1977: DES is standardized.

1977: Diffie and Hellman publish detailed design of $20,000,000 machine to break hundreds of DES keys per year.

1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”.

1983, 1988, 1993: Government reaffirms DES standard.

Researchers publish new cipher proposals and security analysis.

1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key.

1998: 15 AES proposals.

1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year.

1999: NIST selects five AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.

2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. … Serpent appears to offer a high security margin.”

2004–2008: eSTREAM competition for stream ciphers.

2007–2012: SHA-3 competition.

2013–2019: CAESAR competition.

2019–now: NISTLWC competition.

Main operations in AES: add round key to block; apply substitution box x ↦ x^254 in F_256 to each byte in block; linearly mix bits across block.

Extensive security analysis. Even in a post-quantum world, no serious threats to AES-256 in a strong security model, “multi-target SPRP security”.

So why isn’t AES-256 the end of the symmetric-crypto story?
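The substitution box named above is the one AES operation that is not linear, and it is the piece that the later slide on timing leaks is about. As an added example that is not part of these slides, the following Python builds the AES S-box from exactly that field operation, x ↦ x^254 in F_256, followed by the affine map that FIPS 197 applies after the inversion (the affine map and the reduction polynomial x^8 + x^4 + x^3 + x + 1 are taken from FIPS 197, not from the slide). The field multiplication is written with masks rather than a lookup table indexed by a secret byte, so the same sequence of operations runs for every input.

```python
# Added example, not from the slides: build the AES substitution box from the
# field operation named above, x -> x^254 in F_256, followed by the affine map
# that FIPS 197 applies after the inversion.

AES_POLY_LOW = 0x1B  # low byte of x^8 + x^4 + x^3 + x + 1, AES's reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in F_256 = F_2[x] / (x^8 + x^4 + x^3 + x + 1).

    Always runs 8 shift/xor steps using mask arithmetic instead of
    data-dependent branches or a table indexed by a secret byte.
    """
    result = 0
    for _ in range(8):
        mask = -(b & 1) & 0xFF          # 0xFF if the low bit of b is set, else 0
        result ^= a & mask
        carry = -((a >> 7) & 1) & 0xFF  # 0xFF if doubling a overflows the byte
        a = ((a << 1) & 0xFF) ^ (AES_POLY_LOW & carry)
        b >>= 1
    return result


def gf_pow254(x: int) -> int:
    """x^254 in F_256 by a fixed square-and-multiply chain (254 = 0b11111110).

    For x != 0 this is the multiplicative inverse of x; for x = 0 it is 0,
    which is the convention AES uses.  The exponent is public, so branching
    on its bits reveals nothing about x.
    """
    acc = 1
    for bit in (1, 1, 1, 1, 1, 1, 1, 0):
        acc = gf_mul(acc, acc)
        if bit:
            acc = gf_mul(acc, x)
    return acc


def rotl8(b: int, n: int) -> int:
    """Rotate a byte left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def aes_sbox(x: int) -> int:
    """SubBytes on one byte: inversion in F_256, then FIPS 197's affine map."""
    inv = gf_pow254(x)
    return inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63


def build_sbox() -> list:
    """The full 256-entry S-box, computed rather than hard-coded."""
    return [aes_sbox(x) for x in range(256)]


def sub_bytes(block: bytes) -> bytes:
    """Apply the S-box to every byte of an AES state, as the slide describes."""
    return bytes(aes_sbox(b) for b in block)


def every_nonzero_byte_has_inverse() -> bool:
    """Sanity check: x * x^254 = 1 for every x != 0 in F_256."""
    return all(gf_mul(x, gf_pow254(x)) == 1 for x in range(1, 256))


if __name__ == "__main__":
    sbox = build_sbox()
    print("S(0x00) = 0x%02x, S(0x53) = 0x%02x" % (sbox[0x00], sbox[0x53]))
    print("all inverses ok:", every_nonzero_byte_has_inverse())
```

The exponentiation route is far slower than the 256-byte table that production code uses, which is the trade-off the timing remark later on these slides refers to: the table is fast, but a lookup indexed by a secret byte lands in cache lines that depend on that secret. Constant-time AES implementations get the speed back by bitslicing or hardware instructions rather than by table lookups.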
AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy.

AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing.

Picture is worse for high-security authenticated ciphers. 128-bit block size limits “PRF” security. Workarounds are hard to audit.

ChaCha creates safe systems with much less work than AES.

More examples of how symmetric primitives have been improving speed, simplicity, security: PRESENT is better than DES. Skinny is better than Simon and Speck. Keccak, BLAKE2, Ascon are better than MD5, SHA-0, SHA-1, SHA-256, SHA-512.
Authentication details

Standardize a prime p = 1000003.

Assume sender knows independent uniform random secrets r_1 ∈ {0, 1, …, 999999}, r_2 ∈ {0, 1, …, 999999}, …, r_5 ∈ {0, 1, …, 999999}, s_1 ∈ {0, 1, …, 999999}, …, s_100 ∈ {0, 1, …, 999999}.

Assume receiver knows the same secrets r_1, r_2, …, r_5, s_1, …, s_100.
Later: Sender wants to send 100 messages m_1, …, m_100, each m_n having 5 components m_{n,1}, m_{n,2}, m_{n,3}, m_{n,4}, m_{n,5} with m_{n,i} ∈ {0, 1, …, 999999}.

Sender transmits 30-digit m_{n,1} m_{n,2} m_{n,3} m_{n,4} m_{n,5} together with an authenticator (m_{n,1} r_1 + ⋯ + m_{n,5} r_5 mod p) + s_n mod 1000000 and the message number n.

e.g. r_1 = 314159, r_2 = 265358, r_3 = 979323, r_4 = 846264, r_5 = 338327, s_10 = 950288, m_10 = 000006 000007 000000 000000 000000:

Sender computes authenticator (6 r_1 + 7 r_2 mod p) + s_10 mod 1000000 = (6 · 314159 + 7 · 265358 mod 1000003) + 950288 mod 1000000 = 742451 + 950288 mod 1000000 = 692739.

Sender transmits 10 000006 000007 000000 000000 000000 692739.
A MAC using fewer secrets

Instead of choosing independent r_1, r_2, …, r_5, s_1, …, s_100, choose r, s_1, s_2, …, s_100.

Sender transmits 30-digit m_{n,1} m_{n,2} m_{n,3} m_{n,4} m_{n,5} together with an authenticator (m_{n,1} r + ⋯ + m_{n,5} r^5 mod p) + s_n mod 1000000 and the message number n.

i.e.: take r_i = r^i in previous (m_{n,1} r_1 + ⋯ + m_{n,5} r_5 mod p) + s_n mod 1000000.

e.g. r = 314159, s_10 = 265358, m_10 = 000006 000007 000000 000000 000000:

Sender computes authenticator (6 r + 7 r^2 mod p) + s_10 mod 1000000 = (6 · 314159 + 7 · 314159^2 mod 1000003) + 265358 mod 1000000 = 953311 + 265358 mod 1000000 = 218669.
18 19 A MAC using fewer secrets e.g. r = 314159, s 10 = 265358, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Instead of choosing independent r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , Sender computes authenticator (6 r + 7 r 2 mod p ) choose r; s 1 ; s 2 ; : : : ; s 100 . + s 10 mod 1000000 = Sender transmits 30-digit (6 · 314159 + 7 · 314159 2 m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 mod 1000003) together with an authenticator + 265358 mod 1000000 = ( m n; 1 r + · · · + m n; 5 r 5 mod p ) 953311 + 265358 mod 1000000 = + s n mod 1000000 218669. and the message number n . Sender transmits i.e.: take r i = r i in previous authenticated message ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . + s n mod 1000000.
18 19 C using fewer secrets e.g. r = 314159, s 10 = 265358, Security m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Instead of choosing independent Attacker Find n ′ ; m : : : ; r 5 ; s 1 ; : : : ; s 100 , Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n r; s 1 ; s 2 ; : : : ; s 100 . ( m ′ ( r ) mo + s 10 mod 1000000 = Sender transmits 30-digit (6 · 314159 + 7 · 314159 2 Here m ′ ( n; 2 ; m n; 3 ; m n; 4 ; m n; 5 mod 1000003) together with an authenticator + 265358 mod 1000000 = + · · · + m n; 5 r 5 mod p ) 953311 + 265358 mod 1000000 = mod 1000000 218669. the message number n . Sender transmits take r i = r i in previous authenticated message + · · · + m n; 5 r 5 mod p ) ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . mod 1000000.
18 19 fewer secrets e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : osing independent Attacker’s goal: Find n ′ ; m ′ ; a ′ such : : : ; s 100 , Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = : : ; s 100 . ( m ′ ( r ) mod p ) + s n + s 10 mod 1000000 = transmits 30-digit (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m m n; 4 ; m n; 5 mod 1000003) authenticator + 265358 mod 1000000 = n; 5 r 5 mod p ) 953311 + 265358 mod 1000000 = 1000000 218669. number n . Sender transmits in previous authenticated message m n; 5 r 5 mod p ) ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . 1000000.
18 19 secrets e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : endent Attacker’s goal: Find n ′ ; m ′ ; a ′ such that Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = ( m ′ ( r ) mod p ) + s n ′ mod 1000000. + s 10 mod 1000000 = (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m ′ [ i ] x i . mod 1000003) authenticator + 265358 mod 1000000 = d p ) 953311 + 265358 mod 1000000 = 218669. n . Sender transmits revious authenticated message d p ) ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ .
19 20 e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Attacker’s goal: Find n ′ ; m ′ ; a ′ such that Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = ( m ′ ( r ) mod p ) + s n ′ mod 1000000. + s 10 mod 1000000 = (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m ′ [ i ] x i . mod 1000003) + 265358 mod 1000000 = 953311 + 265358 mod 1000000 = 218669. Sender transmits authenticated message ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ .
19 20 e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Attacker’s goal: Find n ′ ; m ′ ; a ′ such that Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = ( m ′ ( r ) mod p ) + s n ′ mod 1000000. + s 10 mod 1000000 = (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m ′ [ i ] x i . mod 1000003) Obvious attack: + 265358 mod 1000000 = Choose any m ′ � = m 1 . 953311 + 265358 mod 1000000 = Choose uniform random a ′ . 218669. Success chance 1 = 1000000. Sender transmits authenticated message ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ .
19 20 e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Attacker’s goal: Find n ′ ; m ′ ; a ′ such that Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = ( m ′ ( r ) mod p ) + s n ′ mod 1000000. + s 10 mod 1000000 = (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m ′ [ i ] x i . mod 1000003) Obvious attack: + 265358 mod 1000000 = Choose any m ′ � = m 1 . 953311 + 265358 mod 1000000 = Choose uniform random a ′ . 218669. Success chance 1 = 1000000. Sender transmits Can repeat attack. authenticated message Each forgery has chance ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . 1 = 1000000 of being accepted.
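The two MACs from slides 17 to 19 (independent $r_1, \ldots, r_5$ versus a single $r$ with $r_i = r^i$) and the receiver-side check that slide 20's attacker has to get past, as an added Python example; this is not the lecture's own code. The function names, the sender's packet format "n m_1 ... m_5 tag", passing the one-time pads $s_n$ as a dict keyed by message number, and the constant-time tag comparison are my choices; $p = 1000003$, the 6-digit chunks and the worked values are the slides'.

```python
import hmac

# Parameters from the slides (toy sizes, chosen for hand computation, not for real use).
P = 1000003        # prime modulus p
TAG_MOD = 1000000  # authenticator is reduced to 6 decimal digits
CHUNK = 6          # each message is NCHUNKS chunks of CHUNK digits = 30 digits
NCHUNKS = 5


def split_message(msg_digits: str) -> list[int]:
    """'000006 000007 000000 000000 000000' -> [6, 7, 0, 0, 0]. Each chunk is < 10^6 < p."""
    digits = msg_digits.replace(" ", "")
    if len(digits) != NCHUNKS * CHUNK or not (digits.isascii() and digits.isdigit()):
        raise ValueError("message must be exactly 30 decimal digits")
    return [int(digits[i:i + CHUNK]) for i in range(0, len(digits), CHUNK)]


def mac_independent(m: list[int], r: list[int], s_n: int) -> int:
    """Slide-17 MAC: five independent secrets r_1..r_5 plus the one-time pad s_n for message n."""
    h = sum(mi * ri for mi, ri in zip(m, r)) % P
    return (h + s_n) % TAG_MOD


def poly_eval(m: list[int], r: int) -> int:
    """m(r) = m_1 r + m_2 r^2 + ... + m_5 r^5 mod p, evaluated in Horner form
    as r*(m_1 + r*(m_2 + ... + r*m_5)), so only one multiplication per chunk."""
    acc = 0
    for mi in reversed(m):
        acc = (acc + mi) * r % P
    return acc


def mac_single_r(m: list[int], r: int, s_n: int) -> int:
    """Slide-18 MAC: a single secret r (so r_i = r^i mod p) plus the one-time pad s_n."""
    return (poly_eval(m, r) + s_n) % TAG_MOD


def powers_of_r(r: int, k: int = NCHUNKS) -> list[int]:
    """[r, r^2, ..., r^k] mod p: the r_i that make mac_independent coincide with mac_single_r."""
    return [pow(r, i, P) for i in range(1, k + 1)]


def authenticate(n: int, msg_digits: str, r: int, s: dict[int, int]) -> str:
    """Sender: build the transmitted line 'n m_1 m_2 m_3 m_4 m_5 tag' shown on the slides.
    s maps message number n to its one-time pad s_n (assumed key layout, not from the slides)."""
    m = split_message(msg_digits)
    tag = mac_single_r(m, r, s[n])
    return " ".join([str(n)] + [f"{mi:06d}" for mi in m] + [f"{tag:06d}"])


def verify(packet: str, r: int, s: dict[int, int]) -> bool:
    """Receiver: recompute the tag under the claimed message number n and compare it.
    Anything malformed, and any n for which no pad s_n exists, is rejected."""
    fields = packet.split()
    if len(fields) != NCHUNKS + 2 or not (fields[0].isascii() and fields[0].isdigit()):
        return False
    if not all(len(f) == CHUNK and f.isascii() and f.isdigit() for f in fields[1:]):
        return False
    n = int(fields[0])
    if n not in s:
        return False
    m = [int(f) for f in fields[1:-1]]
    expected = mac_single_r(m, r, s[n])
    # Constant-time comparison: a byte-by-byte early exit would leak how many tag
    # digits a forgery got right.
    return hmac.compare_digest(f"{expected:06d}", fields[-1])


if __name__ == "__main__":
    m10 = split_message("000006 000007 000000 000000 000000")
    print(mac_independent(m10, [314159, 265358, 979323, 846264, 338327], 950288))  # slide 17
    print(mac_single_r(m10, 314159, 265358))                                        # slide 19
    pads = {10: 265358}
    pkt = authenticate(10, "000006 000007 000000 000000 000000", 314159, pads)
    print(pkt, verify(pkt, 314159, pads))
    # Slide-20 attacker: same n, different message, guessed tag. Exactly one of the
    # 10^6 tag values is accepted for a given (n', m'), hence the 1/1000000 per try.
    print(verify("10 000006 000008 000000 000000 000000 218669", 314159, pads))
```

The receiver in this example only checks that a pad exists for the claimed $n$; since each $s_n$ is meant to be used once, a real receiver would also record which $n$ it has already accepted and refuse a second packet with the same number, otherwise a captured valid packet can be replayed.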