Special-purpose Hardware for Attacking Cryptographic Systems Caesar: Cryptanalysis of the Full Aes Using Gpu-like Hardware *
نویسندگان
چکیده
The block cipher Rijndael has undergone more than ten years of extensive cryptanalysis since its submission as a candidate for the Advanced Encryption Standard (AES) in April 1998. To date, most of the publicly-known cryptanalytic results are based on reduced-round variants of the AES (respectively Rijndael) algorithm. Among the few exceptions that target the full AES are the Related-Key Cryptanalysis (RKC) introduced at ASIACRYPT 2009 and attacks exploiting TimeMemory-Key (TMK) trade-offs such as demonstrated at SAC 2005. However, all these attacks are generally considered infeasible in practice due to their high complexity (i.e. 299.5 AES operations for RKC, 280 for TMK). In this paper, we evaluate the cost of cryptanalytic attacks on the full AES when using special-purpose hardware in the form of multi-core AES processors that are designed in a similar way as modern Graphics Processing Units (GPUs) such as the NVIDIA GT200b. Using today’s VLSI technology would allow for the implementation of a GPU-like processor reaching a throughput of up to 1012 AES operations per second. An organization able to spend one trillion US$ for designing and building a supercomputer based on such processors could theoretically break the full AES in a time frame of as little as one year when using RKC, or in merely one month when performing a TMK attack. We also analyze different time-cost trade-offs and assess the implications of progress in VLSI technology under the assumption that Moore’s law will continue to hold for the next ten years. These assessments raise some concerns about the long-term security of the AES.
منابع مشابه
Cryptanalysis of the Full AES Using GPU-Like Special-Purpose Hardware
The block cipher Rijndael has undergone more than ten years of extensive cryptanalysis since its submission as a candidate for the Advanced Encryption Standard (AES) in April 1998. To date, most of the publicly-known cryptanalytic results are based on reduced-round variants of the AES (respectively Rijndael) algorithm. Among the few exceptions that target the full AES are the Related-Key Crypta...
متن کاملHardware Performance of ELmD and ELmD(6,6)
ELmD (Encrypt-Linear mix-Decrypt) is a blockcipher based efficient authenticated encryption scheme, which is nonce misuse resistant, fully pipeline implementable. ELmD is a candidate for CAESAR competition and it has been selected for the second round. In this document, we first consider two versions of ELmDv2.0 (i) ELmD: full 10-round AES encryptiondecryption, no intermediate tag, fixed tag si...
متن کاملCryptanalysis of some first round CAESAR candidates
ΑΕS _ CMCCv₁, ΑVΑLΑNCHEv₁, CLΟCv₁, and SILCv₁ are four candidates of the first round of CAESAR. CLΟCv₁ is presented in FSE 2014 and SILCv₁ is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against ΑES _ CMCCv₁ with the complexity of two queries and the success ...
متن کاملDifferential Power Analysis: A Serious Threat to FPGA Security
Differential Power Analysis (DPA) implies measuring the supply current of a cipher-circuit in an attempt to uncover part of a cipher key. Cryptographic security gets compromised if the current waveforms obtained correlate with those from a hypothetical power model of the circuit. As FPGAs are becoming integral parts of embedded systems and increasingly popular for cryptographic applications and...
متن کاملHeuristic Tool for Linear Cryptanalysis with Applications to CAESAR Candidates
Differential and linear cryptanalysis are the general purpose tools to analyze various cryptographic primitives. Both techniques have in common that they rely on the existence of good differential or linear characteristics. The difficulty of finding such characteristics depends on the primitive. For instance, AES is designed to be resistant against differential and linear attacks and therefore,...
متن کامل