the state of the art in symmetric lightweight cryptography
play

The State of the Art in Symmetric Lightweight Cryptography Lo - PowerPoint PPT Presentation

Aug 25, 2022 •142 likes •903 views

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work with Alex Biryukov November 18, 2017 Cryptacus Workshop Taken from a document writen originally in English. The programming of billions of processors

  1. The State of the Art in Symmetric Lightweight Cryptography Léo Perrin Based on a joint work with Alex Biryukov November 18, 2017 Cryptacus Workshop

  2. Taken from a document writen originally in English. The programming of billions of processors embedded in all our devices, which must take into account devices that are very cheap and poorly secured, that require for instance the implementation of weak cryptographic algorithm, is a challenge... Translation 1 / 33

  3. Weak Cryptography? Weak � Lightweight 2 / 33

  4. Weak Cryptography? Weak � Lightweight What is lightweight (symmetric) cryptography? 2 / 33

  5. It is vast (1/2) Stream C. Block C. Hash F. Auth. C. MAC Total Academia 14 50 10 10 2 86 Proprietary 17 5 0 0 1 23 Government 1 5 0 0 0 6 Total 32 60 10 10 3 115 3 / 33

  6. It is vast (1/2) Stream C. Block C. Hash F. Auth. C. MAC Total Academia 14 50 10 10 2 86 Proprietary 17 5 0 0 1 23 Government 1 5 0 0 0 6 Total 32 60 10 10 3 115 3 / 33

  7. It is vast (2/2) Several scatered national/international standards, none chosen afer a competition (apart from the AES). 4 / 33

  8. It is vast (2/2) Several scatered national/international standards, none chosen afer a competition (apart from the AES). State of the Art in Lightweight Symmetric Cryptography , Alex Biryukov and Léo Perrin https://ia.cr/2017/511 http://cryptolux.org 4 / 33

  9. Outline Goal of this Talk We will look at several “lightweight” algorithms and see what they can tell us about lightweightness. 5 / 33

  10. Outline Goal of this Talk We will look at several “lightweight” algorithms and see what they can tell us about lightweightness. 1 A5-GCM-1 and A5-GCM-2 What not to do 5 / 33

  11. Outline Goal of this Talk We will look at several “lightweight” algorithms and see what they can tell us about lightweightness. 1 A5-GCM-1 and A5-GCM-2 What not to do 2 Plantlet and LEA Specialized algorithms 5 / 33

  12. Outline Goal of this Talk We will look at several “lightweight” algorithms and see what they can tell us about lightweightness. 1 A5-GCM-1 and A5-GCM-2 What not to do 2 Plantlet and LEA Specialized algorithms 3 GIMLI Multi-purpose algorithms 5 / 33

  13. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Outline 1 Introduction 2 A5-GCM-1/2 Plantlet and LEA 3 GIMLI 4 Conclusion 5 5 / 33

  14. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Plan of this Section Introduction 1 A5-GCM-1/2 2 Presentation of A5-GMR-1/2 Security Level Lessons Learnt Plantlet and LEA 3 GIMLI 4 Conclusion 5 5 / 33

  15. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Satellite Phone Encryption GSM Protocol (regular phone) Cell phone communications in many countries (incl. Europe) are encrypted with A5/1. A5/2 was used for products sold outside Europe (e.g. Irak). 6 / 33

  16. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Satellite Phone Encryption GSM Protocol (regular phone) Cell phone communications in many countries (incl. Europe) are encrypted with A5/1. A5/2 was used for products sold outside Europe (e.g. Irak). Satphone Standards For satellite phones, there are two competing standards: GMR-1 and GMR-2, each with their own crypto. 6 / 33

  17. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Satellite Phone Encryption GSM Protocol (regular phone) Cell phone communications in many countries (incl. Europe) are encrypted with A5/1. A5/2 was used for products sold outside Europe (e.g. Irak). Satphone Standards For satellite phones, there are two competing standards: GMR-1 and GMR-2, each with their own crypto. Their crypto had to be reverse-engineered [DHW + 12]. 6 / 33

  18. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Stream Cipher κ Stream Cipher X 0 X 1 F U I ϕ ϕ Key stream k 0 k 1 κ : secret key F : initialization I : IV U : state update function X i : internal state ϕ : filter 7 / 33

  19. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion A5-GMR-1 (1/2) Diagram of A5-GMR-1 (from [DHW + 12]). Internal state size: 82 bits; key size: 64 bits; IV size: 19 bits. 8 / 33

  20. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion A5-GMR-1 (2/2) “Intuitive” characteristics of a LW algo Intended for low-power devices Very small internal state, very small key LFSRs → simple logic Some operations are far cheaper than others. Example LFSR: a handful of XORs Memory itself is expensive → small state 9 / 33

  21. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion A5-GMR-2 Diagram of A5-GMR-1 (from [DHW + 12]). Internal state size: 68 bits; key size: 64 bits; IV size: 22 bits. 10 / 33

  22. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Cryptanalysis Are these algorithms secure? 11 / 33

  23. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Cryptanalysis Are these algorithms secure? No In fact, A5-GMR-1 is based on A5 /2 ! 11 / 33

  24. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Name Things Reference Key IS IV At. time 224 A5/1 [And94] 64 64 22 216 A5/2 [BBK08] 64 81 22 Cell phones 232 [WSK97] 64 16–48 – cmea † 216 [WSD + 99] 96 96 – Oryx 238 . 1 [DHW + 12] A5-GMR-1 64 82 19 Satellite phones 228 [DHW + 12] A5-GMR-2 64 68 22 234 [LST + 09] Dsc Cordless phones 64 80 35 229 . 8 SecureMem. 64 109 128 Atmel chips [GvRVWS10] 250 CryptoMem. 64 117 128 235 Hitag2 [VGB12] 48 48 64 248 Megamos Car key/ [VGE13] 96 57 56 244 . 5 Keeloq † immobilizer [BSK96] 64 32 – 240 [BGS + 05] Dst 40 † 40 40 – 240 iClass [GdKGV14] 64 40 – Smart cards 232 Crypto-1 [NESP08] 48 48 96 240 Css [BD04] 40 42 – DVD players 248 Cryptomeria † [BKLM09] 56 64 – 264 Csa -BC † 64 64 – Digital televisions [WW05] 245 . 7 Csa -SC 64 103 64 231 PC-1 Amazon Kindle [BLR13] 128 152 – 244 SecurID ‡ Secure token [BLP04] 64 64 – 238 E0 [FL01] 128 128 – Anything 232 RC4 [Nob94] 128 2064 – 12 / 33

  25. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Why are they all broken? Too small key 13 / 33

  26. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Why are they all broken? Too small key save space/export restriction 13 / 33

  27. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Why are they all broken? Too small key save space/export restriction “Security through obscurity” 13 / 33

  28. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Why are they all broken? Too small key save space/export restriction “Security through obscurity” doesn’t work 13 / 33

  29. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Why are they all broken? Too small key save space/export restriction “Security through obscurity” doesn’t work Overall bad design 13 / 33

  30. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Why are they all broken? Too small key save space/export restriction “Security through obscurity” doesn’t work Overall bad design not cryptographers/old 13 / 33

  31. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Lessons Learnt Design There are cases where a dedicated lightweight algorithm is used. Implementation performance implies lower block/internal state size. Usually only one functionnality/device. 14 / 33

  32. Introduction A5-GCM-1/2 Presentation of A5-GMR-1/2 Plantlet and LEA Security Level GIMLI Lessons Learnt Conclusion Lessons Learnt Design There are cases where a dedicated lightweight algorithm is used. Implementation performance implies lower block/internal state size. Usually only one functionnality/device. Context Cryptography is hard. Export restrictions were a bad idea. Old algorithms stay for a while. 14 / 33

  33. Introduction A5-GCM-1/2 Primer on Hardware Implementation Plantlet and LEA Plantlet GIMLI LEA Conclusion Outline 1 Introduction 2 A5-GCM-1/2 Plantlet and LEA 3 GIMLI 4 Conclusion 5 14 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world crypto and privacy Sibenik, Croatia - June 15 2018 Outline Symmetric lightweight primitives Most used cryptanalysis Impossible

1.31k views • 76 slides
Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and UTwente d UT t Overview Lightweight cryptography - state of the art Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight

599 views • 39 slides
Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event Cryptography for 2020 Tenerife January 23 rd , 2013 Organization Lightweight Cryptography: Mission Accomplished? Introduction Technical perspective

478 views • 20 slides
Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to

Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to

Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to Symmetric Cryptography What is cryptography? Cryptography is communication in the presence of an adversary Ron Rivest. Coding theory Detection and

877 views • 28 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security February 5, 2003 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2003 CS 239,

263 views • 11 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security January 26, 2005 Lecture 5 Lecture 5 Page 1 Page 2 CS 239, Winter 2005 CS 239,

321 views • 13 slides
NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations & Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations & Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations & Performance Performance of State-of-the-Art Cryptography on ARM-based Microprocessors Hannes Tschofenig & Manuel Pegourie-Gonnard (Hannes.Tschofenig@arm.com,

509 views • 40 slides
Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security Authentication not required. i.e., Adversary allowed to send own messages (possibly error) Key/ Key/ Recv Enc Dec Send Replay SIM-CCA

192 views • 16 slides
On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1 AIST, Japan Kolkata, India (16 November 2018) 1 / 38 Table of contents 1 Introduction 2 Lightweight Crypto Stack for Circuit/RAM Size Requirement

670 views • 38 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System

Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System

Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System Symmetric Key System a shared symmetric key Examples: DES IDEA RC4 AES Examples: DES, IDEA, RC4, AES Asymmetric Key System y y y a pair

661 views • 38 slides
CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography

527 views • 26 slides
Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES Design and Security of Cryptographic Functions, Algorithms, and Devices, PAGE: 1 of 33 Summer

590 views • 45 slides
Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens Hermans KU Leuven/COSIC Cryptology: basic principles Eve Alice Bob CRYP CRYP Clear Clear %^C& %^C& TOB TOB @&^( @&^(

1.32k views • 119 slides
The Design of Cryptographic S-Boxes using CSPs 1 V E N K A T E S H R A M A M O O R T H Y , M A

The Design of Cryptographic S-Boxes using CSPs 1 V E N K A T E S H R A M A M O O R T H Y , M A

The Design of Cryptographic S-Boxes using CSPs 1 V E N K A T E S H R A M A M O O R T H Y , M A R I U S C . S I L A G H I , T O S H I H I R O M A T S U I , K A T S U T O S H I H I R A Y A M A , a n d M A K O T O Y O K O O

282 views • 26 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides
7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published encryption functions E, D; {M} K is the ciphertext (another sequence of bits) Symmetric (secret key) cryptography E(K, M) = {M} K D(K, E(K, M)) = M

571 views • 30 slides
Introduction to Cryptology: confidentiality, integrity, authenticity 2015/12 Yaound,

Introduction to Cryptology: confidentiality, integrity, authenticity 2015/12 Yaound,

Introduction to Cryptology: confidentiality, integrity, authenticity 2015/12 Yaound, Cameroun Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Institut de Mathmatiques de Bordeaux quipe MACISA, Laboratoire International de

753 views • 53 slides
Yasser F. O. Mohammad REMINDER 1: What is X.509? Part of X.500 standard for directory services

Yasser F. O. Mohammad REMINDER 1: What is X.509? Part of X.500 standard for directory services

Yasser F. O. Mohammad REMINDER 1: What is X.509? Part of X.500 standard for directory services Recommended by ITU-T in 1988 Used in many applications SSL/TLS S/MIME IP Security SET etc No specific public key

405 views • 40 slides
Secure Data Sharing and Distribution Platform for Integrated Big Data Utilization - Handling all

Secure Data Sharing and Distribution Platform for Integrated Big Data Utilization - Handling all

Secure Data Sharing and Distribution Platform for Integrated Big Data Utilization Oct.2015-Mar.2021 funded by Japan Science and Technology Agency Secure Data Sharing and Distribution Platform for Integrated Big Data Utilization - Handling all

312 views • 17 slides
Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse,

Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse,

Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse, Angelo De Caro, and David Pointcheval ENS, CNRS, INRIA, and PSL, 45 Rue dUlm, 75230 Paris Cedex 05, France {

535 views • 19 slides
Using Standards to Cost- Effectively Manage Risk Georgia Logistics Summit Atlanta, Georgia May

Using Standards to Cost- Effectively Manage Risk Georgia Logistics Summit Atlanta, Georgia May

Using Standards to Cost- Effectively Manage Risk Georgia Logistics Summit Atlanta, Georgia May 2011 Steve OMalley - ISO Ship & Supply Chain Security Standards Coordinator Motivators* Fear Guilt Government regulation Or,

883 views • 40 slides

More recommend