Lightweight Crypto: An Overview
Bart Preneel, COSIC, K.U.Leuven, Belgium
Bart.Preneel(at)esat.kuleuven.be
http://homes.esat.kuleuven.be/~preneel
Finse, Norway – April 2010
http://www.ecrypt.eu.org

Information processing
Figure: growth of the number of information-processing devices, from mechanical (10^4) to mainframe (10^5), PCs and LANs (10^7), Internet and mobile (10^9), and the Internet of things, ubiquitous computing, pervasive computing and ambient intelligence (10^12)
• Everything is always connected everywhere

Research ↔ Practice
Figure: timeline from the 1970s to the 2000s, research on the left and practice on the right, with implementations moving from HARDWARE to SOFTWARE to EVERYWHERE
• Research: DES, RSA, DH, CBC-MAC; provable security (PKC); ZK, ElGamal, ECC, stream ciphers; quantum crypto; provable security (SKC); key escrow; quantum cryptanalysis; how to use RSA?; alternatives to RSA; ID-based crypto
• Practice: limited (govt + financial sector); DES; 3DES; MD4, MD5; GSM, PGP; C libraries (RSA, DH); SSL/TLS, IPsec, SSH, S/MIME; Java crypto libraries; WLAN; PKI; AES; trusted computing, DRM; 3GPP, RFID, sensor nodes …

Implementations in embedded systems
• Continuum between software and hardware: ASIC (microcode) – FPGA – fully programmable processor

Lightweight crypto design (slide credit: Prof. Ingrid Verbauwhede)
• Overall protocol crucial
• Security architecture: SK-PK, central-distributed
• Relative cost of computation/communication/storage
• Architectural decisions
– area
– clock frequency
– power consumption and energy
• Flexibility can be sacrificed
• Side channel attacks
Figure: design levels from protocol down to technology. Protocol: wireless authentication protocol, identification, SIM design, biometrics (confidentiality, integrity). Algorithm: cipher design, embedded fingerprint matching algorithms, crypto algorithms (Java, JCA). Architecture: co-design, HW/SW, SoC (JVM/KVM; CPU, crypto co-processor, MEM). Micro-architecture: co-processor design. Circuit: circuit techniques to combat side channel analysis attacks (Vcc, D/Q flip-flop, CLK). Technology-aware solutions?

Challenges for crypto
• security for 50-100 years
• authenticated encryption of Terabit/s networks
• ultra-low power/footprint
• secure software and hardware implementations
• algorithm agility
Figure: trade-off triangle between cost, security and performance

Outline
• Context
• Block ciphers
• Stream ciphers
• Hash functions
• MAC algorithms
• Public-key cryptography
• Secure implementations
• RFID protocols

Block cipher
Figure: plaintext blocks P1, P2, P3 each go through the block cipher independently and come out as C1, C2, C3
• larger data units: 64…128 bits
• memoryless
• repeat simple operation (round) many times

Block ciphers (key length in bits in parentheses)
• 64-bit block: 3-DES (112-168), IDEA (128), MISTY1 (128), KASUMI (128 in 3G, 64 in 2G), HIGHT (128), PRESENT (80-128), TEA (128), mCRYPTON (128), KATAN (80)
• 128-bit block: AES (128-192-256), CAMELLIA, RC6, CLEFIA
Symmetric key lengths (cost of exhaustive key search):
• 56 bits: 4 seconds with M$ 5
• 80 bits: 2 years with M$ 5
• 128 bits: 256 billion years with B$ 5
Figure: key length scale 0 … 50 … 80 … 128 bits, from "insecure?" to "secure"

3-DES: NIST Spec. Pub. 800-67 (May 2004)
Figure: clear text → DES (key 1) → DES^-1 (key 2) → DES (key 3) → ciphertext
• single DES abandoned (56 bit)
• double DES not good enough (72 bit)
• 2-key triple DES: until 2009 (80 bit)
• 3-key triple DES: until 2030 (100 bit)
• extremely vulnerable to a related key attack
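The 3-DES slide rates double DES at only about 72 bits of security although it has a 112-bit key. The reason is the meet-in-the-middle attack, which the following added example demonstrates (my code, not from the slides, and the cipher in it is a constructed 16-bit-key toy Feistel with no relation to DES). Brute-forcing double encryption under two independent 16-bit keys would cost 2^32 trial decryptions; the meet-in-the-middle search below recovers both keys with about 2 · 2^16 cipher calls and a 2^16-entry table, which is the same effect that turns 112 bits into roughly 2^57 work plus memory for double DES.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit-key Feistel
cipher (constructed for this demo; not DES). Added example, not from the slides."""
MASK16 = 0xFFFF
ROUNDS = 4

def _f(half: int, rk: int) -> int:
    """Toy round function: key mix, multiply-add, rotate. Only needs to be non-linear."""
    x = (half ^ rk) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16
    return (((x << 5) | (x >> 11)) & MASK16) ^ (x >> 3)

def _round_keys(key: int) -> list:
    """Toy key schedule: rotate the 16-bit key and XOR in a round constant."""
    keys = []
    for r in range(ROUNDS):
        rot = ((key << r) | (key >> (16 - r))) & MASK16
        keys.append((rot ^ (0x1234 * (r + 1))) & MASK16)
    return keys

def toy_encrypt(key: int, block: int) -> int:
    """4-round Feistel on a 32-bit block: (L, R) -> (R, L ^ f(R, rk)) per round."""
    L, R = block >> 16, block & MASK16
    for rk in _round_keys(key):
        L, R = R, L ^ _f(R, rk)
    return (L << 16) | R

def toy_decrypt(key: int, block: int) -> int:
    """Inverse: run the rounds backwards with the round keys in reverse order."""
    L, R = block >> 16, block & MASK16
    for rk in reversed(_round_keys(key)):
        L, R = R ^ _f(L, rk), L
    return (L << 16) | R

def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs):
    """pairs: [(plaintext, ciphertext), ...] under double encryption with unknown (k1, k2).
    Returns every (k1, k2) consistent with all pairs, using ~2 * 2^16 cipher calls
    and a 2^16-entry table instead of 2^32 trial decryptions."""
    p0, c0 = pairs[0]
    # Forward half: middle value after the first encryption -> all k1 producing it.
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    # Backward half: decrypt c0 under every k2 and look the middle value up.
    for k2 in range(1 << 16):
        mid = toy_decrypt(k2, c0)
        for k1 in table.get(mid, ()):
            # A single 32-bit block leaves ~2^32 * 2^-32 = 1 false match on average,
            # so every candidate is confirmed on the remaining plaintext/ciphertext pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

def demo():
    """Constructed secret keys and two known plaintext/ciphertext pairs."""
    k1, k2 = 0xBEEF, 0x1337
    plaintexts = [0x01234567, 0x89ABCDEF]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print(demo())
```

Two known pairs are needed: the first drives the table and the lookup, the second weeds out the roughly one false match that a 32-bit block cannot avoid. With a 64-bit block and 56-bit keys, as in double DES, the same search needs 2^56 table entries, which is why the practical estimate on the slide is about 72 bits rather than 112.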
AES (2001)
• FIPS 197 published in December 2001 after a 4-year open competition
– other standards: ISO, IETF, IEEE 802.11, …
• fast adoption in the market
– except for the financial sector
– NIST validation list: 1267 implementations
• http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
• 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information!
• security:
– algebraic attacks of [Courtois+02] not effective
– side channel attacks: cache attacks on unprotected implementations
• [Shamir '07]: AES may well be the last block cipher

AES variants (2001)
• AES-128: 10 rounds, 128-bit key (sensitive information)
• AES-192: 12 rounds, 192-bit key (classified)
• AES-256: 14 rounds, 256-bit key (secret and top secret)
Figure: plaintext → round … round → ciphertext, with the key schedule expanding the 128/192/256-bit key into one round key per round
• lightweight key schedule, in particular for the 256-bit version

AES implementations: efficient/compact
• HW: 43 Gbit/s in 130 nm CMOS ['05]
• Intel: new AES instruction: 0.75 cycles/byte ['09-'10]
• SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s, bitsliced [Käsper-Schwabe'09]
• HW: most compact: 3600 gates
– PRESENT: 1029, KATAN: 1054, CLEFIA: 4950

AES-256 security
• Exhaustive key search on AES-256 takes 2^256 encryptions
– 2^64: 10 minutes with $ 5M
– 2^80: 2 years with $ 5M
– 2^120: 1 billion years with $ 5B
• [Biryukov-Khovratovich'09] related key attack on AES-256
– requires 2^119 encryptions with 4 related keys
– data & time complexity 2^119 << 2^256
• Why does it work? Very lightweight key schedule
• Is AES-256 broken? No, only an academic "weakness" that is easy to fix
• No implications on security of AES-128 for encryption
• Do not use AES-256 in a hash function construction

What is a related key attack?
• Attacker chooses plaintexts and key difference C
• Attacker gets ciphertexts
• Task: find the key
Figure: plaintext1 is encrypted under Key (256) to give ciphertext1; plaintext2 is encrypted under Key (256) ⊕ C to give ciphertext2
AES-256 [Biryukov-Khovratovich'09], [Biryukov-Dunkelman-Keller-Khovratovich-Shamir'09]
• Related key attack: 4 keys, data & time complexity 2^119 << 2^256
Figure: plaintext → 14 rounds → ciphertext, with the 256-bit key schedule feeding each round

Should I worry about a related key attack? (slide credit: Orr Dunkelman)
• Very hard in practice (except some old US banking schemes)
• If you are vulnerable to a related key attack, you are making very bad implementation mistakes
• This is a very powerful attack model: if an opponent can zeroize (= AND 0) 224 key bits of his choice (rather than ⊕ C), he can find the key in a few seconds for any cipher with a 256-bit key
• If you are worried, hashing the key is an easy fix

Keeloq [Smit+/-'85], aka the M$10 cipher
• block length: 32
• key length: 64
• rounds: 528

KATAN/KTANTAN [De Cannière-Dunkelman-Knežević'09]
http://www.cs.technion.ac.il/~orrd/KATAN/
• block length: 32, 48, 64
• key length: 80
• rounds: 254

Low cost hardware [Bogdanov+08, Sugawara+08]
Figure: bar chart of throughput/area (bps/GE) at a 100 KHz clock for PRESENT-80, mCRYPTON-96, HIGHT, 3-DES, AES-128, TEA, KATAN, CLEFIA, MISTY1 and PRESENT-128
• Warning: this is not a "fair" comparison
– technologies range from 90 nm to 350 nm
– power consumption could be a real problem

Low cost hw: throughput versus area
Figure: throughput (Kbps) at a 100 KHz clock versus gate equivalents (0 to 6000); the technology node in units of 10 nm is given in parentheses: mCRYPTON-96 (13), CLEFIA (9), PRESENT-128 (18), HIGHT (25), TEA (18), TDEA (9), KATAN (18), MISTY1 (18), AES (35), AES (13), PRESENT-80 (18)
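The "Should I worry about a related key attack?" slide above makes two points that are easy to verify in code: an attacker who can zeroize key bits of his choice recovers any 256-bit key in seconds whatever the cipher, and hashing the key removes the attacker's control over the ⊕ C relation. The following added example (mine, not from the slides) does both. The cipher is a black box: a keyed function built from SHA-256 is assumed as a stand-in, and the attack never looks inside it, which is exactly why the slide calls the model too strong to be meaningful. Chunking the key into 8-bit pieces rather than the slide's 32 is my choice; it only makes the divide-and-conquer cheaper.

```python
"""The 'zeroize 224 key bits of your choice' model from the related-key slide, run
against a black-box keyed function, plus the hash-the-key fix. Added example."""
import hashlib
import os

KEY_BYTES = 32   # 256-bit key, as for AES-256

def keyed_box(key: bytes, block: bytes) -> bytes:
    """Stand-in for any cipher with a 256-bit key (assumption: SHA-256(key || block)).
    The attack below never depends on what this function does internally."""
    return hashlib.sha256(key + block).digest()

class ZeroizeOracle:
    """Models an implementation in which the attacker can AND the secret key with a
    mask of his choice before each encryption (far stronger than XORing a constant)."""
    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self.queries = 0
    def encrypt(self, mask: bytes, block: bytes) -> bytes:
        self.queries += 1
        k = bytes(a & b for a, b in zip(self._key, mask))
        return keyed_box(k, block)

def recover_key(oracle: ZeroizeOracle, chunk_bytes: int = 1) -> bytes:
    """Divide and conquer: zeroize everything except one chunk, query once, then
    brute-force that chunk offline. 32 chunks of 8 bits cost 32 queries and at most
    32 * 2^8 offline encryptions instead of 2^256."""
    probe = b"\x00" * 16
    recovered = bytearray(KEY_BYTES)
    for start in range(0, KEY_BYTES, chunk_bytes):
        mask = bytearray(KEY_BYTES)
        mask[start:start + chunk_bytes] = b"\xff" * chunk_bytes
        target = oracle.encrypt(bytes(mask), probe)
        for cand in range(1 << (8 * chunk_bytes)):
            trial = bytearray(KEY_BYTES)
            trial[start:start + chunk_bytes] = cand.to_bytes(chunk_bytes, "big")
            if keyed_box(bytes(trial), probe) == target:
                recovered[start:start + chunk_bytes] = trial[start:start + chunk_bytes]
                break
        else:
            raise RuntimeError("no candidate matched; oracle does not behave as modelled")
    return bytes(recovered)

def hashed_key(key: bytes) -> bytes:
    """The slide's easy fix: use H(key) as the actual cipher key."""
    return hashlib.sha256(key).digest()

def chosen_difference_survives(key: bytes, c: bytes) -> bool:
    """True iff an attacker who XORs C into the stored key still gets the relation
    key' = key ^ C on the key the cipher uses. With hashing the difference on the
    derived keys is unpredictable, so this returns False."""
    k1 = hashed_key(key)
    k2 = hashed_key(bytes(a ^ b for a, b in zip(key, c)))
    return bytes(a ^ b for a, b in zip(k1, k2)) == c

def demo():
    """Random secret key (constructed); returns (recovered correctly?, oracle queries)."""
    secret = os.urandom(KEY_BYTES)
    oracle = ZeroizeOracle(secret)
    return recover_key(oracle) == secret, oracle.queries

if __name__ == "__main__":
    print(demo())
```

Note what the fix does and does not do: hashing the key destroys a chosen XOR relation, so the [Biryukov-Khovratovich'09] style of attack has nothing to work with, but it does not help against an attacker who can genuinely AND bits of the stored key, since he can zeroize the input to the hash just as well. That attacker has already compromised the implementation, which is the slide's argument that the model is unrealistic.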
Stream ciphers
• historically very important (compact)
– LFSR-based: A5/1, E0 – practical attacks known
– software-oriented: RC4 – serious weaknesses
– block cipher in CTR or OFB (slower)
• today:
– many broken schemes
– lack of standards and open solutions
– standards: SNOW 2.0, SNOW 3G, MUGI, Rabbit, DECIM, K2, …

Block ciphers: conclusions
• Several mature block ciphers available
• Security well understood, in particular against statistical attacks (differential, linear) and structural attacks
• More work:
– algebraic attacks
– related key attacks
– understanding of structural tradeoffs
• What are the limitations for lightweight block ciphers?

Moore's Law: computation/storage 2000-2020
Figure: log-scale plot (1 to 1,000,000) over 2000-2016 of storage in Gigabyte/s, Ethernet speed in Gbps and microprocessor performance in Gflops/s

Open competition for stream ciphers
http://www.ecrypt.eu.org
• run by ECRYPT
– high performance in software (32/64-bit): 128-bit key
– low-gate count hardware (< 1000 gates): 80-bit key
– variants: authenticated encryption
• 29 April 2005: 33 submissions
• Many broken in first year
• End of competition: April 2008

Trivium
Figure: the Trivium state, three shift registers with AND/XOR feedback taps and one output bit per clock

The eSTREAM Portfolio Apr. 2008 (Rev1 Sept. 2008), in alphabetical order
• Software (3-10 cycles per byte): HC-128, Rabbit, Salsa20/12, Sosemanuk
• Hardware (1500..3000 gates): F-FCSR-H, Grain v1, MICKEY v2, Trivium
(F-FCSR-H was dropped from the portfolio in the September 2008 revision after the key-recovery attack by Hell and Johansson; the other seven remain.)

Performance reference data (Pentium M 1.70GHz Model 6/9/5)
Figure: bar charts of encryption speed in cycles/byte (scale 0-120) and key setup in cycles (scale 0-35000) for RC4, HC-128, DES, 3-DES and AES

Cube attack [Dinur-Shamir'08]
• Exploits low degree equations in the stream cipher
• Can break certain ciphers which could not be broken before
• … media hype and controversy
– relation to higher order attacks (Lai) and AIDA (algebraic IV differential attack) (Vielhaber)
• Trivium:
– key setup can be broken if the number of initialization rounds is reduced from 1152 (4 × 288 in the specification) to 793 (AIDA) or 767 (cube)
– attack can probably be further improved
– solution: increase number of rounds to 2048
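The cube attack slide is about the number of initialization clocks of Trivium, and the Trivium slide shows the three-register structure only as a figure. The following added example is my bit-level implementation of Trivium from the published specification (not the designers' reference code and not part of the slides), with the initialization count as a parameter so that the full cipher (1152 clocks) and the reduced-round variants the attacks target (767, 793) can be run side by side. The bit ordering inside the key and IV bytes (least significant bit first) is an assumption of this code.

```python
"""Trivium (eSTREAM hardware portfolio), bit by bit, with the number of
initialization clocks as a parameter. Added example, written from the spec."""

STATE_BITS = 288
INIT_CLOCKS = 4 * STATE_BITS   # 1152 in the specification; reduced variants are attackable

def _bits(data: bytes, n: int) -> list:
    """First n bits of a byte string, least significant bit of each byte first (assumption)."""
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(n)]

class Trivium:
    def __init__(self, key: bytes, iv: bytes, init_clocks: int = INIT_CLOCKS):
        assert len(key) == 10 and len(iv) == 10, "Trivium takes an 80-bit key and an 80-bit IV"
        k, v = _bits(key, 80), _bits(iv, 80)
        # Registers of 93, 84 and 111 bits: a = s1..s93, b = s94..s177, c = s178..s288
        # in the spec's 1-based numbering, so a[0] is s1, b[0] is s94, c[0] is s178.
        self.a = k + [0] * 13
        self.b = v + [0] * 4
        self.c = [0] * 108 + [1, 1, 1]   # s286, s287, s288 are set to 1
        for _ in range(init_clocks):
            self._clock()                # output discarded during initialization

    def _clock(self) -> int:
        """One clock: compute the output bit, update the three feedback taps, shift."""
        a, b, c = self.a, self.b, self.c
        t1 = a[65] ^ a[92]               # s66 + s93
        t2 = b[68] ^ b[83]               # s162 + s177
        t3 = c[65] ^ c[110]              # s243 + s288
        z = t1 ^ t2 ^ t3
        t1 ^= (a[90] & a[91]) ^ b[77]    # + s91*s92 + s171
        t2 ^= (b[81] & b[82]) ^ c[86]    # + s175*s176 + s264
        t3 ^= (c[108] & c[109]) ^ a[68]  # + s286*s287 + s69
        a.insert(0, t3); a.pop()         # (s1..s93)    <- (t3, s1..s92)
        b.insert(0, t1); b.pop()         # (s94..s177)  <- (t1, s94..s176)
        c.insert(0, t2); c.pop()         # (s178..s288) <- (t2, s178..s287)
        return z

    def keystream(self, n_bytes: int) -> bytes:
        """n_bytes of keystream, eight clocks per byte, first output bit in bit 0."""
        out = bytearray()
        for _ in range(n_bytes):
            byte = 0
            for i in range(8):
                byte |= self._clock() << i
            out.append(byte)
        return bytes(out)

def trivium_xor(key: bytes, iv: bytes, data: bytes, init_clocks: int = INIT_CLOCKS) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    ks = Trivium(key, iv, init_clocks).keystream(len(data))
    return bytes(x ^ y for x, y in zip(data, ks))

if __name__ == "__main__":
    key, iv = bytes(range(10)), bytes(range(10, 20))   # constructed sample values
    print(trivium_xor(key, iv, b"attack at dawn").hex())
```

With init_clocks=0 and an all-zero key and IV the first output byte can be followed by hand: only the three 1 bits at the end of the third register reach the s288 tap, so the first three output bits are 1 and the next five are 0. That is the kind of low-degree behaviour of the early clocks that cube and AIDA attacks exploit, and why the full 1152 clocks (or the 2048 the slide suggests) matter.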
Low cost hw: throughput versus area (stream ciphers added)
Figure: the same plot of throughput (Kbps at a 100 KHz clock) versus gate equivalents (0 to 6000), technology in units of 10 nm in parentheses; GRAIN[8] (13), Trivium[8] (13) and Enocoro-80[8] (18) sit well above the block ciphers mCRYPTON-96 (13), CLEFIA (9), PRESENT-128 (18), HIGHT (25), TEA (18), TDEA (9), KATAN (18), MISTY1 (18), AES (35), AES (13) and PRESENT-80 (18) at comparable area

Stream ciphers: conclusions
• Substantial progress made in last 5 years
– concrete designs
– data-time-memory tradeoffs
• 80-bit security implies 160-bit memory (seems to be a lower bound)
• Many designs still "at the edge" (quite risky)
• Expect further progress

Hash functions
Figure: a long input ("This is an input to a cryptographic hash function.") is mapped to a short hash value
• MDC (manipulation detection code)
• Protect short hash value rather than long text
• collision resistance
• preimage resistance
• 2nd preimage resistance

The complexity of collision attacks
• Brute force: 4 million PCs or US$ 100K hardware (1 year)
Figure: log2 of the best collision attack complexity over time (vertical scale 50 to 90) for MD4, MD5, SHA-0, …
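The hash function slides list collision, preimage and 2nd preimage resistance and then give the brute-force cost of a collision. The gap between those numbers is the birthday bound: a generic collision on an n-bit hash costs about 2^(n/2) evaluations, a generic preimage about 2^n. The following added example (my code, not from the slides) runs both generic attacks on SHA-256 truncated to a small number of bits, which is assumed here purely as a stand-in for a short hash, so that the ratio is visible in seconds.

```python
"""Generic birthday collision search versus brute-force preimage search on a
truncated hash. Added example, not from the slides."""
import hashlib

def truncated_hash(data: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its n_bits most significant bits (stand-in for a short hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits: int, seed: bytes = b"msg"):
    """Table-based birthday search: hash distinct messages and stop at the first repeat.
    Returns (m1, m2, evaluations); expected evaluations ~ 1.25 * 2^(n_bits / 2),
    at the price of storing every hash seen so far."""
    seen = {}
    counter = 0
    while True:
        m = seed + counter.to_bytes(8, "big")     # distinct message per counter value
        h = truncated_hash(m, n_bits)
        if h in seen:
            return seen[h], m, counter + 1
        seen[h] = m
        counter += 1

def find_preimage(target: int, n_bits: int, seed: bytes = b"pre", limit: int = None):
    """Brute-force preimage: try messages until one hashes to target.
    Expected 2^n_bits evaluations; returns (message or None, evaluations)."""
    counter = 0
    while limit is None or counter < limit:
        m = seed + counter.to_bytes(8, "big")
        if truncated_hash(m, n_bits) == target:
            return m, counter + 1
        counter += 1
    return None, counter

def demo():
    """Collision on a 32-bit hash versus preimage on a 16-bit hash; both are expected to
    cost on the order of 2^16 evaluations, which is the point of the comparison.
    Returns (collision_evaluations, preimage_evaluations)."""
    _, _, col_evals = find_collision(32)
    target = truncated_hash(b"target", 16)
    m, pre_evals = find_preimage(target, 16, limit=1 << 20)
    assert m is not None
    return col_evals, pre_evals

if __name__ == "__main__":
    print(demo())
```

Scaling the same two loops to MD5's 128-bit output gives 2^64 for the collision and 2^128 for the preimage, which is the "4 million PCs or US$ 100K hardware for a year" figure on the slide for the brute-force collision; the dedicated attacks on MD4, MD5 and SHA-0 in the figure are the ones that push the collision cost far below 2^(n/2).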
