Federal standards NIST FIPS 46-1 DES FIPS 46-2 DES. FIPS 81 Modes of. operation. FIPS 46-3 Triple DES FIPS 197 AES. industry.

Transcription

1 ECE 646 Lecture 12 Federal Secret- cryptography Banking International Cryptographic Standards NIST FIPS 46-1 DES FIPS 46-2 DES FIPS 81 Modes of operation FIPS 46-3 Triple DES FIPS 197 AES X3.92 DES ANSI X3.106 DES modes of operation X9.52 Modes of operation of Triple DES Modes of operation of an n-bit cipher /IEC AES, Camellia, SEED, TDEA, MISTY1, CAST-128, MUGI, SNOW NIST FIPS National Institute of Standards and Technology Federal Information Processing Standards American Federal Standards Required in the government institutions Original algorithms developed in cooperation with the National Security Agency (NSA), and algorithms developed in the open research adapted and approved by NIST. unofficial industry RSA Labs PKCS PKCS Public-Key Cryptography Standards industry IEEE P1363 bank ANSI ANSI X9 international federal NIST FIPS PKCS Public-Key Cryptography Standards Informal Industry Standards developed by RSA Laboratories in cooperation with Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell, Sun First, except PGP, formal specification of RSA and formats of messages. IEEE P1363 Working group of IEEE including representatives of major cryptographic companies and university centers from USA, Canada and other countries Part of the Microprocessors Standards Committee Modern, open style Quarterly meetings + multiple teleconferences + + discussion list + very informative web page with the draft versions of

2 IEEE P1363 Combined standard including the majority of modern public cryptography Several algorithms for implementation of the same function Tool for constructing other, more specific Specific applications or implementations may determine a profile (subset) of the standard ANSI X9 American National Standards Institute Work in the subcommittee X9F developing for financial institutions Standards for the wholesale (e.g., interbank) and retail transactions (np. bank machines, smart card readers) ANSI represents U.S.A. in International Organization for Standardization International Common with IEC - International Electrotechnical Commission /IEC JTC1 SC 27 Joint Technical Committee 1, Subcommitte 27 Full members: Australia, Belgium, Brazil, Canada, China, Denmark, Finland, France, Germany, Italy, Japan, Korea, Holland, Norway, Poland, Russia, Spain, Sweden, Switzerland, UK, USA : International Organization for Standardization Long and laborious process of the standard development Minimum 3 years Study period NP - New Proposal WD - Working Draft CD - Committee Draft DIS - Draft International Standard IS - International Standard Review of the standard after 5 years = ratification, corrections or revocation Public- Cryptography Standards IEEE P unofficial industry RSA Labs PKCS PKCS industry IEEE P1363 bank ANSI ANSI X9 international federal Factorization RSA with OAEP RSA & R-W with or 9796 Discrete DSA, NR with 9796 Elliptic curve EC-DSA, EC-NR with 9796 NIST FIPS DH1 DH2 and MQV EC-DH1, EC-DH2 and EC-MQV

3 IEEE P1363a-2004 IEEE P1363a Factorization Discrete Elliptic curve factorization elliptic curve RSA with OAEP RSA with OAEP RSA & R-W with or 9796 DSA, NR with EC-DSA, EC-NR with 9796 RSA & R-W with or 9796 DSA, NR with EC-DSA, EC-NR with 9796 DH1 DH2 & MQV EC-DH1 EC-DH2 & EC-MQV DH1 DH2 & MQV EC-DH1 EC-DH2 & EC-MQV ANSI X9 Standards Industry - PKCS factorization elliptic curve factorization elliptic curve X9.44 RSA PKCS #1 RSA PKCS #13 X9.31 (RSA & R-W) X9.30 DSA X9.62 EC-DSA PKCS #1 (RSA & R-W) PKCS #13 EC-DSA X9.42 DH1, DH2, MQV X9.63 EC-DH1, 2 EC-MQV PKCS #2 DH PKCS #13 EC-DH1, 2 EC-MQV NIST - FIPS International factorization elliptic curve factorization elliptic curve FIPS RSA FIPS DSA FIPS EC-DSA

4 IX.1997 X.2000 AES Cryptographic Standard Contests NESSIE I.2000 XII.2002 CRYPTREC 34 stream 4 HW winners ciphers + 4 SW winners 15 block ciphers 1 winner XI.2004 estream 51 hash functions 1 winner V.2008 XI.2007 X.2012 SHA-3 57 authenticated ciphers multiple winners IV.2013 XII.2017 CAESAR Why a Contest for a Cryptographic Standard? Avoid back-door theories Speed-up the acceptance of the standard Stimulate non-classified research on methods of designing a specific cryptographic transformation Focus the effort of a relatively small cryptographic community time Cryptographic Contests - Evaluation Criteria Security Software Efficiency Hardware Efficiency µprocessors µcontrollers ASICs FPGAs Flexibility Simplicity Licensing Specific Challenges of Evaluations in Cryptographic Contests Very wide range of possible applications, and as a result performance and cost targets speed: cost: tens of Mbits/s to hundreds Gbits/s single cents to thousands of dollars Winner in use for the next years, implemented using technologies not in existence today Large number of candidates Limited time for evaluation The results are final 21 Mitigating Circumstances Performance of competing algorithms tend to very significantly (sometimes as much as 500 times) Only relatively large differences in performance matter (typically at least 20%) Multiple groups independently implement the same algorithms (catching mistakes, comparing best results, etc.) Second best may be good enough AES Contest

5 Each team submits Rules of the Contest AES: Candidate Algorithms Detailed cipher specification Source code in C Justification of design decisions Source code in Java Tentative results of cryptanalysis Test vectors Canada: CAST-256 Deal USA: Mars Safer+ HPC Costa Rica: Frog Germany: Magenta Belgium: France: DFC Israel, UK, Norway: Korea: Crypton Japan: E2 1 Australia: LOKI97 June 1998 AES Contest Timeline 15 Candidates CAST-256, Crypton, Deal, DFC, E2, Frog, HPC, LOKI97, Magenta, Mars,,, Safer+,,, August 1999 October final candidates Mars,, (USA), (Europe) 1 winner: Belgium Round 1 Security Software efficiency Round 2 Security Software efficiency Hardware efficiency NIST Report: Security & Simplicity Security High MARS Adequate Complex Simple Simplicity Efficiency in software: NIST-specified platform 200 MHz Pentium Pro, Borland C++ Throughput [Mbits/s] 128-bit 192-bit bit Mars high medium low NIST Report: Software Efficiency Encryption and Decryption Speed 32-bit processors Mars 64-bit processors Mars DSPs Mars

6 Throughput [Mbit/s] x8 Efficiency in FPGAs: Speed 353 Xilinx Virtex XCV George Mason University University of Southern California Worcester Polytechnic Institute 149 Mars x Efficiency in ASICs: Speed MOSIS 0.5µm, NSA Group Throughput [Mbit/s] bit scheduling in-1 (128, 192, 256 bit) scheduling Mars x Results for ASICs matched very well results for FPGAs, and were both very different than software FPGA Lessons Learned x8 ASIC Lessons Learned Hardware results matter! Final round of the AES Contest, 2000 Speed in FPGAs Votes at the AES 3 conference GMU results x1 x1 GMU+USC, Xilinx Virtex XCV-1000 NSA Team, ASIC, 0.5µm MOSIS fastest in hardware, slowest in software NIST SHA-3 Contest - Timeline SHA-3 Contest candidates Oct Round 1 Round 2 Round July 2009 Dec Oct. 2012

7 Performance Metrics Primary Secondary SHA-3 Round 2 1. Throughput 3. Throughput / Area 2. Area 4. Hash Time for Short Messages (up to 1000 bits) Overall Normalized Throughput: 256-bit variants of algorithms Normalized to SHA-256, Averaged over 10 FPGA families Keccak ECHO Luffa Groestl BMW JH CubeHash Fugue SHAvite-3 Hamsi SIMD BLAKE Skein Shabal 39 BLAKE BMW CubeHash ECHO Fugue Groestl Hamsi JH Keccak Luffa Shabal SHAvite-3 SIMD Skein 256-bit variants 512-bit variants Thr/Area Thr Area Short msg. Thr/Area Thr Area Short msg. 40 SHA-3 Contest Finalists SHA-3 Round 3 41

8 Benchmarking of the SHA-3 Finalists by CERG GMU BLAKE-256 in Virtex 5 6 algorithms (BLAKE, Groestl, JH, Keccak, Skein, SHA-2) 2 variants (with a 256-bit and a 512-bit output) 7 to 12 different architectures per algorithm 4 modern FPGA families (Virtex 5, Virtex 6, Stratix III, Stratix IV) Total: ~ 120 designs ~ 600+ results 43 x1 basic iterative architecture /k(h) horizontal folding by a factor of k xk unrolling by a factor of k /k(v) vertical folding by a factor of k xk-ppln unrolling by a factor of k with n pipeline stages bit variants in Virtex bit variants in Virtex bit variants in 4 high-performance FPGA families 512-bit variants in 4 high-performance FPGA families 47 48

9 GMU/ETH Zurich ASIC SHA-3 in ASICs standard-cell CMOS 65nm UMC ASIC process 256-bit variants of algorithms Taped-out in Oct. 2011, successfully tested in Feb Correlation Between ASIC Results and FPGA Results Correlation Between ASIC Results and FPGA Results ASIC Stratix III FPGA ASIC Stratix III FPGA Authenticated Ciphers Bob Alice IV Message IV Ciphertext Tag CAESAR Contest K AB Authenticated Cipher K AB Authenticated Cipher valid IV Ciphertext Tag Message K AB - Secret of Alice and Bob IV Initialization Vector

10 Bob K AB IV AD IV AD Authenticated Ciphers with Associated Data Message Authenticated Cipher Ciphertext Tag IV K AB AD Ciphertext Authenticated Cipher Message Alice Tag valid Contest Timeline : Deadline for first-round submissions : Deadline for first-round software : Announcement of second-round candidates : Deadline for second-round Verilog/VHDL : Announcement of third-round candidates : Announcement of finalists : Announcement of final portfolio K AB - Secret of Alice and Bob IV Initialization Vector, AD Associated Data Notes for users of cryptographic products (1) Agreement with a standard does not guarantee the security of a cryptographic product! Security = secure algorithms (guaranteed by ) proper choice of parameters secure implementation proper use Notes for users of cryptographic products (2) Agreement with the same standard does not guarantee the compatibility of two cryptographic products! compatibility = the same algorithm (guaranteed by ) the same protocol the same subset of algorithms the same range of parameters