The State of the Art in Symmetric Lightweight Cryptography


  1. The State of the Art in Symmetric Lightweight Cryptography. Léo Perrin, based on a joint work with Alex Biryukov. November 18, 2017, Cryptacus Workshop.

  2. Taken from a document written originally in English. Translation: "The programming of billions of processors embedded in all our devices, which must take into account devices that are very cheap and poorly secured, that require for instance the implementation of weak cryptographic algorithms, is a challenge..."

  4. Weak Cryptography? Weak ≠ Lightweight. What is lightweight (symmetric) cryptography?

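  5. It is vast (1/2)

     |             | Stream C. | Block C. | Hash F. | Auth. C. | MAC | Total |
     |-------------|-----------|----------|---------|----------|-----|-------|
     | Academia    | 14        | 50       | 10      | 10       | 2   | 86    |
     | Proprietary | 17        | 5        | 0       | 0        | 1   | 23    |
     | Government  | 1         | 5        | 0       | 0        | 0   | 6     |
     | Total       | 32        | 60       | 10      | 10       | 3   | 115   |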

  8. It is vast (2/2). Several scattered national/international standards, none chosen after a competition (apart from the AES). Reference: State of the Art in Lightweight Symmetric Cryptography, Alex Biryukov and Léo Perrin, https://ia.cr/2017/511, http://cryptolux.org

  12. Outline. Goal of this Talk: We will look at several “lightweight” algorithms and see what they can tell us about lightweightness. (1) A5-GMR-1 and A5-GMR-2: what not to do. (2) Plantlet and LEA: specialized algorithms. (3) GIMLI: multi-purpose algorithms.

  13. Outline: (1) Introduction; (2) A5-GMR-1/2; (3) Plantlet and LEA; (4) GIMLI; (5) Conclusion.

  14. Plan of this Section: (1) Introduction; (2) A5-GMR-1/2: Presentation of A5-GMR-1/2, Security Level, Lessons Learnt; (3) Plantlet and LEA; (4) GIMLI; (5) Conclusion.

  17. Satellite Phone Encryption. GSM Protocol (regular phone): Cell phone communications in many countries (incl. Europe) are encrypted with A5/1. A5/2 was used for products sold outside Europe (e.g. Iraq). Satphone Standards: For satellite phones, there are two competing standards, GMR-1 and GMR-2, each with their own crypto. Their crypto had to be reverse-engineered [DHW+12].

  18. Stream Cipher. [Diagram: stream cipher with key κ, IV I, initialization F, internal states X_0, X_1 linked by U, and filter ϕ producing the key stream k_0, k_1.] Legend: κ: secret key; F: initialization; I: IV; U: state update function; X_i: internal state; ϕ: filter.

  19. A5-GMR-1 (1/2). Diagram of A5-GMR-1 (from [DHW+12]). Internal state size: 82 bits; key size: 64 bits; IV size: 19 bits.

  20. A5-GMR-1 (2/2). “Intuitive” characteristics of a LW algo: intended for low-power devices; very small internal state, very small key; LFSRs → simple logic. Some operations are far cheaper than others. Example: LFSR, a handful of XORs. Memory itself is expensive → small state.

  21. A5-GMR-2. Diagram of A5-GMR-2 (from [DHW+12]). Internal state size: 68 bits; key size: 64 bits; IV size: 22 bits.

  23. Cryptanalysis. Are these algorithms secure? No. In fact, A5-GMR-1 is based on A5/2!

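  24. Key, IS (internal state) and IV sizes in bits.

     | Things               | Name         | Reference  | Key | IS    | IV  | Attack time |
     |----------------------|--------------|------------|-----|-------|-----|-------------|
     | Cell phones          | A5/1         | [And94]    | 64  | 64    | 22  | 2^24        |
     | Cell phones          | A5/2         | [BBK08]    | 64  | 81    | 22  | 2^16        |
     | Cell phones          | CMEA †       | [WSK97]    | 64  | 16–48 | –   | 2^32        |
     | Cell phones          | Oryx         | [WSD+99]   | 96  | 96    | –   | 2^16        |
     | Satellite phones     | A5-GMR-1     | [DHW+12]   | 64  | 82    | 19  | 2^38.1      |
     | Satellite phones     | A5-GMR-2     | [DHW+12]   | 64  | 68    | 22  | 2^28        |
     | Cordless phones      | DSC          | [LST+09]   | 64  | 80    | 35  | 2^34        |
     | Atmel chips          | SecureMem.   | [GvRVWS10] | 64  | 109   | 128 | 2^29.8      |
     | Atmel chips          | CryptoMem.   | [GvRVWS10] | 64  | 117   | 128 | 2^50        |
     | Car key/immobilizer  | Hitag2       | [VGB12]    | 48  | 48    | 64  | 2^35        |
     | Car key/immobilizer  | Megamos      | [VGE13]    | 96  | 57    | 56  | 2^48        |
     | Car key/immobilizer  | Keeloq †     | [BSK96]    | 64  | 32    | –   | 2^44.5      |
     | Car key/immobilizer  | DST40 †      | [BGS+05]   | 40  | 40    | –   | 2^40        |
     | Smart cards          | iClass       | [GdKGV14]  | 64  | 40    | –   | 2^40        |
     | Smart cards          | Crypto-1     | [NESP08]   | 48  | 48    | 96  | 2^32        |
     | DVD players          | CSS          | [BD04]     | 40  | 42    | –   | 2^40        |
     | DVD players          | Cryptomeria †| [BKLM09]   | 56  | 64    | –   | 2^48        |
     | Digital televisions  | CSA-BC †     | [WW05]     | 64  | 64    | –   | 2^64        |
     | Digital televisions  | CSA-SC       | [WW05]     | 64  | 103   | 64  | 2^45.7      |
     | Amazon Kindle        | PC-1         | [BLR13]    | 128 | 152   | –   | 2^31        |
     | Secure token         | SecurID ‡    | [BLP04]    | 64  | 64    | –   | 2^44        |
     | Anything             | E0           | [FL01]     | 128 | 128   | –   | 2^38        |
     | Anything             | RC4          | [Nob94]    | 128 | 2064  | –   | 2^32        |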

  30. Why are they all broken? Too small key: save space/export restriction. “Security through obscurity”: doesn’t work. Overall bad design: not cryptographers/old.

  32. Lessons Learnt. Design: There are cases where a dedicated lightweight algorithm is used. Implementation performance implies lower block/internal state size. Usually only one functionality/device. Context: Cryptography is hard. Export restrictions were a bad idea. Old algorithms stay for a while.

  33. Outline: (1) Introduction; (2) A5-GMR-1/2; (3) Plantlet and LEA: Primer on Hardware Implementation, Plantlet, LEA; (4) GIMLI; (5) Conclusion.
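
The stream cipher model of slide 18 (key κ, IV I, initialization F, update U, filter ϕ) and slide 20's remark that an LFSR costs a handful of XORs, as an added Python example that is not from the talk. The 16-bit LFSR, the folding `init` and the filter `filt` are constructed for illustration (not A5-GMR-1/2); `consistent_states` goes slightly beyond the slides to show that enumerating the internal state bounds the search cost however long the key is.

```python
# Added illustration: toy cipher in the F / U / phi model of the stream cipher
# slide. Constructed for this example; it is NOT A5-GMR-1/2 or any real cipher.
MASK = 0xFFFF  # 16-bit internal state X_i (deliberately tiny)

def init(key, iv):
    """F: fold key and IV into X_0 (hypothetical mixing, never the zero state)."""
    x = iv & MASK
    while key:
        x ^= key & MASK
        key >>= 16
    return x or 1

def update(x):
    """U: one LFSR clock for x^16 + x^14 + x^13 + x^11 + 1, i.e. three XORs."""
    bit = (x ^ (x >> 2) ^ (x >> 3) ^ (x >> 5)) & 1
    return (x >> 1) | (bit << 15)

def filt(x):
    """phi: small nonlinear filter, one key stream bit k_i per state."""
    return (((x >> 1) & (x >> 7)) ^ (x >> 12) ^ x) & 1

def keystream(key, iv, n):
    x, out = init(key, iv), []
    for _ in range(n):
        out.append(filt(x))
        x = update(x)
    return out

def state_period(x0):  # clocks until the internal state returns to x0
    x, n = update(x0), 1
    while x != x0:
        x, n = update(x), n + 1
    return n

def consistent_states(ks):
    """Every X_0 among the 2^16 - 1 non-zero states that reproduces ks."""
    hits = []
    for x0 in range(1, MASK + 1):
        x = x0
        for k in ks:
            if filt(x) != k:
                break
            x = update(x)
        else:
            hits.append(x0)
    return hits

if __name__ == "__main__":  # constructed 64-bit key and 19-bit IV
    ks = keystream(0x1122334455667788, 0x2A5F1, 48)
    print(state_period(1), [hex(s) for s in consistent_states(ks)])
```

The 64-bit key is folded into 16 bits of state, so two keys that fold to the same X_0 give the same key stream and the search space is at most 2^16 - 1 states.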
