ECE 646 Lecture 12. Cryptographic Standards. Secret-key cryptography standards

Transcription

1 ECE 646 Lecture 12 Cryptographic Standards Secret-key cryptography Federal Banking International NIST FIPS 46-1 DES FIPS 46-2 DES FIPS 81 Modes of operation FIPS 46-3 Triple DES FIPS 197 AES X3.92 DES ANSI X3.106 DES modes of operation X9.52 Modes of operation of Triple DES ISO ISO Modes of operation of an n-bit cipher ISO/IEC AES, Camellia, SEED, TDEA, MISTY1, CAST-128, MUGI, SNOW NIST FIPS National Institute of Standards and Technology Federal Information Processing Standards American Federal Standards Required in the government institutions Original algorithms developed in cooperation with the National Security Agency (NSA), and algorithms developed in the open research adapted and approved by NIST.

2 Public-Key Cryptography Standards unofficial industry RSA Labs PKCS PKCS industry IEEE P1363 bank ANSI ANSI X9 international ISO ISO federal NIST FIPS PKCS Public-Key Cryptography Standards Informal Industry Standards developed by RSA Laboratories in cooperation with Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell, Sun First, except PGP, formal specification of RSA and formats of messages. IEEE P1363 Working group of IEEE including representatives of major cryptographic companies and university centers from USA, Canada and other countries Part of the Microprocessors Standards Committee Modern, open style Quarterly meetings + multiple teleconferences + + discussion list + very informative web page with the draft versions of

3 IEEE P1363 Combined standard including the majority of modern public key cryptography Several algorithms for implementation of the same function Tool for constructing other, more specific Specific applications or implementations may determine a profile (subset) of the standard ANSI X9 American National Standards Institute Work in the subcommittee X9F developing for financial institutions Standards for the wholesale (e.g., interbank) and retail transactions (np. bank machines, smart card readers) ANSI represents U.S.A. in ISO ISO International Organization for Standardization International Common with IEC - International Electrotechnical Commission ISO/IEC JTC1 SC 27 Joint Technical Committee 1, Subcommitte 27 Full members: Australia, Belgium, Brazil, Canada, China, Denmark, Finland, France, Germany, Italy, Japan, Korea, Holland, Norway, Poland, Russia, Spain, Sweden, Switzerland, UK, USA

4 ISO: International Organization for Standardization Long and laborious process of the standard development Minimum 3 years Study period NP - New Proposal WD - Working Draft CD - Committee Draft DIS - Draft International Standard IS - International Standard Review of the standard after 5 years = ratification, corrections or revocation Public-key Cryptography Standards unofficial industry RSA Labs PKCS PKCS industry IEEE P1363 bank ANSI ANSI X9 international ISO ISO federal NIST FIPS IEEE P Factorization Discrete Elliptic curve discrete encryption RSA with OAEP signature key agreement RSA & R-W with ISO or ISO 9796 DSA, NR with ISO 9796 DH1 DH2 and MQV EC-DSA, EC-NR with ISO 9796 EC-DH1, EC-DH2 and EC-MQV

5 IEEE P1363a-2004 Factorization Discrete Elliptic curve discrete encryption RSA with OAEP new scheme new scheme signature RSA & R-W with ISO or ISO 9796 DSA, NR with ISO-9796 EC-DSA, EC-NR with ISO 9796 key agreement DH1 DH2 & MQV EC-DH1 EC-DH2 & EC-MQV IEEE P1363a factorization discrete elliptic curve discrete encryption RSA with OAEP new scheme new scheme signature RSA & R-W with ISO or ISO 9796 DSA, NR with ISO-9796 EC-DSA, EC-NR with ISO 9796 key agreement new scheme DH1 DH2 & MQV EC-DH1 EC-DH2 & EC-MQV ANSI X9 Standards factorization discrete elliptic curve discrete encryption X9.44 RSA signature X9.31 (RSA & R-W) X9.30 DSA X9.62 EC-DSA key agreement X9.42 DH1, DH2, MQV X9.63 EC-DH1, 2 EC-MQV

6 Industry - PKCS factorization discrete elliptic curve discrete encryption PKCS #1 RSA PKCS #13 new scheme signature PKCS #1 (RSA & R-W) PKCS #13 EC-DSA key agreement PKCS #2 DH PKCS #13 EC-DH1, 2 EC-MQV NIST - FIPS factorization discrete elliptic curve discrete encryption signature FIPS RSA FIPS DSA FIPS EC-DSA key agreement International ISO factorization discrete elliptic curve discrete encryption signature ISO ISO ISO ISO ISO ISO key agreement ISO ISO

7 IX.1997 X.2000 AES Cryptographic Standard Contests NESSIE I.2000 XII.2002 CRYPTREC 34 stream 4 HW winners ciphers + 4 SW winners 15 block ciphers 1 winner XI.2004 estream 51 hash functions 1 winner V.2008 XI.2007 X.2012 SHA-3 57 authenticated ciphers multiple winners IV.2013 XII.2017 CAESAR time Why a Contest for a Cryptographic Standard? Avoid back-door theories Speed-up the acceptance of the standard Stimulate non-classified research on methods of designing a specific cryptographic transformation Focus the effort of a relatively small cryptographic community Cryptographic Contests - Evaluation Criteria Security Software Efficiency Hardware Efficiency µprocessors µcontrollers ASICs FPGAs Flexibility Simplicity Licensing 21

8 Specific Challenges of Evaluations in Cryptographic Contests Very wide range of possible applications, and as a result performance and cost targets speed: cost: tens of Mbits/s to hundreds Gbits/s single cents to thousands of dollars Winner in use for the next years, implemented using technologies not in existence today Large number of candidates Limited time for evaluation The results are final Mitigating Circumstances Performance of competing algorithms tend to very significantly (sometimes as much as 500 times) Only relatively large differences in performance matter (typically at least 20%) Multiple groups independently implement the same algorithms (catching mistakes, comparing best results, etc.) Second best may be good enough AES Contest

9 Rules of the Contest Each team submits Detailed cipher specification Justification of design decisions Tentative results of cryptanalysis Source code in C Source code in Java Test vectors AES: Candidate Algorithms Canada: CAST-256 Deal USA: Mars RC6 Twofish Safer+ HPC Costa Rica: Frog Germany: Magenta Belgium: Rijndael France: DFC Israel, UK, Norway: Serpent Korea: Crypton Japan: E2 1 Australia: LOKI97 AES Contest Timeline June Candidates CAST-256, Crypton, Deal, DFC, E2, Frog, HPC, LOKI97, Magenta, Mars, RC6, Rijndael, Safer+, Serpent, Twofish, August 1999 October final candidates Mars, RC6, Twofish (USA) Rijndael, Serpent (Europe) 1 winner: Rijndael Belgium Round 1 Security Software efficiency Round 2 Security Software efficiency Hardware efficiency

10 NIST Report: Security & Simplicity Security High MARS Twofish Serpent Adequate Rijndael RC6 Complex Simple Simplicity Efficiency in software: NIST-specified platform 200 MHz Pentium Pro, Borland C++ Throughput [Mbits/s] 128-bit key 192-bit key bit key Rijndael RC6 Twofish Mars Serpent NIST Report: Software Efficiency Encryption and Decryption Speed 32-bit processors 64-bit processors DSPs high RC6 Rijndael Twofish Rijndael Twofish medium Rijndael Mars Twofish Mars RC6 Mars RC6 low Serpent Serpent Serpent

11 Throughput [Mbit/s] Serpent x8 Efficiency in FPGAs: Speed 353 Xilinx Virtex XCV George Mason University University of Southern California Worcester Polytechnic Institute 149 Rijndael Twofish Serpent RC6 Mars x Throughput [Mbit/s] Efficiency in ASICs: Speed MOSIS 0.5µm, NSA Group 128-bit key scheduling 3-in-1 (128, 192, 256 bit) key scheduling Rijndael Serpent Twofish RC6 Mars x1 Lessons Learned Results for ASICs matched very well results for FPGAs, and were both very different than software FPGA ASIC x8 x1 x1 GMU+USC, Xilinx Virtex XCV-1000 NSA Team, ASIC, 0.5µm MOSIS Serpent fastest in hardware, slowest in software

12 Lessons Learned Hardware results matter! Final round of the AES Contest, 2000 Speed in FPGAs GMU results Votes at the AES 3 conference SHA-3 Contest NIST SHA-3 Contest - Timeline 51 candidates Round 1 Round 2 Round Oct July 2009 Dec Oct. 2012

13 SHA-3 Round 2 37 Performance Metrics Primary Secondary 1. Throughput 2. Area 3. Throughput / Area 4. Hash Time for Short Messages (up to 1000 bits) 38 Overall Normalized Throughput: 256-bit variants of algorithms Normalized to SHA-256, Averaged over 10 FPGA families Keccak ECHO Luffa Groestl BMW JH CubeHash Fugue SHAvite-3 Hamsi SIMD BLAKE Skein Shabal

14 BLAKE BMW CubeHash ECHO Fugue Groestl Hamsi JH Keccak Luffa Shabal SHAvite-3 SIMD Skein 256-bit variants 512-bit variants Thr/Area Thr Area Short msg. Thr/Area Thr Area Short msg. 40 SHA-3 Round 3 41 SHA-3 Contest Finalists

15 Benchmarking of the SHA-3 Finalists by CERG GMU 6 algorithms (BLAKE, Groestl, JH, Keccak, Skein, SHA-2) 2 variants (with a 256-bit and a 512-bit output) 7 to 12 different architectures per algorithm 4 modern FPGA families (Virtex 5, Virtex 6, Stratix III, Stratix IV) Total: ~ 120 designs ~ 600+ results 43 BLAKE-256 in Virtex 5 x1 basic iterative architecture /k(h) horizontal folding by a factor of k xk unrolling by a factor of k /k(v) vertical folding by a factor of k xk-ppln unrolling by a factor of k with n pipeline stages bit variants in Virtex 5 45

16 512-bit variants in Virtex bit variants in 4 high-performance FPGA families bit variants in 4 high-performance FPGA families 48

17 SHA-3 in ASICs 49 GMU/ETH Zurich ASIC standard-cell CMOS 65nm UMC ASIC process 256-bit variants of algorithms Taped-out in Oct. 2011, successfully tested in Feb Correlation Between ASIC Results and FPGA Results ASIC Stratix III FPGA 51

18 Correlation Between ASIC Results and FPGA Results ASIC Stratix III FPGA 52 CAESAR Contest Authenticated Ciphers Bob Alice IV Message IV Ciphertext Tag K AB Authenticated Cipher K AB Authenticated Cipher valid IV Ciphertext Tag Message K AB - Secret key of Alice and Bob IV Initialization Vector

19 Authenticated Ciphers with Associated Data Bob Alice IV AD Message IV AD Ciphertext Tag K AB Authenticated Cipher K AB Authenticated Cipher valid IV AD Ciphertext Tag Message K AB - Secret key of Alice and Bob IV Initialization Vector, AD Associated Data Contest Timeline : Deadline for first-round submissions : Deadline for first-round software : Announcement of second-round candidates : Deadline for second-round Verilog/VHDL : Announcement of third-round candidates : Announcement of finalists : Announcement of final portfolio Notes for users of cryptographic products (1) Agreement with a standard does not guarantee the security of a cryptographic product! Security = secure algorithms (guaranteed by ) proper choice of parameters secure implementation proper use

20 Notes for users of cryptographic products (2) Agreement with the same standard does not guarantee the compatibility of two cryptographic products! compatibility = the same algorithm (guaranteed by ) the same protocol the same subset of algorithms the same range of parameters