Page 1
1
1. SHA-3 contest - Your Round 3 Report
2. Analyzing the Influence of a Computer Platform on Ranking of the SHA-3
Candidates in Terms of Performance in Software
3. Homomorphic Encryption
4. Security of GSM and 3G/4G Telephony
5. Security of Metro/Subway Cards
6. Security of Voting Machines
7. Survey of Codebreaking Machines and Projects Based on FPGAs,
GPUs, Cell processors, etc.
8. Encryption Schemes for Copy Protection of Digital Media
Analytical Projects
Page 2
Cryptographic StandardContests
Cryptographic StandardContests
Page 3
Cryptographic Standards Before 1997
time
1970 1980 1990 2000 2010
DES – Data Encryption Standard
1977 1999
Triple DES
SHA-1–Secure Hash Algorithm
SHA-2
Secret-Key Block Ciphers
Hash Functions 1995 20031993
SHA
2005
NSA
IBM& NSA
Page 4
Why a Contest for a Cryptographic Standard?
• Avoid back-door theories
• Speed-up the acceptance of the standard
• Stimulate non-classified research on methods of
designing a specific cryptographic transformation
• Focus the effort of a relatively small cryptographic
community
Page 5
Cryptographic Standard Contests
time
96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13
AES
NESSIE
CRYPTREC
eSTREAM
SHA-3
34 stream ciphers 4 HW winners + 4 SW winners
51 hash functions 1 winner
15 block ciphers 1 winner
IX.1997 X.2000
I.2000 XII.2002
V.2008
X.2007 XII.2012
XI.2004
Page 6
6
Cryptographic Contests - Evaluation Criteria
Security
Software Efficiency Hardware Efficiency
Simplicity
FPGAs ASICs
Flexibility Licensing
μProcessors μControllers
Page 7
AESContest
1997-2000
AESContest
1997-2000
Page 8
Rules of the Contest
Each team submits
Detailedcipher
specification
Justificationof designdecisions
Tentativeresults
of cryptanalysis
Sourcecodein C
Sourcecode
in Java
Testvectors
Page 9
AES: Candidate Algorithms
USA: MarsRC6TwofishSafer+HPC
Canada:CAST-256Deal
Costa Rica:Frog
Australia:LOKI97
Japan:E2
Korea:Crypton
Belgium:Rijndael
France:DFC
Germany:Magenta
Israel, UK,Norway:
Serpent
8 42
1
Page 10
AES Contest Timeline
15 Candidates CAST-256, Crypton, Deal, DFC, E2, Frog, HPC, LOKI97, Magenta, Mars,
RC6, Rijndael, Safer+, Serpent, Twofish,
June 1998
August 1999
October 2000
1 winner: RijndaelBelgium
5 final candidatesMars, RC6, Twofish (USA)Rijndael, Serpent (Europe)
Round 1
Round 2
SecuritySoftware efficiency
SecuritySoftware efficiencyHardware efficiency
Page 11
Security: Theoretical attacks better than exhaustive key search
0 5 10 15 20 25 30 35
Twofish
Serpent
Rijndael
RC6
Mars without 16 mixing rounds
# of rounds in the attack/total # of rounds
6 16
329
7 10
15 20
1611
23
10
5
3
5
Page 12
0 10 20 30 40 50 60 70 80 90 100
Twofish
Serpent
Rijndael
RC6
Mars
Security: Theoretical attacks better than exhaustive key search
# of rounds in the attack/total # of rounds 100%
28% 72%
38% 62%
69% 31%
70% 30%
75% 25%
Page 13
Security: Authors of attacks
Team Attacked cipher
Twofish
MARSKelsey, Kohno, SchneierFerguson, Stay, Wagner, Whiting Serpent
Knudsen, MeierSerpent
RC6
Rijndael
TwofishLucks, U. MannheimGilbert, Minier, France Telecom
Other groups
Gilbert, Handschuh, Joux, Vaudenay, France Telecom
Page 14
Security
Simplicity
High
Adequate
SimpleComplex
NIST Report: Security & Simplicity
MARS
Rijndael
SerpentTwofish
RC6
Page 15
0
5
10
15
20
25
30
SerpentRijndael TwofishRC6 Mars
Efficiency in software: NIST-specified platform
128-bit key
192-bit key
256-bit key
200 MHz Pentium Pro, Borland C++
Throughput [Mbits/s]
Page 16
AES Contest: Encryption time in clock cycles on various platforms
Twofish team: Bruce Schneier & Doug Whiting
better
Page 17
NIST Report: Software Efficiency
Encryption and Decryption Speed
32-bitprocessors
64-bitprocessors
DSPs
high
medium
low
RC6
RijndaelMars
Twofish
Serpent
RijndaelTwofish
MarsRC6
Serpent
RijndaelTwofish
MarsRC6
Serpent
Page 18
NIST Report: Software EfficiencyEncryption and decryption speed in software
on smart cards
8-bit processors
32-bit processors
high
medium
low
Rijndael
RC6Mars
Twofish
Serpent
RijndaelRC6
Mars
TwofishSerpent
Page 19
Efficiency in Software
Strong dependence on:
1. Instruction set architecture (e.g., variable rotations)
2. Programming language (assembler, C, Java)
3. Compiler
5. Programming style
4. Compiler options
Page 20
Efficiency in FPGAs: Speed
0
50
100
150
200
250
300
350
400
450
500
Throughput [Mbit/s]
Serpent x8
Rijndael Twofish RC6 MarsSerpent x1
431 444
414
353
294
177173
104
149
62
143
11288
102
61
Worcester Polytechnic Institute
University of Southern California
George Mason University
Xilinx Virtex XCV-1000
Page 21
0
100
200
300
400
500
600
700
Rijndael Twofish RC6 MarsSerpent x1
606
202
105 10357
443
202
105 10457
3-in-1 (128, 192, 256 bit) key scheduling
128-bit key scheduling
Efficiency in ASICs: Speed
Throughput [Mbit/s]MOSIS 0.5μm, NSA Group
Page 22
Results for ASICs matched very well results for FPGAs,and were both very different than software
FPGA ASIC
Serpent fastest in hardware, slowest in software
GMU+USC, Xilinx Virtex XCV-1000 NSA Team, ASIC, 0.5μm MOSIS
Lessons Learned
x8
x1x1
Page 23
Hardware results matter!
Speed in FPGAs Votes at the AES 3 conference
Final round of the AES Contest, 2000
Lessons Learned
GMU results
Page 24
• Optimization for maximum throughput
• Single high-speed architecture per candidate
• No use of embedded resources of FPGAs (Block RAMs, dedicated multipliers)
• Single FPGA family from a single vendor:
Xilinx Virtex
Limitations of the AES Evaluation
Page 25
SHA-3Contest
2007-2012
SHA-3Contest
2007-2012
Page 26
NIST SHA-3 Contest - Timeline
51 candidates
Round 114 5 1
Round 3
July 2009 Dec. 2010 Mid 2012
Oct. 2008
Round 2
Page 27
SHA-3 Contest – Recent and Future Milestones
23 Aug 2010 – Second SHA-3 Candidate Conference, Santa Barbara, USA
9 Dec 2010 – Announcement of 5 algorithms qualified to Round 3
31 Jan 2011 – Acceptance of final tweaks for Round 3 Candidates
16 Feb 2011 – Publication of Round 2 report
22 Mar 2012 – Third SHA-3 Candidate Conference, Washington D.C.
or Gaithersburg, MD, USA
Summer 2012 – Announcement of the winner
Beginning of 2013 – Publication of the new FIPS standard
Page 28
28
eBACS: ECRYPT Benchmarking of Cryptographic Systems:
• measurements on multiple machines (currently over 90)
• each implementation is recompiled multiple times
(currently over 1600 times) with various compiler options
• time measured in clock cycles/byte for multiple
input/output sizes
• median, lower quartile (25th percentile), and upper quartile
(75th percentile) reported
• standardized function arguments (common API)
SUPERCOP - toolkit developed by D. Bernstein and T. Lange for measuring performance of cryptographic software
http://bench.cr.yp.to/
Page 29
SUPERCOP Extension for Microcontrollers – XBX: 2009-present
Christian Wenzel-Benner, ITK Engineering AG, Germany
Jens Gräf, LiNetCo GmbH, Heiger, Germany
Developers:
Allows on-board timing measurements
Supports at least the following microcontrollers:
8-bit:Atmel ATmega1284P (AVR)
32-bit:TI AR7 (MIPS)Atmel AT91RM9200 (ARM 920T)Intel XScale IXP420 (ARM v5TE)Cortex-M3 (ARM)
Page 30
ATHENa – Automated Tool for Hardware EvaluatioN
30
Open-source benchmarking environment, written in Perl, aimed at
AUTOMATED generation of OPTIMIZED results for MULTIPLE hardware platforms.
The most recent version0.6.2 released in June 2011.Full features in ATHENa 1.0
to be released in 2012.
http://cryptography.gmu.edu/athena
Page 31
ATHENaServer
FPGA Synthesis and Implementation
Result Summary+ Database Entries
2 3
HDL + scripts + configuration files
1
Database Entries
Download scripts and
configuration files8
Designer
4
HDL + FPGA Tools
User
Databasequery
Ranking of designs
5
6
Basic Dataflow of ATHENa
0
Interfaces+ Testbenches 31
Page 32
32
1. Low Area Implementation of a Selected Lightweight Hash Function
2. Use of Embedded FPGA Resources (BRAMs, DSP units, etc.) in
Implementations of 5 Round 3 SHA-3 Candidates
3. Your ECE 545 project + extension discussed with the Instructor
Hardware Projects
Page 33
33
1. Optimizing Best Available Software Implementations of the SHA-3
candidates (using coding techniques, special instructions, assembly
language, etc.).
2. Comparing the sphlib 2.1 C (or Java) Implementations of Hash Functions
with the Best C (or Java) Implementations Submitted to eBACS.
3. Porting Selected C Implementations of the SHA-3 Candidates to the TI
MSP430 microcontroller or Other Microcontroller Available to You.
4. Software Implementations of Selected Lightweight Hash Functions.
Software Projects