Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-13 Thread Ryan Carboni
On Tue, May 12, 2015 at 5:00 PM, d...@deadhat.com wrote:

 
  There is a very simple way around this. Block XXTEA introduced a new
  method
 [snip]
 
  Although for the internet and smart cards, data packets are small enough
  for 64 bit blocks not to matter as long as you rekey between packets.
 

 To paraphrase Bowman: "Oh my God. It's full of integer adders!"
 Integer adders don't pass the sniff test for lightweight hardware.

 Alas, the world isn't just the internet and smart cards. We are throwing
 crypto on silicon as fast as we can to address the many threats to
 computer hardware. No one block size is correct.



Did you somehow miss the suggestion to convert AES to the same method by
using XORs?
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-12 Thread dj

 On the lightweight side, I get the impression that block ciphers are
 also a big topic, but that there isn't a ton of work being done
 there... besides the NSA ciphers, SIMON and SPECK. John Kelsey
 mentioned these at RWC. The NSA came to NIST and said "Check out these
 ciphers!" and NIST said "Those look cool, but please publish them for
 academic review so we're not favoring you in any way."  So they did.
 But now the onus is on the community to analyze them and either poke
 holes in them or present something better.

 -tom


Simon and Speck have had quite a few cryptanalyses published and time has
passed. Simon is a lovely thing to implement in hardware. It goes up to
256,128 key and data size and is more efficient than AES in that
configuration by about a factor of 3 in hardware for the same performance.

If you don't read ISO specs for amusement (I can't blame you, they charge
money) PRESENT and CLEFIA are approved lightweight ciphers in ISO. But
they aren't as lightweight as Simon.

So all other things being equal, it seems to have something over PRESENT,
CLEFIA and AES. But all other things are not equal. The parentage is
unfortunate, because as an implementor, I really want Simon to make it
into the standards space, enabling us to deploy it in products where
standards compliance is mandatory.

My request to Doug Shors (who was at SC27 last week promoting Simon and
Speck for WG2) was - Add the missing 256 bit block size. It's the same
Achilles heel that AES has. The maximum block size is too small. The idea
that there is a need for lightweight crypto has poisoned the design of
lightweight ciphers. They are efficient ciphers, whether with small or big
key sizes or small or big block sizes. The more tasteful ones are smoothly
scalable in terms of width, unrolling and pipelining. But when they stop
at 64 bit block sizes or 128 bit key sizes, they limit deployability
and performance.

David




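Simon128/256, the 128-bit block, 256-bit key configuration the message singles out, written from the published Simon and Speck specification as an added example (this is not code from the message's author or the cipher's designers). The round function is two rotations ANDed together, a third rotation and XORs, with no integer addition, which is what keeps it cheap in hardware; the key schedule for four key words uses the z4 constant sequence and the known-answer vector is the one printed in the specification.

```c
#include <stdint.h>
#include <stdio.h>

/* Simon128/256: word size n = 64, key words m = 4, T = 72 rounds, z_4. */
#define SIMON_ROUNDS 72
#define SIMON_KEYWORDS 4

/* Constant sequence z_4 from the specification, indexed left to right. */
static const char *SIMON_Z4 =
    "11010001111001101011011000100000010111000011001010010011101111";

static uint64_t rotl64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }
static uint64_t rotr64(uint64_t x, unsigned r) { return (x >> r) | (x << (64 - r)); }

/* Round function: rotations, one AND and XORs; no adders anywhere. */
static uint64_t simon_f(uint64_t x) {
    return (rotl64(x, 1) & rotl64(x, 8)) ^ rotl64(x, 2);
}

/* Key schedule. key[0] is the least significant key word; the spec prints
 * the key most significant word first, so the KAT below reverses it. */
void simon128_256_expand(const uint64_t key[SIMON_KEYWORDS], uint64_t rk[SIMON_ROUNDS]) {
    for (int i = 0; i < SIMON_KEYWORDS; i++) rk[i] = key[i];
    for (int i = SIMON_KEYWORDS; i < SIMON_ROUNDS; i++) {
        uint64_t tmp = rotr64(rk[i - 1], 3);
        tmp ^= rk[i - 3];                 /* extra tap used only when m == 4 */
        tmp ^= rotr64(tmp, 1);
        /* the spec's constant c = 2^64 - 4 equals ~3, so c ^ k == ~k ^ 3 */
        rk[i] = ~rk[i - 4] ^ tmp ^ (uint64_t)(SIMON_Z4[(i - 4) % 62] - '0') ^ 3;
    }
}

/* Encrypt one block (x = left word, y = right word) in place. */
void simon128_256_encrypt(const uint64_t rk[SIMON_ROUNDS], uint64_t *x, uint64_t *y) {
    uint64_t a = *x, b = *y;
    for (int i = 0; i < SIMON_ROUNDS; i++) {
        uint64_t t = a;
        a = b ^ simon_f(a) ^ rk[i];
        b = t;
    }
    *x = a; *y = b;
}

/* Decrypt: same round function applied with the round keys in reverse. */
void simon128_256_decrypt(const uint64_t rk[SIMON_ROUNDS], uint64_t *x, uint64_t *y) {
    uint64_t a = *x, b = *y;
    for (int i = SIMON_ROUNDS - 1; i >= 0; i--) {
        uint64_t t = b;
        b = a ^ simon_f(b) ^ rk[i];
        a = t;
    }
    *x = a; *y = b;
}

/* Known-answer test from the Simon and Speck specification. Returns 1 on pass:
 * key 1f1e...1918 1716...1110 0f0e...0908 0706...0100,
 * plaintext 74206e69206d6f6f 6d69732061207369,
 * ciphertext 8d2b5579afc8a3a0 3bf72a87efe7b868. */
int simon128_256_kat(void) {
    const uint64_t key[SIMON_KEYWORDS] = {
        0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
        0x1716151413121110ULL, 0x1f1e1d1c1b1a1918ULL };
    uint64_t x = 0x74206e69206d6f6fULL, y = 0x6d69732061207369ULL;
    uint64_t rk[SIMON_ROUNDS];
    simon128_256_expand(key, rk);
    simon128_256_encrypt(rk, &x, &y);
    if (x != 0x8d2b5579afc8a3a0ULL || y != 0x3bf72a87efe7b868ULL) return 0;
    simon128_256_decrypt(rk, &x, &y);
    return x == 0x74206e69206d6f6fULL && y == 0x6d69732061207369ULL;
}

int main(void) {
    int ok = simon128_256_kat();
    printf("Simon128/256 known-answer test: %s\n", ok ? "pass" : "FAIL");
    return ok ? 0 : 1;
}
```

Build with `cc -std=c99 -O2 simon.c`. Each round touches only one 64-bit AND and a handful of XORs per word, which is the hardware argument made above; the block-size point stands too, since even this largest variant stops at a 128-bit block.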


Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-12 Thread Ryan Carboni
Don't be ridiculous, NIST providing standards that people care to
standardize?


Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-12 Thread Ryan Carboni
On Tue, May 12, 2015 at 1:19 AM, d...@deadhat.com wrote:


  On the lightweight side, I get the impression that block ciphers are
  also a big topic, but that there isn't a ton of work being done
  there... besides the NSA ciphers, SIMON and SPECK. John Kelsey
  mentioned these at RWC. The NSA came to NIST and said "Check out these
  ciphers!" and NIST said "Those look cool, but please publish them for
  academic review so we're not favoring you in any way."  So they did.
  But now the onus is on the community to analyze them and either poke
  holes in them or present something better.
 
  -tom
 

 Simon and Speck have had quite a few cryptanalyses published and time has
 passed. Simon is a lovely thing to implement in hardware. It goes up to
 256,128 key and data size and is more efficient than AES in that
 configuration by about a factor of 3 in hardware for the same performance.

 If you don't read ISO specs for amusement (I can't blame you, they charge
 money) PRESENT and CLEFIA are approved lightweight ciphers in ISO. But
 they aren't as lightweight as Simon.

 So all other things being equal, it seems to have something over PRESENT,
 CLEFIA and AES. But all other things are not equal. The parentage is
 unfortunate, because as an implementor, I really want Simon to make it
 into the standards space, enabling us to deploy it in products where
 standards compliance is mandatory.

 My request to Doug Shors (who was at SC27 last week promoting Simon and
 Speck for WG2) was - Add the missing 256 bit block size. It's the same
 Achilles heel that AES has. The maximum block size is too small. The idea
 that there is a need for lightweight crypto has poisoned the design of
 lightweight ciphers. They are efficient ciphers, whether with small or big
 key sizes or small or big block sizes. The more tasteful ones are smoothly
 scalable in terms of width, unrolling and pipelining. But when they stop
 at 64 bit block sizes or 128 bit key sizes, they limit deployability
 and performance.

 David







There is a very simple way around this. Block XXTEA introduced a new method
of operation, since folks seem to be renaming primitives (someone decided
to call Block Cipher Spices Tweaks) so let's call it Cipher Round
Chaining. Basically a simple cryptographic function is turned into a
circular feistel array. In the event that people complain this breaks
hardware, I just want to remind everyone that much cryptography is done
through instruction sets, and making a single call for a round function.
It's quite possible that one could achieve the same security of AES CBC in
fewer rounds using Block XXTEA chaining, without the probabilistic risk of
plaintext leakage. Block XXTEA also has some nice data integrity
properties, so if the first few words were a shared authentication
secret, it could be easy to reject encryptions that don't match the secret.

Although for the internet and smart cards, data packets are small enough
for 64 bit blocks not to matter as long as you rekey between packets.
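Block XXTEA as published by Wheeler and Needham (the corrected Block TEA), added here as an example to show the whole-message chaining the post refers to; it is not code from the post's author. The message of n 32-bit words is treated as a single block, each word is mixed with both of its circular neighbours on every pass, and the pass count is 6 + 52/n. The sample key and eight-word message are constructed for the demo. The second helper flips one bit of the ciphertext and counts how many plaintext words come back wrong after decryption, which is the "integrity" behaviour mentioned above: in practice most or all words are garbled, and since decryption is a bijection the count is never zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XXTEA_DELTA 0x9e3779b9u
/* Mixing term from the Wheeler/Needham paper: combines the two neighbours
 * y and z, the round sum and one key word selected by (p & 3) ^ e. */
#define XXTEA_MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ \
                  ((sum ^ y) + (key[(p & 3) ^ e] ^ z)))

/* Encrypts v[0..n-1] in place when n > 1, decrypts in place when n < -1. */
void xxtea_btea(uint32_t *v, int n, const uint32_t key[4]) {
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1) {
        rounds = 6 + 52 / n;
        sum = 0;
        z = v[n - 1];                       /* left neighbour of v[0] is v[n-1] */
        do {
            sum += XXTEA_DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < (unsigned)n - 1; p++) {
                y = v[p + 1];
                z = v[p] += XXTEA_MX;
            }
            y = v[0];
            z = v[n - 1] += XXTEA_MX;       /* wrap around: last word sees v[0] */
        } while (--rounds);
    } else if (n < -1) {
        n = -n;
        rounds = 6 + 52 / n;
        sum = rounds * XXTEA_DELTA;
        y = v[0];
        do {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--) {
                z = v[p - 1];
                y = v[p] -= XXTEA_MX;
            }
            z = v[n - 1];
            y = v[0] -= XXTEA_MX;
            sum -= XXTEA_DELTA;
        } while (--rounds);
    }
}

#define MSG_WORDS 8

/* Constructed sample key and message for the demo (not from the thread). */
static const uint32_t demo_key[4] = { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u };
static const uint32_t demo_msg[MSG_WORDS] = { 1, 2, 3, 4, 5, 6, 7, 8 };

/* Returns 1 if decrypt(encrypt(msg)) == msg. */
int xxtea_roundtrip_ok(void) {
    uint32_t buf[MSG_WORDS];
    memcpy(buf, demo_msg, sizeof buf);
    xxtea_btea(buf, MSG_WORDS, demo_key);
    xxtea_btea(buf, -MSG_WORDS, demo_key);
    return memcmp(buf, demo_msg, sizeof buf) == 0;
}

/* Flips bit `bit` of ciphertext word `word`, decrypts, and returns how many
 * of the MSG_WORDS plaintext words came back wrong. Never 0, because
 * decryption is a bijection; but nothing here tells the receiver that the
 * message was tampered with, so this is not a replacement for a MAC. */
int xxtea_tamper_damage(int word, int bit) {
    uint32_t buf[MSG_WORDS];
    int damaged = 0;
    memcpy(buf, demo_msg, sizeof buf);
    xxtea_btea(buf, MSG_WORDS, demo_key);
    buf[word] ^= (uint32_t)1 << bit;
    xxtea_btea(buf, -MSG_WORDS, demo_key);
    for (int i = 0; i < MSG_WORDS; i++) damaged += (buf[i] != demo_msg[i]);
    return damaged;
}

int main(void) {
    printf("round trip: %s\n", xxtea_roundtrip_ok() ? "ok" : "FAIL");
    printf("words damaged after flipping one ciphertext bit: %d of %d\n",
           xxtea_tamper_damage(3, 17), MSG_WORDS);
    return 0;
}
```

The practical caveat: a garbled decryption only helps if the receiver can recognise garbage, and the "shared secret in the first few words" idea gives an attacker a known-plaintext oracle rather than a tag check. A MAC or an AEAD mode is still the way to reject tampered packets.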


Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-12 Thread dj

 There is a very simple way around this. Block XXTEA introduced a new
 method
[snip]

 Although for the internet and smart cards, data packets are small enough
 for 64 bit blocks not to matter as long as you rekey between packets.


To paraphrase Bowman: "Oh my God. It's full of integer adders!"
Integer adders don't pass the sniff test for lightweight hardware.

Alas, the world isn't just the internet and smart cards. We are throwing
crypto on silicon as fast as we can to address the many threats to
computer hardware. No one block size is correct.




Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-11 Thread ianG

On 11/05/2015 17:56 pm, Thierry Moreau wrote:

On 05/09/15 11:18, ianG wrote:

Workshop on Elliptic Curve Cryptography Standards
June 11-12, 2015

Agenda now available!

The National Institute of Standards and Technology (NIST) will host a
Workshop on Elliptic Curve Cryptography Standards at NIST headquarters
in Gaithersburg, MD on June 11-12, 2015.  The workshop will provide a
venue to engage the cryptographic community, including academia,
industry, and government users to discuss possible approaches to promote
the adoption of secure, interoperable and efficient elliptic curve
mechanisms.


I doubt the foremost questions will be addressed:

To which extent NSA influence motivates NIST in advancing the ECC
standards?



John Kelsey, chief of something or other at NIST, gave a pretty 
comprehensive talk on the NSA issue for NIST at Real World Crypto in 
January [0].  My take-away is that they are taking it seriously.


From memory, there wasn't anything directly spotted for the ECC stuff, 
but there has been this rising tide of demand for new curves ... so 
maybe now is the time.




Can independent academia members present hypothetical mathematical
advances (even breakthroughs) that NSA could have made, or could
speculatively expect to make, in order for the NSA to provide the US a
cryptanalysis advance over the rest of the world (central to NSA mission).



If you're saying, can the academics stumble across something that the 
NSA had beforehand, well, of course.  But I'm not sure that's what you mean.



To which extent the table of key size equivalences (between
factoring-based cryptosystems and ECC schemes) is biased for a faster
adoption of ECC (e.g. it makes sense to move to ECC because the
equivalent RSA key sizes are inconvenient)?

NIST has been unquestionably useful for the cryptographic community with
the AES and SHA competitions. The outcome of the former is a widely
deployed improvement over prior symmetric encryption algorithms. The
outcome of the latter appears less attractive for adoption decisions,
but the very challenges of an efficient secure hash algorithm seem to
be the root cause, and not the NIST competition process.

With ECC, I have less confidence in NIST ability to leverage the
cryptographic community contributions.


Yeah, curves look much harder than hashes and ciphers.  But is there a 
better option?



iang

[0] 
http://www.realworldcrypto.com/rwc2015/program-2/RWC-2015-Kelsey-final.pdf?attredirects=0




Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-11 Thread Tony Arcieri
On Tue, May 12, 2015 at 1:56 AM, Thierry Moreau 
thierry.mor...@connotech.com wrote:

 With ECC, I have less confidence in NIST ability to leverage the
 cryptographic community contributions.


One hopes they will recommend the same elliptic curve standards that the
IRTF's CFRG is standardizing for use in e.g. TLS.

Given that, so far, the CFRG has standardized curves developed by djb and
Mike Hamburg, at least to me they feel free of NSA influence.

We'll see what NIST actually ends up doing. Standardizing the CFRG curves
seems like a great way they could help promote interoperability and rebuild
their reputation.

-- 
Tony Arcieri


Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-11 Thread dj
 On Tue, May 12, 2015 at 1:56 AM, Thierry Moreau 
 thierry.mor...@connotech.com wrote:

 With ECC, I have less confidence in NIST ability to leverage the
 cryptographic community contributions.


 One hopes they will recommend the same elliptic curve standards that the
 IRTF's CFRG is standardizing for use in e.g. TLS.

 Given that, so far, the CFRG has standardized curves developed by djb and
 Mike Hamburg, at least to me they feel free of NSA influence.

 We'll see what NIST actually ends up doing. Standardizing the CFRG curves
 seems like a great way they could help promote interoperability and
 rebuild
 their reputation.


The DJB curves are finding traction elsewhere and will be adopted by other
standards bodies that I am involved in (because in part, I'm pushing for
them). The efficiency, simplicity of implementation and acceptance by the
crypto community of these algorithms make for strong arguments in
standards contexts.

NIST's primary problem with ECC is the NIST curves. If they can bring
themselves to move on to curves with better provenance, then progress can
be made with NIST. Otherwise the NIST curves will become obsolete and
superseded by other standards bodies.

There is also the Lightweight Crypto Workshop at NIST. This heavily
overlaps with the ECC thing, because the right options for ECC curves are
also the right options for lightweight crypto.

I'm attending the lightweight Crypto Workshop, but not the ECC Workshop. I
don't have bandwidth for both.

I spoke with Lily Chen of NIST last week (at SC27) about the
Lightweight/ECC overlap and the need for them to move to better curves.
They know what I think.





Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-11 Thread Thierry Moreau

On 05/12/15 00:16, ianG wrote:

On 11/05/2015 17:56 pm, Thierry Moreau wrote:

On 05/09/15 11:18, ianG wrote:

Workshop on Elliptic Curve Cryptography Standards
June 11-12, 2015



I doubt the foremost questions will be addressed:

To which extent NSA influence motivates NIST in advancing the ECC
standards?



John Kelsey, chief of something or other at NIST, gave a pretty
comprehensive talk on the NSA issue for NIST at Real World Crypto in
January [0].  My take-away is that they are taking it seriously.


Thanks for the reminder. I did read one report by NIST on this subject 
and it was already surprising how self-critical NIST was. The above talk 
goes in the same encouraging direction.




 From memory, there wasn't anything directly spotted for the ECC stuff,
but there has been this rising tide of demand for new curves ... so
maybe now is the time.



Can independent academia members present hypothetical mathematical
advances (even breakthroughs) that NSA could have made, or could
speculatively expect to make, in order for the NSA to provide the US a
cryptanalysis advance over the rest of the world (central to NSA
mission).



If you're saying, can the academics stumble across something that the
NSA had beforehand, well, of course.  But I'm not sure that's what you
mean.


Let me try to re-phrase what I meant.

I do not want to push any plot theory without a deep understanding of 
the ECC fundamentals. But recalling that NSA had prior knowledge of 
differential cryptanalysis (versus academia) and prior knowledge of RSA 
and D-H, are there any specific research directions in the ECC field in 
which the NSA could have advance knowledge that would induce them to 
push ECC deployment over factoring-based RSA?




[0]
http://www.realworldcrypto.com/rwc2015/program-2/RWC-2015-Kelsey-final.pdf?attredirects=0



- Thierry



Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-11 Thread Tom Ritter
On 11 May 2015 at 20:13,  d...@deadhat.com wrote:
 There is also the Lightweight Crypto Workshop at NIST. This heavily
 overlaps with the ECC thing, because the right options for ECC curves are
 also the right options for lightweight crypto.

 I'm attending the lightweight Crypto Workshop, but not the ECC Workshop. I
 don't have bandwidth for both.

On the lightweight side, I get the impression that block ciphers are
also a big topic, but that there isn't a ton of work being done
there... besides the NSA ciphers, SIMON and SPECK. John Kelsey
mentioned these at RWC. The NSA came to NIST and said "Check out these
ciphers!" and NIST said "Those look cool, but please publish them for
academic review so we're not favoring you in any way."  So they did.
But now the onus is on the community to analyze them and either poke
holes in them or present something better.

-tom


Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-11 Thread Tony Arcieri
On Tue, May 12, 2015 at 11:14 AM, Thierry Moreau 
thierry.mor...@connotech.com wrote:

 I do not want to push any plot theory without a deep understanding of the
 ECC fundamentals. But recalling that NSA had prior knowledge of
 differential cryptanalysis (versus academia) and prior knowledge of RSA and
 D-H, are there any specific research directions in the ECC field in which
 the NSA could have advance knowledge that would induce them to push ECC
 deployment over factoring-based RSA?


I think it's unlikely that the NSA had advance knowledge of some sort of
class of weak curves / attack in the late '90s and baked that attack into
the NIST curves in such a way that civilian cryptographers are yet to
discover it in 2015.

However, the NIST curves definitely have (unintentional?) security problems
in addition to large mystery constants which do not inspire confidence.
Hence djb and friends / MS / CFRG's desire to have rigid curve generation
guidelines.

Dual EC DRBG smelled much more of a backdoor.


Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-11 Thread Watson Ladd
On Mon, May 11, 2015 at 7:44 PM, Tom Ritter t...@ritter.vg wrote:
 On 11 May 2015 at 20:13,  d...@deadhat.com wrote:
 There is also the Lightweight Crypto Workshop at NIST. This heavily
 overlaps with the ECC thing, because the right options for ECC curves are
 also the right options for lightweight crypto.

 I'm attending the lightweight Crypto Workshop, but not the ECC Workshop. I
 don't have bandwidth for both.

 On the lightweight side, I get the impression that block ciphers are
 also a big topic, but that there isn't a ton of work being done
 there... besides the NSA ciphers, SIMON and SPECK. John Kelsey
 mentioned these at RWC. The NSA came to NIST and said "Check out these
 ciphers!" and NIST said "Those look cool, but please publish them for
 academic review so we're not favoring you in any way."  So they did.
 But now the onus is on the community to analyze them and either poke
 holes in them or present something better.

PRESENT, LED, and a few other proposals have been made in this area.


 -tom



-- 
Man is born free, but everywhere he is in chains.
--Rousseau.


Re: [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-11 Thread Thierry Moreau

On 05/09/15 11:18, ianG wrote:

Workshop on Elliptic Curve Cryptography Standards
June 11-12, 2015

Agenda now available!

The National Institute of Standards and Technology (NIST) will host a
Workshop on Elliptic Curve Cryptography Standards at NIST headquarters
in Gaithersburg, MD on June 11-12, 2015.  The workshop will provide a
venue to engage the cryptographic community, including academia,
industry, and government users to discuss possible approaches to promote
the adoption of secure, interoperable and efficient elliptic curve
mechanisms.


I doubt the foremost questions will be addressed:

To which extent NSA influence motivates NIST in advancing the ECC standards?

Can independent academia members present hypothetical mathematical 
advances (even breakthroughs) that NSA could have made, or could 
speculatively expect to make, in order for the NSA to provide the US a 
cryptanalysis advance over the rest of the world (central to NSA mission).


To which extent the table of key size equivalences (between 
factoring-based cryptosystems and ECC schemes) is biased for a faster 
adoption of ECC (e.g. it makes sense to move to ECC because the 
equivalent RSA key sizes are inconvenient)?


NIST has been unquestionably useful for the cryptographic community with 
the AES and SHA competitions. The outcome of the former is a widely 
deployed improvement over prior symmetric encryption algorithms. The 
outcome of the latter appears less attractive for adoption decisions, 
but the very challenges of an efficient secure hash algorithm seem to 
be the root cause, and not the NIST competition process.


With ECC, I have less confidence in NIST ability to leverage the 
cryptographic community contributions.


- Thierry Moreau


[cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

2015-05-09 Thread ianG

Workshop on Elliptic Curve Cryptography Standards
June 11-12, 2015

Agenda now available!

The National Institute of Standards and Technology (NIST) will host a 
Workshop on Elliptic Curve Cryptography Standards at NIST headquarters 
in Gaithersburg, MD on June 11-12, 2015.  The workshop will provide a 
venue to engage the cryptographic community, including academia, 
industry, and government users to discuss possible approaches to promote 
the adoption of secure, interoperable and efficient elliptic curve 
mechanisms.


Register by June 4, 2015.  There is no on-site registration for meetings 
held at NIST.


Agenda, registration and workshop details are available at the workshop 
website:  http://www.nist.gov/itl/csd/ct/ecc-workshop.cfm





iang (as forwarded by Russ to [saag])