Source: ece.gmu.edu/coursewebpages/ECE/ECE646/F14/viewgraphs_F14/ECE6…


ECE 646 Lecture 12

Cryptographic Standards

Secret-key cryptography standards

Federal standards (NIST):
  FIPS 46-1 DES
  FIPS 46-2 DES
  FIPS 81 Modes of operation
  FIPS 46-3 Triple DES
  FIPS 197 AES

Banking standards (ANSI):
  X3.92 DES
  X3.106 DES modes of operation
  X9.52 Modes of operation of Triple DES

International standards (ISO):
  ISO 10116 Modes of operation of an n-bit cipher
  ISO/IEC 18033-3 – AES, Camellia, SEED, TDEA, MISTY1, CAST-128, MUGI, SNOW

NIST FIPS

NIST – National Institute of Standards and Technology
FIPS – Federal Information Processing Standards

American federal standards, required in government institutions.

Original algorithms developed in cooperation with the National Security Agency (NSA),
and algorithms developed in open research, adapted and approved by NIST.

Public-Key Cryptography Standards

  Body       Standard   Type
  IEEE       P1363      industry standards
  ANSI       ANSI X9    bank standards
  NIST       FIPS       federal standards
  ISO        ISO        international standards
  RSA Labs   PKCS       unofficial industry standards

PKCS – Public-Key Cryptography Standards

Informal industry standards developed by RSA Laboratories in cooperation with
Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell, Sun.

The first formal specification of RSA and of its message formats (PGP excepted).

IEEE P1363

Working group of IEEE including representatives of major cryptographic companies
and university centers from the USA, Canada and other countries.

Part of the Microprocessors Standards Committee.

Quarterly meetings + multiple teleconferences + discussion list + very informative web page
with the draft versions of the standards.

Modern, open style.

IEEE P1363 (continued)

Combined standard covering the majority of modern public-key cryptography.

Several algorithms for implementing the same function.

Tool for constructing other, more specific standards:
specific applications or implementations may define a profile (subset) of the standard.

ANSI X9 – American National Standards Institute

Work in the subcommittee X9F, developing standards for financial institutions.

ANSI represents the U.S.A. in ISO.

Standards for wholesale (e.g., interbank) and retail transactions (e.g., bank machines, smart card readers).

ISO – International Organization for Standardization

International standards.

Common standards with IEC – International Electrotechnical Commission.

ISO/IEC JTC1 SC 27 – Joint Technical Committee 1, Subcommittee 27.

Full members:
Australia, Belgium, Brazil, Canada, China, Denmark, Finland, France, Germany, Italy, Japan, Korea, Holland, Norway, Poland, Russia, Spain, Sweden, Switzerland, UK, USA

Long and laborious process of standard development:
  Study period → NP – New Proposal → WD – Working Draft → CD – Committee Draft → DIS – Draft International Standard → IS – International Standard

Minimum 3 years.

Review of the standard after 5 years: ratification, corrections, or revocation.


IEEE P1363-2000

                  Factorization                           Discrete logarithm        Elliptic curve discrete logarithm
  encryption      RSA with OAEP                           –                         –
  signature       RSA & R-W with ISO-14888 or ISO 9796    DSA, NR with ISO 9796     EC-DSA, EC-NR with ISO 9796
  key agreement   –                                       DH1, DH2 and MQV          EC-DH1, EC-DH2 and EC-MQV

IEEE P1363a-2004

                  Factorization                           Discrete logarithm        Elliptic curve discrete logarithm
  encryption      RSA with OAEP                           new scheme                new scheme
  signature       RSA & R-W with ISO-14888 or ISO 9796    DSA, NR with ISO-9796     EC-DSA, EC-NR with ISO 9796
  key agreement   –                                       DH1, DH2 & MQV            EC-DH1, EC-DH2 & EC-MQV

Cells marked "new scheme" are additions relative to P1363-2000; the slide also lists a third new scheme next to the key agreement row.

ANSI X9 Standards

                  Factorization            Discrete logarithm        Elliptic curve discrete logarithm
  encryption      X9.44 RSA                –                         –
  signature       X9.31 (RSA & R-W)        X9.30 DSA                 X9.62 EC-DSA
  key agreement   –                        X9.42 DH1, DH2, MQV       X9.63 EC-DH1, EC-DH2, EC-MQV

Industry standards – PKCS

                  Factorization            Discrete logarithm        Elliptic curve discrete logarithm
  encryption      PKCS #1 RSA              –                         PKCS #13 new scheme
  signature       PKCS #1 (RSA & R-W)      –                         PKCS #13 EC-DSA
  key agreement   –                        PKCS #2 DH                PKCS #13 EC-DH1, EC-DH2, EC-MQV

NIST – FIPS

                  Factorization            Discrete logarithm        Elliptic curve discrete logarithm
  encryption      –                        –                         –
  signature       FIPS 186-4 RSA           FIPS 186-4 DSA            FIPS 186-4 EC-DSA
  key agreement   –                        –                         –

International standards – ISO

                  Factorization            Discrete logarithm        Elliptic curve discrete logarithm
  encryption      –                        –                         –
  signature       ISO 14888-2, ISO 9796-2  ISO 14888-3, ISO 9796-3   ISO 14888-3, ISO 9796-3
  key agreement   –                        ISO 11770-3               ISO 11770-3

Cryptographic Standard Contests

  Contest    Period                Candidates → winners
  AES        IX.1997 – X.2000      15 block ciphers → 1 winner
  NESSIE     I.2000 – XII.2002
  CRYPTREC
  eSTREAM    XI.2004 – V.2008      34 stream ciphers → 4 HW winners + 4 SW winners
  SHA-3      XI.2007 – X.2012      51 hash functions → 1 winner
  CAESAR     IV.2013 – XII.2017    57 authenticated ciphers → multiple winners

Why a Contest for a Cryptographic Standard?

  • Avoid back-door theories
  • Speed up the acceptance of the standard
  • Stimulate non-classified research on methods of designing a specific cryptographic transformation
  • Focus the effort of a relatively small cryptographic community

Cryptographic Contests – Evaluation Criteria

  Security
  Software efficiency: µProcessors, µControllers
  Hardware efficiency: ASICs, FPGAs
  Simplicity
  Flexibility
  Licensing

Specific Challenges of Evaluations in Cryptographic Contests

  • Very wide range of possible applications, and as a result of performance and cost targets:
      speed: tens of Mbits/s to hundreds of Gbits/s
      cost: single cents to thousands of dollars
  • Winner in use for the next 20-30 years, implemented using technologies not in existence today
  • Large number of candidates
  • Limited time for evaluation
  • The results are final

Mitigating Circumstances

  • Performance of competing algorithms tends to vary significantly (sometimes by as much as 500 times)
  • Only relatively large differences in performance matter (typically at least 20%)
  • Multiple groups independently implement the same algorithms (catching mistakes, comparing best results, etc.)
  • Second best may be good enough

AES Contest
1997-2000

Rules of the Contest

Each team submits:
  • Detailed cipher specification
  • Justification of design decisions
  • Tentative results of cryptanalysis
  • Source code in C
  • Source code in Java
  • Test vectors

AES: Candidate Algorithms

  USA: Mars, RC6, Twofish, Safer+, HPC
  Canada: CAST-256, Deal
  Costa Rica: Frog
  Australia: LOKI97
  Japan: E2
  Korea: Crypton
  Belgium: Rijndael
  France: DFC
  Germany: Magenta
  Israel, UK, Norway: Serpent

AES Contest Timeline

  June 1998: 15 candidates – CAST-256, Crypton, Deal, DFC, E2, Frog, HPC, LOKI97, Magenta, Mars, RC6, Rijndael, Safer+, Serpent, Twofish
  Round 1 (criteria: security, software efficiency)
  August 1999: 5 final candidates – Mars, RC6, Twofish (USA); Rijndael, Serpent (Europe)
  Round 2 (criteria: security, software efficiency, hardware efficiency)
  October 2000: 1 winner – Rijndael (Belgium)

[Figure: NIST Report: Security & Simplicity. Axes: Security (adequate to high) vs. Simplicity (simple to complex); points plotted for MARS, Rijndael, Serpent, Twofish and RC6.]

NIST Report: Software Efficiency – Encryption and Decryption Speed

[Figure: Efficiency in software on the NIST-specified platform (200 MHz Pentium Pro, Borland C++); throughput [Mbit/s] for 128-bit, 192-bit and 256-bit keys, ciphers Serpent, Rijndael, Twofish, RC6, Mars; y-axis 0 to 30 Mbit/s.]

Software efficiency by platform, ranked from high to low:
  32-bit processors: RC6; Rijndael, Mars; Twofish; Serpent
  64-bit processors: Rijndael, Twofish; Mars, RC6; Serpent
  DSPs:              Rijndael, Twofish; Mars, RC6; Serpent

Efficiency in FPGAs: Speed

[Figure: Throughput [Mbit/s] on Xilinx Virtex XCV-1000; results from Worcester Polytechnic Institute, University of Southern California and George Mason University for Serpent x8, Rijndael, Twofish, RC6, Mars and Serpent x1; reported values range from 61 to 444 Mbit/s.]

Efficiency in ASICs: Speed

Throughput [Mbit/s], MOSIS 0.5µm, NSA Group; two series per cipher, corresponding to the two key-scheduling variants shown (3-in-1 (128, 192, 256 bit) key scheduling; 128-bit key scheduling):
  Rijndael     606 / 443
  Twofish      202 / 202
  RC6          105 / 105
  Mars         103 / 104
  Serpent x1    57 /  57

Lessons Learned

Results for ASICs matched the results for FPGAs very well, and both were very different from the software results.
(FPGA: GMU+USC, Xilinx Virtex XCV-1000; ASIC: NSA Team, 0.5µm MOSIS)

Serpent: fastest in hardware, slowest in software.

Hardware results matter!

[Figure: Speed in FPGAs (GMU results) vs. votes at the AES 3 conference, final round of the AES Contest, 2000.]

SHA-3 Contest
2007-2012

NIST SHA-3 Contest – Timeline

  Oct. 2008: 51 candidates
  Round 1
  July 2009: 14 candidates
  Round 2
  Dec. 2010: 5 candidates
  Round 3
  Oct. 2012: 1 winner

SHA-3 Round 2

Performance Metrics

  Primary:
    1. Throughput
    2. Area
    3. Throughput / Area
  Secondary:
    4. Hash time for short messages (up to 1000 bits)

[Figure: Overall normalized throughput, 256-bit variants of the algorithms, normalized to SHA-256 and averaged over 10 FPGA families. Candidates: BLAKE, BMW, CubeHash, ECHO, Fugue, Groestl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein. Normalized values, sorted: 7.47, 7.21, 5.40, 3.83, 3.46, 2.98, 2.21, 1.82, 1.74, 1.70, 1.69, 1.66, 1.51, 0.98.]

[Figure: Throughput/Area, Throughput, Area and short-message results for the 256-bit and 512-bit variants.]

SHA-3 Round 3

SHA-3 Contest Finalists

Benchmarking of the SHA-3 Finalists by CERG GMU

  • 6 algorithms (BLAKE, Groestl, JH, Keccak, Skein, SHA-2)
  • 2 variants (with a 256-bit and a 512-bit output)
  • 7 to 12 different architectures per algorithm
  • 4 modern FPGA families (Virtex 5, Virtex 6, Stratix III, Stratix IV)

Total: ~120 designs, 600+ results

BLAKE-256 in Virtex 5

Architecture notation:
  x1       – basic iterative architecture
  xk       – unrolling by a factor of k
  xk-PPLn  – unrolling by a factor of k with n pipeline stages
  /k(h)    – horizontal folding by a factor of k
  /k(v)    – vertical folding by a factor of k

[Figures: 256-bit variants in Virtex 5; 512-bit variants in Virtex 5; 256-bit variants in 4 high-performance FPGA families; 512-bit variants in 4 high-performance FPGA families.]

SHA-3 in ASICs

GMU/ETH Zurich ASIC
  • standard-cell CMOS 65nm UMC ASIC process
  • 256-bit variants of algorithms
  • taped out in Oct. 2011, successfully tested in Feb. 2012

[Figures: Correlation between ASIC results and Stratix III FPGA results.]

CAESAR Contest
2013-2017

Authenticated Ciphers

  Alice:        Message, IV, K_AB → Authenticated Cipher → Ciphertext, Tag, IV
  Transmitted:  Ciphertext, Tag, IV
  Bob:          Ciphertext, Tag, IV, K_AB → Authenticated Cipher → Message, valid

  K_AB – secret key of Alice and Bob; IV – Initialization Vector

Authenticated Ciphers with Associated Data

  Alice:        Message, AD, IV, K_AB → Authenticated Cipher → Ciphertext, Tag, AD, IV
  Transmitted:  Ciphertext, Tag, AD, IV
  Bob:          Ciphertext, Tag, AD, IV, K_AB → Authenticated Cipher → Message, valid

  K_AB – secret key of Alice and Bob; IV – Initialization Vector; AD – Associated Data

Contest Timeline

  • 2014.03.15: Deadline for first-round submissions
  • 2014.04.15: Deadline for first-round software
  • 2015.01.15: Announcement of second-round candidates
  • 2015.04.15: Deadline for second-round Verilog/VHDL
  • 2015.12.15: Announcement of third-round candidates
  • 2016.12.15: Announcement of finalists
  • 2017.12.15: Announcement of final portfolio

Notes for users of cryptographic products (1)

Agreement with a standard does not guarantee the security of a cryptographic product!

  Security =
    • secure algorithms (guaranteed by standards)
    • proper choice of parameters
    • secure implementation
    • proper use

Agreement with the same standard does not guarantee the compatibility of two cryptographic products!

  Compatibility =
    • the same algorithm (guaranteed by standards)
    • the same protocol
    • the same subset of algorithms
    • the same range of parameters
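The authenticated-cipher-with-associated-data exchange drawn on the CAESAR slides, and the point made in the notes above that a standard algorithm still needs proper parameters and proper use, are illustrated by the following Go program. It is an added example, not code from the lecture slides or from any contest submission. It uses the Go standard library's AES-GCM as the authenticated cipher; the key value standing in for K_AB, the message, the associated data and the ivTracker helper are all constructed for this demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed 16-byte key standing in for K_AB (AES-128). A real deployment
// would derive it from one of the key-agreement schemes the slides list.
var keyAB = []byte("example-key-K_AB") // 16 bytes, constructed sample value

// ivTracker enforces the "proper use" rule that an IV is never reused
// under the same key: GCM loses its security guarantees on IV reuse.
type ivTracker struct{ seen map[string]bool }

func newIVTracker() *ivTracker { return &ivTracker{seen: map[string]bool{}} }

// reserve returns an error if iv was already used with this key.
func (t *ivTracker) reserve(iv []byte) error {
	if t.seen[string(iv)] {
		return errors.New("IV already used under this key; refusing to encrypt")
	}
	t.seen[string(iv)] = true
	return nil
}

// newGCM builds the authenticated cipher (AES-GCM) for the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is Alice's side: (Message, AD, IV, K_AB) -> Ciphertext || Tag.
// Go's GCM appends the 16-byte tag to the ciphertext.
func seal(key, iv, ad, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Parameter check: standard GCM uses a 96-bit IV. A peer using another
	// IV length runs "the same algorithm" yet is not interoperable.
	if len(iv) != aead.NonceSize() {
		return nil, fmt.Errorf("IV must be %d bytes, got %d", aead.NonceSize(), len(iv))
	}
	return aead.Seal(nil, iv, msg, ad), nil
}

// open is Bob's side: (Ciphertext || Tag, AD, IV, K_AB) -> (Message, valid).
// Any change to the ciphertext, tag, AD or IV makes the tag check fail.
func open(key, iv, ad, ctAndTag []byte) ([]byte, bool) {
	aead, err := newGCM(key)
	if err != nil || len(iv) != aead.NonceSize() {
		return nil, false
	}
	msg, err := aead.Open(nil, iv, ctAndTag, ad)
	if err != nil {
		return nil, false
	}
	return msg, true
}

// exchange runs one Alice -> Bob transfer and reports whether Bob accepts the
// genuine message and correctly rejects three tampered copies of it.
func exchange() (genuineOK, ctRejected, adRejected, tagRejected bool, err error) {
	msg := []byte("transfer 100 EUR to account 42") // constructed sample message
	ad := []byte("hdr:v1;from=alice;to=bob")        // constructed sample associated data
	iv := make([]byte, 12)
	if _, err = rand.Read(iv); err != nil {
		return
	}
	ct, err := seal(keyAB, iv, ad, msg)
	if err != nil {
		return
	}
	got, valid := open(keyAB, iv, ad, ct)
	genuineOK = valid && string(got) == string(msg)

	flip := func(b []byte, i int) []byte { // copy b and flip one bit at index i
		c := append([]byte(nil), b...)
		c[i] ^= 0x01
		return c
	}
	_, v1 := open(keyAB, iv, ad, flip(ct, 0))         // ciphertext bit flipped
	_, v2 := open(keyAB, iv, flip(ad, 0), ct)         // associated data changed
	_, v3 := open(keyAB, iv, ad, flip(ct, len(ct)-1)) // tag bit flipped
	return genuineOK, !v1, !v2, !v3, nil
}

func main() {
	ok, c, a, t, err := exchange()
	fmt.Println("genuine accepted:", ok, "| tampered ciphertext/AD/tag rejected:", c, a, t, "| err:", err)

	tr := newIVTracker()
	iv := make([]byte, 12) // fixed IV, constructed for the demonstration
	fmt.Println("first use of IV: ", tr.reserve(iv))
	fmt.Println("second use of IV:", tr.reserve(iv))
}
```

The AD is authenticated but transmitted in the clear, exactly as the second diagram shows: Bob's "valid" output covers the ciphertext, the tag, the IV and the AD together, so a header altered in transit is rejected even though it was never encrypted. The IV-length check and the ivTracker map onto the notes slide: two products can both implement the standard AES-GCM and still fail to interoperate if they disagree on the IV size, and a correct implementation is still insecure if the same IV is reused under one key.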

Notes for users of cryptographic products (2)