LIGHTWEIGHT CRYPTOGRAPHY Cryptographic Engineering for a Pervasive World
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
A Quantitative Study of Advanced Encryption Standard Performance
United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible. -
Low-Latency Hardware Masking with Application to AES
Low-Latency Hardware Masking with Application to AES Pascal Sasdrich, Begül Bilgin, Michael Hutter, and Mark E. Marson Rambus Cryptography Research, 425 Market Street, 11th Floor, San Francisco, CA 94105, United States {psasdrich,bbilgin,mhutter,mmarson}@rambus.com Abstract. During the past two decades there has been a great deal of research published on masked hardware implementations of AES and other cryptographic primitives. Unfortunately, many hardware masking techniques can lead to increased latency compared to unprotected circuits for algorithms such as AES, due to the high-degree of nonlinear functions in their designs. In this paper, we present a hardware masking technique which does not increase the latency for such algorithms. It is based on the LUT-based Masked Dual-Rail with Pre-charge Logic (LMDPL) technique presented at CHES 2014. First, we show 1-glitch extended strong non- interference of a nonlinear LMDPL gadget under the 1-glitch extended probing model. We then use this knowledge to design an AES implementation which computes a full AES-128 operation in 10 cycles and a full AES-256 operation in 14 cycles. We perform practical side-channel analysis of our implementation using the Test Vector Leakage Assessment (TVLA) methodology and analyze univariate as well as bivariate t-statistics to demonstrate its DPA resistance level. Keywords: AES · Low-Latency Hardware · LMDPL · Masking · Secure Logic Styles · Differential Power Analysis · TVLA · Embedded Security 1 Introduction Masking countermeasures against side-channel analysis [KJJ99] have received a lot of attention over the last two decades. They are popular because they are relatively easy and inexpensive to implement, and their strengths and limitations are well understood using theoretical models and security proofs. -
Investigating Profiled Side-Channel Attacks Against the DES Key
IACR Transactions on Cryptographic Hardware and Embedded Systems ISSN 2569-2925, Vol. 2020, No. 3, pp. 22–72. DOI:10.13154/tches.v2020.i3.22-72 Investigating Profiled Side-Channel Attacks Against the DES Key Schedule Johann Heyszl1[0000−0002−8425−3114], Katja Miller1, Florian Unterstein1[0000−0002−8384−2021], Marc Schink1, Alexander Wagner1, Horst Gieser2, Sven Freud3, Tobias Damm3[0000−0003−3221−7207], Dominik Klein3[0000−0001−8174−7445] and Dennis Kügler3 1 Fraunhofer Institute for Applied and Integrated Security (AISEC), Germany, [email protected] 2 Fraunhofer Research Institution for Microsystems and Solid State Technologies (EMFT), Germany, [email protected] 3 Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany, [email protected] Abstract. Recent publications describe profiled single trace side-channel attacks (SCAs) against the DES key-schedule of a “commercially available security controller”. They report a significant reduction of the average remaining entropy of cryptographic keys after the attack, with surprisingly large, key-dependent variations of attack results, and individual cases with remaining key entropies as low as a few bits. Unfortunately, they leave important questions unanswered: Are the reported wide distributions of results plausible - can this be explained? Are the results device- specific or more generally applicable to other devices? What is the actual impact on the security of 3-key triple DES? We systematically answer those and several other questions by analyzing two commercial security controllers and a general purpose microcontroller. We observe a significant overall reduction and, importantly, also observe a large key-dependent variation in single DES key security levels, i.e. -
Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation
cryptography Article Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation Takeshi Sugawara Department of Informatics, The University of Electro-Communications, Tokyo 182-8585, Japan; [email protected] Received: 30 June 2020; Accepted: 5 August 2020; Published: 9 August 2020 Abstract: SAEAES is the authenticated encryption algorithm instantiated by combining the SAEB mode of operation with AES, and a candidate of the NIST’s lightweight cryptography competition. Using AES gives the advantage of backward compatibility with the existing accelerators and coprocessors that the industry has invested in so far. Still, the newer lightweight block cipher (e.g., GIFT) outperforms AES in compact implementation, especially with the side-channel attack countermeasure such as threshold implementation. This paper aims to implement the first threshold implementation of SAEAES and evaluate the cost we are trading with the backward compatibility. We design a new circuit architecture using the column-oriented serialization based on the recent 3-share and uniform threshold implementation (TI) of the AES S-box based on the generalized changing of the guards. Our design uses 18,288 GE with AES’s occupation reaching 97% of the total area. Meanwhile, the circuit area is roughly three times the conventional SAEB-GIFT implementation (6229 GE) because of a large memory size needed for the AES’s non-linear key schedule and the extended states for satisfying uniformity in TI. Keywords: threshold implementation; SAEAES; authenticated encryption, side-channel attack; changing of the guards; lightweight cryptography; implementation 1. Introduction There is an increasing demand for secure data communication between embedded devices in many areas, including automotive, industrial, and smart-home applications. -
ASIC-Oriented Comparative Review of Hardware Security Algorithms for Internet of Things Applications Mohamed A
ASIC-Oriented Comparative Review of Hardware Security Algorithms for Internet of Things Applications Mohamed A. Bahnasawi1, Khalid Ibrahim2, Ahmed Mohamed3, Mohamed Khalifa Mohamed4, Ahmed Moustafa5, Kareem Abdelmonem6, Yehea Ismail7, Hassan Mostafa8 1,3,5,6,8Electronics and Electrical Communications Engineering Department, Cairo University, Giza, Egypt 2Electronics Department, Faculty of Information Engineering and Technology, German University in Cairo, Cairo, Egypt 4Electrical, Electronics and Communications Engineering Department, Faculty of Engineering, Alexandria University, Egypt 7,8Center for Nanoelectronics and Devices, AUC and Zewail City of Science and Technology, New Cairo, Egypt {[email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected] } Abstract— Research into the security of the Internet of Applications have different requirements for the Things (IoT) needs to utilize particular algorithms that offer cryptographic algorithms that secure them, varying in the ultra-low power consumption and a long lifespan, along with throughput needed, the extent of immunity against attacks, other parameters such as strong immunity against attacks, power consumption, the area needed on-chip, etc. The lower chip area and acceptable throughput. This paper offers Internet of Things (IoT) focuses mainly on low-power an ASIC-oriented comparative review of the most popular and implementations of security algorithms. This is because powerful cryptographic algorithms worldwide, namely AES, most of them are related to autonomous applications or 3DES, Twofish and RSA. The ASIC implementations of those embedded systems applications (i.e. an ultra-thin sensor algorithms are analyzed by studying statistical data extracted system [2] embedded inside clothes or biomedical from the ASIC layouts of the algorithms and comparing them to determine the most suited algorithms for IoT hardware- applications). -
Comparison of 256-Bit Stream Ciphers at the Beginning of 2006
Comparison of 256-bit stream ciphers at the beginning of 2006 Daniel J. Bernstein ? [email protected] Abstract. This paper evaluates and compares several stream ciphers that use 256-bit keys: counter-mode AES, CryptMT, DICING, Dragon, FUBUKI, HC-256, Phelix, Py, Py6, Salsa20, SOSEMANUK, VEST, and YAMB. 1 Introduction ECRYPT, a consortium of European research organizations, issued a Call for Stream Cipher Primitives in November 2004. A remarkable variety of ciphers were proposed in response by a total of 97 authors spread among Australia, Belgium, Canada, China, Denmark, England, France, Germany, Greece, Israel, Japan, Korea, Macedonia, Norway, Russia, Singapore, Sweden, Switzerland, and the United States. Evaluating a huge pool of stream ciphers, to understand the merits of each cipher, is not an easy task. This paper simplifies the task by focusing on the relatively small pool of ciphers that allow 256-bit keys. Ciphers limited to 128- bit keys (or 80-bit keys) are ignored. See Section 2 to understand my interest in 256-bit keys. The ciphers allowing 256-bit keys are CryptMT, DICING, Dragon, FUBUKI, HC-256, Phelix, Py, Py6, Salsa20, SOSEMANUK, VEST, and YAMB. I included 256-bit AES in counter mode as a basis for comparison. Beware that there are unresolved claims of attacks against Py (see [4] and [3]), SOSEMANUK (see [1]), and YAMB (see [5]). ECRYPT, using measurement tools written by Christophe De Canni`ere, has published timings for each cipher on several common general-purpose CPUs. The original tools and timings used reference implementations (from the cipher authors) but were subsequently updated for faster implementations (also from the cipher authors). -
Cs 255 (Introduction to Cryptography)
CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2. -
Two Practical and Provably Secure Block Ciphers: BEAR and LION
Two Practical and Provably Secure Block Ciphers: BEAR and LION Ross Anderson 1 and Eh Biham 2 Cambridge University, England; emall rja14~cl.cmn.ar .uk 2 Technion, Haifa, Israel; email biham~cs .teclmion.ac.il Abstract. In this paper we suggest two new provably secure block ci- phers, called BEAR and LION. They both have large block sizes, and are based on the Luby-Rackoff construction. Their underlying components are a hash function and a stream cipher, and they are provably secure in the sense that attacks which find their keys would yield attacks on one or both of the underlying components. They also have the potential to be much faster than existing block ciphers in many applications. 1 Introduction There are a number of ways in which cryptographic primitives can be trans- formed by composition, such as output feedback mode which transforms a block cipher into a stream cipher, and feedforward mode which transforms it into a hash function [P]. A number of these reductions are provable, in the sense that certain kinds of attack on the composite function would yield an attack on the underlying primitive; a recent example is the proof that the ANSI message au- thentication code is as secure as the underlying block cipher [BKR]. One construction which has been missing so far is a means of building a block cipher out of a stream cipher. In this paper, we show provably secure ways to construct a block cipher from a stream cipher and a hash function. Given that ways of constructing keyed hash functions from stream ciphers already exist [LRW] [K], this enables block ciphers to be constructed from stream ciphers. -
CHUCK CHONSON: AMERICAN CIPHER by ERIC NOLAN A
CHUCK CHONSON: AMERICAN CIPHER By ERIC NOLAN A THESIS PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF FINE ARTS UNIVERSITY OF FLORIDA 2003 Copyright 2003 by Eric Nolan To my parents, and to Nicky ACKNOWLEDGMENTS I thank my parents, my teachers, and my colleagues. Special thanks go to Dominique Wilkins and Don Mattingly. iv TABLE OF CONTENTS ACKNOWLEDGMENTS..................................................................................................iv ABSTRACT......................................................................................................................vii CHAPTER 1 LIVE-IN GIRLFRIEND, SHERRY CRAVENS ...................................................... 1 2 DEPARTMENT CHAIR, FURRY LUISSON..........................................................8 3 TRAIN CONDUCTOR, BISHOP PROBERT........................................................ 12 4 TWIN BROTHER, MARTY CHONSON .............................................................. 15 5 DEALER, WILLIE BARTON ................................................................................ 23 6 LADY ON BUS, MARIA WOESSNER................................................................. 33 7 CHILDHOOD PLAYMATE, WHELPS REMIEN ................................................ 36 8 GUY IN TRUCK, JOE MURHPY .........................................................................46 9 EX-WIFE, NORLITTA FUEGOS...........................................................................49 10 -
Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format. -
Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F
Applications of search techniques to cryptanalysis and the construction of cipher components. James David McLaughlin Submitted for the degree of Doctor of Philosophy (PhD) University of York Department of Computer Science September 2012 2 Abstract In this dissertation, we investigate the ways in which search techniques, and in particular metaheuristic search techniques, can be used in cryptology. We address the design of simple cryptographic components (Boolean functions), before moving on to more complex entities (S-boxes). The emphasis then shifts from the construction of cryptographic arte- facts to the related area of cryptanalysis, in which we first derive non-linear approximations to S-boxes more powerful than the existing linear approximations, and then exploit these in cryptanalytic attacks against the ciphers DES and Serpent. Contents 1 Introduction. 11 1.1 The Structure of this Thesis . 12 2 A brief history of cryptography and cryptanalysis. 14 3 Literature review 20 3.1 Information on various types of block cipher, and a brief description of the Data Encryption Standard. 20 3.1.1 Feistel ciphers . 21 3.1.2 Other types of block cipher . 23 3.1.3 Confusion and diffusion . 24 3.2 Linear cryptanalysis. 26 3.2.1 The attack. 27 3.3 Differential cryptanalysis. 35 3.3.1 The attack. 39 3.3.2 Variants of the differential cryptanalytic attack . 44 3.4 Stream ciphers based on linear feedback shift registers . 48 3.5 A brief introduction to metaheuristics . 52 3.5.1 Hill-climbing . 55 3.5.2 Simulated annealing . 57 3.5.3 Memetic algorithms . 58 3.5.4 Ant algorithms . -
All-Or-Nothing Encryption and the Package Transform
All-or-Nothing Encryption and the Package Transform Ronald L. Rivest MIT Laboratory for Computer Science 545 Technology Square, Cambridge, Mass. 02139 rivest@theory, ics.mit, edu Abstract. We present a new mode of encryption for block ciphers, which we call all-or-nothing encryption. This mode has the interesting defining property that one must decrypt the entire ciphertext before one can de- termine even one message block. This means that brute-force searches against all-or-nothing encryption are slowed down by a factor equal to the number of blocks in the ciphertext. We give a specific way of im- plementing all-or-nothing encryption using a "package transform" as a pre-processing step to an ordinary encryption mode. A package trans- form followed by ordinary codebook encryption also has the interest- ing property that it is very efficiently implemented in parallel. All-or- nothing encryption can also provide protection against chosen-plaintext and related-message attacks. 1 Introduction One way in which a cryptosystem may be attacked is by brute-force search: an adversary tries decrypting an intercepted ciphertext with all possible keys until the plaintext "makes sense" or until it matches a known target plaintext. Our primary motivation is to devise means to make brute-force search more difficult, by appropriately pre-processing a message before encrypting it. In this paper, we assume that the cipher under discussion is a block cipher with fixed-length input/output blocks, although our remarks generalize to other kinds of ciphers. An "encryption mode" is used to extend the encryption function to arbitrary length messages (see, for example, Schneier [9] and Biham [3]).