3 4 objectives Easy encryption mechanism: Last time: For each message Assume 30-digit messages. compute authenticator Assume client, server know using another secret number. ciphertexts. secret 30-digit numbers Sender attaches authenticato seeing t 1 to use for message 1; to message before sending it. out t 2 to use for message 2; Receiver checks authenticato can see t 3 to use for message 3; etc. This protects integrity. timing.) C 1 = ( m 1 + t 1 ) mod 10 30 ; objectives. C 2 = ( m 2 + t 2 ) mod 10 30 ; C 3 = ( m 3 + t 3 ) mod 10 30 ; etc. slow, CPU. This protects confidentiality. lost. AES-GCM, ChaCha20-Poly1305 . work this way, scaled up to groups larger than Z = 10 30 .
4 5 Easy encryption mechanism: Last time: For each message Assume 30-digit messages. compute authenticator Assume client, server know using another secret number. secret 30-digit numbers Sender attaches authenticator t 1 to use for message 1; to message before sending it. t 2 to use for message 2; Receiver checks authenticator. t 3 to use for message 3; etc. This protects integrity. C 1 = ( m 1 + t 1 ) mod 10 30 ; C 2 = ( m 2 + t 2 ) mod 10 30 ; C 3 = ( m 3 + t 3 ) mod 10 30 ; etc. This protects confidentiality. AES-GCM, ChaCha20-Poly1305 work this way, scaled up to groups larger than Z = 10 30 .
4 5 Easy encryption mechanism: Last time: For each message Assume 30-digit messages. compute authenticator Assume client, server know using another secret number. secret 30-digit numbers Sender attaches authenticator t 1 to use for message 1; to message before sending it. t 2 to use for message 2; Receiver checks authenticator. t 3 to use for message 3; etc. This protects integrity. C 1 = ( m 1 + t 1 ) mod 10 30 ; Details use multiplications. C 2 = ( m 2 + t 2 ) mod 10 30 ; AES-GCM, ChaCha20-Poly1305 C 3 = ( m 3 + t 3 ) mod 10 30 ; etc. work this way, again scaled up. This protects confidentiality. AES-GCM, ChaCha20-Poly1305 work this way, scaled up to groups larger than Z = 10 30 .
4 5 Easy encryption mechanism: Last time: For each message Assume 30-digit messages. compute authenticator Assume client, server know using another secret number. secret 30-digit numbers Sender attaches authenticator t 1 to use for message 1; to message before sending it. t 2 to use for message 2; Receiver checks authenticator. t 3 to use for message 3; etc. This protects integrity. C 1 = ( m 1 + t 1 ) mod 10 30 ; Details use multiplications. C 2 = ( m 2 + t 2 ) mod 10 30 ; AES-GCM, ChaCha20-Poly1305 C 3 = ( m 3 + t 3 ) mod 10 30 ; etc. work this way, again scaled up. This protects confidentiality. This would be the whole picture AES-GCM, ChaCha20-Poly1305 if client, server started with work this way, scaled up to enough secret random numbers. groups larger than Z = 10 30 .
4 5 encryption mechanism: Last time: For each message AES expands Assume 30-digit messages. compute authenticator into F ( k Assume client, server know using another secret number. simulating 30-digit numbers secrets r Sender attaches authenticator use for message 1; to message before sending it. use for message 2; Receiver checks authenticator. use for message 3; etc. This protects integrity. m 1 + t 1 ) mod 10 30 ; Details use multiplications. m 2 + t 2 ) mod 10 30 ; AES-GCM, ChaCha20-Poly1305 m 3 + t 3 ) mod 10 30 ; etc. work this way, again scaled up. rotects confidentiality. This would be the whole picture AES-GCM, ChaCha20-Poly1305 if client, server started with this way, scaled up to enough secret random numbers. larger than Z = 10 30 .
4 5 mechanism: Last time: For each message AES expands 256-bit messages. compute authenticator into F ( k; 1) ; F ( k; 2) server know using another secret number. simulating many indep numbers secrets r; s 1 ; t 1 ; : : : Sender attaches authenticator message 1; to message before sending it. message 2; Receiver checks authenticator. message 3; etc. This protects integrity. mod 10 30 ; Details use multiplications. mod 10 30 ; AES-GCM, ChaCha20-Poly1305 mod 10 30 ; etc. work this way, again scaled up. confidentiality. This would be the whole picture ChaCha20-Poly1305 if client, server started with caled up to enough secret random numbers. than Z = 10 30 .
4 5 mechanism: Last time: For each message AES expands 256-bit secret messages. compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. Receiver checks authenticator. etc. This protects integrity. Details use multiplications. AES-GCM, ChaCha20-Poly1305 etc. work this way, again scaled up. confidentiality. This would be the whole picture oly1305 if client, server started with to enough secret random numbers. .
5 6 Last time: For each message AES expands 256-bit secret k compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. Receiver checks authenticator. This protects integrity. Details use multiplications. AES-GCM, ChaCha20-Poly1305 work this way, again scaled up. This would be the whole picture if client, server started with enough secret random numbers.
5 6 Last time: For each message AES expands 256-bit secret k compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. ChaCha20 also does this, Receiver checks authenticator. using a different function F . This protects integrity. Details use multiplications. AES-GCM, ChaCha20-Poly1305 work this way, again scaled up. This would be the whole picture if client, server started with enough secret random numbers.
5 6 Last time: For each message AES expands 256-bit secret k compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. ChaCha20 also does this, Receiver checks authenticator. using a different function F . This protects integrity. Definition of PRG Details use multiplications. (“pseudorandom generator”): AES-GCM, ChaCha20-Poly1305 Attacker can’t distinguish work this way, again scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent This would be the whole picture uniform random blocks. if client, server started with enough secret random numbers.
5 6 Last time: For each message AES expands 256-bit secret k compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : using another secret number. simulating many independent secrets r; s 1 ; t 1 ; : : : . Sender attaches authenticator to message before sending it. ChaCha20 also does this, Receiver checks authenticator. using a different function F . This protects integrity. Definition of PRG Details use multiplications. (“pseudorandom generator”): AES-GCM, ChaCha20-Poly1305 Attacker can’t distinguish work this way, again scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent This would be the whole picture uniform random blocks. if client, server started with enough secret random numbers. Warning: “pseudorandom” has many other meanings.
5 6 time: For each message AES expands 256-bit secret k PRF (“pseudo compute authenticator into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker another secret number. simulating many independent F ( k; 1) ; F secrets r; s 1 ; t 1 ; : : : . independent Sender attaches authenticator blocks, given message before sending it. ChaCha20 also does this, that returns Receiver checks authenticator. using a different function F . Server is rotects integrity. Definition of PRG Details use multiplications. (“pseudorandom generator”): AES-GCM, ChaCha20-Poly1305 Attacker can’t distinguish this way, again scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent ould be the whole picture uniform random blocks. client, server started with enough secret random numbers. Warning: “pseudorandom” has many other meanings.
5 6 each message AES expands 256-bit secret k PRF (“pseudorandom into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish authenticator secret number. simulating many independent F ( k; 1) ; F ( k; 2) ; F ( secrets r; s 1 ; t 1 ; : : : . independent uniform authenticator blocks, given access re sending it. ChaCha20 also does this, that returns F ( k; i authenticator. using a different function F . Server is called an integrity. Definition of PRG multiplications. (“pseudorandom generator”): ChaCha20-Poly1305 Attacker can’t distinguish again scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent the whole picture uniform random blocks. started with random numbers. Warning: “pseudorandom” has many other meanings.
5 6 essage AES expands 256-bit secret k PRF (“pseudorandom function”): into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish er. simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : secrets r; s 1 ; t 1 ; : : : . independent uniform random authenticator blocks, given access to a server it. ChaCha20 also does this, that returns F ( k; i ) given i . authenticator. using a different function F . Server is called an oracle . Definition of PRG multiplications. (“pseudorandom generator”): oly1305 Attacker can’t distinguish scaled up. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent picture uniform random blocks. with numbers. Warning: “pseudorandom” has many other meanings.
6 7 AES expands 256-bit secret k PRF (“pseudorandom function”): into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from secrets r; s 1 ; t 1 ; : : : . independent uniform random blocks, given access to a server ChaCha20 also does this, that returns F ( k; i ) given i . using a different function F . Server is called an oracle . Definition of PRG (“pseudorandom generator”): Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from string of independent uniform random blocks. Warning: “pseudorandom” has many other meanings.
6 7 AES expands 256-bit secret k PRF (“pseudorandom function”): into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from secrets r; s 1 ; t 1 ; : : : . independent uniform random blocks, given access to a server ChaCha20 also does this, that returns F ( k; i ) given i . using a different function F . Server is called an oracle . Definition of PRG PRP (“ : : : permutation”): (“pseudorandom generator”): Attacker can’t distinguish Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random from string of independent distinct blocks, given oracle. uniform random blocks. Warning: “pseudorandom” has many other meanings.
6 7 AES expands 256-bit secret k PRF (“pseudorandom function”): into F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from secrets r; s 1 ; t 1 ; : : : . independent uniform random blocks, given access to a server ChaCha20 also does this, that returns F ( k; i ) given i . using a different function F . Server is called an oracle . Definition of PRG PRP (“ : : : permutation”): (“pseudorandom generator”): Attacker can’t distinguish Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random from string of independent distinct blocks, given oracle. uniform random blocks. If block size is big then Warning: “pseudorandom” PRP ⇒ PRF ⇒ PRG. has many other meanings.
6 7 expands 256-bit secret k PRF (“pseudorandom function”): Small blo ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish PRF prop simulating many independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application r; s 1 ; t 1 ; : : : . independent uniform random blocks, given access to a server ChaCha20 also does this, that returns F ( k; i ) given i . a different function F . Server is called an oracle . Definition of PRG PRP (“ : : : permutation”): (“pseudorandom generator”): Attacker can’t distinguish er can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random string of independent distinct blocks, given oracle. random blocks. If block size is big then rning: “pseudorandom” PRP ⇒ PRF ⇒ PRG. many other meanings.
6 7 256-bit secret k PRF (“pseudorandom function”): Small block sizes a ; 2) ; F ( k; 3) ; : : : Attacker can’t distinguish PRF property fails, independent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security : : . independent uniform random blocks, given access to a server does this, that returns F ( k; i ) given i . function F . Server is called an oracle . PRG PRP (“ : : : permutation”): generator”): Attacker can’t distinguish distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : F ( k; 3) ; : : : from independent uniform random independent distinct blocks, given oracle. blocks. If block size is big then “pseudorandom” PRP ⇒ PRF ⇒ PRG. meanings.
6 7 secret k PRF (“pseudorandom function”): Small block sizes are dangerous. 3) ; : : : Attacker can’t distinguish PRF property fails, and often endent F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random blocks, given access to a server that returns F ( k; i ) given i . F . Server is called an oracle . PRP (“ : : : permutation”): r”): Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : : : from independent uniform random endent distinct blocks, given oracle. If block size is big then random” PRP ⇒ PRF ⇒ PRG.
7 8 PRF (“pseudorandom function”): Small block sizes are dangerous. Attacker can’t distinguish PRF property fails, and often F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random blocks, given access to a server that returns F ( k; i ) given i . Server is called an oracle . PRP (“ : : : permutation”): Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random distinct blocks, given oracle. If block size is big then PRP ⇒ PRF ⇒ PRG.
7 8 PRF (“pseudorandom function”): Small block sizes are dangerous. Attacker can’t distinguish PRF property fails, and often F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random e.g. 2016 Bhargavan–Leurent blocks, given access to a server sweet32.info : Triple-DES that returns F ( k; i ) given i . broken in TLS. Same attack Server is called an oracle . also breaks small block sizes PRP (“ : : : permutation”): in NSA’s Simon, Speck. Attacker can’t distinguish F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from independent uniform random distinct blocks, given oracle. If block size is big then PRP ⇒ PRF ⇒ PRG.
7 8 PRF (“pseudorandom function”): Small block sizes are dangerous. Attacker can’t distinguish PRF property fails, and often F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random e.g. 2016 Bhargavan–Leurent blocks, given access to a server sweet32.info : Triple-DES that returns F ( k; i ) given i . broken in TLS. Same attack Server is called an oracle . also breaks small block sizes PRP (“ : : : permutation”): in NSA’s Simon, Speck. Attacker can’t distinguish AES block size: 128 bits. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : PRF attack chance ≈ q 2 = 2 129 from independent uniform random if AES is used for q blocks. distinct blocks, given oracle. Is this safe? How big is q ? If block size is big then PRP ⇒ PRF ⇒ PRG.
7 8 PRF (“pseudorandom function”): Small block sizes are dangerous. Attacker can’t distinguish PRF property fails, and often F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. independent uniform random e.g. 2016 Bhargavan–Leurent blocks, given access to a server sweet32.info : Triple-DES that returns F ( k; i ) given i . broken in TLS. Same attack Server is called an oracle . also breaks small block sizes PRP (“ : : : permutation”): in NSA’s Simon, Speck. Attacker can’t distinguish AES block size: 128 bits. F ( k; 1) ; F ( k; 2) ; F ( k; 3) ; : : : PRF attack chance ≈ q 2 = 2 129 from independent uniform random if AES is used for q blocks. distinct blocks, given oracle. Is this safe? How big is q ? If block size is big then ChaCha20 block size: 512 bits. PRP ⇒ PRF ⇒ PRG.
7 8 (“pseudorandom function”): Small block sizes are dangerous. Can prove er can’t distinguish PRF property fails, and often integrity 1) ; F ( k; 2) ; F ( k; 3) ; : : : from application security fails. ChaCha20-P endent uniform random AES and e.g. 2016 Bhargavan–Leurent cks, given access to a server sweet32.info : Triple-DES returns F ( k; i ) given i . broken in TLS. Same attack is called an oracle . also breaks small block sizes (“ : : : permutation”): in NSA’s Simon, Speck. er can’t distinguish AES block size: 128 bits. 1) ; F ( k; 2) ; F ( k; 3) ; : : : PRF attack chance ≈ q 2 = 2 129 independent uniform random if AES is used for q blocks. distinct blocks, given oracle. Is this safe? How big is q ? ck size is big then ChaCha20 block size: 512 bits. PRF ⇒ PRG.
7 8 random function”): Small block sizes are dangerous. Can prove confidentialit distinguish PRF property fails, and often integrity of AES-GCM F ( k; 3) ; : : : from application security fails. ChaCha20-Poly1305 uniform random AES and ChaCha20 e.g. 2016 Bhargavan–Leurent access to a server sweet32.info : Triple-DES ; i ) given i . broken in TLS. Same attack an oracle . also breaks small block sizes ermutation”): in NSA’s Simon, Speck. distinguish AES block size: 128 bits. F ( k; 3) ; : : : PRF attack chance ≈ q 2 = 2 129 endent uniform random if AES is used for q blocks. given oracle. Is this safe? How big is q ? big then ChaCha20 block size: 512 bits. PRG.
7 8 function”): Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and : : from application security fails. ChaCha20-Poly1305 assuming random AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent erver sweet32.info : Triple-DES i . broken in TLS. Same attack also breaks small block sizes ermutation”): in NSA’s Simon, Speck. AES block size: 128 bits. : : PRF attack chance ≈ q 2 = 2 129 random if AES is used for q blocks. racle. Is this safe? How big is q ? ChaCha20 block size: 512 bits.
8 9 Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent sweet32.info : Triple-DES broken in TLS. Same attack also breaks small block sizes in NSA’s Simon, Speck. AES block size: 128 bits. PRF attack chance ≈ q 2 = 2 129 if AES is used for q blocks. Is this safe? How big is q ? ChaCha20 block size: 512 bits.
8 9 Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent sweet32.info : Triple-DES Generalization: Prove security broken in TLS. Same attack of M ( F ) assuming cipher F is a also breaks small block sizes PRF. M is a mode of use of F . in NSA’s Simon, Speck. AES block size: 128 bits. PRF attack chance ≈ q 2 = 2 129 if AES is used for q blocks. Is this safe? How big is q ? ChaCha20 block size: 512 bits.
8 9 Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent sweet32.info : Triple-DES Generalization: Prove security broken in TLS. Same attack of M ( F ) assuming cipher F is a also breaks small block sizes PRF. M is a mode of use of F . in NSA’s Simon, Speck. Good modes: CTR (“counter AES block size: 128 bits. mode”), CBC, OFB, many more. PRF attack chance ≈ q 2 = 2 129 Bad modes: ECB, many more. if AES is used for q blocks. Is this safe? How big is q ? ChaCha20 block size: 512 bits.
8 9 Small block sizes are dangerous. Can prove confidentiality and PRF property fails, and often integrity of AES-GCM and application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. e.g. 2016 Bhargavan–Leurent sweet32.info : Triple-DES Generalization: Prove security broken in TLS. Same attack of M ( F ) assuming cipher F is a also breaks small block sizes PRF. M is a mode of use of F . in NSA’s Simon, Speck. Good modes: CTR (“counter AES block size: 128 bits. mode”), CBC, OFB, many more. PRF attack chance ≈ q 2 = 2 129 Bad modes: ECB, many more. if AES is used for q blocks. Mode that claimed proof Is this safe? How big is q ? but was recently broken: OCB2. ChaCha20 block size: 512 bits. Have to check proofs carefully!
8 9 block sizes are dangerous. Can prove confidentiality and How do roperty fails, and often integrity of AES-GCM and ChaCha20 application security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. 2016 Bhargavan–Leurent sweet32.info : Triple-DES Generalization: Prove security in TLS. Same attack of M ( F ) assuming cipher F is a eaks small block sizes PRF. M is a mode of use of F . NSA’s Simon, Speck. Good modes: CTR (“counter block size: 128 bits. mode”), CBC, OFB, many more. attack chance ≈ q 2 = 2 129 Bad modes: ECB, many more. is used for q blocks. Mode that claimed proof safe? How big is q ? but was recently broken: OCB2. ChaCha20 block size: 512 bits. Have to check proofs carefully!
8 9 sizes are dangerous. Can prove confidentiality and How do we know that fails, and often integrity of AES-GCM and ChaCha20 are PRFs? security fails. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. rgavan–Leurent Triple-DES Generalization: Prove security Same attack of M ( F ) assuming cipher F is a small block sizes PRF. M is a mode of use of F . Simon, Speck. Good modes: CTR (“counter 128 bits. mode”), CBC, OFB, many more. chance ≈ q 2 = 2 129 Bad modes: ECB, many more. r q blocks. Mode that claimed proof w big is q ? but was recently broken: OCB2. size: 512 bits. Have to check proofs carefully!
8 9 dangerous. Can prove confidentiality and How do we know that AES an often integrity of AES-GCM and ChaCha20 are PRFs? We don’t. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. rgavan–Leurent -DES Generalization: Prove security attack of M ( F ) assuming cipher F is a sizes PRF. M is a mode of use of F . Good modes: CTR (“counter mode”), CBC, OFB, many more. 2 129 Bad modes: ECB, many more. cks. Mode that claimed proof but was recently broken: OCB2. bits. Have to check proofs carefully!
9 10 Can prove confidentiality and How do we know that AES and integrity of AES-GCM and ChaCha20 are PRFs? We don’t. ChaCha20-Poly1305 assuming AES and ChaCha20 are PRFs. Generalization: Prove security of M ( F ) assuming cipher F is a PRF. M is a mode of use of F . Good modes: CTR (“counter mode”), CBC, OFB, many more. Bad modes: ECB, many more. Mode that claimed proof but was recently broken: OCB2. Have to check proofs carefully!
9 10 Can prove confidentiality and How do we know that AES and integrity of AES-GCM and ChaCha20 are PRFs? We don’t. ChaCha20-Poly1305 assuming We conjecture security AES and ChaCha20 are PRFs. after enough failed attack efforts. Generalization: Prove security “All of these attacks fail and we of M ( F ) assuming cipher F is a don’t have better attack ideas.” PRF. M is a mode of use of F . Good modes: CTR (“counter mode”), CBC, OFB, many more. Bad modes: ECB, many more. Mode that claimed proof but was recently broken: OCB2. Have to check proofs carefully!
9 10 Can prove confidentiality and How do we know that AES and integrity of AES-GCM and ChaCha20 are PRFs? We don’t. ChaCha20-Poly1305 assuming We conjecture security AES and ChaCha20 are PRFs. after enough failed attack efforts. Generalization: Prove security “All of these attacks fail and we of M ( F ) assuming cipher F is a don’t have better attack ideas.” PRF. M is a mode of use of F . Remaining slides today: Good modes: CTR (“counter • Simple example of block cipher. mode”), CBC, OFB, many more. Seems to be a good cipher, Bad modes: ECB, many more. except block size is too small. Mode that claimed proof • Variants of this block cipher but was recently broken: OCB2. that look similar but Have to check proofs carefully! can be quickly broken.
9 10 rove confidentiality and How do we know that AES and 1994 Wheeler–Needham integrity of AES-GCM and ChaCha20 are PRFs? We don’t. a tiny encryption ChaCha20-Poly1305 assuming We conjecture security void encrypt(uint32 and ChaCha20 are PRFs. after enough failed attack efforts. { Generalization: Prove security “All of these attacks fail and we uint32 F ) assuming cipher F is a don’t have better attack ideas.” uint32 M is a mode of use of F . for (r Remaining slides today: c += modes: CTR (“counter • Simple example of block cipher. x += de”), CBC, OFB, many more. Seems to be a good cipher, modes: ECB, many more. except block size is too small. y += that claimed proof • Variants of this block cipher } as recently broken: OCB2. that look similar but b[0] = to check proofs carefully! can be quickly broken. }
9 10 confidentiality and How do we know that AES and 1994 Wheeler–Needham AES-GCM and ChaCha20 are PRFs? We don’t. a tiny encryption algo oly1305 assuming We conjecture security void encrypt(uint32 ChaCha20 are PRFs. after enough failed attack efforts. { Prove security “All of these attacks fail and we uint32 x = b[0], assuming cipher F is a don’t have better attack ideas.” uint32 r, c = 0; de of use of F . for (r = 0;r < Remaining slides today: c += 0x9e3779b9; CTR (“counter • Simple example of block cipher. x += y+c ^ (y<<4)+k[0] OFB, many more. Seems to be a good cipher, ^ (y>>5)+k[1]; ECB, many more. except block size is too small. y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; claimed proof • Variants of this block cipher } broken: OCB2. that look similar but b[0] = x; b[1] roofs carefully! can be quickly broken. }
9 10 and How do we know that AES and 1994 Wheeler–Needham “TEA, ChaCha20 are PRFs? We don’t. a tiny encryption algorithm”: assuming We conjecture security void encrypt(uint32 *b,uint32 PRFs. after enough failed attack efforts. { security “All of these attacks fail and we uint32 x = b[0], y = b[1]; F is a don’t have better attack ideas.” uint32 r, c = 0; of F . for (r = 0;r < 32;r += Remaining slides today: c += 0x9e3779b9; (“counter • Simple example of block cipher. x += y+c ^ (y<<4)+k[0] more. Seems to be a good cipher, ^ (y>>5)+k[1]; more. except block size is too small. y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; • Variants of this block cipher } OCB2. that look similar but b[0] = x; b[1] = y; refully! can be quickly broken. }
10 11 How do we know that AES and 1994 Wheeler–Needham “TEA, ChaCha20 are PRFs? We don’t. a tiny encryption algorithm”: We conjecture security void encrypt(uint32 *b,uint32 *k) after enough failed attack efforts. { “All of these attacks fail and we uint32 x = b[0], y = b[1]; don’t have better attack ideas.” uint32 r, c = 0; for (r = 0;r < 32;r += 1) { Remaining slides today: c += 0x9e3779b9; • Simple example of block cipher. x += y+c ^ (y<<4)+k[0] Seems to be a good cipher, ^ (y>>5)+k[1]; except block size is too small. y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; • Variants of this block cipher } that look similar but b[0] = x; b[1] = y; can be quickly broken. }
10 11 do we know that AES and 1994 Wheeler–Needham “TEA, uint32 : ChaCha20 are PRFs? We don’t. a tiny encryption algorithm”: representing integer b conjecture security void encrypt(uint32 *b,uint32 *k) enough failed attack efforts. + : addition { of these attacks fail and we uint32 x = b[0], y = b[1]; c += d : have better attack ideas.” uint32 r, c = 0; ^ : xor; ⊕ for (r = 0;r < 32;r += 1) { Remaining slides today: each bit c += 0x9e3779b9; Simple example of block cipher. Lower precedence x += y+c ^ (y<<4)+k[0] Seems to be a good cipher, so spacing ^ (y>>5)+k[1]; except block size is too small. y += x+c ^ (x<<4)+k[2] <<4 : multiplication ^ (x>>5)+k[3]; riants of this block cipher (0 ; 0 ; 0 ; 0 } look similar but >>5 : division b[0] = x; b[1] = y; be quickly broken. ( b 5 ; b 6 ; : }
10 11 that AES and 1994 Wheeler–Needham “TEA, uint32 : 32 bits ( b PRFs? We don’t. a tiny encryption algorithm”: representing the “unsigned” integer b 0 + 2 b 1 + security void encrypt(uint32 *b,uint32 *k) ailed attack efforts. + : addition mod 2 { attacks fail and we uint32 x = b[0], y = b[1]; c += d : same as c etter attack ideas.” uint32 r, c = 0; ^ : xor; ⊕ ; addition for (r = 0;r < 32;r += 1) { today: each bit separately c += 0x9e3779b9; example of block cipher. Lower precedence x += y+c ^ (y<<4)+k[0] good cipher, so spacing is not misleading. ^ (y>>5)+k[1]; size is too small. y += x+c ^ (x<<4)+k[2] <<4 : multiplication ^ (x>>5)+k[3]; this block cipher (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : } similar but >>5 : division by 32, b[0] = x; b[1] = y; broken. ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; }
10 11 AES and 1994 Wheeler–Needham “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; a tiny encryption algorithm”: representing the “unsigned” don’t. integer b 0 + 2 b 1 + · · · + 2 31 b void encrypt(uint32 *b,uint32 *k) + : addition mod 2 32 . efforts. { and we uint32 x = b[0], y = b[1]; c += d : same as c = c + d . ideas.” uint32 r, c = 0; ^ : xor; ⊕ ; addition of for (r = 0;r < 32;r += 1) { each bit separately mod 2. c += 0x9e3779b9; cipher. Lower precedence than + in x += y+c ^ (y<<4)+k[0] cipher, so spacing is not misleading. ^ (y>>5)+k[1]; small. y += x+c ^ (x<<4)+k[2] <<4 : multiplication by 16, i.e., ^ (x>>5)+k[3]; cipher (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). } >>5 : division by 32, i.e., b[0] = x; b[1] = y; ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0). }
11 12 1994 Wheeler–Needham “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) a tiny encryption algorithm”: representing the “unsigned” integer b 0 + 2 b 1 + · · · + 2 31 b 31 . void encrypt(uint32 *b,uint32 *k) + : addition mod 2 32 . { uint32 x = b[0], y = b[1]; c += d : same as c = c + d . uint32 r, c = 0; ^ : xor; ⊕ ; addition of for (r = 0;r < 32;r += 1) { each bit separately mod 2. c += 0x9e3779b9; Lower precedence than + in C, x += y+c ^ (y<<4)+k[0] so spacing is not misleading. ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] <<4 : multiplication by 16, i.e., ^ (x>>5)+k[3]; (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). } >>5 : division by 32, i.e., b[0] = x; b[1] = y; ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0). }
11 12 Wheeler–Needham “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionalit encryption algorithm”: representing the “unsigned” TEA is a integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit encrypt(uint32 *b,uint32 *k) + : addition mod 2 32 . uint32 x = b[0], y = b[1]; c += d : same as c = c + d . uint32 r, c = 0; ^ : xor; ⊕ ; addition of (r = 0;r < 32;r += 1) { each bit separately mod 2. += 0x9e3779b9; Lower precedence than + in C, += y+c ^ (y<<4)+k[0] so spacing is not misleading. ^ (y>>5)+k[1]; += x+c ^ (x<<4)+k[2] <<4 : multiplication by 16, i.e., ^ (x>>5)+k[3]; (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., = x; b[1] = y; ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).
11 12 Wheeler–Needham “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality algorithm”: representing the “unsigned” TEA is a 64-bit blo integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key encrypt(uint32 *b,uint32 *k) + : addition mod 2 32 . b[0], y = b[1]; c += d : same as c = c + d . 0; ^ : xor; ⊕ ; addition of 32;r += 1) { each bit separately mod 2. 0x9e3779b9; Lower precedence than + in C, (y<<4)+k[0] so spacing is not misleading. (y>>5)+k[1]; (x<<4)+k[2] <<4 : multiplication by 16, i.e., (x>>5)+k[3]; (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., = y; ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).
11 12 “TEA, uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality rithm”: representing the “unsigned” TEA is a 64-bit block cipher integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . *b,uint32 *k) + : addition mod 2 32 . b[1]; c += d : same as c = c + d . ^ : xor; ⊕ ; addition of 1) { each bit separately mod 2. Lower precedence than + in C, (y<<4)+k[0] so spacing is not misleading. (y>>5)+k[1]; (x<<4)+k[2] <<4 : multiplication by 16, i.e., (x>>5)+k[3]; (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).
12 13 uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality representing the “unsigned” TEA is a 64-bit block cipher integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . + : addition mod 2 32 . c += d : same as c = c + d . ^ : xor; ⊕ ; addition of each bit separately mod 2. Lower precedence than + in C, so spacing is not misleading. <<4 : multiplication by 16, i.e., (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).
12 13 uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality representing the “unsigned” TEA is a 64-bit block cipher integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . + : addition mod 2 32 . Input: 128-bit key (namely c += d : same as c = c + d . k[0],k[1],k[2],k[3] ); 64-bit plaintext ( b[0],b[1] ). ^ : xor; ⊕ ; addition of each bit separately mod 2. Output: 64-bit ciphertext Lower precedence than + in C, (final b[0],b[1] ). so spacing is not misleading. <<4 : multiplication by 16, i.e., (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). >>5 : division by 32, i.e., ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).
12 13 uint32 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality representing the “unsigned” TEA is a 64-bit block cipher integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . + : addition mod 2 32 . Input: 128-bit key (namely c += d : same as c = c + d . k[0],k[1],k[2],k[3] ); 64-bit plaintext ( b[0],b[1] ). ^ : xor; ⊕ ; addition of each bit separately mod 2. Output: 64-bit ciphertext Lower precedence than + in C, (final b[0],b[1] ). so spacing is not misleading. Can efficiently encrypt : <<4 : multiplication by 16, i.e., (key ; plaintext) �→ ciphertext. (0 ; 0 ; 0 ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). Can efficiently decrypt : >>5 : division by 32, i.e., (key ; ciphertext) �→ plaintext. ( b 5 ; b 6 ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).
12 13 : 32 bits ( b 0 ; b 1 ; : : : ; b 31 ) Functionality Wait, ho resenting the “unsigned” TEA is a 64-bit block cipher void encrypt(uint32 integer b 0 + 2 b 1 + · · · + 2 31 b 31 . with a 128-bit key . { addition mod 2 32 . uint32 Input: 128-bit key (namely uint32 : same as c = c + d . k[0],k[1],k[2],k[3] ); for (r 64-bit plaintext ( b[0],b[1] ). r; ⊕ ; addition of c += bit separately mod 2. Output: 64-bit ciphertext x += precedence than + in C, (final b[0],b[1] ). spacing is not misleading. y += Can efficiently encrypt : multiplication by 16, i.e., (key ; plaintext) �→ ciphertext. } ; 0 ; b 0 ; b 1 ; : : : ; b 27 ). Can efficiently decrypt : b[0] = division by 32, i.e., (key ; ciphertext) �→ plaintext. } ; : : : ; b 31 ; 0 ; 0 ; 0 ; 0 ; 0).
12 13 ( b 0 ; b 1 ; : : : ; b 31 ) Functionality Wait, how can we “unsigned” TEA is a 64-bit block cipher void encrypt(uint32 + · · · + 2 31 b 31 . with a 128-bit key . { 2 32 . uint32 x = b[0], Input: 128-bit key (namely uint32 r, c = 0; c = c + d . k[0],k[1],k[2],k[3] ); for (r = 0;r < 64-bit plaintext ( b[0],b[1] ). addition of c += 0x9e3779b9; rately mod 2. Output: 64-bit ciphertext x += y+c ^ (y<<4)+k[0] recedence than + in C, (final b[0],b[1] ). ^ (y>>5)+k[1]; not misleading. y += x+c ^ (x<<4)+k[2] Can efficiently encrypt : ^ (x>>5)+k[3]; multiplication by 16, i.e., (key ; plaintext) �→ ciphertext. } : : : ; b 27 ). Can efficiently decrypt : b[0] = x; b[1] 32, i.e., (key ; ciphertext) �→ plaintext. } 0 ; 0 ; 0 ; 0 ; 0).
12 13 : ; b 31 ) Functionality Wait, how can we decrypt? “unsigned” TEA is a 64-bit block cipher void encrypt(uint32 *b,uint32 31 b 31 . with a 128-bit key . { uint32 x = b[0], y = b[1]; Input: 128-bit key (namely uint32 r, c = 0; . k[0],k[1],k[2],k[3] ); for (r = 0;r < 32;r += 64-bit plaintext ( b[0],b[1] ). c += 0x9e3779b9; 2. Output: 64-bit ciphertext x += y+c ^ (y<<4)+k[0] in C, (final b[0],b[1] ). ^ (y>>5)+k[1]; misleading. y += x+c ^ (x<<4)+k[2] Can efficiently encrypt : ^ (x>>5)+k[3]; i.e., (key ; plaintext) �→ ciphertext. } Can efficiently decrypt : b[0] = x; b[1] = y; (key ; ciphertext) �→ plaintext. } 0).
13 14 Functionality Wait, how can we decrypt? TEA is a 64-bit block cipher void encrypt(uint32 *b,uint32 *k) with a 128-bit key . { uint32 x = b[0], y = b[1]; Input: 128-bit key (namely uint32 r, c = 0; k[0],k[1],k[2],k[3] ); for (r = 0;r < 32;r += 1) { 64-bit plaintext ( b[0],b[1] ). c += 0x9e3779b9; Output: 64-bit ciphertext x += y+c ^ (y<<4)+k[0] (final b[0],b[1] ). ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] Can efficiently encrypt : ^ (x>>5)+k[3]; (key ; plaintext) �→ ciphertext. } Can efficiently decrypt : b[0] = x; b[1] = y; (key ; ciphertext) �→ plaintext. }
13 14 unctionality Wait, how can we decrypt? Answer: is a 64-bit block cipher void encrypt(uint32 *b,uint32 *k) void decrypt(uint32 128-bit key . { { uint32 x = b[0], y = b[1]; uint32 128-bit key (namely uint32 r, c = 0; uint32 k[0],k[1],k[2],k[3] ); for (r = 0;r < 32;r += 1) { for (r plaintext ( b[0],b[1] ). c += 0x9e3779b9; y -= Output: 64-bit ciphertext x += y+c ^ (y<<4)+k[0] b[0],b[1] ). ^ (y>>5)+k[1]; x -= y += x+c ^ (x<<4)+k[2] efficiently encrypt : ^ (x>>5)+k[3]; c -= plaintext) �→ ciphertext. } } efficiently decrypt : b[0] = x; b[1] = y; b[0] = ciphertext) �→ plaintext. } }
13 14 Wait, how can we decrypt? Answer: Each step block cipher void encrypt(uint32 *b,uint32 *k) void decrypt(uint32 key . { { uint32 x = b[0], y = b[1]; uint32 x = b[0], ey (namely uint32 r, c = 0; uint32 r, c = 32 k[0],k[1],k[2],k[3] ); for (r = 0;r < 32;r += 1) { for (r = 0;r < ( b[0],b[1] ). c += 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] ciphertext x += y+c ^ (y<<4)+k[0] ^ (x>>5)+k[3]; ). ^ (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] y += x+c ^ (x<<4)+k[2] ^ (y>>5)+k[1]; encrypt : ^ (x>>5)+k[3]; c -= 0x9e3779b9; �→ ciphertext. } } decrypt : b[0] = x; b[1] = y; b[0] = x; b[1] �→ plaintext. } }
13 14 Wait, how can we decrypt? Answer: Each step is invertible. cipher void encrypt(uint32 *b,uint32 *k) void decrypt(uint32 *b,uint32 { { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; (namely uint32 r, c = 0; uint32 r, c = 32 * 0x9e3779b9; for (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += b[0],b[1] ). c += 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] ciphertext x += y+c ^ (y<<4)+k[0] ^ (x>>5)+k[3]; ^ (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] y += x+c ^ (x<<4)+k[2] ^ (y>>5)+k[1]; ^ (x>>5)+k[3]; c -= 0x9e3779b9; ciphertext. } } b[0] = x; b[1] = y; b[0] = x; b[1] = y; plaintext. } }
14 15 Wait, how can we decrypt? Answer: Each step is invertible. void encrypt(uint32 *b,uint32 *k) void decrypt(uint32 *b,uint32 *k) { { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; uint32 r, c = 32 * 0x9e3779b9; for (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] x += y+c ^ (y<<4)+k[0] ^ (x>>5)+k[3]; ^ (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] y += x+c ^ (x<<4)+k[2] ^ (y>>5)+k[1]; ^ (x>>5)+k[3]; c -= 0x9e3779b9; } } b[0] = x; b[1] = y; b[0] = x; b[1] = y; } }
14 15 how can we decrypt? Answer: Each step is invertible. Generalization, (used in, encrypt(uint32 *b,uint32 *k) void decrypt(uint32 *b,uint32 *k) 1973 Feistel–Copp { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; x += function1(y,k); uint32 r, c = 0; uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += 1) { x += function3(y,k); += 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] y += function4(x,k); += y+c ^ (y<<4)+k[0] ^ (x>>5)+k[3]; ... ^ (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] Decryption, += x+c ^ (x<<4)+k[2] ^ (y>>5)+k[1]; ... ^ (x>>5)+k[3]; c -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); = x; b[1] = y; b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);
14 15 e decrypt? Answer: Each step is invertible. Generalization, Feistel (used in, e.g., “Lucifer” encrypt(uint32 *b,uint32 *k) void decrypt(uint32 *b,uint32 *k) 1973 Feistel–Copp { b[0], y = b[1]; uint32 x = b[0], y = b[1]; x += function1(y,k); 0; uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); 32;r += 1) { for (r = 0;r < 32;r += 1) { x += function3(y,k); 0x9e3779b9; y -= x+c ^ (x<<4)+k[2] y += function4(x,k); (y<<4)+k[0] ^ (x>>5)+k[3]; ... (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] Decryption, inverting (x<<4)+k[2] ^ (y>>5)+k[1]; ... (x>>5)+k[3]; c -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); = y; b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);
14 15 decrypt? Answer: Each step is invertible. Generalization, Feistel netw (used in, e.g., “Lucifer” from *b,uint32 *k) void decrypt(uint32 *b,uint32 *k) 1973 Feistel–Coppersmith): { b[1]; uint32 x = b[0], y = b[1]; x += function1(y,k); uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); 1) { for (r = 0;r < 32;r += 1) { x += function3(y,k); y -= x+c ^ (x<<4)+k[2] y += function4(x,k); (y<<4)+k[0] ^ (x>>5)+k[3]; ... (y>>5)+k[1]; x -= y+c ^ (y<<4)+k[0] Decryption, inverting each step: (x<<4)+k[2] ^ (y>>5)+k[1]; ... (x>>5)+k[3]; c -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);
15 16 Answer: Each step is invertible. Generalization, Feistel network (used in, e.g., “Lucifer” from void decrypt(uint32 *b,uint32 *k) 1973 Feistel–Coppersmith): { uint32 x = b[0], y = b[1]; x += function1(y,k); uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); for (r = 0;r < 32;r += 1) { x += function3(y,k); y -= x+c ^ (x<<4)+k[2] y += function4(x,k); ^ (x>>5)+k[3]; ... x -= y+c ^ (y<<4)+k[0] Decryption, inverting each step: ^ (y>>5)+k[1]; ... c -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);
15 16 er: Each step is invertible. Generalization, Feistel network TEA again (used in, e.g., “Lucifer” from decrypt(uint32 *b,uint32 *k) void encrypt(uint32 1973 Feistel–Coppersmith): { uint32 x = b[0], y = b[1]; x += function1(y,k); uint32 uint32 r, c = 32 * 0x9e3779b9; y += function2(x,k); uint32 (r = 0;r < 32;r += 1) { x += function3(y,k); for (r -= x+c ^ (x<<4)+k[2] y += function4(x,k); c += ^ (x>>5)+k[3]; ... x += -= y+c ^ (y<<4)+k[0] Decryption, inverting each step: ^ (y>>5)+k[1]; y += ... -= 0x9e3779b9; y -= function4(x,k); } x -= function3(y,k); = x; b[1] = y; b[0] = y -= function2(x,k); } x -= function1(y,k);
15 16 step is invertible. Generalization, Feistel network TEA again for compa (used in, e.g., “Lucifer” from decrypt(uint32 *b,uint32 *k) void encrypt(uint32 1973 Feistel–Coppersmith): { b[0], y = b[1]; x += function1(y,k); uint32 x = b[0], 32 * 0x9e3779b9; y += function2(x,k); uint32 r, c = 0; 32;r += 1) { x += function3(y,k); for (r = 0;r < (x<<4)+k[2] y += function4(x,k); c += 0x9e3779b9; (x>>5)+k[3]; ... x += y+c ^ (y<<4)+k[0] (y<<4)+k[0] ^ (y>>5)+k[1]; Decryption, inverting each step: (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ... 0x9e3779b9; ^ (x>>5)+k[3]; y -= function4(x,k); } x -= function3(y,k); = y; b[0] = x; b[1] y -= function2(x,k); } x -= function1(y,k);
15 16 invertible. Generalization, Feistel network TEA again for comparison (used in, e.g., “Lucifer” from *b,uint32 *k) void encrypt(uint32 *b,uint32 1973 Feistel–Coppersmith): { b[1]; x += function1(y,k); uint32 x = b[0], y = b[1]; 0x9e3779b9; y += function2(x,k); uint32 r, c = 0; 1) { x += function3(y,k); for (r = 0;r < 32;r += (x<<4)+k[2] y += function4(x,k); c += 0x9e3779b9; (x>>5)+k[3]; ... x += y+c ^ (y<<4)+k[0] (y<<4)+k[0] ^ (y>>5)+k[1]; Decryption, inverting each step: (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ... ^ (x>>5)+k[3]; y -= function4(x,k); } x -= function3(y,k); b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);
16 17 Generalization, Feistel network TEA again for comparison (used in, e.g., “Lucifer” from void encrypt(uint32 *b,uint32 *k) 1973 Feistel–Coppersmith): { x += function1(y,k); uint32 x = b[0], y = b[1]; y += function2(x,k); uint32 r, c = 0; x += function3(y,k); for (r = 0;r < 32;r += 1) { y += function4(x,k); c += 0x9e3779b9; ... x += y+c ^ (y<<4)+k[0] ^ (y>>5)+k[1]; Decryption, inverting each step: y += x+c ^ (x<<4)+k[2] ... ^ (x>>5)+k[3]; y -= function4(x,k); } x -= function3(y,k); b[0] = x; b[1] = y; y -= function2(x,k); } x -= function1(y,k);
16 17 Generalization, Feistel network TEA again for comparison XORTEA: in, e.g., “Lucifer” from void encrypt(uint32 *b,uint32 *k) void encrypt(uint32 eistel–Coppersmith): { { function1(y,k); uint32 x = b[0], y = b[1]; uint32 function2(x,k); uint32 r, c = 0; uint32 function3(y,k); for (r = 0;r < 32;r += 1) { for (r function4(x,k); c += 0x9e3779b9; c += x += y+c ^ (y<<4)+k[0] x ^= ^ (y>>5)+k[1]; Decryption, inverting each step: y += x+c ^ (x<<4)+k[2] y ^= ^ (x>>5)+k[3]; function4(x,k); } } function3(y,k); b[0] = x; b[1] = y; b[0] = function2(x,k); } } function1(y,k);
16 17 TEA again for comparison XORTEA: a bad cipher Feistel network “Lucifer” from void encrypt(uint32 *b,uint32 *k) void encrypt(uint32 eistel–Coppersmith): { { function1(y,k); uint32 x = b[0], y = b[1]; uint32 x = b[0], function2(x,k); uint32 r, c = 0; uint32 r, c = 0; function3(y,k); for (r = 0;r < 32;r += 1) { for (r = 0;r < function4(x,k); c += 0x9e3779b9; c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)+k[1]; ^ (y>>5)^k[1]; inverting each step: y += x+c ^ (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)+k[3]; ^ (x>>5)^k[3]; function4(x,k); } } function3(y,k); b[0] = x; b[1] = y; b[0] = x; b[1] function2(x,k); } } function1(y,k);
16 17 TEA again for comparison XORTEA: a bad cipher network from void encrypt(uint32 *b,uint32 *k) void encrypt(uint32 *b,uint32 mith): { { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += c += 0x9e3779b9; c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)+k[1]; ^ (y>>5)^k[1]; step: y += x+c ^ (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)+k[3]; ^ (x>>5)^k[3]; } } b[0] = x; b[1] = y; b[0] = x; b[1] = y; } }
17 18 TEA again for comparison XORTEA: a bad cipher void encrypt(uint32 *b,uint32 *k) void encrypt(uint32 *b,uint32 *k) { { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)+k[1]; ^ (y>>5)^k[1]; y += x+c ^ (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)+k[3]; ^ (x>>5)^k[3]; } } b[0] = x; b[1] = y; b[0] = x; b[1] = y; } }
17 18 again for comparison XORTEA: a bad cipher “Hardwa xor circuit encrypt(uint32 *b,uint32 *k) void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; uint32 r, c = 0; (r = 0;r < 32;r += 1) { for (r = 0;r < 32;r += 1) { += 0x9e3779b9; c += 0x9e3779b9; += y+c ^ (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)+k[1]; ^ (y>>5)^k[1]; += x+c ^ (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)+k[3]; ^ (x>>5)^k[3]; } = x; b[1] = y; b[0] = x; b[1] = y; }
17 18 comparison XORTEA: a bad cipher “Hardware-friendlier” xor circuit is cheap encrypt(uint32 *b,uint32 *k) void encrypt(uint32 *b,uint32 *k) { b[0], y = b[1]; uint32 x = b[0], y = b[1]; 0; uint32 r, c = 0; 32;r += 1) { for (r = 0;r < 32;r += 1) { 0x9e3779b9; c += 0x9e3779b9; (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] (y>>5)+k[1]; ^ (y>>5)^k[1]; (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] (x>>5)+k[3]; ^ (x>>5)^k[3]; } = y; b[0] = x; b[1] = y; }
17 18 XORTEA: a bad cipher “Hardware-friendlier” cipher, xor circuit is cheaper than add. *b,uint32 *k) void encrypt(uint32 *b,uint32 *k) { b[1]; uint32 x = b[0], y = b[1]; uint32 r, c = 0; 1) { for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; (y<<4)+k[0] x ^= y^c ^ (y<<4)^k[0] (y>>5)+k[1]; ^ (y>>5)^k[1]; (x<<4)+k[2] y ^= x^c ^ (x<<4)^k[2] (x>>5)+k[3]; ^ (x>>5)^k[3]; } b[0] = x; b[1] = y; }
18 19 XORTEA: a bad cipher “Hardware-friendlier” cipher, since xor circuit is cheaper than add. void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)^k[1]; y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)^k[3]; } b[0] = x; b[1] = y; }
18 19 XORTEA: a bad cipher “Hardware-friendlier” cipher, since xor circuit is cheaper than add. void encrypt(uint32 *b,uint32 *k) But output bits are linear { functions of input bits! uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; x ^= y^c ^ (y<<4)^k[0] ^ (y>>5)^k[1]; y ^= x^c ^ (x<<4)^k[2] ^ (x>>5)^k[3]; } b[0] = x; b[1] = y; }
18 19 XORTEA: a bad cipher “Hardware-friendlier” cipher, since xor circuit is cheaper than add. void encrypt(uint32 *b,uint32 *k) But output bits are linear { functions of input bits! uint32 x = b[0], y = b[1]; uint32 r, c = 0; e.g. First output bit is for (r = 0;r < 32;r += 1) { 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ c += 0x9e3779b9; k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ x ^= y^c ^ (y<<4)^k[0] k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ ^ (y>>5)^k[1]; k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ y ^= x^c ^ (x<<4)^k[2] k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ ^ (x>>5)^k[3]; b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ } b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b[0] = x; b[1] = y; b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 . }
18 19 ORTEA: a bad cipher “Hardware-friendlier” cipher, since There is xor circuit is cheaper than add. with coefficients encrypt(uint32 *b,uint32 *k) such that, But output bits are linear XORTEA functions of input bits! uint32 x = b[0], y = b[1]; uint32 r, c = 0; e.g. First output bit is (r = 0;r < 32;r += 1) { 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ += 0x9e3779b9; k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ ^= y^c ^ (y<<4)^k[0] k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ ^ (y>>5)^k[1]; k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ ^= x^c ^ (x<<4)^k[2] k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ ^ (x>>5)^k[3]; b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ = x; b[1] = y; b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .
18 19 cipher “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in encrypt(uint32 *b,uint32 *k) such that, for all ( k But output bits are linear XORTEA k ( b ) = (1 functions of input bits! b[0], y = b[1]; 0; e.g. First output bit is 32;r += 1) { 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ 0x9e3779b9; k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ (y<<4)^k[0] k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ (y>>5)^k[1]; k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ (x<<4)^k[2] k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ (x>>5)^k[3]; b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ = y; b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .
18 19 “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in F 2 *b,uint32 *k) such that, for all ( k; b ), But output bits are linear XORTEA k ( b ) = (1 ; k; b ) M . functions of input bits! b[1]; e.g. First output bit is 1) { 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ (y<<4)^k[0] k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ (y>>5)^k[1]; k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ (x<<4)^k[2] k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ (x>>5)^k[3]; b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .
19 20 “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in F 2 such that, for all ( k; b ), But output bits are linear XORTEA k ( b ) = (1 ; k; b ) M . functions of input bits! e.g. First output bit is 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .
19 20 “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in F 2 such that, for all ( k; b ), But output bits are linear XORTEA k ( b ) = (1 ; k; b ) M . functions of input bits! XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) e.g. First output bit is = (0 ; 0 ; b 1 ⊕ b 2 ) M . 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .
19 20 “Hardware-friendlier” cipher, since There is a matrix M xor circuit is cheaper than add. with coefficients in F 2 such that, for all ( k; b ), But output bits are linear XORTEA k ( b ) = (1 ; k; b ) M . functions of input bits! XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) e.g. First output bit is = (0 ; 0 ; b 1 ⊕ b 2 ) M . 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ Very fast attack: k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ if b 4 = b 1 ⊕ b 2 ⊕ b 3 then k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ XORTEA k ( b 3 ) ⊕ XORTEA k ( b 4 ). b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .
Recommend
More recommend