Algorithms, key size and parameters report – 2014 November, 2014 European Union Agency for Network and Information Security www.enisa.europa.eu Algorithms, key size and parameters report – 2014 November, 2014 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors Contributors to this report: This work was commissioned by ENISA under contract ENISA D-COD-14-TO9 (under F-COD-13-C23) to the consortium formed by K.U.Leuven (BE) and University of Bristol (UK). Contributors: Nigel P. Smart (University of Bristol), Vincent Rijmen (KU Leuven), Benedikt Gierlichs (KU Leuven), Kenneth G. Paterson (Royal Holloway, University of London), Martijn Stam (University of Bristol), Bogdan Warinschi (University of Bristol), Gaven Watson (University of Bristol). Editor: Nigel P. Smart (University of Bristol). ENISA Project Manager: Rodica Tirtea. Agreements of Acknowledgements We would like to extend our gratitude to: External Reviewers: Michel Abdalla (ENS Paris), Kenneth G. Paterson (Royal Holloway, University of London), Ahmad-Reza Sadeghi (T.U. Darmstadt), Michael Ward (Mastercard) for their comments suggestions and feedback. We also thank a number of people for providing anonymous input and Cas Cremers (Oxford University) and Hugo Krawczyk (IBM) for detailed comments on various aspects. Contact For contacting the authors please use [email protected]. For media enquires about this paper, please use [email protected]. Page ii Algorithms, key size and parameters report – 2014 November, 2014 Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Copyright Notice © European Union Agency for Network and Information Security (ENISA), 2014 Reproduction is authorised provided the source is acknowledged. Catalogue number TP-05-14-084-EN-N ISBN 978-92-9204-102-1 DOI 10.2824/36822 Page iii Algorithms, key size and parameters report – 2014 November, 2014 Catalogue Number Catalogue (IF APPLICABLE) (IF doi: xx.xxxx/xxxxx REMOVE If not applicable Page 1 Algorithms, Key Size and Parameters Report Contents 1 Executive Summary 9 2 How to Read this Document 11 2.1 Understanding Terminology and Structure . 13 2.2 Making a Decision . 14 2.2.1 Public key signatures . 14 2.2.2 Public key encryption . 15 2.3 Comparison to Other Documents . 16 2.4 Open Issues and Areas Not Covered . 17 3 Primitives 20 3.1 Comparison . 20 3.2 Block Ciphers . 22 3.2.1 Future Use Block Ciphers . 23 3.2.2 Legacy Block Ciphers . 24 3.2.3 Historical (non-endorsed) Block Ciphers . 25 3.3 Hash Functions . 25 3.3.1 Future Use Hash Functions . 25 3.3.2 Legacy Hash Functions . 27 3.3.3 Historical (non-endorsed) Hash Functions . 27 3.4 Stream Ciphers . 28 3.4.1 Future Use Stream Ciphers . 28 3.4.2 Legacy Stream Ciphers . 30 3.4.3 Historical (non-endorsed) Stream Ciphers . 31 3.5 Public Key Primitives . 31 3.5.1 Factoring . 32 3.5.2 Discrete Logarithms . 33 3.5.3 Pairings . 35 3.6 Key Size Analysis . 36 Page: 1 Algorithms, Key Size and Parameters Report 4 Basic Cryptographic Schemes 38 4.1 Block Cipher Basic Modes of Operation . 39 4.1.1 ECB . 39 4.1.2 CBC . 40 4.1.3 OFB . 41 4.1.4 CFB . 41 4.1.5 CTR . 41 4.1.6 XTS . 41 4.1.7 EME . 42 4.2 Message Authentication Codes . 42 4.2.1 Block Cipher Based MACs . 43 4.2.2 Hash Function Based MACs . 44 4.2.3 MACs Based on Universal Hash functions . 45 4.3 Authenticated Encryption (with Associated Data) . 46 4.3.1 Generic Composition (Encrypt-then-MAC) . 46 4.3.2 OCB . 47 4.3.3 CCM . 47 4.3.4 EAX . 47 4.3.5 CWC . 47 4.3.6 GCM . 48 4.4 Key Derivation Functions . 48 4.4.1 NIST-800-108-KDF . 49 4.4.2 X9.63-KDF . 49 4.4.3 NIST-800-56-KDFs . 50 4.4.4 HKDF, IKE-v1-KDF and IKE-v2-KDF . 50 4.4.5 TLS-KDF . 50 4.5 Generalities on Public Key Schemes . 50 4.6 Public Key Encryption . 51 4.6.1 RSA-PKCS# 1 v1.5 . 51 4.6.2 RSA-OAEP . 52 4.7 Hybrid Encryption . 52 4.7.1 RSA-KEM . 53 4.7.2 PSEC-KEM . 53 4.7.3 ECIES-KEM . 53 4.8 Public Key Signatures . 54 4.8.1 RSA-PKCS# 1 v1.5 . 54 4.8.2 RSA-PSS . 54 4.8.3 RSA-FDH . 54 4.8.4 ISO 9796-2 RSA Based Mechanisms . 54 4.8.5 (EC)DSA . 55 Page: 2 Algorithms, Key Size and Parameters Report 4.8.6 PV Signatures . 55 4.8.7 (EC)Schnorr . 56 5 Advanced Cryptographic Schemes 57 5.1 Password-Based Key Derivation . 58 5.1.1 PBKDF2 . 58 5.1.2 bcrypt . 58 5.1.3 scrypt . 59 5.2 Key Wrap Algorithms . 59 5.2.1 KW and TKW . 59 5.2.2 KWP . 60 5.2.3 AESKW and TDKW . 60 5.2.4 AKW1 . 60 5.2.5 AKW2 . 60 5.2.6 SIV . 60 5.3 Encrypted Storage . 61 5.4 Identity Based Encryption/KEMs . 61 5.4.1 BF . 61 5.4.2 BB . ..