8 research outputs found
On the Design and Analysis of Stream Ciphers
This thesis presents new cryptanalysis results for several different stream cipher constructions. In addition, it also presents two new stream ciphers, both based on the same design principle. The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified. By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together an adversary to take advantage of this by considering the samples in a vector form. Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen. Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80. The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware
Randomness Generation for Secure Hardware Masking - Unrolled Trivium to the Rescue
Masking is a prominent strategy to protect cryptographic implementations against side-channel analysis. Its popularity arises from the exponential security gains that can be achieved for (approximately) quadratic resource utilization. Many variants of the countermeasure tailored for different optimization goals have been proposed over the past decades. The common denominator among all of them is the implicit demand for robust and high entropy randomness. Simply assuming that uniformly distributed random bits are available, without taking the cost of their generation into account, leads to a poor understanding of the efficiency and performance of secure implementations. This is especially relevant in case of hardware masking schemes which are known to consume large amounts of random bits per cycle due to parallelism. Currently, there seems to be no consensus on how to most efficiently derive many pseudo-random bits per clock cycle from an initial seed and with properties suitable for masked hardware implementations. In this work, we evaluate a number of building blocks for this purpose and find that hardware-oriented stream ciphers like Trivium and its reduced-security variant Bivium B outperform all competitors when implemented in an unrolled fashion. Unrolled implementations of these primitives enable the flexible generation of many bits per cycle while maintaining high performance, which is crucial for satisfying the large randomness demands of state-of-the-art masking schemes. According to our analysis, only Linear Feedback Shift Registers (LFSRs), when also unrolled, are capable of producing long non-repetitive sequences of random-looking bits at a high rate per cycle even more efficiently than Trivium and Bivium B. Yet, these instances do not provide black-box security as they generate only linear outputs. We experimentally demonstrate that using multiple output bits from an LFSR in the same masked implementation can violate probing security and even lead to harmful randomness cancellations. Circumventing these problems, and enabling an independent analysis of randomness generation and masking scheme, requires the use of cryptographically stronger primitives like stream ciphers. As a result of our studies, we provide an evidence-based estimate for the cost of securely generating n fresh random bits per cycle. Depending on the desired level of black-box security and operating frequency, this cost can be as low as 20n to 30n ASIC gate equivalents (GE) or 3n to 4n FPGA look-up tables (LUTs), where n is the number of random bits required. Our results demonstrate that the cost per bit is (sometimes significantly) lower than estimated in previous works, incentivizing parallelism whenever exploitable and potentially moving low randomness usage in hardware masking research from a primary to secondary design goal
Stream ciphers for secure display
In any situation where private, proprietary or highly confidential material is being dealt with, the need to consider aspects of data security has grown ever more important. It is usual to secure such data from its source, over networks and on to the intended recipient. However, data security considerations typically stop at the recipient's processor, leaving connections to a display transmitting raw data which is increasingly in a digital format and of value to an adversary. With a progression to wireless display technologies the prominence of this vulnerability is set to rise, making the implementation of 'secure display' increasingly desirable. Secure display takes aspects of data security right to the display panel itself, potentially minimising the cost, component count and thickness of the final product. Recent developments in display technologies should help make this integration possible. However, the processing of large quantities of time-sensitive data presents a significant challenge in such resource constrained environments. Efficient high- throughput decryption is a crucial aspect of the implementation of secure display and one for which the widely used and well understood block cipher may not be best suited. Stream ciphers present a promising alternative and a number of strong candidate algorithms potentially offer the hardware speed and efficiency required. In the past, similar stream ciphers have suffered from algorithmic vulnerabilities. Although these new-generation designs have done much to respond to this concern, the relatively short 80-bit key lengths of some proposed hardware candidates, when combined with ever-advancing computational power, leads to the thesis identifying exhaustive search of key space as a potential attack vector. To determine the value of protection afforded by such short key lengths a unique hardware key search engine for stream ciphers is developed that makes use of an appropriate data element to improve search efficiency. The simulations from this system indicate that the proposed key lengths may be insufficient for applications where data is of long-term or high value. It is suggested that for the concept of secure display to be accepted, a longer key length should be used
Tester for chosen sub-standard of the IEEE 802.1Q
Tato práce se zabĂ˝vá analyzovánĂm IEEE 802.1Q standardu TSN skupiny a návrhem testovacĂho modulu. TestovacĂ modul je napsán v jazyku VHDL a je moĹľnĂ© jej implementovat do Intel Stratix® V GX FPGA (5SGXEA7N2F45C2) vĂ˝vojovĂ© desky. Standard IEEE 802.1Q (TSN) definuje deterministickou komunikace pĹ™es Ethernet sĂt, v reálnĂ©m ÄŤase, poĹľĂvánĂm globálnĂho ÄŤasu a správnĂ˝m rozvrhem vysĂlánĂm a pĹ™Ăjmem zpráv. HlavnĂ funkce tohoto standardu jsou: ÄŤasová synchronizace, plánovánĂ provozu a konfigurace sĂtÄ›. KaĹľdá z tÄ›chto funkcĂ je definovaná pomocĂ vĂce rĹŻznĂ˝ch podskupin tohoto standardu. Podle definice IEEE 802.1Q standardu je moĹľno tyto podskupiny vzájemnÄ› libovolnÄ› kombinovat. NÄ›kterĂ© podskupiny standardu nemohou fungovat nezávisle, musĂ vyuĹľĂvat funkce jinĂ˝ch podskupin standardu. Realizace funkce podskupin standardu je moĹľná softwarovÄ›, hardwarovÄ›, nebo jejich kombinacĂ. Na základÄ› výše uvedenĂ˝ch fakt, implementace podskupin standardu, kterĂ© jsou softwarovÄ› souvisejĂcĂ, byly vylouÄŤenĂ©. Taky byly vylouÄŤenĂ© podskupiny standardĹŻ, kterĂ© jsou závislĂ© na jinĂ˝ch podskupinách. IEEE 802.1Qbu byl vybrán jako vhodná část pro realizaci hardwarovĂ©ho testu. RĹŻznĂ© zpĹŻsoby testovánĂ byly vysvÄ›tleny jako DFT, BIST, ATPG a dalšà jinĂ© techniky. Pro hardwarovĂ© testovánĂ byla vybrána „Protocol Aware (PA)“technika, protoĹľe tato technika zrychluje testovánĂ, dovoluje opakovanou pouĹľitelnost a taky zkracuje dobu uvedenĂ na trh. TestovacĂ modul se skládá ze dvou objektĹŻ (generátor a monitor), kterĂ© majĂ implementovanou IEEE 802.1Qbu podskupinu standardu. Funkce generátoru je vygenerovat náhodnĂ© nebo nenáhodnĂ© impulzy a potom je poslat do testovanĂ©ho zaĹ™Ăzeni ve správnĂ©m definovanĂ©m protokolu. Funkce monitoru je pĹ™ijat ethernet rámce a ověřit jejich správnost. Objekty jsou navrhnuty stejnĂ˝m zpĹŻsobem na „TOP“úrovni a skládajĂ se ze ÄŤtyĹ™ modulĹŻ: Avalon MM rozhranĂ, dvou šablon a jednoho portu. Avalon MM rozhranĂ bylo vytvoĹ™eno pro komunikaci softwaru s hardwarem. Tento modul pĹ™ijme pakety ze softwaru a potom je dekĂłduje podle definovanĂ©ho protokolu a „pod-protokolu “. „Pod-protokol“se skládá z pĹ™Ăkazu a hodnoty danĂ©ho pĹ™Ăkazu. Podle dekĂłdovanĂ©ho pĹ™Ăkazu a hodnot danĂ˝ch pĹ™Ăkazem je kontrolovanĂ˝ celĂ˝ objekt. Ĺ ablona se pouĹľĂvá na generovánĂ nebo ověřovánĂ náhodnĂ˝ch nebo nenáhodnĂ˝ch dat. DvÄ› šablony byly implementovány pro expresnĂ ověřovánĂ nebo preempÄŤnĂ transakce, definovanĂ© IEEE 802.1Qbu. Porty byly vytvoĹ™enĂ© pro komunikaci mezi testovanĂ˝m zaĹ™ĂzenĂm a šablonou podle danĂ©ho standardu. Port „generátor“má za Ăşkol vybrat a vyslat rámce podle priority a ÄŤasu vysĂlanĂ. Port „monitor“pĹ™ijme rámce do „content-addressable memory”, která ověřuje priority rámce a podle toho je posĂlá do správnĂ© šablony. VĂ˝sledky prokázaly, Ĺľe tato testovacĂ technika dosahuje vysokĂ© rychlosti a rychlĂ© implementace.This master paper is dealing with the analysis of IEEE 802.1Q group of TSN standards and with the design of HW tester. Standard IEEE 802.1Qbu has appeared to be an optimal solution for this paper. Detail explanation of this sub-standard are included in this paper. As HW test the implementation, a protocol aware technique was chosen in order to accelerate testing. Paper further describes architecture of this tester, with detail explanation of the modules. Essential issue of protocol aware controlling objects by SW, have been resolved and described. Result proof that this technique has reached higher speed of testing, reusability, and fast implementation.
On Some Symmetric Lightweight Cryptographic Designs
This dissertation presents cryptanalysis of several symmetric lightweight primitives, both stream ciphers and block ciphers. Further, some aspects of authentication in combination with a keystream generator is investigated, and a new member of the Grain family of stream ciphers, Grain-128a, with built-in support for authentication is presented. The first contribution is an investigation of how authentication can be provided at a low additional cost, assuming a synchronous stream cipher is already implemented and used for encryption. These findings are then used when presenting the latest addition to the Grain family of stream ciphers, Grain-128a. It uses a 128-bit key and a 96-bit initialization vector to generate keystream, and to possibly also authenticate the plaintext. Next, the stream cipher BEAN, superficially similar to Grain, but notably using a weak output function and two feedback with carry shift registers (FCSRs) rather than linear and (non-FCSR) nonlinear feedback shift registers, is cryptanalyzed. An efficient distinguisher and a state-recovery attack is given. It is shown how knowledge of the state can be used to recover the key in a straightforward way. The remainder of this dissertation then focuses on block ciphers. First, a related-key attack on KTANTAN is presented. The attack notably uses only a few related keys, runs in less than half a minute on a current computer, and directly contradicts the designers' claims. It is discussed why this is, and what can be learned from this. Next, PRINTcipher is subjected to linear cryptanalysis. Several weak key classes are identified and it is shown how several observations of the same statistical property can be made for each plaintext--ciphertext pair. Finally, the invariant subspace property, first observed for certain key classes in PRINTcipher, is investigated. In particular, its connection to large linear biases is studied through an eigenvector which arises inside the cipher and leads to trail clustering in the linear hull which, under reasonable assumptions, causes a significant number of large linear biases. Simulations on several versions of PRINTcipher are compared to the theoretical findings
Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs
Performance in hardware has been demonstrated to be an important factor in the evaluation of candidates for cryptographic standards. Up to now, no consensus exists on how such an evaluation should be performed in order to make it fair, transparent, practical, and acceptable for the majority of the cryptographic community. In this report, we formulate a proposal for a fair and comprehensive evaluation methodology, and apply it to the comparison of hardware performance of 14 Round~2 SHA-3 candidates. The most important aspects of our methodology include the definition of clear performance metrics, the development of a uniform and practical interface, generation of multiple sets of results for several representative FPGA families from two major vendors, and the application of a simple procedure to convert multiple sets of results into a single ranking.
The VHDL codes for 256 and 512-bit variants of all 14 SHA-3 Round 2 candidates and the old standard SHA-2 have been developed and thoroughly verified. These codes have been then used to evaluate the relative performance of all aforementioned algorithms using ten modern families of Field Programmable Gate Arrays (FPGAs) from two major vendors, Xilinx and Altera. All algorithms have been evaluated using four performance measures: the throughput to area ratio, throughput, area, and the execution time for short messages. Based on these results, the 14 Round 2 SHA-3 candidates have been divided into several groups depending on their overall performance in FPGAs
Authentication Using Lightweight Cryptography
DisertaÄŤnĂ práce se zabĂ˝vá kryptografickĂ˝mi protokoly zajišťujĂcĂ zabezpeÄŤenou autentizaci komunikujĂcĂch stran, jenĹľ jsou urÄŤeny primárnÄ› pro implementaci na nĂzkonákladovĂ˝ch zaĹ™ĂzenĂch vyuĹľĂvanĂ˝ch v Internetu vÄ›cĂ. NĂzkonákladová zaĹ™ĂzenĂ pĹ™edstavujĂ vĂ˝poÄŤetnÄ›, paměťovÄ› a napěťovÄ› omezená zaĹ™ĂzenĂ. Práce se zaměřuje pĹ™edevšĂm na moĹľnosti vyuĹľitĂ matematicky nenároÄŤnĂ˝ch kryptografickĂ˝ch prostĹ™edkĹŻ pro zajištÄ›nĂ integrity, bezpeÄŤnĂ© autentizace a dĹŻvÄ›rnosti pĹ™enášenĂ˝ch dat na nĂzkonákladovĂ˝ch zaĹ™ĂzenĂch. HlavnĂ cĂle práce se zaměřujĂ na návrh novĂ˝ch pokroÄŤilĂ˝ch kryptografickĂ˝ch protokolĹŻ zajišťujĂcĂ integritu pĹ™enášenĂ˝ch dat, autentizaci, zabezpeÄŤenĂ˝ pĹ™enos dat mezi dvÄ›ma nĂzkonákladovĂ˝mi zaĹ™ĂzenĂmi a autentizaci s nepopiratelnostĂ uskuteÄŤnÄ›nĂ˝ch událostĂ. Práce popisuje návrhy třà autentizaÄŤnĂch protokolĹŻ, jednoho jednosmÄ›rnĂ©ho autentizaÄŤnĂho protokolu a dvou obousmÄ›rnĂ˝ch autentizaÄŤnĂch protokolĹŻ. Práce takĂ© popisuje návrhy dvou protokolĹŻ pro zabezpeÄŤenĂ˝ pĹ™enos dat mezi dvÄ›ma zaĹ™ĂzenĂmi, jednoho bez potvrzenĂ pĹ™Ăjmu dat a jednoho s potvrzenĂm pĹ™Ăjmu dat. V práci je dále provedena bezpeÄŤnostnĂ analĂ˝za a diskuze k navrĹľenĂ˝m protokolĹŻm.The dissertation thesis deals with cryptographic protocols for secure authentication of communicating parties, which are intended primarily for low-cost devices used in Internet of Things. Low-cost devices represent computationally, memory and power constrained devices. The thesis focuses mainly on the possibilities of using mathematically undemanding cryptographic resorces for ensuring integrity of transmitted dat, authenticity of and secured transmission of data on low-cost devices. The main goals of the thesis focus on the design of new advanced cryptographic protocols for ensuring integrity of transmitted data, authenticity, confidentiality of transmitted data between low-cost devices and authenticity with non-repudiation of done events. The thesis describes proposal of three authentication protocols, one unilateral authentication protocol and two mutual authentication protocols. The thesis also describes proposals of two protocols for secured transmission of data between two devices, one protocol without a proof of receipt data and one protocol with proof of receipt data. In this thesis is also performed a security analysis and a discussion to proposed protocols.