are very similar in structure.
• Design of GOST was top secret until 1990 and after the dissolution of the USSR, in 1994, it was declassified and it was released to the public.
• GOST has been submitted to ISO standardization in 2010.
• ARIA block cipher, designed in 2003 by a large group of South Korean researchers, is selected by the Korean Agency for Technology and Standards (KATS, KS X 1213) and Ministry of Knowledge Economy as a standard cryptographic technique, in 2004.
• The name ARIA is taken from the initials of Academia, Research Institute and Agency, acknowledging the co-operative efforts of Korean researchers in designing ARIA.
• Most operations that ARIA uses are simple, byte-oriented ones like XOR in order to be competent in performance in lightweight environments.


Standardized block ciphers

• SEED is a Korean Government standard block cipher developed by the Korea Information Security Agency (KISA) and first published in 1998.
• It gained popularity in Korea because 40-bit SSL was not considered strong enough, so the Korea Information Security Agency developed its own standard.
• It is used broadly throughout South Korean industry, but seldom found elsewhere.
• SEED has been submitted to RFC in 2005 (RFC 4269).

Standardized block ciphers

• GOST has a 64-bit block size and a key length of 256 bits. GOST has a Feistel structure, but with addition modulo 2^32 for its round keys combination.
• SEED has a nested Feistel structure. Its block & key size are 128-bit.
• ARIA has a 128-bit block size with key size of 128, 192, or 256 bits and uses a SPN structure based on AES


Standardized block ciphers

What's RFC?
A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the Internet.
• The IETF adopts some of the proposals published as RFCs as Internet standards, so RFC does not specify a standard by itself.
• As far as we know there is no RFC on block ciphers & their applications which is finally approved by IETF.

Outline
• Block ciphers review
• Cryptographic events
• Standardized block ciphers
• Lightweight block ciphers
  • Challenges & general considerations
  • New approaches in lightweight block ciphers
  • Hardware & Software implementation efforts
• On practical security of block ciphers
• Summary


Lightweight block ciphers

Small embedded devices (including smart cards, RFIDs, sensor nodes) are characterized by strong cost constraints.

Lightweight ciphers are a solution to the security requirements of such devices

Lightweight block ciphers design considerations

[Figure labels: Security, Throughput, Low-cost, Low-power]

ASIC Vs. Microcontroller
• ASIC: Number of gate-equivalents (a unit of manufacturing-technology-independent complexity of digital electronic circuits)
  • Have very small hardware implementations (ASIC)
• Microcontroller: Usage of RAM & ROM
  • Have software implementations on small, low-power microcontrollers, with minimal flash and SRAM usage


Lightweight Crypto is under consideration by ECRYPT II

• VAMPIRE: Latest report on July 2010 (Hardware implementation & benchmarking)
• SymLab: Final report on October 2012 (Software implementation & benchmarking)

The goal is to extend the benchmarking of lightweight and standard ciphers, and to make their implementation available under an open-source license.

Hardware implementation constraints and considerations

• Using the same target technologies, and synthesis tools (whenever possible).
• The throughput must be measured under a certain speed (frequency), usually set to 100kHz.
• The ultimate goal is to provide the smallest possible (in gate-equivalents) implementation of cipher.

One important consideration is the extent to which an algorithm can be serialized in hardware


Performance of the ASIC implementation reported by ECRYPT II

The most compact ASIC implementation results reported until December 2010.

Cipher     Block size   Key size   Area    Speed            Mean power   Technology
           (bits)       (bits)     (#GE)   (kbps@100 kHz)   (µW)         (µm)
AES        128          128        3100    80.0             -            0.13
CLEFIA     128          128        4950    355.6            -            0.09
DES        64           56         2300    44.4             -            0.18
DESXL      64           184        2168    44.4             1.6          0.18
HIGHT      64           128        3048    188.2            -            0.25
KASUMI     64           128        6000    ?                -            -
KATAN      64           80         1054    25.1             0.555        0.13
KATAN      32           80         802     12.5             0.381        0.13
KTANTAN    64           80         688     25.1             0.292        0.13
KTANTAN    32           80         462     12.5             0.146        0.13
mCRYPTON   64           128        2500    492.3            -            0.13
PRESENT    64           80         1000    11.4             11.20        0.35
SEA        96           96         449     ?                3.218        0.13
XTEA       64           128        3490    57.1             19.5         0.13

Performance of the ASIC implementation - Area

[Figure: bar chart of area (gate-equivalents) for AES, DESXL, HIGHT, KATAN-64, mCRYPTON, PRESENT, XTEA, DES, DESL, KTANTAN-64, CLEFIA, SEA]

Throughputs have been measured with a clock speed of 100kHz


Performance of the ASIC implementation - Throughput

[Figure: bar chart of throughput (kbps) for AES, DESXL, HIGHT, KATAN-64, mCRYPTON, PRESENT, XTEA, DES, DESL, KTANTAN-64, CLEFIA, SEA]

Performance of the ASIC implementation - Combined metric

[Figure: bar chart of combined metric (bps/GE) for AES, DESXL, HIGHT, KATAN-64, mCRYPTON, PRESENT, XTEA, DES, DESL, KTANTAN-64, CLEFIA, SEA]

Combined metric shows a balance between speed and area. Note that a better combined score does not necessarily mean that it is a better design


Performance of the ASIC implementation: Throughput Vs. Area

[Figure: scatter plot of throughput (Kbps) against area (number of gate-equivalents); labelled points: mCRYPTON, CLEFIA, PICCOLO-128, HIGHT, KTANTAN-64, PRESENT, AES, GOST, DESL, DESXL, XTEA, DES, PRINT-96, LED-128]

Software implementation of lightweight block ciphers

Investigated Ciphers by the final report of SymLab

• AES (block size 128; key size 128 (192, 256)): for low-cost application, the typical choice is to support only the key size of 128 bits
• DESXL (block size 64; key size 184): a variant of DES; the main goal of the developer was a low gate count in hardware implementations
• HIGHT (block size 64; key size 128): a variant of the generalized Feistel network; composed of: XOR, mod 2^8 additions, rotations
• IDEA (block size 64; key size 128): complex scheduling; composed of: XOR, addition modulo 2^16, multiplication modulo 2^16 + 1
• KASUMI (block size 64; key size 128): derived from MISTY1; used as a generator in the UMTS, GSM, and GPRS mobile systems
• KATAN(TAN) (block size 64 (32, 48); key size 80): resembles that of a stream cipher, consisting of shift registers and non-linear feedback functions
• mCrypton (block size 64; key size 96 (64, 128)): consists of 12 AES-like round transformations; only 96-bit key length is considered
• NOEKEON (block size 128; key size 128): round function bases only on bit-wise Boolean operations and cyclic shifts; self-inverse structure
• PRESENT (block size 64; key size 80): a lightweight version of SERPENT
• SEA (block size 96; key size 96)
• TEA (block size 64; key size 128): involves no S-box! Serious weakness to the related-key attack

SEA ?
Why not XTEA ?


Software implementation constraints and considerations

• The has to be written in assembly. Both encryption and decryption routines have to be implemented.

• The cipher has to be implemented in a low-cost way, minimizing the code size and the data-memory use.

• In order to minimize the data-memory use, the has to be computed "on-the-fly". The computation of the key schedule is always included in the algorithm evaluations.

• The target device is the 8-bit microcontroller ATtiny45 from the ATMEL AVR device family. The encryption and decryption routines are called by a common interface.

The basic metrics considered for evaluation are: code size (ROM), number of RAM words, cycle count in encryption and decryption (inversely proportional to throughput) and energy consumption.

Performance of the software implementation – ROM & RAM usage


Performance of the software implementation – speed & energy

Energy consumption is about 0.4×10^-3 µJ per cycle (for ATtiny45)


Performance of the software implementation – combined metric



Performance of the software implementation: speed Vs. memory

[Figure: scatter plot of cycle count (encryption, ×10^5) against code size; labelled points: DESXL, KATAN, SEA, NOEKEON, HIGHT, mCrypton, PRESENT, KASUMI, TEA, IDEA, KLEIN, AES]

ASIC & Software implementation – Throughput(speed) Vs. Cost

[Figure: the ASIC plot of throughput (Kbps) against area (number of gate-equivalents) beside the software plot of cycle count (encryption) against code size]


Lightweight block cipher design considerations

• Have very small hardware implementations (ASIC)
• Have software implementations on small, low-power microcontrollers, with minimal flash and SRAM usage
• It should be flexible enough not just to be implemented efficiently on a variety of platforms, but also to allow for a variety of implementations on a single platform

SIMON & SPECK families are the latest lightweight block ciphers which are delivered by the NSA researchers in June 2013. Their most notable feature is the flexibility


SIMON structure

SIMON is great for hardware implementation

SIMON & SPECK performance comparison

[Figure: the ASIC plot of throughput (Kbps) against area (number of gate-equivalents) beside the software plot of cycle count (encryption, ×10^5) against code size, with SIMON 64/96 and SPECK 64/96 marked]

SIMON 64/96:
• GE(838), Throughput (17.8 kbps) for 100kHz clock speed
• ROM(274), RAM(0), Throughput (540 kbps) = 2912 cycle on a 16MHz processor

SPECK 64/96:
• GE(984), Throughput (14.5 kbps) for 100kHz clock speed
• ROM(182), RAM(0), Throughput (888 kbps) = 1771 cycle on a 16MHz processor


Throughput Vs. Cost - Software Vs. Hardware – what's important?

[Figure: the ASIC plot of throughput (Kbps) against area (number of gate-equivalents) beside the software plot of cycle count (encryption, ×10^5) against code size, with SIMON 64/96 and SPECK 64/96 marked]

• ASIC implementation: Area is almost everything. However there is a serious trade-off between the Area and Throughput
• Software implementation: Major part of cost is the cost of processor (rather than storage), thus for a certain target a higher throughput seems more acceptable

Outline
• Block ciphers review
• Cryptographic events
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
  • Physical limitations
  • Security considerations in block ciphers design
• Summary


Physical limitations

• An attacker has limited resources
  • Time
  • Money
• Or
  • Memory (Bits)
  • Computing power (MIPS)

Physical limitations

What are the physical limits of memory and computing?

Suppose we able to make one bit memory by only one atom!!?

Estimated number of atoms in the   Atoms
Earth
Entire observable universe
Whole universe


Physical limitations

An ultimate laptop!! Physical limits of computation
Weight: 1KG, Volume: 1Liter

Energy limits speed
• Time-energy Heisenberg uncertainty: a system with average energy E can perform a maximum of 2E/πℏ logical operations per second
• E = mc^2 = 8.98×10^16
• Speed of ultimate laptop is limited by 5.42×10^50 ≈ 2^168 logical operations per second.

Entropy limits memory
• S ≤ 2.04×10^8 joule/K
• S = I k_B ln 2
• Available memory space of ultimate laptop: I ≤ 2.13×10^31 ≈ 2^104 bit

A typical state of the ultimate laptop looks like a plasma at a billion degrees Kelvin!!!
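The two ultimate-laptop bounds can be recomputed from physical constants. The following is an added example, not part of the original slides: it reproduces the slide's speed and memory figures and, going one step beyond the slide, converts the speed bound into worst-case exhaustive key search times under the assumption (favourable to the attacker) that one key trial costs a single logical operation. The function names and the key sizes tried are choices made for this example.

```python
import math

# Physical constants (SI units, CODATA 2018)
C = 299_792_458.0          # speed of light, m/s
HBAR = 1.054571817e-34     # reduced Planck constant, J*s
K_B = 1.380649e-23         # Boltzmann constant, J/K
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def max_ops_per_second(mass_kg):
    """Slide's speed bound: at most 2E / (pi * hbar) operations/s, E = m c^2."""
    energy_joule = mass_kg * C ** 2
    return 2.0 * energy_joule / (math.pi * HBAR)


def max_memory_bits(entropy_joule_per_kelvin):
    """Slide's memory bound: S = I * k_B * ln 2, solved for I (bits)."""
    return entropy_joule_per_kelvin / (K_B * math.log(2))


def key_search_years(key_bits, ops_per_second, ops_per_trial=1):
    """Worst-case exhaustive key search time in years.

    ops_per_trial=1 is an assumption of this example that favours the
    attacker: a real trial encryption costs far more than one operation.
    """
    seconds = (2 ** key_bits) * ops_per_trial / ops_per_second
    return seconds / SECONDS_PER_YEAR


def summarize(mass_kg=1.0, entropy=2.04e8, key_sizes=(56, 80, 128, 192, 256)):
    """Return (speed bound, memory bound, {key size: search time in years})."""
    ops = max_ops_per_second(mass_kg)
    bits = max_memory_bits(entropy)
    table = {k: key_search_years(k, ops) for k in key_sizes}
    return ops, bits, table


if __name__ == "__main__":
    ops, bits, table = summarize()
    print(f"speed bound : {ops:.3e} ops/s (2^{math.log2(ops):.1f})")
    print(f"memory bound: {bits:.3e} bits (2^{math.log2(bits):.1f})")
    for k, years in table.items():
        print(f"{k:3d}-bit key : {years:.3e} years")
```

Against this theoretical machine a 128-bit key space is exhausted in well under a second, while a 256-bit key space still needs on the order of 10^18 years.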


Physical limitations

The physical limits of computing:

Estimated mass of the        Kg   Maximum memory (bits)   Operations/sec
Earth
Entire observable universe
Whole universe


Security considerations in block ciphers design

How to determine:

• Block size
• Key size
• Relation between key and block size
• Number of rounds

Security considerations (block size)


Security considerations (key size)

Attacker classification (ECRYPT2 report):
• Hacker: using a $0 budget and standard PC(s), or possibly a few $100 spent on FPGA hardware.
• Small organization: with a $10k budget and FPGA(s).
• Medium organization: $300k budget and FPGA and/or ASIC.
• Large organization: a $10M budget and FPGA/ASIC.
• Intelligence agency: $300M budget and ASIC.

Security considerations (key size)

ECRYPT2 (2012) recommends the following minimum key sizes to protect against different attackers:

Only gives very basic protection (a few months)


Security considerations (key size)

An 80-bit level appears to be the smallest minimum level as with current knowledge, it protects against the most reasonable and threatening attack (key-search)

ECRYPT II report (2012)

Security considerations (key size)

Security levels - Effective key size (ECRYPT II-2012)


Security considerations (relation between key and block size)


Security considerations (number of rounds)

Knudsen (2000):

Algorithm   Actual round   Minimum rounds (Knudsen)
DES         16             21
Blowfish    16             16
IDEA        8              8
LOKI'91     16             16
RC5         12             26
SAFER K     6              8
SKIPJACK    32             32
GOST        32             32
Serpent     32             32
Rijndael    10             16
Twofish     16             32


Security considerations (number of rounds)

Note: There is no theory on the number of rounds but cryptographers give a guideline for the number of rounds for block ciphers (based on the structures, design methods and the known attacks)

Summary:
• Block ciphers review
  History of cryptography, schemes of the block ciphers, challenges & attacks, standardized block ciphers.
• Cryptographic events
  AES, NESSIE, CRYPTREC, ECRYPT
• Standardized block ciphers
• Lightweight block ciphers
  Challenges & general considerations, new approaches in lightweight block ciphers, hardware & software implementation efforts
• On practical security of block ciphers
  Physical limitations, security considerations in block ciphers design (key size, block size, relation between key and block size, number of rounds)

Acknowledgements

Thanks to Mr. Shakiba for his help in preparing the presentation

Thank you for your attention
