DOCSLIB.ORG

Compact Reconfigurable Architecture for Sosemanuk Stream Cipher

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

International Journal of Engineering and Advanced Technology (IJEAT) ISSN: 2249 – 8958, Volume-9 Issue-3, February, 2020 Compact Reconfigurable Architecture for Sosemanuk Stream Cipher Nagnath B. Hulle, Prathiba B, Sarika R Khope Sosemanuk is one of the finalists in Profile 1 (software) Abstract: Sosemanuk is word oriented synchronous stream ciphers selected for the eSTREAM Portfolio [2]. Looking at cipher capable to produce 32 bit ciphertext. It uses variable key current design platforms such as System on Chips (SoCs), it is from 128 bit to 256 bit and publically known Initialization Vector difficult to differentiate between hardware and software part (IV) of 128 bit. Sosemanuk is one of the finalists in Profile 1 of the eSTREAM Portfolio. This cipher targets to avoid structural of the system. These trends are increasing demand for properties of SNOW2.0 to improve its efficiency by reducing the hardware implementation of software based stream ciphers. internal state size. It also uses reduced round Serpent24 block Considering SOC design aspects proposed work considers cipher to provide secure and efficient key loading process. This hardware implementation of software based stream cipher paper presents compact architecture for Sosemanuk stream Sosemanuk [3]. cipher. The proposed architecture uses compact S-box This cipher is 32 bit word oriented synchronous stream architecture and compact modulo adders designed using CLA. The proposed compact S-box minimizes resources utilized without cipher designed by Come Berbain et al. [4] to use best affecting performance. Proposed modulo adder architecture properties of block and stream ciphers. It provides good minimizes resources used as compared to conventional CLA security by using combined effect of SNOW2.0 [5] stream implementation. The algorithm was designed by using VHDL cipher and Serpent block cipher [6]. Two versions of reduced language with CAD tool Xilinx ISE design suite 13.2 and round Serpent block ciphers are used in the design as implemented on Xilinx Virtex XC5VFX100E FPGA device. The proposed architecture achieved throughput of 4.281 Gbps at clock Serpent1 and Serpent24. Serpent1 is single round Serpent frequency of 133.788 MHz algorithm used at output stage during encryption and Keywords: Compact, FPGA, modulo adders, Stream Cipher, Serpent24 is 24 round Serpent algorithm used during Sosemanuk. initialization phase of Sosemanuk. This cipher uses variable key length between 128 bits to 256 bits [4]. I. INTRODUCTION Reconfigurable devices such as FPGAs are a highly New European Schemes for Signatures, Integrity and attractive option for a hardware implementation as they Encryption (NESSIE) project was started in the year 2000 to provide the flexibility of dynamic system evolution as well as identify new secure cryptographic algorithms [1]. During the the ability to easily implement a wide range of security algorithm selection process only block ciphers were functions/algorithms. It appears to be especially relevant to selected in its final portfolio. Attacks published on stream focus on high-throughput implementations for FPGA-based ciphers during this project were not practical and big question encryption [7]. rose on security of stream ciphers. The failure result of all 6 The paper is organized in following sections. Section II stream ciphers in NESSIE project evolved eSTREAM project describes the specifications and working of Sosemanuk coordinated by European Network of Excellence in stream cipher. Section III presents proposed architecture for Cryptology (ECRYPT). The project was started in year 2004 Sosemanuk stream cipher. The VLSI implementation, its to inspire new effective hardware as well as software based results are discussed in Section IV and Section V concludes stream cipher designs. This project was not a competition for the proposed work. deciding standards as in case of DES and AES, but the main focus of the project is to find auspicious stream ciphers. After II. SPECIFICATIONS AND WORKING OF rigorous security testing against various attacks, seven stream SOSEMANUK STREAM CIPHER cipher algorithms were announced in in final of eSTREAM Sosemanuk stream cipher consists of main three modules, project [2]. SNOW 2.0, Serpent24 and Serpent1 as shown in Figure 1. A. SNOW 2.0 Sosemanuk [4] uses SNOW 2.0 [5] by modifying in some Revised Manuscript Received on February 05, 2020. aspects for better security and improved performance. Linear *Corresponding Author Feedback Shift Register (LFSR) used in SNOW 2.0 consists Nagnath Bhagwat Hulle, Associate. Prof., G. H. Raisoni Institute of Engineering & Technology, Pune, India. of 16 stages each of 32 bit providing 512 bits of internal E-mail: [email protected] states. The aim of Sosemanuk is to provide 128 bit security, Prathiba B, Asst. Prof., G. H. Raisoni Institute of Engineering & Technology, Pune, India. E-mail: [email protected] Sarika R Khope, Asst. Prof., G. H. Raisoni Institute of Engineering & Technology, Pune, India. E-mail: [email protected] Published By: Retrieval Number: C5252029320/2020©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijeat.C5252.029320 607 & Sciences Publication Compact Reconfigurable Architecture for Sosemanuk Stream Cipher so shorter LFSR will do the task. LFSR with length of 8 will is bitwise XOR operation be vulnerable to guess and determine attack. Internal states M is 0x54655307 hexadecimal constant value. must be ≥ 384 bits to avoid above attack. Sufficient level of ⊞ integer addition over GF(232) security is achieved by using LFSR with 10 stages and two 32 <<< 7 is bitwise rotation of 32 bit value by 7 bit bit stages are used from Finite State Machine (FSM), as R1 B. Serpent1 and R2 as shown in Figure 2. This modification in the SNOW 2.0 provides requisite security with less hardware [4]. Serpent1 is single round Serpent block cipher without key Key IV addition and linear transformation. This algorithm takes four 32 bit inputs in bitslice mode and S-Box used in this algorithm 256 128 is S2 [2, 4]. Y_2_18 C. Serpent24 Y_0_18 Y_3_12 Y_3_18 Serpent24 Y_2_24 Y_0_12 Y_1_12 Y_2_12 Y_1_18 Y_1_24 Y_1_24 Y_3_24 Serpent24 is 24 round block cipher used for initializing S9_Init S8_Init S5_Init S4_Init S3_Init S1_Init LFSR, R1 and R2. This block cipher provides secure 384 bits internal states to Sosemanuk stream cipher. Architecture of S10_Init Serpent24 is as shown in Figure 3 and this architecture R1_Init SNOW 2.0 provides initial values to all internal states Sosemanuk [2, 4]. R2_Init IV (128 bit) Key (128 bit) Padding (128 bit) FSM Out S0 Out W-8 W-7 W-6 W-5 W-4 W-3 W-2 W-1 Serpent1 Round 0 K0 W0 W1 . Keystream 18 Y3 . 18 Y2 . 18 Wi (Wi - 8 Wi 5 Wi 3 Y1 Round 12 W98 18 W99 Figure 1. Sosemanuk Block Diagram Y0 Wi 1 i) 11 k0 18 Y3 k1 18 Y2 . 18 Round 18 . α -1 Y1 18 S-boxes . Y0 α . k98 k99 S9 S8 S7 S6 S5 S4 S3 S2 S1 S0 K23 k0 k1 k2 k3 Round 23 K1 . K24 . K23 24 K24 Y3 24 Y2 24 24 24 24 24 Y3 , Y2 , Y1 , Y0 MUX Y1 24 Y0 Figure 3. Serpent24 architecture Key stream Serpent1 Working of Sosemanuk stream cipher is divided into two phases, initialization phase and working phase. R1 Trans R2 1. Initialization phase During this phase 128 bit IV and 256 bit key are applied to the Serpent24 as shown in Figure 3. Serpent24 architecture is Figure 2. Sosemanuk architecture used for secure internal state generation. Complete working of The feedback polynomial used must be as light as possible Serpent is divided into two parts, round key generation and to have improved performance. Sosemanuk uses feedback round operations. polynomial given by equation (1) and it is lighter than Round key generation part takes 256 bit key and divides it feedback polynomial used 2.0 [4]. into eight initial words. Using initial eight words on equation (3), 100 sub words are produced. (x) x10 1 x 7 x 1 F [X ] 232 (1) Wi (Wi -8Wi 5Wi 3Wi 1 i) 11 This polynomial is primitive polynomial having maximal (3) sequence of (2320-1). Where, Φ is the fractional part of the golden ratio Finite State Machine (FSM) of Sosemanuk takes input ( 5 1) / 2 or 0x9e3779b9 in hexadecimal form. from S , S , S , R and R and delivers output FSM for t > 9 7 1 1t-1 2t-1 t These 100 sub words are applied over S-boxes [6] to 0 as given by equation (2). produce 100 sub keys. These keys are concatenated to FSMt = (R [S ⊞ R ] 2t 9 1t (2) produce 25 round keys. Where, During round operations each round of serpent24 is as shown in Figure 4 and performs three tasks, round key R1 [R2 ⊞ ((S ) or (S S ))] , selection of S t t1 1 1 7 1 addition, S-box implementation and linear transformation. or (S1 or S1 S7 ) is decided by is decided by select line Working of first 24 rounds is same but last round does not (LSB (R1t-1)) of the multiplexer. uses S-box and linear transformation. R 2t-1 = Trans (R 1t-1 ) Trans (R ) = (M * R ) mod 232 7 1t-1 1t-1 Published By: Retrieval Number: C5252029320/2020©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijeat.C5252.029320 608 & Sciences Publication International Journal of Engineering and Advanced Technology (IJEAT) ISSN: 2249 – 8958, Volume-9 Issue-3, February, 2020 First 24 rounds use respective round key to perform XOR 12 12 12 12 (S , S , S , S ) (Y ,Y ,Y ,Y ) operation with input data at each round. The result of XOR 7 8 9 10 3 2 1 0 operation is passed to S-boxes. The selection of S-box from 18 18 (S5 , S6 ) (Y1 ,Y3 ) S0 to S7 for each round is defined in [6] and these S-boxes are 24 24 24 24 implemented as lookup tables.
Recommended publications
  • GCM) for Confidentiality And

    GCM) for Confidentiality And

    NIST Special Publication 800-38D Recommendation for Block DRAFT (April, 2006) Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication Morris Dworkin C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation. i Table of Contents 1 PURPOSE...........................................................................................................................................................1 2 AUTHORITY.....................................................................................................................................................1 3 INTRODUCTION..............................................................................................................................................1 4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS.................................................................................2 4.1 DEFINITIONS AND ABBREVIATIONS .............................................................................................................2 4.2 SYMBOLS ....................................................................................................................................................4 4.2.1 Variables................................................................................................................................................4
  • Recommendation for Block Cipher Modes of Operation Methods

    Recommendation for Block Cipher Modes of Operation Methods

    NIST Special Publication 800-38A Recommendation for Block 2001 Edition Cipher Modes of Operation Methods and Techniques Morris Dworkin C O M P U T E R S E C U R I T Y ii C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 December 2001 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary of Commerce for Technology National Institute of Standards and Technology Arden L. Bement, Jr., Director iii Reports on Information Security Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
  • Security in Wireless Sensor Networks Using Cryptographic Techniques

    Security in Wireless Sensor Networks Using Cryptographic Techniques

    American Journal of Engineering Research (AJER) 2014 American Journal of Engineering Research (AJER) e-ISSN : 2320-0847 p-ISSN : 2320-0936 Volume-03, Issue-01, pp-50-56 www.ajer.org Research Paper Open Access Security in Wireless Sensor Networks using Cryptographic Techniques Madhumita Panda Sambalpur University Institute of Information Technology(SUIIT)Burla, Sambalpur, Odisha, India. Abstract: -Wireless sensor networks consist of autonomous sensor nodes attached to one or more base stations.As Wireless sensor networks continues to grow,they become vulnerable to attacks and hence the need for effective security mechanisms.Identification of suitable cryptography for wireless sensor networks is an important challenge due to limitation of energy,computation capability and storage resources of the sensor nodes.Symmetric based cryptographic schemes donot scale well when the number of sensor nodes increases.Hence public key based schemes are widely used.We present here two public – key based algorithms, RSA and Elliptic Curve Cryptography (ECC) and found out that ECC have a significant advantage over RSA as it reduces the computation time and also the amount of data transmitted and stored. Keywords: -Wireless Sensor Network,Security, Cryptography, RSA,ECC. I. WIRELESS SENSOR NETWORK Sensor networks refer to a heterogeneous system combining tiny sensors and actuators with general- purpose computing elements. These networks will consist of hundreds or thousands of self-organizing, low- power, low-cost wireless nodes deployed to monitor and affect the environment [1]. Sensor networks are typically characterized by limited power supplies, low bandwidth, small memory sizes and limited energy. This leads to a very demanding environment to provide security.
  • Block Ciphers

    Block Ciphers

    BLOCK CIPHERS MTH 440 Block ciphers • Plaintext is divided into blocks of a given length and turned into output ciphertext blocks of the same length • Suppose you had a block cipher, E(x,k) where the input plaintext blocks,x, were of size 5-bits and a 4-bit key, k. • PT = 10100010101100101 (17 bits), “Pad” the PT so that its length is a multiple of 5 (we will just pad with 0’s – it doesn’t really matter) • PT = 10100010101100101000 • Break the PT into blocks of 5-bits each (x=x1x2x3x4) where each xi is 5 bits) • x1=10100, x2= 01010, x3=11001, x4=01000 • Ciphertext: c1c2c3c4 where • c1=E(x1,k1), c2=E(x2,k2), c3=E(x3,k3), c4=E(x4,k4) • (when I write the blocks next to each other I just mean concatentate them (not multiply) – we’ll do this instead of using the || notation when it is not confusing) • Note the keys might all be the same or all different What do the E’s look like? • If y = E(x,k) then we’ll assume that we can decipher to a unique output so there is some function, we’ll call it D, so that x = D(y,k) • We might define our cipher to be repeated applications of some function E either with the same or different keys, we call each of these applications “round” • For example we might have a “3 round” cipher: y Fk x E((() E E x, k1 , k 2)), k 3 • We would then decipher via 1 x Fk (,, y) D((() D D y, k3 k 2) k 1) S-boxes (Substitution boxes) • Sometimes the “functions” used in the ciphers are just defined by a look up table that are often referred to “S- boxes” •x1 x 2 x 3 S(x 1 x 2 x 3 ) Define a 4-bit function with a 3-bit key 000
  • Chapter 4 Symmetric Encryption

    Chapter 4 Symmetric Encryption

    Chapter 4 Symmetric Encryption The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are privacy and authenticity of the communicated data. The present chapter looks at privacy, Chapter ?? looks at authenticity, and Chapter ?? looks at providing both together. Chapters ?? and ?? describe tools we shall use here. 4.1 Symmetric encryption schemes The primitive we will consider is called an encryption scheme. Such a scheme speci¯es an encryption algorithm, which tells the sender how to process the plaintext using the key, thereby producing the ciphertext that is actually transmitted. An encryption scheme also speci¯es a decryption algorithm, which tells the receiver how to retrieve the original plaintext from the transmission while possibly performing some veri¯cation, too. Finally, there is a key-generation algorithm, which produces a key that the parties need to share. The formal description follows. De¯nition 4.1 A symmetric encryption scheme SE = (K; E; D) consists of three algorithms, as follows: ² The randomized key generation algorithm K returns a string K. We let Keys(SE) denote the set of all strings that have non-zero probability of be- ing output by K. The members of this set are called keys. We write K Ã$ K for the operation of executing K and letting K denote the key returned. ² The encryption algorithm E takes a key K 2 Keys(SE) and a plaintext M 2 f0; 1g¤ to return a ciphertext C 2 f0; 1g¤ [ f?g.
  • Improved Correlation Attacks on SOSEMANUK and SOBER-128

    Improved Correlation Attacks on SOSEMANUK and SOBER-128

    Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of Technology Department of Information and Computer Science, Espoo, Finland 24th March 2009 1 / 35 SOSEMANUK Attack Approximations SOBER-128 Outline SOSEMANUK Attack Method Searching Linear Approximations SOBER-128 2 / 35 SOSEMANUK Attack Approximations SOBER-128 SOSEMANUK (from Wiki) • A software-oriented stream cipher designed by Come Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cedric` Lauradoux, Marine Minier, Thomas Pornin and Herve` Sibert. • One of the final four Profile 1 (software) ciphers selected for the eSTREAM Portfolio, along with HC-128, Rabbit, and Salsa20/12. • Influenced by the stream cipher SNOW and the block cipher Serpent. • The cipher key length can vary between 128 and 256 bits, but the guaranteed security is only 128 bits. • The name means ”snow snake” in the Cree Indian language because it depends both on SNOW and Serpent. 3 / 35 SOSEMANUK Attack Approximations SOBER-128 Overview 4 / 35 SOSEMANUK Attack Approximations SOBER-128 Structure 1. The states of LFSR : s0,..., s9 (320 bits) −1 st+10 = st+9 ⊕ α st+3 ⊕ αst, t ≥ 1 where α is a root of the primitive polynomial. 2. The Finite State Machine (FSM) : R1 and R2 R1t+1 = R2t ¢ (rtst+9 ⊕ st+2) R2t+1 = Trans(R1t) ft = (st+9 ¢ R1t) ⊕ R2t where rt denotes the least significant bit of R1t. F 3. The trans function Trans on 232 : 32 Trans(R1t) = (R1t × 0x54655307 mod 2 )≪7 4. The output of the FSM : (zt+3, zt+2, zt+1, zt)= Serpent1(ft+3, ft+2, ft+1, ft)⊕(st+3, st+2, st+1, st) 5 / 35 SOSEMANUK Attack Approximations SOBER-128 Previous Attacks • Authors state that ”No linear relation holds after applying Serpent1 and there are too many unknown bits...”.
  • Public Evaluation Report UEA2/UIA2

    Public Evaluation Report UEA2/UIA2

    ETSI/SAGE Version: 2.0 Technical report Date: 9th September, 2011 Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 4: Design and Evaluation Report LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 1 of 43 Document 4: Design and Evaluation report. Version 2.0 Document History 0.1 20th June 2010 First draft of main technical text 1.0 11th August 2010 First public release 1.1 11th August 2010 A few typos corrected and text improved 1.2 4th January 2011 A modification of ZUC and 128-EIA3 and text improved 1.3 18th January 2011 Further text improvements including better reference to different historic versions of the algorithms 1.4 1st July 2011 Add a new section on timing attacks 2.0 9th September 2011 Final deliverable LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 2 of 43 Document 4: Design and Evaluation report. Version 2.0 Reference Keywords 3GPP, security, SAGE, algorithm ETSI Secretariat Postal address F-06921 Sophia Antipolis Cedex - FRANCE Office address 650 Route des Lucioles - Sophia Antipolis Valbonne - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 X.400 c= fr; a=atlas; p=etsi; s=secretariat Internet [email protected] http://www.etsi.fr Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
  • A New Stream Cipher HC-256

    A New Stream Cipher HC-256

    A New Stream Cipher HC-256 Hongjun Wu Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singapore 119613 [email protected] Abstract. Stream cipher HC-256 is proposed in this paper. It generates keystream from a 256-bit secret key and a 256-bit initialization vector. HC-256 consists of two secret tables, each one with 1024 32-bit elements. The two tables are used as S-Box alternatively. At each step one element of a table is updated and one 32-bit output is generated. The encryption speed of the C implementation of HC-256 is about 1.9 bit per clock cycle (4.2 clock cycle per byte) on the Intel Pentium 4 processor. 1 Introduction Stream ciphers are used for shared-key encryption. The modern software efficient stream ciphers can run 4-to-5 times faster than block ciphers. However, very few efficient and secure stream ciphers have been published. Even the most widely used stream cipher RC4 [25] has several weaknesses [14, 16, 22, 9, 10, 17, 21]. In the recent NESSIE project all the six stream cipher submissions cannot meet the stringent security requirements [23]. In this paper we aim to design a very simple, secure, software-efficient and freely-available stream cipher. HC-256 is the stream cipher we proposed in this paper. It consists of two secret tables, each one with 1024 32-bit elements. At each step we update one element of a table with non-linear feedback function. Every 2048 steps all the elements of the two tables are updated.
  • Enhancing Hierocrypt-3 Performance by Modifying Its S- Box and Modes of Operations

    Enhancing Hierocrypt-3 Performance by Modifying Its S- Box and Modes of Operations

    Journal of Communications Vol. 15, No. 12, December 2020 Enhancing Hierocrypt-3 Performance by Modifying Its S- Box and Modes of Operations Wageda I. El Sobky1, Ahmed R. Mahmoud1, Ashraf S. Mohra1, and T. El-Garf 2 1 Benha Faculty of Engineering, Benha University, Egypt 2 Higher Technological Institute 10th Ramadan, Egypt Email: [email protected]; [email protected]; Abstract—Human relationships rely on trust, which is the The Substitution box (S-Box) is the unique nonlinear reason that the authentication and related digital signatures are operation in block cipher, and it determines the cipher the most complex and confusing areas of cryptography. The performance [3]. The stronger S-Box, the stronger and Massage Authentication Codes (MACs) could be built from more secure algorithm. By selecting a strong S-Box, the cryptographic hash functions or block cipher modes of nonlinearity and complexity of these algorithms increases operations. Substitution-Box (S-Box) is the unique nonlinear operation in block ciphers, and it determines the cipher and the overall performance is modified [4]. This change performance. The stronger S-Box, the stronger and more secure will be seen here on the Hierocrypt-3 [5] as an example the algorithm. This paper focuses on the security considerations of block ciphers. for MACs using block cipher modes of operations with the The S-Box construction is a major issue from initial Hierocrypt-3 block cipher. the Hierocrypt-3 could be considered days in cryptology [6]-[8]. Use of Irreducible as a week cipher. It could be enhanced by changing its S-Box Polynomials to construct S-Boxes had already been with a new one that has better performance against algebraic adopted by crypto community [9].
  • Bahles of Cryptographic Algorithms

    Bahles of Cryptographic Algorithms

    Ba#les of Cryptographic Algorithms: From AES to CAESAR in Soware & Hardware Kris Gaj George Mason University Collaborators Joint 3-year project (2010-2013) on benchmarking cryptographic algorithms in software and hardware sponsored by software FPGAs FPGAs/ASICs ASICs Daniel J. Bernstein, Jens-Peter Kaps Patrick Leyla University of Illinois George Mason Schaumont Nazhand-Ali at Chicago University Virginia Tech Virginia Tech CERG @ GMU hp://cryptography.gmu.edu/ 10 PhD students 4 MS students co-advised by Kris Gaj & Jens-Peter Kaps Outline • Introduction & motivation • Cryptographic standard contests Ø AES Ø eSTREAM Ø SHA-3 Ø CAESAR • Progress in evaluation methods • Benchmarking tools • Open problems Cryptography is everywhere We trust it because of standards Buying a book on-line Withdrawing cash from ATM Teleconferencing Backing up files over Intranets on remote server Cryptographic Standards Before 1997 Secret-Key Block Ciphers 1977 1999 2005 IBM DES – Data Encryption Standard & NSA Triple DES Hash Functions 1993 1995 2003 NSA SHA-1–Secure Hash Algorithm SHA SHA-2 1970 1980 1990 2000 2010 time Cryptographic Standard Contests IX.1997 X.2000 AES 15 block ciphers → 1 winner NESSIE I.2000 XII.2002 CRYPTREC XI.2004 V.2008 34 stream 4 HW winners eSTREAM ciphers → + 4 SW winners XI.2007 X.2012 51 hash functions → 1 winner SHA-3 IV.2013 XII.2017 57 authenticated ciphers → multiple winners CAESAR 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 time Why a Contest for a Cryptographic Standard? • Avoid back-door theories • Speed-up
  • Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks

    Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks

    Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks Jung-Keun Lee, Dong Hoon Lee, and Sangwoo Park ETRI Network & Communication Security Division, 909 Jeonmin-dong, Yuseong-gu, Daejeon, Korea Abstract. In this paper, we present a correlation attack on Sosemanuk with complexity less than 2150. Sosemanuk is a software oriented stream cipher proposed by Berbain et al. to the eSTREAM call for stream ci- pher and has been selected in the ¯nal portfolio. Sosemanuk consists of a linear feedback shift register(LFSR) of ten 32-bit words and a ¯nite state machine(FSM) of two 32-bit words. By combining linear approximation relations regarding the FSM update function, the FSM output function and the keystream output function, it is possible to derive linear approx- imation relations with correlation ¡2¡21:41 involving only the keystream words and the LFSR initial state. Using such linear approximation rela- tions, we mount a correlation attack with complexity 2147:88 and success probability 99% to recover the initial internal state of 384 bits. We also mount a correlation attack on SNOW 2.0 with complexity 2204:38. Keywords: stream cipher, Sosemanuk, SNOW 2.0, correlation attack, linear mask 1 Introduction Sosemanuk[3] is a software oriented stream cipher proposed by Berbain et al. to the eSTREAM call for stream cipher and has been selected in the ¯nal portfolio. The merits of Sosemanuk has been recognized as its considerable security margin and moderate performance[2]. Sosemanuk is based on the stream cipher SNOW 2.0[11] and the block cipher Serpent[1]. Though SNOW 2.0 is a highly reputed stream cipher, it is vulnerable to linear distinguishing attacks using linear masks[14, 15].
  • Efficient Implementation of Stream Ciphers on Embedded Processors

    Efficient Implementation of Stream Ciphers on Embedded Processors

    Efficient Implementation of Stream Ciphers on Embedded Processors Gordon Meiser 07.05.2007 Master Thesis Ruhr-University Bochum (Germany) Chair for Communication Security Prof. Dr.-Ing. Christof Paar Co-Advised by Kerstin Lemke-Rust and Thomas Eisenbarth “They who would give up an essential liberty for temporary security, deserve neither liberty or security.”(Benjamin Franklin, 1706-1790) iii STATEMENT / ERKLÄRUNG I hereby declare, that the work presented in this thesis is my own work and that to the best of my knowledge it is original, except where indicated by references to other authors. Hiermit versichere ich, dass ich meine Diplomarbeit selber verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel benutzt, sowie Zitate kenntlich gemacht habe. Gezeichnet —————————– ——————————– Gordon Meiser Ort, Datum iv ACKNOWLEDGEMENT It is my pleasure to express my gratitude to all the people who contributed, in whatever manner, to the success of this work. I want to thank Prof. Dr.-Ing. Christof Paar for giving me the possibility to write my master thesis at the Chair for Communication Security at the Ruhr-University Bochum. Furthermore I’d like to thank my Co-Advisors Dipl.-Phys. Kerstin Lemke-Rust and Dipl.-Ing. Thomas Eisenbarth for advising me with writing scientific papers and an- swering all my questions. I also want to thank all the people sitting in my room, especially Leif Uhsadel and Sören Rinne, who helped me keep the focus on my work. I spent many nights working on my master thesis and with Leif this time was much easier to bear. Another thank you goes to all reviewers, especially to Phill Cabeen for reading, correcting, and revising my master thesis from the view of a native English speaker.