Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS
Hirosato Tsuji, Toshio Tokita
Mitsubishi Electric Corporation
2000/08/01 48th IETF, Pittsburgh, PA, USA 2
Presentation Agenda
Block Cipher “MISTY1” --- by Toshio Tokita
Current Status and Next Steps of MISTY1 to support TLS --- by Hirosato Tsuji
Overview
Secret-key block cipher
64-bit block, 128-bit key, a variable number of rounds (8 rounds recommended)
Proposed by M. Matsui (Mitsubishi) in 1996 at the Fast Software Encryption Workshop “FSE4”
Widely used in many applications:
– Governmental applications: public transportation systems, secure network systems, etc.
– Commercial products: S/MIME e-mail software, VPN (routers/hubs), encryption LSI, PKI software & services, etc.
Recent News
“KASUMI” has been adopted as a mandatory algorithm for data confidentiality and data integrity in W-CDMA by 3GPP (March 2000).
KASUMI will also be used in current GSM systems as an alternative to A5.
KASUMI is a variant of MISTY1 designed for W-CDMA systems.
“KASUMI” = “MIST”
3GPP: 3rd Generation Partnership Project
Pointers
ISO 9979 No. 13 (algorithm registration)
URL for Internet-Draft: http://www.ietf.org/internet-drafts/draft-ohta-misty1desc-02.txt
Specifications: http://www.mitsubishi.com/ghp_japan/misty/misty_e_b.pdf
Royalty Free License: http://www.mitsubishi.com/ghp_japan/misty/licensee.htm
The MISTY1 essential patent is licensed under royalty-free conditions.
Design Criteria
High security:
– Provable security against differential and linear cryptanalysis
Multi platform:
– High speed in both software and hardware implementations
Compact:
– Low gate count and low power consumption in hardware
High security
MISTY1 is designed to be highly secure as a 64-bit block cipher; in particular, to be provably secure against differential and linear cryptanalysis.
Powerful Cryptographic Attacks
Differential Cryptanalysis (Biham, Shamir 1990)
– First DES attack faster than an exhaustive key search
Linear Cryptanalysis (Matsui 1993)
– First successful computer experiment for breaking DES
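Bounds of this kind are built from the maximum differential and linear probabilities of a cipher's S-boxes. The following added example (not from the original slides or from Mitsubishi) computes both quantities for a stand-in 7-bit S-box, the cube map over GF(2^7); `POLY`, `SBOX` and the function names are assumptions for illustration, and the table is not MISTY1's S7.

```python
from fractions import Fraction

# Stand-in 7-bit S-box (assumption): the cube map x -> x^3 over GF(2^7).
# This is NOT MISTY1's S7 table, which this page does not reproduce.
N = 7
POLY = 0x83  # x^7 + x + 1, irreducible over GF(2)
PARITY = [bin(v).count("1") & 1 for v in range(1 << N)]

def gf_mul(a, b):
    """Multiply two elements of GF(2^7) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

SBOX = [gf_mul(x, gf_mul(x, x)) for x in range(1 << N)]

def max_differential_probability(sbox):
    """Max over dx != 0 and all dy of Pr[S(x) ^ S(x ^ dx) == dy]."""
    size, best = len(sbox), 0
    for dx in range(1, size):
        row = [0] * size  # one row of the difference distribution table
        for x in range(size):
            row[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(row))
    return Fraction(best, size)

def max_linear_probability(sbox):
    """Max over input masks a and output masks b != 0 of (2*Pr[a.x == b.S(x)] - 1)^2."""
    size, best = len(sbox), 0
    for b in range(1, size):
        # Signs (-1)^(b.S(x)), then a fast Walsh-Hadamard transform over x
        w = [1 - 2 * PARITY[b & y] for y in sbox]
        h = 1
        while h < size:
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        best = max(best, max(abs(v) for v in w))
    return Fraction(best, size) ** 2

if __name__ == "__main__":
    print("max differential probability:", max_differential_probability(SBOX))
    print("max linear probability:", max_linear_probability(SBOX))
```

For this stand-in both values are 1/64, the smallest a 7-bit permutation of this type can reach; a randomly chosen table scores noticeably worse on both measures.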
Multi Platform
MISTY1 is designed to be sufficiently fast in both software and hardware implementations.
Ex1) Pentium III (800MHz) (Assembly Language Program)
Encryption speed 230Mbps
Ex2) ASIC H/W (Mitsubishi 0.35 micron CMOS Design Library)
Encryption speed 800Mbps
Gate size 50Kgates
Compact
Encryption/decryption logic of MISTY1 can be realized in a very compact size.
Ex) ASIC (Mitsubishi 0.35 micron CMOS Design Library)
Gate size 7.6Kgates
Encryption speed 72Mbps
Note: A requirement for the W-CDMA encryption algorithm: “gate size must be smaller than 10Kgates”
Structure of MISTY
[Figure: Structure of MISTY1, from plain text to cipher text, built from FO and FL blocks; Recursive structure 1 (FO function), built from FI blocks; Recursive structure 2 (FI function), built from S9 and S7. Width labels in the figure: 32, 16, 9, 7.]
Hardware
[Figure: hardware with labelled blocks: M16C core (CPU), Memory, Rnd. Num. Gen., RSA core, MISTY1 core]
Current Status and Next Steps of MISTY1 to support TLS
Hirosato Tsuji
Mitsubishi Electric Corporation
Summary
What is MISTY1?
– High security, Multi platform, Compact, Block cipher
In this presentation
– Actual Application of MISTY1
– Proposal of MISTY1
– Current Status to support TLS
– Next Steps to support TLS
Actual Application of MISTY1 (1)
Secure E-mail Systems
S/MIME-based e-mail application
Extended S/MIME V2 specification
Implemented by Mitsubishi and other Japanese vendors
Interoperability had been confirmed between these vendors
Actual Application of MISTY1 (2)
Secure Web Access Systems
Secure Web Access Systems
– provide authentication, access control, integrity and confidentiality
Implemented on HTTP and TCP (sorry, not on TLS)
Content is encrypted by MISTY1
Actual Application of MISTY1 (3)
Other Apps based on MISTY Toolkit
MISTY Cryptographic / PKI Toolkit
– Content Encryption Algorithm in PKCS #7
– Encryption Scheme (Symmetric Cipher) for PKCS #5 Password-based Encryption
Other Apps implemented on Toolkit
– Secure Contents Distribution Systems
– Governmental Services
Proposal of MISTY1
As ONE of block ciphers of Cipher Suites for TLS 1.0
Reason to use MISTY1
– Suitable Block Cipher
– Royalty Free License
– Applied to Actual Internet Applications
Current Status to support TLS
Submit Internet Draft of Description of MISTY1
– posted.
Make a presentation of MISTY1 at 48th IETF, Pittsburgh, PA
– now.
Next Steps to support TLS
Proceed Internet Draft of Description of MISTY1 to Informational RFC
Submit Internet Draft of MISTY1-based Cipher Suites for TLS 1.0
Request TLS WG to assign the Register Number of these Cipher Suites