DOCSLIB.ORG

Format-Preserving Encryption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Format-Preserving Encryption Format-Preserving Encryption Somitra Kumar Sanadhya Indian Institute of Technology Ropar August 27, 2020 Somitra Format-Preserving Encryption 1 / 68 Credits Credits for the work described: Co-authors (Designs): Donghoon Chang, Mohona Ghosh, Kishan Chand Gupta, Arpan Jati, Abhishek Kumar, Dukjae Moon, Indranil Ghosh Ray. Co-authors (Recent cryptanalysis results): Orr Dunkelman, Abhishek Kumar, Eran Lambooij. Significant contribution in preparing these slides: Abhishek Kumar, IIT Ropar. Funding: India-Israel Collaborative Project, DST, Govt. of India. The research described is a part of the (ongoing) PhD work of Abhishek. Somitra Format-Preserving Encryption 2 / 68 Block cipher Block cipher: A family of permutations indexed by the secret key. Deterministic primitive. Security notion: PRP. Modes of operation and padding schemes are required to construct an encryption scheme. Syntax: E : f0; 1gk × f0; 1gn ! f0; 1gn Issues: Can't be used for small domains (Codebook attack) Changing the key is costly. Somitra Format-Preserving Encryption 3 / 68 Tweakable Block Cipher A block cipher with a twist - \tweak". A public tweak allows switching to a different family of permutations (even for the same key). Changing the tweak is a low cost operation. Syntax: E : f0; 1gk × f0; 1gn × f0; 1gt ! f0; 1gn Idea used first in the \Hasty Pudding cipher" by Schroeppel (AES competition, 1998). Formalized by Liskov, Rivest, Wagner (Crypto 2002). Somitra Format-Preserving Encryption 4 / 68 Format Preserving Encryption (FPE) FPE: Encryption scheme where the input and the output have the same format. Why can't we use a block cipher? Loss of format Ciphertext expansion \Cipher text ... bears roughly the same resemblance to plain text ... as a hamburger to a T-bone steak." (Brightwell and Smith, 1997). Somitra Format-Preserving Encryption 5 / 68 Is the problem interesting? Applications Credit card encryption, SSN encryption, ... Database Encryption Data capturing devises used to capture data of specific format (PIN pads, used with ATM machines). Product First product of Voltage Security Inc. (Now Microfocus Inc.) Standardization Draft NIST SP 800-38G (March 2016), updated in 2017. Requirements Any (user defined) format should be supported. Ciphertext length expansion is not permitted. First formal treatment byBellare,Ristenpart,Rogaway,Stegers (Selected Areas in Cryptography 2009). Somitra Format-Preserving Encryption 6 / 68 Draft Standard Somitra FigureFormat-Preserving 1: NIST Document. Encryption 7 / 68 FPE Security notions (BRRS'09) Pseudo-Random Permutation (PRP): Distinguishing Ek(·) from RP (·). Single Point Indist. (SPI): Distinguishing Ek(m) (for adversarial choice of m) from a c = Ek(r) for a random message r. Message Privacy (MP): Ek(m) reveals no information on m, except its format. Formalized by comparing the \performance" of the real-world adversary to that of a degenerate adversary S that can only make equality queries of the form \is m the encrypted message?"). Message Recovery (MR): Adversary can't \completely reveal" m when supplied with Ek(m). Somitra Format-Preserving Encryption 8 / 68 Comments on the Security notions (BRRS'09) PRP =) all other security notions. SPI =) MP, MR with tight bound. MP and MR are what are needed in applications. PRP is an overkill. Attacks against PRP may not be a threat in practice for an FPE scheme. Somitra Format-Preserving Encryption 9 / 68 Existing FPE Schemes General techniques: (Black and Rogaway, CT-RSA 2002) Prefix Cipher Extension: Rank-then-Encipher (RtE) - BRRS'09 Cycle-walking Generalized-Feistel Cipher Specific constructions: FFSEM (Spies, Voltage Inc.) Superceded by FFX. FFX (FF1, FF2). (Bellare, Rogaway, Spies, Submitted to NIST, Feb 2010) BPS (renamed FF3 by NIST). (Brier, Peyrin, Stern, Submitted to NIST, March 2010) VFPE (John Sheets, Kim R. Wagner, VISA USA Inc., Submitted to NIST, Oct 2011) FEA-1 and FEA-2 (Lee, Koo, Roh, Kim, Kwon, ICISC 2014, Korean FPE Standard) Somitra Format-Preserving Encryption 10 / 68 General Technique 1: Prefix Cipher (Black and Rogaway, CT-RSA 2002) Domain = f0; 1; : : : ; t − 1g. n Use n-bit block cipher Ek(:) with domain N = 2 ≥ t. Permut. [0; 1; : : : ; t − 1] = Ordering [Ek(0);Ek(1);:::;Ek(t − 1)]. Method is computationally reasonable for small t (such as t < 230). Somitra Format-Preserving Encryption 11 / 68 Extension: Rank-then-Encipher (RtE) \It would be undesirable to design an encryption schemes whose internal workings were tailored to the specialized task in hand." { BRRS, SAC 2009. integer domain FPE ! arbitrary domain FPE. Given a format space, rank the input, and then use an integer FPE. If E is secure then so is RtE(E, rank, unrank). Figure 2: RtE scheme. Somitra Format-Preserving Encryption 12 / 68 General Technique 2: Cycle Walking (Black and Rogaway, CT-RSA 2002) Domain M = f0; 1; : : : ; m − 1g. Use Ek(:) with domain N such that jNj ≥ jMj. Map m 2 M to Ek(:::Ek(:::Ek(m)) = c until c 2 M. Need M to be dense in block cipher domain N, otherwise too may block cipher invocations. N c1 M m c c 2 c3 Somitra FigureFormat-Preserving 3: Cycle Encryption Walking 13 / 68 General Technique 3: Generalized Feistel (Black and Rogaway, CT-RSA 2002) Let message space size = t. Choose two integers a and b such that ab ≥ t, with a ≥ jLj and b ≥ jRj (Fig 4). L R Fk(·) Perform cycle walking when out of range. Efficient when (ab − t) is small. L0 R0 Suggested number of rounds is 3. Figure 4: One round of GF. Somitra Format-Preserving Encryption 14 / 68 Specific Construction 1: FFSEM Designed by Terrence Spies and submitted to NIST in 2008. Concrete instance of the Black-Rogaway technique. Uses a tweak to make round-PRFs different. Suggestions: For message domain > 40 bits, use at least 6 rounds (considering Patarin's attack). For message domain 2 f32; 40g bits, use extra rounds (not efficient for most of practical FPE applications). Somitra Format-Preserving Encryption 15 / 68 Specific Construction 2: FFX (FF1 and FF2) (BRRS 2009) \Theory" of FPE developed in this work. Two variants: (NIST Special Publication 800-38G) Type-1 Feistel: FF1 Type-2 Feistel: FF2 Both variants have at least 10 rounds of Feistel. (More, if message size or format is large). The round function is one invocation of AES. Thus, at least 10 calls to AES needed for each encryption or decryption. Somitra Format-Preserving Encryption 16 / 68 FF1 Figure 5 and algorithm 1 represent two rounds and encryption function of FF1 respectively. N;T Algorithm 1: FF1K (X) 1 (a; b) N; X0 X 2 for i = 1; 2; : : : ; r(N) do 3 Ai−1 Xi−1 div b 4 Bi−1 Xi−1 mod b 5 Ci (Ai−1 + FK (N; T; i; Bi−1)) mod a 6 Xi aBi−1 + Ci 7 ret Xr(N) Figure 5: Two Rounds of FF1. Somitra Format-Preserving Encryption 17 / 68 FF2 Figure 6 and algorithm 2 represent two rounds and encryption function of FF2 respectively. N;T Algorithm 2: FF2K (X) 1 (a; b) N 2 Ai−1 Xi−1 div b ; Bi−1 Xi−1 mod b 3 for i = 1; 2; : : : ; r(N) do 4 if i mod 2=1 then s a else s b 5 Ai Bi−1 6 Bi (Ai−1 + FK (N; T; i; Bi−1)) mod s 7 ret sAr(N) + Br(N) Figure 6: Two Rounds of FF2. Somitra Format-Preserving Encryption 18 / 68 Specific Construction 3: FF3 Designed by Brier, Peyrin, Stern and named as BPS initially. It is a Feistel based design and consists of 8 rounds (faster than FFX). BPS is a combination of the following two components: 1 A length restricted internal block cipher. Initially renamed as FF3 by NIST, later renamed as FF3-1. This internal block cipher is used to encrypt the data while preserving the format. 2 A mode of operation to handle long messages. This mode is malleable and hence not adopted by NIST. Hence, maximum input size is fixed (unlike FF1, and FF2). The tweak size is 64-bits, hence not suitable for very large messages. Somitra Format-Preserving Encryption 19 / 68 Analysis of FF1, FF2 and FF3 (M. Dworkin and R. Perlner, eprint 2015/30): FF2 does not provide the expected 128-bits of security strength. Hence, removed from NIST recommended designs. (Bellare et. al, ACM CCS 2016): A practical attack message recovery attack for small domain messages for FF1 and FF3. { For one byte messages, the data complexity of the attacks is approx 234 and 242 for FF3 and FF1 respectively. (Hoang et. al, Crypto 2018) Improved attack to recover one byte message with data complexity 227 and 236 for FF3 and FF1 respectively. (Durak and Vaudenay, Crypto 2017) gave a generic attack against 11 FF3 with complexity O(N 6 ) chosen plaintexts and time complexity O(N 5), where N 2 is the domain size. All these attacks work only for messages of ≈ 15 bits or smaller. Somitra Format-Preserving Encryption 20 / 68 Specific Constructions 4: FEA-1 & FEA-2 Designed by a team of South Korean researchers in 2014. Currently a Korean FPE standard. Feistel based design, with a tweakable round function. The round function of FEA-1 and FEA-2 consists of two iteration of S-box layer and diffusion layer (like DES). Somitra Format-Preserving Encryption 21 / 68 Specific Constructions 4: FEA-1 & FEA-2 Suggested number of rounds for FEA-1 and FEA-2 for different key sizes. Key length FEA-1 FEA-2 128 12 18 192 14 21 256 16 24 As per designer's claim, both FEA-1 and FEA-2 are almost two times faster than FF1 and FF3. Somitra Format-Preserving Encryption 22 / 68 Status of FEA-1 and FEA-2 No publicly known results. Somitra Format-Preserving Encryption 23 / 68 Summary Feistel based designs (FF1, FF2 and FF3) requires many invocation of internal primitives (due to Patarin's attack).
Load more

Recommended publications
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • The Long Road to the Advanced Encryption Standard
    The Long Road to the Advanced Encryption Standard Jean-Luc Cooke CertainKey Inc. [email protected], http://www.certainkey.com/˜jlcooke Abstract 1 Introduction This paper will start with a brief background of the Advanced Encryption Standard (AES) process, lessons learned from the Data Encryp- tion Standard (DES), other U.S. government Two decades ago the state-of-the-art in cryptographic publications and the fifteen first the private sector cryptography was—we round candidate algorithms. The focus of the know now—far behind the public sector. presentation will lie in presenting the general Don Coppersmith’s knowledge of the Data design of the five final candidate algorithms, Encryption Standard’s (DES) resilience to and the specifics of the AES and how it dif- the then unknown Differential Cryptanaly- fers from the Rijndael design. A presentation sis (DC), the design principles used in the on the AES modes of operation and Secure Secure Hash Algorithm (SHA) in Digital Hash Algorithm (SHA) family of algorithms Signature Standard (DSS) being case and will follow and will include discussion about point[NISTDSS][NISTDES][DC][NISTSHA1]. how it is directly implicated by AES develop- ments. The selection and design of the DES was shrouded in controversy and suspicion. This very controversy has lead to a fantastic acceler- Intended Audience ation in private sector cryptographic advance- ment. So intrigued by the NSA’s modifica- tions to the Lucifer algorithm, researchers— This paper was written as a supplement to a academic and industry alike—powerful tools presentation at the Ottawa International Linux in assessing block cipher strength were devel- Symposium.
    [Show full text]
  • Elastic Block Ciphers: the Basic Design
    Elastic Block Ciphers: The Basic Design ∗ † Debra Cook Angelos Keromytis Moti Yung Bell Labs Columbia University RSA Labs, EMC Corp, and Murray Hill, NJ, USA Dept. of Computer Science Columbia University [email protected] New York, NY, USA Dept. of Computer Science [email protected] [email protected] ABSTRACT We introduce the concept of an elastic block cipher, which We introduce the concept of an elastic block cipher, which allows us to ”stretch” the supported block size of a block refers to stretching the supported block size of a block ci- cipher up to a length double the original block size, while pher to any length up to twice the original block size while increasing the computational workload proportionally to the incurring a computational workload that is proportional to block size. This, together with modes of operation, permits the block size. We define a method for converting any ex- block sizes to be set based on an application’s requirements, isting block cipher into an elastic block cipher and mention allowing, for example, a non-traditional block size to be used our analysis of the construction. for all blocks, or a traditional block size to be used for all but the last block in a given mode of operation. We pro- Categories and Subject Descriptors pose a general method for creating an elastic block cipher E.0 [General]: Data Encryption from an existing block cipher. Our intent is not to design a new ad-hoc cipher, but to systematically build upon existing General Terms block ciphers. Our method consists of a network structure block ciphers, algorithms, encryption that uses the round function from an existing block cipher, allowing us to treat the round function of the original ci- Keywords pher as a black box and reuse its properties.
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • Design and Analysis of Lightweight Block Ciphers : a Focus on the Linear
    Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer Christof Beierle Doctoral Dissertation Faculty of Mathematics Ruhr-Universit¨atBochum December 2017 Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer vorgelegt von Christof Beierle Dissertation zur Erlangung des Doktorgrades der Naturwissenschaften an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum Dezember 2017 First reviewer: Prof. Dr. Gregor Leander Second reviewer: Prof. Dr. Alexander May Date of oral examination: February 9, 2018 Abstract Lots of cryptographic schemes are based on block ciphers. Formally, a block cipher can be defined as a family of permutations on a finite binary vector space. A majority of modern constructions is based on the alternation of a nonlinear and a linear operation. The scope of this work is to study the linear operation with regard to optimized efficiency and necessary security requirements. Our main topics are • the problem of efficiently implementing multiplication with fixed elements in finite fields of characteristic two. • a method for finding optimal alternatives for the ShiftRows operation in AES-like ciphers. • the tweakable block ciphers Skinny and Mantis. • the effect of the choice of the linear operation and the round constants with regard to the resistance against invariant attacks. • the derivation of a security argument for the block cipher Simon that does not rely on computer-aided methods. Zusammenfassung Viele kryptographische Verfahren basieren auf Blockchiffren. Formal kann eine Blockchiffre als eine Familie von Permutationen auf einem endlichen bin¨arenVek- torraum definiert werden. Eine Vielzahl moderner Konstruktionen basiert auf der wechselseitigen Anwendung von nicht-linearen und linearen Abbildungen.
    [Show full text]
  • Encryption Block Cipher
    10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits.
    [Show full text]
  • SKINNY-AEAD and SKINNY-Hash Specification
    SKINNY-AEAD and SKINNY-Hash v1.1 Christof Beierle1;4, J´er´emy Jean2, Stefan K¨olbl3, Gregor Leander4, Amir Moradi4, Thomas Peyrin5, Yu Sasaki6, Pascal Sasdrich4;7, and Siang Meng Sim5 1 SnT, University of Luxembourg, Luxembourg [email protected] 2 ANSSI, Paris, France [email protected] 3 Cybercrypt A/S, Denmark [email protected] 4 Horst G¨ortzInstitute for IT Security, Ruhr-Universit¨atBochum, Germany [email protected] 5 School of Physical and Mathematical Sciences Nanyang Technological University, Singapore [email protected], [email protected] 6 NTT Secure Platform Laboratories, Japan [email protected] 7 Rambus Cryptography, The Netherlands Table of Contents 1 Introduction...........................................................3 2 Specification..........................................................5 2.1 Notations........................................................5 2.2 Parameter Sets....................................................5 2.3 The Tweakable Block Ciphers SKINNY-128-256 and SKINNY-128-384 ....6 2.4 The AEAD Scheme SKINNY-AEAD....................................9 2.5 The Hash Functionality SKINNY-Hash ................................ 26 3 Security Claims........................................................ 29 4 Design Rationale....................................................... 31 4.1 Rationale for the Tweakable Block Ciphers........................... 31 4.2 Rationale for the AEAD scheme..................................... 33 4.3 Rationale for the Hash Function Scheme............................
    [Show full text]
  • AES); Cryptography; Cryptanaly- the Candidates
    Volume 104, Number 5, September–October 1999 Journal of Research of the National Institute of Standards and Technology [J. Res. Natl. Inst. Stand. Technol. 104, 435 (1999)] Status Report on the First Round of the Development of the Advanced Encryption Standard Volume 104 Number 5 September–October 1999 James Nechvatal, Elaine Barker, In 1997, the National Institute of Standards (MARS, RC6, Rijndael, Serpent and Donna Dodson, Morris Dworkin, and Technology (NIST) initiated a pro- Twofish) as finalists. The research results James Foti, and Edward Roback cess to select a symmetric-key encryption and rationale for the selection of the fi- algorithm to be used to protect sensitive nalists are documented in this report. National Institute of Standards and (unclassified) Federal information in The five finalists will be the subject of furtherance of NIST’s statutory responsi- further study before the selection of one or Technology, bilities. In 1998, NIST announced the more of these algorithms for inclusion in Gaithersburg, MD 20899-0001 acceptance of 15 candidate algorithms the Advanced Encryption Standard. and requested the assistance of the crypto- Key words: Advanced Encryption graphic research community in analyzing Standard (AES); cryptography; cryptanaly- the candidates. This analysis included an sis; cryptographic algorithms; initial examination of the security and encryption. efficiency characteristics for each al- gorithm. NIST has reviewed the results Accepted: August 11, 1999 of this research and selected five algorithms Available online: http://www.nist.gov/jres Contents 2.4.1.2 Other Architectural Issues ...........442 1. Overview of the Development Process for the Advanced 2.4.1.3 Software .........................442 Encryption Standard and Summary of Round 1 2.4.2 Measured Speed on General Platforms.........442 Evaluations ......................................
    [Show full text]
  • Zero-Correlation Attacks on Tweakable Block Ciphers with Linear Tweakey Expansion
    Zero-Correlation Attacks on Tweakable Block Ciphers with Linear Tweakey Expansion Ralph Ankele1,4, Christoph Dobraunig2,3, Jian Guo4, Eran Lambooij5, Gregor Leander6 and Yosuke Todo7 1 Royal Holloway University of London, UK 2 Graz University of Technology, Austria 3 Digital Security Group, Radboud University, Nijmegen, The Netherlands 4 Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore 5 University of Haifa, Israel 6 Ruhr-Universität Bochum, Germany 7 NTT Secure Platform Laboratories, Japan [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] Abstract. The design and analysis of dedicated tweakable block ciphers is a quite recent and very active research field that provides an ongoing stream of new insights. For instance, results of Kranz, Leander, and Wiemer from FSE 2017 show that the addition of a tweak using a linear tweak schedule does not introduce new linear characteristics. In this paper, we consider — to the best of our knowledge — for the first time the effect of the tweak on zero-correlation linear cryptanalysis for ciphers that have a linear tweak schedule. It turns out that the tweak can often be used to get zero-correlation linear hulls covering more rounds compared to just searching zero-correlation linear hulls on the data-path of a cipher. Moreover, this also implies the existence of integral distinguishers on the same number of rounds. We have applied our technique on round reduced versions of Qarma, Mantis, and Skinny. As a result, we can present — to the best of our knowledge — the best attack (with respect to number of rounds) on a round-reduced variant of Qarma.
    [Show full text]
  • Performance Comparison of the AES Submissions
    Performance Comparison of the AES Submissions Bruce Schneier∗ John Kelseyy Doug Whitingz David Wagnerx Chris Hall{ Niels Ferguson k Version 2.0 February 1, 1999 1 Introduction of the algorithms have different performance char- acteristics for different key lengths. The results are The principal goal guiding the design of any encryp- summarized in Table 1. tion algorithm must be security. In the real world, Nine algorithms|CAST-256, Crypton, DFC, however, performance and implementation cost are E2, Frog, HPC, Mars, RC6, and Serpent|are com- always of concern. Making the assumption that the pletely independent of key length. Two algorithms| major AES candidates are secure (a big assumption, Loki97 and Twofish—encrypt and decrypt indepen- to be sure, but one that is best dealt with in an- dent of key length, but take different times to set up other paper), the most important properties the al- different-size keys1. Twofish takes longer to set up gorithms will be judged on will be the performance a longer key, while Loki97 actually takes less time and cost of implementation. to set up a longer key than it does to set up a In this paper, we will completely ignore secu- shorter key. Four algorithms|DEAL, Magenta, Ri- rity. Instead, we will compare the performance of jndael, and SAFER+|encrypt and decrypt at dif- the leading AES candidates on a variety of common ferent speeds, depending on key length. platforms: 32-bit CPUs, 64-bit CPUs, cheap 8-bit In this paper, we will concentrate on key setup smart-card CPUs, and dedicated hardware.
    [Show full text]
  • Adiantum: Length-Preserving Encryption for Entry-Level Processors
    Adiantum: length-preserving encryption for entry-level processors Paul Crowley and Eric Biggers Google LLC {paulcrowley,ebiggers}@google.com Abstract. We present HBSH, a simple construction for tweakable length-preserving encryption which supports the fastest options for hashing and stream encryption for processors without AES or other crypto instructions, with a provable quadratic advantage bound. Our composition Adiantum uses NH, Poly1305, XChaCha12, and a single AES invocation. On an ARM Cortex-A7 processor, Adiantum decrypts 4096-byte messages at 10.6 cycles per byte, over five times faster than AES-256-XTS, with a constant-time implementation. We also define HPolyC which is simpler and has excellent key agility at 13.6 cycles per byte. Keywords: super-pseudorandom permutation · variable input length · tweakable encryption · disk encryption 1 Introduction Two aspects of disk encryption make it a challenge for cryptography. First, performance is critical; every extra cycle is a worse user experience, and on a mobile device a reduced battery life. Second, the ciphertext can be no larger than the plaintext: a sector-sized read or write to the filesystem must mean a sector-sized read or write to the underlying device, or performance will again suffer greatly (as well as, in the case of writes to flash memory, the life of the device). Nonce reuse is inevitable as there is nowhere to store a varying nonce, and there is no space for a MAC; thus standard constructions like AES-GCM are not an option and standard notions of semantic security are unachievable. The best that can be done under the circumstances is a “tweakable super-pseudorandom permutation”: an adversary with access to both encryption and decryption functions who can choose tweak and plaintext/ciphertext freely is unable to distinguish it from a family of independent random permutations.
    [Show full text]
  • Tweakable Block Ciphers
    J. Cryptol. (2011) 24: 588–613 DOI: 10.1007/s00145-010-9073-y Tweakable Block Ciphers Moses Liskov Computer Science Department, The College of William and Mary, Williamsburg, VA 23187, USA [email protected] Ronald L. Rivest Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology, Cambridge, MA 02139, USA [email protected] David Wagner University of California Berkeley, Soda Hall, Berkeley, CA 94720, USA [email protected] Communicated by Mihir Bellare Received 28 July 2005 Online publication 2 September 2010 Abstract. A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a “mode of operation”—possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of tech- niques to achieve a subgoal necessary for their main goal: instantiation of “essentially different” instances of the block cipher. We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers.
    [Show full text]