Research Challenges in Applied Cryptology
Bart Preneel
SEC – May 2009

Research Challenges in Applied Cryptology
Bart Preneel
COSIC, K.U.Leuven, Belgium
Bart.Preneel(at)esat.kuleuven.be
http://homes.esat.kuleuven.be/~preneel
May 2009
http://www.ecrypt.eu.org

Information processing
manual processing (10^2)
mechanical processing (10^4)
mainframe (10^5)
PCs and LANs (10^7)
Internet and mobile (10^9)
the Internet of things, ubiquitous computing, pervasive computing, ambient intelligence (10^12)

Exponential growth
Ray Kurzweil, KurzweilAI.net
Human brain: 10^14 … 10^15 ops and 10^13 bits memory
2025: 1 computer can perform 10^16 ops (2^53)
2013: 10^13 RAM bits (1 Terabyte) cost 1000$

Context
70 80 90
HARDWARE
Limited (govt + financial sector)
DES, 3DES
DES, RSA, DH, CBC-MAC
Provable security (PKC), ZK, ElGamal, ECC, stream ciphers
MD4, MD5
Provable security (SKC)
Key escrow
How to use RSA?
Alternatives to RSA
PKI
AES
ID-Based Crypto
SOFTWARE
GSM, PGP
C libraries (RSA, DH)
SSL/TLS, IPsec, SSH, S/MIME
Java crypto libraries
WLAN
EVERYWHERE
Trusted computing, DRM, 3GPP, RFID, sensor nodes

Implementations in embedded systems
[Figure: embedded devices (SIM; CPU, Crypto, MEM, JCA, Java, JVM/KVM; pins D, Q, Vcc, CLK) labelled Identification, Confidentiality, Integrity]
Cipher Design, Biometrics
Protocol: Wireless authentication protocol design
Algorithm: Embedded fingerprint matching algorithms, crypto algorithms
Architecture: Co-design, HW/SW, SOC
Circuit: Circuit techniques to combat side channel analysis attacks
Micro-Architecture: co-processor design
Technology aware solutions?
Slide credit: Prof. Ingrid Verbauwhede

Disclaimer: cryptography
security
crypto is only a tiny piece of the security puzzle
 – but an important one
most systems break elsewhere
 – incorrect requirements or specifications
 – implementation errors
 – application level
 – social engineering
for intelligence, traffic analysis (SIGINT) is often much more important than cryptanalysis

[Adi Shamir] We are winning yesterday’s information security battles, but we are losing the war. Security gets worse by a factor of 2 every year.
[Andrew Odlyzko] Humans can live with insecure systems. We couldn’t live with secure ones.

Challenges for crypto
Cost, Security, Performance
security for 50-100 years
authenticated encryption of Terabit/s networks
ultra-low power/footprint
secure software and hardware implementations
Algorithm agility

Outline
Context
Block ciphers
Hash functions
Public-key cryptology
Protocols
Implementations issues
Research challenges

Block cipher
larger data units: 64…128 bits
memoryless
repeat simple operation (round) many times
[Figure: P1 → block cipher → C1; P2 → block cipher → C2; P3 → block cipher → C3]

Block ciphers
64-bit block: 3-DES (112-168), IDEA (128), KASUMI (128 in 3G, 64 in 2G), MISTY1 (128), PRESENT (80-128)
128-bit block: AES (128-192-256), RC6, CAMELLIA
[Figure: axis "Symmetric key lengths" marked 0, 64, 80, 128, with regions labelled insecure, ?, secure]

AES (2001)
open competition: 1997-2000
FIPS 197 published in December 2001
mandatory for sensitive US govt. information
fast adoption in the market
 – tens of thousands of products
 – NIST validation list: 1076 implementations
   http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
 – standardization: ISO, IETF, IEEE 802.11, …
slower adoption in financial sector
mid 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information!
Adi Shamir: AES may well be the last block cipher

AES/Rijndael
[Figure: AES structure: key schedule feeding a sequence of rounds, each with a layer of S-boxes followed by MixColumns]
Block length: 128 bits
Key length: 128-192-256 bits
A machine that cracks a DES key in 1 second would take 149 trillion years to crack a 128-bit key

AES: rich mathematical structure
very compact/efficient implementations
 – SW: 14 cycles per byte or 2 Gbit/s on high end PCs (8 cycles/byte in bit-slicing)
 – HW: most compact: 3600 gates (PRESENT: 1750)
 – HW: fastest up to 43 Gbit/s in 130 nm CMOS
 – Intel (+AMD): new AES instruction: 0.75 cycles/byte
security
 – compact description: 8000 quadratic equations with 1600 variables for 128-bit AES: is it hard to solve sets of non-linear Boolean equations?
no attack has been found that can exploit this structure (in spite of earlier claims)
 – main threat is implementation level attack (cache timing, fault attacks): requires special countermeasures
 – recent result: AES-256 is not an ideal cipher [Biryukov+’09]

Block ciphers: Keeloq
Microchip Inc algorithm, designed in the 1980s
Allegedly used in 80% of the cars for car locks, car alarms
Block cipher with 32-bit blocks, 64-bit keys and 528 simple rounds
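
Added example (not from the slides and not Microchip's code): a C implementation of a cipher with the parameters on this slide, showing what "repeat simple operation (round) many times" and "memoryless" from the block cipher slide look like in code. The nonlinear-function constant and tap positions follow public descriptions of KeeLoq and are assumptions here; the key and plaintext blocks are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* 5-input nonlinear function as a 32-entry truth table. Constant and tap
   positions are taken from public descriptions of KeeLoq, not the slides. */
#define KEELOQ_NLF 0x3A5C742EU
#define BIT(x, n) ((uint32_t)(((x) >> (n)) & 1U))

static uint32_t nlf(uint32_t x, int a, int b, int c, int d, int e) {
    uint32_t idx = BIT(x, a) | (BIT(x, b) << 1) | (BIT(x, c) << 2)
                 | (BIT(x, d) << 3) | (BIT(x, e) << 4);
    return BIT(KEELOQ_NLF, idx);
}

/* One "simple round": shift the 32-bit state right by one and feed in a
   single new bit. Round r uses key bit r mod 64; 528 rounds in total. */
uint32_t keeloq_encrypt(uint32_t block, uint64_t key) {
    uint32_t x = block;
    for (unsigned r = 0; r < 528; r++) {
        uint32_t nb = BIT(x, 0) ^ BIT(x, 16) ^ BIT(key, r & 63)
                    ^ nlf(x, 1, 9, 20, 26, 31);
        x = (x >> 1) | (nb << 31);
    }
    return x;
}

/* Inverse: undo the rounds last-to-first (527 mod 64 == 15). */
uint32_t keeloq_decrypt(uint32_t block, uint64_t key) {
    uint32_t x = block;
    for (unsigned r = 0; r < 528; r++) {
        uint32_t ob = BIT(x, 31) ^ BIT(x, 15) ^ BIT(key, (15 - r) & 63)
                    ^ nlf(x, 0, 8, 19, 25, 30);
        x = (x << 1) | ob;
    }
    return x;
}

int main(void) {
    const uint64_t key = 0x0123456789ABCDEFULL;            /* constructed key */
    const uint32_t pt[3] = {0xCAFEBABEU, 1U, 0xCAFEBABEU}; /* P1 == P3 */
    /* Memoryless: each block is processed alone, so C1 == C3 is printed. */
    for (int i = 0; i < 3; i++) {
        uint32_t c = keeloq_encrypt(pt[i], key);
        printf("P%d=%08X C%d=%08X D=%08X\n", i + 1, (unsigned)pt[i],
               i + 1, (unsigned)c, (unsigned)keeloq_decrypt(c, key));
    }
    return 0;
}
```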

Block ciphers: Keeloq (2)
Leaked on the internet in 2006
[Bogdanov07] in some cases car key = Master key + Car ID
[Bogdanov07], [Courtois-Bard-Wagner07] first cryptanalysis
[Biham-Dunkelman-Indesteege-Keller-Preneel07]: 1 hour access to token (2^16 known texts), 2 days of calculation on 50 PCs (10.000$) - 2^44.5 encryptions
[Eisenbarth-Kasper-Moradi-Paar-Salmasizadeh-ManzuriShalmani-Paar08] Side channel attack allows recovery of the master key
in 2010 cryptographers will drive expensive cars

Block ciphers: conclusions
Several mature block ciphers available
Security well understood
 – in particular against statistical attacks (differential, linear) and structural attacks
 – algebraic attacks may be further developed