Quo vadis cryptology?

SHA-3 Contest

7th International Workshop on the state of the art in cryptology and new challenges ahead

Warsaw, Poland

Monday-Tuesday, May 23-24, 2011

LORD Hotel (near the Warsaw Airport)
Street: Al. Krakowska 218
Warsaw, POLAND

Program:

Day 1:
May 23, 2011, 9:00-18:00
Battle of Algorithms

8:00 - 9:00  -  Registration

9:00 - 9:05  -  Welcome
  Kris Gaj
  George Mason University, USA

9:05 - 10:05  -  The SHA-3 Competition to Date
  Bill Burr
  USA

10:05 - 11:05  -  Quo Vadis BLAKE?
  Jean-Philippe Aumasson
  Nagravision SA, Switzerland

11:05 - 11:30  -  Coffee Break

11:30 - 12:30  -  Groestl
  Krystian Matusiewicz
  Intel, Poland

12:30 - 14:00  -  Lunch

14:00 - 15:00  -  Keccak
  Guido Bertoni
  STMicroelectronics, Italy

15:00 - 16:00  -  The SHA-3 Competition Through the Rebound Lens
  Christian Rechberger
  ENS, France

16:00 - 16:30  -  Coffee Break

16:30 - 18:00  -  Panel Discussion with the Participation of All Day 1 Speakers
  moderators:
  Kris Gaj, George Mason University, USA
  Arkadiusz Orłowski, Instytut Fizyki PAN & Katedra Informatyki SGGW, Warsaw, Poland
  Josef Pieprzyk, Macquarie University, Australia

Day 2:
May 24, 2011, 9:00-18:00
Comprehensive Evaluations

9:00 - 10:00  -  Security Evaluation of SHA-3 Candidates
  Josef Pieprzyk
  Macquarie University, Australia

10:00 - 11:00  -  Software Benchmarking of SHA-3 Candidates
  Daniel J. Bernstein
  University of Illinois at Chicago, USA
  Tanja Lange
  Technische Universiteit Eindhoven, Netherlands

11:00 - 11:30  -  Coffee Break

11:30 - 12:30  -  On XBX, the Extension of SUPERCOP-eBASH to Microcontrollers (with an Outlook Towards FPGAs)
  Christian Wenzel-Benner
  ITK Engineering AG, Germany
  Jens Gräf
  LiNetCo, Germany

12:30 - 14:00  -  Lunch

14:00 - 15:00  -  Comparing Hardware Performance of SHA-3 Candidates Using FPGAs
  Kris Gaj
  George Mason University, USA

15:00 - 16:00  -  50 Ways to Report the Performance of Your Circuit
  Frank K. Gurkaynak
  ETH Zurich, Switzerland

16:00 - 16:30  -  Coffee Break

16:30 - 18:00  -  Panel Discussion with the Participation of All Day 2 Speakers
  moderators:
  Karol Górski, Poland
  Krystian Matusiewicz, Intel, Poland
  Arkadiusz Orłowski, Instytut Fizyki PAN & Katedra Informatyki SGGW, Warsaw, Poland

Workshop Materials (password protected):

Quo Vadis 2011 - all presentations (one slide per page)

Quo Vadis 2011 - introductions of all speakers

Quo Vadis 2011 - informal workshop proceedings (separate documents, two slides per page)

Quo Vadis 2011 - informal workshop proceedings (one document, two slides per page)


Location & fees:

Location:
LORD Hotel (near the Warsaw Airport)
Street: Al. Krakowska 218
WARSAW, POLAND

Workshop fee (including lecture notes):

Polish participants:
regular fee:  800 PLN + 23% VAT = 984 PLN
student fee:  200 PLN + 23% VAT = 246 PLN

Foreign participants:
regular fee:  200 EUR + 23% VAT = 246 EUR
student fee:  100 EUR + 23% VAT = 123 EUR

Payment method:
by cash (in Polish currency or Euro) at the workshop,
or by money transfer ahead of the workshop.

Pre-registration:
In order to pre-register, please send an e-mail including your
first name, last name, and affiliation to kgaj@gmu.edu

Accommodation:
Please contact hotel LORD
tel: (48 22) 574 20 20,
fax: (48 22) 574 21 21,
e-mail: okecie@hotellord.com.pl

Approximate prices and on-line reservation

You can also consider other hotels in the Warsaw airport area.

Visas:
Citizens of the following countries may travel to Poland for tourism and business purposes without a visa if the planned stay in Poland does not exceed 90 days:

Andorra, Argentina, Austria, Australia, Belgium, Bolivia, Brazil, Brunei, Bulgaria, Canada, Chile, Costa Rica, Croatia, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Greece, Germany, Guatemala, Honduras, Hong Kong, Hungary, Iceland, Ireland, Israel, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Macao, Malaysia, Malta, Mexico, Monaco, Netherlands, Nicaragua, Norway, New Zealand, Panama, Portugal, Romania, Salvador, San Marino, Singapore, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, United Kingdom, United States of America, Uruguay, Vatican, Venezuela.

Citizens from other countries not enumerated on the list above need to have a visa when visiting Poland.

Organizer:
ENIGMA Information Security Systems Sp. z o.o.
Jutrzenki Street 116
02-230 Warsaw, POLAND
http://www.enigma.com.pl  (in Polish)
phone: (+48 22) 570 57 10, fax: (+48 22) 570 57 15

Program Committee:

Kris Gaj, George Mason University, USA
Arkadiusz Orłowski, Instytut Fizyki PAN & Katedra Informatyki SGGW, Warsaw, Poland
Josef Pieprzyk, Macquarie University, Sydney, Australia

Local Organizing Committee:

Paweł Luksic, ENIGMA Information Security Systems, Warsaw, Poland
Arkadiusz Orłowski, Instytut Fizyki PAN & Katedra Informatyki SGGW, Warsaw, Poland


Abstracts: 

The SHA-3 Competition to Date
Bill Burr
USA


In early 2004 NIST felt that it was ready for the future with a family of new, stronger, standardized “SHA-2” hash functions that should account for improvements in computer performance and be secure as far into the future as the eye could see. But in 2004 and 2005 the dramatic results of Xiaoyun Wang and her colleagues, who found collisions on MD4, MD5, and SHA-0, as well as an apparent attack on SHA-1 (all fairly direct precursors to SHA-2), shook confidence in SHA-1 and SHA-2, and led NIST to announce the SHA-3 competition in 2007 to select a new Federal hash function standard. This competition, as this workshop shows, has caught the attention of the cryptologic research community. In this talk we review the progress of that competition, its rationale and rules, review the recent selection of five finalist candidate algorithms, and review where we go from here.

The SHA-3 Competition Through the Rebound Lens
Christian Rechberger
ENS, France


After the MD5 disaster and related breakthroughs in hash cryptanalysis, the cryptologic community as well as practitioners are searching for a trustworthy next generation hash function standard. This culminated in a large international multi-year effort, the SHA-3 competition, planned to end in 2012. In this talk we survey the remaining candidates in this competition and discuss how this competition led to a new way of doing hash cryptanalysis: the rebound attack. AES-like proposals were first targets because of their simplicity. Recently we started to apply this method also to very different constructions, and consistently get results that beat the best known attacks. We survey those results, and comment on their impact on the outcome of the SHA-3 competition.

Security Evaluation of SHA-3 Candidates
Josef Pieprzyk
Macquarie University, Australia

The talk presents the events that led to the announcement of the SHA-3 competition and its terms of reference. The results of stages 1 and 2 are discussed. The emphasis, however, will be placed on the overview of the security analysis of the 5 finalists, namely, Blake, Groestl, JH, Keccak, and Skein. The talk concludes with remarks about future research in the field of hash functions.

Software Benchmarking of SHA-3 Candidates
Daniel Bernstein
University of Illinois at Chicago, USA
Tanja Lange
Technische Universiteit Eindhoven, Netherlands

The eBACS project (ECRYPT Benchmarking of Cryptographic Systems) includes eBASH (ECRYPT Benchmarking of All Submitted Hashes), which has carefully measured the speed of 564 state-of-the-art software implementations of 91 different hash functions on 100 different computers. NIST's SHA-3 finalist selection report labelled eBASH as the "primary contributor" to NIST's software speed evaluations. This talk will review the context and accomplishments of eBASH and look to the future, with a particular emphasis on the SHA-3 finalists.

On XBX, the Extension of SUPERCOP-eBASH to Microcontrollers (with an Outlook Towards FPGAs)
Christian Wenzel-Benner
ITK Engineering AG, Germany
Jens Gräf
LiNetCo, Germany

NIST stated that performance on "small devices" would be an important selection criterion for SHA-3. However, in round 1 of the SHA-3 competition there was no comprehensive benchmarking method for small devices such as microcontrollers. XBX is an extension of eBASH to microcontrollers. This talk will review the history of XBX, the status quo, and current SHA-3 finalist benchmarking results, and give an outlook on the possible application of XBX to FPGAs.

Comparing Hardware Performance of SHA-3 Candidates Using FPGAs
Kris Gaj
George Mason University, USA

In this talk we present a comprehensive comparison of all Round 3 SHA-3 candidates and the current standard SHA-2 from the point of view of hardware performance in modern FPGAs. Each algorithm has been implemented using multiple architectures based on the concepts of folding, unrolling, and pipelining. Trade-offs between speed and area are investigated, and the best architecture from the point of view of the throughput to area ratio is identified. Finally, all algorithms are ranked based on their overall performance, and the characteristic features of each algorithm important from the point of view of its implementation in hardware are identified.
ATHENa (Automated Tool for Hardware EvaluatioN) - a benchmarking environment for fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages (such as VHDL and Verilog) - will be discussed. Additionally, the review of benchmarking methodologies and FPGA results reported by other groups, for both high-speed and low-area implementations will be provided.

50 Ways to Report the Performance of Your Circuit
Frank K. Gurkaynak
ETH Zurich, Switzerland

The priorities of IC designers in the research community and in industry differ considerably. While the research community is interested in discovering the extremes of the performance envelope, the industry focuses on ensuring that the IC design meets performance expectations under all working conditions. Unfortunately for the research community, the design tools are developed with the needs of the industry in mind. As a result, the research community faces a steep challenge when they need to examine several alternative algorithms and determine which one is the "best". The SHA-3 selection process is a very good example of such a challenge. In this talk, based on our experiences in compiling benchmark results, we will discuss why it is so difficult to determine performance numbers for digital IC designs reliably.


Speaker bios: 

Bill Burr
USA

Bill Burr managed the NIST Cryptographic Technology Group for a decade prior to his retirement at the end of 2010.  He organized and led the SHA-3 competition through the selection of five “finalist” algorithms.  The Cryptographic Technology Group does Federal Information Processing Standards and recommendations for the use of cryptography by the US Federal Government, which have a significant effect on the cryptography used internationally to protect electronic commerce.  Bill joined NIST in 1978 to work on computer peripheral interface and high speed local area network standards, and since 1990 he has worked in the Computer Security Division on standards for PKI and cryptography. Bill was the lead author of the influential NIST Special Publication 800-63 which gives technical guidance on authentication to Federal agencies implementing Internet E-Government services.  Bill chaired the Federal Public Key Infrastructure Technical Working Group for about a decade and led the final selection round of the Advanced Encryption Standard (AES).

Jean-Philippe Aumasson
Nagravision SA, Switzerland

Jean-Philippe Aumasson is a cryptographer at Nagravision, a world leader in digital security and conditional access systems. He received a PhD from EPFL in 2009 and authored several research papers in the field of cryptanalysis. He is principal submitter of the hash function BLAKE, one of the five candidates in NIST's SHA-3 competition.  He was awarded several cryptanalysis prizes, and co-discovered new attack methods such as cube testers, zero-sum attacks, and tuple attacks.

Krystian Matusiewicz
Intel, Poland

Krystian Matusiewicz received BSc and MSc degrees in mathematics from the Catholic University of Lublin, Poland. His MSc thesis won the competition for the best Polish thesis in cryptography and information security organized by ENIGMA ISS in 2002. In 2004 he received a PhD scholarship at Macquarie University, Sydney. His PhD research was focused on the analysis of dedicated cryptographic hash functions. After finishing his thesis in 2007 he worked as a research fellow at Macquarie University. In February 2008 he joined the Technical University of Denmark as a postdoctoral researcher. During that time he was involved in the design of Grøstl and the analysis of other SHA-3 candidates. Since August 2010 he has been employed as a software engineer by Intel Poland.

In addition to the design and analysis of cryptographic algorithms, he is also interested in broader problems of practical computer security and enjoys everything that has an algorithmic flavour to it.

Krystian serves as a reviewer for a number of cryptographic journals and conferences, including program committee membership of ACISP 2010 and 2011. 

Guido Bertoni
STMicroelectronics, Italy

Guido Bertoni is a cryptographer, part of the security team of the corporate R&D of ST. He obtained a degree in computer science engineering and a PhD from Politecnico di Milano. His research interests are focused on cryptographic algorithms, their implementation, and secure implementation against side channel attacks. He has been a contract professor at Politecnico di Milano and has actively participated in workshops and conferences such as CHES and FDTC as a member of the program committee.

Christian Rechberger
ENS, France

Christian Rechberger is currently a postdoctoral researcher at ENS Paris. He obtained his PhD at Graz University of Technology, Austria, with Vincent Rijmen, the developer of the Advanced Encryption Standard (AES), as advisor. His research interests span various topics in IT security, cryptography, and algorithms, including the design and analysis of cryptographic primitives, RFID security, and efficient implementations. Rechberger is known for his work on the international standard SHA-1, is co-developer of the rebound attack and co-designer of Grindahl and the SHA-3 finalist Grøstl, and is leading the hash function working group within the ECRYPT network of excellence.

Josef Pieprzyk
Macquarie University, Australia

Josef Pieprzyk received a BSc in electrical engineering from the Academy of Technology in Bydgoszcz, Poland, an MSc in mathematics from Nicolaus Copernicus University of Toruń, Poland, and a PhD degree in computer science from the Polish Academy of Sciences, Warsaw, Poland. He is a Professor in the Department of Computing, Macquarie University, Sydney, Australia. His research interests include computer network security, database security, design and analysis of cryptographic algorithms, algebraic analysis of block and stream ciphers, theory of cryptographic protocols, secret sharing schemes, threshold cryptography, copyright protection, e-Commerce and Web security. Professor Pieprzyk is a member of the editorial boards of the International Journal of Information Security (Springer-Verlag), Journal of Mathematical Cryptology (W de Gruyter), International Journal of Security and Networks, and International Journal of Information and Computer Security. He is a member of IACR. Josef Pieprzyk has published 5 books, edited 15 books (conference proceedings published by Springer-Verlag), 5 book chapters, and ~250 papers in refereed journals and refereed international conferences. He has led a group of 22 research students to successful completion of their PhDs.

Daniel J. Bernstein
University of Illinois at Chicago, USA

Daniel J. Bernstein is a Research Professor in the Department of Computer Science at the University of Illinois at Chicago. He is running the ECRYPT Benchmarking of Cryptographic Systems project together with Tanja Lange. He is the author of two of the Internet's most popular server software packages, djbdns and qmail, and the lead developer of a new easy-to-use public-domain software library for high-speed cryptography. His current mission is to cryptographically protect every Internet packet.

Tanja Lange
Technische Universiteit Eindhoven, Netherlands

Tanja Lange received her PhD in mathematics from the University of Essen. In 2006 she joined Technische Universiteit Eindhoven as Full Professor. She has published more than 50 research papers bridging the gaps between algebraic geometry, theoretical cryptography, and real-world information protection. She is an expert on curve-based cryptography and post-quantum cryptography. She is on the editorial board for 2 journals and serves on 3 steering committees, including the workshop series on Post-Quantum Cryptography. She has organized around 20 conferences and workshops, and has served on more than 40 program committees. She co-leads the Virtual Applications and Implementations Research (VAMPIRE) lab in the European Network of Excellence in Cryptography.

Christian Wenzel-Benner
ITK Engineering AG, Germany

Christian Wenzel-Benner graduated from Berufsakademie Stuttgart in 2002 with a BSc in computer engineering. He joined Bosch to work with automotive microcontrollers, in close cooperation with Texas Instruments and ARM. In 2007 he joined ITK Engineering, a software- and systems-engineering company, as a senior engineer for embedded development and obtained an MSc from Brunel University West London in 2008. Together with Jens Gräf he started the XBX extension project for SUPERCOP in 2009 where he is responsible for hardware design and most of the embedded software.

Jens Gräf
LiNetCo, Germany

Jens Gräf obtained an MSc in engineering cybernetics from Stuttgart University in 2006. He is a certified Linux professional and specializes in software design and test. Working as a self-employed software engineer, he has been designing and implementing technical software since the late 1990s, later becoming co-founder and managing partner of LiNetCo, a company specialising in process telemetry systems. On the XBX project his responsibilities cover most of the PC-side scripts and databases, as well as continuous integration testing and system architecture.

Kris Gaj
George Mason University, USA

Kris Gaj received the M.Sc. and Ph.D. degrees in Electrical Engineering from Warsaw University of Technology in Warsaw, Poland. He was a co-founder of Enigma, a Polish company that develops practical software and hardware cryptographic applications used by major Polish banks. In 1998, he joined George Mason University, where he currently works as an Associate Professor, doing research and teaching courses in the area of cryptographic engineering and reconfigurable computing. His research projects center on benchmarking cryptographic algorithms in FPGAs, development of novel benchmarking tools and methodologies, and new hardware architectures for secret key ciphers, hash functions, public key cryptosystems, and factoring. He has been a member of the Program Committees of CHES, CryptArchi, and Quo Vadis Cryptology workshops; a General Co-chair of CHES 2008 in Washington D.C., and a Program Co-chair of CHES 2009 in Lausanne, Switzerland. He is an author of a book on breaking the German Enigma cipher during World War II, and a co-author of the book Cryptographic Engineering.

Frank K. Gurkaynak
ETH Zurich, Switzerland

Frank K. Gurkaynak was born in Istanbul, and obtained his B.Sc. and M.Sc. degrees from the Electrical and Electronics Engineering Department of Istanbul Technical University. He was with the Signal Processing Laboratory (formerly C3i) of EPFL in 1997 and later started his Ph.D. studies at the Electrical and Computer Engineering department of Worcester Polytechnic Institute, working with the Analog / Digital Microelectronics Group. He worked at the Integrated Systems Laboratory (IIS) of ETH Zurich from 2000 till 2006 and completed his Ph.D. there. He worked as a postdoctoral researcher at the Integrated Systems Laboratory (LSI) and Microelectronic Systems Laboratory (LSM) of EPFL until June 2008. Currently he is employed by the Microelectronics Design Center of ETH Zurich. His research interests include design of VLSI systems, full-custom design, globally-asynchronous locally-synchronous systems, cryptography, and Lab-on-Chip systems.


Speakers' Professional Web Pages:

 Jean-Philippe Aumasson

 Christian Rechberger

 Josef Pieprzyk

 Daniel J. Bernstein

 Tanja Lange

 Kris Gaj

 Frank K. Gurkaynak


Useful Links:

 NIST Cryptographic Hash Algorithm Competition

 NIST Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition


 BLAKE - Submitter's Website

 Grøstl - Submitter's Website

 JH - Submitter's Website

 Keccak - Submitter's Website

 Skein - Submitter's Website


 eBACS: ECRYPT Benchmarking of Cryptographic Systems

 eBASH: ECRYPT Benchmarking of All Submitted Hashes

 XBX: eXternal Benchmarking eXtension

 ATHENa: Automated Tool for Hardware EvaluatioN

 ATHENa Results Database

 Hash 2011 - ECRYPT II Hash Workshop 2011


 Sixth Workshop “Quo vadis cryptology?” - Hash Functions and Stream Ciphers, Warsaw, May 2008

 Fifth Workshop “Quo vadis cryptology?” - Threat of Side-Channel Attacks, Warsaw, May 2007

 Fourth Workshop “Quo vadis cryptology?” - The Future of Financial and Critical Data Security, Warsaw, May 2006

 Third Workshop “Quo vadis cryptology?” - Advances in Cryptanalysis, Warsaw, May 2005

 Second Workshop “Quo vadis cryptology?” - AES Under Attack: Designing Secure Ciphers and the Challenge of Algebraic Attacks, Warsaw, May 2004