1 2 symmetric crypto part 2 client d j bernstein
play

1 2 Symmetric crypto, part 2 client D. J. - PowerPoint PPT Presentation

Oct 13, 2023 •278 likes •2.03k views

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

  1. 3 4 objectives Easy encryption mechanism: Last time: For each message Assume 30-digit messages. compute authenticator Assume client, server know using another secret number. ciphertexts. secret 30-digit numbers Sender attaches authenticato seeing t 1 to use for message 1; to message before sending it. out t 2 to use for message 2; Receiver checks authenticato can see t 3 to use for message 3; etc. This protects integrity. timing.) C 1 = ( m 1 + t 1 ) mod 10 30 ; objectives. C 2 = ( m 2 + t 2 ) mod 10 30 ; C 3 = ( m 3 + t 3 ) mod 10 30 ; etc. slow, CPU. This protects confidentiality. lost. AES-GCM, ChaCha20-Poly1305 . work this way, scaled up to groups larger than Z = 10 30 .

  2. 4 5 Easy encryption mechanism: Last time: For each message Assume 30-digit messages. compute authenticator Assume client, server know using another secret number. secret 30-digit numbers Sender attaches authenticator t 1 to use for message 1; to message before sending it. t 2 to use for message 2; Receiver checks authenticator. t 3 to use for message 3; etc. This protects integrity. C 1 = ( m 1 + t 1 ) mod 10 30 ; C 2 = ( m 2 + t 2 ) mod 10 30 ; C 3 = ( m 3 + t 3 ) mod 10 30 ; etc. This protects confidentiality. AES-GCM, ChaCha20-Poly1305 work this way, scaled up to groups larger than Z = 10 30 .

  3. 4 5 Easy encryption mechanism: Last time: For each message Assume 30-digit messages. compute authenticator Assume client, server know using another secret number. secret 30-digit numbers Sender attaches authenticator t 1 to use for message 1; to message before sending it. t 2 to use for message 2; Receiver checks authenticator. t 3 to use for message 3; etc. This protects integrity. C 1 = ( m 1 + t 1 ) mod 10 30 ; Details use multiplications. C 2 = ( m 2 + t 2 ) mod 10 30 ; AES-GCM, ChaCha20-Poly1305 C 3 = ( m 3 + t 3 ) mod 10 30 ; etc. work this way, again scaled up. This protects confidentiality. AES-GCM, ChaCha20-Poly1305 work this way, scaled up to groups larger than Z = 10 30 .

  4. 4 5 Easy encryption mechanism: Last time: For each message Assume 30-digit messages. compute authenticator Assume client, server know using another secret number. secret 30-digit numbers Sender attaches authenticator t 1 to use for message 1; to message before sending it. t 2 to use for message 2; Receiver checks authenticator. t 3 to use for message 3; etc. This protects integrity. C 1 = ( m 1 + t 1 ) mod 10 30 ; Details use multiplications. C 2 = ( m 2 + t 2 ) mod 10 30 ; AES-GCM, ChaCha20-Poly1305 C 3 = ( m 3 + t 3 ) mod 10 30 ; etc. work this way, again scaled up. This protects confidentiality. This would be the whole picture AES-GCM, ChaCha20-Poly1305 if client, server started with work this way, scaled up to enough secret random numbers. groups larger than Z = 10 30 .

  5. 4 5 encryption mechanism: Last time: For each message AES expands Assume 30-digit messages. compute authenticator into F ( k Assume client, server know using another secret number. simulating 30-digit numbers secrets r Sender attaches authenticator use for message 1; to message before sending it. use for message 2; Receiver checks authenticator. use for message 3; etc. This protects integrity. m 1 + t 1 ) mod 10 30 ; Details use multiplications. m 2 + t 2 ) mod 10 30 ; AES-GCM, ChaCha20-Poly1305 m 3 + t 3 ) mod 10 30 ; etc. work this way, again scaled up. rotects confidentiality. This would be the whole picture AES-GCM, ChaCha20-Poly1305 if client, server started with this way, scaled up to enough secret random numbers. larger than Z = 10 30 .

  6. 4 5 mechanism: Last time: For each message AES expands 256-bit messages. compute authenticator into F ( k; 1) ; F ( k; 2) server know using another secret number. simulating many indep numbers secrets r; s 1 ; t 1 ; : : : Sender attaches authenticator message 1; to message before sending it. message 2; Receiver checks authenticator. message 3; etc. This protects integrity. mod 10 30 ; Details use multiplications. mod 10 30 ; AES-GCM, ChaCha20-Poly1305 mod 10 30 ; etc. work this way, again scaled up. confidentiality. This would be the whole picture ChaCha20-Poly1305 if client, server started with caled up to enough secret random numbers. than Z = 10 30 .

  7. 4 5 mechanism: Last time: For each message AES expands 256-bit secret messages. compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. Receiver checks authenticator. etc. This protects integrity. Details use multiplications. AES-GCM, ChaCha20-Poly1305 etc. work this way, again scaled up. confidentiality. This would be the whole picture oly1305 if client, server started with to enough secret random numbers. .

  8. 5 6 Last time: For each message AES expands 256-bit secret k compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. Receiver checks authenticator. This protects integrity. Details use multiplications. AES-GCM, ChaCha20-Poly1305 work this way, again scaled up. This would be the whole picture if client, server started with enough secret random numbers.

  9. 5 6 Last time: For each message AES expands 256-bit secret k compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. ChaCha20 also does this, Receiver checks authenticator. using a different function F . This protects integrity. Details use multiplications. AES-GCM, ChaCha20-Poly1305 work this way, again scaled up. This would be the whole picture if client, server started with enough secret random numbers.

  10. 5 6 Last time: For each message AES expands 256-bit secret k compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. ChaCha20 also does this, Receiver checks authenticator. using a different function F . This protects integrity. Definition of PRG Details use multiplications. (“pseudorandom generator”): AES-GCM, ChaCha20-Poly1305 Attacker can’t distinguish work this way, again scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent This would be the whole picture uniform random blocks. if client, server started with enough secret random numbers.

  11. 5 6 Last time: For each message AES expands 256-bit secret k compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. ChaCha20 also does this, Receiver checks authenticator. using a different function F . This protects integrity. Definition of PRG Details use multiplications. (“pseudorandom generator”): AES-GCM, ChaCha20-Poly1305 Attacker can’t distinguish work this way, again scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent This would be the whole picture uniform random blocks. if client, server started with enough secret random numbers. Warning: “pseudorandom” has many other meanings.

  12. 5 6 time: For each message AES expands 256-bit secret k PRF (“pseudo compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker another secret number. simulating many independent F ( k; 1) ; F secrets r; s 1 ; t 1 ; : : : . independent Sender attaches authenticator blocks, given message before sending it. ChaCha20 also does this, that returns Receiver checks authenticator. using a different function F . Server is rotects integrity. Definition of PRG Details use multiplications. (“pseudorandom generator”): AES-GCM, ChaCha20-Poly1305 Attacker can’t distinguish this way, again scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent ould be the whole picture uniform random blocks. client, server started with enough secret random numbers. Warning: “pseudorandom” has many other meanings.

  13. 5 6 each message AES expands 256-bit secret k PRF (“pseudorandom into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish authenticator secret number. simulating many independent F ( k; 1) ; F ( k; 2) ; F ( secrets r; s 1 ; t 1 ; : : : . independent uniform authenticator blocks, given access re sending it. ChaCha20 also does this, that returns F ( k; i authenticator. using a different function F . Server is called an integrity. Definition of PRG multiplications. (“pseudorandom generator”): ChaCha20-Poly1305 Attacker can’t distinguish again scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent the whole picture uniform random blocks. started with random numbers. Warning: “pseudorandom” has many other meanings.

  14. 5 6 essage AES expands 256-bit secret k PRF (“pseudorandom function”): into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish er. simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : secrets r; s 1 ; t 1 ; : : : . independent uniform random authenticator blocks, given access to a server it. ChaCha20 also does this, that returns F ( k; i ) given i . authenticator. using a different function F . Server is called an oracle . Definition of PRG multiplications. (“pseudorandom generator”): oly1305 Attacker can’t distinguish scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent picture uniform random blocks. with numbers. Warning: “pseudorandom” has many other meanings.

  15. 6 7 AES expands 256-bit secret k PRF (“pseudorandom function”): into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from secrets r; s 1 ; t 1 ; : : : . independent uniform random blocks, given access to a server ChaCha20 also does this, that returns F ( k; i ) given i . using a different function F . Server is called an oracle . Definition of PRG (“pseudorandom generator”): Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent uniform random blocks. Warning: “pseudorandom” has many other meanings.

  16. 6 7 AES expands 256-bit secret k PRF (“pseudorandom function”): into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from secrets r; s 1 ; t 1 ; : : : . independent uniform random blocks, given access to a server ChaCha20 also does this, that returns F ( k; i ) given i . using a different function F . Server is called an oracle . Definition of PRG PRP (“ : : : permutation”): (“pseudorandom generator”): Attacker can’t distinguish Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random from string of independent distinct blocks, given oracle. uniform random blocks. Warning: “pseudorandom” has many other meanings.

  17. 6 7 AES expands 256-bit secret k PRF (“pseudorandom function”): into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from secrets r; s 1 ; t 1 ; : : : . independent uniform random blocks, given access to a server ChaCha20 also does this, that returns F ( k; i ) given i . using a different function F . Server is called an oracle . Definition of PRG PRP (“ : : : permutation”): (“pseudorandom generator”): Attacker can’t distinguish Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random from string of independent distinct blocks, given oracle. uniform random blocks. If block size is big then Warning: “pseudorandom” PRP ⇒ PRF ⇒ PRG. has many other meanings.

  18. 6 7 expands 256-bit secret k PRF (“pseudorandom function”): Small blo ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish PRF prop simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application r; s 1 ; t 1 ; : : : . independent uniform random blocks, given access to a server ChaCha20 also does this, that returns F ( k; i ) given i . a different function F . Server is called an oracle . Definition of PRG PRP (“ : : : permutation”): (“pseudorandom generator”): Attacker can’t distinguish er can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random string of independent distinct blocks, given oracle. random blocks. If block size is big then rning: “pseudorandom” PRP ⇒ PRF ⇒ PRG. many other meanings.

  19. 6 7 256-bit secret k PRF (“pseudorandom function”): Small block sizes a ; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish PRF property fails, independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security : : . independent uniform random blocks, given access to a server does this, that returns F ( k; i ) given i . function F . Server is called an oracle . PRG PRP (“ : : : permutation”): generator”): Attacker can’t distinguish distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : F ( k; 3) ; : : : from independent uniform random independent distinct blocks, given oracle. blocks. If block size is big then “pseudorandom” PRP ⇒ PRF ⇒ PRG. meanings.

  20. 6 7 secret k PRF (“pseudorandom function”): Small block sizes are dangerous. 3) ; : : : Attacker can’t distinguish PRF property fails, and often endent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random blocks, given access to a server that returns F ( k; i ) given i . F . Server is called an oracle . PRP (“ : : : permutation”): r”): Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : : : from independent uniform random endent distinct blocks, given oracle. If block size is big then random” PRP ⇒ PRF ⇒ PRG.

  21. 7 8 PRF (“pseudorandom function”): Small block sizes are dangerous. Attacker can’t distinguish PRF property fails, and often F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random blocks, given access to a server that returns F ( k; i ) given i . Server is called an oracle . PRP (“ : : : permutation”): Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random distinct blocks, given oracle. If block size is big then PRP ⇒ PRF ⇒ PRG.

  22. 7 8 PRF (“pseudorandom function”): Small block sizes are dangerous. Attacker can’t distinguish PRF property fails, and often F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random e.g. 2016 Bhargavan–Leurent blocks, given access to a server sweet32.info : Triple-DES that returns F ( k; i ) given i . broken in TLS. Same attack Server is called an oracle . also breaks small block sizes PRP (“ : : : permutation”): in NSA’s Simon, Speck. Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random distinct blocks, given oracle. If block size is big then PRP ⇒ PRF ⇒ PRG.

  23. 7 8 PRF (“pseudorandom function”): Small block sizes are dangerous. Attacker can’t distinguish PRF property fails, and often F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random e.g. 2016 Bhargavan–Leurent blocks, given access to a server sweet32.info : Triple-DES that returns F ( k; i ) given i . broken in TLS. Same attack Server is called an oracle . also breaks small block sizes PRP (“ : : : permutation”): in NSA’s Simon, Speck. Attacker can’t distinguish AES block size: 128 bits. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : PRF attack chance ≈ q 2 = 2 129 from independent uniform random if AES is used for q blocks. distinct blocks, given oracle. Is this safe? How big is q ? If block size is big then PRP ⇒ PRF ⇒ PRG.

  24. 7 8 PRF (“pseudorandom function”): Small block sizes are dangerous. Attacker can’t distinguish PRF property fails, and often F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random e.g. 2016 Bhargavan–Leurent blocks, given access to a server sweet32.info : Triple-DES that returns F ( k; i ) given i . broken in TLS. Same attack Server is called an oracle . also breaks small block sizes PRP (“ : : : permutation”): in NSA’s Simon, Speck. Attacker can’t distinguish AES block size: 128 bits. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : PRF attack chance ≈ q 2 = 2 129 from independent uniform random if AES is used for q blocks. distinct blocks, given oracle. Is this safe? How big is q ? If block size is big then ChaCha20 block size: 512 bits. PRP ⇒ PRF ⇒ PRG.

  25. 7 8 (“pseudorandom function”): Small block sizes are dangerous. Can prove er can’t distinguish PRF property fails, and often integrity 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. ChaCha20-P endent uniform random AES and e.g. 2016 Bhargavan–Leurent cks, given access to a server sweet32.info : Triple-DES returns F ( k; i ) given i . broken in TLS. Same attack is called an oracle . also breaks small block sizes (“ : : : permutation”): in NSA’s Simon, Speck. er can’t distinguish AES block size: 128 bits. 1) ; F ( k; 2) ; F ( k; 3) ; : : : PRF attack chance ≈ q 2 = 2 129 independent uniform random if AES is used for q blocks. distinct blocks, given oracle. Is this safe? How big is q ? ck size is big then ChaCha20 block size: 512 bits. PRF ⇒ PRG.

  26. 7 8 random function”): Small block sizes are dangerous. Can prove confidentialit distinguish PRF property fails, and often integrity of AES-GCM F ( k; 3) ; : : : from application security fails. ChaCha20-Poly1305 uniform random AES and ChaCha20 e.g. 2016 Bhargavan–Leurent access to a server sweet32.info : Triple-DES ; i ) given i . broken in TLS. Same attack an oracle . also breaks small block sizes ermutation”): in NSA’s Simon, Speck. distinguish AES block size: 128 bits. F ( k; 3) ; : : : PRF attack chance ≈ q 2 = 2 129 endent uniform random if AES is used for q blocks. given oracle. Is this safe? How big is q ? big then ChaCha20 block size: 512 bits. PRG.

  27. 7 8 function”): Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and : : from application security fails. ChaCha20-Poly1305 assuming random AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent erver sweet32.info : Triple-DES i . broken in TLS. Same attack also breaks small block sizes ermutation”): in NSA’s Simon, Speck. AES block size: 128 bits. : : PRF attack chance ≈ q 2 = 2 129 random if AES is used for q blocks. racle. Is this safe? How big is q ? ChaCha20 block size: 512 bits.

  28. 8 9 Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent sweet32.info : Triple-DES broken in TLS. Same attack also breaks small block sizes in NSA’s Simon, Speck. AES block size: 128 bits. PRF attack chance ≈ q 2 = 2 129 if AES is used for q blocks. Is this safe? How big is q ? ChaCha20 block size: 512 bits.

  29. 8 9 Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent sweet32.info : Triple-DES Generalization: Prove security broken in TLS. Same attack of M ( F ) assuming cipher F is a also breaks small block sizes PRF. M is a mode of use of F . in NSA’s Simon, Speck. AES block size: 128 bits. PRF attack chance ≈ q 2 = 2 129 if AES is used for q blocks. Is this safe? How big is q ? ChaCha20 block size: 512 bits.

  30. 8 9 Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent sweet32.info : Triple-DES Generalization: Prove security broken in TLS. Same attack of M ( F ) assuming cipher F is a also breaks small block sizes PRF. M is a mode of use of F . in NSA’s Simon, Speck. Good modes: CTR (“counter AES block size: 128 bits. mode”), CBC, OFB, many more. PRF attack chance ≈ q 2 = 2 129 Bad modes: ECB, many more. if AES is used for q blocks. Is this safe? How big is q ? ChaCha20 block size: 512 bits.

  31. 8 9 Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent sweet32.info : Triple-DES Generalization: Prove security broken in TLS. Same attack of M ( F ) assuming cipher F is a also breaks small block sizes PRF. M is a mode of use of F . in NSA’s Simon, Speck. Good modes: CTR (“counter AES block size: 128 bits. mode”), CBC, OFB, many more. PRF attack chance ≈ q 2 = 2 129 Bad modes: ECB, many more. if AES is used for q blocks. Mode that claimed proof Is this safe? How big is q ? but was recently broken: OCB2. ChaCha20 block size: 512 bits. Have to check proofs carefully!

  32. 8 9 block sizes are dangerous. Can prove confidentiality and How do roperty fails, and often integrity of AES-GCM and ChaCha20 application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. 2016 Bhargavan–Leurent sweet32.info : Triple-DES Generalization: Prove security in TLS. Same attack of M ( F ) assuming cipher F is a eaks small block sizes PRF. M is a mode of use of F . NSA’s Simon, Speck. Good modes: CTR (“counter block size: 128 bits. mode”), CBC, OFB, many more. attack chance ≈ q 2 = 2 129 Bad modes: ECB, many more. is used for q blocks. Mode that claimed proof safe? How big is q ? but was recently broken: OCB2. ChaCha20 block size: 512 bits. Have to check proofs carefully!

  33. 8 9 sizes are dangerous. Can prove confidentiality and How do we know that fails, and often integrity of AES-GCM and ChaCha20 are PRFs? security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. rgavan–Leurent Triple-DES Generalization: Prove security Same attack of M ( F ) assuming cipher F is a small block sizes PRF. M is a mode of use of F . Simon, Speck. Good modes: CTR (“counter 128 bits. mode”), CBC, OFB, many more. chance ≈ q 2 = 2 129 Bad modes: ECB, many more. r q blocks. Mode that claimed proof w big is q ? but was recently broken: OCB2. size: 512 bits. Have to check proofs carefully!

  34. 8 9 dangerous. Can prove confidentiality and How do we know that AES an often integrity of AES-GCM and ChaCha20 are PRFs? We don’t. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. rgavan–Leurent -DES Generalization: Prove security attack of M ( F ) assuming cipher F is a sizes PRF. M is a mode of use of F . Good modes: CTR (“counter mode”), CBC, OFB, many more. 2 129 Bad modes: ECB, many more. cks. Mode that claimed proof but was recently broken: OCB2. bits. Have to check proofs carefully!

  35. 9 10 Can prove confidentiality and How do we know that AES and integrity of AES-GCM and ChaCha20 are PRFs? We don’t. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. Generalization: Prove security of M ( F ) assuming cipher F is a PRF. M is a mode of use of F . Good modes: CTR (“counter mode”), CBC, OFB, many more. Bad modes: ECB, many more. Mode that claimed proof but was recently broken: OCB2. Have to check proofs carefully!

  36. 9 10 Can prove confidentiality and How do we know that AES and integrity of AES-GCM and ChaCha20 are PRFs? We don’t. ChaCha20-Poly1305 assuming We conjecture security AES and ChaCha20 are PRFs. after enough failed attack efforts. Generalization: Prove security “All of these attacks fail and we of M ( F ) assuming cipher F is a don’t have better attack ideas.” PRF. M is a mode of use of F . Good modes: CTR (“counter mode”), CBC, OFB, many more. Bad modes: ECB, many more. Mode that claimed proof but was recently broken: OCB2. Have to check proofs carefully!

  37. 9 10 Can prove confidentiality and How do we know that AES and integrity of AES-GCM and ChaCha20 are PRFs? We don’t. ChaCha20-Poly1305 assuming We conjecture security AES and ChaCha20 are PRFs. after enough failed attack efforts. Generalization: Prove security “All of these attacks fail and we of M ( F ) assuming cipher F is a don’t have better attack ideas.” PRF. M is a mode of use of F . Remaining slides today: Good modes: CTR (“counter • Simple example of block cipher. mode”), CBC, OFB, many more. Seems to be a good cipher, Bad modes: ECB, many more. except block size is too small. Mode that claimed proof • Variants of this block cipher but was recently broken: OCB2. that look similar but Have to check proofs carefully! can be quickly broken.

  38. 9 10 rove confidentiality and How do we know that AES and 1994 Wheeler–Needham integrity of AES-GCM and ChaCha20 are PRFs? We don’t. a tiny encryption ChaCha20-Poly1305 assuming We conjecture security void encrypt(uint32 and ChaCha20 are PRFs. after enough failed attack efforts. { Generalization: Prove security “All of these attacks fail and we uint32 F ) assuming cipher F is a don’t have better attack ideas.” uint32 M is a mode of use of F . for (r Remaining slides today: c += modes: CTR (“counter • Simple example of block cipher. x += de”), CBC, OFB, many more. Seems to be a good cipher, modes: ECB, many more. except block size is too small. y += that claimed proof • Variants of this block cipher } as recently broken: OCB2. that look similar but b[0] = to check proofs carefully! can be quickly broken. }

  39. 9 10 confidentiality and How do we know that AES and 1994 Wheeler–Needham AES-GCM and ChaCha20 are PRFs? We don’t. a tiny encryption algo oly1305 assuming We conjecture security void encrypt(uint32 ChaCha20 are PRFs. after enough failed attack efforts. { Prove security “All of these attacks fail and we uint32 x = b[0], assuming cipher F is a don’t have better attack ideas.” uint32 r, c = 0; de of use of F . for (r = 0;r < Remaining slides today: c += 0x9e3779b9; CTR (“counter • Simple example of block cipher. x += y+c ^ (y<<4)+k[0] OFB, many more. Seems to be a good cipher, ^ (y>>5)+k[1]; ECB, many more. except block size is too small. y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; claimed proof • Variants of this block cipher } broken: OCB2. that look similar but b[0] = x; b[1] roofs carefully! can be quickly broken. }

  40. 9 10 and How do we know that AES and 1994 Wheeler–Needham “TEA, ChaCha20 are PRFs? We don’t. a tiny encryption algorithm”: assuming We conjecture security void encrypt(uint32 *b,uint32 PRFs. after enough failed attack efforts. { security “All of these attacks fail and we uint32 x = b[0], y = b[1]; F is a don’t have better attack ideas.” uint32 r, c = 0; of F . for (r = 0;r < 32;r += Remaining slides today: c += 0x9e3779b9; (“counter • Simple example of block cipher. x += y+c ^ (y<<4)+k[0] more. Seems to be a good cipher, ^ (y>>5)+k[1]; more. except block size is too small. y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; • Variants of this block cipher } OCB2. that look similar but b[0] = x; b[1] = y; refully! can be quickly broken. }

  41. 10 11 How do we know that AES and 1994 Wheeler–Needham “TEA, ChaCha20 are PRFs? We don’t. a tiny encryption algorithm”: We conjecture security void encrypt(uint32 *b,uint32 *k) after enough failed attack efforts. { “All of these attacks fail and we uint32 x = b[0], y = b[1]; don’t have better attack ideas.” uint32 r, c = 0; for (r = 0;r < 32;r += 1) { Remaining slides today: c += 0x9e3779b9; • Simple example of block cipher. x += y+c ^ (y<<4)+k[0] Seems to be a good cipher, ^ (y>>5)+k[1]; except block size is too small. y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; • Variants of this block cipher } that look similar but b[0] = x; b[1] = y; can be quickly broken. }

  42. 10 11 do we know that AES and 1994 Wheeler–Needham “TEA, uint32 : ChaCha20 are PRFs? We don’t. a tiny encryption algorithm”: representing integer b conjecture security void encrypt(uint32 *b,uint32 *k) enough failed attack efforts. + : addition { of these attacks fail and we uint32 x = b[0], y = b[1]; c += d : have better attack ideas.” uint32 r, c = 0; ^ : xor; ⊕ for (r = 0;r < 32;r += 1) { Remaining slides today: each bit c += 0x9e3779b9; Simple example of block cipher. Lower precedence x += y+c ^ (y<<4)+k[0] Seems to be a good cipher, so spacing ^ (y>>5)+k[1]; except block size is too small. y += x+c ^ (x<<4)+k[2] <<4 : multiplication ^ (x>>5)+k[3]; riants of this block cipher (0 ; 0 ; 0 ; 0 } look similar but >>5 : division b[0] = x; b[1] = y; be quickly broken. ( b 5 ; b 6 ; : }

  43. 10 11 that AES and 1994 Wheeler–Needham “TEA, uint32 : 32 bits ( b PRFs? We don’t. a tiny encryption algorithm”: representing the “unsigned” integer b 0 + 2 b 1 + security void encrypt(uint32 *b,uint32 *k) ailed attack efforts. + : addition mod 2 { attacks fail and we uint32 x = b[0], y = b[1]; c += d : same as c etter attack ideas.” uint32 r, c = 0; ^ : xor; ⊕ ; addition for (r = 0;r < 32;r += 1) { today: each bit separately c += 0x9e3779b9; example of block cipher. Lower precedence x += y+c ^ (y<<4)+k[0] good cipher, so spacing is not misleading. ^ (y>>5)+k[1]; size is too small. y += x+c ^ (x<<4)+k[2] <<4 : multiplication ^ (x>>5)+k[3]; this block cipher (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : } similar but >>5 : division by 32, b[0] = x; b[1] = y; broken. ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; }

  44. 10 11 AES and 1994 Wheeler–Needham “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; a tiny encryption algorithm”: representing the “unsigned” don’t. integer b 0 + 2 b 1 + · · · + 2 31 b void encrypt(uint32 *b,uint32 *k) + : addition mod 2 32 . efforts. { and we uint32 x = b[0], y = b[1]; c += d : same as c = c + d . ideas.” uint32 r, c = 0; ^ : xor; ⊕ ; addition of for (r = 0;r < 32;r += 1) { each bit separately mod 2. c += 0x9e3779b9; cipher. Lower precedence than + in x += y+c ^ (y<<4)+k[0] cipher, so spacing is not misleading. ^ (y>>5)+k[1]; small. y += x+c ^ (x<<4)+k[2] <<4 : multiplication by 16, i.e., ^ (x>>5)+k[3]; cipher (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). } >>5 : division by 32, i.e., b[0] = x; b[1] = y; ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0). }

  45. 11 12 1994 Wheeler–Needham “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) a tiny encryption algorithm”: representing the “unsigned” integer b 0 + 2 b 1 + · · · + 2 31 b 31 . void encrypt(uint32 *b,uint32 *k) + : addition mod 2 32 . { uint32 x = b[0], y = b[1]; c += d : same as c = c + d . uint32 r, c = 0; ^ : xor; ⊕ ; addition of for (r = 0;r < 32;r += 1) { each bit separately mod 2. c += 0x9e3779b9; Lower precedence than + in C, x += y+c ^ (y<<4)+k[0] so spacing is not misleading. ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] <<4 : multiplication by 16, i.e., ^ (x>>5)+k[3]; (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). } >>5 : division by 32, i.e., b[0] = x; b[1] = y; ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0). }

  46. 11 12 Wheeler–Needham “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionalit encryption algorithm”: representing the “unsigned” TEA is a integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit encrypt(uint32 *b,uint32 *k) + : addition mod 2 32 . uint32 x = b[0], y = b[1]; c += d : same as c = c + d . uint32 r, c = 0; ^ : xor; ⊕ ; addition of (r = 0;r < 32;r += 1) { each bit separately mod 2. += 0x9e3779b9; Lower precedence than + in C, += y+c ^ (y<<4)+k[0] so spacing is not misleading. ^ (y>>5)+k[1]; += x+c ^ (x<<4)+k[2] <<4 : multiplication by 16, i.e., ^ (x>>5)+k[3]; (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., = x; b[1] = y; ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).

  47. 11 12 Wheeler–Needham “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality algorithm”: representing the “unsigned” TEA is a 64-bit blo integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key encrypt(uint32 *b,uint32 *k) + : addition mod 2 32 . b[0], y = b[1]; c += d : same as c = c + d . 0; ^ : xor; ⊕ ; addition of 32;r += 1) { each bit separately mod 2. 0x9e3779b9; Lower precedence than + in C, (y<<4)+k[0] so spacing is not misleading. (y>>5)+k[1]; (x<<4)+k[2] <<4 : multiplication by 16, i.e., (x>>5)+k[3]; (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., = y; ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).

  48. 11 12 “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality rithm”: representing the “unsigned” TEA is a 64-bit block cipher integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . *b,uint32 *k) + : addition mod 2 32 . b[1]; c += d : same as c = c + d . ^ : xor; ⊕ ; addition of 1) { each bit separately mod 2. Lower precedence than + in C, (y<<4)+k[0] so spacing is not misleading. (y>>5)+k[1]; (x<<4)+k[2] <<4 : multiplication by 16, i.e., (x>>5)+k[3]; (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).

  49. 12 13 uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality representing the “unsigned” TEA is a 64-bit block cipher integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . + : addition mod 2 32 . c += d : same as c = c + d . ^ : xor; ⊕ ; addition of each bit separately mod 2. Lower precedence than + in C, so spacing is not misleading. <<4 : multiplication by 16, i.e., (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).

  50. 12 13 uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality representing the “unsigned” TEA is a 64-bit block cipher integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . + : addition mod 2 32 . Input: 128-bit key (namely c += d : same as c = c + d . k[0],k[1],k[2],k[3] ); 64-bit plaintext ( b[0],b[1] ). ^ : xor; ⊕ ; addition of each bit separately mod 2. Output: 64-bit ciphertext Lower precedence than + in C, (final b[0],b[1] ). so spacing is not misleading. <<4 : multiplication by 16, i.e., (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).

  51. 12 13 uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality representing the “unsigned” TEA is a 64-bit block cipher integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . + : addition mod 2 32 . Input: 128-bit key (namely c += d : same as c = c + d . k[0],k[1],k[2],k[3] ); 64-bit plaintext ( b[0],b[1] ). ^ : xor; ⊕ ; addition of each bit separately mod 2. Output: 64-bit ciphertext Lower precedence than + in C, (final b[0],b[1] ). so spacing is not misleading. Can efficiently encrypt : <<4 : multiplication by 16, i.e., (key ; plaintext) �→ ciphertext. (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). Can efficiently decrypt : >>5 : division by 32, i.e., (key ; ciphertext) �→ plaintext. ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).

  52. 12 13 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality Wait, ho resenting the “unsigned” TEA is a 64-bit block cipher void encrypt(uint32 integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . { addition mod 2 32 . uint32 Input: 128-bit key (namely uint32 : same as c = c + d . k[0],k[1],k[2],k[3] ); for (r 64-bit plaintext ( b[0],b[1] ). r; ⊕ ; addition of c += bit separately mod 2. Output: 64-bit ciphertext x += precedence than + in C, (final b[0],b[1] ). spacing is not misleading. y += Can efficiently encrypt : multiplication by 16, i.e., (key ; plaintext) �→ ciphertext. } ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). Can efficiently decrypt : b[0] = division by 32, i.e., (key ; ciphertext) �→ plaintext. } ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).

  53. 12 13 ( b 0 ; b 1 ; : : : ; b 31 ) Functionality Wait, how can we “unsigned” TEA is a 64-bit block cipher void encrypt(uint32 + · · · + 2 31 b 31 . with a 128-bit key . { 2 32 . uint32 x = b[0], Input: 128-bit key (namely uint32 r, c = 0; c = c + d . k[0],k[1],k[2],k[3] ); for (r = 0;r < 64-bit plaintext ( b[0],b[1] ). addition of c += 0x9e3779b9; rately mod 2. Output: 64-bit ciphertext x += y+c ^ (y<<4)+k[0] recedence than + in C, (final b[0],b[1] ). ^ (y>>5)+k[1]; not misleading. y += x+c ^ (x<<4)+k[2] Can efficiently encrypt : ^ (x>>5)+k[3]; multiplication by 16, i.e., (key ; plaintext) �→ ciphertext. } : : : ; b 27 ). Can efficiently decrypt : b[0] = x; b[1] 32, i.e., (key ; ciphertext) �→ plaintext. } 0 ; 0 ; 0 ; 0 ; 0).

  54. 12 13 : ; b 31 ) Functionality Wait, how can we decrypt? “unsigned” TEA is a 64-bit block cipher void encrypt(uint32 *b,uint32 31 b 31 . with a 128-bit key . { uint32 x = b[0], y = b[1]; Input: 128-bit key (namely uint32 r, c = 0; . k[0],k[1],k[2],k[3] ); for (r = 0;r < 32;r += 64-bit plaintext ( b[0],b[1] ). c += 0x9e3779b9; 2. Output: 64-bit ciphertext x += y+c ^ (y<<4)+k[0] in C, (final b[0],b[1] ). ^ (y>>5)+k[1]; misleading. y += x+c ^ (x<<4)+k[2] Can efficiently encrypt : ^ (x>>5)+k[3]; i.e., (key ; plaintext) �→ ciphertext. } Can efficiently decrypt : b[0] = x; b[1] = y; (key ; ciphertext) �→ plaintext. } 0).

  55. 13 14 Functionality Wait, how can we decrypt? TEA is a 64-bit block cipher void encrypt(uint32 *b,uint32 *k) with a 128-bit key . { uint32 x = b[0], y = b[1]; Input: 128-bit key (namely uint32 r, c = 0; k[0],k[1],k[2],k[3] ); for (r = 0;r < 32;r += 1) { 64-bit plaintext ( b[0],b[1] ). c += 0x9e3779b9; Output: 64-bit ciphertext x += y+c ^ (y<<4)+k[0] (final b[0],b[1] ). ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] Can efficiently encrypt : ^ (x>>5)+k[3]; (key ; plaintext) �→ ciphertext. } Can efficiently decrypt : b[0] = x; b[1] = y; (key ; ciphertext) �→ plaintext. }

  56. 13 14 unctionality Wait, how can we decrypt? Answer: is a 64-bit block cipher void encrypt(uint32 *b,uint32 *k) void decrypt(uint32 128-bit key . { { uint32 x = b[0], y = b[1]; uint32 128-bit key (namely uint32 r, c = 0; uint32 k[0],k[1],k[2],k[3] ); for (r = 0;r < 32;r += 1) { for (r plaintext ( b[0],b[1] ). c += 0x9e3779b9; y -= Output: 64-bit ciphertext x += y+c ^ (y<<4)+k[0] b[0],b[1] ). ^ (y>>5)+k[1]; x -= y += x+c ^ (x<<4)+k[2] efficiently encrypt : ^ (x>>5)+k[3]; c -= plaintext) �→ ciphertext. } } efficiently decrypt : b[0] = x; b[1] = y; b[0] = ciphertext) �→ plaintext. } }

  57. 13 14 Wait, how can we decrypt? Answer: Each step block cipher void encrypt(uint32 *b,uint32 *k) void decrypt(uint32 key . { { uint32 x = b[0], y = b[1]; uint32 x = b[0], ey (namely uint32 r, c = 0; uint32 r, c = 32 k[0],k[1],k[2],k[3] ); for (r = 0;r < 32;r += 1) { for (r = 0;r < ( b[0],b[1] ). c += 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] ciphertext x += y+c ^ (y<<4)+k[0] ^ (x>>5)+k[3]; ). ^ (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] y += x+c ^ (x<<4)+k[2] ^ (y>>5)+k[1]; encrypt : ^ (x>>5)+k[3]; c -= 0x9e3779b9; �→ ciphertext. } } decrypt : b[0] = x; b[1] = y; b[0] = x; b[1] �→ plaintext. } }

  58. 13 14 Wait, how can we decrypt? Answer: Each step is invertible. cipher void encrypt(uint32 *b,uint32 *k) void decrypt(uint32 *b,uint32 { { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; (namely uint32 r, c = 0; uint32 r, c = 32 * 0x9e3779b9; for (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += b[0],b[1] ). c += 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] ciphertext x += y+c ^ (y<<4)+k[0] ^ (x>>5)+k[3]; ^ (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] y += x+c ^ (x<<4)+k[2] ^ (y>>5)+k[1]; ^ (x>>5)+k[3]; c -= 0x9e3779b9; ciphertext. } } b[0] = x; b[1] = y; b[0] = x; b[1] = y; plaintext. } }

  59. 14 15 Wait, how can we decrypt? Answer: Each step is invertible. void encrypt(uint32 *b,uint32 *k) void decrypt(uint32 *b,uint32 *k) { { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; uint32 r, c = 32 * 0x9e3779b9; for (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] x += y+c ^ (y<<4)+k[0] ^ (x>>5)+k[3]; ^ (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] y += x+c ^ (x<<4)+k[2] ^ (y>>5)+k[1]; ^ (x>>5)+k[3]; c -= 0x9e3779b9; } } b[0] = x; b[1] = y; b[0] = x; b[1] = y; } }

  60. 14 15 how can we decrypt? Answer: Each step is invertible. Generalization, (used in, encrypt(uint32 *b,uint32 *k) void decrypt(uint32 *b,uint32 *k) 1973 Feistel–Copp { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; x += function1(y,k); uint32 r, c = 0; uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += 1) { x += function3(y,k); += 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] y += function4(x,k); += y+c ^ (y<<4)+k[0] ^ (x>>5)+k[3]; ... ^ (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] Decryption, += x+c ^ (x<<4)+k[2] ^ (y>>5)+k[1]; ... ^ (x>>5)+k[3]; c -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); = x; b[1] = y; b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);

  61. 14 15 e decrypt? Answer: Each step is invertible. Generalization, Feistel (used in, e.g., “Lucifer” encrypt(uint32 *b,uint32 *k) void decrypt(uint32 *b,uint32 *k) 1973 Feistel–Copp { b[0], y = b[1]; uint32 x = b[0], y = b[1]; x += function1(y,k); 0; uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); 32;r += 1) { for (r = 0;r < 32;r += 1) { x += function3(y,k); 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] y += function4(x,k); (y<<4)+k[0] ^ (x>>5)+k[3]; ... (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] Decryption, inverting (x<<4)+k[2] ^ (y>>5)+k[1]; ... (x>>5)+k[3]; c -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); = y; b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);

  62. 14 15 decrypt? Answer: Each step is invertible. Generalization, Feistel netw (used in, e.g., “Lucifer” from *b,uint32 *k) void decrypt(uint32 *b,uint32 *k) 1973 Feistel–Coppersmith): { b[1]; uint32 x = b[0], y = b[1]; x += function1(y,k); uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); 1) { for (r = 0;r < 32;r += 1) { x += function3(y,k); y -= x+c ^ (x<<4)+k[2] y += function4(x,k); (y<<4)+k[0] ^ (x>>5)+k[3]; ... (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] Decryption, inverting each step: (x<<4)+k[2] ^ (y>>5)+k[1]; ... (x>>5)+k[3]; c -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);

  63. 15 16 Answer: Each step is invertible. Generalization, Feistel network (used in, e.g., “Lucifer” from void decrypt(uint32 *b,uint32 *k) 1973 Feistel–Coppersmith): { uint32 x = b[0], y = b[1]; x += function1(y,k); uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); for (r = 0;r < 32;r += 1) { x += function3(y,k); y -= x+c ^ (x<<4)+k[2] y += function4(x,k); ^ (x>>5)+k[3]; ... x -= y+c ^ (y<<4)+k[0] Decryption, inverting each step: ^ (y>>5)+k[1]; ... c -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);

  64. 15 16 er: Each step is invertible. Generalization, Feistel network TEA again (used in, e.g., “Lucifer” from decrypt(uint32 *b,uint32 *k) void encrypt(uint32 1973 Feistel–Coppersmith): { uint32 x = b[0], y = b[1]; x += function1(y,k); uint32 uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); uint32 (r = 0;r < 32;r += 1) { x += function3(y,k); for (r -= x+c ^ (x<<4)+k[2] y += function4(x,k); c += ^ (x>>5)+k[3]; ... x += -= y+c ^ (y<<4)+k[0] Decryption, inverting each step: ^ (y>>5)+k[1]; y += ... -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); = x; b[1] = y; b[0] = y -= function2(x,k); } x -= function1(y,k);

  65. 15 16 step is invertible. Generalization, Feistel network TEA again for compa (used in, e.g., “Lucifer” from decrypt(uint32 *b,uint32 *k) void encrypt(uint32 1973 Feistel–Coppersmith): { b[0], y = b[1]; x += function1(y,k); uint32 x = b[0], 32 * 0x9e3779b9; y += function2(x,k); uint32 r, c = 0; 32;r += 1) { x += function3(y,k); for (r = 0;r < (x<<4)+k[2] y += function4(x,k); c += 0x9e3779b9; (x>>5)+k[3]; ... x += y+c ^ (y<<4)+k[0] (y<<4)+k[0] ^ (y>>5)+k[1]; Decryption, inverting each step: (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ... 0x9e3779b9; ^ (x>>5)+k[3]; y -= function4(x,k); } x -= function3(y,k); = y; b[0] = x; b[1] y -= function2(x,k); } x -= function1(y,k);

  66. 15 16 invertible. Generalization, Feistel network TEA again for comparison (used in, e.g., “Lucifer” from *b,uint32 *k) void encrypt(uint32 *b,uint32 1973 Feistel–Coppersmith): { b[1]; x += function1(y,k); uint32 x = b[0], y = b[1]; 0x9e3779b9; y += function2(x,k); uint32 r, c = 0; 1) { x += function3(y,k); for (r = 0;r < 32;r += (x<<4)+k[2] y += function4(x,k); c += 0x9e3779b9; (x>>5)+k[3]; ... x += y+c ^ (y<<4)+k[0] (y<<4)+k[0] ^ (y>>5)+k[1]; Decryption, inverting each step: (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ... ^ (x>>5)+k[3]; y -= function4(x,k); } x -= function3(y,k); b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);

  67. 16 17 Generalization, Feistel network TEA again for comparison (used in, e.g., “Lucifer” from void encrypt(uint32 *b,uint32 *k) 1973 Feistel–Coppersmith): { x += function1(y,k); uint32 x = b[0], y = b[1]; y += function2(x,k); uint32 r, c = 0; x += function3(y,k); for (r = 0;r < 32;r += 1) { y += function4(x,k); c += 0x9e3779b9; ... x += y+c ^ (y<<4)+k[0] ^ (y>>5)+k[1]; Decryption, inverting each step: y += x+c ^ (x<<4)+k[2] ... ^ (x>>5)+k[3]; y -= function4(x,k); } x -= function3(y,k); b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);

  68. 16 17 Generalization, Feistel network TEA again for comparison XORTEA: in, e.g., “Lucifer” from void encrypt(uint32 *b,uint32 *k) void encrypt(uint32 eistel–Coppersmith): { { function1(y,k); uint32 x = b[0], y = b[1]; uint32 function2(x,k); uint32 r, c = 0; uint32 function3(y,k); for (r = 0;r < 32;r += 1) { for (r function4(x,k); c += 0x9e3779b9; c += x += y+c ^ (y<<4)+k[0] x ^= ^ (y>>5)+k[1]; Decryption, inverting each step: y += x+c ^ (x<<4)+k[2] y ^= ^ (x>>5)+k[3]; function4(x,k); } } function3(y,k); b[0] = x; b[1] = y; b[0] = function2(x,k); } } function1(y,k);

  69. 16 17 TEA again for comparison XORTEA: a bad cipher Feistel network “Lucifer” from void encrypt(uint32 *b,uint32 *k) void encrypt(uint32 eistel–Coppersmith): { { function1(y,k); uint32 x = b[0], y = b[1]; uint32 x = b[0], function2(x,k); uint32 r, c = 0; uint32 r, c = 0; function3(y,k); for (r = 0;r < 32;r += 1) { for (r = 0;r < function4(x,k); c += 0x9e3779b9; c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)+k[1]; ^ (y>>5)^k[1]; inverting each step: y += x+c ^ (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)+k[3]; ^ (x>>5)^k[3]; function4(x,k); } } function3(y,k); b[0] = x; b[1] = y; b[0] = x; b[1] function2(x,k); } } function1(y,k);

  70. 16 17 TEA again for comparison XORTEA: a bad cipher network from void encrypt(uint32 *b,uint32 *k) void encrypt(uint32 *b,uint32 mith): { { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += c += 0x9e3779b9; c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)+k[1]; ^ (y>>5)^k[1]; step: y += x+c ^ (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)+k[3]; ^ (x>>5)^k[3]; } } b[0] = x; b[1] = y; b[0] = x; b[1] = y; } }

  71. 17 18 TEA again for comparison XORTEA: a bad cipher void encrypt(uint32 *b,uint32 *k) void encrypt(uint32 *b,uint32 *k) { { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)+k[1]; ^ (y>>5)^k[1]; y += x+c ^ (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)+k[3]; ^ (x>>5)^k[3]; } } b[0] = x; b[1] = y; b[0] = x; b[1] = y; } }

  72. 17 18 again for comparison XORTEA: a bad cipher “Hardwa xor circuit encrypt(uint32 *b,uint32 *k) void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; uint32 r, c = 0; (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += 1) { += 0x9e3779b9; c += 0x9e3779b9; += y+c ^ (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)+k[1]; ^ (y>>5)^k[1]; += x+c ^ (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)+k[3]; ^ (x>>5)^k[3]; } = x; b[1] = y; b[0] = x; b[1] = y; }

  73. 17 18 comparison XORTEA: a bad cipher “Hardware-friendlier” xor circuit is cheap encrypt(uint32 *b,uint32 *k) void encrypt(uint32 *b,uint32 *k) { b[0], y = b[1]; uint32 x = b[0], y = b[1]; 0; uint32 r, c = 0; 32;r += 1) { for (r = 0;r < 32;r += 1) { 0x9e3779b9; c += 0x9e3779b9; (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] (y>>5)+k[1]; ^ (y>>5)^k[1]; (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] (x>>5)+k[3]; ^ (x>>5)^k[3]; } = y; b[0] = x; b[1] = y; }

  74. 17 18 XORTEA: a bad cipher “Hardware-friendlier” cipher, xor circuit is cheaper than add. *b,uint32 *k) void encrypt(uint32 *b,uint32 *k) { b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; 1) { for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] (y>>5)+k[1]; ^ (y>>5)^k[1]; (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] (x>>5)+k[3]; ^ (x>>5)^k[3]; } b[0] = x; b[1] = y; }

  75. 18 19 XORTEA: a bad cipher “Hardware-friendlier” cipher, since xor circuit is cheaper than add. void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)^k[1]; y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)^k[3]; } b[0] = x; b[1] = y; }

  76. 18 19 XORTEA: a bad cipher “Hardware-friendlier” cipher, since xor circuit is cheaper than add. void encrypt(uint32 *b,uint32 *k) But output bits are linear { functions of input bits! uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)^k[1]; y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)^k[3]; } b[0] = x; b[1] = y; }

  77. 18 19 XORTEA: a bad cipher “Hardware-friendlier” cipher, since xor circuit is cheaper than add. void encrypt(uint32 *b,uint32 *k) But output bits are linear { functions of input bits! uint32 x = b[0], y = b[1]; uint32 r, c = 0; e.g. First output bit is for (r = 0;r < 32;r += 1) { 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ c += 0x9e3779b9; k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ x ^= y^c ^ (y<<4)^k[0] k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ ^ (y>>5)^k[1]; k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ y ^= x^c ^ (x<<4)^k[2] k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ ^ (x>>5)^k[3]; b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ } b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b[0] = x; b[1] = y; b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 . }

  78. 18 19 ORTEA: a bad cipher “Hardware-friendlier” cipher, since There is xor circuit is cheaper than add. with coefficients encrypt(uint32 *b,uint32 *k) such that, But output bits are linear XORTEA functions of input bits! uint32 x = b[0], y = b[1]; uint32 r, c = 0; e.g. First output bit is (r = 0;r < 32;r += 1) { 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ += 0x9e3779b9; k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ ^= y^c ^ (y<<4)^k[0] k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ ^ (y>>5)^k[1]; k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ ^= x^c ^ (x<<4)^k[2] k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ ^ (x>>5)^k[3]; b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ = x; b[1] = y; b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .

  79. 18 19 cipher “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in encrypt(uint32 *b,uint32 *k) such that, for all ( k But output bits are linear XORTEA k ( b ) = (1 functions of input bits! b[0], y = b[1]; 0; e.g. First output bit is 32;r += 1) { 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ 0x9e3779b9; k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ (y<<4)^k[0] k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ (y>>5)^k[1]; k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ (x<<4)^k[2] k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ (x>>5)^k[3]; b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ = y; b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .

  80. 18 19 “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in F 2 *b,uint32 *k) such that, for all ( k; b ), But output bits are linear XORTEA k ( b ) = (1 ; k; b ) M . functions of input bits! b[1]; e.g. First output bit is 1) { 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ (y<<4)^k[0] k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ (y>>5)^k[1]; k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ (x<<4)^k[2] k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ (x>>5)^k[3]; b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .

  81. 19 20 “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in F 2 such that, for all ( k; b ), But output bits are linear XORTEA k ( b ) = (1 ; k; b ) M . functions of input bits! e.g. First output bit is 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .

  82. 19 20 “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in F 2 such that, for all ( k; b ), But output bits are linear XORTEA k ( b ) = (1 ; k; b ) M . functions of input bits! XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) e.g. First output bit is = (0 ; 0 ; b 1 ⊕ b 2 ) M . 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .

  83. 19 20 “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in F 2 such that, for all ( k; b ), But output bits are linear XORTEA k ( b ) = (1 ; k; b ) M . functions of input bits! XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) e.g. First output bit is = (0 ; 0 ; b 1 ⊕ b 2 ) M . 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ Very fast attack: k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ if b 4 = b 1 ⊕ b 2 ⊕ b 3 then k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ XORTEA k ( b 3 ) ⊕ XORTEA k ( b 4 ). b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .

Recommend

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client servers ciphertext C 0 public key S Internet Public-key crypto ciphertext C 0 servers same k secret key s server

916 views • 80 slides
Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key encryption system encrypts one secret message: a random 256-bit session key. Public-key signature system stops NSAITM attacks. Fast

1.03k views • 63 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x

Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x

CS 166: Information Security Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 Y y 0 y 1 y 2 y 3 y 4 y 5 y

690 views • 45 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &amp;

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &amp;

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &amp; Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago &amp; Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago &amp; Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

799 views • 61 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo

Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo

Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo Research Professor, to handle Internet mail; University of Illinois at Chicago tinydns , used by Facebook Hoogleraar, to publish server

625 views • 43 slides
Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

1.15k views • 86 slides
Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

810 views • 63 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce elliptic-curve formulas cryptographic security levels or give up on cryptography. Daniel J. Bernstein University of Illinois at Chicago &amp; Example 1

1.55k views • 138 slides
Boring crypto Daniel J. Bernstein University of Illinois at Chicago &amp; Technische

Boring crypto Daniel J. Bernstein University of Illinois at Chicago &amp; Technische

Boring crypto Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Ancient Chinese curse: May you live in interesting times, so that you have many papers to write. Related mailing list:

871 views • 57 slides
NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago &amp; T. U. Eindhoven Tanja

NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago &amp; T. U. Eindhoven Tanja

NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago &amp; T. U. Eindhoven Tanja Lange, T. U. Eindhoven Joint work with: Peter Schwabe, R. U. Nijmegen xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards. Obviously

874 views • 50 slides
Cleaning up crypto D. J. Bernstein, U. Illinois Chicago &amp; T. U. Eindhoven Tanja Lange, T. U.

Cleaning up crypto D. J. Bernstein, U. Illinois Chicago &amp; T. U. Eindhoven Tanja Lange, T. U.

Cleaning up crypto D. J. Bernstein, U. Illinois Chicago &amp; T. U. Eindhoven Tanja Lange, T. U. Eindhoven Joint work with: Peter Schwabe, R. U. Nijmegen http://xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards. Obviously

844 views • 52 slides
Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &amp;

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &amp;

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Terrorist in Hong Kong prepares to throw deadly weapon at Chinese government workers. Image credit: Reuters.

1.74k views • 140 slides
Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &amp;

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &amp;

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Terrorist in Hong Kong prepares to throw deadly weapon at Chinese government workers. Image credit: Reuters.

739 views • 54 slides
Crypto developments Daniel J. Bernstein Research Professor, University of Illinois at Chicago

Crypto developments Daniel J. Bernstein Research Professor, University of Illinois at Chicago

Crypto developments Daniel J. Bernstein Research Professor, University of Illinois at Chicago Hoogleraar, Cryptographic Implementations, Technische Universiteit Eindhoven A bit about me Designer of: qmail , used by Yahoo to handle

753 views • 26 slides
Evolving Ecosystems Moti Yung, Google Talk Agenda Part I: Crypto as part of general

Evolving Ecosystems Moti Yung, Google Talk Agenda Part I: Crypto as part of general

Actual Cryptography at the Age of Evolving Ecosystems Moti Yung, Google Talk Agenda Part I: Crypto as part of general engineering projects Part II: Adx Review Part III: Adx Crypto solutions Part IV: Conclusions From

861 views • 43 slides
Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 BushingMarcanSegher University of Illinois at Chicago &amp; Sven failOverflow demolition Technische Universiteit Eindhoven of Sony PS3 security

1.08k views • 69 slides
Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University

Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University

Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University of Illinois at Chicago &amp; BEAST CBC attack. Technische Universiteit Eindhoven Trustwave HTTPS interception. CRIME compression attack. Lucky 13

1.3k views • 128 slides

More recommend