Appendix 11A Mathematical Basis of Birthday Attack Hash ... · SHA -256, SHA384, SHA512 broken;...

1

Hash functions & MACs

ECE 646 Lecture 9

1

W. Stallings, "Cryptography and Network-Security,”

Chapter 11 Cryptographic Hash Functions

Appendix 11A Mathematical Basis of Birthday Attack

Chapter 12 Message Authentication Codes

Required Reading

Recommended Reading

SHA-3 Projecthttps://csrc.nist.gov/projects/hash-functions/sha-3-project

2

Message

Hash function

Public keyalgorithm

AliceSignature

Alice’s private key

Bob

Hash function

Alice’s public key

Digital Signature

Hash value 1

Hash value 2

Hash value

Public key algorithm

yes no

Message Signature

3

Hash function

arbitrary length

message

hashfunction

hash valueh(m)

h

m

fixed length

4

2

Vocabulary

hash function

message digest

hash value

hash total

fingerprint

imprintcryptographic checksumcompressed encodingMDC, Message Digest Code

message digest

5

Hash functionsBasic requirements

1. Public description, NO key

2. Compression

arbitrary length input ® fixed length output

3. Ease of computation

6

Hash functionsSecurity requirements

1. Preimage resistance

It is computationally infeasible

Given To Find

y x, such thath(x) = y

2. 2nd preimage resistancex and y=h(x) x’ ¹ x, such that

h(x’) = h(x) = y

3. Collision resistance x’ ¹ x, such thath(x’) = h(x)

7

Hash functionsDependence between requirements

collision resistant

2nd preimage resistant

8

3

Hash functions(unkeyed)

OWHF CRHF

One-Way Hash Functions

Collision-Resistant Hash Functions

preimage resistance

2nd preimage resistance

collision resistance

9

Brute force attack against One-Way Hash Function

mi’

i=1..2n

2n messages with the contentsrequired by the forger

h

h(mi’) = y

n - bits

?

Given y

10

Creating multiple versions of the required message

I stateconfirm

thereby- that I

borrowedreceived

$10,000ten thousand dollars

fromMr.Dr.

KrisKrzysztof

Gaj on October 23,10 / 23 / 2019. This

moneysum of money

shouldis required to be returned

given back to Mr.Dr.

Gaj

by the4th

fourthday of December

Dec.2019.

11

Brute force attack against Collision Resistant Hash Function

Yuval

mi

h

n - bits

h(mi)

r messagesacceptable for the signer

mj’

h

n - bits

h(mj’)

r messagesrequired by the forger

h(mi) = h(mj’)

i=1..r j=1..r

12

4

Creating multiple versions of the required message

I stateconfirm

thereby- that I

borrowedreceived

$10,000ten thousand dollars

fromMr.Dr.

KrisKrzysztof

Gaj on October 23,10 / 23 / 2019. This

moneysum of money



Gaj

by the4th


Dec.2019.

13

I stateconfirm

thereby- that on

borrowedreceived from

Mr.Dr.

KrisKrzysztof

on

October 23,10 / 23 /

2019

This textitem



Gaj

Message acceptable for the signer

I a papermanuscript

security of Electronic Voting.side-channel attacks for PQC.

by the4th


Dec.2019.

14

Birthday paradox

How many students must be in a class so thatthere is a greater than 50% chance that

2. any two of the students share the samebirthday (up to the day and month)?

1. one of the students shares the teacher’s birthday (up to the day and month)?

15

Birthday paradox

How many students must be in a class so thatthere is a greater than 50% chance that

1. one of the students shares the teacher’s birthday (day and month)?

~ 366/2 = 183

2. any two of the students share the samebirthday (day and month)?

~Ö 366 » 19

16

5


Probability p that two different messages have thesame hash value:

p = 1 − exp (− r2

2n )

For r = 2n/2 p = 63%

17


Storage requirements

J.J. Quisquater

collision search algorithm

Number of operations: 2 Ö p/2 · 2n/2 » 2.5 · 2n/2

Storage: Negligible

18

Hash value size

Older algorithms (currently insecure):

Old standards:

One-Way Collision-Resistant

n ³ 648 bytes

n ³ 12816 bytes

n ³ 8010 bytes

n ³ 16020 bytes

Current standards (e.g., SHA-2, SHA-3):n = 128, 192, 25616, 24, 32 bytes

n = 256, 384, 51232, 48, 64 bytes

19

Hash function algorithms

Customized(dedicated)

Based onblock ciphers

Based onmodular arithmetic

MDC-2MDC-4

IBM, Brachtl, Meyer, Schilling, 1988

MASH-11988-1996

MD2Rivest 1988

MD4Rivest 1990

MD5Rivest 1990

SHA-0

SHA-1

RIPEMD

RIPEMD-160

European RACE Integrity Primitives Evaluation Project, 1992

NSA, 1992

NSA, 1995

SHA-256, SHA-384, SHA-512 NSA, 2000

20

6

Attacks against dedicated hash functionsknown by 2004

MD2

MD4

MD5 SHA-0

SHA-1

RIPEMD

RIPEMD-160

partially broken

broken, H. Dobbertin, 1995(one hour on PC, 20 free bytes at the start of the message)

partially broken,collisions for the compression function,Dobbertin, 1996(10 hours on PC)

weakness discovered, 1995 NSA,1998 France

reduced round version broken, Dobbertin 1995

SHA-256, SHA-384, SHA-512

21

MD4

MD5SHA-0

SHA-1

RIPEMD

RIPEMD-160

SHA-256, SHA-384, SHA-512

broken;Wang, Feng, Lai, YuCrypto 2004(1 hr on a PC)

attack with240 operationsCrypto 2004

What was discovered in 2004-2005?broken;Wang, Feng, Lai, Yu, Crypto 2004(manually, without using a computer)

broken;Wang, Feng, Lai, Yu, Crypto 2004(manully, withoutusing a computer)

attack with263 operationsWang, Yin, Yu, Aug 2005

22

263 operationsSchneier, 2005

In hardware:

Machine similar to the one used to break DES:

Cost = $50,000-$70,000 Time: 18 daysorCost = $0.9-$1.26M Time: 24 hours

In software:

Computer network similar to distributed.netused to break DES (~331,252 computers) :

Cost = ~ $0 Time: 7 months

23

Recommendations of NIST (1)NIST Brief Comments on Recent Cryptanalytic Attacks on SHA-1

Feb 2005

The new attack is applicable primarilyto the use of hash functions in digital signatures.

In many cases applications of digital signatures introduce additional context information,which may make attacks impracticle.

Other applications of hash functions,such as Message Authentication Codes (MACs), are not threatened by the new attacks.

24

7

NIST was already earlier planning to withdraw SHA-1 in favor of SHA-224, SHA-256, SHA-384 & SHA-512by 2010.

New implementations should use new hash functions.

NIST encourages government agancies to develop plansfor gradually moving towards new hash functions,taking into account the sensitivity of the systemswhen setting the timetables.

Recommendations of NIST (2)

25

SHA-3 Contest Timeline2007

• publication of requirements• 29.X. 2007: request for candidates

2008• 31.X.2008: deadline for submitting candidates• 9.XII.2008: announcement of 51 candidates accepted for Round 1

2009• 25-28.II.2009: 1st SHA-3 Candidate Conference, Leuven, Belgium• 24.VII.2009: 14 Round 2 candidates announced

2010• 23-24.VIII.2010: 2nd SHA-3 Candidate Conference, Santa Barbara, CA• 9.XII.2010: 5 Round 3 candidates announced

2012• 22-23.III.2012: 3rd SHA-3 Candidate Conference, Washington, D.C.• 2.X.2012: selection of the winner

2014: • 28.V.2014: draft version of the standard published

2015: • 5.VIII.2015: final version of the standard published

26

Number of Submissions

• Number of submissions received by NIST: 64

• Number of submissions publicly available: 56

• Number of submissions qualified to the first round: 51

27

Basic Requirements for a new hash function

• Must support hash values of224, 256, 384 and 512 bits

• Available worldwide without licensing fees• Secure over tens of years• Suitable for use in

- digital signatures FIPS 186- message authentication codes, HMAC, FIPS 198- key agreement schemes, SP 800-56A- random number generators, SP 800-90

• At least the same security level as SHA-2 with increased efficiency

28

8

SHA-3 Contest: 2008-2012

29

51candidates

Round 114 5

Round 3

Jul. 2009 Dec. 2010 Oct. 2012

Oct. 2008

Round 21

Hardware benchmarking

Security Analysis & Software Benchmarking

29

FPGA Benchmarking of Round 2 Candidates

30

Marcin Rogawski

Designers:

EkawatHomsirikamol

(“Ice”)

Altera Xilinx

Technology Low-cost High-performance

Low-cost High-performance

90 nm Cyclone II Stratix II Spartan 3 Virtex 4

65 nm Cyclone III Stratix III Virtex 5

Designers:

30

ATHENa – Automated Tool for Hardware EvaluatioN

31

FPL Community Award 2010Milan, Italy, Sep. 2010

• Open-source• Written in Perl• Developed 2009-2012• Automated search for optimal

§ Options of tools§ Target frequency§ Starting placement point

• Supporting Xilinx ISE& Altera Quartus

Image of Athena Goddess courtesy of Carolyn Angus

31

ATHENa Inputs/Outputs

32

synthesizable source files

configuration files

testbench

result summary (human-friendly)

database entries (machine- friendly)

OR

32

9

ATHENa Database of Results

33

http://cryptography.gmu.edu/athenadb

33

ATHENa Gains

34

0

0.5

1

1.5

2

2.5

3AreaThrThr/Area

Ratios of results obtained using ATHENa suggested optionsvs. default options of FPGA tools

34

ATHENa Gains

35

old days…

“working” with ATHENa…

35

Why ATHENa?

36

"The Greek goddess Athena was frequently called upon to settle disputes between the gods or various mortals. Athena Goddess of Wisdom was known for her superb logic and intellect. Her decisions were usually well-considered, highly ethical, and seldom motivated by self-interest.”

from "Athena, Greek Goddess of Wisdom and Craftsmanship"

36

10

SHA-3 Round 2 Results: 14 candidates

37

Throughput vs. Area: Normalized to Results for SHA-2 and Averaged over 7 FPGA Families

Area

Throughput

Best: Fast & Small

Worst: Slow & Big

37

Research: Multiple Architectures

38

• datapath width = state size • two clock cycles per one

round/step

Typically Throughput/Area ratio increases

Throughput

AreaA

Th x1/2(h)

Horizontal Folding /2(h)

38

Research: Design Space Exploration

39Results for BLAKE

39

Research: Design Space Exploration

40

All Final SHA-3 Candidates (Keccak, SHA-2, JH, BLAKE, Groestl) & the old standard SHA-2

40

11

Research: FPGA vs. ASIC

41

• ASIC developed in collaboration with ETH Zurich

• standard-cell CMOS 65nm UMC process

• 6 GMU implementations 6 ETH Zurich implementations

• Taped-out in Oct. 2011,successfully testedin Feb. 2012

• Results reported at the 3rd SHA-3 Candidate Conference in Washington D.C. in Mar. 2012

41

Research: FPGA vs. ASIC

42

ASIC Stratix III FPGA

42

Results Relative to SHA-2

43

2.830.79 4.002.001.411.000.500.350.25

43

Hash functionsApplications (1)

1. Digital Signatures

Advantages1. Shorter signature2. Much faster computations3. Larger resistance to manipulation(one block instead of several blocks of signature)

4. Resistance to the multiplicative attacks

5. Avoids problems with different sizes of thesender and the receiver moduli

44

12


2. Fingerprint of a program or a document(e.g., to detect a modification by a virusor an intruder)

program

hash

fingerprintoriginal_fingerprint

safe place

=?

45


3. Storing passwords

password

hash

hash(password)

Instead of:

ID, password

System stores:

ID, hash(password)

46

UNIX password scheme

password

password

password

. . . .

“00000000”

hash(password, salt)

DES

DES

DES

salt

salt

salt

ID, salt, hash(password, salt)

salt modifies the expansion function E

of DES

47


4. Fast encryption

PRNG

ki

mi ci

k0 = hash(KAB || IV )k1 = hash(KAB || k0). . . . . . . . . . . . . . . . .kn = hash(KAB || kn-1)

ork0 = hash(KAB || IV)k1 = hash(KAB || c0). . . . . . . . . . . . . . . . .kn = hash(KAB || cn-1)

48

13

General scheme for constructing a secure hash function

Message m

Padding, appending bit length, M

M1

IVH0 H1 H2

f f . . .Ht

compressionfunction

output transformation

h(m)g

M2 Mt. . .

49

Merkle-Damgard Scheme

50

Parameters of the Merkle-Damgard Scheme

H0 = IVHi = f(Hi-1, Mi)h(m) = g(Ht)

f

Compressionfunction r

n n

Entire hash

Hi-1 Hi

Mi In SHA-1n=160r=512

In SHA-256n=256r=512

In SHA-512n=512r=1024

51

Sponge Scheme

52

14

Hash padding – SHA-1 & SHA-256

message 100000000000 length

lengthof the entire

message in bits

X X X 0 0 0 0 0

64-bits

All zero padding:

X X X 0 0 0 0 0

Correct padding:X X X 0 0 1 0 0X X X 1 0 0 0 0

53

Hash padding – SHA-3 Candidates

BLAKE256 len641000 . . . 0001

#blocksGrøstl 1000 . . . 0000

1000 . . . 0001JH42 len128

1000 . . . 0001Keccak

Skein 0000 . . . 0000

len641000 . . . 0000SHA−2 (256)

CounterPaddingMinimumPaddingData

D

D

D

D

D

D

CPMD

54

SHA-1 SHA-256 SHA-384 SHA-512

Size of hash 160 256 384 512valueComplexity of 280 2128 2192 2256

the birthdayattackEquivalently secure Skipjack AES-128 AES-192 AES-256secret-key cipherMessage size < 264 < 264 < 2128 < 2128

Parameters of new hash functionsFeatures affecting security and functionality

55

Message block 512 512 1024 1024sizeNumber of 80 64 80 80digest rounds

SHA-1 SHA-256 SHA-384 SHA-512

Parameters of new hash functionsFeatures affecting implementation speed

56

15

SHA-512, SHA-384

SHA-256

SHA-1

Speed

Area

Hardware implementationsConceptual comparison

57

0

100

200

300

400

500

600

700

462

616

Speed in hardware [Mbit/s]

SHA-1 SHA-512

Results of the prototype FPGA implementation

Complexityof the best attack 280 2256

Skipjack AES-256the same as

GMU, 2002

58

Hash functions20 years ago Present

U.S. Government standards:

SHA-1

Other popular hash functions:

MD5, RIPEMD

Security status:

MD4 broken (1995)SHA-1 replaced SHA-0 (1995)MD5 partially broken

(collisions in compressionfunction, 1996)


SHA-1,SHA-224, SHA-256, SHA-384, SHA-512SHA-3

Other popular hash functions:

Whirlpool – winner of NESSIE

Security status:

MD5 broken (1 hr on PC)SHA-0 brokenRIPEMD broken

(without a need for computer)SHA-1 practically broken,

best attack – 263 operations –only 128 x more than breaking DES

59

Hash functionsTimeline

1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006


Contests:

Attacks:

II. 2003SHA-1

SHA-256, 384, 512SHA-224

NESSIE

I. 2000 XII. 2002SHA-256, SHA-384, SHA-512,Whirlpool

VIII. 1998MD5 – collisionsfor compressionfunction,10 hrs on PC

VIII. 2004broken:MD4, MD5, SHA-0,RIPEMD

FIPS 180-2FIPS 180-2

II. 2004

FIPS 180-2FIPS 180

SHA-0 – attackwith 261 operations II-VIII. 2005

attack on SHA-1269®263 operations

60

16

Message

Secret keyalgorithm

AliceMAC

Secret key of Alice and Bob

Bob

Secret keyalgorithm

Authentication

MAC’

MAC

yes no

Message MAC

Secret key of Alice and Bob

KAB KAB

61

MAC - Message Autentication Codes(keyed hash functions)

arbitrary length

message

MACfunction

MAC

m

fixed length

secret keyK

62

MAC functionsBasic requirements

1. Public description, SECRET key parameter

2. Compression

arbitrary length input ® fixed length output

3. Ease of computation

63

MAC functionsSecurity requirements

Given zero or more pairs

mi, MACK(mi) i = 1..k

it is computationally impossible to find any new pair

m’, MACK(m’)

Such thatm’ ¹mi i = 1..k

64

17

MAC functionsSecurity requirements

Resistance against

1. Known-text attack

2. Chosen-text attack

3. Adaptive chosen-text attack

65

CBC-MAC (1)

E

K

m1

E

K

m2

. . . .

E

K

mt

0

H1 H2

Ht

Ht-1

D

E

K’

K

MAC

MAC

FIPS-113

66

CBC-MAC (1)

H0 = IV = 0Hi = DESK(mi Å Hi-1) i = 1..t

MAC(m) = Ht[1..32]orMAC(m) = EK(EK’-1(Ht))[1..32]

67

MAC functions

Based onblock ciphers

CBC-MACCFB-MACRIPE-MACCMAC

HMACMD5-MAC

MAA CRC-MAC

DedicatedBased on

hashfunctions

Based on stream

ciphers

68

18

CMAC

69

RIPE-MAC

Hi = DESK(mi Å Hi-1) Å mi i = 1..t

MAC(m) = EK(EK’-1(Ht))[0..31]

H0 = IV = 0

K’ = K Å 0xf0f0…f0

70

HMAC

HMAC(m) = h(K Å ipad || h(K Å opad || m))

Bellare, Canetti, Krawczyk, 1996

ipad, opad - constant padding strings of the length of themessage block size in the hash function h

Used in SSL and IPSec

ipad = repetitions of 0x36 = 00110110opad = repetitions of 0x5A = 01011010

71

=

Å

=

Å

KEY

KEY

ipad

opad

KEY’

KEY”

h

h

message m

HMAC

HMAC

• American standardFIPS 198

• Arbitrary hash function and key size

72

19

Message Authentication Codes - MACs20 years ago Present


MAC (DAC) based on DES(since 1985)

Other MACs in use:

RIPE-MAC3, CRC-MAC, MAA


HMAC – based on hash functionsused in SSL and IPSec

CMAC – block cipher mode (AES, Triple DES, Skipjack)

Other MACs in use:

UMAC, TTMAC, EMAC– winners of the NESSIE contest

73

NESSIE: Winners of the contest: 2002Message Authentication Codes, MACs

1. UMAC UC Davis2. TTMAC K.U. Leuven3. EMAC U. of Toronto4. HMAC NIST & NSA

Name Origin

Security level Key size Output width

highnormal

³ 256

³ 128

32×k32×k

74

Message Authentication CodesTimeline

1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006

U.S. standards:

Contests:

Attacks:

V. 2005III. 2002

MAC (DAC)HMAC

RMAC – practical attackagainst MAC proposedby NIST and based onTriple DES

2002

SP 800-38CCMAC

FIPS 113 (based on DES)

NESSIEContest winners:UMAC, TTMAC, EMAC

FIPS 198 (based on hash functions)withdrawn in 2008

75

Message

Bob

Tag

Alice

Confidentiality & AuthenticationAuthenticated Ciphers

KAB KABAuthenticatedCipher

Encryption

N

CiphertextN

TagCiphertextN

Message

AuthenticatedCipher

Decryption

invalid

KAB - Secret key of Alice and BobN – Nonce or Initialization Vector

or

76

20

Confidentiality & AuthenticationAuthenticated Ciphers

or

Key

TagNpub AD CiphertextNsecEnc

Key

Encryption

Npub Nsec AD Message

Npub AD CiphertextNsecEnc Tag Nsec AD MessageInvalid

Decryption

Npub - Public Message NumberNsec - Secret Message NumberEnc Nsec - Encrypted Secret Message NumberAD - Associated DataKAB - Secret key of Alice and Bob

KAB KAB

77

Examples of Most Commonly UsedAuthenticated Ciphers

• AES-GCM• AES-OCB3• AES-OCB• AES-CCM• AES-EAX

78

CAESARContest

2013-2019

79

Cryptographic Standard Contests

time97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17

AES

NESSIE

CRYPTREC

eSTREAM

SHA-3

34 stream 4 HW winnersciphers ® + 4 SW winners

51 hash functions ® 1 winner

15 block ciphers ® 1 winnerIX.1997 X.2000

I.2000 XII.2002

IV.2008

X.2007 X.2012

XI.2004

CAESARI.2013

57 authenticated ciphers ® multiple winnersII.2019

80

21

Evaluation of Candidates in Cryptographic Contests

Year07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22

SHA-3

51 hash functions ® 1 winnerX.2007 X.2012

CAESARI.2013

57 authenticated ciphers ® multiple winners

II.2019

56 Lightweight authenticated ciphers & hash functions

VIII.2018Lightweight

Cryptography

TBD

Completed

In progressX.2012X.2012

8182

Evaluation Criteria

Security

Software Efficiency Hardware Efficiency

Simplicity

FPGAs ASICs

Flexibility Licensing

µProcessors µControllers

82

CAESAR Contest: 2015-2018

83

57candidates

Round 1

29 15

Round 3

Jul. 2015 Aug. 2016

Mar. 2014

Round 2

Hardware benchmarking

Security Analysis & Software Benchmarking

6

Mar. 2018

Round 4

Final Portfolio

Feb. 2019

7

83

CAESAR Major Challenges

84

Fairness Number of Candidates

84

22

CAESAR Hardware API

85

1. Minimum Compliance Criteria

• Encryption, decryption, key scheduling• Padding• Maximum size of message & AD• Permitted data port widths, etc.

3. Communication Protocol

2. Interface 4. Timing Characteristics

Proposed by GMU in Feb. 2016, approved by the CAESAR Committee in May 2016

85

CAESAR Development Package

86

Universal Testbench (VHDL)

Test Vector Generator (Python)

Code Common for All Candidates (VHDL)

86

VHDL/Verilog Code Submitters

87

1. CCRG NTU (Nanyang Technological University) Singapore –ACORN, AEGIS, JAMBU, & MORUS

2. CLOC-SILC Team, Japan – CLOC & SILC3. Ketje-Keyak Team – Ketje & Keyak4. Lab Hubert Curien, St. Etienne, France – ELmD & TriviA-ck5. Axel Y. Poschmann and Marc Stöttinger – Deoxys & Joltik6. NEC Japan – AES-OTR7. IAIK TU Graz, Austria – Ascon8. DS Radboud University Nijmegen, Netherlands – HS1-SIV9. IIS ETH Zurich, Switzerland – NORX10.Pi-Cipher Team – Pi-Cipher11.EmSec RUB, Germany – POET12.CG UCL, INRIA – SCREAM13.Shanghai Jiao Tong University, China – SHELL

13 Design Groups, 19 CAESAR Round 2 Candidates

87

VHDL/Verilog Code Submitters

88

“Ice” HomsirikamolAES-GCM, AEZ,Ascon, Deoxys, HS1-SIV, ICEPOLE, Joltik, NORX, OCB,PAEQ, Pi-Cipher, STRIBOB

Will Diehl

AhmedFerozpuriPRIMATEs-GIBBON &HANUMAN,PAEQ

Farnoud FarahmandAES-COPACLOC

Mike X.LyonsTriviA-ck

MinalpherOMDPOETSCREAM

GMU alone, 19 Candidate Families + AES-GCM

88

23

89

CAESAR Contest: Impact

75 unique open-source designsCovering the majority of primary variants of 28 out of 29 Round 2 Candidate Families (all except Tiaoxin)High-speed implementation of AES-GCM (baseline)

The biggest and the earliest hardware benchmarking effort in the history of cryptographic competitions

89

Percentage of Candidates in Hardware

90

Initial numberof candidates

15

34

51

57

AES

eSTREAM

SHA-3

CAESAR

Implementedin hardware

5

8

14

28

Percentage

33.3%

23.5%

27.5%

49.1%

90

91

CAESAR Contest: Results for Round 2

Relative (w.r.t. AES-GCM) Throughput in Virtex 6

Throughput of AES-GCM = 3239 Mbit/s

E – Throughput for EncryptionD – Throughput for DecryptionA – Throughput for Authentication OnlyDefault: Throughput the same for all 3 operations

Red – algorithms qualified to Round 3

14-16x better than the current standard

Why the slowest?

9192

CAESAR Contest: Results for Round 2

Throughput/Area of AES-GCM = 1.020 (Mbit/s)/LUTs

E – Throughput/Area for EncryptionD – Throughput/Area for DecryptionA – Throughput/Area for Authentication OnlyDefault: Throughput/Area the same for all 3 operations

Red – algorithms qualified to Round 3

Relative (w.r.t. AES-GCM) Throughput/Area in Virtex 6

Team Keccak

92

24

93

Use Case: Lightweight applications(resource constrained environments)

Side-Channel Analysis Resistance

Will Diehl(co-advised with Jens-Peter Kaps)

• critical: fits into small hardware area and/or small code for 8-bit CPUs

• desirable: ability to protect against side-channel attacks (e.g., power attacks)

t-test using low-costFOBOS environmentdeveloped by CERG

9394

Unprotected Lightweight Implementations

Best:ACORNJAMBU-SIMON

Worst:CLOC-AESSILC-AES

Side-Channel Analysis – Preliminary Results

Best: Fast & Small

Worst: Slow & Big

x

94

Side-Channel Analysis – Preliminary Results

95

Protected Lightweight Implementations On Average:Area: x2.7Thr: x1.8Thr/Area: x5.4Best:ACORNJAMBU-SIMON

Worst:CLOC-TWINECLOC-AES

95

Presentation of Prof. D. Bernstein at the Rump Session of the Fast Software Encryption conference, March 2018

96

Appendix 11A Mathematical Basis of Birthday Attack Hash ... · SHA -256, SHA384, SHA512 broken;...

Documents

Transcript of Appendix 11A Mathematical Basis of Birthday Attack Hash ... · SHA -256, SHA384, SHA512 broken;...