appendix 11a mathematical basis of birthday attack hash ... · sha -256, sha384, sha512 broken;...
TRANSCRIPT
1
Hash functions & MACs
ECE 646 Lecture 9
1
W. Stallings, "Cryptography and Network-Security,”
Chapter 11 Cryptographic Hash Functions
Appendix 11A Mathematical Basis of Birthday Attack
Chapter 12 Message Authentication Codes
Required Reading
Recommended Reading
SHA-3 Projecthttps://csrc.nist.gov/projects/hash-functions/sha-3-project
2
Message
Hash function
Public keyalgorithm
AliceSignature
Alice’s private key
Bob
Hash function
Alice’s public key
Digital Signature
Hash value 1
Hash value 2
Hash value
Public key algorithm
yes no
Message Signature
3
Hash function
arbitrary length
message
hashfunction
hash valueh(m)
h
m
fixed length
4
2
Vocabulary
hash function
message digest
hash value
hash total
fingerprint
imprintcryptographic checksumcompressed encodingMDC, Message Digest Code
message digest
5
Hash functionsBasic requirements
1. Public description, NO key
2. Compression
arbitrary length input ® fixed length output
3. Ease of computation
6
Hash functionsSecurity requirements
1. Preimage resistance
It is computationally infeasible
Given To Find
y x, such thath(x) = y
2. 2nd preimage resistancex and y=h(x) x’ ¹ x, such that
h(x’) = h(x) = y
3. Collision resistance x’ ¹ x, such thath(x’) = h(x)
7
Hash functionsDependence between requirements
collision resistant
2nd preimage resistant
8
3
Hash functions(unkeyed)
OWHF CRHF
One-Way Hash Functions
Collision-Resistant Hash Functions
preimage resistance
2nd preimage resistance
collision resistance
9
Brute force attack against One-Way Hash Function
mi’
i=1..2n
2n messages with the contentsrequired by the forger
h
h(mi’) = y
n - bits
?
Given y
10
Creating multiple versions of the required message
I stateconfirm
thereby- that I
borrowedreceived
$10,000ten thousand dollars
fromMr.Dr.
KrisKrzysztof
Gaj on October 23,10 / 23 / 2019. This
moneysum of money
shouldis required to be returned
given back to Mr.Dr.
Gaj
by the4th
fourthday of December
Dec.2019.
11
Brute force attack against Collision Resistant Hash Function
Yuval
mi
h
n - bits
h(mi)
r messagesacceptable for the signer
mj’
h
n - bits
h(mj’)
r messagesrequired by the forger
h(mi) = h(mj’)
i=1..r j=1..r
12
4
Creating multiple versions of the required message
I stateconfirm
thereby- that I
borrowedreceived
$10,000ten thousand dollars
fromMr.Dr.
KrisKrzysztof
Gaj on October 23,10 / 23 / 2019. This
moneysum of money
shouldis required to be returned
given back to Mr.Dr.
Gaj
by the4th
fourthday of December
Dec.2019.
13
I stateconfirm
thereby- that on
borrowedreceived from
Mr.Dr.
KrisKrzysztof
on
October 23,10 / 23 /
2019
This textitem
shouldis required to be returned
given back to Mr.Dr.
Gaj
Message acceptable for the signer
I a papermanuscript
security of Electronic Voting.side-channel attacks for PQC.
by the4th
fourthday of December
Dec.2019.
14
Birthday paradox
How many students must be in a class so thatthere is a greater than 50% chance that
2. any two of the students share the samebirthday (up to the day and month)?
1. one of the students shares the teacher’s birthday (up to the day and month)?
15
Birthday paradox
How many students must be in a class so thatthere is a greater than 50% chance that
1. one of the students shares the teacher’s birthday (day and month)?
~ 366/2 = 183
2. any two of the students share the samebirthday (day and month)?
~Ö 366 » 19
16
5
Brute force attack against Collision Resistant Hash Function
Probability p that two different messages have thesame hash value:
p = 1 − exp (− r2
2n )
For r = 2n/2 p = 63%
17
Brute force attack against Collision Resistant Hash Function
Storage requirements
J.J. Quisquater
collision search algorithm
Number of operations: 2 Ö p/2 · 2n/2 » 2.5 · 2n/2
Storage: Negligible
18
Hash value size
Older algorithms (currently insecure):
Old standards:
One-Way Collision-Resistant
n ³ 648 bytes
n ³ 12816 bytes
n ³ 8010 bytes
n ³ 16020 bytes
Current standards (e.g., SHA-2, SHA-3):n = 128, 192, 25616, 24, 32 bytes
n = 256, 384, 51232, 48, 64 bytes
19
Hash function algorithms
Customized(dedicated)
Based onblock ciphers
Based onmodular arithmetic
MDC-2MDC-4
IBM, Brachtl, Meyer, Schilling, 1988
MASH-11988-1996
MD2Rivest 1988
MD4Rivest 1990
MD5Rivest 1990
SHA-0
SHA-1
RIPEMD
RIPEMD-160
European RACE Integrity Primitives Evaluation Project, 1992
NSA, 1992
NSA, 1995
SHA-256, SHA-384, SHA-512 NSA, 2000
20
6
Attacks against dedicated hash functionsknown by 2004
MD2
MD4
MD5 SHA-0
SHA-1
RIPEMD
RIPEMD-160
partially broken
broken, H. Dobbertin, 1995(one hour on PC, 20 free bytes at the start of the message)
partially broken,collisions for the compression function,Dobbertin, 1996(10 hours on PC)
weakness discovered, 1995 NSA,1998 France
reduced round version broken, Dobbertin 1995
SHA-256, SHA-384, SHA-512
21
MD4
MD5SHA-0
SHA-1
RIPEMD
RIPEMD-160
SHA-256, SHA-384, SHA-512
broken;Wang, Feng, Lai, YuCrypto 2004(1 hr on a PC)
attack with240 operationsCrypto 2004
What was discovered in 2004-2005?broken;Wang, Feng, Lai, Yu, Crypto 2004(manually, without using a computer)
broken;Wang, Feng, Lai, Yu, Crypto 2004(manully, withoutusing a computer)
attack with263 operationsWang, Yin, Yu, Aug 2005
22
263 operationsSchneier, 2005
In hardware:
Machine similar to the one used to break DES:
Cost = $50,000-$70,000 Time: 18 daysorCost = $0.9-$1.26M Time: 24 hours
In software:
Computer network similar to distributed.netused to break DES (~331,252 computers) :
Cost = ~ $0 Time: 7 months
23
Recommendations of NIST (1)NIST Brief Comments on Recent Cryptanalytic Attacks on SHA-1
Feb 2005
The new attack is applicable primarilyto the use of hash functions in digital signatures.
In many cases applications of digital signatures introduce additional context information,which may make attacks impracticle.
Other applications of hash functions,such as Message Authentication Codes (MACs), are not threatened by the new attacks.
24
7
NIST was already earlier planning to withdraw SHA-1 in favor of SHA-224, SHA-256, SHA-384 & SHA-512by 2010.
New implementations should use new hash functions.
NIST encourages government agancies to develop plansfor gradually moving towards new hash functions,taking into account the sensitivity of the systemswhen setting the timetables.
Recommendations of NIST (2)
25
SHA-3 Contest Timeline2007
• publication of requirements• 29.X. 2007: request for candidates
2008• 31.X.2008: deadline for submitting candidates• 9.XII.2008: announcement of 51 candidates accepted for Round 1
2009• 25-28.II.2009: 1st SHA-3 Candidate Conference, Leuven, Belgium• 24.VII.2009: 14 Round 2 candidates announced
2010• 23-24.VIII.2010: 2nd SHA-3 Candidate Conference, Santa Barbara, CA• 9.XII.2010: 5 Round 3 candidates announced
2012• 22-23.III.2012: 3rd SHA-3 Candidate Conference, Washington, D.C.• 2.X.2012: selection of the winner
2014: • 28.V.2014: draft version of the standard published
2015: • 5.VIII.2015: final version of the standard published
26
Number of Submissions
• Number of submissions received by NIST: 64
• Number of submissions publicly available: 56
• Number of submissions qualified to the first round: 51
27
Basic Requirements for a new hash function
• Must support hash values of224, 256, 384 and 512 bits
• Available worldwide without licensing fees• Secure over tens of years• Suitable for use in
- digital signatures FIPS 186- message authentication codes, HMAC, FIPS 198- key agreement schemes, SP 800-56A- random number generators, SP 800-90
• At least the same security level as SHA-2 with increased efficiency
28
8
SHA-3 Contest: 2008-2012
29
51candidates
Round 114 5
Round 3
Jul. 2009 Dec. 2010 Oct. 2012
Oct. 2008
Round 21
Hardware benchmarking
Security Analysis & Software Benchmarking
29
FPGA Benchmarking of Round 2 Candidates
30
Marcin Rogawski
Designers:
EkawatHomsirikamol
(“Ice”)
Altera Xilinx
Technology Low-cost High-performance
Low-cost High-performance
90 nm Cyclone II Stratix II Spartan 3 Virtex 4
65 nm Cyclone III Stratix III Virtex 5
Designers:
30
ATHENa – Automated Tool for Hardware EvaluatioN
31
FPL Community Award 2010Milan, Italy, Sep. 2010
• Open-source• Written in Perl• Developed 2009-2012• Automated search for optimal
§ Options of tools§ Target frequency§ Starting placement point
• Supporting Xilinx ISE& Altera Quartus
Image of Athena Goddess courtesy of Carolyn Angus
31
ATHENa Inputs/Outputs
32
synthesizable source files
configuration files
testbench
result summary (human-friendly)
database entries (machine- friendly)
OR
32
9
ATHENa Database of Results
33
http://cryptography.gmu.edu/athenadb
33
ATHENa Gains
34
0
0.5
1
1.5
2
2.5
3AreaThrThr/Area
Ratios of results obtained using ATHENa suggested optionsvs. default options of FPGA tools
34
ATHENa Gains
35
old days…
“working” with ATHENa…
35
Why ATHENa?
36
"The Greek goddess Athena was frequently called upon to settle disputes between the gods or various mortals. Athena Goddess of Wisdom was known for her superb logic and intellect. Her decisions were usually well-considered, highly ethical, and seldom motivated by self-interest.”
from "Athena, Greek Goddess of Wisdom and Craftsmanship"
36
10
SHA-3 Round 2 Results: 14 candidates
37
Throughput vs. Area: Normalized to Results for SHA-2 and Averaged over 7 FPGA Families
Area
Throughput
Best: Fast & Small
Worst: Slow & Big
37
Research: Multiple Architectures
38
• datapath width = state size • two clock cycles per one
round/step
Typically Throughput/Area ratio increases
Throughput
AreaA
Th x1/2(h)
Horizontal Folding /2(h)
38
Research: Design Space Exploration
39Results for BLAKE
39
Research: Design Space Exploration
40
All Final SHA-3 Candidates (Keccak, SHA-2, JH, BLAKE, Groestl) & the old standard SHA-2
40
11
Research: FPGA vs. ASIC
41
• ASIC developed in collaboration with ETH Zurich
• standard-cell CMOS 65nm UMC process
• 6 GMU implementations 6 ETH Zurich implementations
• Taped-out in Oct. 2011,successfully testedin Feb. 2012
• Results reported at the 3rd SHA-3 Candidate Conference in Washington D.C. in Mar. 2012
41
Research: FPGA vs. ASIC
42
ASIC Stratix III FPGA
42
Results Relative to SHA-2
43
2.830.79 4.002.001.411.000.500.350.25
43
Hash functionsApplications (1)
1. Digital Signatures
Advantages1. Shorter signature2. Much faster computations3. Larger resistance to manipulation(one block instead of several blocks of signature)
4. Resistance to the multiplicative attacks
5. Avoids problems with different sizes of thesender and the receiver moduli
44
12
Hash functionsApplications (2)
2. Fingerprint of a program or a document(e.g., to detect a modification by a virusor an intruder)
program
hash
fingerprintoriginal_fingerprint
safe place
=?
45
Hash functionsApplications (3)
3. Storing passwords
password
hash
hash(password)
Instead of:
ID, password
System stores:
ID, hash(password)
46
UNIX password scheme
password
password
password
. . . .
“00000000”
hash(password, salt)
DES
DES
DES
salt
salt
salt
ID, salt, hash(password, salt)
salt modifies the expansion function E
of DES
47
Hash functionsApplications (4)
4. Fast encryption
PRNG
ki
mi ci
k0 = hash(KAB || IV )k1 = hash(KAB || k0). . . . . . . . . . . . . . . . .kn = hash(KAB || kn-1)
ork0 = hash(KAB || IV)k1 = hash(KAB || c0). . . . . . . . . . . . . . . . .kn = hash(KAB || cn-1)
48
13
General scheme for constructing a secure hash function
Message m
Padding, appending bit length, M
M1
IVH0 H1 H2
f f . . .Ht
compressionfunction
output transformation
h(m)g
M2 Mt. . .
49
Merkle-Damgard Scheme
50
Parameters of the Merkle-Damgard Scheme
H0 = IVHi = f(Hi-1, Mi)h(m) = g(Ht)
f
Compressionfunction r
n n
Entire hash
Hi-1 Hi
Mi In SHA-1n=160r=512
In SHA-256n=256r=512
In SHA-512n=512r=1024
51
Sponge Scheme
52
14
Hash padding – SHA-1 & SHA-256
message 100000000000 length
lengthof the entire
message in bits
X X X 0 0 0 0 0
64-bits
All zero padding:
X X X 0 0 0 0 0
Correct padding:X X X 0 0 1 0 0X X X 1 0 0 0 0
53
Hash padding – SHA-3 Candidates
BLAKE256 len641000 . . . 0001
#blocksGrøstl 1000 . . . 0000
1000 . . . 0001JH42 len128
1000 . . . 0001Keccak
Skein 0000 . . . 0000
len641000 . . . 0000SHA−2 (256)
CounterPaddingMinimumPaddingData
D
D
D
D
D
D
CPMD
54
SHA-1 SHA-256 SHA-384 SHA-512
Size of hash 160 256 384 512valueComplexity of 280 2128 2192 2256
the birthdayattackEquivalently secure Skipjack AES-128 AES-192 AES-256secret-key cipherMessage size < 264 < 264 < 2128 < 2128
Parameters of new hash functionsFeatures affecting security and functionality
55
Message block 512 512 1024 1024sizeNumber of 80 64 80 80digest rounds
SHA-1 SHA-256 SHA-384 SHA-512
Parameters of new hash functionsFeatures affecting implementation speed
56
15
SHA-512, SHA-384
SHA-256
SHA-1
Speed
Area
Hardware implementationsConceptual comparison
57
0
100
200
300
400
500
600
700
462
616
Speed in hardware [Mbit/s]
SHA-1 SHA-512
Results of the prototype FPGA implementation
Complexityof the best attack 280 2256
Skipjack AES-256the same as
GMU, 2002
58
Hash functions20 years ago Present
U.S. Government standards:
SHA-1
Other popular hash functions:
MD5, RIPEMD
Security status:
MD4 broken (1995)SHA-1 replaced SHA-0 (1995)MD5 partially broken
(collisions in compressionfunction, 1996)
U.S. Government standards:
SHA-1,SHA-224, SHA-256, SHA-384, SHA-512SHA-3
Other popular hash functions:
Whirlpool – winner of NESSIE
Security status:
MD5 broken (1 hr on PC)SHA-0 brokenRIPEMD broken
(without a need for computer)SHA-1 practically broken,
best attack – 263 operations –only 128 x more than breaking DES
59
Hash functionsTimeline
1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006
U.S. Government standards:
Contests:
Attacks:
II. 2003SHA-1
SHA-256, 384, 512SHA-224
NESSIE
I. 2000 XII. 2002SHA-256, SHA-384, SHA-512,Whirlpool
VIII. 1998MD5 – collisionsfor compressionfunction,10 hrs on PC
VIII. 2004broken:MD4, MD5, SHA-0,RIPEMD
FIPS 180-2FIPS 180-2
II. 2004
FIPS 180-2FIPS 180
SHA-0 – attackwith 261 operations II-VIII. 2005
attack on SHA-1269®263 operations
60
16
Message
Secret keyalgorithm
AliceMAC
Secret key of Alice and Bob
Bob
Secret keyalgorithm
Authentication
MAC’
MAC
yes no
Message MAC
Secret key of Alice and Bob
KAB KAB
61
MAC - Message Autentication Codes(keyed hash functions)
arbitrary length
message
MACfunction
MAC
m
fixed length
secret keyK
62
MAC functionsBasic requirements
1. Public description, SECRET key parameter
2. Compression
arbitrary length input ® fixed length output
3. Ease of computation
63
MAC functionsSecurity requirements
Given zero or more pairs
mi, MACK(mi) i = 1..k
it is computationally impossible to find any new pair
m’, MACK(m’)
Such thatm’ ¹mi i = 1..k
64
17
MAC functionsSecurity requirements
Resistance against
1. Known-text attack
2. Chosen-text attack
3. Adaptive chosen-text attack
65
CBC-MAC (1)
E
K
m1
E
K
m2
. . . .
E
K
mt
0
H1 H2
Ht
Ht-1
D
E
K’
K
MAC
MAC
FIPS-113
66
CBC-MAC (1)
H0 = IV = 0Hi = DESK(mi Å Hi-1) i = 1..t
MAC(m) = Ht[1..32]orMAC(m) = EK(EK’-1(Ht))[1..32]
67
MAC functions
Based onblock ciphers
CBC-MACCFB-MACRIPE-MACCMAC
HMACMD5-MAC
MAA CRC-MAC
DedicatedBased on
hashfunctions
Based on stream
ciphers
68
18
CMAC
69
RIPE-MAC
Hi = DESK(mi Å Hi-1) Å mi i = 1..t
MAC(m) = EK(EK’-1(Ht))[0..31]
H0 = IV = 0
K’ = K Å 0xf0f0…f0
70
HMAC
HMAC(m) = h(K Å ipad || h(K Å opad || m))
Bellare, Canetti, Krawczyk, 1996
ipad, opad - constant padding strings of the length of themessage block size in the hash function h
Used in SSL and IPSec
ipad = repetitions of 0x36 = 00110110opad = repetitions of 0x5A = 01011010
71
=
Å
=
Å
KEY
KEY
ipad
opad
KEY’
KEY”
h
h
message m
HMAC
HMAC
• American standardFIPS 198
• Arbitrary hash function and key size
72
19
Message Authentication Codes - MACs20 years ago Present
U.S. Government standards:
MAC (DAC) based on DES(since 1985)
Other MACs in use:
RIPE-MAC3, CRC-MAC, MAA
U.S. Government standards:
HMAC – based on hash functionsused in SSL and IPSec
CMAC – block cipher mode (AES, Triple DES, Skipjack)
Other MACs in use:
UMAC, TTMAC, EMAC– winners of the NESSIE contest
73
NESSIE: Winners of the contest: 2002Message Authentication Codes, MACs
1. UMAC UC Davis2. TTMAC K.U. Leuven3. EMAC U. of Toronto4. HMAC NIST & NSA
Name Origin
Security level Key size Output width
highnormal
³ 256
³ 128
32×k32×k
74
Message Authentication CodesTimeline
1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006
U.S. standards:
Contests:
Attacks:
V. 2005III. 2002
MAC (DAC)HMAC
RMAC – practical attackagainst MAC proposedby NIST and based onTriple DES
2002
SP 800-38CCMAC
FIPS 113 (based on DES)
NESSIEContest winners:UMAC, TTMAC, EMAC
FIPS 198 (based on hash functions)withdrawn in 2008
75
Message
Bob
Tag
Alice
Confidentiality & AuthenticationAuthenticated Ciphers
KAB KABAuthenticatedCipher
Encryption
N
CiphertextN
TagCiphertextN
Message
AuthenticatedCipher
Decryption
invalid
KAB - Secret key of Alice and BobN – Nonce or Initialization Vector
or
76
20
Confidentiality & AuthenticationAuthenticated Ciphers
or
Key
TagNpub AD CiphertextNsecEnc
Key
Encryption
Npub Nsec AD Message
Npub AD CiphertextNsecEnc Tag Nsec AD MessageInvalid
Decryption
Npub - Public Message NumberNsec - Secret Message NumberEnc Nsec - Encrypted Secret Message NumberAD - Associated DataKAB - Secret key of Alice and Bob
KAB KAB
77
Examples of Most Commonly UsedAuthenticated Ciphers
• AES-GCM• AES-OCB3• AES-OCB• AES-CCM• AES-EAX
78
CAESARContest
2013-2019
79
Cryptographic Standard Contests
time97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17
AES
NESSIE
CRYPTREC
eSTREAM
SHA-3
34 stream 4 HW winnersciphers ® + 4 SW winners
51 hash functions ® 1 winner
15 block ciphers ® 1 winnerIX.1997 X.2000
I.2000 XII.2002
IV.2008
X.2007 X.2012
XI.2004
CAESARI.2013
57 authenticated ciphers ® multiple winnersII.2019
80
21
Evaluation of Candidates in Cryptographic Contests
Year07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22
SHA-3
51 hash functions ® 1 winnerX.2007 X.2012
CAESARI.2013
57 authenticated ciphers ® multiple winners
II.2019
56 Lightweight authenticated ciphers & hash functions
VIII.2018Lightweight
Cryptography
TBD
Completed
In progressX.2012X.2012
8182
Evaluation Criteria
Security
Software Efficiency Hardware Efficiency
Simplicity
FPGAs ASICs
Flexibility Licensing
µProcessors µControllers
82
CAESAR Contest: 2015-2018
83
57candidates
Round 1
29 15
Round 3
Jul. 2015 Aug. 2016
Mar. 2014
Round 2
Hardware benchmarking
Security Analysis & Software Benchmarking
6
Mar. 2018
Round 4
Final Portfolio
Feb. 2019
7
83
CAESAR Major Challenges
84
Fairness Number of Candidates
84
22
CAESAR Hardware API
85
1. Minimum Compliance Criteria
• Encryption, decryption, key scheduling• Padding• Maximum size of message & AD• Permitted data port widths, etc.
3. Communication Protocol
2. Interface 4. Timing Characteristics
Proposed by GMU in Feb. 2016, approved by the CAESAR Committee in May 2016
85
CAESAR Development Package
86
Universal Testbench (VHDL)
Test Vector Generator (Python)
Code Common for All Candidates (VHDL)
86
VHDL/Verilog Code Submitters
87
1. CCRG NTU (Nanyang Technological University) Singapore –ACORN, AEGIS, JAMBU, & MORUS
2. CLOC-SILC Team, Japan – CLOC & SILC3. Ketje-Keyak Team – Ketje & Keyak4. Lab Hubert Curien, St. Etienne, France – ELmD & TriviA-ck5. Axel Y. Poschmann and Marc Stöttinger – Deoxys & Joltik6. NEC Japan – AES-OTR7. IAIK TU Graz, Austria – Ascon8. DS Radboud University Nijmegen, Netherlands – HS1-SIV9. IIS ETH Zurich, Switzerland – NORX10.Pi-Cipher Team – Pi-Cipher11.EmSec RUB, Germany – POET12.CG UCL, INRIA – SCREAM13.Shanghai Jiao Tong University, China – SHELL
13 Design Groups, 19 CAESAR Round 2 Candidates
87
VHDL/Verilog Code Submitters
88
“Ice” HomsirikamolAES-GCM, AEZ,Ascon, Deoxys, HS1-SIV, ICEPOLE, Joltik, NORX, OCB,PAEQ, Pi-Cipher, STRIBOB
Will Diehl
AhmedFerozpuriPRIMATEs-GIBBON &HANUMAN,PAEQ
Farnoud FarahmandAES-COPACLOC
Mike X.LyonsTriviA-ck
MinalpherOMDPOETSCREAM
GMU alone, 19 Candidate Families + AES-GCM
88
23
89
CAESAR Contest: Impact
75 unique open-source designsCovering the majority of primary variants of 28 out of 29 Round 2 Candidate Families (all except Tiaoxin)High-speed implementation of AES-GCM (baseline)
The biggest and the earliest hardware benchmarking effort in the history of cryptographic competitions
89
Percentage of Candidates in Hardware
90
Initial numberof candidates
15
34
51
57
AES
eSTREAM
SHA-3
CAESAR
Implementedin hardware
5
8
14
28
Percentage
33.3%
23.5%
27.5%
49.1%
90
91
CAESAR Contest: Results for Round 2
Relative (w.r.t. AES-GCM) Throughput in Virtex 6
Throughput of AES-GCM = 3239 Mbit/s
E – Throughput for EncryptionD – Throughput for DecryptionA – Throughput for Authentication OnlyDefault: Throughput the same for all 3 operations
Red – algorithms qualified to Round 3
14-16x better than the current standard
Why the slowest?
9192
CAESAR Contest: Results for Round 2
Throughput/Area of AES-GCM = 1.020 (Mbit/s)/LUTs
E – Throughput/Area for EncryptionD – Throughput/Area for DecryptionA – Throughput/Area for Authentication OnlyDefault: Throughput/Area the same for all 3 operations
Red – algorithms qualified to Round 3
Relative (w.r.t. AES-GCM) Throughput/Area in Virtex 6
Team Keccak
92
24
93
Use Case: Lightweight applications(resource constrained environments)
Side-Channel Analysis Resistance
Will Diehl(co-advised with Jens-Peter Kaps)
• critical: fits into small hardware area and/or small code for 8-bit CPUs
• desirable: ability to protect against side-channel attacks (e.g., power attacks)
t-test using low-costFOBOS environmentdeveloped by CERG
9394
Unprotected Lightweight Implementations
Best:ACORNJAMBU-SIMON
Worst:CLOC-AESSILC-AES
Side-Channel Analysis – Preliminary Results
Best: Fast & Small
Worst: Slow & Big
x
94
Side-Channel Analysis – Preliminary Results
95
Protected Lightweight Implementations On Average:Area: x2.7Thr: x1.8Thr/Area: x5.4Best:ACORNJAMBU-SIMON
Worst:CLOC-TWINECLOC-AES
95
Presentation of Prof. D. Bernstein at the Rump Session of the Fast Software Encryption conference, March 2018
96