Cryptography Trends: A US-Based Perspective. Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000

Similar documents
Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009

Introduction to Modern Symmetric-Key Ciphers

Stream Ciphers and Block Ciphers

Data Encryption Standard (DES)

Winter 2011 Josh Benaloh Brian LaMacchia

Stream Ciphers and Block Ciphers

Week 5: Advanced Encryption Standard. Click

Content of this part

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

NIST Cryptographic Toolkit

CPSC 467b: Cryptography and Computer Security

Lecture 4. Encryption Continued... Data Encryption Standard (DES)

Presented by: Kevin Hieb May 2, 2005

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

CPSC 467b: Cryptography and Computer Security

Block Ciphers. Secure Software Systems

Lecture 5. Encryption Continued... Why not 2-DES?

Fundamentals of Cryptography

A Low Device Occupation IP to Implement Rijndael Algorithm

Introduction to Cryptology. Lecture 17

Jaap van Ginkel Security of Systems and Networks

CPSC 467: Cryptography and Computer Security

Goals of Modern Cryptography

Jaap van Ginkel Security of Systems and Networks

DIFFUSION AND TIME ANALYSIS FOR AES CANDIDATES

Update on NIST Post-Quantum Cryptography Standardization. Lily Chen National Institute of Standards and Technology USA

Cryptographic Algorithm Validation Program:

Encryption I. An Introduction

AES Java Technology Comparisons

CS Network Security. Module 6 Private Key Cryptography

Lecture 2: Secret Key Cryptography

CS 392/681 Computer Security. Module 1 Private Key Cryptography

Cryptography. Summer Term 2010

APNIC elearning: Cryptography Basics

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

SMPTE Standards Transition Issues for NIST/FIPS Requirements

Cryptography MIS

FPGA Can be Implemented Using Advanced Encryption Standard Algorithm

Computer Security CS 526

PGP: An Algorithmic Overview

Advanced Encryption Standard

Efficient Hardware Design and Implementation of AES Cryptosystem

Hardware Architectures

Analysis, demands, and properties of pseudorandom number generators

Key Separation in Twofish

Permutation-based symmetric cryptography

Cryptography Functions

Elliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai

Delineation of Trivial PGP Security

Cryptographic Algorithms - AES

ECE 646 Lecture 12. Cryptographic Standards. Secret-key cryptography standards

Secret Key Cryptography

Cryptography and Network Security

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Jaap van Ginkel Security of Systems and Networks

Internet Engineering Task Force (IETF) Request for Comments: 7192 Category: Standards Track April 2014 ISSN:

Performance of Symmetric Ciphers and One-way Hash Functions

Scanned by CamScanner

Symmetric-Key Cryptography

Report on the Development of the Advanced Encryption Standard (AES)

Internet Engineering Task Force (IETF) Request for Comments: Category: Informational ISSN: March 2011

Software implementation and performance comparison of popular block ciphers on 8-bit low-cost microcontroller

Elaine Barker and Allen Roginsky NIST June 29, 2010

The Case for Serpent

FPGA CAN BE IMPLEMENTED BY USING ADVANCED ENCRYPTION STANDARD ALGORITHM

Computer and Data Security. Lecture 3 Block cipher and DES

Recommendation to Protect Your Data in the Future

6 Cryptographic Techniques A Brief Introduction

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

Information Security CS526

IMPROVEMENT KEYS OF ADVANCED ENCRYPTION STANDARD (AES) RIJNDAEL_M

Cryptographic Hash Functions

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

A roadmap to migrating the internet to quantum-safe cryptography

NIST Post- Quantum Cryptography Standardiza9on

CSE 127: Computer Security Cryptography. Kirill Levchenko

Monte Carlo Scheme: Cryptography Application

A Methodology for Differential-Linear Cryptanalysis and Its Applications

EEC-484/584 Computer Networks

CCproc: A custom VLIW cryptography co-processor for symmetric-key ciphers

Design of block ciphers

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Protect Yourself Against Security Challenges with Next-Generation Encryption

Crypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion

Inside the World of Cryptographic Algorithm Validation Testing. Sharon Keller CAVP Program Manager NIST ICMC, May 2016

Introduction to Post-Quantum Cryptography

Introduction to Post-Quantum Cryptography

FIPS Security Policy

Security Applications

A New ShiftColumn Transformation: An Enhancement of Rijndael Key Scheduling

Cryptography III: Symmetric Ciphers

Advanced Crypto. 2. Public key, private key and key exchange. Author: Prof Bill Buchanan

8/30/17. Introduction to Post-Quantum Cryptography. Features Required from Today s Ciphers. Secret-key (Symmetric) Ciphers

Internet Engineering Task Force (IETF) Request for Comments: 5959 Category: Standards Track August 2010 ISSN:

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Uses of Cryptography

Cryptography (Overview)

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

Transcription:

Cryptography Trends: A US-Based Perspective Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000

Outline Advanced Encryption Standard Dominant design Thoughts on key size

Advanced Encryption Standard New symmetric encryption algorithm for US federal agencies Replaces Data Encryption Standard (DES), first published in 1977, providing stronger security: 128-bit minimum key size vs. 56 for DES 128-bit block size vs. 64 for DES Open, public evaluation process Likely to become a new worldwide de facto symmetric algorithm

Timetable 1997 1998 1999 2000 Jan.: First announcement Sept.: Call for algorithms June: Submission deadline August: First AES Conference March: Second AES Conference August: Finalists announced April: Third AES Conference May: Comments deadline Oct.: Winner announced ROUND 1 ROUND 2

Evaluation Criteria Security (primary) Cost and algorithm characteristics (secondary) general security attacks on implementations software implementations restricted-space environments hardware implementations encryption vs. decryption key agility other versatility and flexibility instruction-level parallelism intellectual property issues

AES Finalists Twofish (Bruce Schneier, John Kelsey et al.) MARS (IBM) RC6 (RSA Laboratories) Rijndael (Joan Daemen and Vincent Rijmen) Serpent (Ross Anderson, Eli Biham and Lars Knudsen)

And the Winner NIST announced on October 2, 2000: Rijndael will be the AES Draft standard to be published in November; final standard expected in April-June 2001

About Rijndael Design based on byte substitutions and permutations Adequate security margin with significant analysis during AES evaluation though some criticism of mathematical structure Consistently good performance across a wide range of environments Royalty-free for all purposes Pronunciation: Rain Doll or Rhine Dahl

What about the Other Finalists? NIST prefers Rijndael s security, efficiency and other attributes, taken together, but other finalists have their own advantages NIST s remarks: Each of the finalist algorithms appears to offer adequate security, and each offers a considerable number of advantages. Any of the finalists could serve admirably as the AES. However, each algorithm has one or more areas where is does not fare quite as well as some other algorithm; none of the finalists is outstandingly superior to the rest. (NIST Report, p. 91)

Dominant Design As security has become more widely deployed in recent years, a dominant design has emerged that governs mainstream implementation [Abernathy & Utterback, Technol. Rev., 1978] This dominant design is a challenge in moving toward stronger or more efficient cryptographic techniques until the next design emerges

Why It s a Challenge For interoperability, many elements must typically be updated together to support a new technique: applications services (e.g., certificate authorities) protocol standards Changes that affect only one element are often an easier investment e.g., local performance improvements Multi-element changes must therefore be relatively simple

Some Dominant Security Choices X.509 v3 certificates SSL protocol PKCS #1 v1.5 RSA, DES, RC4, SHA-1 algorithms All have become embedded in today s security infrastructure, and improvements must fit

Toward New Algorithms Despite the challenges, new techniques are needed DES key size, block size are too short PKCS #1 v1.5 RSA, though adequate in practice, lacks provable security SHA-1 hash size may not be enough Other hard problems besides integer factorization should be considered

How Hard to Update? Introducing AES is (relatively) simple: just the underlying block cipher though larger block size may add some complexity RSA-OAEP, RSA-PSS are also simple: just how a hash value is processed, not the keys deliberate design feature of standard RSA-PSS SHA-2 is simple ECC is more complex: keys, processing, possibly protocols (e.g., for EC key agreement) less constrained environments are easier targets

Towards the Next Design Wireless security may provide a next design lightweight certificates, WTLS, ECC, etc., optimized for constrained environment But even WAP and IETF protocols are converging, and it s not clear yet how next wireless will be in terms of security design New functionality is perhaps a better catalyst for new design e.g., multi-party secure computation, vs. signatures & encryption

US-Based Crypto Standards Efforts ASC X9.F.1 (Financial Services Industry) X9.30,.31,.62: Digital signatures X9.42,.44,.63: Key establishment three families: discrete log, factoring (RSA), ECC NIST (US Federal Government) FIPS 186-2: Digital signatures via three families AES SHA-2 key management FIPS Significant US company involvement in worldwide standards efforts, e.g., IEEE P1363, IETF, ISO/IEC, WAP

Thoughts on Key Size Operations vs. cost Key size comparisons A quiz question

Operations vs. Cost The security of a algorithm is often considered in terms of the number of operations to break it Other elements must also be considered Memory cost is a significant factor Availability of general-purpose workstations vs. development of custom machines, can affect analysis as well

Key Size Comparisons Various efforts to compare key sizes: Certicom Research cryptosavvy.com IEEE 1363 RSA Laboratories (see Bulletin #13) Comparison of key sizes depends significantly on assumptions and what is compared Moreover, at very large sizes, comparison is theoretical only: if cost were invested in research, situation could change dramatically

Example Key Size Equivalences (for purposes of discussion ) Symmetric ECC RSA (cost) RSA (operations) 80 161 760 1024 96 192 1020 ~1500 112 225 ~1500 2048 128 257 2060 3072

A Quiz Question An asymmetric key size for use with a 128-bit AES key should a) take 2 128 operations to break b) cost the same to break as 128-bit AES c) provide the security level an application needs

Conclusions Dominant design is a challenge for supporting new techniques When better techniques are needed, changes should be simple or part of a new design In the long term, new functionality is a catalyst Key size comparison is a challenge as well AES winner: Rijndael

For More Information Burt Kaliski RSA Laboratories bkaliski@rsasecurity.com www.rsasecurity.com/rsalabs AES Web page: www.nist.gov/aes

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback