examples of symmetric primitives d j bernstein message
play

Examples of symmetric primitives D. J. Bernstein message len - PDF document

May 02, 2023 •7 likes •1.08k views

1 Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression function fixed Block cipher fixed Tweakable block cipher fixed Hash function variable MAC (without nonce) variable MAC (using nonce)

  1. 19 “Hardware-friendlier” cipher, since xor circuit is cheaper than add.

  2. 19 “Hardware-friendlier” cipher, since xor circuit is cheaper than add. But output bits are linear functions of input bits!

  3. 19 “Hardware-friendlier” cipher, since xor circuit is cheaper than add. But output bits are linear functions of input bits! e.g. First output bit is 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .

  4. 20 There is a matrix M with coefficients in F 2 such that, for all ( k; b ), XORTEA k ( b ) = (1 ; k; b ) M .

  5. 20 There is a matrix M with coefficients in F 2 such that, for all ( k; b ), XORTEA k ( b ) = (1 ; k; b ) M . XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = (0 ; 0 ; b 1 ⊕ b 2 ) M .

  6. 20 There is a matrix M with coefficients in F 2 such that, for all ( k; b ), XORTEA k ( b ) = (1 ; k; b ) M . XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = (0 ; 0 ; b 1 ⊕ b 2 ) M . Very fast attack: if b 4 = b 1 ⊕ b 2 ⊕ b 3 then XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = XORTEA k ( b 3 ) ⊕ XORTEA k ( b 4 ).

  7. 20 There is a matrix M with coefficients in F 2 such that, for all ( k; b ), XORTEA k ( b ) = (1 ; k; b ) M . XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = (0 ; 0 ; b 1 ⊕ b 2 ) M . Very fast attack: if b 4 = b 1 ⊕ b 2 ⊕ b 3 then XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = XORTEA k ( b 3 ) ⊕ XORTEA k ( b 4 ). This breaks PRP (and PRF): uniform random permutation (or function) F almost never has F ( b 1 ) ⊕ F ( b 2 ) = F ( b 3 ) ⊕ F ( b 4 ).

  8. 21 LEFTEA: another bad cipher void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] ^ (y<<5)+k[1]; y += x+c ^ (x<<4)+k[2] ^ (x<<5)+k[3]; } b[0] = x; b[1] = y; }

  9. 22 Addition is not F 2 -linear, but addition mod 2 is F 2 -linear. First output bit is 1 ⊕ k 0 ⊕ k 32 ⊕ k 64 ⊕ k 96 ⊕ b 32 .

  10. 22 Addition is not F 2 -linear, but addition mod 2 is F 2 -linear. First output bit is 1 ⊕ k 0 ⊕ k 32 ⊕ k 64 ⊕ k 96 ⊕ b 32 . Higher output bits are increasingly nonlinear but they never affect first bit.

  11. 22 Addition is not F 2 -linear, but addition mod 2 is F 2 -linear. First output bit is 1 ⊕ k 0 ⊕ k 32 ⊕ k 64 ⊕ k 96 ⊕ b 32 . Higher output bits are increasingly nonlinear but they never affect first bit. How TEA avoids this problem: >>5 diffuses nonlinear changes from high bits to low bits.

  12. 22 Addition is not F 2 -linear, but addition mod 2 is F 2 -linear. First output bit is 1 ⊕ k 0 ⊕ k 32 ⊕ k 64 ⊕ k 96 ⊕ b 32 . Higher output bits are increasingly nonlinear but they never affect first bit. How TEA avoids this problem: >>5 diffuses nonlinear changes from high bits to low bits. (Diffusion from low bits to high bits: <<4 ; carries in addition.)

  13. 23 TEA4: another bad cipher void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 4;r += 1) { c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; } b[0] = x; b[1] = y; }

  14. 24 Fast attack: TEA4 k ( x + 2 31 ; y ) and TEA4 k ( x; y ) have same first bit.

  15. 24 Fast attack: TEA4 k ( x + 2 31 ; y ) and TEA4 k ( x; y ) have same first bit. Trace x; y differences through steps in computation. r = 0: multiples of 2 31 ; 2 26 . r = 1: multiples of 2 21 ; 2 16 . r = 2: multiples of 2 11 ; 2 6 . r = 3: multiples of 2 1 ; 2 0 .

  16. 24 Fast attack: TEA4 k ( x + 2 31 ; y ) and TEA4 k ( x; y ) have same first bit. Trace x; y differences through steps in computation. r = 0: multiples of 2 31 ; 2 26 . r = 1: multiples of 2 21 ; 2 16 . r = 2: multiples of 2 11 ; 2 6 . r = 3: multiples of 2 1 ; 2 0 . Uniform random function F : F ( x + 2 31 ; y ) and F ( x; y ) have same first bit with probability 1 = 2.

  17. 24 Fast attack: TEA4 k ( x + 2 31 ; y ) and TEA4 k ( x; y ) have same first bit. Trace x; y differences through steps in computation. r = 0: multiples of 2 31 ; 2 26 . r = 1: multiples of 2 21 ; 2 16 . r = 2: multiples of 2 11 ; 2 6 . r = 3: multiples of 2 1 ; 2 0 . Uniform random function F : F ( x + 2 31 ; y ) and F ( x; y ) have same first bit with probability 1 = 2. PRF advantage 1 = 2. Two pairs ( x; y ): advantage 3 = 4.

  18. 25 More sophisticated attacks: trace probabilities of differences; probabilities of linear equations; probabilities of higher-order differences C ( x + ‹ + › ) − C ( x + ‹ ) − C ( x + › ) + C ( x ); etc. Use algebra+statistics to exploit non-randomness in probabilities.

  19. 25 More sophisticated attacks: trace probabilities of differences; probabilities of linear equations; probabilities of higher-order differences C ( x + ‹ + › ) − C ( x + ‹ ) − C ( x + › ) + C ( x ); etc. Use algebra+statistics to exploit non-randomness in probabilities. Attacks get beyond r = 4 but rapidly lose effectiveness. Very far from full TEA.

  20. 25 More sophisticated attacks: trace probabilities of differences; probabilities of linear equations; probabilities of higher-order differences C ( x + ‹ + › ) − C ( x + ‹ ) − C ( x + › ) + C ( x ); etc. Use algebra+statistics to exploit non-randomness in probabilities. Attacks get beyond r = 4 but rapidly lose effectiveness. Very far from full TEA. Hard question in cipher design: How many “rounds” are really needed for security?

  21. 26 REPTEA: another bad cipher void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0x9e3779b9; for (r = 0;r < 1000;r += 1) { x += y+c ^ (y<<4)+k[0] ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; } b[0] = x; b[1] = y; }

  22. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... .

  23. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... . Try list of 2 32 inputs b . Collect outputs REPTEA k ( b ).

  24. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... . Try list of 2 32 inputs b . Collect outputs REPTEA k ( b ). Good chance that some b in list also has a = I k ( b ) in list. Then REPTEA k ( a )= I k (REPTEA k ( b )).

  25. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... . Try list of 2 32 inputs b . Collect outputs REPTEA k ( b ). Good chance that some b in list also has a = I k ( b ) in list. Then REPTEA k ( a )= I k (REPTEA k ( b )). For each ( b; a ) from list: Try solving equations a = I k ( b ), REPTEA k ( a )= I k (REPTEA k ( b )) to figure out k . (More equations: try re-encrypting these outputs.)

  26. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... . Try list of 2 32 inputs b . Collect outputs REPTEA k ( b ). Good chance that some b in list also has a = I k ( b ) in list. Then REPTEA k ( a )= I k (REPTEA k ( b )). For each ( b; a ) from list: Try solving equations a = I k ( b ), REPTEA k ( a )= I k (REPTEA k ( b )) to figure out k . (More equations: try re-encrypting these outputs.) This is a slide attack. TEA avoids this by varying c .

  27. 28 What about original TEA? void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; } b[0] = x; b[1] = y; }

  28. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]).

  29. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]). Is this an attack?

  30. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]). Is this an attack? PRP attack goal: distinguish TEA k , for one secret key k , from uniform random permutation.

  31. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]). Is this an attack? PRP attack goal: distinguish TEA k , for one secret key k , from uniform random permutation. Brute-force attack: Guess key g , see if TEA g matches TEA k on some outputs.

  32. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]). Is this an attack? PRP attack goal: distinguish TEA k , for one secret key k , from uniform random permutation. Brute-force attack: Guess key g , see if TEA g matches TEA k on some outputs. Related keys ⇒ g succeeds with chance 2 − 126 . Still very small.

  33. 30 1997 Kelsey–Schneier–Wagner: Fancier relationship between k; k ′ has chance 2 − 11 of producing a particular output equation.

  34. 30 1997 Kelsey–Schneier–Wagner: Fancier relationship between k; k ′ has chance 2 − 11 of producing a particular output equation. No evidence in literature that this helps brute-force attack, or otherwise affects PRP security. No challenge to security analysis of TEA-CTR-XCBC-MAC.

  35. 30 1997 Kelsey–Schneier–Wagner: Fancier relationship between k; k ′ has chance 2 − 11 of producing a particular output equation. No evidence in literature that this helps brute-force attack, or otherwise affects PRP security. No challenge to security analysis of TEA-CTR-XCBC-MAC. But advertised as “related-key cryptanalysis” and claimed to justify recommendations for designers regarding key scheduling.

  36. 31 Some ways to learn more about cipher attacks, hash-function attacks, etc.: Take upcoming course “Selected areas in cryptology”. Includes symmetric attacks. Read attack papers, especially from FSE conference. Try to break ciphers yourself: e.g., find attacks on FEAL. Reasonable starting point: 2000 Schneier “Self-study course in block-cipher cryptanalysis”.

  37. 32 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard.

  38. 32 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard. 1975: NBS publishes IBM DES proposal. 64-bit block, 56-bit key.

  39. 32 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard. 1975: NBS publishes IBM DES proposal. 64-bit block, 56-bit key. 1976: NSA meets Diffie and Hellman to discuss criticism. Claims “somewhere over $400,000,000” to break a DES key; “I don’t think you can tell any Congressman what’s going to be secure 25 years from now.”

  40. 33 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20000000 machine to break hundreds of DES keys per year.

  41. 33 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20000000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”.

  42. 33 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20000000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”. 1983, 1988, 1993: Government reaffirms DES standard.

  43. 33 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20000000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”. 1983, 1988, 1993: Government reaffirms DES standard. Researchers publish new cipher proposals and security analysis.

  44. 34 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key.

  45. 34 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals.

  46. 34 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals. 1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year.

  47. 34 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals. 1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year. 1999: NIST selects five AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.

  48. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really?

  49. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.”

  50. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers.

  51. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers. 2007–2012: SHA-3 competition.

  52. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers. 2007–2012: SHA-3 competition. 2013–now: CAESAR competition.

  53. 36 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block.

  54. 36 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block. Extensive security analysis. No serious threats to AES-256 multi-target SPRP security (which implies PRP security), even in a post-quantum world.

  55. 36 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block. Extensive security analysis. No serious threats to AES-256 multi-target SPRP security (which implies PRP security), even in a post-quantum world. So why isn’t AES-256 the end of the symmetric-crypto story?

  56. 37

  57. 38

  58. 39

  59. 40 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy.

  60. 40 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing.

  61. 40 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing. Picture is worse for high-security authenticated ciphers. 128-bit block size limits PRF security. Workarounds are hard to audit.

  62. 41 ChaCha creates safe systems with much less work than AES.

Recommend

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago When we design hash functions, stream ciphers, and other secret-key primitives, should we use integer multiplication? AES uses 32 ; 32 ! 32 xor;

634 views • 39 slides
Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key encryption system encrypts one secret message: a random 256-bit session key. Public-key signature system stops NSAITM attacks. Fast

1.03k views • 63 slides
1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

2.03k views • 175 slides
Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Ga etan Leurent, L eo Perrin, Mar a Naya

488 views • 34 slides
New MILP Modelings for Symmetric-Key Primitives Christina Boura (Joint-work with Daniel Coggia)

New MILP Modelings for Symmetric-Key Primitives Christina Boura (Joint-work with Daniel Coggia)

New MILP Modelings for Symmetric-Key Primitives Christina Boura (Joint-work with Daniel Coggia) University of Versailles and Inria de Paris August 6, 2020 1 / 43 Symmetric-key encryption Alice and Bob share the same secret key for encryption

983 views • 47 slides
Minimalism of Software Implementation Extensive Performance Analysis of Symmetric Primitives

Minimalism of Software Implementation Extensive Performance Analysis of Symmetric Primitives

Minimalism of Software Implementation Extensive Performance Analysis of Symmetric Primitives on the RL78 Microcontroller - Mitsuru Matsui and Yumiko Murakami Information Technology R&amp;D Center Mitsubishi Electric Corporation Agenda 1.

719 views • 32 slides
Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU

Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU

Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU Compute, DTU March 7, 2017 Based on Joint Work With David Derler Claudio Orlandi Sebastian Ramacher Daniel Slamanig TU Graz Aarhus University TU

187 views • 14 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and

779 views • 47 slides
On the design of When we design message-authentication codes hash functions, stream ciphers,

On the design of When we design message-authentication codes hash functions, stream ciphers,

On the design of When we design message-authentication codes hash functions, stream ciphers, and other secret-key primitives, D. J. Bernstein should we use University of Illinois at Chicago integer multiplication? AES uses 32 32 32

1.76k views • 149 slides
MPC-Friendly Symmetric Key Primitives Lorenzo Grassi 1 Christian Rechberger 1 s Rotaru 2 Drago

MPC-Friendly Symmetric Key Primitives Lorenzo Grassi 1 Christian Rechberger 1 s Rotaru 2 Drago

MPC-Friendly Symmetric Key Primitives Lorenzo Grassi 1 Christian Rechberger 1 s Rotaru 2 Drago Peter Scholl 2 Nigel P. Smart 2 1 Graz University of Technology 2 University of Bristol October 25, 2016 What is Multiparty Computation? What is

1.32k views • 64 slides
Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation The AES function (Rijndael 1998 Daemen Rijmen; 2001

867 views • 29 slides
Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Introduction Three Easy, Automated Techniques Tools for Cryptography Conclusion Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos

886 views • 77 slides
Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a brief introduction to symmetric and asymmetric cryptographic primitives, pointing out some relevant design principles and security properties.

532 views • 26 slides
Interprocess Communication Primitives Message Passing: issues Communication

Interprocess Communication Primitives Message Passing: issues Communication

CPSC-662 Distributed Computing Interprocess Communication Interprocess Communication Primitives Message Passing: issues Communication Schemes Reading: Colouris, Chapter 4 Interprocess Communication (IPC) communicate by

372 views • 6 slides
Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch

Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch

Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch Hardware Enclaves A trusted component in an untrusted system Protected memory isolates enclave from compromised OS Untrusted System Enclave

505 views • 34 slides
1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client servers ciphertext C 0 public key S Internet Public-key crypto ciphertext C 0 servers same k secret key s server

916 views • 80 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago

The DNS security mess D. J. Bernstein University of Illinois at Chicago

The DNS security mess D. J. Bernstein University of Illinois at Chicago A public-key signature system m Message Signers Signed secret message n m; r ; s key Verify Signers r = SHA-256 public sB

478 views • 33 slides
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation The Poly1305-AES function Given byte sequence , , 16-byte sequence

1.08k views • 15 slides
Software benchmarking of SHA-3 candidates http://bench.cr.yp.to D. J. Bernstein University of

Software benchmarking of SHA-3 candidates http://bench.cr.yp.to D. J. Bernstein University of

Software benchmarking of SHA-3 candidates http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven Selecting cryptographic primitives NISTs final AES report, 2001: Security

950 views • 61 slides
Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

529 views • 34 slides
Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original

Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original

IN3210/4210 Network and Communications Security Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original message/data ciphertext (C)- coded message/data cipher - algorithm for transforming

672 views • 17 slides
Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter

813 views • 43 slides

More recommend