lightweight symmetric crypto on a full circle from
play

Lightweight Symmetric Crypto on a Full Circle: From Industry to - PowerPoint PPT Presentation

Feb 16, 2023 •13 likes •523 views

Lightweight Symmetric Crypto on a Full Circle: From Industry to Academia and Back Christian Rechberger TU Graz and DTU Security of modern IT Systems User Secure System Communication Protocol Cryptographic Primitive Security of modern IT

  1. Lightweight Symmetric Crypto on a Full Circle: From Industry to Academia and Back Christian Rechberger TU Graz and DTU

  2. Security of modern IT Systems User Secure System Communication Protocol Cryptographic Primitive

  3. Security of modern IT Systems User Secure System Communication Protocol Cryptographic Primitive

  4. Security of modern IT Systems User Secure System Communication Protocol Ciphers, Hash functions

  5. Security of modern IT Systems User Secure System Communication Protocol DES, MD5, AES, SHA-3

  6. An often quoted myth “Crypto algorithms are never the weakest link in a system”

  7. MD5 cryptanalysis • Widely used cryptographic hash function • Chosen-prefix differential collision attacks since 2007 • Rogue certificates • Malware “Flame”

  8. RC4 cryptanalysis • Widely used stream cipher • Practical attack on WEP • Attack on WPA/TKIP • Attack on TLS

  9. Mifare (classic) and attacks • Contactless chipcard, product line by market leader NXP – 2 billion cards sold, 25 million readers – Based on proprietary cipher/protocol “Crypto - 1” – Very resource constrained • Public reverse engineering in 2007, attacks since 2008 – Cloning of card in 10 seconds with 300 queries – Lots of bad press, direct financial impact not clear

  10. Keeloq attacks • Cipher design in 1985 • Sold to Microchip Technologies Inc. (10M$) • Widely used for car immobilizer and in garage doors • Badly broken since mid 2000s (KUL, RUB)

  11. Many more examples • Megamos Cipher (again car immobilizer) • DST cipher, attacks on payment and car immobilizer systems • Hitag2 • A5/1, A5/2 as used in GSM communication • DECT, GMR, …

  12. DES – the first lightweight cipher • First public block cipher • Designed in mid 70s by IBM • NSA intervened: key-space only 56 bits • From mid 90s: easy to break by brute-force

  13. Advanced Encryption Standard • Designed as „Rijndael“ in 1997 by Joan Daemen and Vincent Rijmen • Selected to be the AES in 2001 – Open, public competition – Participation from Academia, Industry – Successor of DES • Key sizes: 128, 192, and 256 bit

  14. Is AES a lightweight cipher? • Perhaps yes: It can be implemented with less gates than ciphers standardized by ISO in the lightweight category (ISO/IEC 29192-2:2012)

  15. Why was AES not used? • AES is only around since 2001 • AES is a general purpose cipher, very versatile within limits • Too slow, too large, in very constrained environments

  16. Does it matter for IoT? • Often used claim: “ IoT needs TCP/IP Protocol stack and hence low-end is not part of IoT ” • Counter-example: Full (HW+SW) IPSEC Implementation on RFID-Tag (50kGates) “ PIONEER — a Prototype for the Internet of Things based on an Extendable EPC Gen2 RFID Tag ” by TU Graz: Hannes Gross, Erich Wenger, Honorio Martın, and Michael Hutter

  17. Progress in academic research on lightweight crypto? What is wrong with the “lightweight” cryptography hype of recent years? Slide credit: Gregor Leander

  18. Progress in academic research on lightweight crypto? What is wrong with the “lightweight” cryptography hype of recent years? Slide credit: Gregor Leander

  19. Trade-offs in Cryptography

  20. Trade-offs in Cryptography

  21. Trade-offs in Cryptography

  22. Low-latency designs Latency = #clock cycles * critical path length  Low-latency implies high-throughput  But high-throughput does not imply low- latency, because of  heavy use of pipelining  parallelization  Has good potential to also be “low - energy”

  23. What is a block cipher? Plain- “Ideal” if text 1) Knowledge of a set of plaintext/ciphertext pairs does not allow to deduce new plaintext/ciphertext pairs Key 2) Finding a key requires testing all keys Cipher -text

  24. Evolution of AES-128 security 128 96 Security 1997 64 2012 32 0 5 6 7 8 9 10

  25. Evolution of AES-192 security 192 160 128 Security 1997 96 2012 64 32 0 5 6 7 8 9 10 11 12

  26. Resembling an ideal cipher? • For a “lightweight” cipher, this is maybe too much to ask for? • Related-key attacks may not be relevant • High data-complexity attacks are not too important – How to formulate this in a security claim?

  27. PRINCE - A Low-latency Block Cipher for Pervasive Computing Applications by Julia Borghoff and Anne Canteaut and Lars R. Knudsen and Gregor Leander and Christan Rechberger and Soeren S. Thomsen (DTU) Elif Bilge Kavun and Tolga Yalcin and Tim Güneysu and Christof Paar (RUB) Miroslav Knezevic and Ventzi Nikov and Peter Rombouts (NXP)

  28. PRINCE: Overview • Claim is 126-n bit security for an adversary with access to 2 n input/output pairs • FX construction (similar to DES-X) k 1

  29. PRINCEcore

  30. PRINCEcore details • S-layer: 4-bit sbox • M-layer: only M' is an involution, M is SR o MR' • ki-add: master key is simply added as round key • RCi-add: constants have high HW but have special structure

  31. PRINCEcore details • S-layer: 4-bit sbox • M-layer: only M' is an involution, M is SR o MR' • ki-add: master key is simply added as round key • RCi-add: constants have high HW but have special structure

  33. PRINCEcore details • S-layer: 4-bit sbox • M-layer: only M' is an involution, M is SR o MR' • ki-add: master key is simply added as round key • RCi-add: constants have high HW but have special structure RC i +RC 11-i = c0ac29b7c97c50dd !!!

  34. Alpha-reflection property Since M' is involution, PRINCEcore k (x) = PRINCEcore -1 k+Alpha (x) Allows for very simple implementation of decryption

  35. Advantages of PRINCE • Decryption for free (=encryption with related key) • Alpha-reflection method better than choosing all components to be involutions: More choice for Sboxes  Less multiplexers needed  Generic reductionist proof possible • Small number of relatively simple rounds → low latency • Bounds against various classical attacks (wide-trail strategy) applicable, but still lightweight building blocks

  36. Latency comparison

  37. Area comparison

  38. Symmetric crypto research  real world (1/2) • Consolidating lots of research on s-boxes, linear layer construction, SPN designs… • Meets very tough constraints from industry

  39. Symmetric crypto research  real world (2/2) • We convinced NXP management to allow us to publish the design ideas + security analysis (AC 2012) – Lots of “free” external cryptanalysis already after 1 year, increases confidence. Even more now, 3 years later. • Both sides are happy: – Industry gets problems solved, plan for global deployment in a few years. – Researchers get interesting problems to work on – Inspires both theory and practice

  40. Selected cryptanalysis • Reflection Cryptanalysis of Prince-like ciphers, FSE 2013 and JoC • Security Analysis of Prince, FSE 2013 • Sieve-in-the-middle: Improve MITM Attacks, Crypto 2013 • Improved MITM Attacks on AES-192 and Prince • On the Security of the core of PRINCE against Biclique and Differential attacks • Multiple-differential attacks on Round-Reduced Prince, FSE 2014 • Multi-user collisions: Applications to Discrete Logs, Even-Mansour and Prince, Asiacrypt 2014 • Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE • … several more in 2014 and 2015 • Various side-channel and fault attack papers

  41. Early cryptanalysis • All those focus to achieve as many rounds as possible, even at the cost of getting very close to the D*T<2 126 bound. • How to change the incentives?

  42. Input from Industry • Care about cryptanalysis • Care about practical attacks • Was usually not very concrete The 15.000 EUR PRINCE cryptanalysis competition makes it more concrete

  43. The PRINCE Challenge Setting 1: Given at most 2 20 chosen plaintexts/ciphertexts • How fast can you break 4 rounds? • How fast can you break 6 rounds? • How fast can you break 8 rounds? • How fast can you break 10 rounds? • How fast can you break 12 rounds?

  44. The PRINCE Challenge Setting 2: Given at most 2 30 known plaintexts • How fast can you break 4 rounds? • How fast can you break 6 rounds? • How fast can you break 8 rounds? • How fast can you break 10 rounds? • How fast can you break 12 rounds?

  45. Prizes • Best result for … – 4-round challenges: Chocolate/Beer – 6-round challenges: Chocolate/Beer – 8-round challenges: Chocolate/Beer – 10-round challenges: Chocolate/Beer – 12-round challenges: more Chocolate/Beer • First attack with less than 2 64 time, 2 45 bytes memory on… – 8-rounds: 1.000 Euros – 10-round: 4.000 Euros – 12-round: 10.000 Euros

  46. Timeline Start in March 2014 Round 1 (August 2014) Round 2 (April 2015) Round 3 (April 2016)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1 Sbastien Duval 2 Gatan Leurent 1 Mara Naya-Plasencia 1 Lo Perrin 1 Thomas Pornin 3 Andr Schrottenloher 1 1 Inria, France 2 UCL Crypto Group,

750 views • 26 slides
Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world crypto and privacy Sibenik, Croatia - June 15 2018 Outline Symmetric lightweight primitives Most used cryptanalysis Impossible

1.31k views • 76 slides
Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013 Outline 1 1. Past results 2. Future challenges 1. Block ciphers 2 TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT,

844 views • 68 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
FULL CIRCLE SPIRITUAL CARE FULL CIRCLE SPIRITUAL CARE CENTURA CHAPLAINS Presenters for Today

FULL CIRCLE SPIRITUAL CARE FULL CIRCLE SPIRITUAL CARE CENTURA CHAPLAINS Presenters for Today

FULL CIRCLE SPIRITUAL CARE FULL CIRCLE SPIRITUAL CARE CENTURA CHAPLAINS Presenters for Today Sister Rita Cammack Vice President for Mission Integration St. Anthony Summit Medical Center, Centura Health Reverend Steve Gomes

642 views • 37 slides
Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert Staples STVM/CSD/NIST A perspective: cryptography evolves very fast to provide security in cyberspace Emerging crypto technologies - lightweight crypto

199 views • 17 slides
1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

2.03k views • 175 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work with Alex Biryukov November 18, 2017 Cryptacus Workshop Taken from a document writen originally in English. The programming of billions of processors

903 views • 75 slides
A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process with Smart Cards Roberto BARBERA (1)(2) , Vincenzo CIASCHINI (3) , Alberto FALZONE (4) , Giuseppe LA ROCCA (1)

456 views • 32 slides
1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client servers ciphertext C 0 public key S Internet Public-key crypto ciphertext C 0 servers same k secret key s server

916 views • 80 slides
Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI Kolkata November 18, 2018 Introduction Types of Circuits: Brief background. Block cipher circuits: Round based vs Serial. Eg: Working example

489 views • 44 slides
Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing

Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing

Lightweight Cryptography and Classification of AEAD Modes Nilanjan Datta Institute for Advancing Intelligence (IAI), TCG CREST International Crypto-Webniar 2020 Aug 30, 2020 N. Datta (IAI, TCG CREST) Lightweight Crypto and Classification of

1.62k views • 98 slides
Reawakening a Classic Prince of Persia Case Study Plan Anatomy of a 15 y.o. success

Reawakening a Classic Prince of Persia Case Study Plan Anatomy of a 15 y.o. success

Reawakening a Classic Prince of Persia Case Study Plan Anatomy of a 15 y.o. success brand attributes identification Challenges Keeping up the brand attributes Production challenges Backbone methodology

114 views • 8 slides
A CP Scheduler for High-Performance Computers Thomas Bridi, Michele Lombardi, Andrea Bartolini,

A CP Scheduler for High-Performance Computers Thomas Bridi, Michele Lombardi, Andrea Bartolini,

A CP Scheduler for High-Performance Computers Thomas Bridi, Michele Lombardi, Andrea Bartolini, Luca Benini, and Michela Milano Context Todays HPC machines have a cost that varies between 3M $ (Eurora HPC) and 390M $ (Tianhe-2 HPC)

1.08k views • 22 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
Welcome! #readyby21 Sharon Adams-Taylor Associate Executive Director, American Association of

Welcome! #readyby21 Sharon Adams-Taylor Associate Executive Director, American Association of

Welcome! #readyby21 Sharon Adams-Taylor Associate Executive Director, American Association of School Administrators #readyby21 Karen Pittman Co-Founder and President The Forum for Youth Investment #readyby21 Megan Witherspoon Manager,

349 views • 10 slides
Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT Austin), Ramakrishna Kotla, Cathy Marshall, Venugopalan Rama Ramasubramanian, Tom Rodeheffer, Doug Terry, Ted Wobber (Microsoft Research

1.34k views • 85 slides
Applications of Rule Mining in Knowledge Bases Luis Galrraga November 3 rd , 2014 PIKM,

Applications of Rule Mining in Knowledge Bases Luis Galrraga November 3 rd , 2014 PIKM,

Applications of Rule Mining in Knowledge Bases Luis Galrraga November 3 rd , 2014 PIKM, Shanghai 1 Knowledge Bases (KBs) Barack Obama hasChild born On hasChild Malia Aug 4, 1961 hasChild marriedTo hasChild Michelle Sasha 2 KBs in

652 views • 49 slides
Logic Programming Prolog as Language Temur Kutsia Research Institute for Symbolic Computation

Logic Programming Prolog as Language Temur Kutsia Research Institute for Symbolic Computation

Logic Programming Prolog as Language Temur Kutsia Research Institute for Symbolic Computation Johannes Kepler University Linz, Austria kutsia@risc.jku.at 1 / 30 Prolog as Language Syntax Operators Equality Arithmetic

402 views • 15 slides
A new window on primordial non-Gaussianity based on 1201.5375 with M. Zaldarriaga Enrico Pajer

A new window on primordial non-Gaussianity based on 1201.5375 with M. Zaldarriaga Enrico Pajer

A new window on primordial non-Gaussianity based on 1201.5375 with M. Zaldarriaga Enrico Pajer Princeton University 2.0 R k 2 10 9 1.5 CMB LSS 1.0 10 4 0.01 1 100 10 4 k Mpc Summary We know little about

187 views • 14 slides

More recommend