better proofs for rekeying rekeying seems less dangerous
play

Better proofs for rekeying Rekeying seems less dangerous. D. J. - PowerPoint PPT Presentation

Aug 02, 2023 •289 likes •881 views

1 2 Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 subkeys. far below 2 256 in most

  1. 1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Success chance ≈ Tn ( n − 1) = 2 129 .

  2. 1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Success chance ≈ Tn ( n − 1) = 2 129 .

  3. 1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . Success chance ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .

  4. 1 2 proofs for rekeying “Rekeying” seems less dangerous. Attack strategy master k Bernstein Expand k into F ( k ) = from a unif (AES k (0) ; : : : ; AES k (999999)). Years of Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. elow 2 256 in most protocols: to distinguish Output F ( k ′ ) for each subkey k ′ : uniform (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); Distinctness distinguishable from uniform F (AES k (2) ; AES k (3)); : : : robability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). tiny key-guessing probability. distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? er actually has T targets: endent keys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . Success chance ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .

  5. 1 2 r rekeying “Rekeying” seems less dangerous. Attack strategy 1: master key k . Distinguish Expand k into F ( k ) = from a uniform random (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis AES-256 key k is Split F ( k ) into 500000 “subkeys”. to distinguish AES most protocols: Output F ( k ′ ) for each subkey k ′ : uniform string of distinct AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); Distinctness loses distinguishable from uniform F (AES k (2) ; AES k (3)); : : : n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). ey-guessing probability. distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? actually has T targets: eys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .

  6. 1 2 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: ha is Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from rotocols: Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blo 1)) Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); uniform F (AES k (2) ; AES k (3)); : : : 2 129 , F (AES k (999998) ; AES k (999999)). robability. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? rgets: T . Intuitively clear that p T ≤ Tp 1 . 1) = 2 129 . So let’s analyze p 1 .

  7. 2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : F (AES k (999998) ; AES k (999999)). Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuitively clear that p T ≤ Tp 1 . So let’s analyze p 1 .

  8. 2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : Attack strategy 2: Attack a F (AES k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuitively clear that p T ≤ Tp 1 . So let’s analyze p 1 .

  9. 2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : Attack strategy 2: Attack a F (AES k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuition: No other attacks exist. Intuitively clear that p T ≤ Tp 1 . But where is this proven? So let’s analyze p 1 .

  10. 2 3 eying” seems less dangerous. Attack strategy 1: Attack the FOCS 1996 master key k . Distinguish F ( k ) Krawczyk Expand k into F ( k ) = from a uniform random string. security (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard 2-level ca ( k ) into 500000 “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . (AES k (0) ; AES k (1)); k (2) ; AES k (3)); : : : Attack strategy 2: Attack a k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. eat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuition: No other attacks exist. Intuitively clear that p T ≤ Tp 1 . But where is this proven? let’s analyze p 1 .

  11. 2 3 seems less dangerous. Attack strategy 1: Attack the FOCS 1996 Bellare–Canetti– master key k . Distinguish F ( k ) Krawczyk claims to ( k ) = from a uniform random string. security of ‘ -level “cascade”. AES k (999999)). Years of cryptanalysis say: hard 2-level cascade: key 500000 “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); output S r each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . AES k (1)); k (3)); : : : Attack strategy 2: Attack a (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. : ; k T . What is success chance p T ? Intuition: No other attacks exist. that p T ≤ Tp 1 . But where is this proven? p 1 .

  12. 2 3 ngerous. Attack strategy 1: Attack the FOCS 1996 Bellare–Canetti– master key k . Distinguish F ( k ) Krawczyk claims to prove from a uniform random string. security of ‘ -level “cascade”. (999999)). Years of cryptanalysis say: hard 2-level cascade: key k ; input “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); output S ( S ( k; N 1 ) subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . (1)); Attack strategy 2: Attack a (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. What is chance p T ? Intuition: No other attacks exist. Tp 1 . But where is this proven?

Recommend

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road Chi Chiara Bersani, Claudio Roncoli B i Cl di R li University of Genova, Department of Communication, Computer and System Science DIST 16145

685 views • 39 slides
Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2 Interactive Proofs IP[k] IP[poly] = PSPACE 2 Interactive Proofs IP[k] IP[poly] = PSPACE IP protocol for TQBF using arithmetization 2 Interactive

1.75k views • 136 slides
Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10 - 12 September 2016, Hamburg) Gyesik Lee Hankyong National University 1 Overview 1. Verification of proofs 2. Hales proof of the Kepler

651 views • 43 slides
Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter

Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter

Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter Schroeder-Heister Universit at T ubingen J agerfest Bern, 13.12.2013 p. 1 Russells antinomy in naive set theory Extend natural

688 views • 41 slides
NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs . . . Usual Proofs of NP- . . . Proofs of NP- . . . Pedagogical Problem . . . NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers Instead What Is NP-Hard: . . . Proof that . . . of

296 views • 12 slides
proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur

proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur

proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur (UC Berkeley) October 14, 2017 FOCS 2017 Workshop: Frontiers in Distribution Testing Joint work with Alessandro Chiesa (UC Berkeley) proofs of

2.25k views • 158 slides
Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

1 EASA European Association of dangerous goods Safety Advisers Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in Bolivia: The Dangerous Goods Safety Adviser (DGSA): Key Figure for Safety &

415 views • 37 slides
Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

1 EASA European Association of dangerous goods Safety Advisers Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in Bolivia: The Dangerous Goods Safety Adviser (DGSA): Key Figure for Safety &

655 views • 34 slides
There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous to most dangerous: Teddy Bear Black Bear (U. americanus) Brown or Grizzly Bear (U. Arctos) Chicago Bear (D. Butkus) Two types exist in New Mexico

420 views • 25 slides
Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In Mathematics we prove things The base angles of an isoceles triangle are equal seems obvious to a person with mathematical aptitude. a if a = b

678 views • 52 slides
Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of

Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of

cse 311: foundations of computing Fall 2015 Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of inference to extend set of facts Result is proved when it is included in the set Statement Fact 2

185 views • 18 slides
Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur fr Wissensreprsentation und -verarbeitung Informatik, FAU Erlangen-Nrnberg http://kwarc.info 20. October 2016, Dagstuhl Seminar on

568 views • 39 slides
Department of Neighborhoods Dangerous Buildings and Make Safe Process 1 Agenda

Department of Neighborhoods Dangerous Buildings and Make Safe Process 1 Agenda

Department of Neighborhoods Dangerous Buildings and Make Safe Process 1 Agenda Responsibilities & Role of City employees Dangerous Building Reporting Process What is a Public Hearing? What is an Order? Enforcement

623 views • 26 slides
On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs Robert Rothenberg 1 2 1 School of Computer Science University of St Andrews 2 Interactive Information, Ltd Edinburgh Workshop in Honour of Roy

393 views • 26 slides
(Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit.

(Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit.

15-251: Great Theoretical Ideas in Computer Science Lecture 24 (Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit. Then there was Russell Principia Mathematica Volume 2 Russell and others worked

949 views • 50 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
Protecting Consumers In the EU market from dangerous imports Mike Turner, International Paper

Protecting Consumers In the EU market from dangerous imports Mike Turner, International Paper

Protecting Consumers In the EU market from dangerous imports Mike Turner, International Paper Pack2Go Europe Spring meeting 2015 3-4-5 June The Landmark, London Dangerous goods in the EU market Who are the stakeholders? 1. The consumer:

412 views • 11 slides
Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to

Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to

15-251: Great Theoretical Ideas in Computer Science Fall 2016 Lecture 1.5 August 31, 2016 Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to Succeed in This Class No specific topic covered

857 views • 61 slides
The Safe Journey of Dangerous Goods by Rail RDIMS # 14054460 PURPOSE - To get a better

The Safe Journey of Dangerous Goods by Rail RDIMS # 14054460 PURPOSE - To get a better

The Safe Journey of Dangerous Goods by Rail RDIMS # 14054460 PURPOSE - To get a better understanding of: - Transport Canadas regulatory regime: - Rail; - Transportation of Dangerous Goods; - What happens in an emergency situation involving

550 views • 19 slides
Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

3.29k views • 145 slides
Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a proof? Statement: A formula is satisfiable. Proof: assignment, a . Property: 5 minute presentations. Can check proof in polynomial time. A real

401 views • 3 slides

More recommend