The eSTREAM Project, Matt Robshaw, Orange Labs, 11.06.07


The eSTREAM Project

Matt Robshaw Orange Labs

11.06.07

The eSTREAM Project – Matt Robshaw (2) Orange Labs

ECRYPT

An EU Framework VI Network of Excellence

  • > 5 M€ over 4.5 years
  • More than 30 European institutions (academic and industry)

ECRYPT activities are divided into Virtual Labs

Which in turn are divided into Working Groups

[Organisation chart: General Assembly, Project Coordinator, Executive Mgt Comm., Strategic Committee; AZTEC, PROVILAB, STVL, VAMPIRE, WAVILA; WG1, WG2, WG3, WG4; eSTREAM, SPEED]


Cryptography (Overview!)

Cryptographic algorithms often divided into two classes

Symmetric (secret-key) cryptography

  • Participants using secret-key cryptography share the same key material

Asymmetric (public-key) cryptography

  • Participants using public-key cryptography use different key material

Symmetric encryption can be divided into two classes

  • Block ciphers
  • Stream ciphers


Stream Ciphers

Stream encryption relies on the generation of a "random looking" keystream

Encryption itself uses bitwise exclusive-or

Stream encryption offers some interesting properties

  • They offer an attractive link with perfect secrecy (Shannon)
  • No data buffering required
  • Attractive error handling and propagation (for some applications)

How do we generate keystream?

keystream   0110100111000111001110000111101010101010101
plaintext   1110111011101110111011101110111011100000100
ciphertext  1000011100101001110101101001010001001010001


Stream Ciphers in a Nutshell

Stream ciphers employ an evolving state

We sample the state to derive keystream

[Diagram: INITIALIZE, then STATE, UPDATE, OUTPUT and ENCRYPT, shown for two successive steps]


Stream Ciphers: Synchronous

[Diagram: INITIALIZE, then STATE, UPDATE, OUTPUT and ENCRYPT, shown for two successive steps]


Stream Ciphers: Self-Synchronising

[Diagram: INITIALIZE, then STATE, UPDATE, OUTPUT and ENCRYPT, shown for two successive steps]
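
The practical difference between the synchronous and self-synchronising designs shows up in how channel errors propagate. The following is an added example, not part of the original slides: the HMAC-SHA256 output function, the SHA-256 state update, N = 4 and all names and sample values are assumptions chosen for illustration, and the construction is not an eSTREAM candidate.

```python
import hashlib
import hmac

N = 4  # assumed memory of the self-synchronising cipher, in ciphertext bytes

def out_byte(key, state):
    """OUTPUT: one keystream byte from the state (HMAC-SHA256 stand-in)."""
    return hmac.new(key, state, hashlib.sha256).digest()[0]

def sync_crypt(key, iv, data):
    """Synchronous: the state evolves on its own; decrypting is the same call."""
    state = hashlib.sha256(key + iv).digest()         # INITIALIZE
    res = bytearray()
    for b in data:
        res.append(b ^ out_byte(key, state))          # OUTPUT, ENCRYPT (XOR)
        state = hashlib.sha256(state).digest()        # UPDATE, data-independent
    return bytes(res)

def selfsync_crypt(key, iv, data, decrypt=False):
    """Self-synchronising: the state is the last N ciphertext bytes."""
    state = iv[:N]                                    # INITIALIZE (needs len(iv) >= N)
    res = bytearray()
    for b in data:
        o = b ^ out_byte(key, state)                  # OUTPUT, ENCRYPT (XOR)
        res.append(o)
        c = b if decrypt else o                       # ciphertext byte on the wire
        state = state[1:] + bytes([c])                # UPDATE from ciphertext
    return bytes(res)

def damaged(expected, got):
    """Indexes at which the receiver's plaintext differs from what was sent."""
    return [i for i, (a, b) in enumerate(zip(expected, got)) if a != b]

def channel_errors(pos=10):
    """Per design: damage after a 1-bit flip, and after a dropped byte, at pos."""
    key, iv = b"constructed key!", b"constructed iv.."  # constructed sample values
    pt = bytes(range(64))                                # constructed plaintext
    result = {}
    for name, crypt in (("sync", lambda d, dec: sync_crypt(key, iv, d)),
                        ("self-sync", lambda d, dec: selfsync_crypt(key, iv, d, dec))):
        ct = crypt(pt, False)
        flipped = ct[:pos] + bytes([ct[pos] ^ 1]) + ct[pos + 1:]
        dropped = ct[:pos] + ct[pos + 1:]
        result[name] = (damaged(pt, crypt(flipped, True)),
                        damaged(pt[:pos] + pt[pos + 1:], crypt(dropped, True)))
    return result

if __name__ == "__main__":
    print(channel_errors())
```

A flipped bit damages one byte under the synchronous design and at most N + 1 bytes under the self-synchronising one. A dropped byte desynchronises the synchronous receiver for the rest of the stream, while the self-synchronising receiver recovers after N bytes.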


Stream Ciphers: OFB Mode

[Diagram: INITIALIZE, IV, key, then STATE, AES, OUTPUT and ENCRYPT, shown for two successive steps]


Stream Ciphers: Counter Mode

[Diagram: INITIALIZE, IV, key, then STATE, COUNT, AES and ENCRYPT, shown for two successive steps]


Stream Ciphers: Dedicated

[Diagram: INITIALIZE, key, IV, then STATE, UPDATE, EXTRACT and ENCRYPT, shown for two successive steps]


Stream Ciphers (Past)

Dedicated stream ciphers have an illustrious history

Dedicated stream ciphers have the reputation of being faster and more compact than block ciphers

Can (at times) be effectively analysed

  • LFSR-based stream ciphers have had a strong theoretical analytic framework since the 1950's

However, dedicated stream ciphers don't always have the best security reputation


Stream Ciphers (Present)

Dedicated stream ciphers are widely used

GSM, TLS + some hiccups, e.g. 802.11

The issue is not "do we need stream ciphers" but "do we need stream ciphers of dedicated design"?

There are very few established dedicated stream ciphers

  • RC4, SNOW 2.0
  • Attempts to change this haven't been successful; e.g. NESSIE


SASC 2004

eSTREAM was launched with a workshop in October 2004 in Brugge

A variety of stream cipher proposals and industry position papers were presented

  • From this the scope of eSTREAM was established
  • Call for Proposals was devised


What is eSTREAM?

eSTREAM is a collaborative research effort

We (in ECRYPT) manage the eSTREAM process

We do not analyze or assess candidates

Our focus is the research community

eSTREAM is not a standardization body

However, the results of eSTREAM might be taken up by standardisation bodies or industry


eSTREAM Timeline

[Timeline figure, axis marks 01/05, 01/06, 01/07, 01/08. Labels: SASC (2004), CfP, Phase 1, Phase 2, Phase 3, SKEW (2005), SASC (2006), SASC (2007). Dates marked: 10/04, 04/05, 03/06, 03/07, 05/08]


Submission Requirements

Very modest submission requirements

Proposals had to be received by April 30, 2005

Submissions had to be either fast in software or resource-friendly in hardware

Designers required to give an IP statement

            key    IV           tag (optional)
Profile 1   128    64 or 128    32, 64, 96, or 128
Profile 2   80     32 or 64     32 or 64


The eSTREAM Submissions

There were 34 submissions

  • 32 synchronous and 2 self-synchronising
  • 7 submissions offered encryption + authentication

74% submissions from outside ECRYPT

[Chart: 57% Europe, 16% Asia, 14% N. America, 13% Oceania]

[Diagram: SW and HW, with counts 10, 12, 12]


The eSTREAM Submissions

Column headings: PROFILE II, PROFILE I+II, PROFILE I

ZK-Crypt, Yamb, WG, TRBDK3 YAEA, VEST, SSS, SOSEMANUK, TSC-3, Rabbit, Salsa20, Trivium, POMARANCH, Py, SFINKS, Polar Bear, Mir-1, MOSQUITO, Phelix, HC-256, MICKEY (128), NLS, FROGBIT, Grain, MAG, DRAGON, Edon-80, LEX, DICING, DECIM, Hermes8, CryptMT, Achterbahn, F-FCSR, ABC


Phase 1 Cryptanalysis

Column headings: PROFILE II, PROFILE I+II, PROFILE I

ZK-Crypt, Yamb, WG, TRBDK3 YAEA, VEST, SSS, SOSEMANUK, TSC-3, Rabbit, Salsa20, Trivium, POMARANCH, Py, SFINKS, Polar Bear, Mir-1, MOSQUITO, Phelix, HC-256, MICKEY (128), NLS, FROGBIT, Grain, MAG, DRAGON, Edon-80, LEX, DICING, DECIM, Hermes8, CryptMT, Achterbahn, F-FCSR, ABC


Phase 1 Lessons

#1: The half-life of new stream ciphers is one year

#2: Self-synchronizing stream ciphers are hard to design


For Phase 2 – Trying Something New

Tweaking

  • The goal was to get better algorithms for the later stages
  • The AES process allowed (minor) tweaks for the finalists but we allowed all designers (even those of broken designs) to tweak
  • An administrative nightmare

Focus ciphers

  • We were very conscious of the limited time - we hoped to guide the direction of some cryptanalytic attention
  • Trying to avoid the LHF problem (low hanging fruit)


Software


Phase 1 Submissions (SW)

Column headings: PROFILE I+II, PROFILE I

Yamb, TRBDK3 YAEA, SSS, SOSEMANUK, Rabbit, Salsa20, POMARANCH, Py, Polar Bear, Mir-1, Phelix, HC-256, NLS, FROGBIT, MAG, DRAGON, LEX, DICING, Hermes8, CryptMT, F-FCSR, ABC


Phase 2 Submissions (SW)

Column headings: Archived, Phase 2 Focus, Phase 2; counts: (10) (6) (7)

Yamb, TRBDK3 YAEA, SSS, POMARANCH, SOSEMANUK, Mir-1, Rabbit, Salsa20, MAG, Polar Bear, Py, Hermes8, NLS, Phelix, Fubuki, DICING, LEX, FROGBIT, CryptMT, HC-256, F-FCSR, ABC, DRAGON


Hardware


Phase 1 Submissions (HW)

Column headings: PROFILE II, PROFILE I+II

ZK-Crypt, Yamb, WG, TRBDK3 YAEA, VEST, SSS, TSC-3, Rabbit, Trivium, POMARANCH, SFINKS, Polar Bear, MOSQUITO, Phelix, MICKEY (128), NLS, Grain, MAG, Edon-80, LEX, DECIM, Hermes8, Achterbahn, F-FCSR


Phase 2 Submissions (HW)

Column headings: Archived, Phase 2, Phase 2 Focus; counts: (5) (17) (4)

ZK-Crypt, MICKEY, SSS, Edon-80, Phelix, MOUSTIQUE, TSC-4, Salsa20, WG, VEST, Rabbit, POMARANCH, Polar Bear, NLS, LEX, Yamb, Hermes8, TRBDK3 YAEA, F-FCSR, Trivium, SFINKS, DECIM, MICKEY-128, MAG, Achterbahn, Grain


Phase 2 Lessons

Tweaking helped!

At the start of Phase 2, the SW profile contained 13 ciphers

  • Cryptanalysis results were announced against 3

At the start of Phase 2, the HW profile contained 21 ciphers

  • Cryptanalysis results were announced against 4

"Focus" ciphers didn't make much difference

There is rarely a consistent view on "distinguishing" attacks


Moving into Phase 3

The decision depended on many issues including …

  • Security
  • Performance in comparison to the AES
  • Performance in comparison to other submissions
  • Simplicity

IP didn't have any role in the decision

For hardware, the complicated implementation trade-offs led us to make a first cut on size


Software


Phase 3 Submissions (SW)

Column headings: Archived, Archived Phase 2, Phase 3; counts: (10) (5) (8)

Yamb, TRBDK3 YAEA, SSS, SOSEMANUK, POMARANCH, Salsa20, Mir-1, Rabbit, MAG, Py, NLS v2, Hermes8, Polar Bear, LEX v2, Fubuki, Phelix, HC-128, FROGBIT, DICING, DRAGON, F-FCSR, ABC, CryptMT v3


Hardware


Phase 3 Submissions (HW)

Column headings: Archived, Archived Phase 2, Phase 3; counts: (5) (12) (8)

Salsa20, Trivium, ZK-Crypt, WG, VEST, TSC-4, Rabbit, POMARANCH v3, Polar Bear, MOUSTIQUE, Yamb, Phelix, MICKEY v2, TRBDK3 YAEA, NLS, Grain v1, SSS, LEX, F-FCSR-H v2, SFINKS, Hermes8, Edon-80, MAG, Achterbahn, DECIM v2


Phase 3 and the Final Stages

As with the AES, there will probably be a concentration on performance

  • Good for the attendees of SPEED
  • Hardware results will be the hardest to come by

But we also really need cryptanalytic results!


The Committee

  • Matt Robshaw (FTRD)
  • Vincent Rijmen (IAIK)
  • Bart Preneel (KUL)
  • Christof Paar (RUB)
  • Matthew Parker (UiB)
  • Hongjun Wu (KUL)
  • Thomas Johansson (LUND)
  • Henri Gilbert (FTRD)
  • Christophe de Cannière (KUL)
  • Carlos Cid (RHUL)
  • Anne Canteaut (INRIA)
  • Steve Babbage (VOD)


eSTREAM Timeline

[Timeline figure, axis marks 01/05, 01/06, 01/07, 01/08. Labels: SASC (2004), CfP, Phase 1, Phase 2, Phase 3, SKEW (2005), SASC (2006), SASC (2007), SASC (2008). Dates marked: 10/04, 04/05, 03/06, 03/07, 05/08]


Profile I Results (Phase 3)

Example of some performance data

  • e.g. Intel Pentium M (1700MHz)

                 STREAM   IMIX    1500 bytes
RC4              7.58     45.71   16.30
AES (counter)    15.96    16.62   16.10
DRAGON           11.74    27.99   23.71
SNOW v2          4.75     6.88    5.28
LEX              9.41     11.07
SOSEMANUK        4.68     10.07
Rabbit           6.25     7.50
NLS v2           5.99     9.17
CryptMT v3.0     4.87     9.84
Salsa20          11.71    13.20
HC-128           3.07     79.80

1500 bytes (values not attached to a row): 6.41 6.19 9.09 7.63 9.90 12.22 20.54
576 bytes (values not attached to a row): 5.80 6.83 7.74 9.00 8.99 10.73 11.91 16.19 25.76 30.01 48.24
40 bytes (values not attached to a row): 23.34 18.85 36.87 20.75 32.00 20.07 29.01 22.90 69.24 332.52 656.89

Salsa12, Salsa 8


Profile I Results (Phase 3)

Example of some performance data

  • e.g. Intel Pentium M (1700MHz)

                 STREAM   IMIX    1500 bytes
DRAGON           11.74    27.99   23.71
LEX              9.41     11.07   9.90
Salsa20          11.71    13.20   12.22
HC-128           3.07     79.80   20.54
Rabbit           6.25     7.50
NLS v2           5.99     9.17
SOSEMANUK        4.68     10.07
SNOW v2          4.75     6.88
CryptMT v3.0     4.87     9.84
RC4              7.58     45.71
AES (counter)    15.96    16.62

1500 bytes (values not attached to a row): 7.63 5.28 9.09 6.19 6.41 16.30 16.10
576 bytes (values not attached to a row): 48.24 8.99 5.80 9.00 7.74 6.83 30.01 10.73 11.91 25.76 16.19
40 bytes (values not attached to a row): 656.89 32.00 23.34 20.75 36.87 18.85 332.52 20.07 29.01 69.24 22.90

Salsa12, Salsa 8


Profile II Results (Phase 3)

Potential to be more compact than the AES

  • Ignores issues such as relative security levels and different speed optimisations
  • Some sample area results are given below, there may be smaller implementations while * denotes a crude estimate

Much more detail expected to become apparent in the final phase

F-FCSR-H         3200 *
Grain v1         1300
Trivium          1500
POMARANCH v3     3300 *
MICKEY v2        3400
Edon-80          2900
DECIM v2         3000 *

AES              3600
RC4              ≈12000
SNOW 2.0         7000


Results of Good and Benaissa

[Figure: ASIC results for 100kHz clock. Axes: Power-Latency product, nJ; Area, Equiv. NAND gates. Designs shown: grain, grainX8, grainX16, trivium, triviumX8, triviumX64, F-FCSR-H, grain128, grain128X32, Mickey128, phelixHR, phelixFR, Sosemanuk, salsa20h1, salsa20h4, salsa20h16, salsa20h32, grain128X4, grain128X8, grain128X16, grainX4, triviumX4, triviumX16, triviumX32]


Stream Ciphers – Alive or Dead?

Still too early to say … but there is considerable interest!

                                 2005       2006      2007 (to 03/07)
SASC Attendance                  88         95        103
Web activity (unique visitors)   25,555     43,702    11,975
Web activity (page loads)        79,112     127,141   33,092
Discussion posts                 293        290       83
Papers on-line                   50 (+35)   60        37


Conclusions

eSTREAM has generated some new and provocative designs

Signs are good for an interesting final portfolio!

In terms of a research effort, real and lasting results have been gained

Please feel free to contribute to eSTREAM!

http://www.ecrypt.eu.org/stream/