Lecture 13. Modern Cryptographic Algorithms. Key Sizes. Cryptographic Standards. Secret-Key Cryptography. Modern Secret-Key Ciphers

Transcription

1 Lecture 13 Modern Cryptographic Algorithms Key Sizes Cryptographic Standards Secret-Key Cryptography Modern Secret-Key Ciphers American standards DES 56 bit key AES 2002 contest Triple DES 112, 168 bit 168 bit only AES - Rijndael 128, 192, and 256 bit keys Other popular algorithms IDEA RC5 Blowfish CAST Serpent Twofish RC6 Mars 1

2 IX.1997 X.2000 AES Cryptographic Standard Contests NESSIE I.2000 XII.2002 CRYPTREC 34 stream 4 HW winners ciphers + 4 SW winners 15 block ciphers 1 winner XI.2004 estream 51 hash functions 1 winner V XI.2007 X.2012 SHA-3 57 authenticated ciphers multiple winners IV.2013 XII.2017 CAESAR time Why a Contest for a Cryptographic Standard? Avoid back-door theories Speed-up the acceptance of the standard Stimulate non-classified research on methods of designing a specific cryptographic transformation Focus the effort of a relatively small cryptographic community Cryptographic Contests - Evaluation Criteria Security Software Efficiency Hardware Efficiency μprocessors μcontrollers ASICs FPGAs Flexibility Simplicity Licensing 6 2

3 Specific Challenges of Evaluations in Cryptographic Contests Very wide range of possible applications, and as a result performance and cost targets speed: cost: tens of Mbits/s to hundreds Gbits/s single cents to thousands of dollars Winner in use for the next years, implemented using technologies not in existence today Large number of candidates Limited time for evaluation The results are final Mitigating Circumstances Performance of competing algorithms tend to very significantly (sometimes as much as 500 times) Only relatively large differences in performance matter (typically at least 20%) Multiple groups independently implement the same algorithms (catching mistakes, comparing best results, etc.) Second best may be good enough AES Contest

4 Rules of the Contest Each team submits Detailed cipher specification Justification of design decisions Tent at iv e results of cryptanalysis Source code in C Source code in Java Tes t vectors AES: Candidate Algorithms Canada: CAST-256 Deal USA: Mars RC6 Twofish Safer+ HPC Costa Rica: Frog Germany: Magenta Belgium: Rijndael France: DFC Israel, UK, Norway: Serpent Korea: Crypton Japan: E2 1 Australia: LOKI97 AES Contest Timeline June Candidates CAST-256, Crypton, Deal, DFC, E2, Frog, HPC, LOKI97, Magenta, Mars, RC6, Rijndael, Safer+, Serpent, Twofish, August 1999 October final candidates Mars, RC6, Twofish (USA) Rijndael, Serpent (Europe) 1 winner: Rijndael Belgium Round 1 Security Software efficiency Round 2 Security Software efficiency Hardware efficiency 4

5 NIST Report: Security & Simplicity Security High MARS Twofi sh Serpent Adequate Rijndael RC6 Complex Simple Simplicity Efficiency in software: NIST-specified platform 200 MHz Pentium Pro, Borland C++ Throughput [Mbits/s] bit key 192-bit key 256-bit key 0 Rijndael RC6 Twofish Mars Serpent NIST Report: Software Efficiency Encryption and Decryption Speed 32-bit processors 64-bit processors DSPs high RC6 Rijndael Twofish Rijndael Twofish medium Rijndael Mars Twofish Mars RC6 Mars RC6 low Serpent Serpent Serpent 5

6 Throughput [Mbit/s] Serpent x8 Efficiency in FPGAs: Speed 353 Xilinx Virtex XCV George Mason University University of Southern California Worcester Polytechnic Institute 149 Rijndael Twofish Serpent RC6 Mars x Throughput [Mbit/s] Efficiency in ASICs: Speed MOSIS 0.5μm, NSA Group 128-bit key scheduling 3-in-1 (128, 192, 256 bit) key scheduling Rijndael Serpent Twofish RC6 Mars x1 Lessons Learned Results for ASICs matched very well results for FPGAs, and were both very different than software FPGA ASIC x8 x1 x1 GMU+USC, Xilinx Virtex XCV-1000 NSA Team, ASIC, 0.5μm MOSIS Serpent fastest in hardware, slowest in software 6

7 Lessons Learned Hardware results matter! Final round of the AES Contest, 2000 Speed in FPGAs GMU results Votes at the AES 3 conference Conclusion of the AES contest 2 October 2000 Winner announced November 2001 FIPS-197: AES announced May 2002 Standard becomes effective External format of the AES algorithm plaintext block 128 bits AES key 128, 192, 256 bits 128 bits ciphertext block 7

8 Iterative cipher Round Key[0] Initial transformation i:=1 Round Key[i] Cipher Round i<#rounds? i:=i+1 #rounds times Round Key[#rounds+1] Final transformation One round of a Substitution-Linear Transformation Network cipher 128 S-boxes K[i] Linear Transformation Input, internal state, and output 128 bits = 16 bytes a 0,0 a 1,0 a 2,0 a 3,0 a 0,1 a 1,1 a 2,1 a 3,1 a 0,2 a 1,2 a 2,2 a 3,2 a 0,3 a 1,3 a 2,3 a 3,3 column 0 column 1 column 2 column 3 a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 8

9 Variable block size Allowed only in the initial specification of Rijndael a 0,0 a 1,0 a 2,0 a 3,0 a 0,1 a 1,1 a 2,1 a 3,1 a 0,2 a 1,2 a 2,2 a 3,2 a 0,3 a 1,3 a 2,3 a 3, bits 192 bits 256 bits a 0,0 a 0,1 a 0,2 a 0,3 a 0,4 a 0,5 a 0,6 a 0,7 a 1,0 a 1,1 a 1,2 a 1,3 a 1,4 a 1,5 a 1,6 a 1,7 a 2,0 a 2,1 a 2,2 a 2,3 a 2,4 a 2,5 a 2,6 a 2,7 a 3,0 a 3,1 a 3,2 a 3,3 a 3,4 a 3,5 a 3,6 a 3, Nb columns = Nb 32-bit words Nb=4, 6 or 8 Key, Internal keys Variable key size k 0,0 k 1,0 k 2,0 k 3,0 k 0,1 k 1,1 k 2,1 k 3,1 k 0,2 k 1,2 k 2,2 k 3,2 k 0,3 k 1,3 k 2,3 k 3, bits 192 bits 256 bits k 0,0 k 0,1 k 0,2 k 0,3 k 0,4 k 0,5 k 0,6 k 0,7 k 1,0 k 1,1 k 1,2 k 1,3 k 1,4 k 1,5 k 1,6 k 1,7 k 2,0 k 2,1 k 2,2 k 2,3 k 2,4 k 2,5 k 2,6 k 2,7 k 3,0 k 3,1 k 3,2 k 3,3 k 3,4 k 3,5 k 3,6 k 3, Nk columns = Nk 32-bit words Nk=4, 6 or 8 Pseudocode for AES encryption 9

10 Pseudocode for AES decryption SubBytes S-box a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 1,2 a a 1,3 i,j a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 a 1,2 b b 1,3 i,j b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 Bytes are transformed by applying an invertible S-box One single S-box for the complete cipher S-box: substitution values for the byte xy (in hexadecimal notation) 10

11 ShiftRows a b c d e f g h i j k l m n o p no shift a b c d cyclic shift left by C1=1 f g h e cyclic shift left by C2=2 k l i j cyclic shift left by C3=3 p m n o C1 C2 C3 Block size 128 bits 192 bits 256 bits only in the initial specification, not supported by the standard MixColumns a 0,0 a 0,1 a 0,20,j a 0,3 a 1,0 a 1,1 1,2 a a 1,3 1,j a 2,0 a 2,1 2,2 a 2,3 a 2,j a 3,0 a 3,1 a 3,2 a 3,3 a 3,j b 0,0 b 0,1 ba 0,j 0,2 b 0,3 b 1,0 b 1,1 a 1,2 b b 1,3 1,j b 2,0 b 2,1 a 2,2 b 2,3 b b 3,0 b 3,1 a 2,j 3,2 b 3,3 b 3,j High diffusion A difference in 1 input byte propagates to all 4 output bytes A difference in 2 input bytes propagates to at least 3 output bytes Any linear relation between input and output bits involves bits from at least 5 different bytes (branch number = 5) AddRoundKey a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 + k 0,0 k 0,1 k 0,2 k 0,3 k 1,0 k 1,1 k 1,2 k 1,3 k 2,0 k 2,1 k 2,2 k 2,3 k 3,0 k 3,1 k 3,2 k 3,3 = b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 simple bitwise addition (xor) of round keys 11

12 Number of rounds Key length Block length 128 bits Nb=4 192 bits Nb=6 256 bits Nb=8 128 bits Nk=4 192 bits Nk=6 256 bits Nk= required by the standard non-standard extensions Secret-key cryptography standards Federal standards Banking standards International standards NIST ANSI ISO FIPS 46-1 DES FIPS 46-2 DES FIPS 81 Modes of operation FIPS 46-3 Triple DES FIPS 197 AES X3.92 DES X3.106 DES modes of operation X9.52 Modes of operation of Triple DES ISO Modes of operation of an n-bit cipher ISO/IEC AES, Camellia, SEED, TDEA, MISTY1, CAST-128, MUGI, SNOW NIST FIPS National Institute of Standards and Technology Federal Information Processing Standards American Federal Standards Required in the government institutions Original algorithms developed in cooperation with the National Security Agency (NSA), and algorithms developed in the open research adapted and approved by NIST. 12

13 ANSI X9 American National Standards Institute Work in the subcommittee X9F developing standards for financial institutions Standards for the wholesale (e.g., interbank) and retail transactions (np. bank machines, smart card readers) ANSI represents U.S.A. in ISO ISO International Organization for Standardization International standards Common standards with IEC- International Electrotechnical Commission ISO/IEC JTC1 SC 27 Joint Technical Committee 1, Subcommitte 27 ISO: International Organization for Standardization Long and laborious process of the standard development Minimum 3 years Study period NP - New Proposal WD - Wo rk i n g Draft CD - Committee Draft DIS - Draft International Standard IS - International Standard Review of the standard after 5 years = ratification, corrections or revocation 13

14 Public-Key Cryptography Public-Key Cryptography Standards unofficial industry standards RSA Labs PKCS PKCS industry standards IEEE P1363 bank standards ANSI ANSI X9 international standards ISO ISO federal standards NIST FIPS PKCS Public-Key Cryptography Standards Informal Industry Standards developed by RSA Laboratories in cooperation with Apple, Digital, Lotus, Microsoft, MIT, Northern Tel eco m, No v el l, Su n First, except PGP, formal specification of RSA and formats of messages. 14

15 IEEE P1363 Working group of IEEE including representatives of major cryptographic companies and university centers from USA, Canada and other countries Part of the Microprocessors Standards Committee Modern, open style Quarterly meetings + multiple teleconferences + + discussion list + very informative web page with the draft versions of standards IEEE P1363 Combined standard including the majority of modern public key cryptography Several algorithms for implementation of the same function Tool for constructing other, more specific standards Specific applications or implementations may determine a profile (subset) of the standard Bases of the public cryptosystems security Factorization Discrete Logarithm Elliptic Curve Discrete Logarithm Given: N = p q y = g x mod p = = g g g... g x times Q = x P = = P+P+ +P x times constants p, g P - point of an elliptic curve Unknown: p, q x x 15

16 Elliptic Curve over GF(p) y 2 =x 3 +x Elliptic Curve Addition over GF(p) Y 2 = X 3 + X mod 23 Y 25 Points fullfiling the equation of the curve P=(6,19) Addition P=(3,13) A Q=(7,12) D 2P=P+P=(7,11) Doubling R=P+Q=(13,7) + special point ϑ (point at infinity) such that: P+ ϑ = ϑ+ P = P X Scalar Multiplication Q = k. P = P + P + P P point number (scalar) point k- times 16

17 Elliptic Curve Cryptosystems - ECC Advantages a family of public key cryptosystems, rather than a single cryptosystem strong alternative for RSA several times shorter keys fast and compact implementations, in particular in hardware Elliptic Curve Cryptosystems - ECC Disdvantages complex mathematical description shorter period of research on the cryptanalysis Best known attacks Basis of the cryptosystem security Factorization Discrete Logarithm Elliptic Curve Discrete Logarithm Best known attack General Number Field Sieve 1. General Number Field Sieve 2. Parallel collision search 2. Parallel collision search Complexity of the attack: subexponential 1. subexponential 2. exponential exponential 17

18 Best Algorithm to Factor Large Numbers NUMBER FIELD SIEVE Complexity: Sub-exponential time and memory Execution time N = Number to factor, k = Number of bits of N Ex ponential function, e k Sub-exponential function, e k1/3 (ln k) 2/3 Poly nomial func tion, a k m k = Number of bits of N Factoring 1024-bit RSA keys using Number Field Sieve (NFS) Polynomial Selection Relation Collection Sieving 200 bit & 350 bit smooth numbers Minifactoring (Cofactoring, Norm Factoring) ECM, p-1 method, rho method Linear Algebra Square Root number decimal digits Factorization records date time (phase 1) algorithm C MIPS years mpqs RSA VI MIPS years mpqs RSA IV MIPS years mpqs RSA IV MIPS years gnfs RSA II MIPS years gnfs RSA VIII MIPS years gnfs C I Pentium 1GHz CPU years gnfs RSA III Pentium 1GHz CPU years gnfs RSA XII Pentium 1GHz CPU years gnfs C V Pentium 1GHz CPU years gnfs RSA V Pentium 1GHz CPU years gnfs RSA XII ,400 Opteron 1 GHz CPU years gnfs 18

19 When? Who? Factoring RSA bits = 232 decimal digits Aug Dec Multiple researchers from EPFL, NTT, Bonn University, INRIA, MS Research, CWI Effort? Sieving time Total time 3,300 Opteron 1 GHz CPU years 4,400 Opteron 1 GHz CPU years Factorization records He who has absolute confidence in linear regression will expect a 1024-bit RSA number to be factored on December 17, 2028 For the most recent records see Factorization Announcements & Records at nnouncements.html ds.html 19

20 TWIRL February 2003 Adi Shamir & Eran Tromer, Weizmann Institute of Science Hardware implementation of the sieving phase of Number Field Sieve (NFS) Assumed technology: CMOS, 0.13 µm clock 1 GHz 30 cm semiconductor wafers at the cost of $5,000 each Tentative estimations (no experimental data): TWIRL A. Shamir, E. Tromer Crypto bit RSA: < 10 minutes $ 10 k 1024-bit RSA: < 1 year $ 10 million Theoretical Designs for Sieving (1) TWINKLE ( Shamir, CHES 1999; Shamir & Lenstra, Eurocrypt 2000) - based on optoelectronic devices (fast LEDs) - not even a small prototype built in practice - not suitable for 1024 bit numbers 2003 TWIRL (Shamir & Tromer, Crypto 2003) - semiconductor wafer design - requires fast communication between chips located on the same 30 cm diameter wafer - difficult to realize using current fabrication technology 20

21 Theoretical Designs for Sieving (2) Mesh Based Sieving / YASD (Geiselmann & Steinwandt, PKC 2003 Geiselmann & Steinwandt, CT-RSA 2004) - not suitable for 1024 bit numbers 2005 SHARK (Franke et al., SHARCS & CHES 2005) - relies on an elaborate butterfly switch connecting large number of chips - difficult to realize using current technology 2007 Theoretical Designs for Sieving (3) Non-Wafer-Scale Sieving Hardware (Geiselmann & Steinwandt, Eurocrypt 2007) - based on moderate size chips (2.2 x 2.2 cm) - communication among chips seems to be realistic - 2 to 3.5 times slower than TWIRL - supports only linear sieving, and not more optimal lattice sieving Estimated recurring costs with current technology (US$ year) Traditional PC-based 768-bit TWINKLE bit TWIRL Mesh-based by Eran Tromer, May 2005 SHARK But: non-recurring costs, chip size, chip transport networks 21

22 However None of the theoretical designs ever built. Just analytical estimations, no real implementations, no concrete numbers First Practical Implementation of the Relation Collection Step in Hardware 2007 Japan Tets uy a Iz u and J un K ogure and Takeshi Shimoyama (Fujitsu) CHES CAIRN 2 machine, September 2007 SHARCS 2007 CAIRN 3 machine, September 2007 First large number factored using FPGA support Factored number: N = P Q 423-bits 205 bits 218 bits Time of computations: One month of computations using a PC supported by CAIRN 2 for a 423-bit number Problems: CAIRN 3 about 40 times faster than CAIRN 2 Time of sieving with CAIRN 3 for a 768-bit key estimated at 270 years - Speed up vs. one PC (AMD Opteron): only about 4 times - Limited scalability 22

23 Workshop Series SHARCS - Special-purpose Hardware for Attacking Cryptographic Systems 1 st edition: Paris, Feb , nd edition: Cologne, Apr. 3-4, rd edition: Vienna, Sep. 9-10, th edition: Lausanne, Sep. 9-10, th edition: Washington, Mar , 2012 See CERG Team Organizing SHARCS 2012 in Washington D.C., Mar , 2012 Keylengths in public key cryptosystems that provide the same level of security as AES and other secret-key ciphers Arjen K. Lenstra, Eric R. Verheul Selecting Cryptographic Key Sizes Journal of Cryptology, 2001 Arjen K. Lenstra Unbelievable Security: Matching AES Security Using Public Key Systems ASIACRYPT

24 Keylengths in RSAproviding the same level of security as selected secret-key cryptosystems 0 DES The same cost The same number of operations DES (2 keys) 3 DES (3 keys) AES-128 AES-192 AES Keylengths in RSAproviding the same level of security as selected secret-key cryptosystems 0 AES-256 AES-192 AES DES (3K) 3 DES (2K) DES year Recommendations of RSA Security Inc. May 6, 2003 Validity period Minimal RSA key length (bits) Equivalent symmetric key length (bits)

25 Five security levels allowed by American government NIST SP Level RSA / DH ECC Symmetric ciphers I II III IV V Most known public key cryptosystems Based on the difficulty of Factorization Discrete logarithm Elliptic curve discrete logarithm Signature RSA DSA, N-R EC-DSA Encryption RSA El-Gamal EC-El-Gamal Key agreement RSA Diffie-Hellman (DH) EC-DH IEEE P Factorization Discrete logarithm Elliptic curve discrete logarithm encryption RSA with OAEP signature RSA & R-W with ISO or ISO 9796 DSA, NR with ISO 9796 EC-DSA, EC-NR with ISO 9796 key agreement DH1 DH2 and MQV EC-DH1, EC-DH2 and EC-MQV 25

26 IEEE P1363a factorization discrete logarithm elliptic curve discrete logarithm encryption RSA with OAEP new scheme new scheme signature RSA & R-W with ISO or ISO 9796 DSA, NR with ISO-9796 EC-DSA, EC-NR with ISO 9796 key agreement new scheme DH1 DH2 & MQV EC-DH1 EC-DH2 & EC-MQV ANSI X9 Standards factorization discrete logarithm elliptic curve discrete logarithm encryption X9.44 RSA signature X9.31 (RSA & R-W) X9.30 DSA X9.62 EC-DSA key agreement X9.42 DH1, DH2, MQV X9.63 EC-DH1, 2 EC-MQV Notes for users of cryptographic products (1) Agreement with a standard does not guarantee the security of a cryptographic product! Security = secure algorithms (guaranteed by standards) proper choice of parameters secure implementation proper use 26

27 Notes for users of cryptographic products (2) Agreement with the same standard does not guarantee the compatibility of two cryptographic products! compatibility = the same algorithm (guaranteed by standards) the same protocol the same subset of algorithms the same range of parameters Modern Cryptography RSA DH DSA ECC 27