Comparison of 256-bit stream ciphers
D. J. Bernstein

Thanks to:
University of Illinois at Chicago
Denmark Technical University
Alfred P. Sloan Foundation

Speed graphs in this talk:
Cipher implementations from cipher authors
Timing tools (De Cannière)
Timings on various machines
Graphing tools (Bernstein)
Security disasters

Attack claimed on YAMB: "2^58."
Attack claimed on Py: "2^72." Presumably also Py6.
Attack claimed on SOSEMANUK: "2^226."

Is there any dispute about these attacks?
If not: Reject YAMB etc. as competition for 256-bit AES.
Speed disasters

FUBUKI is slower than AES in all of these benchmarks.
Any hope of faster FUBUKI? If not: Reject FUBUKI.

VEST is extremely slow in all of these benchmarks.
On the other hand, VEST is claimed to be faster in hardware.
Remaining 256-bit ciphers

CryptMT, DICING, Dragon, HC-256, Phelix, Salsa20.

Could say, e.g., "CryptMT is practically always slower than Phelix and should be eliminated"; but what if Phelix is broken?

Attacks on Py, SOSEMANUK were published in December. Need more time for cryptanalysis.
Speedup: security margin

Can speed up AES by reducing rounds from 14 to, e.g., 10. No known attacks.
Can speed up Salsa20 by reducing rounds from 20 to, e.g., 12 or 8. No known attacks.

Do any other submissions have a security margin?
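The slide above treats the round count as a speed/security-margin dial. The following is an added example written for this page, not Bernstein's reference implementation and not code from the talk: the Salsa20 hash function on one 64-byte block with the number of rounds as a parameter (20, 12 or 8), plus a rough timing loop. The quarterround, column/row double-round structure and final feed-forward follow the Salsa20 specification; the timings it prints are machine-dependent and are not the benchmarks from the talk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example: Salsa20 hash function with a variable round count.
   Not Bernstein's reference code; round structure per the Salsa20 spec. */

static uint32_t rotl32(uint32_t v, unsigned c) {
    return (v << c) | (v >> (32 - c));
}

/* Spec quarterround applied to the words x[a], x[b], x[c], x[d] in place. */
static void qr(uint32_t *x, int a, int b, int c, int d) {
    x[b] ^= rotl32(x[a] + x[d], 7);
    x[c] ^= rotl32(x[b] + x[a], 9);
    x[d] ^= rotl32(x[c] + x[b], 13);
    x[a] ^= rotl32(x[d] + x[c], 18);
}

/* Quarterround on a 4-word array, exposed so it can be checked against
   the spec's published example quarterround(1,0,0,0). */
void salsa20_quarterround(uint32_t y[4]) { qr(y, 0, 1, 2, 3); }

static uint32_t load32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store32_le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 64-byte block in, 64-byte block out. rounds must be even (20, 12, 8).
   in and out may alias: the input is fully loaded before any store.
   Returns 0 on success, -1 for an invalid round count. */
int salsa20_core(uint8_t out[64], const uint8_t in[64], int rounds) {
    uint32_t x[16], j[16];
    if (rounds <= 0 || rounds % 2) return -1;
    for (int i = 0; i < 16; i++) x[i] = j[i] = load32_le(in + 4 * i);
    for (int r = 0; r < rounds; r += 2) {
        /* column round */
        qr(x, 0, 4, 8, 12); qr(x, 5, 9, 13, 1);
        qr(x, 10, 14, 2, 6); qr(x, 15, 3, 7, 11);
        /* row round */
        qr(x, 0, 1, 2, 3); qr(x, 5, 6, 7, 4);
        qr(x, 10, 11, 8, 9); qr(x, 15, 12, 13, 14);
    }
    for (int i = 0; i < 16; i++) store32_le(out + 4 * i, x[i] + j[i]);
    return 0;
}

/* Self-checks with results the spec fixes: the example quarterround
   vector, and the all-zero block mapping to the all-zero block. */
int check_quarterround_vector(void) {
    uint32_t y[4] = {1, 0, 0, 0};
    salsa20_quarterround(y);
    return y[0] == 0x08008145u && y[1] == 0x00000080u &&
           y[2] == 0x00010200u && y[3] == 0x20500000u;
}
int check_zero_block(int rounds) {
    uint8_t zero[64] = {0}, out[64];
    return salsa20_core(out, zero, rounds) == 0 && memcmp(out, zero, 64) == 0;
}
/* Reduced-round outputs differ from the full 20-round output on a
   constructed non-zero block (bytes 0..63). */
int check_rounds_differ(int reduced) {
    uint8_t in[64], a[64], b[64];
    for (int i = 0; i < 64; i++) in[i] = (uint8_t)i;
    if (salsa20_core(a, in, reduced) || salsa20_core(b, in, 20)) return 0;
    return memcmp(a, b, 64) != 0;
}

/* Rough cost per block; chaining out->in keeps the loop alive. */
static double ns_per_block(int rounds, long blocks) {
    uint8_t buf[64] = {1};
    clock_t t0 = clock();
    for (long n = 0; n < blocks; n++) salsa20_core(buf, buf, rounds);
    static volatile uint8_t sink; sink = buf[0];
    return (double)(clock() - t0) / CLOCKS_PER_SEC * 1e9 / (double)blocks;
}

int main(void) {
    printf("quarterround vector ok: %d\n", check_quarterround_vector());
    int r[3] = {20, 12, 8};
    for (int i = 0; i < 3; i++)
        printf("Salsa20/%d: %.1f ns per 64-byte block (this machine)\n",
               r[i], ns_per_block(r[i], 200000));
    return 0;
}
```

The cost scales almost linearly with the round count, which is the whole point of the slide: Salsa20/12 and Salsa20/8 buy speed by spending security margin, and whether that margin is affordable is a cryptanalysis question, not a benchmarking one.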
Slowdown: forgeries

Packets must be authenticated.
State of the art: Poly1305, around 4 cycles per byte plus encrypting 16 bytes.

Fastest encryption implies fastest authenticated encryption? Not necessarily!
Phelix includes authentication.
Benchmarks need to cover this.
Slowdown: timing attacks

Typical AES software leaks key through timing. Often attacker can see timing.
Constant-time AES software is considerably slower.

Slowdown depends on cipher.
CryptMT, Phelix, Salsa20: 0.
DICING, Dragon, HC-256: ?
Benchmarks need to cover this.
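The slide says constant-time AES software is considerably slower without saying why. The following added example, written for this page and not taken from the talk or from any AES library, shows the mechanism on a generic 256-entry byte table: a table-driven cipher does one load at a secret-dependent address, while a constant-time lookup touches every entry and selects the wanted one with masks. The table contents are a constructed permutation, not an AES S-box, and the timing loop's numbers are machine-dependent.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Added example: variable-time vs constant-time table lookup.
   Not code from the talk; the table is a constructed stand-in for an S-box. */

#define TABLE_SIZE 256

/* Constructed permutation of 0..255: i*7+3 mod 256 is a bijection
   because gcd(7, 256) = 1. */
static uint8_t table[TABLE_SIZE];
static void init_table(void) {
    for (int i = 0; i < TABLE_SIZE; i++) table[i] = (uint8_t)(i * 7 + 3);
}

/* Fast, variable-time: a single load whose address depends on idx.
   In a table-driven cipher idx is derived from key and input, so the
   cache line touched, and hence the timing, depends on the secret. */
uint8_t lookup_fast(const uint8_t *t, uint8_t idx) { return t[idx]; }

/* Constant-time: read every entry in the same order regardless of idx
   and keep the matching one with an arithmetic (branch-free) mask. */
uint8_t lookup_ct(const uint8_t *t, uint8_t idx) {
    uint8_t result = 0;
    for (unsigned j = 0; j < TABLE_SIZE; j++) {
        /* eq is 1 when j == idx, else 0: (x - 1) >> 31 is 1 only for x == 0 */
        uint32_t eq = ((uint32_t)(j ^ idx) - 1u) >> 31;
        uint8_t mask = (uint8_t)(0u - eq);      /* 0xFF when equal, else 0x00 */
        result |= t[j] & mask;
    }
    return result;
}

/* 1 when both lookups agree on every index of t. */
int lookups_agree(const uint8_t *t) {
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        if (lookup_fast(t, (uint8_t)i) != lookup_ct(t, (uint8_t)i)) return 0;
    return 1;
}

/* Initialise the constructed table and confirm the two lookups match. */
int selftest(void) {
    init_table();
    return lookups_agree(table);
}

/* Cost per lookup; chaining idx through the result keeps the loop live. */
static double ns_per_lookup(uint8_t (*f)(const uint8_t *, uint8_t), long n) {
    uint8_t idx = 0;
    clock_t t0 = clock();
    for (long k = 0; k < n; k++) idx = f(table, idx);
    double secs = (double)(clock() - t0) / CLOCKS_PER_SEC;
    static volatile uint8_t sink; sink = idx;
    return secs * 1e9 / (double)n;
}

int main(void) {
    printf("lookups agree: %d\n", selftest());
    printf("fast lookup: %.2f ns (this machine)\n", ns_per_lookup(lookup_fast, 2000000));
    printf("constant-time lookup: %.2f ns (this machine)\n", ns_per_lookup(lookup_ct, 2000000));
    return 0;
}
```

The gap between the two numbers is the price of the constant-time variant. A cipher built entirely from additions, XORs and rotations on registers (the slide's "CryptMT, Phelix, Salsa20: 0") never pays it, because it has no secret-indexed table to begin with; a table-driven design pays it on every lookup, which is why it belongs in the benchmark.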
Recommend
More recommend