
256 Bit Standardized Crypto for 650 GE - GOST Revisited

A. Poschmann, S. Ling, and H. Wang

Axel Poschmann
Division of Mathematical Sciences, School of Physical and Mathematical Sciences

18 August 2010


Outline

• Introduction
• GOST
• How to choose a set of S-boxes?
• Implementation Results
• Conclusions

Introduction

GOST = GOvernment STandard (государственный стандарт)

In this talk we focus on GOST 28147-89

• GOST 28147-89:
  • Block cipher standardized in 1989
  • "Soviet cousin" of DES
  • IETF draft
  • Discussed for inclusion in ISO 18033-3


• 21 years of cryptanalysis:
  • Related-key DC breaks 21 rounds w/ 2^56 CP
  • Slide attack breaks 24 rounds w/ 2^63 CP (30 when S-boxes are known)
  • Reflection attack on full-round GOST w/ 2^32 CP and time 2^192 (assumes bijective S-boxes, works only on 2^224 keys)


2010 GOST is still secure!


GOST I

[Figure: GOST round function, with labels Li, Ri, Ki, Li+1, Ri+1 (32 bits each), S-layer of S-boxes S1 to S8 (4 bits each), <<11]

• 2 branch Feistel Network
• 32 rounds
• 64-bit block size
• 256-bit key length
• K=K0||K1||K2||K3||K4||K5||K6||K7
• No key schedule


Reverse Order!
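The structure on this slide as an added Python sketch (not code from the talk or the paper): a 2-branch Feistel network over 32-bit words, 32 rounds, round keys taken straight from K0..K7 with the last eight in reverse order. The PRESENT S-box in all eight positions, the word-level (not byte-level) interface and the constructed demo key are assumptions of this example.

```python
# Added example: GOST 28147-89 Feistel structure on 32-bit words.
MASK32 = 0xFFFFFFFF
# Assumption: the PRESENT S-box is used for all eight S-box positions.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed demo key: eight 32-bit words K0..K7 (256 bits in total).
DEMO_KEY = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(8)]


def key_order():
    """Round-key indices: K0..K7 three times, then K7..K0 (reverse order)."""
    return list(range(8)) * 3 + list(range(7, -1, -1))


def s_layer(word, sbox):
    """Apply a 4-bit S-box to each of the eight nibbles of a 32-bit word."""
    out = 0
    for i in range(8):
        out |= sbox[(word >> (4 * i)) & 0xF] << (4 * i)
    return out


def round_f(r, k, sbox=PRESENT_SBOX):
    """Round function: add the round key mod 2^32, S-layer, rotate left by 11."""
    t = s_layer((r + k) & MASK32, sbox)
    return ((t << 11) | (t >> 21)) & MASK32


def crypt(left, right, key_words, order, sbox=PRESENT_SBOX):
    """Run the Feistel rounds with round keys taken in the given order."""
    if len(key_words) != 8:
        raise ValueError("key must be eight 32-bit words")
    for idx in order:
        left, right = right, left ^ round_f(right, key_words[idx], sbox)
    return right, left  # undo the swap performed by the last round


def encrypt(left, right, key_words):
    """Encrypt one 64-bit block given as two 32-bit halves."""
    return crypt(left, right, key_words, key_order())


def decrypt(left, right, key_words):
    """Decrypt by running the same rounds with the key order reversed."""
    return crypt(left, right, key_words, key_order()[::-1])
```

Because there is no key schedule, decryption needs nothing beyond the same eight key words read in the opposite order.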


GOST II


S-boxes not specified!


• Design goal: flexible security level (possibly security concerns)
• Selection of S-boxes is part of key
• 28·16! possible sets
• => 354 additional key bits
• But! set revealed by 2^32 chosen keys
• No restrictions for S-boxes


Proper choice of S-boxes is crucial!


A Proper Choice

One example is the set of S-boxes used by the Central Bank of Russian Federation

Another standard-conforming example is to use the PRESENT S-box 8 times


            max DC             max SbW
GOST-FB     6 6 6 6 4 6 8 8    8 12 12 12 12 12 12 12
GOST-PS     4                  8
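How the two figures of merit for an S-box can be computed, as an added Python example (not code from the talk): it assumes "max DC" is the largest difference-distribution-table entry for a non-zero input difference and "max SbW" is the largest absolute Walsh coefficient for a non-zero output mask. The identity S-box is a constructed worst case showing what "no restrictions for S-boxes" permits.

```python
# Added example: differential and linear quality metrics for a 4-bit S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY_SBOX = list(range(16))  # constructed worst case: a linear S-box


def parity(v):
    """XOR of all bits of v, i.e. a dot product over GF(2)."""
    return bin(v).count("1") & 1


def max_dc(sbox):
    """Largest DDT entry over all non-zero input differences."""
    best = 0
    for din in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        best = max(best, max(counts))
    return best


def max_sbw(sbox):
    """Largest absolute Walsh coefficient over all non-zero output masks b."""
    best = 0
    for b in range(1, 16):
        for a in range(16):
            w = sum(1 - 2 * parity((a & x) ^ (b & sbox[x])) for x in range(16))
            best = max(best, abs(w))
    return best


def rate(sbox):
    """Summarise one S-box: bijectivity, max DC and max SbW."""
    if len(sbox) != 16 or any(not 0 <= v < 16 for v in sbox):
        raise ValueError("expected sixteen 4-bit values")
    return {"bijective": sorted(sbox) == list(range(16)),
            "max_dc": max_dc(sbox), "max_sbw": max_sbw(sbox)}
```

Lower values are better: a value of 16 for either metric means some difference or linear approximation holds with certainty.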


Implementation Comments

• In RFID scenarios key is most likely fixed
• store key in EEPROM etc
• hardwire key
• if key update needed
• additional 256 FF required

Implementation Results I

UMCL18G212T3 library

[Figure: GOST round function (Li, Ri, Ki, Li+1, Ri+1, 32 bits each, S-layer, <<11) with two S-layer variants, GOST-FB and GOST-PS: one built from S-boxes S1 to S8, the other from eight copies of a single S-box S. Serialized datapath with labels: input, output, State L [Reg-4/32], State R [Reg-4/32], S-layer, +, <<11, >>11, round keys k0 to k7, NLFSR [3 bit], counter [5 bit], control, reset, done.]

• serial, 264 CLK: 651 GE, 800 GE
• round, 32 CLK: 1017 GE, 1000 GE

Implementation Results II

[Figure: bar chart of area in GE (axis from 0 to 3.500) for PRINTcipher-48, KTANTAN48, GOST-PS, KATAN48, PRESENT, AES(tbp), AES, PRINTcipher-96 and GOST-FB; bar labels 80, 80, 256, 160, 80, 128, 128, 80, 256]


Conclusions

• First hardware implementation of GOST 28147-89
• GOST 28147-89:
  • has been standardized since 1989
  • survived 21 years of cryptanalysis
  • has a very compact hardware area footprint (651 GE)
  • has a key length of 256 bits


GOST seems to be suitable for low-cost yet highly secure applications


Thank you!

Axel Poschmann
Division of Mathematical Sciences
Nanyang Technological University
SPMS-MAS-04-20, 50 Nanyang Avenue
Singapore 639798
T (65) 6513-7459 GMT+8h
www.ntu.edu.sg/home/aposchmann/

Questions?