Lecture 13
Modern Cryptographic Algorithms, Key Sizes, Cryptographic Standards

Secret-Key Cryptography
Modern Secret-Key Ciphers
(timeline, 1980-2030)

American standards:
  DES (1977): 56-bit key
  Triple DES (1999): 112- and 168-bit keys; later 168-bit only
  AES - Rijndael (2002): 128-, 192-, and 256-bit keys

Other popular algorithms: IDEA, Blowfish, RC5, CAST; AES contest candidates Twofish, RC6, Mars, Serpent
Cryptographic Standard Contests
(timeline, 1997-2017)

Contest    Period                Candidates -> winners
AES        IX.1997 - X.2000      15 block ciphers -> 1 winner
NESSIE     I.2000 - XII.2002
CRYPTREC
eSTREAM    XI.2004 - V.2008      34 stream ciphers -> 4 HW winners + 4 SW winners
SHA-3      XI.2007 - X.2012      51 hash functions -> 1 winner
CAESAR     IV.2013 - XII.2017    57 authenticated ciphers -> multiple winners
Why a Contest for a Cryptographic Standard?
• Avoid back-door theories
• Speed up the acceptance of the standard
• Stimulate non-classified research on methods of designing a specific cryptographic transformation
• Focus the effort of a relatively small cryptographic community
Cryptographic Contests - Evaluation Criteria
• Security
• Software efficiency (μProcessors, μControllers)
• Hardware efficiency (ASICs, FPGAs)
• Simplicity
• Flexibility
• Licensing
Specific Challenges of Evaluations in Cryptographic Contests
• Very wide range of possible applications, and as a result of performance and cost targets:
  speed: tens of Mbits/s to hundreds of Gbits/s
  cost: single cents to thousands of dollars
• Winner in use for the next 20-30 years, implemented using technologies not in existence today
• Large number of candidates
• Limited time for evaluation
• The results are final

Mitigating Circumstances
• Performance of competing algorithms tends to vary significantly (sometimes by as much as 500 times)
• Only relatively large differences in performance matter (typically at least 20%)
• Multiple groups independently implement the same algorithms (catching mistakes, comparing best results, etc.)
• Second best may be good enough
AES Contest, 1997-2000

Rules of the Contest
Each team submits:
• Detailed cipher specification
• Justification of design decisions
• Tentative results of cryptanalysis
• Source code in C
• Source code in Java
• Test vectors
AES: Candidate Algorithms
USA: Mars, RC6, Twofish, Safer+, HPC
Canada: CAST-256, Deal
Costa Rica: Frog
Australia: LOKI97
Japan: E2
Korea: Crypton
Belgium: Rijndael
France: DFC
Germany: Magenta
Israel, UK, Norway: Serpent
AES Contest Timeline
June 1998: 15 candidates - CAST-256, Crypton, Deal, DFC, E2, Frog, HPC, LOKI97, Magenta, Mars, RC6, Rijndael, Safer+, Serpent, Twofish
Round 1 (criteria: security, software efficiency)
August 1999: 5 final candidates - Mars, RC6, Twofish (USA); Rijndael, Serpent (Europe)
Round 2 (criteria: security, software efficiency, hardware efficiency)
October 2000: 1 winner - Rijndael (Belgium)
NIST Report: Security & Simplicity
(chart: security (high / adequate) vs. simplicity (simple / complex) for MARS, Rijndael, Serpent, Twofish, RC6)

Efficiency in software: NIST-specified platform
(chart: throughput [Mbits/s], 0-30, on a 200 MHz Pentium Pro with Borland C++, for 128-bit, 192-bit and 256-bit keys; ciphers: Serpent, Rijndael, Twofish, RC6, Mars)
NIST Report: Software Efficiency - Encryption and Decryption Speed
(ranked from high to low)
32-bit processors: RC6; Rijndael, Mars; Twofish; Serpent
64-bit processors: Rijndael, Twofish (high); Mars, RC6 (medium); Serpent (low)
DSPs: Rijndael, Twofish (high); Mars, RC6 (medium); Serpent (low)
Efficiency in FPGAs: Speed
(chart: throughput [Mbit/s], 0-500, for Serpent x8, Rijndael, Twofish, RC6, Mars and Serpent x1; implementations by Worcester Polytechnic Institute, University of Southern California and George Mason University on a Xilinx Virtex XCV-1000; bar values range from 61 to 444 Mbit/s)
Efficiency in ASICs: Speed
(chart: throughput [Mbit/s], 0-700; MOSIS 0.5 μm, NSA Group)

              3-in-1 (128, 192, 256 bit) key scheduling   128-bit key scheduling
Rijndael      443                                         606
Serpent x1    202                                         202
Twofish       105                                         105
RC6           104                                         103
Mars          57                                          57

Results for ASICs matched very well the results for FPGAs, and both were very different from the software results.
Serpent: fastest in hardware, slowest in software.
(charts: FPGA - GMU+USC, Xilinx Virtex XCV-1000; ASIC - NSA Team, 0.5 μm MOSIS; Serpent shown as x8 and x1 architectures)
Lessons Learned
Hardware results matter!
(chart: speed in FPGAs (GMU results) vs. votes at the AES 3 conference, final round of the AES Contest, 2000)

Conclusion of the AES contest
2 October 2000: winner announced
November 2001: FIPS-197 (AES) announced
May 2002: standard becomes effective
External format of the AES algorithm
plaintext block (128 bits) + key (128, 192, or 256 bits) -> AES -> ciphertext block (128 bits)

Iterative cipher
Initial transformation with Round Key[0]
i := 1
Cipher Round with Round Key[i]; i := i + 1; repeat while i < #rounds (executed #rounds times)
Final transformation with Round Key[#rounds+1]
One round of a Substitution-Linear Transformation Network cipher
128-bit input -> S-boxes -> Linear Transformation -> XOR with round key K[i] -> 128-bit output

Input, internal state, and output
128 bits = 16 bytes, filled column by column:
a0,0 a1,0 a2,0 a3,0 | a0,1 a1,1 a2,1 a3,1 | a0,2 a1,2 a2,2 a3,2 | a0,3 a1,3 a2,3 a3,3
     column 0              column 1              column 2              column 3

State as a 4x4 byte array:
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3
Variable block size
Allowed only in the initial specification of Rijndael

State: 4 rows x Nb columns, Nb = 4, 6 or 8; Nb columns = Nb 32-bit words
a0,0 a0,1 a0,2 a0,3 | a0,4 a0,5 | a0,6 a0,7
a1,0 a1,1 a1,2 a1,3 | a1,4 a1,5 | a1,6 a1,7
a2,0 a2,1 a2,2 a2,3 | a2,4 a2,5 | a2,6 a2,7
a3,0 a3,1 a3,2 a3,3 | a3,4 a3,5 | a3,6 a3,7
columns 0-3: 128 bits (Nb=4); columns 0-5: 192 bits (Nb=6); columns 0-7: 256 bits (Nb=8)
Byte order (column by column): a0,0 a1,0 a2,0 a3,0 a0,1 a1,1 a2,1 a3,1 a0,2 a1,2 a2,2 a3,2 a0,3 a1,3 a2,3 a3,3 ...

Key, internal keys
Variable key size: 4 rows x Nk columns, Nk = 4, 6 or 8; Nk columns = Nk 32-bit words
k0,0 k0,1 k0,2 k0,3 | k0,4 k0,5 | k0,6 k0,7
k1,0 k1,1 k1,2 k1,3 | k1,4 k1,5 | k1,6 k1,7
k2,0 k2,1 k2,2 k2,3 | k2,4 k2,5 | k2,6 k2,7
k3,0 k3,1 k3,2 k3,3 | k3,4 k3,5 | k3,6 k3,7
columns 0-3: 128 bits (Nk=4); columns 0-5: 192 bits (Nk=6); columns 0-7: 256 bits (Nk=8)
Byte order (column by column): k0,0 k1,0 k2,0 k3,0 k0,1 k1,1 k2,1 k3,1 k0,2 k1,2 k2,2 k3,2 k0,3 k1,3 k2,3 k3,3 ...
Pseudocode for AES encryption

Pseudocode for AES decryption
SubBytes
a0,0 a0,1 a0,2 a0,3        b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3   ->   b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3        b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3        b3,0 b3,1 b3,2 b3,3
ai,j -> S-box -> bi,j
• Bytes are transformed by applying an invertible S-box
• One single S-box for the complete cipher
S-box: substitution values for the byte xy (in hexadecimal notation)
ShiftRows
a b c d        a b c d    no shift
e f g h   ->   f g h e    cyclic shift left by C1=1
i j k l        k l i j    cyclic shift left by C2=2
m n o p        p m n o    cyclic shift left by C3=3

Block size   C1   C2   C3
128 bits     1    2    3
192 bits     1    2    3
256 bits     1    3    4
(192- and 256-bit blocks: only in the initial specification, not supported by the standard)
MixColumns
a0,0 a0,1 a0,2 a0,3        b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3   ->   b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3        b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3        b3,0 b3,1 b3,2 b3,3
Each column j is multiplied by a fixed matrix:
| b0,j |   | 2 3 1 1 |   | a0,j |
| b1,j | = | 1 2 3 1 | x | a1,j |
| b2,j |   | 1 1 2 3 |   | a2,j |
| b3,j |   | 3 1 1 2 |   | a3,j |
High diffusion:
• A difference in 1 input byte propagates to all 4 output bytes
• A difference in 2 input bytes propagates to at least 3 output bytes
• Any linear relation between input and output bits involves bits from at least 5 different bytes (branch number = 5)
AddRoundKey
a0,0 a0,1 a0,2 a0,3     k0,0 k0,1 k0,2 k0,3     b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3  +  k1,0 k1,1 k1,2 k1,3  =  b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3     k2,0 k2,1 k2,2 k2,3     b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3     k3,0 k3,1 k3,2 k3,3     b3,0 b3,1 b3,2 b3,3
• simple bitwise addition (xor) of round keys
Number of rounds
                    Key length
Block length        128 bits (Nk=4)   192 bits (Nk=6)   256 bits (Nk=8)
128 bits (Nb=4)     10                12                14
192 bits (Nb=6)     12                12                14
256 bits (Nb=8)     14                14                14
(the Nb=4 row is required by the standard; Nb=6 and Nb=8 are non-standard extensions)
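The four transformations described on the slides above (SubBytes, ShiftRows, MixColumns, AddRoundKey) assembled into a working AES-128 encryption, as an added example that is not part of the lecture slides. The state is held as four rows so that state[i][j] is the slide's a_{i,j}; the S-box is computed from its definition (GF(2^8) inverse followed by the affine map) rather than copied from the table; the names sbox, mix_column, expand_key, encrypt_block and active_output_bytes are chosen here. The block also checks the MixColumns diffusion claim (a one-byte input difference activates all four output bytes) and the rule behind the round-count table, max(Nb, Nk) + 6; the known-answer value used to verify it is the FIPS-197 Appendix B example.

```python
# Added example (not from the lecture slides): AES-128 built from the four
# round transformations; names such as sbox, mix_column, expand_key and
# encrypt_block are chosen here, not taken from the slides or FIPS-197.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the Rijndael polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (group order 255); AES maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def sbox(a: int) -> int:
    """S-box = field inverse followed by the affine map with constant 0x63."""
    x = gf_inv(a)
    out = 0
    for i in range(8):
        bit = 0x63 >> i
        for s in (0, 4, 5, 6, 7):        # b_i = x_i + x_{i+4} + ... + x_{i+7} + c_i
            bit ^= x >> ((i + s) % 8)
        out |= (bit & 1) << i
    return out


SBOX = [sbox(a) for a in range(256)]     # one single S-box for the whole cipher


def sub_bytes(s):
    return [[SBOX[b] for b in row] for row in s]


def shift_rows(s):
    """Row r is cyclically shifted left by r bytes (C1=1, C2=2, C3=3)."""
    return [row[r:] + row[:r] for r, row in enumerate(s)]


def mix_column(col):
    """Multiply one column by the fixed matrix (2 3 1 1 / 1 2 3 1 / ...)."""
    a0, a1, a2, a3 = col
    return [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
            a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
            a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
            gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]


def mix_columns(s):
    cols = [mix_column([s[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(s, rk):
    """Bitwise xor with the round key; rk[c] is the 4-byte word of column c."""
    return [[s[r][c] ^ rk[c][r] for c in range(4)] for r in range(4)]


def expand_key(key: bytes):
    """AES-128 key schedule (Nk=4): 44 words, grouped into 11 round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                   # RotWord, SubWord, xor with Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [w[4 * r:4 * r + 4] for r in range(11)]


def rijndael_rounds(nb: int, nk: int) -> int:
    """Round count from the table above: max(Nb, Nk) + 6."""
    return max(nb, nk) + 6


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Initial AddRoundKey, Nr-1 full rounds, final round without MixColumns."""
    rks = expand_key(key)
    nr = rijndael_rounds(4, 4)           # 10 rounds for a 128-bit key and block
    s = [[block[r + 4 * c] for c in range(4)] for r in range(4)]  # fill column-wise
    s = add_round_key(s, rks[0])
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rks[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rks[nr])
    return bytes(s[r][c] for c in range(4) for r in range(4))


def active_output_bytes(delta_col):
    """MixColumns is linear, so an input difference delta becomes the output
    difference mix_column(delta); return how many of its 4 bytes are non-zero."""
    return sum(1 for b in mix_column(delta_col) if b)
```

encrypt_block(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"), bytes.fromhex("3243f6a8885a308d313198a2e0370734")) returns the FIPS-197 ciphertext 3925841d02dc09fbdc118597196a0b32, and active_output_bytes([d, 0, 0, 0]) is 4 for every non-zero d because all entries of the MixColumns matrix are non-zero field elements. Decryption is not included; it applies the inverse transformations (inverse S-box, right shifts, the inverse matrix) with the round keys in reverse order.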
Secret-key cryptography standards

Federal standards (NIST):
  FIPS 46-1, FIPS 46-2 - DES
  FIPS 81 - Modes of operation
  FIPS 46-3 - Triple DES
  FIPS 197 - AES
Banking standards (ANSI):
  X3.92 - DES
  X3.106 - DES modes of operation
  X9.52 - Modes of operation of Triple DES
International standards (ISO):
  ISO 10116 - Modes of operation of an n-bit cipher
  ISO/IEC 18033-3 - AES, Camellia, SEED, TDEA, MISTY1, CAST-128, MUGI, SNOW

NIST FIPS - National Institute of Standards and Technology, Federal Information Processing Standards
American federal standards; required in government institutions.
Original algorithms developed in cooperation with the National Security Agency (NSA), and algorithms developed in open research adapted and approved by NIST.
ANSI X9 - American National Standards Institute
Work in the subcommittee X9F developing standards for financial institutions
ANSI represents the U.S.A. in ISO
Standards for wholesale (e.g., interbank) and retail transactions (e.g., bank machines, smart card readers)

ISO - International Organization for Standardization
International standards
Common standards with IEC - International Electrotechnical Commission
ISO/IEC JTC1 SC 27 - Joint Technical Committee 1, Subcommittee 27

ISO: International Organization for Standardization
Long and laborious process of standard development:
Study period -> NP (New Proposal) -> WD (Working Draft) -> CD (Committee Draft) -> DIS (Draft International Standard) -> IS (International Standard)
Minimum 3 years
Review of the standard after 5 years = ratification, corrections or revocation
Public-Key Cryptography

Public-Key Cryptography Standards
IEEE       - industry standards             - P1363
ANSI       - bank standards                 - ANSI X9
NIST       - federal standards              - FIPS
ISO        - international standards        - ISO
RSA Labs   - unofficial industry standards  - PKCS
PKCS - Public-Key Cryptography Standards
Informal industry standards developed by RSA Laboratories in cooperation with Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell, Sun
The first formal specification (apart from PGP) of RSA and of message formats.
IEEE P1363
Working group of IEEE including representatives of major cryptographic companies and university centers from USA, Canada and other countries
Part of the Microprocessors Standards Committee
Quarterly meetings + multiple teleconferences + discussion list + very informative web page with the draft versions of standards
Modern, open style
Combined standard including the majority of modern public key cryptography
Several algorithms for implementation of the same function
Tool for constructing other, more specific standards
Specific applications or implementations may determine a profile (subset) of the standard
Bases of the security of public-key cryptosystems

Factorization
  Given: N = p · q
  Unknown: p, q
Discrete Logarithm
  Given: y = g^x mod p = g · g · g · ... · g (x times); constants p, g
  Unknown: x
Elliptic Curve Discrete Logarithm
  Given: Q = x · P = P + P + ... + P (x times); P - point of an elliptic curve
  Unknown: x
Elliptic Curve over GF(p): y^2 = x^3 + x

Elliptic Curve Addition over GF(p): Y^2 = X^3 + X mod 23
(plot: points fulfilling the equation of the curve, X and Y from 0 to 22)
ϑ - special point (point at infinity) such that: P + ϑ = ϑ + P = P

Addition:   P = (6,19), Q = (7,12), R = P + Q = (13,7)
Doubling:   P = (3,13), 2P = P + P = (7,11)

Scalar Multiplication
Q = k · P = P + P + P + ... + P (k times)
k - number (scalar), P - point
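The addition, doubling and scalar multiplication shown on the slides above, worked through in code as an added example that is not part of the lecture slides. The slide's listed points (6,19), (7,12), (13,7), (3,13) and (7,11) all satisfy y^2 = x^3 + x + 1 (mod 23) and not x^3 + x, so the example assumes the curve constants a = 1, b = 1 (the constant term is taken as lost in the slide's extraction); the point at infinity is represented as None, and the names is_on_curve, add, naive_mult, scalar_mult and curve_points are chosen here. naive_mult is the slide's "P + P + ... + P, k times"; scalar_mult is the double-and-add form that real implementations use, and the two are checked against each other.

```python
# Added example (not from the lecture slides): group operations on the
# slides' toy curve over GF(23).  The slide's points (6,19), (7,12), (13,7),
# (3,13) and (7,11) satisfy y^2 = x^3 + x + 1 (mod 23), so b = 1 is assumed.
# is_on_curve, add, scalar_mult and curve_points are names chosen here.

P_MOD = 23           # the prime p of GF(p)
A, B = 1, 1          # curve y^2 = x^3 + A*x + B
INF = None           # the point at infinity (the slide's "special point")


def is_on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def neg(pt):
    """-P mirrors P across the x-axis; P + (-P) = INF."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p, q):
    """Chord-and-tangent addition covering INF, inverse pairs and doubling."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # vertical line: P + (-P)
    if p == q:                                       # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:                                            # addition: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def double(pt):
    return add(pt, pt)


def naive_mult(k: int, pt):
    """Q = P + P + ... + P (k times), exactly as written on the slide."""
    q = INF
    for _ in range(k):
        q = add(q, pt)
    return q


def scalar_mult(k: int, pt):
    """Q = k*P by double-and-add: about log2(k) doublings instead of k additions."""
    q, addend = INF, pt
    while k:
        if k & 1:
            q = add(q, addend)
        addend = double(addend)
        k >>= 1
    return q


def curve_points():
    """Every affine point satisfying the equation, plus the point at infinity."""
    pts = [(x, y) for x in range(P_MOD) for y in range(P_MOD) if is_on_curve((x, y))]
    return pts + [INF]
```

add((6, 19), (7, 12)) returns (13, 7) and double((3, 13)) returns (7, 11), matching the slide. curve_points() finds 28 elements (27 affine points plus the point at infinity), so by Lagrange's theorem scalar_mult(28, P) is INF for every point P on this curve. The modular inverses use pow(x, -1, p), which needs Python 3.8 or later.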
Elliptic Curve Cryptosystems - ECC
Advantages
• a family of public key cryptosystems, rather than a single cryptosystem
• strong alternative for RSA
• several times shorter keys
• fast and compact implementations, in particular in hardware
Disadvantages
• complex mathematical description
• shorter period of research on the cryptanalysis
Best known attacks
Basis of the cryptosystem security    Best known attack                Complexity of the attack
Factorization                         General Number Field Sieve       subexponential
Discrete Logarithm                    1. General Number Field Sieve    1. subexponential
                                      2. Parallel collision search     2. exponential
Elliptic Curve Discrete Logarithm     Parallel collision search        exponential

Best Algorithm to Factor Large Numbers: NUMBER FIELD SIEVE
Complexity: sub-exponential time and memory. N = number to factor, k = number of bits of N
(plot: execution time vs. k = number of bits of N)
  Polynomial function: a · k^m
  Exponential function: e^k
  Sub-exponential function: e^(k^(1/3) · (ln k)^(2/3))
Factoring 1024-bit RSA keys using Number Field Sieve (NFS)
1. Polynomial Selection
2. Relation Collection
   - Sieving
   - Minifactoring (Cofactoring, Norm Factoring): 200-bit and 350-bit smooth numbers; ECM, p-1 method, rho method
3. Linear Algebra
4. Square Root
Factorization records
number    decimal digits   date         time (phase 1)                   algorithm
C116      116              1990         275 MIPS years                   mpqs
RSA-120   120              VI. 1993     830 MIPS years                   mpqs
RSA-129   129              IV. 1994     5000 MIPS years                  mpqs
RSA-130   130              IV. 1996     1000 MIPS years                  gnfs
RSA-140   140              II. 1999     2000 MIPS years                  gnfs
RSA-155   155              VIII. 1999   8000 MIPS years                  gnfs
C158      158              I. 2002      3.4 Pentium 1GHz CPU years       gnfs
RSA-160   160              III. 2003    2.7 Pentium 1GHz CPU years       gnfs
RSA-576   174              XII. 2003    13.2 Pentium 1GHz CPU years      gnfs
C176      176              V. 2005      48.6 Pentium 1GHz CPU years      gnfs
RSA-200   200              V. 2005      121 Pentium 1GHz CPU years       gnfs
RSA-768   232              XII. 2009    4,400 Opteron 1 GHz CPU years    gnfs
Factorization records
Factoring RSA-768 (768 bits = 232 decimal digits)
When? Aug. 2007 - Dec. 2009
Who? Multiple researchers from EPFL, NTT, Bonn University, INRIA, MS Research, CWI
Effort? Sieving time: 3,300 Opteron 1 GHz CPU years; total time: 4,400 Opteron 1 GHz CPU years

He who has absolute confidence in linear regression will expect a 1024-bit RSA number to be factored on December 17, 2028
For the most recent records see Factorization Announcements & Records at
http://www.crypto-world.com/FactorAnnouncements.html
http://www.crypto-world.com/FactorRecords.html

TWIRL, February 2003
Adi Shamir & Eran Tromer, Weizmann Institute of Science
Hardware implementation of the sieving phase of the Number Field Sieve (NFS)
Assumed technology: CMOS, 0.13 µm, clock 1 GHz, 30 cm semiconductor wafers at the cost of $5,000 each
TWIRL
Tentative estimations (no experimental data):
512-bit RSA:    < 10 minutes, $10 k
1024-bit RSA:   < 1 year, $10 million
A. Shamir, E. Tromer, Crypto 2003
Theoretical Designs for Sieving (1)
1999-2000: TWINKLE (Shamir, CHES 1999; Shamir & Lenstra, Eurocrypt 2000)
- based on optoelectronic devices (fast LEDs)
- not even a small prototype built in practice
- not suitable for 1024 bit numbers
2003: TWIRL (Shamir & Tromer, Crypto 2003)
- semiconductor wafer design
- requires fast communication between chips located on the same 30 cm diameter wafer
- difficult to realize using current fabrication technology

Theoretical Designs for Sieving (2)
2003-2004: Mesh Based Sieving / YASD (Geiselmann & Steinwandt, PKC 2003; Geiselmann & Steinwandt, CT-RSA 2004)
- not suitable for 1024 bit numbers
2005: SHARK (Franke et al., SHARCS & CHES 2005)
- relies on an elaborate butterfly switch connecting a large number of chips
- difficult to realize using current technology

Theoretical Designs for Sieving (3)
2007: Non-Wafer-Scale Sieving Hardware (Geiselmann & Steinwandt, Eurocrypt 2007)
- based on moderate size chips (2.2 x 2.2 cm)
- communication among chips seems to be realistic
- 2 to 3.5 times slower than TWIRL
- supports only linear sieving, and not the more optimal lattice sieving
Estimated recurring costs with current technology (US$ × year)
                       768-bit      1024-bit
Traditional PC-based   1.3×10^7     10^12
TWINKLE                8×10^6
TWIRL                  5×10^3       10×10^6
Mesh-based             3×10^4
SHARK                               230×10^6
But: non-recurring costs, chip size, chip transport networks...
by Eran Tromer, May 2005

However...
Just analytical estimations, no real implementations, no concrete numbers
None of the theoretical designs ever built.
First Practical Implementation of the Relation Collection Step in Hardware
Tetsuya Izu, Jun Kogure and Takeshi Shimoyama (Fujitsu), Japan, 2007
CHES 2007 - CAIRN 2 machine, September 2007
SHARCS 2007 - CAIRN 3 machine, September 2007
First large number factored using FPGA support
Factored number: N = P · Q, 423 bits = 205 bits × 218 bits
Time of computations: one month of computations using a PC supported by CAIRN 2 for a 423-bit number
Problems:
- Speed-up vs. one PC (AMD Opteron): only about 4 times
- Limited scalability
CAIRN 3 about 40 times faster than CAIRN 2
Time of sieving with CAIRN 3 for a 768-bit key estimated at 270 years
SHARCS - Special-purpose Hardware for Attacking Cryptographic Systems
Workshop Series
1st edition: Paris, Feb. 24-25, 2005
2nd edition: Cologne, Apr. 3-4, 2006
3rd edition: Vienna, Sep. 9-10, 2007
4th edition: Lausanne, Sep. 9-10, 2009
5th edition: Washington, Mar. 17-18, 2012
See http://www.sharcs.org/
CERG Team organizing SHARCS 2012 in Washington D.C., Mar. 17-18, 2012
Key lengths in public key cryptosystems that provide the same level of security as AES and other secret-key ciphers
Arjen K. Lenstra, Eric R. Verheul, Selecting Cryptographic Key Sizes, Journal of Cryptology, 2001
Arjen K. Lenstra, Unbelievable Security: Matching AES Security Using Public Key Systems, ASIACRYPT 2001

Key lengths in RSA providing the same level of security as selected secret-key cryptosystems
(chart: RSA key length in bits, 0-18000, for DES, 3 DES (2 keys), 3 DES (3 keys), AES-128, AES-192, AES-256, under two criteria: the same number of operations and the same cost; bar values shown: 416, 620, 1333, 1723, 1941, 2426, 2644, 3224, 6897, 7918, 13840, 15387)
Key lengths in RSA providing the same level of security as selected secret-key cryptosystems
(chart: RSA key length in bits, 0-18000, vs. year 2001-2030, for DES, 3 DES (2K), 3 DES (3K), AES-128, AES-192, AES-256)

Recommendations of RSA Security Inc., May 6, 2003
Validity period   Minimal RSA key length (bits)   Equivalent symmetric key length (bits)
2003-2010         1024                            80
2010-2030         2048                            112
2030-             3072                            128
Five security levels allowed by American government (NIST SP 800-56)
Level   Symmetric ciphers   ECC    RSA / DH
I       80                  160    1024
II      112                 224    2048
III     128                 256    3072
IV      192                 384    8192
V       256                 512    15360

Most known public key cryptosystems
                Based on the difficulty of:
                Factorization   Discrete logarithm     Elliptic curve discrete logarithm
Signature       RSA             DSA, N-R               EC-DSA
Encryption      RSA             El-Gamal               EC-El-Gamal
Key agreement   RSA             Diffie-Hellman (DH)    EC-DH
IEEE P1363-2000
                 Factorization                          Discrete logarithm         Elliptic curve discrete logarithm
encryption       RSA with OAEP
signature        RSA & R-W with ISO-14888 or ISO 9796   DSA, NR with ISO 9796      EC-DSA, EC-NR with ISO 9796
key agreement                                           DH1, DH2 and MQV           EC-DH1, EC-DH2 and EC-MQV

IEEE P1363a
                 factorization                          discrete logarithm         elliptic curve discrete logarithm
encryption       RSA with OAEP; new scheme              new scheme                 new scheme
signature        RSA & R-W with ISO-14888 or ISO 9796   DSA, NR with ISO-9796      EC-DSA, EC-NR with ISO 9796
key agreement                                           DH1, DH2 & MQV             EC-DH1, EC-DH2 & EC-MQV
ANSI X9 Standards
                 factorization         discrete logarithm        elliptic curve discrete logarithm
encryption       X9.44 RSA
signature        X9.31 (RSA & R-W)     X9.30 DSA                 X9.62 EC-DSA
key agreement                          X9.42 DH1, DH2, MQV       X9.63 EC-DH1, EC-DH2, EC-MQV
Notes for users of cryptographic products (1)
Agreement with a standard does not guarantee the security of a cryptographic product!
Security =
• secure algorithms (guaranteed by standards)
• proper choice of parameters
• secure implementation
• proper use

Notes for users of cryptographic products (2)
Agreement with the same standard does not guarantee the compatibility of two cryptographic products!
Compatibility =
• the same algorithm (guaranteed by standards)
• the same protocol
• the same subset of algorithms
• the same range of parameters

Modern Cryptography: RSA, ECC, DH, DSA