1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Success chance ≈ Tn ( n − 1) = 2 129 .
1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Success chance ≈ Tn ( n − 1) = 2 129 .
1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . Success chance ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .
1 2 proofs for rekeying “Rekeying” seems less dangerous. Attack strategy master k Bernstein Expand k into F ( k ) = from a unif (AES k (0) ; : : : ; AES k (999999)). Years of Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. elow 2 256 in most protocols: to distinguish Output F ( k ′ ) for each subkey k ′ : uniform (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); Distinctness distinguishable from uniform F (AES k (2) ; AES k (3)); : : : robability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). tiny key-guessing probability. distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? er actually has T targets: endent keys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . Success chance ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .
1 2 r rekeying “Rekeying” seems less dangerous. Attack strategy 1: master key k . Distinguish Expand k into F ( k ) = from a uniform random (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis AES-256 key k is Split F ( k ) into 500000 “subkeys”. to distinguish AES most protocols: Output F ( k ′ ) for each subkey k ′ : uniform string of distinct AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); Distinctness loses distinguishable from uniform F (AES k (2) ; AES k (3)); : : : n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). ey-guessing probability. distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? actually has T targets: eys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .
1 2 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: ha is Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from rotocols: Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blo 1)) Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); uniform F (AES k (2) ; AES k (3)); : : : 2 129 , F (AES k (999998) ; AES k (999999)). robability. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? rgets: T . Intuitively clear that p T ≤ Tp 1 . 1) = 2 129 . So let’s analyze p 1 .
2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : F (AES k (999998) ; AES k (999999)). Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuitively clear that p T ≤ Tp 1 . So let’s analyze p 1 .
2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : Attack strategy 2: Attack a F (AES k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuitively clear that p T ≤ Tp 1 . So let’s analyze p 1 .
2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : Attack strategy 2: Attack a F (AES k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuition: No other attacks exist. Intuitively clear that p T ≤ Tp 1 . But where is this proven? So let’s analyze p 1 .
2 3 eying” seems less dangerous. Attack strategy 1: Attack the FOCS 1996 master key k . Distinguish F ( k ) Krawczyk Expand k into F ( k ) = from a uniform random string. security (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard 2-level ca ( k ) into 500000 “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . (AES k (0) ; AES k (1)); k (2) ; AES k (3)); : : : Attack strategy 2: Attack a k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. eat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuition: No other attacks exist. Intuitively clear that p T ≤ Tp 1 . But where is this proven? let’s analyze p 1 .
2 3 seems less dangerous. Attack strategy 1: Attack the FOCS 1996 Bellare–Canetti– master key k . Distinguish F ( k ) Krawczyk claims to ( k ) = from a uniform random string. security of ‘ -level “cascade”. AES k (999999)). Years of cryptanalysis say: hard 2-level cascade: key 500000 “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); output S r each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . AES k (1)); k (3)); : : : Attack strategy 2: Attack a (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. : ; k T . What is success chance p T ? Intuition: No other attacks exist. that p T ≤ Tp 1 . But where is this proven? p 1 .
2 3 ngerous. Attack strategy 1: Attack the FOCS 1996 Bellare–Canetti– master key k . Distinguish F ( k ) Krawczyk claims to prove from a uniform random string. security of ‘ -level “cascade”. (999999)). Years of cryptanalysis say: hard 2-level cascade: key k ; input “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); output S ( S ( k; N 1 ) subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . (1)); Attack strategy 2: Attack a (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. What is chance p T ? Intuition: No other attacks exist. Tp 1 . But where is this proven?
Recommend
More recommend