SHARCS '09 Special-purpose Hardware for Attacking Cryptographic Systems 9{10 September 2009 Lausanne, Switzerland Organized by within ECRYPT II European Network of Excellence in Cryptography Program committee: Daniel J. Bernstein, University of Illinois at Chicago, USA Roger Golliver, Intel Corporation, USA Tim G¨uneysu,Horst G¨ortzInstitute for IT Security, Ruhr-Universit¨at Bochum, Germany Marcelo E. Kaihara, Ecole´ Polytechnique F´ed´eralede Lausanne, Switzerland Tanja Lange, Technische Universiteit Eindhoven, The Netherlands Arjen Lenstra, Ecole´ Polytechnique F´ed´eralede Lausanne, Switzerland Christof Paar, Horst G¨ortzInstitute for IT Security, Ruhr-Universit¨at Bochum, Germany Jean-Jacques Quisquater, Universit´eCatholique de Louvain, Belgium Eran Tromer, Massachusetts Institute of Technology, USA Michael J. Wiener, Cryptographic Clarity, Canada Subreviewers: Frederik Armknecht Maxime Augier Joppe Bos Behnaz Bostanipour Jorge Guajardo Timo Kasper Thorsten Kleinjung Dag Arne Osvik Onur Ozen¨ Christine Priplata Juraj Sarinayˇ Colin Stahlke Robert Szerwinski Local organization: Martijn Stam, Ecole´ Polytechnique F´ed´eralede Lausanne, Switzerland Invited speakers: Peter Alfke, Xilinx, USA Shay Gueron, University of Haifa and Intel Corporation, Israel Contributors: Jean-Philippe Aumasson, FHNW, Switzerland Daniel V. Bailey, RSA, USA Brian Baldwin, University College Cork, Ireland Lejla Batina, Katholieke Universiteit Leuven, Belgium Daniel J. Bernstein, University of Illinois at Chicago, USA Peter Birkner, Technische Universiteit Eindhoven, Netherlands Joppe W. Bos, Ecole´ Polytechnique F´ed´eralede Lausanne, Switzerland Johannes Buchmann, Technische Universit¨atDarmstadt, Germany Hsueh-Chung Chen, National Taiwan University, Taiwan Ming-Shing Chen, Academia Sinica, Taiwan Chen-Mou Cheng, National Taiwan University, Taiwan Giacomo de Meulenaer, Universit´eCatholique de Louvain, Belgium Itai Dinur, Weizmann Institute, Israel Junfeng Fan, Katholieke Universiteit Leuven, Belgium Tim G¨uneysu,Ruhr-Universit¨atBochum, Germany Frank Gurkaynak, ETH Z¨urich, Switzerland Luca Henzen, ETH Z¨urich, Switzerland Jens Hermans, Katholieke Universiteit Leuven, Belgium Chun-Hung Hsiao, Academia Sinica, Taiwan Marcelo E. Kaihara, Ecole´ Polytechnique F´ed´eralede Lausanne, Switzerland Timo Kasper, Ruhr-Universit¨atBochum, Germany Thorsten Kleinjung, Ecole´ Polytechnique F´ed´eralede Lausanne, Switzerland Tanja Lange, Technische Universiteit Eindhoven, Netherlands Zong-Cing Lin, National Taiwan University, Taiwan Willi Meier, FHNW, Switzerland Nele Mentens, Katholieke Universiteit Leuven, Belgium Peter L. Montgomery, Microsoft Research, USA Ruben Niederhagen, RWTH Aachen, Germany Martin Novotn´y,Czech Technical University in Prague, Czech Republic Christof Paar, Ruhr-Universit¨atBochum, Germany Christiane Peters, Technische Universiteit Eindhoven, Netherlands Gerd Pfeiffer, Christian-Albrechts-University of Kiel, Germany Bart Preneel, Katholieke Universiteit Leuven, Belgium Francesco Regazzoni, Universit´eCatholique de Louvain, Belgium Manfred Schimmler, Christian-Albrechts-University of Kiel, Germany Michael Schneider, Technische Universit¨atDarmstadt, Germany Peter Schwabe, Technische Universiteit Eindhoven, Netherlands Igor Semaev, University of Bergen, Norway Adi Shamir, Weizmann Institute, Israel Leif Uhsadel, Katholieke Universiteit Leuven, Belgium Gauthier van Damme, Katholieke Universiteit Leuven, Belgium Frederik Vercauteren, Katholieke Universiteit Leuven, Belgium Bo-Yin Yang, Academia Sinica, Taiwan Program and table of contents: Wednesday September 9 16:00{16:30 Registration 16:30{16:35 Opening remarks 16:35{17:05 G¨uneysu, Pfeiffer, Paar, Schimmler: Three Years of Evolution: Cryptanalysis with COPACOBANA ......................... 1 17:05{17:35 Semaev: Sparse Boolean equations and circuit lattices . 17 17:35{17:45 Break 17:45{18:15 Bos, Kaihara, Montgomery: Pollard Rho on the PlayStation 3 . 35 18:15{18:45 Bailey, Baldwin, Batina, Bernstein, Birkner, Bos, van Damme, de Meulenaer, Fan, G¨uneysu,Gurkaynak, Kleinjung, Lange, Mentens, Paar, Regazzoni, Schwabe, Uhsadel: The Certicom Challenges ECC2-X ................................... 51 18:45{19:30 Apero 19:30{ Dinner at Restaurant Le Corbusier in the SG building Thursday September 10 09:00{10:00 Gueron (invited speaker): Intel's New AES and Carry-Less Multiplication Instructions|Applications and Implications . 83 10:00{10:30 Coffee break 10:30{11:00 Bernstein, Lange, Niederhagen, Peters, Schwabe: FSBday: Implementing Wagner's Generalized Birthday Attack against the SHA-3 round-1 candidate FSB ............................ 85 11:00{11:30 Bernstein: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? . 105 11:30{12:00 Hermans, Schneider, Buchmann, Vercauteren, Preneel: Shortest Lattice Vector Enumeration on Graphics Cards . 117 12:00{12:30 Bernstein, Chen, Chen, Cheng, Hsiao, Lange, Lin, Yang: The Billion-Mulmod-Per-Second PC . 131 12:30{14:30 Lunch 14:30{15:30 Alfke (invited speaker): Virtex-6 and Spartan-6, plus a Look into the Future .......................................... 145 15:30{16:00 Coffee break 16:00{16:30 Aumasson, Dinur, Henzen, Meier, Shamir: Efficient FPGA Implementations of High-Dimensional Cube Testers on the Stream Cipher Grain-128 .................................... 147 16:30{17:00 Novotn´y,Kasper: Cryptanalysis of KeeLoq with COPACOBANA ..................................... 159 17:00{17:10 Closing remarks Three Years of Evolution: Cryptanalysis with COPACOBANA Tim G¨uneysu1, Gerd Pfeiffer2, Christof Paar1, Manfred Schimmler2 1 Horst G¨ortz Institute for IT Security, Ruhr University Bochum, Germany {gueneysu,cpaar}@crypto.rub.de 2 Institute of Computer Science and Applied Mathematics, Faculty of Engineering, Christian-Albrechts-University of Kiel, Germany {gp,masch}@informatik.uni-kiel.de Abstract In this paper, we review three years of development and improvements on COPACOBANA, the probably most popular, reconfigurable cluster system dedicated to the task of cryptanal- ysis. Latest changes on the architecture involve modifications for larger and more powerful FPGA devices with dedicated 32 MB of external RAM and point-to-point communication links for improved data throughput. We outline how advanced cryptanalytic applications, such as Time-Memory Tradeoff (TMTO) attacks or attacks on asymmetric cryptosystems, can benefit from these new architectural improvements. 1 Introduction The security of symmetric and asymmetric ciphers is usually determined by the size of their security parameters, in particular the key-length. Hence, when designing a cryptosystem, these parameters need to be chosen according to the assumed computational capabilities of an at- tacker. Depending on the chosen security margin, many cryptosystems are potentially vulner- able to attacks when the attacker’s computational power increases unexpectedly. In real life, the limiting factor of an attacker is often the financial resources. Thus, it is quite crucial from a cryptographic point of view to not only investigate the complexity of an attack, but also to study possibilities to lower the cost-performance ratio of attack hardware. For instance, a cost-performance improvement of an attack machine by a factor of 1000 effectively reduces the key lengths of a symmetric cipher by roughly 10 bit (since 1000 210). Many cryptanalytical ≈ schemes spend their computations in independent operations, which allows for a high degree of parallelism. Such parallel functionality can be realized by individual hardware blocks that operate simultaneously, improving the running time of the overall computation by a perfect linear factor. At this point, it should be remarked that the high non-recurring engineering costs for ASICs have put most projects for building special-purpose hardware for cryptanalysis out of reach for commercial or research institutions. However, with the recent advent of low-cost programmable ICs which host vast amounts of logic resources, special-purpose cryptanalytical machines have now become a possibility outside government agencies. In this work we review the evolution of a special-purpose hardware system which provides a cost-performance that can be significantly better than that of recent PCs (e.g., for the exhaustive key search on DES). The hardware architecture of this Cost-Optimized Parallel Code Breaker (COPACOBANA) was initially introduced on the SHARCS and CHES workshops in 2006 [24, 25]. In this contribution we will describe further research on cryptanalytical applications over 1 SHARCS '09 Workshop Record G¨uneysu,Pfeiffer, Paar, Schimmler the last three years and ongoing improvements on the hardware to cope with new requirements of these advanced applications. The original prototype of the COPACOBANA cluster consists of up to 120 FPGA nodes which are connected by a shared bus providing an aggregate bandwidth of 1.6 Gbps on the backplane of the machine. COPACOBANA is not equipped with dedicated memory modules, but offers a limited number of RAM blocks inside each FPGA. Furthermore, COPACOBANA is connected to a host PC with a single interface to control all operations and provide a little amount of I/O data. In the following sections, we present cryptanalytic case studies for a large variety of attacks which all make use of the COPACOBANA cluster system. Examples for these case studies include exhaustive key search attacks on the Data Encryption Standard (DES) blockcipher and related systems (e.g., Norton Diskreet), the electronic passport as well as the GSM
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages172 Page
-
File Size-