Hardware Evaluation of SHA-3 Candidates

Huang, Sinan

26 May 2011

Cryptographic hash functions are used extensively in information security, most notably in digital authentication and data integrity verification. Their performance is an important factor of the overall performance of a secure system. In 2005, some groups of cryptanalysts were making increasingly successful attacks and exploits on the cryptographic hash function, SHA-1, the most widely used hash function of the secure hashing algorithm family. Although these attacks do not work on SHA-2, the next in the series of the secure hashing algorithm family, the National Institute of Standards and Technology still believes that it is necessary to hold a competition to select a new algorithm to be added to the current secure hashing algorithm family. The new algorithm will be chosen through a public competition. The entries will be evaluated with different kinds of criteria, such as security, performance and implementation characteristics. These criteria will not only cover the domain of software, but the domain of hardware as well. This is the motivation of this thesis. This thesis will describe the experiments and measurements done to evaluate the SHA-3 cryptographic hash function candidates' performance on both ASIC and FPGA devices. The methodology, metrics, implementation details, and the framework of the experiments will be described. The results on both hardware devices will be shown and possible future directions will be discussed. / Master of Science

Cryptography

Security

SHA-3

Hardware Evaluation

Σχεδίαση και FPGA υλοποιήσεις αρχιτεκτονικών για το κρυπτογραφικό πρότυπο SHA-3 / Designs of hardware architectures and FPGA implementations for SHA-3 cryptographic hash standard

Μάκκας, Γεώργιος - Πάρις

10 June 2014

Σε αυτήν την διπλωματική εργασία, υλοποιήθηκε ο κρυπτογραφικός αλγόριθμος Keccak σε σύστημα FPGA. Σχεδιάστηκαν τρεις αρχιτεκτονικές υλοποίησης, η κάθε μία με σκοπό την υλοποίηση ενός στόχου. Η πρώτη είχε σκοπό την απλή υλοποίηση του αλγορίθμου, η δεύτερη την αύξηση της ρυθμαπόδοσης και η τρίτη την μείωση του υλικού που χρησιμοποιείται. Στο τέλος, υπάρχει μια σύγκριση των σχεδιάσεων μεταξύ τους, αλλά και με κάποιες άλλες που έχουν δημοσιευτεί τα τελευταία χρόνια. / In this thesis, cryptographic algorithm Keccak was implemented for FPGA systems. There were three designs proposed, each one with a different goal to accomplish. The first one was a simple implementation, the second one aimed at increasing throughput and the third one aimed at reducing the amount of area used. At the end, there is a comparison between those designs and, also, some of those published in recent years.

Κρυπτογράφηση

005.82

Keccak

SHA-3

FPGA

Implementation

Podpora kryptografických primitiv v jazyce P4 / P4 cryptographic primitive support

Cíbik, Peter

January 2020

This diploma thesis deals with the problem of high-speed communication security which leads to the usage of hardware accelerators, in this case high-speed FPGA NICs. Work with simplification of development of FPGA hardware accelerator applications using the P4 to VHDL compiler. Describes extension of compiler of cryptographic external objects support. Teoretical introduction of the thesis explains basics of P4 language and used technologies. Describes mapping of external objects to P4 pipeline and therefore to FPGA chip. Subsequently deals with cryptographic external object, compatible wrapper implementation and verification of design. Last part describes implementation and compiler extension, cryptographic external object support and summarizes reached goals.

Advances in the Side-Channel Analysis of Symmetric Cryptography

Taha, Mostafa Mohamed Ibrahim

10 June 2014

Side-Channel Analysis (SCA) is an implementation attack where an adversary exploits unintentional outputs of a cryptographic module to reveal secret information. Unintentional outputs, also called side-channel outputs, include power consumption, electromagnetic radiation, execution time, photonic emissions, acoustic waves and many more. The real threat of SCA lies in the ability to mount attacks over small parts of the key and to aggregate information over many different traces. The cryptographic community acknowledges that SCA can break any security module if the adequate protection is not implemented. In this dissertation, we propose several advances in side-channel attacks and countermeasures. We focus on symmetric cryptographic primitives, namely: block-ciphers and hashing functions. In the first part, we focus on improving side-channel attacks. First, we propose a new method to profile highly parallel cryptographic modules. Profiling, in the context of SCA, characterizes the power consumption of a fully-controlled module to extract power signatures. Then, the power signatures are used to attack a similar module. Parallel designs show excessive algorithmic-noise in the power trace. Hence, we propose a novel attack that takes design parallelism into consideration, which results in a more powerful attack. Also, we propose the first comprehensive SCA of the new secure hashing function mbox{SHA-3}. Although the main application of mbox{SHA-3} is hashing, there are other keyed applications including Message Authentication Codes (MACs), where protection against SCA is required. We study the SCA properties of all the operations involved in mbox{SHA-3}. We also study the effect of changing the key-length on the difficulty of mounting attacks. Indeed, changing the key-length changes the attack methodology. Hence, we propose complete attacks against five different case studies, and propose a systematic algorithm to choose an attack methodology based on the key-length. In the second part, we propose different techniques for protection against SCA. Indeed, the threat of SCA can be mitigated if the secret key changes before every execution. Although many contributions, in the domain of leakage resilient cryptography, tried to achieve this goal, the proposed solutions were inefficient and required very high implementation cost. Hence, we highlight a generic framework for efficient leakage resiliency through lightweight key-updating. Then, we propose two complete solutions for protecting AES modes of operation. One uses a dedicated circuit for key-updating, while the other uses the underlying AES block cipher itself. The first one requires small area (for the additional circuit) but achieves negligible performance overhead. The second one has no area overhead but requires small performance overhead. Also, we address the problem of executing all the applications of hashing functions, e.g. the unkeyed application of regular hashing and the keyed application of generating MACs, on the same core. We observe that, running unkeyed application on an SCA-protected core will involve a huge loss of performance (3x to 4x). Hence, we propose a novel SCA-protected core for hashing. Our core has no overhead in unkeyed applications, and negligible overhead in keyed ones. Our research provides a better understanding of side-channel analysis and supports the cryptographic community with lightweight and efficient countermeasures. / Ph. D.

Side-Channel Analysis

Practical Leakage Resiliency

AES

SHA-3

Statistinė SHA-3 konkurso maišos funkcijų analizė / Statistical analysis of hash functions from sha-3 competition

Orvidaitė, Halina

04 July 2014

Pagrindinis magistro baigiamojo darbo tikslas buvo, pasinaudojant NIST SHA-3 maišos algoritmų kompresijos funkcijomis, sukurti pseudo-atsitiktinių skaičių generatorių ir atliktų juo sugeneruotų sekų statistinius testus. Darbo metu surinkau pagrindinę teorinę bazę, reikalingą, norint susipaţinti su naujosiomis SHA-3 maišos funkcijomis bei NIST pateikiamu statistinių testų paketu. Detaliai išanalizavau algoritmus, kurie šiuo metu yra maišos funkcijų standartai, ir kurių savybių tenkinimas yra minimalus reikalavimas SHA-3 algoritmų kandidatams. Detaliai pristačiau kiekvieną iš penkių finalinių SHA-3 algoritmų, testavimo algoritmus, kurie yra pateikti statistinių testų pakete: aptariau jų idėją ir tikslą, pateikiamus įvesties kintamuosius, atliekamus algoritmų ţingsnius, reikalavimus funkcijoms paduodamiems kintamiesiems bei gautų rezultatų interpretavimo aspektus. Taip pat pristačiau sugalvotą pseudo-atsitiktinių skaičių generatoriaus algoritmą ir jo Java realizaciją. Sugeneravus testinių duomenų paketą, jį įvertinau NIST statistinių testų pagalba. / The main aim of my final master paper work was to gather theoretical basis, which provides description of cryptology and it‘s elements, valid hash function standards and NIST competition for SHA-3. During my studies I’ve gathered needed information to understand hash algorithms which are represented by five finalists of NIST SHA-3 competition. I’ve analyzed algorithms of current hash function standards and main requirements participants must fulfil in order to become a winner of a competition in detail. I’ve represented each SHA-3 finalist’s function with deep analysis. Also I’ve gathered theoretical basis, which provides description of US National Institute of Standards and Technology created Statistical Test Suite. This statistical test suite is testing binary streams generated by random or pseudorandom number generators. I have given a detailed description of algorithms in given statistical suite: I have provided the main idea and aim of those tests, variables used for input, steps of those algorithms, requirements for input data and possible interpretation of results. Also I’ve introduced an algorithm of pseudorandom numbers generator and have given its’ realization in Java. Finally I’ve created a test data suite and have assessed it with NIST provided statistical test suite.

Statistinė

SHA-3

Konkursas

Maišos funkcijos

Analizė

Statistical

Analysis

Hash Functions

Competition

Analýza návrhu nových hašovacích funkcí pro soutěž SHA-3 / Analýza návrhu nových hašovacích funkcí pro soutěž SHA-3

Marková, Lucie

January 2011

In the present work we study a linearization framework for assessing the security of hash functions and analyze the proposal of hash function BLAKE. The thesis demonstrates a limitation of a method presented in the linearization framework for which the method could not be applied to the full extent. Further in the thesis, it is explained how to find a message difference for second preimage attack with the help of linear codes. To that end, a matrix representing the linearized compression function of BLAKE is constructed. My thesis as a PDF file and source codes of computations that I created in Mathematica software are on an enclosed CD.

Testování náhodnosti a použití statistických testů v kryptografii / Testování náhodnosti a použití statistických testů v kryptografii

Nižnanský, Petr

January 2013

Pseudorandom generators belong to the primary focus of cryptology. The key to every cipher has to be generated at random, otherwise the security of the whole cipher is threatened. Another point of importance is the pseudorandom generators' close relationship to the stream ciphers. In this work, we first introduce statistical theory related to randomness testing. Then, we describe 8 classical statistical tests. We introduce a concept of next bit testing and derive variants of previous tests. Moreover, with this new battery of tests we examine the randomness of SHA-3 second round candidates and present the results. Also a sensitivity of tests is investigated and several useful transformations are shown. Powered by TCPDF (www.tcpdf.org)

Vector Instruction Set Extensions for Efficient and Reliable Computation of Keccak

Rawat, Hemendra Kumar

27 August 2016

Recent processor architectures such as Intel Westmere (and later) and ARMv8 include instruction-level support for the Advanced Encryption Standard (AES), for the Secure Hashing Standard (SHA-1, SHA2) and for carry-less multiplication. These crypto-instructions are optimized for a single algorithm and provide significant performance improvements over software written using general-purpose instruction set. However, today's secure systems and protocols do not rely on just one, but a suite of many cryptographic applications that are expected to work in a correct and reliable manner. In this work, we propose a new instruction set for supporting efficient and reliable cryptography on modern processors. For efficiency, we propose flexible instruction set extensions for Keccak, a cryptographic kernel for hashing, authenticated encryption, key-stream generation and random-number generation. Keccak is the basis of the SHA-3 standard and the newly proposed Keyak and Ketje authenticated ciphers. For reliability, we propose a set of trusted instructions to verify the integrity of a cryptographic software library. These instructions are aimed at detecting tamper in the software or in the configurable hardware. We develop the instruction extensions for a 128-bit interface, commonly available in the vector processing unit of many modern processors. Simulation results on GEM5 architectural simulator show that the proposed instructions not only improves the performance of Keccak applications by 2 times (over NEON programming) and 6 times (over assembly programming), but also improves the reliability of applications at a performance overhead of just 6%. / Master of Science

SIMD

Instruction Set Extensions

SHA-3

Hashing

Authenticated Encryption

Software Integrity

Algebraicko-diferenční analýza Keccaku / Algebraic-differential analysis of Keccak

Seidlová, Monika

January 2016

In this thesis, we analyze the cryptographic sponge function family Keccak - the winner of the SHA-3 Cryptographic Hash Standard competition. Firstly, we explore how higher order differentials can be used to forge a tag in a parallelizable MAC function. We introduce new terms and theory studying what affine spaces remain affine after one round of Keccak's underlying permutation Keccak-f. This allows us to improve the forgery. Secondly, collisions in Keccak could be generated from pairs of values, that follow particular differential trails in Keccak-f. We tested finding pairs for a given differential trail in reduced-round Keccak-f using algebraic techniques with the mathematics software SAGE. We found a pair in a 4-round trail in Keccak-f[50] in under 5 minutes and a 3-round trail in Keccak-f[100] in 80 seconds on a regular PC. Powered by TCPDF (www.tcpdf.org)

Secure and Efficient Implementations of Cryptographic Primitives

Guo, Xu

30 May 2012

Nowadays pervasive computing opens up many new challenges. Personal and sensitive data and computations are distributed over a wide range of computing devices. This presents great challenges in cryptographic system designs: how to protect privacy, authentication, and integrity in this distributed and connected computing world, and how to satisfy the requirements of different platforms, ranging from resource constrained embedded devices to high-end servers. Moreover, once mathematically strong cryptographic algorithms are implemented in either software or hardware, they are known to be vulnerable to various implementation attacks. Although many countermeasures have been proposed, selecting and integrating a set of countermeasures thwarting multiple attacks into a single design is far from trivial. Security, performance and cost need to be considered together. The research presented in this dissertation deals with the secure and efficient implementation of cryptographic primitives. We focus on how to integrate cryptographic coprocessors in an efficient and secure way. The outcome of this research leads to four contributions to hardware security research. First, we propose a programmable and parallel Elliptic Curve Cryptography (ECC) coprocessor architecture. We use a systematic way of analyzing the impact of System-on-Chip (SoC) integration to the cryptographic coprocessor performance and optimize the hardware/software codesign of cryptographic coprocessors. Second, we provide a hardware evaluation methodology to the NIST SHA-3 standardization process. Our research efforts cover both of the SHA-3 fourteen Second Round candidates and five Third Round finalists. We design the first SHA-3 benchmark chip and discuss the technology impact to the SHA-3 hardware evaluation process. Third, we discuss two technology dependent issues in the fair comparison of cryptographic hardware. We provide a systematic approach to do a cross-platform comparison between SHA-3 FPGA and ASIC benchmarking results and propose a methodology for lightweight hash designs. Finally, we provide guidelines to select implementation attack countermeasures in ECC cryptosystem designs. We discuss how to integrate a set of countermeasures to resist a collection of side-channel analysis (SCA) attacks and fault attacks. The first part of the dissertation discusses how system integration can affect the efficiency of the cryptographic primitives. We focus on the SoC integration of cryptographic coprocessors and analyze the system profile in a co-simulation environment and then on an actual FPGA-based SoC platform. We use this system-level design flow to analyze the SoC integration issues of two block ciphers: the existing Advanced Encryption Standard (AES) and a newly proposed lightweight cipher PRESENT. Next, we use hardware/software codesign techniques to design a programmable ECC coprocessor architecture which is highly flexible and scalable for system integration into a SoC architecture. The second part of the dissertation describes our efforts in designing a hardware evaluation methodology applied to the NIST SHA-3 standardization process. Our Application Specific Integrated Circuit (ASIC) implementation results of five SHA-3 finalists are the first ASIC real measurement results reported in the literature. As a contribution to the NIST SHA-3 competition, we provide timely ASIC implementation cost and performance results of the five SHA-3 finalists in the SHA-3 standard final round evaluation process. We define a consistent and comprehensive hardware evaluation methodology to the NIST SHA-3 standardization process from Field Programmable Gate Array (FPGA) prototyping to ASIC implementation. The third part of the dissertation extends the discussion on hardware benchmarking of NIST SHA-3 candidates by analyzing the impact of technology to the fair comparison of cryptographic hardware. First, a cross-platform comparison between the FPGA and ASIC results of SHA-3 designs demonstrates the gap between two sets of benchmarking results. We describe a systematic approach to analyze a SHA-3 hardware benchmark process for both FPGAs and ASICs. Next, by observing the interaction of hash algorithm design, architecture design, and technology mapping, we propose a methodology for lightweight hash implementation and apply it to CubeHash optimizations. Our ultra-lightweight design of the CubeHash algorithm represents the smallest ASIC implementation of this algorithm reported in the literature. Then, we introduced a cost model for analyzing the hardware cost of lightweight hash implementations. The fourth part of the dissertation discusses SCA attacks and fault attacks resistant cryptosystem designs. We complete a comprehensive survey of state-of-the-art of secure ECC implementations and propose a methodology on selecting countermeasures to thwart multiple side-channel attacks and fault attacks. We focus on a systematic way of organizing and understanding known attacks and countermeasures. / Ph. D.

Block Cipher

Side-Channel Attacks

SHA-3

Hash Function

System-on-Chip

Cryptographic Coprocessor

Elliptic Curve Cryptography

Fault Attacks