DOCSLIB.ORG

Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process NISTIR8369 StatusReportontheSecondRoundof theNISTLightweightCryptography StandardizationProcess MeltemSonmezTuran¨ KerryMcKay DonghoonChang C¸gdasa˘ ¸Calık ¸ LawrenceBassham JinkeonKang JohnKelsey Thispublicationisavailablefreeofchargefrom: https://doi.org/10.6028/NIST.IR.8369 NISTIR8369 StatusReportontheSecondRoundof theNISTLightweightCryptography StandardizationProcess MeltemSonmezTuran¨ KerryMcKay DonghoonChang C¸gdasa˘ ¸Calık ¸ LawrenceBassham JinkeonKang JohnKelsey ComputerSecurityDivision InformationTechnologyLaboratory Thispublicationisavailablefreeofchargefrom: https://doi.org/10.6028/NIST.IR.8369 July2021 U.S.DepartmentofCommerce GinaM.Raimondo,Secretary NationalInstituteofStandardsandTechnology James K. Olthoff, Performing the Non-Exclusive Functions and Duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology Certaincommercialentities,equipment,ormaterialsmaybeidentifiedinthisdocumentinordertodescribe an experimental procedure or concept adequately. Such identification is not intended to imply recommendationorendorsementbytheNationalInstituteofStandardsandTechnology,norisitintendedto implythattheentities,materials,orequipmentarenecessarilythebestavailableforthepurpose. NationalInstituteofStandardsandTechnology InteragencyorInternalReport8369 Natl.Inst.Stand.Technol.Interag.Intern.Rep.8369,81pages(July2021) Thispublicationisavailablefreeofchargefrom: https://doi.org/10.6028/NIST.IR.8369 ______________________________________________________________________________________________________ NISTIR8369 SecondRoundStatusReport Abstract TheNationalInstituteofStandardsandTechnology(NIST)initiatedapublicstandardiza- tionprocesstoselectoneormoreAuthenticatedEncryptionwithAssociatedData(AEAD) andhashingschemessuitableforconstrainedenvironments. InFebruary2019,57candi- This datesweresubmittedtoNISTforconsideration. Amongthese,56wereacceptedasfirst- publication roundcandidatesinApril2019. Afterfourmonths,NISTselected32ofthecandidates forthesecondround. InMarch2021,NISTannounced10finaliststomoveforwardto thefinalroundoftheselectionprocess. ThefinalistsareASCON,Elephant,GIFT-COFB, Grain-128AEAD,ISAP,PHOTON-Beetle,Romulus,SPARKLE,TinyJAMBU,andXoodyak. Thisreportdescribestheevaluationcriteriaandselectionprocess,whichisbasedonpublic is available feedbackandinternalreviewofthesecond-roundcandidates. Keywords free authenticatedencryption· cryptography· hashfunctions· lightweightcryptography of charge from: https://doi.org/10.6028/NIST.IR.8369 i ______________________________________________________________________________________________________ NISTIR8369 SecondRoundStatusReport Acknowledgments NIST thanks the second-round submission teams, who developed and designed the second-roundcandidates,andthecryptographiccommunity,whoanalyzedthecandidates, sharedtheircommentsthroughthe ,andpublishedpapersonvarioustechnical This lwc-forum aspectsofthecandidates. publication NISTalsothanksthedevelopers,whoprovidedoptimizedimplementationsofthecan- didatesaswellasthehardwareandsoftwarebenchmarkinginitiatives,fortheircontribution totheunderstandingoftheperformancecharacteristicsofthealgorithmsonvarioustarget platforms. Specifically,NISTthanksallthosewhocontributedtothefollowingprojects:(i)FPGA is available benchmarkingbyK.Mohajerani,R.Haeussler,R.Nagpal,F.Farahmand,A.Abdulgadir, J.-P.Kaps,andK.Gaj;(ii)ASICbenchmarkingbyM.AagaardandN.Zidaric;(ˇ iii)ASIC benchmarkingbyM.Khairallah, T.Peyrin, andA.Chattopadhyay; (iv)Microcontroller benchmarkingbyS.Renner,E.Pozzobon,andJ.Mottok;(v)Microcontrollerbenchmark- free ingbyR.Weatherley;(vi)RISC-VbenchmarkingbyF.Campos,L.Jellema,M.Lemmen, L. Muller,D.Sprenkels,andB.Viguier;¨ (vii)RISC-VbenchmarkingbyG.Nisanci,R. of charge Atay,M.K.Pehlivanoglu,E.B.Kavun,andT.Yalc¸ın;and(viii)eBACS(ECRYPTBench- markingofCryptographicSystems)benchmarkingbyD.J.BernsteinandT.Lange. Theauthorsofthisreportacknowledgeandappreciatecontributionsfromtheircol- from: leaguesatNIST–LilyChen,AndrewRegenscheid,SaraKerman,NoahWaller,IsabelVan Wyk,RayPerlner,Lu´ısBrandao,SherylTaylor,DustinMoody,andMichaelJ.Fagan–˜ https://doi.org/10.6028/NIST.IR.8369 whoprovidedtechnicalandadministrativesupportandparticipatedinmeetingstodiscuss theselectionofthefinalists. ii ______________________________________________________________________________________________________ Contents 1 Introduction 1 2 EvaluationCriteria 2 This 3 Second-RoundCandidates 3 3.1 ClassificationoftheSecond-RoundCandidates 3 publication 3.2 EvaluationoftheSecond-RoundCandidates 4 3.2.1 ACE 5 3.2.2 ASCON 6 3.2.3 COMET 7 is 3.2.4 DryGASCON 8 available 3.2.5 Elephant 8 3.2.6 ESTATE 9 3.2.7 ForkAE 10 free 3.2.8 GIFT-COFB 11 3.2.9 Gimli 11 of 3.2.10 Grain-128AEAD 12 charge 3.2.11 HyENA 13 3.2.12 ISAP 14 3.2.13 KNOT 15 from: 3.2.14 LOTUS-AEADandLOCUS-AEAD 16 3.2.15 mixFeed 16 https://doi.org/10.6028/NIST.IR.8369 3.2.16 ORANGE 17 3.2.17 Oribatida 18 3.2.18 PHOTON-Beetle 19 3.2.19 Pyjamask 19 3.2.20 Romulus 20 3.2.21 SAEAES 22 3.2.22 SATURNIN 22 3.2.23 SKINNY-AEAD andSKINNY-HASH 23 3.2.24 SPARKLE 24 3.2.25 SPIX 25 3.2.26 SpoC 25 3.2.27 Spook 26 3.2.28 Subterranean2.0 27 3.2.29 SUNDAE-GIFT 28 3.2.30 TinyJAMBU 28 3.2.31 WAGE 29 3.2.32 Xoodyak 30 3.3 AdditionalConsiderations 30 3.3.1 Side-ChannelResistance 30 3.3.2 Nonce-MisuseSecurity 31 iii ______________________________________________________________________________________________________ NISTIR8369 SecondRoundStatusReport 3.3.3 RUPSecurity 32 3.3.4 ImpactsofStateRecovery 32 3.3.5 Post-QuantumSecurity 33 4 PerformanceBenchmarking 34 This 4.1 SoftwareBenchmarking 34 4.1.1 MicrocontrollerBenchmarkingbyNIST 34 publication 4.1.2 MicrocontrollerBenchmarkingbyRenneretal. 35 4.1.3 MicrocontrollerBenchmarkingbyWeatherley 36 4.1.4 AdditionalResults 37 4.2 HardwareBenchmarking 37 is 4.2.1 FPGABenchmarkingbyGMUCERG 38 available 4.2.2 ASICBenchmarkingbyKhairallahetal. 38 4.2.3 ASICBenchmarkingbyAagaardandZidaricˇ 39 5 SelectingtheFinalists 40 free 6 NextSteps 41 of References 42 charge A NISTSoftwareBenchmarkingResults 67 from: https://doi.org/10.6028/NIST.IR.8369 iv ______________________________________________________________________________________________________ ListofTables Table1 TimelineoftheNISTLightweightCryptographyStandardizationProcess 2 Table2 Underlyingprimitivesofthesecond-roundcandidates 4 Table3 AEADmode-of-operationclassificationofprimaryvariants 5 This Table4 Hashingmodesofthe12candidateswithhashingfunctionalities 6 publication Table5 SummaryofattacksonASCON family 7 Table6 Anon-exhaustivesummaryofattacksonGIFT-128 12 Table7 SummaryofattacksonGimli 13 Table8 SummaryofdistinguishingattacksonPHOTON256 19 Table9 Summaryofbestkey-recoveryattacksonSKINNY-128-256andSKINNY- is available 128-384 21 Table10 Specificationsofmicrocontrollersusedinbenchmarkinginitiatives 35 Table11 Summaryofthehardwarebenchmarkinginitiatives 39 Table12 Code sizes (in bytes) for the smallest implementations of the primary free AEADvariantsonmicrocontrollers 69 Table13 Codesizes(inbytes)forthesmallestimplementationsoftheprimaryhash of charge variantsonmicrocontrollers 70 Table14 Timings(inµs)forthefastestimplementationsofprimaryAEADvari- antsforauthenticatedencryptionof16-bytemessageand16-byteADon from: microcontrollers 71 Table15 Timings(inµs)forthefastestimplementationsofprimaryhashvariants https://doi.org/10.6028/NIST.IR.8369 forprocessing16-bytemessageonmicrocontrollers 72 v ______________________________________________________________________________________________________ ListofFigures Figure1 Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforau- thenticatedencryptionof16-bytemessageand16-byteADonATmega328P 73 Figure2 Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforau- This thenticatedencryptionof16-bytemessageand16-byteADonATmega4809 73 publication Figure3 Codesizevs. speedresultsofthesmallestprimaryAEADvariantsfor authenticatedencryptionof16-bytemessageand16-byteADonSAMD21 74 Figure4 Codesizevs.speedresultsofthesmallestprimaryAEADvariantsforau- thenticatedencryptionof16-bytemessageand16-byteADonnRF52840 74 is available Figure5 Codesizevs. speedresultsofthesmallestprimaryAEADvariantsfor authenticatedencryptionof16-bytemessageand16-byteADonPIC32MX 75 Figure6 Codesizevs. speedresultsofthesmallestprimaryAEADvariantsfor authenticatedencryptionof16-bytemessageand16-byteADonESP8266 75 free Figure7 RelativespeedsofthecandidatescomparedtoAES-GCMonATmega328P 76 Figure8 RelativespeedsofthecandidatescomparedtoAES-GCMonATmega4809 77 of charge Figure9 RelativespeedsofthecandidatescomparedtoAES-GCMonSAMD21 78 Figure10RelativespeedsofthecandidatescomparedtoAES-GCMonnRF52840 79 Figure11RelativespeedsofthecandidatescomparedtoAES-GCMonPIC32MX 80 from: Figure12RelativespeedsofthecandidatescomparedtoAES-GCMonESP8266 81 https://doi.org/10.6028/NIST.IR.8369 vi ______________________________________________________________________________________________________ NISTIR8369 SecondRoundStatusReport Acronyms AD AssociatedData AEAD AuthenticatedEncryptionwithAssociatedData This AES AdvancedEncryptionStandard publication ARX Addition-Rotation-Xor ASIC ApplicationSpecificIntegratedCircuit is CAESAR CompetitionforAuthenticatedEncryption: Security,Applicability,andRo- available bustness CBC CipherBlockChaining free CCA ChosenCiphertextAttack of CCAm CCAwithnoncemisuse-resilience charge CI CiphertextIntegrity from: CIM CiphertextIntegritywithMisuse-resistance CTR Counter https://doi.org/10.6028/NIST.IR.8369 eBACS ECRYPTBenchmarkingofCryptographicSystem eSTREAM ECRYPTSTREAMcipherproject FOBOS FlexibleOpensourceworkBenchfOrSide-channelanalysis
Load more

Recommended publications
  • Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher Florian Mendel1, Thomas Peyrin2, Christian Rechberger1, and Martin Schl¨affer1 1 IAIK, Graz University of Technology, Austria 2 Ingenico, France [email protected],[email protected] Abstract. In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation3 and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO. Keywords: hash function, block cipher, cryptanalysis, semi-free-start collision, known-key distinguisher 1 Introduction Recently, a new wave of hash function proposals appeared, following a call for submissions to the SHA-3 contest organized by NIST [26]. In order to analyze these proposals, the toolbox which is at the cryptanalysts' disposal needs to be extended. Meet-in-the-middle and differential attacks are commonly used. A recent extension of differential cryptanalysis to hash functions is the rebound attack [22] originally applied to reduced (7.5 rounds) Whirlpool (standardized since 2000 by ISO/IEC 10118-3:2004) and a reduced version (6 rounds) of the SHA-3 candidate Grøstl-256 [14], which both have 10 rounds in total.
    [Show full text]
  • Basic Cryptography
    Basic cryptography • How cryptography works... • Symmetric cryptography... • Public key cryptography... • Online Resources... • Printed Resources... I VP R 1 © Copyright 2002-2007 Haim Levkowitz How cryptography works • Plaintext • Ciphertext • Cryptographic algorithm • Key Decryption Key Algorithm Plaintext Ciphertext Encryption I VP R 2 © Copyright 2002-2007 Haim Levkowitz Simple cryptosystem ... ! ABCDEFGHIJKLMNOPQRSTUVWXYZ ! DEFGHIJKLMNOPQRSTUVWXYZABC • Caesar Cipher • Simple substitution cipher • ROT-13 • rotate by half the alphabet • A => N B => O I VP R 3 © Copyright 2002-2007 Haim Levkowitz Keys cryptosystems … • keys and keyspace ... • secret-key and public-key ... • key management ... • strength of key systems ... I VP R 4 © Copyright 2002-2007 Haim Levkowitz Keys and keyspace … • ROT: key is N • Brute force: 25 values of N • IDEA (international data encryption algorithm) in PGP: 2128 numeric keys • 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years I VP R 5 © Copyright 2002-2007 Haim Levkowitz Symmetric cryptography • DES • Triple DES, DESX, GDES, RDES • RC2, RC4, RC5 • IDEA Key • Blowfish Plaintext Encryption Ciphertext Decryption Plaintext Sender Recipient I VP R 6 © Copyright 2002-2007 Haim Levkowitz DES • Data Encryption Standard • US NIST (‘70s) • 56-bit key • Good then • Not enough now (cracked June 1997) • Discrete blocks of 64 bits • Often w/ CBC (cipherblock chaining) • Each blocks encr. depends on contents of previous => detect missing block I VP R 7 © Copyright 2002-2007 Haim Levkowitz Triple DES, DESX,
    [Show full text]
  • MD5 Collisions the Effect on Computer Forensics April 2006
    Paper MD5 Collisions The Effect on Computer Forensics April 2006 ACCESS DATA , ON YOUR RADAR MD5 Collisions: The Impact on Computer Forensics Hash functions are one of the basic building blocks of modern cryptography. They are used for everything from password verification to digital signatures. A hash function has three fundamental properties: • It must be able to easily convert digital information (i.e. a message) into a fixed length hash value. • It must be computationally impossible to derive any information about the input message from just the hash. • It must be computationally impossible to find two files to have the same hash. A collision is when you find two files to have the same hash. The research published by Wang, Feng, Lai and Yu demonstrated that MD5 fails this third requirement since they were able to generate two different messages that have the same hash. In computer forensics hash functions are important because they provide a means of identifying and classifying electronic evidence. Because hash functions play a critical role in evidence authentication, a judge and jury must be able trust the hash values to uniquely identify electronic evidence. A hash function is unreliable when you can find any two messages that have the same hash. Birthday Paradox The easiest method explaining a hash collision is through what is frequently referred to as the Birthday Paradox. How many people one the street would you have to ask before there is greater than 50% probability that one of those people will share your birthday (same day not the same year)? The answer is 183 (i.e.
    [Show full text]
  • A Novel and Highly Efficient AES Implementation Robust Against Differential Power Analysis Massoud Masoumi K
    A Novel and Highly Efficient AES Implementation Robust against Differential Power Analysis Massoud Masoumi K. N. Toosi University of Tech., Tehran, Iran [email protected] ABSTRACT been proposed. Unfortunately, most of these techniques are Developed by Paul Kocher, Joshua Jaffe, and Benjamin Jun inefficient or costly or vulnerable to higher-order attacks in 1999, Differential Power Analysis (DPA) represents a [6]. They include randomized clocks, memory unique and powerful cryptanalysis technique. Insight into encryption/decryption schemes [7], power consumption the encryption and decryption behavior of a cryptographic randomization [8], and decorrelating the external power device can be determined by examining its electrical power supply from the internal power consumed by the chip. signature. This paper describes a novel approach for Moreover, the use of different hardware logic, such as implementation of the AES algorithm which provides a complementary logic, sense amplifier based logic (SABL), significantly improved strength against differential power and asynchronous logic [9, 10] have been also proposed. analysis with a minimal additional hardware overhead. Our Some of these techniques require about twice as much area method is based on randomization in composite field and will consume twice as much power as an arithmetic which entails an area penalty of only 7% while implementation that is not protected against power attacks. does not decrease the working frequency, does not alter the For example, the technique proposed in [10] adds area 3 algorithm and keeps perfect compatibility with the times and reduces throughput by a factor of 4. Another published standard. The efficiency of the proposed method is masking which involves ensuring the attacker technique was verified by practical results obtained from cannot predict any full registers in the system without real implementation on a Xilinx Spartan-II FPGA.
    [Show full text]
  • Rotational Cryptanalysis of ARX
    Rotational Cryptanalysis of ARX Dmitry Khovratovich and Ivica Nikoli´c University of Luxembourg [email protected], [email protected] Abstract. In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations. Keywords: ARX, cryptanalysis, rotational cryptanalysis. 1 Introduction A huge number of symmetric primitives using modular additions, bitwise XORs, and intraword rotations have appeared in the last 20 years. The most famous are the hash functions from MD-family (MD4, MD5) and their descendants SHA-x. While modular addition is often approximated with XOR, for random inputs these operations are quite different. Addition provides diffusion and nonlinearity, while XOR does not. Although the diffusion is relatively slow, it is compensated by a low price of addition in both software and hardware, so primitives with relatively high number of additions (tens per byte) are still fast. The intraword rotation removes disbalance between left and right bits (introduced by the ad- dition) and speeds up the diffusion. Many recently design primitives use only XOR, addition, and rotation so they are grouped into a single family ARX (Addition-Rotation-XOR).
    [Show full text]
  • Security Evaluation of the K2 Stream Cipher
    Security Evaluation of the K2 Stream Cipher Editors: Andrey Bogdanov, Bart Preneel, and Vincent Rijmen Contributors: Andrey Bodganov, Nicky Mouha, Gautham Sekar, Elmar Tischhauser, Deniz Toz, Kerem Varıcı, Vesselin Velichkov, and Meiqin Wang Katholieke Universiteit Leuven Department of Electrical Engineering ESAT/SCD-COSIC Interdisciplinary Institute for BroadBand Technology (IBBT) Kasteelpark Arenberg 10, bus 2446 B-3001 Leuven-Heverlee, Belgium Version 1.1 | 7 March 2011 i Security Evaluation of K2 7 March 2011 Contents 1 Executive Summary 1 2 Linear Attacks 3 2.1 Overview . 3 2.2 Linear Relations for FSR-A and FSR-B . 3 2.3 Linear Approximation of the NLF . 5 2.4 Complexity Estimation . 5 3 Algebraic Attacks 6 4 Correlation Attacks 10 4.1 Introduction . 10 4.2 Combination Generators and Linear Complexity . 10 4.3 Description of the Correlation Attack . 11 4.4 Application of the Correlation Attack to KCipher-2 . 13 4.5 Fast Correlation Attacks . 14 5 Differential Attacks 14 5.1 Properties of Components . 14 5.1.1 Substitution . 15 5.1.2 Linear Permutation . 15 5.2 Key Ideas of the Attacks . 18 5.3 Related-Key Attacks . 19 5.4 Related-IV Attacks . 20 5.5 Related Key/IV Attacks . 21 5.6 Conclusion and Remarks . 21 6 Guess-and-Determine Attacks 25 6.1 Word-Oriented Guess-and-Determine . 25 6.2 Byte-Oriented Guess-and-Determine . 27 7 Period Considerations 28 8 Statistical Properties 29 9 Distinguishing Attacks 31 9.1 Preliminaries . 31 9.2 Mod n Cryptanalysis of Weakened KCipher-2 . 32 9.2.1 Other Reduced Versions of KCipher-2 .
    [Show full text]
  • Partly-Pseudo-Linear Cryptanalysis of Reduced-Round SPECK
    cryptography Article Partly-Pseudo-Linear Cryptanalysis of Reduced-Round SPECK Sarah A. Alzakari * and Poorvi L. Vora Department of Computer Science, The George Washington University, 800 22nd St. NW, Washington, DC 20052, USA; [email protected] * Correspondence: [email protected] Abstract: We apply McKay’s pseudo-linear approximation of addition modular 2n to lightweight ARX block ciphers with large words, specifically the SPECK family. We demonstrate that a pseudo- linear approximation can be combined with a linear approximation using the meet-in-the-middle attack technique to recover several key bits. Thus we illustrate improvements to SPECK linear distinguishers based solely on Cho–Pieprzyk approximations by combining them with pseudo-linear approximations, and propose key recovery attacks. Keywords: SPECK; pseudo-linear cryptanalysis; linear cryptanalysis; partly-pseudo-linear attack 1. Introduction ARX block ciphers—which rely on Addition-Rotation-XOR operations performed a number of times—provide a common approach to lightweight cipher design. In June 2013, a group of inventors from the US’s National Security Agency (NSA) proposed two families of lightweight block ciphers, SIMON and SPECK—each of which comes in a variety of widths and key sizes. The SPECK cipher, as an ARX cipher, provides efficient software implementations, while SIMON provides efficient hardware implementations. Moreover, both families perform well in both hardware and software and offer the flexibility across Citation: Alzakari, S.; Vora, P. different platforms that will be required by future applications [1,2]. In this paper, we focus Partly-Pseudo-Linear Cryptanalysis on the SPECK family as an example lightweight ARX block cipher to illustrate our attack.
    [Show full text]
  • Efficient Hashing Using the AES Instruction
    Efficient Hashing Using the AES Instruction Set Joppe W. Bos1, Onur Özen1, and Martijn Stam2 1 Laboratory for Cryptologic Algorithms, EPFL, Station 14, CH-1015 Lausanne, Switzerland {joppe.bos,onur.ozen}@epfl.ch 2 Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom [email protected] Abstract. In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockci- pher with AES, which allows us to exploit the recent AES instruction set (AES- NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL- 256. Although we primarily target architectures supporting AES-NI, our frame- work has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi- block-length hash functions in software. 1 Introduction Historically, the most popular way of constructing a hash function is to iterate a com- pression function that itself is based on a blockcipher (this idea dates back to Ra- bin [49]). This approach has the practical advantage—especially on resource-constrained devices—that only a single primitive is needed to implement two functionalities (namely encrypting and hashing). Moreover, trust in the blockcipher can be conferred to the cor- responding hash function. The wisdom of blockcipher-based hashing is still valid today. Indeed, the current cryptographic hash function standard SHA-2 and some of the SHA- 3 candidates are, or can be regarded as, blockcipher-based designs.
    [Show full text]
  • Network Security Chapter 8
    Network Security Chapter 8 Network security problems can be divided roughly into 4 closely intertwined areas: secrecy (confidentiality), authentication, nonrepudiation, and integrity control. Question: what does non-repudiation mean? What does “integrity” mean? • Cryptography • Symmetric-Key Algorithms • Public-Key Algorithms • Digital Signatures • Management of Public Keys • Communication Security • Authentication Protocols • Email Security -- skip • Web Security • Social Issues -- skip Revised: August 2011 CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Network Security Security concerns a variety of threats and defenses across all layers Application Authentication, Authorization, and non-repudiation Transport End-to-end encryption Network Firewalls, IP Security Link Packets can be encrypted on data link layer basis Physical Wireless transmissions can be encrypted CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Network Security (1) Some different adversaries and security threats • Different threats require different defenses CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cryptography Cryptography – 2 Greek words meaning “Secret Writing” Vocabulary: • Cipher – character-for-character or bit-by-bit transformation • Code – replaces one word with another word or symbol Cryptography is a fundamental building block for security mechanisms. • Introduction » • Substitution ciphers » • Transposition ciphers » • One-time pads
    [Show full text]
  • Fast Correlation Attacks: Methods and Countermeasures
    Fast Correlation Attacks: Methods and Countermeasures Willi Meier FHNW, Switzerland Abstract. Fast correlation attacks have considerably evolved since their first appearance. They have lead to new design criteria of stream ciphers, and have found applications in other areas of communications and cryp- tography. In this paper, a review of the development of fast correlation attacks and their implications on the design of stream ciphers over the past two decades is given. Keywords: stream cipher, cryptanalysis, correlation attack. 1 Introduction In recent years, much effort has been put into a better understanding of the design and security of stream ciphers. Stream ciphers have been designed to be efficient either in constrained hardware or to have high efficiency in software. A synchronous stream cipher generates a pseudorandom sequence, the keystream, by a finite state machine whose initial state is determined as a function of the secret key and a public variable, the initialization vector. In an additive stream cipher, the ciphertext is obtained by bitwise addition of the keystream to the plaintext. We focus here on stream ciphers that are designed using simple devices like linear feedback shift registers (LFSRs). Such designs have been the main tar- get of correlation attacks. LFSRs are easy to implement and run efficiently in hardware. However such devices produce predictable output, and cannot be used directly for cryptographic applications. A common method aiming at destroy- ing the predictability of the output of such devices is to use their output as input of suitably designed non-linear functions that produce the keystream. As the attacks to be described later show, care has to be taken in the choice of these functions.
    [Show full text]
  • Modes of Operation for Compressed Sensing Based Encryption
    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
    [Show full text]
  • Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A
    Air Force Institute of Technology AFIT Scholar Theses and Dissertations Student Graduate Works 9-13-2012 Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A. Koziel Follow this and additional works at: https://scholar.afit.edu/etd Part of the Computer and Systems Architecture Commons, and the Information Security Commons Recommended Citation Koziel, Eric A., "Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation" (2012). Theses and Dissertations. 1127. https://scholar.afit.edu/etd/1127 This Thesis is brought to you for free and open access by the Student Graduate Works at AFIT Scholar. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of AFIT Scholar. For more information, please contact [email protected]. EFFECTS OF ARCHITECTURE ON INFORMATION LEAKAGE OF A HARDWARE ADVANCED ENCRYPTION STANDARD IMPLEMENTATION THESIS Eric A. Koziel AFIT/GCO/ENG/12-25 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States. AFIT/GCO/ENG/12-25 EFFECTS OF ARCHITECTURE ON INFORMATION LEAKAGE OF A HARDWARE ADVANCED ENCRYPTION STANDARD IMPLEMENTATION THESIS Presented to the Faculty Department of Electrical & Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Operations Eric A.
    [Show full text]