VAMPIRE: Virtual Application and Implementation Research Lab
ECRYPT: Achievements and Perspectives
Antwerp, May 27-28, 2008
Tanja Lange (Technical University of Eindhoven)
Christof Paar (Ruhr University Bochum)

Overview (planning notes)
1. Intro VAMPIRE (3) CHRISTOF
2. Workshops (3) Christof
   • SHARCS
   • RFID
   • SECSI
   Legend: (number) = approximate number of slides; name = main person responsible, input from the esteemed co-leader welcome
3. Summer Schools (3) Tanja
   • ECC
   • HW summer school
   • TC
4. Selected Research Activities (3) Tanja
   • eBATS
   • SCA Lounge
   • PRESENT
5. Interactions with other VL (1): Tanja – eSTREAM, PRESENT, CASE, ???; ideally just one picture with VAMPIRE in the middle
6. Major Outcomes (1-2): SHARCS, RFID, eBATS, CACE, PRESENT, SCA lounges (note: of course redundant with the other slides, we may not need it)
Overview
1. Introduction to VAMPIRE
2. Workshops
3. Summer Schools
4. Selected Research Activities
5. Outlook

Why do we need Implementation Research? (or: Why do we need VAMPIRE?)
1. Many real-world attacks exploit implementation weaknesses
   – Ex: side-channel attacks, fault injection attacks
2. Often, new schemes are only practical if efficiently implemented
   – Ex: early days of elliptic curves and (until recently) hyperelliptic curves
3. Interaction between implementation and cipher design
   – Ex: lightweight ciphers are crucial for RFID security
⇒ Crypto engineering is an integral part of IT security
VAMPIRE Working Groups
[Figure: three working groups – VAM 1 (Software), VAM 2 (Hardware), VAM 3 (Side-channel)]
• VAM 1: Software Implementation – WP leader: Bristol, D. Page; co-leader: Gemplus, C. Clavier
• VAM 2: Hardware Implementation – WP leader: IAIK TU Graz, S. Tillich; T. Popp
• VAM 3: Side-channel Attacks – WP leader: UCL, J.-J. Quisquater, F.X. Standaert
http://www.rub.de/itsc/tanja/vampire/

VAMPIRE Topics
VAM1 – SW
– general implementation techniques and automation
– benchmarking of public-key cryptography
– curve-based cryptography; pairings
VAM2 – HW
– RFID and lightweight algorithms and implementations
– instruction set extensions
– special-purpose hardware for cryptanalysis
– stream cipher performance analysis
VAM3 – Side-Channel Resistance
– power analysis attacks against FPGA implementations
– masking methods as countermeasures
– particular side-channel attacks and countermeasures
– theoretical models of side-channel attacks
VAMPIRE Partners
[Figure: partners and leaders grouped by working group VAM 1 / VAM 2 / VAM 3: KUL RUB RHUL INRIA BRIS G+ UCL IEM IAIK Axa Master EDI TUE LUND lto card]
• 14 partners: 10 universities + 4 companies
• 44% of all ECRYPT partners
• 44% of all industry partners
Workshops – Christof
• SHARCS (done?)
• RFID – Christof?
• SECSI – Christof?
• we should also include SPEED and CRASH
• SPEED (done)
• CRASH – Christof?
SHARCS: Special-Purpose Hardware for Attacking Cryptographic Systems
• First workshop ever on breaking crypto with special-purpose computers.
• Topics covered:
  • FPGAs for cryptanalysis
  • clusters of standard computers
  • factoring circuits
  • specific symmetric and asymmetric attacks
  • optical devices for cryptanalysis

SHARCS: Special-Purpose Hardware for Attacking Cryptographic Systems
• SHARCS 05 – Paris
  – 8 invited speakers (Bernstein, Lenstra, Quisquater, Sale, Shamir, Steinwandt, Tromer, Wiener)
  – very positive feedback; stimulation of new research
• SHARCS 06 – Cologne
  – 4 invited speakers (Franke, Gaj, Gara, Leblebici)
  – COPACOBANA
• SHARCS 2007 – Vienna
  – FPGA implementation of the sieving step
SHARCS: Special-Purpose Hardware for Attacking Cryptographic Systems
• Topics:
  • FPGAs for cryptanalysis
  • clusters of standard computers
  • routing protocols
  • index calculus attacks
  • factoring circuits
  • specific block and stream ciphers
  • optical devices for cryptanalysis
  • analog computers for cryptanalysis
http://www.sharcs.org

Brief History of SHARCS
• SHARCS 2005, Paris
  – 8 invited speakers (Bernstein, Lenstra, Quisquater, Sale, Shamir, Steinwandt, Tromer, Wiener)
  – very positive feedback; stimulation of new research
• SHARCS 2006, Cologne
  – 4 invited speakers (Franke, Gaj, Gara, Leblebici)
  – COPACOBANA, 80-bit stream cipher analysis (eSTREAM)
• SHARCS 2007, Vienna
  – FPGA implementation of the sieving step
Copacobana
http://www.copacobana.org/

RFIDSec
• First workshop addressing cryptographic issues of RFID
• Topics covered:
  • New applications for secure RFID systems
  • Privacy-enhancing techniques for RFID
  • Cryptographic protocols for RFID
  • Resource-efficient implementation
• Workshops:
  • RFIDSec 05 & 06 – Graz
  • RFIDSec 07 – Malaga
  • RFIDSec 08 – Budapest
• Some major outcomes:
  • New security protocols
  • much better understanding of low-cost crypto
  • to be continued
SECSI – Secure Component and System Identification
• First workshop ever addressing component ID
• Why?
  • Anti-counterfeiting of pharmaceuticals, textiles, ICs, …
  • Spare-part controls of machines, cars, …
  • …
• Topics covered:
  • Physical Unclonable Functions (PUFs)
  • Cryptographic protocols and algorithms
  • RFID and component identification
  • Non-technical aspects of device identification
• SECSI 2008 in Berlin, www.secsi-workshop.org
• Some major outcomes:
  • Bringing together people with diverse backgrounds
  • Many open challenges identified

SPEED 2007: Software Performance Enhancement for Encryption and Decryption
• Topics covered:
  • Software implementation of hash functions, public- and symmetric-key systems
  • Algorithmic speed-ups
  • CPU-specific speed-ups
  • Benchmarking
  • Cryptographic software engineering tools
  • Compilers for efficient code and executables
  • Compilers to introduce cryptographic security
• Workshops:
  • SPEED 2007, Amsterdam
http://www.hyperelliptic.org/SPEED
Single Workshops
CRASH – CRyptographic Advances in Secure Hardware
– KU Leuven, 2005
– Topics: secure and efficient cryptographic hardware
– Most of the leading European players present
Workshop on Secure Embedded Implementations
– co-located with DATE (Design, Automation and Test in Europe)
– Nice, 2007
– Secure implementation, efficient implementation, evaluation
VAMPIRE Summer Schools
• School on Elliptic Curve Cryptography, 2004, Bochum
  – co-located with ECC Workshop
  – has become an annual event
  – www.rub.de/itsc/tanja/summerschool/
• School on Cryptographic Hardware, Side-Channel and Fault Attacks, 2006, Louvain-la-Neuve
  – first ever summer school on this topic
  – co-located with SCARD event (important IP project)
  – www.dice.ucl.ac.be/crypto/sumschool.htm
• School on Trusted Computing, 2007, Bochum
  – joint event of PROVILAB and VAMPIRE
  – major industry interest
  – www.softeng.ox.ac.uk/etiss/

Overview
1. Introduction to VAMPIRE
2. Workshops
3. Summer Schools
4. Selected Research Activities
5. Interactions with other VL
6. Major Outcomes
Selected Research Activities – Tanja
• eBATS (done)
• SCA Lounge (done)
• PRESENT – Christof, could you please take care of this
• also added: results (CACE;
• Christof, please complete!
eBATS: ECRYPT Benchmarking of Asymmetric Systems
• 17 Benchmarkable Asymmetric Tools (BATs) submitted
  • with parametrization: 116 different public key systems
  • 451,13 lines of (written) code in BATs
• Timings obtained on 22 computers, covering 5 different architectures:
  • amd64, ia64, ppc32, sparcv9, x86
• Measurements:
  • time to generate public/secret key pair
  • time to encrypt/decrypt
  • time to sign/verify
  • time to share a secret
  • lengths of public/secret keys
  • length of ciphertext
  • length of signed message
  • length of shared secret
http://www.ecrypt.eu.org/ebats/

Raw eBATS Data
• 8 out of the 3227696 lines of BATMAN output:
Example of eBATS Output
[Figure: graph of timings on a Pentium M laptop; cf. D.VAM9, p. 51]

VAMPIRE Lounge (1)
AES Lounge (maintained by IAIK)
– implementation of AES in software and hardware
– special architectures for high-speed or low-cost
– instruction set extensions
– side-channel and fault attacks on AES
– general security considerations
– lots of references to research papers on AES
http://www.iaik.tu- t/ h/k t /AES/i d h
VAMPIRE Lounge (2)
Side-Channel Lounge (maintained by RUB)
– definitions of active and passive attacks, and of simple and differential attacks
– extensive glossary
– grouped by type of attack and by algorithm
– presents attacks as well as countermeasures
– lots of references with links to papers and reports on SCA; extensive bibliography
http://www.crypto.rub.de/en_sclounge.html

PRESENT – A New Block Cipher for RFID
[Figure: PRESENT round structure – plaintext P, key register and key schedule, S-box layer (S), permutation layer, ciphertext C]
• An aggressively hardware-optimized block cipher
• joint work of France Telecom, TU Denmark, Ruhr Uni Bochum, …
• pure substitution-permutation network
• 64-bit block
• 80/128-bit key
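The slide gives only the shape of PRESENT (a pure SPN with a 64-bit block and an 80- or 128-bit key). The following is an added example, written for this page and not the designers' own code: a straight Python transcription of PRESENT-80 from the published cipher specification, i.e. 31 rounds of round-key addition, a 4-bit S-box layer and a bit permutation, followed by a final key addition with the 32nd round key. The S-box table, the permutation rule P(i) = 16·i mod 63 (bit 63 fixed) and the three-step key schedule (rotate left by 61, S-box on the top nibble, XOR the round counter into bits 19..15) are taken from that specification, not from the slides; the all-zero test vector in the `__main__` block is the one published with the cipher.

```python
# Added example: PRESENT-80 in Python, transcribed from the published
# specification of the cipher. Illustrative code for this page, not the
# designers' reference implementation.

BLOCK_BITS = 64
KEY_BITS = 80
ROUNDS = 31
MASK64 = (1 << BLOCK_BITS) - 1
MASK80 = (1 << KEY_BITS) - 1

# 4-bit S-box of PRESENT (published specification) and its inverse.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]

# Bit permutation: bit i of the state moves to position P(i) = 16*i mod 63,
# with bit 63 fixed; 16 is invertible mod 63, so this is a permutation.
PBOX = [63 if i == 63 else (16 * i) % 63 for i in range(BLOCK_BITS)]
PBOX_INV = [PBOX.index(j) for j in range(BLOCK_BITS)]


def sbox_layer(state, box=SBOX):
    """Apply the 4-bit S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for n in range(16):
        out |= box[(state >> (4 * n)) & 0xF] << (4 * n)
    return out


def p_layer(state, perm=PBOX):
    """Move every set bit i of the state to position perm[i]."""
    out = 0
    for i in range(BLOCK_BITS):
        if (state >> i) & 1:
            out |= 1 << perm[i]
    return out


def key_schedule_80(key):
    """Derive the 32 round keys K_1..K_32 from an 80-bit key given as an int."""
    k = key & MASK80
    round_keys = []
    for i in range(1, ROUNDS + 2):
        round_keys.append(k >> (KEY_BITS - BLOCK_BITS))  # leftmost 64 bits
        # 1. rotate the 80-bit key register left by 61 positions
        k = ((k << 61) | (k >> (KEY_BITS - 61))) & MASK80
        # 2. pass the leftmost nibble (bits 79..76) through the S-box
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))
        # 3. XOR the round counter i into bits 19..15
        k ^= i << 15
    return round_keys


def encrypt(plaintext, key):
    """Encrypt one 64-bit block (int) under an 80-bit key (int)."""
    rk = key_schedule_80(key)
    state = plaintext & MASK64
    for r in range(ROUNDS):
        state ^= rk[r]          # addRoundKey with K_{r+1}
        state = sbox_layer(state)
        state = p_layer(state)
    return state ^ rk[ROUNDS]   # final addRoundKey with K_32


def decrypt(ciphertext, key):
    """Invert encrypt(): undo the final key addition, then the rounds in reverse."""
    rk = key_schedule_80(key)
    state = (ciphertext & MASK64) ^ rk[ROUNDS]
    for r in range(ROUNDS - 1, -1, -1):
        state = p_layer(state, PBOX_INV)
        state = sbox_layer(state, SBOX_INV)
        state ^= rk[r]
    return state


if __name__ == "__main__":
    # Published test vector: all-zero key and plaintext -> 5579C1387B228445.
    ct = encrypt(0, 0)
    print(f"PRESENT-80(plaintext=0, key=0) = {ct:016X}")
    assert decrypt(ct, 0) == 0
```

Integers are used for the 64-bit state and 80-bit key so the bit positions in the code match the bit numbering of the specification directly; a hardware-style implementation would instead wire the permutation layer as plain routing, which is exactly why PRESENT is cheap in gates and why the slide calls it hardware-optimized.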