Advanced Encryption Standard

Advanced Encryption Standard

ECE297:11Lecture7 Whyanewstandard? 1.Oldstandardinsecureagainstbrute-forceattacks 2.Straightforwardfixesleadtoinefficient implementations AdvancedEncryptionStandard K1 K2 K3 • TripleDES in out 3.Newtrendsinfastsoftwareencryption • useofbasicinstructionsofthemicroprocessor 4.Newwaysofassessingcipherstrength • differentialcryptanalysis • linearcryptanalysis Whyacontest? ExternalformatoftheAESalgorithm • Focustheeffortofcryptographiccommunity plaintextblock Smallnumberofspecialistsintheopenresearch 128bits • Stimulatetheresearchonmethodsofconstructing secureciphers AES key • Avoidbackdoortheories 128,192,256bits 128bits • Speed-uptheacceptanceofthestandard ciphertextblock Rulesofthecontest AESContestEffort Eachteamsubmits June1998 15Candidates Round1 Detailed Justification Tentative fromUSA,Canada,Belgium, Security France,Germany,Norway,UK, Isreal, Softwareefficiency cipher ofdesign results Korea,Japan,Australia,CostaRica description decisions ofcryptanalysis August1999 Round2 5finalcandidates Security Source Mars,RC6, Rijndael,Serpent, Twofish Source Test Hardwareefficiency code code vectors inC inJava October2000 1winner: Rijndael Belgium 1 AEScontest- FirstRound AES:Candidatealgorithms NorthAmerica (8) Europe(4) Asia(2) 15June1998 Deadlineforsubmittingcandidates 21 submissions, Canada: Germany: Korea: 15fulfilledallrequirements CAST-256 Magenta Crypton Deal August1998 1stAESConferenceinVentura,CA Belgium: Japan: USA: Presentationofcandidates Mars Rijndael E2 RC6 March1999 2ndAESConferenceinwRome,Italy Twofish France: Safer+ Australia(1) ReviewofresultsoftheFirstRound DFC HPC analysis Israel,GB, CostaRica: Australia: August1999 NISTannouncesfivefinalcandidates Norway: LOKI97 Frog Serpent FirstroundJune1998-August1999 Surveyfilledby104participantsofthe SecondAESConferenceinRome,March1999 1. Rijndael +76 Security Software 2.RC6 +73 3. Twofish +61 OverwhelmingYES Resistance implementations 4.Mars +52 toknownattacks, 5.Serpent +45 randomnesstests PC Smartcards 6.E2 +14 MildYES 7.CAST-256 -2 8.Safer+ -4 Middle-of-the-Road 9.DFC -5 10. Crypton -15 MildNO 11.DEAL -70 12.HPC -77 13.Magenta -83 OverwhelmingNO 14.Loki97 -85 15.Frog -85 AESFinalists(1) AESFinalists(2) USA Mars - IBM Europe C. Burwick,D.Coppersmith,E. D’Avignon, R. Gennaro,S. Halevi,C. Jutla,S.M. Matyas, Rijndael - J. Daemen,V. Rijmen L.O’Connor,M. Peyravian,D.Safford, KatholiekeUniversiteitLeuven N. Zunic Belgium RC6- RSADataSecurity,Inc. R. Rivest - MIT Serpent - R.Anderson,Cambridge,England M. Robshaw,R.Sidney,Y.L.Yin- RSA E. Biham - Technion,Israel L.Knudsen,UniversityofBergen,Norway Twofish - CounterpaneSystems B. Schneier,J.Kelsey,C.Hall,N.Ferguson - Counterpane,D.Whiting- Hi/fn, D.Wagner- Berkeley 2 AEScontest:SecondRound SecondroundAugust1999-August2000 13-14April2000 3rdAESConferenceinNewYork Security Hardware 15May2000 Resistanceto implementations EndofthecommentperiodforRoundII newattacks FPGA ASIC 2October2000 Winnerannounced November2001 FIPS-197:AESannounced May2002 Standardbecomeseffective HowNISThasmadeafinaldecision? Security:Theoreticalattacksbetter thanexhaustivekeysearch Serpent 9 32 BASICCRITERIA = Twofish 6 16 security softwareefficiency Mars 11 16 without16mixingrounds hardwareefficiency flexibility Rijndael 7 10 RC6 15 20 0 5 10 15 20 25 30 35 #ofroundsintheattack/total#ofrounds Security:Authorsofattacks NISTReport:Security Team Attackedcipher SecurityMargin Twofish Kelsey,Kohno, Schneier MARS Ferguson,Stay,Wagner, High Serpent MARS Whiting Serpent Twofish Serpent Rijndael Knudsen,Meier Rijndael RC6 Adequate Othergroups RC6 Lucks,U.Mannheim Twofish Gilbert, Minier,FranceTelecom Simple Complex Gilbert, Handschuh, Joux, Vaudenay,FranceTelecom Complexity 3 Efficiencyinsoftware:NIST-specifiedplatform Efficiencyinsoftware:NISTtests 200MHzPentiumPro,BorlandC++ 450MHzPentiumII,DJGPP gcc Speed[Mbits/s] Speed[Mbits/s] 128-bitkey 160 192-bitkey 128-bitkey 30 256-bitkey 140 192-bitkey 25 120 256-bitkey 20 100 80 15 60 10 40 5 20 0 0 Rijndael Rijndael RC6 Twofish Mars Serpent Mars RC6 Serpent Twofish Efficiencyinsoftware:Rankingofencryption NISTReport:SoftwareEfficiency speedsforvariousplatforms EncryptionandDecryptionSpeed Intel Alpha Sun-Sparc H-P 32-bit 64-bit DSPs processors processors Mars 442432 344 3 3 RC6 1 31 1 41 433 5 4 RC6 Rijndael Rijndael high Twofish Twofish Twofish 21 321 4 222 2 2 Rijndael Mars Rijndael 324323 1 1 1 1 1 Mars Mars medium RC6 RC6 Serpent 555555 555 4 5 Twofish low Serpent Serpent Serpent NISTReport:SoftwareEfficiency Efficiencyinsoftware:Keysetup 200MHzPentiumPro,BorlandC++ Encryptionanddecryptionspeedinsoftware Time[clockcycles] onsmartcards 25000 128-bitkey 8-bit 32-bit 192-bitkey processors 20000 processors 256-bitkey Rijndael 15000 Rijndael better high RC6 RC6 10000 medium Mars Mars Twofish 5000 low Serpent Twofish Serpent 0 Rijndael RC6 Mars Serpent Twofish 4 NISTReport:SoftwareEfficiency NISTReport:SoftwareEfficiency Keyscheduling Keyscheduling onsmartcards 32-bit 64-bit DSPs 8-bit processors processors processors Rijndael Rijndael Rijndael high Serpent high Rijndael Mars RC6 Mars Mars medium RC6 Serpent RC6 medium Twofish Mars Serpent Twofish RC6 low Twofish low Twofish Serpent Efficiencyinsoftware Efficiencyinsoftware:Conclusions Encryption/decryption Strongdependenceon: Strongvariationofresults 1.Instructionsetarchitecture (e.g.,variablerotations) Serpenttheworstformajorityofplatforms 2.Programminglanguage Keysetup (assembler,C,Java) Moderatevariationofresults 3.Compiler Rijndael andRC6thebestformajorityofplatforms 4.Programmingstyle TwofishandSerpenttheworstformajorityof platforms Primarywaysofimplementingcryptography Whichwaytogo? inhardware ASIC FPGA ASICs FPGAs Application Specific Field Programmable Integrated Circuit Gate Array Off-the-shelf Highperformance • designsmustbesent • boughtofftheshelf Lowdevelopmentcosts forexpensiveandtime andreconfiguredby consumingfabrication designersthemselves Lowpower Shorttimetothemarket insemiconductorfoundry • nophysicallayoutdesign; • designedalltheway designendswith Lowcost(butonly frombehavioraldescription abitstream used inhighvolumes) Reconfigurability tophysicallayout toconfigureadevice 5 Reconfigurability Implementationofasecret-keycipher Roundkeyscomputedon-the-fly control ExternalROMandmicroprocessorenables input key changinganFPGAfunctioninseveralmilliseconds Encryptionvs.decryptionvs.keyscheduling Control inputinterface unit FPGA FPGA FPGA Key Encryption Decryption scheduling key 5-15ms 5-15ms encryption/decryption scheduling Variousalgorithms FPGA FPGA FPGA roundkey outputinterface AES TripleDES IDEA 5-15ms 5-15ms output Implementationofasecret-keycipher TypicalFlowDiagramof Roundkeysprecomputed aSecret-KeyBlockCipher control input/key RoundKey[0] Initialtransformation inputinterface Control i:=1 unit key RoundKey[i] CipherRound scheduling i:=i+1 encryption/decryption #rounds times memoryof i<#rounds? round keys outputinterface RoundKey[#rounds+1] Finaltransformation output Basiciterativearchitecture Primaryparametersofhardwareimplementations forsecret-keyblockciphers Latency Throughput multiplexer Mi+2 M i Mi+1 M register i Timeto Encryption/ encrypt/decrypt Encryption/ oneround combinational decryption asingleblock decryption ofdata logic Numberofbits Ci+2 encrypted/decrypted Ci Ci+1 inaunitoftime Ci Block_size·Number_of_blocks_processed_simultaneously Throughput= Latency 6 Dependenceoftheencryptiontime Efficiencyinhardware:FPGA Virtex 1000:Speed onlatencyandthroughput Throughput[Mbit/s] 500 Messagesize 431 444 GeorgeMasonUniversity 450 414 UniversityofSouthernCalifornia 400 353 WorcesterPolytechnicInstitute 350 294 300 (Message_size–Block_size) Latency 250 Throughput 177 173 200 149 143 150 104 112 102 88 Time 100 62 61 50 Encryptiontime 0 Serpent Rijndael Twofish Serpent RC6 Mars I8 I1 Efficiencyinhardware:FPGA Virtex 1000:Area ASICimplementations:NSAgroup Area[CLBslices] 700 606 128-bitkeyscheduling 9000 GeorgeMasonUniversity 7964 3-in-1(128,192,256bit)keyscheduling 8000 UniversityofSouthernCalifornia 600 7000 WorcesterPolytechnicInstitute 500 443 6000 5511 4621 400 5000 4312 4507 300 4000 2507 3528 202 202 2809 2744 2666 2638 3000 200 105 105 103 104 1749 57 57 2000 1076 1137 1250 100 1000 0 Rijndael Serpent Twofish RC6 Mars 0 Twofish RC6 SerpentRijndaelMars Serpent I1 I8 I1 GMUResults: Encryptionincipherfeedbackmodes NSAResults: Encryptionincipherfeedbackmodes (CBC,CFB,OFB)- Virtex FPGA (CBC,CFB,OFB)- ASIC,0.5µmCMOS Throughput[Mbit/s] Throughput[Mbit/s] 500 700 400 600 Rijndael SerpentI8 Rijndael 500 300 400 200 Twofish SerpentI1 300 SerpentI1 100 RC6 200 Mars Mars 100 RC6 Twofish 0 0 0 1000 2000 3000 4000 5000 0 5 10 15 20 25 30 35 40 Area[CLBslices] Area[CLBslices] 7 NISTReport+GMUReport: Conclusionsforfeedbackciphermodes(1) HardwareEfficiency (CBC,CFB,OFB) Feedbackciphermodes:CBC,CFB Speed • Speed (throughput)shouldbetheprimary criteriaofcomparison High Rijndael Serpent • Basiciterativearchitectureisthemostappropriate Twofish Medium forcomparisonandfutureimplementations RC6 • Serpentand Rijndael areovertwiceasfastasthe Low MARS nextbestcandidateforallimplementations Small Medium Large Area Conclusionsforfeedbackciphermodes(2) EncryptionKeySetupLatency[µs] (CBC,CFB,OFB) 9.55 1.96 5.74 1 NSA • Resultsconfirmedby 0.8 - threeindependentuniversitygroupsfor FPGAs,and USC - NSAgroupfor ASICs 0.6 • Resultsofcomparisonindependentof 0.4 implementationtechnology (FPGAs vs. ASICs) 0.17 0.18 0.2 0.07 0.08 0.06 0 0.02 0 Mars RC6 Rijndael Serpent Twofish I1 Encryptionvs.DecryptionKeySetupLatency[µs] Feedbackciphermodes- CBC M1 M2 M3 MN-1 MN 9.55 9.55 5.74 5.74 ..

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    16 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us