An Introduction to new Stream Cipher Designs

Similar documents
Correlated Keystreams in Moustique

New Time-Memory-Data Trade-Off Attack on the Estream Finalists and Modes of Operation of Block Ciphers

A Cache Timing Analysis of HC-256

Cycle counts for authenticated encryption

The Salsa20 Family of Stream Ciphers

Cache Timing Attacks on estream Finalists

Throughput/code size trade-off for stream ciphers

Differential Fault Analysis of Trivium

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1

Stream Ciphers and Block Ciphers

Stream Ciphers An Overview

Linear Cryptanalysis of Reduced Round Serpent

NIST s Lightweight Crypto Standardization Process

The RAKAPOSHI Stream Cipher

COZMO - A New Lightweight Stream Cipher

Stream Cipher Criteria

Cache Timing Analysis of LFSR-based Stream Ciphers

Grain - A Stream Cipher for Constrained Environments

Stream Ciphers and Block Ciphers

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

The Rectangle Attack

Hardware evaluation of estream Candidates: Grain, Lex, Mickey128, Salsa20 and Trivium

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Cryptography for Resource Constrained Devices: A Survey

Lecture 1 Applied Cryptography (Part 1)

Differential-Linear Cryptanalysis of Serpent

Network Security Essentials Chapter 2

Stream Ciphers. Stream Ciphers 1

On the Applicability of Distinguishing Attacks Against Stream Ciphers

A New Attack on the LEX Stream Cipher

ULCL An Ultra-lightweight Cryptographic Library for Embedded Systems

Hardware Accelerator for Stream Cipher Spritz

High-Performance Cryptography in Software

ChaCha, a variant of Salsa20

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Survey and Benchmark of Stream Ciphers for Wireless Sensor Networks

An Overview of Cryptanalysis Research for the Advanced Encryption Standard

arxiv: v1 [cs.cr] 10 Oct 2008

Challenges in Lightweight Crypto Standardization

CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS

Improved Truncated Differential Attacks on SAFER

TWO GENERIC METHODS OF. Chinese Academy of Sciences

A New Attack on the LEX Stream Cipher

Private-Key Encryption

Key Separation in Twofish

A Chosen-Plaintext Linear Attack on DES

Implementation and Comparative Analysis of AES as a Stream Cipher

BLOSTREAM: A HIGH SPEED STREAM CIPHER

Hardware Architectures

EEC-484/584 Computer Networks

Trivium. 2 Specifications

A New Version of Grain-128 with Authentication

ECE 646 Lecture 8. Modes of operation of block ciphers

Light Weight Implementation of Stream Ciphers for M-Commerce Applications

FPGA Implementation of WG Stream Cipher

Block Ciphers. Secure Software Systems

City, University of London Institutional Repository

Improved Attack on Full-round Grain-128

Susceptibility of estream Candidates towards Side Channel Analysis

NON LINEAR FEEDBACK STREAM CIPHER

Chapter 6 Contemporary Symmetric Ciphers

Weak Keys. References

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Better price-performance ratios for generalized birthday attacks. D. J. Bernstein University of Illinois at Chicago

Related-key Attacks on Triple-DES and DESX Variants

IoT Security: Performance Evaluation of Grain, MICKEY, and Trivium - Lightweight Stream Ciphers

SAT Solvers in the Context of Cryptography

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Chapter 3 Block Ciphers and the Data Encryption Standard

Hardware Accelerator for Stream Cipher Spritz

Standardisation efforst in lightweight cryptography

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

CPS2323. Symmetric Ciphers: Stream Ciphers

Implementing AES : performance and security challenges

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Necessary conditions for designing secure stream ciphers with the minimal internal states

Lecture 2: Secret Key Cryptography

Some Aspects of Block Ciphers

New mobile phone algorithms a real world story

CSE 127: Computer Security Cryptography. Kirill Levchenko

DSP-128: Stream Cipher Based On Discrete Log Problem And Polynomial Arithmetic

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography and Network Security

symmetric cryptography s642 computer security adam everspaugh

Double-DES, Triple-DES & Modes of Operation

Cryptography 2017 Lecture 3

Computer Security 3/23/18

Breaking Grain-128 with Dynamic Cube Attacks

Cryptanalysis vs. Reality

Computer and Data Security. Lecture 3 Block cipher and DES

Lightweight Crypto Design Principles - Approaches and Limitations

Data Encryption Standard (DES)

AES as A Stream Cipher

Salsa20 speed. Daniel J. Bernstein

Winter 2011 Josh Benaloh Brian LaMacchia

EEC-682/782 Computer Networks I

Improving the Diffusion of the Stream Cipher Salsa20 by Employing a Chaotic Logistic Map

Encryption. INST 346, Section 0201 April 3, 2018

On the Security of Stream Cipher CryptMT v3

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Transcription:

An Introduction to new Stream Cipher Designs Ways of Turning Your Data into Line Noise T. E. Bjørstad The Selmer Center, Department of Informatics University of Bergen, Norway 25th Chaos Communications Congress, Berlin, Germany 2008-12-29

Outline 1 Introduction to Stream Ciphers Current State of the Art 2 HC-128 Rabbit Salsa20/12 SOSEMANUK Grain v1 MICKEY 2.0 Trivium 3

What is a Stream Cipher? Introduction to Stream Ciphers Current State of the Art Block ciphers (such as AES) are keyed permutations on a fixed-length data block. Stream ciphers output a sequence of random-looking symbols, the keystream, which is combined with the data with a simple XOR. Key IV Stream Cipher Keystream Data Stream Ciphertext Stream

What do we mean by Security? Introduction to Stream Ciphers Current State of the Art Usual assumption: attacker can choose IVs adaptively, knows the keystream produced. Resource usage: an attack should be more efficient (wrt. time, memory, money, etc.) than checking all possible keys. Main types of attack (informal): 1 Distinguishing: Attacker is unable to distinguish keystream from a true random source. 2 State recovery: Attacker is unable to recover the internal state of the cipher / the secret key.

On RC4 Introduction to Stream Ciphers Current State of the Art RC4: By far the most widely used stream cipher. Used or supported in WEP, WPA, Bittorrent, SSL, Kerberos,... Advantages: Very fast in software. Simple description. Can be implemented in a dozen lines of C. Disadvantages: Output can be distinguished from random. No specified IV-handling. Hard to use correctly. State is large (2048 bits). Not suitable for hardware. Saga of WEP and WPA RC4 is dangerous.

On AES Introduction to Stream Ciphers Current State of the Art The Advanced Encryption Standard (FIPS 197). AES in Counter mode (AES-CTR) is a stream cipher. Advantages: It s the Standard. Everybody uses it. Secure. Reasonable resource requirements. Disadvantages: Bad for biodiversity. Everybody wants to break it. One size fits all badly.

Other Stream Ciphers Introduction to Stream Ciphers Current State of the Art Lots of bad proprietary stream ciphers. A5/1 and A5/2 used in GSM... broken. E0 used in Bluetooth... broken. MIFARE Classic, KEELOQ... oh dear. EU project NESSIE (2000 2003): all six stream ciphers were successfully attacked. There is a demand for secure stream ciphers but most real-world stream ciphers suck. :-(

estream ECRYPT European Network of Excellence for Cryptology EU-funded research project, 2004 2008. estream the ECRYPT Stream Cipher Project. Goal: identify new stream ciphers that might become suitable for widespread adoption. Ciphers: must be demonstrably superior to the AES in at least one significant aspect. estream is not a formal standardisation process.

estream timetable Call for primitives: November 2004. Deadline for submissions: April 29, 2005. Received 34 submissions in 2 usage profiles Profile 1 Software applications with high throughput requirements. Profile 2 Hardware applications with restricted resources. About half were broken. Final portfolio selection: April 15, 2008.

The Profile 1 ( Software ) Ciphers Formal requirements for Profile 1: Key length at least 128 bits. IV length either 64 or 128 bits. The Profile 1 portfolio consists of four ciphers. HC-128 designed by Wu. Rabbit designed by Boesgaard et al. Salsa20/12 designed by Bernstein. SOSEMANUK designed by Berbain et al.

HC-128 (Specs) HC named after the author, Hongyun s Cipher. Key length: 128 bits. IV length: 128 bits. State: 2x 512-word registers = 4 kilobytes. Output symbols: 32-bit words. Stream: Up to 2 64 bits. Security: 128 bits.

HC-128 (Illustrated) Cell j-10 Cell j-3 Cell j Cell j+1 Cell update g Cell j-12 Cell j Used as index for S-box lookup in other array. Keystream

HC-128 (Notes) HC-128 is the estream that resembles RC4 the most. It reuses components from SHA-256. No regular attacks known. Cache timing (Zenner 2008)? The fastest estream for long streams (2-4 cycles/byte). AES-CTR runs at 15-30 CPB in the same setting (depending on platform). Horribly slow (> 500 cycles/byte) for short (40-byte) packets (AES: 18-26 CPB). Variant cipher HC-256 supports 256-bit keys.

Rabbit (Specs) Rabbit was designed by the Danish company Cryptico. Key length: 128 bits. IV length: 64 bits. State: 8 state words, 8 counter words, 1 carry bit = 513 bits (in practice 544 bits). Output: 128-bit blocks. Stream: Up to 2 64 output blocks. Security: 128 bits.

Rabbit (Illustrated) c 0 c 1 x 0 x 1 c 7 c 2 x 7 x 2 Each round, extract 128 bits from x 0... x 7 x 6 x 3 c 6 c 3 x 5 x 4 c 5 c 4

Rabbit (Notes) One of the oldest estreams, first published in early 2003. Simple symmetrical structure. The only portfolio cipher which had patent issues, but has always been free for noncommercial use. The cipher was released into the public domain by Cryptico in 2008, after estream ended. Rabbit is described in RFC 4503. About the same speed as AES on short packets, fast (2-10 cycles/byte) on long streams.

Salsa20/12 (Specs) I m sure you all know who djb is. ;-) Key length: 256 bits. IV length: 64 bits. State: 4x4 matrix of words = 512 bits. Output: 512-bit blocks (entire state). Stream: At most 2 64 blocks, due to the block counter. Security: 256 bits.

Salsa20/12 (Illustrated) x 0 x 1 x 2 x 3 y 0 y 1 y 2 y 3 x 4 x 5 x 6 x 7 Rowround y 4 y 5 y 6 y 7 x 8 x 9 x 10 x 11 y 8 y 9 y 10 y 11 x 12 x 13 x 14 x 15 y 12 y 13 y 14 y 15 Columnround Two rounds of Salsa20: (y 0, y 1, y 2, y 3 ) z 0 z 1 z 2 z 3 = quarterround (x 0, x 1, x 2, x 3 ) z 4 z 5 z 6 z 7 (z 0, z 4, z 8, z 12 ) z 8 z 9 z 10 z 11 = quarterround (y 0, y 4, y 8, y 12 ) z 12 z 13 z 14 z 15

Salsa20/12 (Notes) Quarterround function: simple ADD-ROL-XOR. Salsa20 is basically a hash function in counter mode. Easy to describe, analyse, implement. djb has a good track record with respect to security. Salsa20/x has x rounds. Full version is Salsa20/20. Best attack is on 8 rounds (i.e. Salsa20/8). Slightly faster than AES on short packets; 2.5-8 cycles/byte for long streams. Variant: ChaCha, proposed in early 2008.

SOSEMANUK (Specs) SOSEMANUK means snowsnake in the Cree language. Key length: 128-256 bits. IV length: 128 bits. State: 10 word LFSR and 2 words of FSM = 384 bits. Stream: (not specified) Output: one 128-bit block every 4 steps. Security: 128 bits.

SOSEMANUK (Illustrated) Feedback function uses s 0, s 3, s 9 s 9 10-stage LFSR of 32-bit words s 0 Mux Serpent R1 Trans R2 Output

SOSEMANUK (Notes) The cipher reuses parts of previous ciphers; notably the stream cipher SNOW 2.0 and the block cipher SERPENT. While SOSEMANUK supports key lengths up to 256 bits, the designers only claim 128-bit security. The best known attack (on the 256-bit version) takes on the order of 2 224 steps. Performance: 3.5-8 cycles/byte for long streams, slower than AES-CTR on 40-byte packets.

The Profile 2 ( Hardware ) Ciphers Formal requirements for Profile 2: Key length at least 80 bits. IV length either 32 or 64 bits. The Profile 2 portfolio consists of three ciphers. Grain designed by Hell et al. MICKEY designed by Babbage and Dodd. Trivium designed by De Cannère and Preneel.

Grain v1 (Specs) I have no idea where they got the name for this one. Key length: 80 bits. IV length: 64 bits. State: 2x 80-bit registers = 160 bits. Stream: (not specified) Output: 1 bit, can be unrolled for 16 steps. Security: 79 bits.

Grain v1 (Illustrated) Non-linear feedback, g(x) Linear feedback, f(x) 13 bits 6 bits 80 bit NFSR 80 bit LFSR 7 bits 1 bit 4 bits Filter, h(x) Masking bits Keystream

Grain v1 (Notes) The most compact hardware cipher, can be implemented in about 1300 NAND eq. gates. Fast in hardware, unrolling enables different tradeoffs. Security margin is extremely tight. Attacks on initialisation. Sliding property. Time/Memory tradeoff. Also a 128-bit version, Grain-128.

MICKEY 2.0 (Specs) Mutually Irregular Clocking KEYstream generator. Key length: 80 bits IV length: up to 80 bits State: 200 bits Stream: 2 40 bits for 2 40 unique IVs. Output: 1 bit. Security: 80 bits.

MICKEY 2.0 (Illustrated) CBR = 1: Jump clocking CBR = 0: Regular clocking X R 99 Linear Register R 00 CBR Output CBS S 99 Non-Linear Register S 00 CBS = 0: Feedback 0 X CBS = 1: Feedback 1

MICKEY 2.0 (Notes) Slower and larger than Grain and Trivium, more conservative design. Possible side channel issues as result of irregular clocking mechanism? Design is said to be clear and easy to implement. No known attacks that approach the complexity of bruteforcing the key. Variant MICKEY-128 supports longer keys.

Trivium (Specs) Trivium refers both to the cipher s structure, and its simplicity. Key length: 80 bits IV length: 80 bits State: 288 bits Stream: 2 64 bits Output: 1 bit, can be unrolled for 64 steps. Security: 80 bits?

Trivium (Illustrated)

Trivium (Notes) The fastest Profile 2 cipher, but the largest state. Extremely simple description has made Trivium a prime target for almost everyone. Possibility of unrolling allows flexible tradeoffs. Maximov and Biryukov show that guess-and-determine attacks almost break the cipher. Dinur and Shamir break 735 (of 1152) initialisation rounds by cube attack, estimate that attack works for 1024 rounds.

On the Final Portfolio Cipher There used to be four Profile 2 ciphers in the portfolio. F-FCSR-H was recently broken by Hell and Johansson. Practical linearisation attack which breaks the cipher in minutes. The attack was published at ASIACRYPT 2008. The cipher was removed from the estream portfolio in September 2008. Whoops.

On Confidence and Future Attacks Attacks never get worse, they only get better. Confidence in security increases over time. Faith in security of AES remains much stronger. New attacks may not be practical, or depend on specific usage. Or not. Do Cube Attacks (Dinur and Shamir, CRYPTO 2008) apply to the hardware candidates? Use at own risk. ;-)

The NIST Hash Function Competition (SHA-3) The next big thing for cryptanalysts to play with. NIST wants to find a new hash function standard. Similar to the AES process (and estream). 64 submissions, 51 made it to the first evaluation round. Currently 17 of the proposals have been broken. Final decision expected in Q2 2012.

Summary estream has identified 7 new, promising stream ciphers. Ciphers offer various performance tradeoffs. All better than AES in some respect. Beware of future cryptanalysis still very young ciphers. If in doubt, AES(-CTR) is still the safest choice. ;-)

Thank You! Thanks for listening! Any questions?

Appendix Further Reading Further Reading M. Robshaw and O. Billet (Eds.). New Stream Cipher Designs The estream Finalists. LNCS 4986. Springer Verlag, 2008. http://www.ecrypt.eu.org/stream/ Stream-cipher timings (Software). http://cr.yp.to/streamciphers/timings.html The SHA-3 Zoo. http://ehash.iaik.tugraz.at/wiki/the_sha-3_zoo

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback