Entries Tagged "Schneier news"


Wanted: Skein Hardware Help

As part of NIST’s SHA-3 selection process, people have been implementing the candidate hash functions on a variety of hardware and software platforms. Our team has implemented Skein in Intel’s 32 nm ASIC process, and got some impressive performance results (presentation and paper). Several other groups have implemented Skein in FPGA and ASIC, and have seen significantly poorer performance. We need help understanding why.

For example, a group led by Brian Baldwin at the Claude Shannon Institute for Discrete Mathematics, Coding and Cryptography implemented all the second-round candidates in FPGA (presentation and paper). Skein performance was terrible, but when they checked their code, they found an error. Their corrected performance comparison (presentation and paper) has Skein performing much better and in the top ten.

We suspect that the adders in all the designs may not be properly optimized, although there may be other performance issues. If we can at least identify (or possibly even fix) the slowdowns in the design, it would be very helpful, both for our understanding and for Skein’s hardware profile. Even if we find that the designs are properly optimized, that would also be good to know.

A group at George Mason University led by Kris Gaj implemented all the second-round candidates in FPGA (presentation, paper, and much longer paper). Skein had the worst performance of any of the implementations. We’re looking for someone who can help us understand the design, and determine if it can be improved.

Another group, led by Stefan Tillich at University of Bristol, implemented all the candidates in 180 nm custom ASIC (presentation and paper). Here, Skein is one of the worst performers. We’re looking for someone who can help us understand what this group did.

Three other groups—one led by Patrick Schaumont of Virginia Tech (presentation and paper), another led by Shin’ichiro Matsuo at National Institute of Information and Communications Technology in Japan (presentation and paper), and a third led by Luca Henzen at ETH Zurich (paper with appendix, and conference version)—implemented the SHA-3 candidates. Again, we need help understanding how their Skein performance numbers are so different from ours.

We’re looking for people with FPGA and ASIC skills to work with the Skein team. We don’t have money to pay anyone; co-authorship on a paper (and a Skein polo shirt) is our primary reward. Please send me e-mail if you’re interested.

Posted on September 1, 2010 at 1:17 PM

More Skein News

Skein is my new hash function. Well, “my” is an overstatement; I’m one of the eight designers. It was submitted to NIST for their SHA-3 competition, and one of the 14 algorithms selected to advance to the second round. Here’s the Skein paper; source code is here. The Skein website is here.

Last week was the Second SHA-3 Candidate Conference. Lots of people presented papers on the candidates: cryptanalysis papers, implementation papers, performance comparisons, etc. There were two cryptanalysis papers on Skein. The first was by Kerry McKay and Poorvi L. Vora (presentation and paper). They tried to extend linear cryptanalysis to groups of bits to attack Threefish (the block cipher inside Skein). It was a nice analysis, but it didn’t get very far at all.

The second was a fantastic piece of cryptanalysis by Dmitry Khovratovich, Ivica Nikolić, and Christian Rechberger. They used a rotational rebound attack (presentation and paper) to mount a “known-key distinguisher attack” on 57 out of 72 Threefish rounds faster than brute force. It’s a new type of attack—some go so far as to call it an “observation”—and the community is still trying to figure out what it means. It only works if the attacker can manipulate both the plaintexts and the keys in a structured way. Against 57-round Threefish, it requires 2^503 work—barely better than brute force. And it only distinguishes reduced-round Threefish from a random permutation; it doesn’t actually recover any key bits.

Even with the attack, Threefish has a good security margin. Also, the attack doesn’t affect Skein. But changing one constant in the algorithm’s key schedule makes the attack impossible. NIST has said they’re allowing second-round tweaks, so we’re going to make the change. It won’t affect any performance numbers or obviate any other cryptanalytic results—but the best attack would be 33 out of 72 rounds.

Our update on Skein, which we presented at the conference, is here. All the other papers and presentations are here. (My 2008 essay on SHA-3 is here, and my 2009 update is here.) The second-round algorithms are: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. You can find details on all of them, as well as the current state of their cryptanalysis, here. NIST will select approximately five algorithms to go on to the third round by the end of the year.

In other news, we’re once again making Skein polo shirts available to the public. Those of you who attended either of the two SHA-3 conferences might have noticed the stylish black Skein polo shirts worn by the Skein team. Anyone who wants one is welcome to buy it, at cost. Details (with photos) are here. All orders must be received before October 1, and we’ll have all the shirts made in one batch.

Posted on September 1, 2010 at 6:01 AM

Third SHB Workshop

I’m at SHB 2010, the Third Interdisciplinary Workshop on Security and Human Behavior, at Cambridge University. This is a two-day gathering of computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others—all of whom are studying the human side of security—organized by Ross Anderson, Alessandro Acquisti, and myself.

Here is the program. The list of attendees contains links to readings from each of them—definitely a good place to browse for more information on this topic.

Here are links to my posts on the first and second SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops. I may liveblog this workshop—I did it last year—but I may just pay attention. Ross Anderson has liveblogged the previous two years, and is very likely to do so again. There will also be audio.

EDITED TO ADD (6/28): Ross is liveblogging the workshop here. I’m not; I find I pay better attention when I’m not trying to take coherent and accessible notes.

Posted on June 28, 2010 at 4:02 AM

Reading Me

The number of different ways to read my essays, commentaries, and links has grown recently. Here’s the rundown:

I think that about covers it for useful distribution formats right now.

EDITED TO ADD (6/20): One more; there’s a Crypto-Gram podcast.

Posted on June 15, 2010 at 1:05 PM

Another Scene from an Airport

I’ve gotten to the front of the security line at a different airport, and handed a different TSA officer my ID and ticket.

TSA Officer: (Looks everything over. Reads the name on my passport.) The Bruce Schneier?

Me: (Nods, managing not to say: “No no, just a Bruce Schneier; didn’t you hear I come in six-packs?”)

TSA Officer: The security expert?

Me: Yes.

TSA Officer: (Takes off his glove. Offers me his hand to shake.)

Me: (Shakes his hand.)

TSA Officer: I read your stuff all the time.

That’s twice in a row, after years of not being recognized by any TSA officer ever. This is starting to worry me.

Posted on May 28, 2010 at 12:00 PM

Scene from an Airport

I’ve gotten to the front of the security line and handed the TSA officer my ID and ticket.

TSA Officer: (Looks at my ticket. Looks at my ID. Looks at me. Smiles.)

Me: (Smiles back.)

TSA Officer: (Looks at my ID. Looks at me. Smiles.)

Me: (Tips hat. Smiles back.)

TSA Officer: A beloved name from the blogosphere.

Me: And I always thought that I slipped through these lines anonymously.

TSA Officer: Don’t worry. No one will notice. This isn’t the sort of job that rewards competence, you know.

Me: Have a good day.

Posted on May 24, 2010 at 2:29 PM
