Symmetric Cryptography Research
Overview
Research on symmetric cryptography pursues two basic goals: learning how to break existing ciphers (cryptanalysis), and learning how to design a cipher that is secure against the known attacks.
We study the cryptanalysis and security evaluation of ciphers. As a result, we have developed large-scale cipher evaluation systems and new cryptanalytic methods based on differentials and higher-order differentials, among others.
We also study design methodology for ciphers. Our CIPHERUNICORN was selected as one of the recommended cipher algorithms by CRYPTREC (*1). We are currently focusing on lightweight ciphers suitable for embedded systems and IC cards.
Furthermore, we study block cipher modes of operation, which are methods for realizing a concrete security function using a block cipher algorithm (such as AES) as a building block. One of our results is a fast message authentication code (MAC) called PC-MAC. An instantiation based on AES, PC-MAC-AES, is now under evaluation by CRYPTREC.
In addition to these algorithm-oriented topics, we study side-channel attacks, which exploit physical side-channel information obtained from cryptographic modules. Timing, power consumption, and electromagnetic emanation are examples of side-channel information. We research both analysis techniques and protections.
- (*1) A crypto-standardization project for the Japanese e-government
Cryptanalysis
The security of a symmetric-key encryption scheme is basically assured by the size of the key: exhaustive search over all keys always finds the correct one, but its time complexity is impractically large if the key is sufficiently long.
The goal of a cryptanalyst is therefore to find a shortcut: a key-finding procedure faster than exhaustive search that exploits a structural flaw in the encryption algorithm. Security evaluation in practice is a search for possible shortcuts, and an encryption algorithm is practically secure when no one has found a shortcut. We have been working on the security evaluation of various algorithms and feeding the results back into cipher designs.
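Differential cryptanalysis, one of the methods mentioned in the overview, is a typical source of such shortcuts, and the first thing an evaluator computes for a cipher's S-box is its difference distribution table (DDT). The following is an added example written for this page, not NEC's evaluation system; it uses the public 4-bit S-box of the PRESENT block cipher purely as a concrete input (PRESENT is not a NEC cipher), builds the DDT, derives the differential uniformity, lists the best single-S-box differentials, and bounds the probability of a single-path characteristic over several active S-boxes. The acceptance threshold of 4 is the best value any bijective 4-bit S-box can reach.

```python
from typing import List, Tuple

# Public 4-bit S-box of the PRESENT block cipher (not a NEC cipher), used
# here only as a concrete input for the evaluation routines below.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def difference_distribution_table(sbox: List[int]) -> List[List[int]]:
    """DDT[a][b] = number of inputs x such that S(x) ^ S(x ^ a) == b.

    Row a describes how an input difference a propagates through the S-box;
    DDT[a][b] / len(sbox) is the probability of the differential a -> b.
    """
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            ddt[a][sbox[x] ^ sbox[x ^ a]] += 1
    return ddt


def differential_uniformity(sbox: List[int]) -> int:
    """Largest DDT entry over non-zero input differences (smaller is better)."""
    n = len(sbox)
    ddt = difference_distribution_table(sbox)
    return max(ddt[a][b] for a in range(1, n) for b in range(n))


def best_differentials(sbox: List[int]) -> List[Tuple[int, int, int]]:
    """All (input diff, output diff, count) triples that reach the uniformity bound."""
    n = len(sbox)
    ddt = difference_distribution_table(sbox)
    u = differential_uniformity(sbox)
    return [(a, b, ddt[a][b]) for a in range(1, n) for b in range(n) if ddt[a][b] == u]


def characteristic_probability(sbox: List[int], active_sboxes: int) -> float:
    """Upper bound on the probability of a single-path differential characteristic
    passing through the given number of active S-boxes: (u / n) ** active_sboxes.
    A cipher designer chooses enough rounds that this bound, combined with the
    minimum number of active S-boxes, drops far below the exhaustive-search cost."""
    return (differential_uniformity(sbox) / len(sbox)) ** active_sboxes


def is_acceptable_sbox(sbox: List[int], max_uniformity: int = 4) -> bool:
    """Designer's check: the S-box must be a bijection whose uniformity is within the bound.
    For 4-bit bijective S-boxes, 4 is the best achievable value."""
    n = len(sbox)
    return sorted(sbox) == list(range(n)) and differential_uniformity(sbox) <= max_uniformity


if __name__ == "__main__":
    print("differential uniformity:", differential_uniformity(PRESENT_SBOX))
    print("best differentials (a, b, count):", best_differentials(PRESENT_SBOX))
    print("acceptable:", is_acceptable_sbox(PRESENT_SBOX))
```

The same routines apply unchanged to any n-bit S-box given as a lookup table; for an 8-bit S-box the DDT has 256 rows and the designer's threshold is correspondingly different.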
Designing block cipher and mode of operation
CIPHERUNICORN block cipher family
CIPHERUNICORN is a family of block ciphers developed by NEC. It includes a 128-bit block cipher, CIPHERUNICORN-A, and a 64-bit block cipher, CIPHERUNICORN-E, among others. The round functions of these ciphers are carefully designed to provide good cryptographic properties with the help of extensive statistical testing. CIPHERUNICORN-A and CIPHERUNICORN-E are included in the CRYPTREC recommendation list.
Ultra-lightweight block cipher, TWINE
With the recent spread of tiny computing devices such as cell phones and IC cards, encryption algorithms that can work with small hardware logic or little software memory have become increasingly important. To fulfill such needs, we developed an ultra-lightweight block cipher called TWINE.
TWINE is based on a generalized Feistel structure (GFS), a classical approach to block cipher design.
GFS enables quite small implementations in both software and hardware; however, it generally requires many rounds to make the resulting cipher sufficiently secure. TWINE employs an improved variant of GFS to overcome this drawback. As a result, TWINE is ultra-lightweight while keeping sufficient speed.
TWINE was proposed at the Workshop on Lightweight Cryptography 2011 held by ECRYPT, a European crypto-technology evaluation project. It can be implemented within 1.5 KGates in hardware, which is comparable to other lightweight block cipher candidates. Moreover, TWINE can be implemented on low-end microcontrollers thanks to its small memory consumption. These characteristics make it possible to realize secure encryption and authentication for cars, RFIDs, sensor networks, and so on. The details of TWINE are provided here.
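The "many rounds" drawback of the classical GFS and the effect of an improved sub-block shuffle can be measured directly by tracking which input sub-blocks each output sub-block depends on. The following added example is written for this page and is neither NEC's code nor the TWINE reference implementation. It counts the rounds a Type-2 GFS needs for full diffusion under the classical cyclic shift versus a 16-nibble shuffle, and then runs a toy GFS cipher forward and backward to show that the structure inverts cheaply. Assumptions: TWINE_SHUFFLE is the block shuffle as the author of this example recalls it from the TWINE specification and should be checked against the spec; TOY_SBOX and the round keys are constructed for the demonstration and are not TWINE's S-box or key schedule.

```python
from typing import List, Optional

# Block shuffle of TWINE's 16-nibble Type-2 GFS as this example's author
# recalls it from the TWINE specification (an assumption; verify against the
# spec): the nibble at position i moves to position TWINE_SHUFFLE[i].
TWINE_SHUFFLE = [5, 0, 1, 4, 7, 12, 3, 8, 13, 6, 9, 2, 15, 10, 11, 14]

# Constructed bijective 4-bit S-box for the toy round function; it is not
# TWINE's S-box, and any bijection serves the structural demonstration.
TOY_SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
            0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def cyclic_shift(k: int) -> List[int]:
    """Classical Type-2 GFS shuffle: rotate the k sub-blocks one position to the left."""
    return [(i - 1) % k for i in range(k)]


def diffusion_rounds(shuffle: List[int], limit: int = 64) -> Optional[int]:
    """Rounds until every output sub-block depends on every input sub-block.

    A Type-2 GFS round computes X[2j+1] ^= F(X[2j]) for every pair and then
    applies the shuffle. Only dependency sets are tracked, not values.
    Returns None if full diffusion is not reached within `limit` rounds.
    """
    k = len(shuffle)
    worst = 0
    for start in range(k):
        deps = {start}
        rounds = 0
        while len(deps) < k:
            rounds += 1
            if rounds > limit:
                return None
            # F(X[2j]) feeds X[2j+1], so an even position spreads to its partner.
            after_f = set(deps) | {i + 1 for i in deps if i % 2 == 0}
            deps = {shuffle[i] for i in after_f}
        worst = max(worst, rounds)
    return worst


def gfs_encrypt(nibbles: List[int], round_keys: List[List[int]],
                shuffle: List[int] = TWINE_SHUFFLE) -> List[int]:
    """Toy Type-2 GFS: per round, X[2j+1] ^= S(X[2j] ^ rk[j]), then shuffle."""
    x = list(nibbles)
    k = len(x)
    for rk in round_keys:
        for j in range(k // 2):
            x[2 * j + 1] ^= TOY_SBOX[x[2 * j] ^ rk[j]]
        y = [0] * k
        for i in range(k):
            y[shuffle[i]] = x[i]
        x = y
    return x


def gfs_decrypt(nibbles: List[int], round_keys: List[List[int]],
                shuffle: List[int] = TWINE_SHUFFLE) -> List[int]:
    """Inverse: undo the shuffle, then XOR the same F outputs back (no inverse S-box needed)."""
    x = list(nibbles)
    k = len(x)
    for rk in reversed(round_keys):
        y = [x[shuffle[i]] for i in range(k)]
        for j in range(k // 2):
            y[2 * j + 1] ^= TOY_SBOX[y[2 * j] ^ rk[j]]
        x = y
    return x


if __name__ == "__main__":
    print("cyclic shift, 16 nibbles:", diffusion_rounds(cyclic_shift(16)), "rounds")
    print("TWINE-style shuffle     :", diffusion_rounds(TWINE_SHUFFLE), "rounds")
    keys = [[(3 * r + 5 * j) & 0xF for j in range(8)] for r in range(8)]  # constructed
    pt = list(range(16))
    ct = gfs_encrypt(pt, keys)
    print("round trip ok:", gfs_decrypt(ct, keys) == pt)
```

Because the round function is only XORed in, decryption reuses the forward S-box, which is why a GFS suits hardware with a single small S-box instance; the diffusion count shows why the choice of shuffle, not the round function, decides how many such rounds are needed.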
Block cipher mode of operation | Message authentication code
When one wants to implement a concrete security function (e.g. encryption of variable-length messages) using a block cipher, a mode of operation is needed: for example, the CBC and CTR modes for encryption, and CBC-MAC for a message authentication code (MAC).
We research modes that provide better security and efficiency than previous ones. One of our proposals is a fast MAC mode using AES, called PC-MAC-AES. It is now under evaluation by CRYPTREC.
We have also developed modes for storage encryption (e.g. HDDs) and encryption/authentication modes that remain secure against attacks using huge amounts of computation.
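To make concrete how a mode treats the block cipher as an interchangeable module, the following added example (written for this page; it is not NEC's code and does not describe PC-MAC) implements the two modes named above, CTR encryption and CBC-MAC, over an abstract block-encryption function. Assumptions: the 64-bit block cipher is a constructed 4-round Feistel permutation keyed through SHA-256, standing in for a real cipher such as AES only so the example runs offline; the key, nonce and messages are constructed sample values.

```python
import hashlib
import hmac
from typing import Callable

BLOCK = 8  # the constructed block cipher works on 64-bit blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Constructed keyed round function (not a real cipher's F)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel permutation; the modes below treat it as a black box."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def ctr_crypt(key: bytes, nonce: bytes, data: bytes,
              encrypt_block: Callable[[bytes, bytes], bytes] = toy_encrypt_block) -> bytes:
    """CTR mode: keystream block i = E_K(nonce || i). Encryption and decryption are
    the same operation, and only the forward direction of the cipher is used.
    A nonce must never be reused under the same key: CTR is a stream cipher."""
    if len(nonce) != BLOCK // 2:
        raise ValueError("nonce must be half a block")
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(BLOCK // 2, "big")
        keystream = encrypt_block(key, nonce + counter)
        out += _xor(data[i:i + BLOCK], keystream)  # zip truncates the last block
    return bytes(out)


def cbc_mac(key: bytes, msg: bytes,
            encrypt_block: Callable[[bytes, bytes], bytes] = toy_encrypt_block) -> bytes:
    """CBC-MAC: chain the cipher with a zero IV and output the last block.
    Secure only when all messages under a key have one fixed length, which is
    why dedicated MAC modes for variable-length messages exist."""
    if len(msg) % BLOCK:
        raise ValueError("message length must be a multiple of the block length")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = encrypt_block(key, _xor(state, msg[i:i + BLOCK]))
    return state


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak via timing."""
    return hmac.compare_digest(cbc_mac(key, msg), tag)


if __name__ == "__main__":
    key = b"constructed-key!"          # constructed sample key
    msg = b"constructed sample message"  # 26 bytes: partial last block in CTR
    ct = ctr_crypt(key, b"\x00\x00\x00\x01", msg)
    print("CTR round trip:", ctr_crypt(key, b"\x00\x00\x00\x01", ct) == msg)
    tag = cbc_mac(key, b"0123456789abcdef")
    print("MAC verifies:", verify_mac(key, b"0123456789abcdef", tag))
```

Swapping in a real block cipher only means passing a different encrypt_block callable; the mode logic, the nonce discipline of CTR and the fixed-length restriction of CBC-MAC are properties of the mode, not of the cipher underneath.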
Implementation Attacks
An implementation attack (or side-channel attack, SCA) exploits side-channel information leaked from the target cryptographic device to recover the secret key. Examples of side channels are timing, power consumption, and electromagnetic emanation. We proposed a new type of SCA that works against software, called the cache attack. As its name suggests, it uses timing information obtained from the difference in response speed between main memory and the cache. In 2002 we proposed the concept and demonstrated the feasibility of the cache attack. Since then the cache attack has been intensively studied, and it is now one of the most common software SCAs.
We have recently been researching SCAs against hardware crypto modules. Specifically, we study SCAs using power consumption and electromagnetic emanation against the SASEBO (*1) board and contactless IC cards.
(*1) A standard SCA evaluation board developed by the National Institute of Advanced Industrial Science and Technology (AIST) and Tohoku University.