Extending the Salsa20 nonce D. J. Bernstein University of Illinois - PowerPoint PPT Presentation

  1. Extending the Salsa20 nonce. D. J. Bernstein, University of Illinois at Chicago. DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now …

  2. 2006 Black–Halevi–Hevia–Krawczyk–Krovetz–Rogaway: "The number of messages to be communicated in a session … should not be allowed to approach 2^{n/2}."

  3. Why do they say this? Answer: Their security proof fails for #messages ≈ 2^{n/2} (AES: #messages ≈ 2^64), and becomes quantitatively useless long before that. So what should users do? No advice from 2006 BHHKKR.

  4. Common user response: Rekeying. 128-bit "master" AES key k produces 128-bit "session keys". First session key: AES_k(1). Second session key: AES_k(2). etc. Each session key AES_k(i) is used for limited #messages. Typical use of session key: AES-CTR, GCM, etc. for at most (e.g.) 2^40 blocks.

  5. In other words: 128-bit AES key k produces AES_{AES_k(1)}(1), AES_{AES_k(1)}(2), …; AES_{AES_k(2)}(1), AES_{AES_k(2)}(2), …; AES_{AES_k(3)}(1), AES_{AES_k(3)}(2), …; and so on. This is really a new cipher (m, n) ↦ AES_{AES_k(m)}(n) with a double-size input. Alert: User-designed cipher! Is this cipher secure?
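The rekeying construction from the slides, written out as an added example (this is not code from Bernstein's talk): session key m is AES_k(m), and keystream block n of session m is AES_{AES_k(m)}(n), which is exactly the double-size-input cipher (m, n) ↦ AES_{AES_k(m)}(n) the last slide warns about. AES-128 is implemented here in pure Python so the block runs offline; the names session_key, double_input_cipher, RekeyingCTR and the blocks_per_session parameter are this example's own, and the per-session budget defaults to the slides' illustrative 2^40 blocks.

```python
# Added example, not from the slides: the rekeying scheme as a concrete cipher.
# Session key m = AES_k(m); keystream block n of session m = AES_{AES_k(m)}(n).
# Names below (session_key, double_input_cipher, RekeyingCTR, blocks_per_session)
# are this example's own choices, not notation from the talk.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    """General multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox():
    """Derive the AES S-box (field inverse, then the affine map) instead of pasting a table."""
    sbox = []
    for a in range(256):
        inv, x, e = (1 if a else 0), a, 254      # a^254 == a^-1 (group order 255); 0 -> 0
        while e:
            if e & 1:
                inv = _gmul(inv, x)
            x, e = _gmul(x, x), e >> 1
        s = inv
        for i in range(1, 5):                    # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def _expand_key(key):
    """AES-128 key schedule: 44 words, returned as 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum((w[4 * r + c] for c in range(4)), []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """One AES-128 block encryption. State is kept in input order (index = 4*col + row)."""
    assert len(key) == 16 and len(block) == 16
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                        # SubBytes
        s = [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]  # ShiftRows
        if rnd < 10:                                                    # MixColumns
            out = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                out += [_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
                        a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
                        a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
                        _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]
            s = out
        s = [b ^ k for b, k in zip(s, rk[rnd])]                         # AddRoundKey
    return bytes(s)

def session_key(master, m):
    """Session key m exactly as on the slides: AES_k(m), with m as a 128-bit block."""
    return aes128_encrypt_block(master, m.to_bytes(16, "big"))

def double_input_cipher(master, m, n):
    """The 'new cipher' the slides point out: (m, n) -> AES_{AES_k(m)}(n), a 256-bit input."""
    return aes128_encrypt_block(session_key(master, m), n.to_bytes(16, "big"))

class RekeyingCTR:
    """CTR keystream that moves to the next session key once blocks_per_session blocks
    have been produced under the current one (2**40 is the slides' example budget)."""
    def __init__(self, master, blocks_per_session=2 ** 40):
        self.master, self.budget = master, blocks_per_session
        self.m, self.n = 1, 0                    # session index, blocks used in this session
        self.skey = session_key(master, self.m)

    def next_block(self):
        if self.n == self.budget:                # budget spent: rekey, never reuse (m, n)
            self.m, self.n = self.m + 1, 0
            self.skey = session_key(self.master, self.m)
        self.n += 1
        return aes128_encrypt_block(self.skey, self.n.to_bytes(16, "big"))

    def encrypt(self, data):
        """XOR data with the keystream; decryption is the same call on a fresh instance."""
        out = bytearray()
        for i in range(0, len(data), 16):
            out += bytes(p ^ k for p, k in zip(data[i:i + 16], self.next_block()))
        return bytes(out)
```

Running RekeyingCTR with a tiny budget makes the slide's point visible: the keystream it emits is, block for block, the output of double_input_cipher on the pairs (1,1), (1,2), (2,1), (2,2), …, so whatever security the rekeyed protocol has is the security of that user-designed 256-bit-input cipher, which BHHKKR's proof for plain AES modes says nothing about.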
