ARMADILLO: a Multi-Purpose Cryptographic Primitive Dedicated to Hardware
|
|
- Kerrie Lucas
- 5 years ago
- Views:
Transcription
1 : a Multi-Purpose Cryptographic Primitive Dedicated to Stéphane Badel 1, Nilay Dağtekin 1, Jorge Nakahara Jr 1, Khaled Ouafi 1, Nicolas Reffé 2, Pouyan Sepehrdad 1, Petr Sušil 1, Serge Vaudenay 1 1 EPFL, Lausanne, Switzerland 2 Oridao, Montpellier, France EPFL, Switzerland and Oridao, France 1/ 30
2 EPFL, Switzerland and Oridao, France 2/ 30
3 EPFL, Switzerland and Oridao, France 3/ 30
4 small placental mammal, known for having a leathery armor shell. armadillo is Spanish for little armored one. Habitant: United States, from Texas to Illinois, Indiana and southern Ontario. used in the study of Leprosy: the few known non-human animal species that can contract the disease systemically. EPFL, Switzerland and Oridao, France 4/ 30
5 a general-purpose cryptographic function I FIL-MAC: for challenge-response protocols II Hashing and Digital Signatures III PRNG and PRF hardware oriented target environments: RFID tags and sensor networks based on data-dependent permutations patent pending by Oridao ( EPFL, Switzerland and Oridao, France 5/ 30
6 Overall Design: 2 Input: initial value C, message block U i Output: (V c,v t ) = 2(C,U i ) X = Q(U i,c U i ) X undergoes a sequence of bit permutations, σ 0 and σ 1 and XOR with a constant, denoted by Q: maps a bitstring of k bits and a vector X of k bits into a vector of k bits, then (V c,v t ) = 2(C,U i ) = Q(X,C U i ) X permutation Q defined recursively as Q(s b,x) = Q(s,X σb γ) for b {0,1} and bitstrings s and X and a constant bitstring γ = (10) k/2. EPFL, Switzerland and Oridao, France 6/ 30
7 Vc S m Vt Q(X, C U) X = Q(U, C U) C U i c m.. k. Figure: function of 2 EPFL, Switzerland and Oridao, France 7/ 30
8 Applications I FIL-MAC: for challenge-response protocols V t = AMAC C (U) II Hashing and Digital Signatures V c = AHASH IV (message padding) III PRNG and PRF APRF seed (x) = head t (AHASH seed (x cste)) EPFL, Switzerland and Oridao, France 8/ 30
9 Old Design: Input: initial value C, message block U i Output: (V c,v t ) = (C,U i ) Xinter = C U i x = Xinter Xinter x undergoes a sequence of bit permutations, σ 0 and σ 1, denoted by P: maps a bitstring of k bits and a vector x of 2k bits into a vector of 2k bits, then S = P(Xinter,x) = tail k ((Xinter Xinter) σxinter ) where P is defined recursively as P(s b,x) = P(s,X σb ) for b {0,1} and bitstrings s and X and P(,X) = tail k (X). (V c,v t ) S Xinter EPFL, Switzerland and Oridao, France 9/ 30
10 Schematic Diagram Outline Vc S m Vt (Xinter Xinter)σ Xinter Xinter Xinter C U i c m.. 3 k. 2 1 Figure: The function EPFL, Switzerland and Oridao, France 10/ 30
11 EPFL, Switzerland and Oridao, France 11/ 30
12 Table: Parameter vectors Vector k c m r t A B C D E EPFL, Switzerland and Oridao, France 12/ 30
13 2 no complementation of the k-bit input Xinter = (C U i ). σ i permutations (and so Q) operate on k-bit data (C U i ). no truncation anymore at the output of Q. EPFL, Switzerland and Oridao, France 13/ 30
14 2 no complementation of the k-bit input Xinter = (C U i ). σ i permutations (and so Q) operate on k-bit data (C U i ). no truncation anymore at the output of Q. more compact design and so performance advantage EPFL, Switzerland and Oridao, France 13/ 30
15 EPFL, Switzerland and Oridao, France 14/ 30
16 Defense Mechanism Greek Ouroboros Figure: Armadillo Lizard EPFL, Switzerland and Oridao, France 15/ 30
17 Bounds characterized by two parameters S offline and S online. the best offline attack has complexity 2 S offline. the best online attack, with practical complexity, has success probability 2 S online. aim at S offline 80 and S online 40, but we can only upper bound S offline and S online. EPFL, Switzerland and Oridao, France 16/ 30
18 Concern attack against, but not 2. extra pre-processing in 2, i.e X = Q(U i,c U i ) prevents the attack on. EPFL, Switzerland and Oridao, France 17/ 30
19 EPFL, Switzerland and Oridao, France 18/ 30
20 Armored Armadillo EPFL, Switzerland and Oridao, France 19/ 30
21 implementation of the function b d in [0] d in [1] d out [0] d out [1] key in load X inter X inter 2k J J-N J S-1 0 2k J-N 2k key out out d in [2k-1] d out [2k-1] clk en 0 N stages (a) (b) Figure: (a) one permutation stage, (b) P function building block EPFL, Switzerland and Oridao, France 20/ 30
22 Is FOM = throughput / GE enough? EPFL, Switzerland and Oridao, France 21/ 30
23 Is FOM = throughput / GE enough? at first sight: provides a more general measure of quality. EPFL, Switzerland and Oridao, France 21/ 30
24 Is FOM = throughput / GE enough? at first sight: provides a more general measure of quality. BUT, it is flawed: how about trading off throughput for power? EPFL, Switzerland and Oridao, France 21/ 30
25 Is FOM = throughput / GE enough? at first sight: provides a more general measure of quality. BUT, it is flawed: how about trading off throughput for power? according to this metric, two designs A and B are as efficient: A s throughput and area is twice B s throughput and area. B s power dissipation is half that of A. EPFL, Switzerland and Oridao, France 21/ 30
26 Is FOM = throughput / GE enough? at first sight: provides a more general measure of quality. BUT, it is flawed: how about trading off throughput for power? according to this metric, two designs A and B are as efficient: A s throughput and area is twice B s throughput and area. B s power dissipation is half that of A. by doubling B s operating frequency, its throughput can be made equal to that of A while consuming the same power and still occupying a smaller area. B should be recognized as superior to A. EPFL, Switzerland and Oridao, France 21/ 30
27 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. EPFL, Switzerland and Oridao, France 22/ 30
28 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: EPFL, Switzerland and Oridao, France 22/ 30
29 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. EPFL, Switzerland and Oridao, France 22/ 30
30 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. EPFL, Switzerland and Oridao, France 22/ 30
31 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. EPFL, Switzerland and Oridao, France 22/ 30
32 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. vary largely depending on the method used to measure it. EPFL, Switzerland and Oridao, France 22/ 30
33 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. vary largely depending on the method used to measure it. different standard-cell libraries exhibit various power/area/speed trade-offs. EPFL, Switzerland and Oridao, France 22/ 30
34 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. vary largely depending on the method used to measure it. different standard-cell libraries exhibit various power/area/speed trade-offs. generally not available. EPFL, Switzerland and Oridao, France 22/ 30
35 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. vary largely depending on the method used to measure it. different standard-cell libraries exhibit various power/area/speed trade-offs. generally not available. A fairer FOM: include the influence of power dissipation. we can assume that the power is proportional to the gate count. EPFL, Switzerland and Oridao, France 22/ 30
36 T-stage pipeline: R = k/(n.t) of permutations at each stage. throughput: 1/R items per cycle and the latency: k/n cycles. more pipeline stages: more hardware replication, area, power. a fully serial implementation: ideal for RFID applications. In practice, to maximize FOM with T = 1, we obtain N = 4 for 2. obtain an area of 4030 GE, 77 µw, and a latency of 44 cycles (1.09 Mbps for hashing or 2.9 Mbps for encryption). EPFL, Switzerland and Oridao, France 23/ 30
37 Synthesis Results synthesis in a 0.18µm CMOS process using a commercial standard-cell library. Synopsys Design Compiler in topographical mode. power consumption: Synopsys Primetime-PX using gate-level vector-based analysis. EPFL, Switzerland and Oridao, France 24/ 30
38 Synthesis results at 1 MHz N=1 N=4 Algorithm Vect. Area Power Thr. Latency Area Power Thr. Latency (GE) (µw) (kbps) (cycles) (GE) (µw) (kbps) (cycles) A B C D E Table: the throughput values correspond to hash mode. EPFL, Switzerland and Oridao, France 25/ 30
39 Comparing hash functions performance at 100 khz Algorithm Digest Block Area Time Throughput Logic FOM (bits) (bits) (GE) (cycles/block) (kb/s) (µm) (nanobit/cycle.ge 2 ) 2-A A H-PRESENT B MD B MD C C SHA D C-PRESENT D MAME E SHA E EPFL, Switzerland and Oridao, France 26/ 30
40 Comparing performance of ciphers at 100 khz Algorithm Key Block Area Time Throughput Logic FOM (bits) (bits) (GE) (cycles/block) (kb/s) (µm) (nanobit/cycle.ge 2 ) DES PRESENT Grain KTANTAN KATAN A Trivium PRESENT A mcrypton PRESENT HIGHT TEA B B AES C C DESXL D D E E EPFL, Switzerland and Oridao, France 27/ 30
41 EPFL, Switzerland and Oridao, France 28/ 30
42 a new hardware dedicated cryptographic function design. two instances: and 2 2: fully serial architecture, 2923 GE could perform one compression within 176 clock cycles, consuming 44 µw at 1 MHz. another tradeoff leads us to 4030 GE, 44 cycles, 77 µw, 11 Mbps of hashing, and 2.9 Mbps of encryption. EPFL, Switzerland and Oridao, France 29/ 30
43 Questions? EPFL, Switzerland and Oridao, France 30/ 30
Lightweight Cryptography for RFID Systems
Lightweight Cryptography for RFID Systems Guang Gong Department of Electrical and Computer Engineering University of Waterloo CANADA G. Gong (University of Waterloo)
More informationCryptanalysis of ARMADILLO2
Cryptanalysis of ARMADILLO2 Mohamed Ahmed Abdelraheem, Céline Blondeau, Maria Naya-Plasencia, Marion Videau, Erik Zenner To cite this version: Mohamed Ahmed Abdelraheem, Céline Blondeau, Maria Naya-Plasencia,
More informationCube Analysis of KATAN Family of Block Ciphers
Cube Analysis of KATAN Family of Block Ciphers Speaker: Bingsheng Zhang University of Tartu, Estonia This talk covers partial results of the paper Algebraic, AIDA/Cube and Side Channel Analysis of KATAN
More informationThe PHOTON Family of Lightweight Hash Functions
The PHOTON Family of Lightweight Hash Functions Jian Guo 1, Thomas Peyrin 2, and Axel Poschmann 2 1 Institute for Infocomm Research, Singapore 2 Nanyang Technological University, Singapore {ntu.guo,thomas.peyrin}@gmail.com,
More informationHardware implementations of ECC
Hardware implementations of ECC The University of Electro- Communications Introduction Public- key Cryptography (PKC) The most famous PKC is RSA and ECC Used for key agreement (Diffie- Hellman), digital
More informationEEC 216 Lecture #3: Power Estimation, Interconnect, & Architecture. Rajeevan Amirtharajah University of California, Davis
EEC 216 Lecture #3: Power Estimation, Interconnect, & Architecture Rajeevan Amirtharajah University of California, Davis Outline Announcements Review: PDP, EDP, Intersignal Correlations, Glitching, Top
More informationTHE security of cryptographic primitives is built upon
EDIC RESEARCH PROPOSAL Non-Linear Relations in Cryptographic Primitives Petr Sušil I&C, EPFL Abstract This report gives an overview over properties of non-linear relations generated by modular addition,
More informationMOSIS REPORT. Spring MOSIS Report 1. MOSIS Report 2. MOSIS Report 3
MOSIS REPORT Spring 2010 MOSIS Report 1 MOSIS Report 2 MOSIS Report 3 MOSIS Report 1 Design of 4-bit counter using J-K flip flop I. Objective The purpose of this project is to design one 4-bit counter
More informationDual-Field Arithmetic Unit for GF(p) and GF(2 m ) *
Institute for Applied Information Processing and Communications Graz University of Technology Dual-Field Arithmetic Unit for GF(p) and GF(2 m ) * CHES 2002 Workshop on Cryptographic Hardware and Embedded
More informationCBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge
More informationVectorized 128-bit Input FP16/FP32/ FP64 Floating-Point Multiplier
Vectorized 128-bit Input FP16/FP32/ FP64 Floating-Point Multiplier Espen Stenersen Master of Science in Electronics Submission date: June 2008 Supervisor: Per Gunnar Kjeldsberg, IET Co-supervisor: Torstein
More informationNew Implementations of the WG Stream Cipher
New Implementations of the WG Stream Cipher Hayssam El-Razouk, Arash Reyhani-Masoleh, and Guang Gong Abstract This paper presents two new hardware designs of the WG-28 cipher, one for the multiple output
More informationELEC516 Digital VLSI System Design and Design Automation (spring, 2010) Assignment 4 Reference solution
ELEC516 Digital VLSI System Design and Design Automation (spring, 010) Assignment 4 Reference solution 1) Pulse-plate 1T DRAM cell a) Timing diagrams for nodes and Y when writing 0 and 1 Timing diagram
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationIntroduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results
The LED Block Cipher Jian Guo, Thomas Peyrin, Axel Poschmann and Matt Robshaw I2R, NTU and Orange Labs CHE 2011 Nara, Japan Outline Introduction The LED Round Function Minimalism for ey chedule ecurity
More informationCryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences
Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo,
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationAnother View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis
Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis Bo Zhu 1, Guang Gong 1, Xuejia Lai 2 and Kefei Chen 2 1 Department of Electrical and Computer Engineering, University
More informationVLSI Signal Processing
VLSI Signal Processing Lecture 1 Pipelining & Retiming ADSP Lecture1 - Pipelining & Retiming (cwliu@twins.ee.nctu.edu.tw) 1-1 Introduction DSP System Real time requirement Data driven synchronized by data
More informationPipelining and Parallel Processing
Pipelining and Parallel Processing ( 范倫達 ), Ph. D. Department of Computer Science National Chiao Tung University Taiwan, R.O.C. Fall, 010 ldvan@cs.nctu.edu.tw http://www.cs.nctu.edu.tw/~ldvan/ Outlines
More informationFPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256
IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256 Dorian Amiet 1, Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule für Technik, Rapperswil, Switzerland 2 Securosys SA, Zürich,
More informationCSE241 VLSI Digital Circuits Winter Lecture 07: Timing II
CSE241 VLSI Digital Circuits Winter 2003 Lecture 07: Timing II CSE241 L3 ASICs.1 Delay Calculation Cell Fall Cap\Tr 0.05 0.2 0.5 0.01 0.02 0.16 0.30 0.5 2.0 0.04 0.32 0.178 0.08 0.64 0.60 1.20 0.1ns 0.147ns
More informationHighly Efficient GF(2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design
Saint-Malo, September 13th, 2015 Cryptographic Hardware and Embedded Systems Highly Efficient GF(2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design Rei Ueno 1, Naofumi
More information1 Reed Solomon Decoder Final Project. Group 3 Abhinav Agarwal S Branavan Grant Elliott. 14 th May 2007
1 Reed Solomon Decoder 6.375 Final Project Group 3 Abhinav Agarwal S Branavan Grant Elliott 14 th May 2007 2 Outline Error Correcting Codes Mathematical Foundation of Reed Solomon Codes Decoder Architecture
More information2. Accelerated Computations
2. Accelerated Computations 2.1. Bent Function Enumeration by a Circular Pipeline Implemented on an FPGA Stuart W. Schneider Jon T. Butler 2.1.1. Background A naive approach to encoding a plaintext message
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationFast Key Recovery Attack on ARMADILLO1 and Variants
Fast Key Recovery Attack on ARMADILLO and Variants Pouyan Sepehrdad, Petr Sušil, and Serge Vaudenay EPFL, Lausanne, Switzerland {pouyan.sepehrdad,petr.susil,serge.vaudenay}@epfl.ch Abstract. The ARMADILLO
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More informationDesign for Manufacturability and Power Estimation. Physical issues verification (DSM)
Design for Manufacturability and Power Estimation Lecture 25 Alessandra Nardi Thanks to Prof. Jan Rabaey and Prof. K. Keutzer Physical issues verification (DSM) Interconnects Signal Integrity P/G integrity
More informationPerfect Diffusion Primitives for Block Ciphers
Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationChair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics
Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle Network Security Chapter 2 Basics 2.4 Random Number Generation for Cryptographic Protocols Motivation It is
More informationCube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08: Shamir presents cube attacks
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationDatapath Component Tradeoffs
Datapath Component Tradeoffs Faster Adders Previously we studied the ripple-carry adder. This design isn t feasible for larger adders due to the ripple delay. ʽ There are several methods that we could
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationReversible computer hardware
Reversible computer hardware Alexis De Vos Imec v.z.w. and Universiteit Gent Belgium York, 22 March 2009 A logically irreversible computer 3 1 adding computer 4 3 1 adding computer 4?? adding computer
More informationAn Improved Fast and Secure Hash Algorithm
Journal of Information Processing Systems, Vol.8, No.1, March 2012 http://dx.doi.org/10.3745/jips.2012.8.1.119 An Improved Fast and Secure Hash Algorithm Siddharth Agarwal*, Abhinav Rungta*, R.Padmavathy*,
More informationPractical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationINTEGRATED CIRCUITS. For a complete data sheet, please also download:
INTEGRATED CIRCUITS DATA SHEET For a complete data sheet, please also download: The IC6 74HC/HCT/HCU/HCMOS Logic Family Specifications The IC6 74HC/HCT/HCU/HCMOS Logic Package Information The IC6 74HC/HCT/HCU/HCMOS
More informationL15: Custom and ASIC VLSI Integration
L15: Custom and ASIC VLSI Integration Average Cost of one transistor 10 1 0.1 0.01 0.001 0.0001 0.00001 $ 0.000001 Gordon Moore, Keynote Presentation at ISSCC 2003 0.0000001 '68 '70 '72 '74 '76 '78 '80
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationFiltering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications
Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University
More information8. Design Tradeoffs x Computation Structures Part 1 Digital Circuits. Copyright 2015 MIT EECS
8. Design Tradeoffs 6.004x Computation Structures Part 1 Digital Circuits Copyright 2015 MIT EECS 6.004 Computation Structures L08: Design Tradeoffs, Slide #1 There are a large number of implementations
More information8. Design Tradeoffs x Computation Structures Part 1 Digital Circuits. Copyright 2015 MIT EECS
8. Design Tradeoffs 6.004x Computation Structures Part 1 Digital Circuits Copyright 2015 MIT EECS 6.004 Computation Structures L08: Design Tradeoffs, Slide #1 There are a large number of implementations
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationEE241 - Spring 2001 Advanced Digital Integrated Circuits
EE241 - Spring 21 Advanced Digital Integrated Circuits Lecture 12 Low Power Design Self-Resetting Logic Signals are pulses, not levels 1 Self-Resetting Logic Sense-Amplifying Logic Matsui, JSSC 12/94 2
More informationProduct Specification Thermal Print Head Model: MT-S2-8-5ES1 Rev:
Product Specification Thermal Print Head Model: MT-S2-8-5ES1 Rev: 0086-6 Thermal Print Head Page 1 of 10 1. Description The specification is applicable to thermal print head, model MT-S2-8-5ES1, on which
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationEEC 216 Lecture #2: Metrics and Logic Level Power Estimation. Rajeevan Amirtharajah University of California, Davis
EEC 216 Lecture #2: Metrics and Logic Level Power Estimation Rajeevan Amirtharajah University of California, Davis Announcements PS1 available online tonight R. Amirtharajah, EEC216 Winter 2008 2 Outline
More informationWord-length Optimization and Error Analysis of a Multivariate Gaussian Random Number Generator
Word-length Optimization and Error Analysis of a Multivariate Gaussian Random Number Generator Chalermpol Saiprasert, Christos-Savvas Bouganis and George A. Constantinides Department of Electrical & Electronic
More informationPseudo-Random Generators
Pseudo-Random Generators Why do we need random numbers? Simulation Sampling Numerical analysis Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols
More informationParallel Cube Tester Analysis of the CubeHash One-Way Hash Function
Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationPseudo-Random Generators
Pseudo-Random Generators Topics Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationXMX: A Firmware-oriented Block Cipher Based on Modular Multiplications
XMX: A Firmware-oriented Block Cipher Based on Modular Multiplications [Published in E. Biham, Ed., Fast Software Encrytion, vol. 1267 of Lecture Notes in Computer Science, pp. 166 171, Springer-Verlag,
More informationUniversity of California at Berkeley College of Engineering Department of Electrical Engineering and Computer Sciences
University of California at Berkeley College of Engineering Department of Electrical Engineering and Computer Sciences EECS151/251A V. Stojanovic, J. Wawrzynek Fall 2015 10/13/15 Midterm Exam Name: ID
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationGF(2 m ) arithmetic: summary
GF(2 m ) arithmetic: summary EE 387, Notes 18, Handout #32 Addition/subtraction: bitwise XOR (m gates/ops) Multiplication: bit serial (shift and add) bit parallel (combinational) subfield representation
More informationINTEGRATED CIRCUITS. For a complete data sheet, please also download:
INTEGRATED CIRCUITS DATA SHEET For a complete data sheet, please also download: The IC06 74HC/HCT/HCU/HCMOS Logic Family Specifications The IC06 74HC/HCT/HCU/HCMOS Logic Package Information The IC06 74HC/HCT/HCU/HCMOS
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationDistributed by: www.jameco.com 1-800-831-4242 The content and copyrights of the attached material are the property of its owner. INTEGRATED CIRCUITS DATA SHEET For a complete data sheet, please also download:
More informationTopics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers
Topics Pseudo-Random Generators Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationPathchecker: an RFID Application for Tracing Products in Suply-Chains
Pathchecker: an RFID Application for Tracing Products in Suply-Chains Khaled Ouafi and Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland http://lasecwww.epfl.ch Abstract. In this paper, we present an application
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationEntropy Evaluation for Oscillator-based True Random Number Generators
Entropy Evaluation for Oscillator-based True Random Number Generators Yuan Ma DCS Center Institute of Information Engineering Chinese Academy of Sciences Outline RNG Modeling method Experiment Entropy
More informationPipelining and Parallel Processing
Pipelining and Parallel Processing Lan-Da Van ( 倫 ), Ph. D. Department of omputer Science National hiao Tung University Taiwan, R.O.. Spring, 007 ldvan@cs.nctu.edu.tw http://www.cs.nctu.edu.tw/~ldvan/
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationEE 466/586 VLSI Design. Partha Pande School of EECS Washington State University
EE 466/586 VLSI Design Partha Pande School of EECS Washington State University pande@eecs.wsu.edu Lecture 8 Power Dissipation in CMOS Gates Power in CMOS gates Dynamic Power Capacitance switching Crowbar
More informationPERFORMANCE METRICS. Mahdi Nazm Bojnordi. CS/ECE 6810: Computer Architecture. Assistant Professor School of Computing University of Utah
PERFORMANCE METRICS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 6810: Computer Architecture Overview Announcement Jan. 17 th : Homework 1 release (due on Jan.
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationLOGIC CIRCUITS. Basic Experiment and Design of Electronics. Ho Kyung Kim, Ph.D.
Basic Experiment and Design of Electronics LOGIC CIRCUITS Ho Kyung Kim, Ph.D. hokyung@pusan.ac.kr School of Mechanical Engineering Pusan National University Digital IC packages TTL (transistor-transistor
More informationObjective and Outline. Acknowledgement. Objective: Power Components. Outline: 1) Acknowledgements. Section 4: Power Components
Objective: Power Components Outline: 1) Acknowledgements 2) Objective and Outline 1 Acknowledgement This lecture note has been obtained from similar courses all over the world. I wish to thank all the
More informationEfficient Hardware Calculation of Inverses in GF (2 8 )
Efficient Hardware Calculation of Inverses in GF (2 8 ) R. W. Ward, Dr. T. C. A. Molteno 1 Physics Department University of Otago Box 56, Dunedin, New Zealand 1 Email: tim@physics.otago.ac.nz Abstract:
More informationTestability. Shaahin Hessabi. Sharif University of Technology. Adapted from the presentation prepared by book authors.
Testability Lecture 6: Logic Simulation Shaahin Hessabi Department of Computer Engineering Sharif University of Technology Adapted from the presentation prepared by book authors Slide 1 of 27 Outline What
More informationPower Consumption in CMOS CONCORDIA VLSI DESIGN LAB
Power Consumption in CMOS 1 Power Dissipation in CMOS Two Components contribute to the power dissipation:» Static Power Dissipation Leakage current Sub-threshold current» Dynamic Power Dissipation Short
More informationECE 3401 Lecture 23. Pipeline Design. State Table for 2-Cycle Instructions. Control Unit. ISA: Instruction Specifications (for reference)
ECE 3401 Lecture 23 Pipeline Design Control State Register Combinational Control Logic New/ Modified Control Word ISA: Instruction Specifications (for reference) P C P C + 1 I N F I R M [ P C ] E X 0 PC
More informationEntropy Extraction in Metastability-based TRNG
Entropy Extraction in Metastability-based TRNG Vikram B. Suresh Dept. of Electrical & Computer Engineering University of Massachusetts Amherst, USA vsuresh@ecs.umass.edu Wayne P. Burleson Dept. of Electrical
More informationDesign of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES
Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES Rajasekar P Assistant Professor, Department of Electronics and Communication Engineering, Kathir College of Engineering, Neelambur,
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationCryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur
Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed
More informationEE115C Digital Electronic Circuits Homework #4
EE115 Digital Electronic ircuits Homework #4 Problem 1 Power Dissipation Solution Vdd =1.0V onsider the source follower circuit used to drive a load L =20fF shown above. M1 and M2 are both NMOS transistors
More informationCost/Performance Tradeoffs:
Cost/Performance Tradeoffs: a case study Digital Systems Architecture I. L10 - Multipliers 1 Binary Multiplication x a b n bits n bits EASY PROBLEM: design combinational circuit to multiply tiny (1-, 2-,
More informationPower Dissipation. Where Does Power Go in CMOS?
Power Dissipation [Adapted from Chapter 5 of Digital Integrated Circuits, 2003, J. Rabaey et al.] Where Does Power Go in CMOS? Dynamic Power Consumption Charging and Discharging Capacitors Short Circuit
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationAre standards compliant Elliptic Curve Cryptosystems feasible on RFID?
Are standards compliant Elliptic Curve Cryptosystems feasible on RFID? Sandeep S. Kumar and Christof Paar Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany Abstract. With elliptic
More informationLow Latency Architectures of a Comparator for Binary Signed Digits in a 28-nm CMOS Technology
Low Latency Architectures of a Comparator for Binary Signed Digits in a 28-nm CMOS Technology Martin Schmidt, Thomas Veigel, Sebastian Haug, Markus Grözing, Manfred Berroth Stuttgart, Germany 1 Outline
More informationStudies on Disk Encryption
Studies on Disk Encryption Cuauhtemoc Mancillas López Advisor: Debrup Chakraborty Nov 14, 2011 Cuauhtemoc Mancillas López Advisor: Debrup Chakraborty Studies () on Disk Encryption Nov 14, 2011 1 / 74 Disk
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationNew Bit-Level Serial GF (2 m ) Multiplication Using Polynomial Basis
2015 IEEE 22nd Symposium on Computer Arithmetic New Bit-Level Serial GF 2 m ) Multiplication Using Polynomial Basis Hayssam El-Razouk and Arash Reyhani-Masoleh Department of Electrical and Computer Engineering
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More information