Comparison of Cipher implementations 256-bit stream ciphers from cipher authors D. J. Bernstein Timing tools Thanks to: (De Canni`ere) University of Illinois at Chicago Denmark Technical University Timings Alfred P. Sloan Foundation on various machines Graphing tools (Bernstein) Speed graphs in this talk Comparison of Cipher implementations Security disasters 256-bit stream ciphers from cipher authors Attack claimed on YAMB: “258.” D. J. Bernstein 72 Timing tools Attack claimed on Py: “2 .” Thanks to: (De Canni`ere) Presumably also Py6. University of Illinois at Chicago Attack claimed on SOSEMANUK: Denmark Technical University Timings “2226.” Alfred P. Sloan Foundation on various machines Is there any dispute Graphing tools about these attacks? (Bernstein) If not: Reject YAMB etc. as competition for 256-bit AES. Speed graphs in this talk Cipher implementations Security disasters from cipher authors Attack claimed on YAMB: “258.” 72 Timing tools Attack claimed on Py: “2 .” (De Canni`ere) Presumably also Py6. Attack claimed on SOSEMANUK: Timings “2226.” on various machines Is there any dispute Graphing tools about these attacks? (Bernstein) If not: Reject YAMB etc. as competition for 256-bit AES. Speed graphs in this talk Cipher implementations Security disasters Speed disasters from cipher authors Attack claimed on YAMB: “258.” FUBUKI is slower than AES 72 in all of these benchmarks. Timing tools Attack claimed on Py: “2 .” Any hope of faster FUBUKI? (De Canni`ere) Presumably also Py6. If not: Reject FUBUKI. Attack claimed on SOSEMANUK: VEST is extremely slow Timings “2226.” on various machines in all of these benchmarks. Is there any dispute On the other hand, Graphing tools about these attacks? VEST is claimed to be (Bernstein) If not: Reject YAMB etc. as faster in hardware. competition for 256-bit AES. Speed graphs in this talk Security disasters Speed disasters Attack claimed on YAMB: “258.” FUBUKI is slower than AES in all of these benchmarks. Attack claimed on Py: “272.” Any hope of faster FUBUKI? Presumably also Py6. If not: Reject FUBUKI. Attack claimed on SOSEMANUK: VEST is extremely slow “2226.” in all of these benchmarks. Is there any dispute On the other hand, about these attacks? VEST is claimed to be If not: Reject YAMB etc. as faster in hardware. competition for 256-bit AES. Security disasters Speed disasters Remaining 256-bit ciphers: CryptMT, DICING, Dragon, Attack claimed on YAMB: “258.” FUBUKI is slower than AES HC-256, Phelix, Salsa20. in all of these benchmarks. Attack claimed on Py: “272.” Any hope of faster FUBUKI? Could say, e.g., Presumably also Py6. If not: Reject FUBUKI. “CryptMT is practically always Attack claimed on SOSEMANUK: slower than Phelix 226 VEST is extremely slow “2 .” and should be eliminated”; in all of these benchmarks. but what if Phelix is broken? Is there any dispute On the other hand, about these attacks? VEST is claimed to be Attacks on Py, SOSEMANUK If not: Reject YAMB etc. as faster in hardware. were published in December. competition for 256-bit AES. Need more time for cryptanalysis. Speed disasters Remaining 256-bit ciphers: CryptMT, DICING, Dragon, FUBUKI is slower than AES HC-256, Phelix, Salsa20. in all of these benchmarks. Any hope of faster FUBUKI? Could say, e.g., If not: Reject FUBUKI. “CryptMT is practically always slower than Phelix VEST is extremely slow and should be eliminated”; in all of these benchmarks. but what if Phelix is broken? On the other hand, VEST is claimed to be Attacks on Py, SOSEMANUK faster in hardware. were published in December. Need more time for cryptanalysis. Speed disasters Remaining 256-bit ciphers: Speedup: security margin CryptMT, DICING, Dragon, FUBUKI is slower than AES Can speed up AES HC-256, Phelix, Salsa20. in all of these benchmarks. by reducing rounds Any hope of faster FUBUKI? Could say, e.g., from 14 to, e.g., 10. If not: Reject FUBUKI. “CryptMT is practically always No known attacks. slower than Phelix VEST is extremely slow Can speed up Salsa20 and should be eliminated”; in all of these benchmarks. by reducing rounds but what if Phelix is broken? On the other hand, from 20 to, e.g., 12 or 8. VEST is claimed to be Attacks on Py, SOSEMANUK No known attacks. faster in hardware. were published in December. Do any other submissions Need more time for cryptanalysis. have a security margin? Remaining 256-bit ciphers: Speedup: security margin CryptMT, DICING, Dragon, Can speed up AES HC-256, Phelix, Salsa20. by reducing rounds Could say, e.g., from 14 to, e.g., 10. “CryptMT is practically always No known attacks. slower than Phelix Can speed up Salsa20 and should be eliminated”; by reducing rounds but what if Phelix is broken? from 20 to, e.g., 12 or 8. Attacks on Py, SOSEMANUK No known attacks. were published in December. Do any other submissions Need more time for cryptanalysis. have a security margin? Remaining 256-bit ciphers: Speedup: security margin Slowdown: forgeries CryptMT, DICING, Dragon, Can speed up AES Packets must be authenticated. HC-256, Phelix, Salsa20. by reducing rounds State of the art: Poly1305, Could say, e.g., from 14 to, e.g., 10. around 4 cycles per byte “CryptMT is practically always No known attacks. plus encrypting 16 bytes. slower than Phelix Can speed up Salsa20 and should be eliminated”; Fastest encryption implies by reducing rounds but what if Phelix is broken? fastest authenticated encryption? from 20 to, e.g., 12 or 8. Not necessarily! Attacks on Py, SOSEMANUK No known attacks. Phelix includes authentication. were published in December. Do any other submissions Need more time for cryptanalysis. Benchmarks need to cover this. have a security margin? Speedup: security margin Slowdown: forgeries Can speed up AES Packets must be authenticated. by reducing rounds State of the art: Poly1305, from 14 to, e.g., 10. around 4 cycles per byte No known attacks. plus encrypting 16 bytes. Can speed up Salsa20 Fastest encryption implies by reducing rounds fastest authenticated encryption? from 20 to, e.g., 12 or 8. Not necessarily! No known attacks. Phelix includes authentication. Do any other submissions Benchmarks need to cover this. have a security margin? Speedup: security margin Slowdown: forgeries Slowdown: timing attacks Can speed up AES Packets must be authenticated. Typical AES software by reducing rounds leaks key through timing. State of the art: Poly1305, from 14 to, e.g., 10. Often attacker can see timing. around 4 cycles per byte No known attacks. plus encrypting 16 bytes. Constant-time AES software Can speed up Salsa20 is considerably slower. Fastest encryption implies by reducing rounds fastest authenticated encryption? Slowdown depends on cipher. from 20 to, e.g., 12 or 8. Not necessarily! CryptMT, Phelix, Salsa20: 0. No known attacks. Phelix includes authentication. DICING, Dragon, HC-256: ? Do any other submissions Benchmarks need to cover this. Benchmarks need to cover this. have a security margin? Slowdown: forgeries Slowdown: timing attacks Packets must be authenticated. Typical AES software leaks key through timing. State of the art: Poly1305, Often attacker can see timing. around 4 cycles per byte plus encrypting 16 bytes. Constant-time AES software is considerably slower. Fastest encryption implies fastest authenticated encryption? Slowdown depends on cipher. Not necessarily! CryptMT, Phelix, Salsa20: 0. Phelix includes authentication. DICING, Dragon, HC-256: ? Benchmarks need to cover this. Benchmarks need to cover this..