extending the salsa20 nonce d j bernstein university of
play

Extending the Salsa20 nonce D. J. Bernstein University of Illinois - PowerPoint PPT Presentation

Feb 16, 2023 •159 likes •762 views

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now Extending the Salsa20 nonce 2006

  1. Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  2. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Roga D. J. Bernstein “The numb University of Illinois at Chicago to be com session ✿ ✿ ✿ ♥❂ allowed to DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  3. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Roga D. J. Bernstein “The number of messages University of Illinois at Chicago to be communicated session ✿ ✿ ✿ should ♥❂ allowed to approach DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  4. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Rogaway: D. J. Bernstein “The number of messages University of Illinois at Chicago to be communicated in a session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  5. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Rogaway: D. J. Bernstein “The number of messages University of Illinois at Chicago to be communicated in a session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  6. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Rogaway: D. J. Bernstein “The number of messages University of Illinois at Chicago to be communicated in a session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” DES had 64-bit block. Highly troublesome by 1990s. Why do they say this? Answer: Their security proof AES has 128-bit block. fails for #messages ✙ 2 ♥❂ 2 Becoming troublesome now ✿ ✿ ✿ (AES: #messages ✙ 2 64 ), and becomes quantitatively useless long before that. So what should users do? No advice from 2006 BHHKKR.

  7. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Common Krawczyk–Krovetz–Rogaway: Bernstein 128-bit “master” ❦ “The number of messages produces University of Illinois at Chicago to be communicated in a First session session ✿ ✿ ✿ should not be ❦ allowed to approach 2 ♥❂ 2 .” Second session ❦ had 64-bit block. etc. troublesome by 1990s. Why do they say this? ❦ ✵ Each session Answer: Their security proof has 128-bit block. fails for #messages ✙ 2 ♥❂ 2 for limited Becoming troublesome now ✿ ✿ ✿ (AES: #messages ✙ 2 64 ), Typical use and becomes quantitatively AES-CTR, useless long before that. for at most So what should users do? No advice from 2006 BHHKKR.

  8. Salsa20 nonce 2006 Black–Halevi–Hevia– Common user resp Krawczyk–Krovetz–Rogaway: 128-bit “master” AES ❦ “The number of messages produces 128-bit “session Illinois at Chicago to be communicated in a First session key: AES ❦ session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” Second session key: ❦ block. etc. troublesome by 1990s. Why do they say this? Each session key ❦ ✵ Answer: Their security proof block. fails for #messages ✙ 2 ♥❂ 2 for limited #messages. troublesome now ✿ ✿ ✿ (AES: #messages ✙ 2 64 ), Typical use of session and becomes quantitatively AES-CTR, GCM, etc. useless long before that. for at most (e.g.) 2 So what should users do? No advice from 2006 BHHKKR.

  9. nonce 2006 Black–Halevi–Hevia– Common user response: Rek Krawczyk–Krovetz–Rogaway: 128-bit “master” AES key ❦ “The number of messages produces 128-bit “session keys”. Chicago to be communicated in a First session key: AES ❦ (1). session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” Second session key: AES ❦ (2). etc. 1990s. Why do they say this? Each session key ❦ ✵ is used Answer: Their security proof fails for #messages ✙ 2 ♥❂ 2 for limited #messages. w ✿ ✿ ✿ (AES: #messages ✙ 2 64 ), Typical use of session key: and becomes quantitatively AES-CTR, GCM, etc. useless long before that. for at most (e.g.) 2 40 blocks. So what should users do? No advice from 2006 BHHKKR.

  10. 2006 Black–Halevi–Hevia– Common user response: Rekeying. Krawczyk–Krovetz–Rogaway: 128-bit “master” AES key ❦ “The number of messages produces 128-bit “session keys”. to be communicated in a First session key: AES ❦ (1). session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” Second session key: AES ❦ (2). etc. Why do they say this? Each session key ❦ ✵ is used Answer: Their security proof fails for #messages ✙ 2 ♥❂ 2 for limited #messages. (AES: #messages ✙ 2 64 ), Typical use of session key: and becomes quantitatively AES-CTR, GCM, etc. useless long before that. for at most (e.g.) 2 40 blocks. So what should users do? No advice from 2006 BHHKKR.

  11. Black–Halevi–Hevia– Common user response: Rekeying. In other czyk–Krovetz–Rogaway: 128-bit “master” AES key ❦ 128-bit AES ❦ number of messages produces 128-bit “session keys”. AES AES ❦ ❀ ❀ ✿ ✿ ✿ ❦ communicated in a AES AES ❦ ❀ ❀ ✿ ✿ ✿ First session key: AES ❦ (1). ❦ ✿ ✿ ✿ should not be AES AES ❦ ❀ ❀ ✿ ✿ ✿ d to approach 2 ♥❂ 2 .” Second session key: AES ❦ (2). ❦ and so on. etc. do they say this? This is real Each session key ❦ ✵ is used er: Their security proof ( ♠❀ ♥ ) ✼✦ ❦ ♠ ♥ r #messages ✙ 2 ♥❂ 2 for limited #messages. with a double- #messages ✙ 2 64 ), Typical use of session key: ecomes quantitatively AES-CTR, GCM, etc. long before that. for at most (e.g.) 2 40 blocks. what should users do? advice from 2006 BHHKKR.

  12. Black–Halevi–Hevia– Common user response: Rekeying. In other words: czyk–Krovetz–Rogaway: 128-bit “master” AES key ❦ 128-bit AES key ❦ messages produces 128-bit “session keys”. AES AES ❦ (1) (1) ❀ AES ❀ ✿ ✿ ✿ ❦ municated in a AES AES ❦ (2) (1) ❀ AES ❀ ✿ ✿ ✿ First session key: AES ❦ (1). ❦ ✿ ✿ ✿ should not be AES AES ❦ (3) (1) ❀ AES ❀ ✿ ✿ ✿ roach 2 ♥❂ 2 .” Second session key: AES ❦ (2). ❦ and so on. etc. this? This is really a new Each session key ❦ ✵ is used security proof ( ♠❀ ♥ ) ✼✦ AES AES ❦ ♠ ♥ #messages ✙ 2 ♥❂ 2 for limited #messages. with a double-size #messages ✙ 2 64 ), Typical use of session key: quantitatively AES-CTR, GCM, etc. re that. for at most (e.g.) 2 40 blocks. users do? 2006 BHHKKR.

  13. Common user response: Rekeying. In other words: ay: 128-bit “master” AES key ❦ 128-bit AES key ❦ produces produces 128-bit “session keys”. AES AES ❦ (1) (1) ❀ AES AES ❦ (1) (2) ❀ ✿ ✿ ✿ AES AES ❦ (2) (1) ❀ AES AES ❦ (2) (2) ❀ ✿ ✿ ✿ First session key: AES ❦ (1). ✿ ✿ ✿ AES AES ❦ (3) (1) ❀ AES AES ❦ (3) (2) ❀ ✿ ✿ ✿ ♥❂ .” Second session key: AES ❦ (2). and so on. etc. This is really a new cipher Each session key ❦ ✵ is used of ( ♠❀ ♥ ) ✼✦ AES AES ❦ ( ♠ ) ( ♥ ) ♥❂ for limited #messages. ✙ with a double-size input. ✙ Typical use of session key: quantitatively AES-CTR, GCM, etc. for at most (e.g.) 2 40 blocks. BHHKKR.

  14. Common user response: Rekeying. In other words: 128-bit “master” AES key ❦ 128-bit AES key ❦ produces produces 128-bit “session keys”. AES AES ❦ (1) (1) ❀ AES AES ❦ (1) (2) ❀ ✿ ✿ ✿ ; AES AES ❦ (2) (1) ❀ AES AES ❦ (2) (2) ❀ ✿ ✿ ✿ ; First session key: AES ❦ (1). AES AES ❦ (3) (1) ❀ AES AES ❦ (3) (2) ❀ ✿ ✿ ✿ ; Second session key: AES ❦ (2). and so on. etc. This is really a new cipher Each session key ❦ ✵ is used ( ♠❀ ♥ ) ✼✦ AES AES ❦ ( ♠ ) ( ♥ ) for limited #messages. with a double-size input. Typical use of session key: AES-CTR, GCM, etc. for at most (e.g.) 2 40 blocks.

  15. Common user response: Rekeying. In other words: 128-bit “master” AES key ❦ 128-bit AES key ❦ produces produces 128-bit “session keys”. AES AES ❦ (1) (1) ❀ AES AES ❦ (1) (2) ❀ ✿ ✿ ✿ ; AES AES ❦ (2) (1) ❀ AES AES ❦ (2) (2) ❀ ✿ ✿ ✿ ; First session key: AES ❦ (1). AES AES ❦ (3) (1) ❀ AES AES ❦ (3) (2) ❀ ✿ ✿ ✿ ; Second session key: AES ❦ (2). and so on. etc. This is really a new cipher Each session key ❦ ✵ is used ( ♠❀ ♥ ) ✼✦ AES AES ❦ ( ♠ ) ( ♥ ) for limited #messages. with a double-size input. Typical use of session key: Alert: User-designed cipher! AES-CTR, GCM, etc. Is this cipher secure? for at most (e.g.) 2 40 blocks.

Recommend

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now 2006 BlackHaleviHevia

626 views • 19 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Note: ChaCha is not an eSTREAM candidate! Post-eSTREAM cryptography. The Salsa20 cipher family Salsa20/20 is faster than AES. I

256 views • 10 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression

Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression

1 Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression function fixed Block cipher fixed Tweakable block cipher fixed Hash function variable MAC (without nonce) variable MAC (using nonce)

1.08k views • 107 slides
Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29 Everyone

337 views • 32 slides
Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Outline Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns Directory Structure Extending ns in OTcl ns-allinone If you dont want to compile source your changes in your sim Tcl8.3 TK8.3

303 views • 9 slides
NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

[Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn Tackmann University of California, San Diego Eurocrypt 2016, Vienna May 11, 2016

521 views • 37 slides
GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

` GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per Byt yte Shay Gueron Yehuda Lindell Bar-Ilan University Haifa Univ. and Intel Appeared at ACM CCS 2015 ` How to Encry rypt wit ith a Blo

684 views • 30 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
On the Salsa20 Core Function Julio Cesar Hernandez-Castro Juan M. E. Tapiador Jean-Jacques

On the Salsa20 Core Function Julio Cesar Hernandez-Castro Juan M. E. Tapiador Jean-Jacques

Introduction Main Results Conclusions On the Salsa20 Core Function Julio Cesar Hernandez-Castro Juan M. E. Tapiador Jean-Jacques Quisquater Crypto Group DICE Universite Catholique de Louvain Computer Science Department Carlos III

781 views • 28 slides
Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded computer Home automation Cinema set Car Infotainment system ... But: Essential hardware lacks: Data storage (harddisk and/or flash)

221 views • 9 slides
Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++ Debugging 2 ns Directory Structure ns-allinone Tcl8.3 TK8.3 OTcl tclcl ns-2 nam-1 ... tcl C+ + code ex test mcast ... lib examples

965 views • 52 slides
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France

980 views • 70 slides
Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of

Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of

Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of Basel Departement of Mathematics and Computer Science 18 September, 2020 Classical Planning A B start I G 1 G 2 C D Extending SymPA with

850 views • 45 slides
Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability

Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability

Extending CSP with tests for availability 01 Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability 02 Testing for availability Many languages for message-passing concurrency allow programs to test

541 views • 19 slides
Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

1 Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein, Henry de Valence, Tanja Lange, Christine van Vredendaal. Short generators without quantum computers: the case of multiquadratics. Eurocrypt

1.13k views • 97 slides
Extending (part of) the Bruck-Ryser-Chowla Theorem to Coverings Daniel Horsley (Monash

Extending (part of) the Bruck-Ryser-Chowla Theorem to Coverings Daniel Horsley (Monash

Extending (part of) the Bruck-Ryser-Chowla Theorem to Coverings Daniel Horsley (Monash University, Australia) Joint work with Darryn Bryant, Melinda Buchanan, Barbara Maenhaut, and Victor Scharaschkin (University of Queensland) Extending (part

1.03k views • 48 slides
The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation Math Sciences Research Institute University of California at Berkeley

596 views • 33 slides
Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance to Remotely Detect Monitoring

Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance to Remotely Detect Monitoring

Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance to Remotely Detect Monitoring Laura M. Roberts Princeton University / Akamai Technologies David Plonka Akamai Technologies NPS/CAIDA 2020 Virtual IPv6 Workshop June 17, 2020

624 views • 40 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Randomness Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit

Randomness Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit

Randomness Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven Preliminary analysis of some submissions to snakeoil.cr.yp.to Daniel J. Bernstein University

363 views • 32 slides
Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 12.08.2008 joint work with Reza Rezaeian Farashahi, Eindhoven D. J. Bernstein

428 views • 27 slides
Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich

Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich

Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich Department of Informatics Binzm uhlestrasse 14, 8050 Zurich, Switzerland { vorburger, bernstein } @ifi.unizh.ch Abstract per is a real-world

176 views • 6 slides

More recommend