
On the design of message-authentication codes, hash functions, stream ciphers, and other secret-key primitives: should we use integer multiplication? - PowerPoint PPT Presentation

Title slide: On the design of … / When we design message-authentication codes, hash functions, stream ciphers, and other secret-key primitives, should we use integer multiplication? D. J. Bernstein, University of Illinois at Chicago. AES uses 32 32 32 …


  1. “Multiplication is slow!” … bit operations … several simple operations!” … argument: … “No, it doesn’t! … fast!” … applications, designers include multiplication circuits. … can start a multiplication every cycle. “Multiplication scrambles its output as thoroughly as several simple operations!” “No, it doesn’t! Look at these scary attacks. Need many multiplications to achieve confidence.” What if we can prove that multiplication provides the security we need?

  2. An authentication system. Let’s use multiplication to authenticate messages. Standardize a prime p = 1000003. Sender rolls 10-sided die to generate independent uniform random secrets r ∈ {0, 1, …, 999999}, s_1 ∈ {0, 1, …, 999999}, s_2 ∈ {0, 1, …, 999999}, …, s_100 ∈ {0, 1, …, 999999}.

  3. Sender meets receiver in private and tells receiver the same secrets r, s_1, s_2, …, s_100. Later: Sender wants to send 100 messages m_1, …, m_100, each having 5 components m_n[1], m_n[2], m_n[3], m_n[4], m_n[5] with m_n[i] ∈ {0, 1, …, 999999}. Sender transmits 30-digit m_n[1], m_n[2], m_n[3], m_n[4], m_n[5] together with an authenticator (m_n[1] r + ··· + m_n[5] r^5 mod p) + s_n mod 1000000 and the message number n.

  4. e.g. r = 314159, s_10 = 265358, m_10 = 000006 000007 000000 000000 000000: Sender computes authenticator (6r + 7r^2 mod p) + s_10 mod 1000000 = (6·314159 + 7·314159^2 mod 1000003) + 265358 mod 1000000 = 953311 + 265358 mod 1000000 = 218669. Sender transmits authenticated message 10 000006 000007 000000 000000 000000 218669.

  5. Speed analysis. Notation: m_n(x) = Σ_i m_n[i] x^i. To compute m_n(r) mod p: multiply m_n[5] by r, add m_n[4], multiply by r, add m_n[3], multiply by r, add m_n[2], multiply by r, add m_n[1], multiply by r. Reduce mod p after each mult. Slightly more time to compute authenticator a_n = (m_n(r) mod p) + s_n mod 1000000.

  6. Reducing mod 1000003 is easy: e.g., 240881099091 = 240881·1000000 + 99091 ≡ 240881(−3) + 99091 = −722643 + 99091 = −623552. Easily adjust to range {0, 1, …, p − 1} by adding/subtracting a few p’s. (Beware timing attacks!) Speedup: Delay the adjustment; extra p’s won’t damage subsequent field operations.
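The toy authenticator of the preceding frames, as an added Python example written by the editor (not code from the slides or from Bernstein): it evaluates m_n(r) mod p by Horner's rule in the order the speed-analysis frame lists, applies the lazy reduction based on 10^6 ≡ −3 (mod 1000003) after each multiplication, and reproduces the worked example (r = 314159, s_10 = 265358, m_10 = (6, 7, 0, 0, 0) gives 218669) and the reduction example (240881099091 ≡ −623552). Function names and the `secrets` dictionary layout are my own choices.

```python
# Added example (not from the slides): the toy authenticator with p = 1000003.
P = 1000003          # the standardized prime from the slides
CHUNK = 1_000_000    # message components, secrets and tags are 6-digit values

def reduce_partial(v):
    """One lazy reduction step: write v = hi*10^6 + lo; since 10^6 ≡ -3 (mod P),
    v ≡ lo - 3*hi.  The result is congruent to v but not necessarily inside
    [0, P-1].  As the slides note, the extra multiples of P do no harm to later
    field operations, so the full adjustment is delayed to the very end."""
    hi, lo = divmod(v, CHUNK)
    return lo - 3 * hi

def poly_eval_mod_p(m, r):
    """m(r) mod P for m = (m[1], ..., m[5]), i.e. m[1] r + ... + m[5] r^5, by
    Horner's rule in the order the speed-analysis frame gives: multiply m[5]
    by r, add m[4], multiply by r, ..., add m[1], multiply by r.  A partial
    reduction after each multiplication keeps the accumulator small."""
    acc = 0
    for comp in reversed(m):
        acc = reduce_partial((acc + comp) * r)
    # Final adjustment into {0, ..., P-1}.  A constant-time implementation
    # would use a fixed sequence of conditional add/subtract-P steps here
    # instead of `%`; the slides warn about timing attacks on this step.
    return acc % P

def authenticator(m, r, s_n):
    """a_n = (m(r) mod P) + s_n mod 10^6."""
    return (poly_eval_mod_p(m, r) + s_n) % CHUNK

def verify(n, m, a, r, secrets):
    """Receiver's check.  `secrets` maps message number n -> s_n; each s_n
    is a one-time value, so a message number that is not present is rejected."""
    return n in secrets and authenticator(m, r, secrets[n]) == a

# Constructed/illustrative values: the slides' own worked example.
R_EXAMPLE, S10_EXAMPLE, M10_EXAMPLE = 314159, 265358, (6, 7, 0, 0, 0)

if __name__ == "__main__":
    a10 = authenticator(M10_EXAMPLE, R_EXAMPLE, S10_EXAMPLE)
    print("authenticator for message 10:", a10)        # 218669
    print("accepted by receiver:",
          verify(10, M10_EXAMPLE, a10, R_EXAMPLE, {10: S10_EXAMPLE}))
    print("lazy reduction of 240881099091:", reduce_partial(240881099091))  # -623552
```

The intermediate accumulator stays congruent to the true value throughout; only the last `% P` brings it into canonical range, which is exactly the "delay the adjustment" speedup the frame describes.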

  7. Main work is multiplication. For each 6-digit message chunk, have to do one multiplication of the 6-digit secret r into an accumulator mod p. Scaled up for serious security: “Poly1305” uses p = 2^130 − 5. For each 128-bit message chunk, have to do one multiplication of a 128-bit secret r into an accumulator mod 2^130 − 5. ≈ 5 cycles per message byte, depending on the CPU.
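The scaled-up scheme in working form, as an added Python example written by the editor (not code from the slides): Poly1305 as specified in RFC 8439, with one multiplication of the clamped 128-bit r into an accumulator mod 2^130 − 5 per 16-byte chunk, exactly the "main work" the frame counts. The slides state only the field and the per-chunk cost; the 32-byte key layout (r then s), the clamping of r and the 0x01 padding byte are RFC 8439 details, not from the slides. The partial reduction mirrors the slides' 10^6 ≡ −3 trick with 2^130 ≡ 5 instead; function names are my own.

```python
# Added example (not from the slides): Poly1305 per RFC 8439 in pure Python.
import hmac

P1305 = (1 << 130) - 5
MASK130 = (1 << 130) - 1
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff   # RFC 8439 clamp: clears 22 bits of r

def reduce_partial_1305(v):
    """v = hi*2^130 + lo and 2^130 ≡ 5 (mod P1305), so v ≡ lo + 5*hi.
    Congruent but not fully reduced, like the slides' lazy 10^6 ≡ -3 step."""
    return (v & MASK130) + 5 * (v >> 130)

def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """16-byte tag for msg under a 32-byte one-time key (16 bytes r, 16 bytes s)."""
    if len(key) != 32:
        raise ValueError("Poly1305 key is 32 bytes: r || s")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")          # plays the role of the slides' s_n
    acc = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        # Chunk as a little-endian integer with a 0x01 byte appended, so that
        # chunks of different lengths (or with trailing zero bytes) differ as numbers.
        n = int.from_bytes(chunk, "little") | (1 << (8 * len(chunk)))
        acc = reduce_partial_1305((acc + n) * r)    # one multiplication per chunk (Horner)
    acc %= P1305                                    # delayed full adjustment
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def poly1305_verify(msg: bytes, key: bytes, tag: bytes) -> bool:
    """Receiver side; constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(poly1305_mac(msg, key), tag)

if __name__ == "__main__":
    # RFC 8439 section 2.5.2 test vector (from the RFC, not from the slides).
    key = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
    msg = b"Cryptographic Forum Research Group"
    print(poly1305_mac(msg, key).hex())   # a8061dc1305136c6c22b8baf0c0127a9
```

The accumulator bound is the same argument as for the toy scheme: after each partial step the accumulator is below about 2^132, so the next product fits comfortably and only the final `% P1305` does a full reduction. In a real implementation the key pair (r, s) is derived fresh per message, which is the counterpart of the slides' one-time s_n.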

  8. Security analysis. Attacker’s goal: Find n′, m′, a′ such that m′ ≠ m_{n′} but a′ = (m′(r) mod p) + s_{n′} mod 1000000. Here m′(x) = Σ_i m′[i] x^i. Obvious attack: Choose any m′ ≠ m_1. Choose uniform random a′. Success chance 1/1000000. Can repeat attack. Each forgery has chance 1/1000000 of being accepted.

  9. More subtle attack: Choose m′ ≠ m_1 so that the polynomial m′(x) − m_1(x) has 5 distinct roots x ∈ {0, 1, …, 999999} modulo p. Choose a′ = a_1. e.g. m_1 = (100, 0, 0, 0, 0), m′ = (125, 1, 0, 0, 1): m′(x) − m_1(x) = x^5 + x^2 + 25x, which has five roots mod p: 0, 299012, 334447, 631403, 735144. Success chance 5/1000000.

  10. Actually, success chance can be above 5/1000000. Example: If m_1(334885) mod p ∈ {1000000, 1000001, 1000002} then a forgery (1, m′, a_1) with m′(x) = m_1(x) + x^5 + x^2 + 25x also succeeds for r = 334885; success chance 6/1000000. Reason: 334885 is a root of m′(x) − m_1(x) + 1000000. Can have as many as 15 roots of (m′(x) − m_1(x)) · (m′(x) − m_1(x) + 1000000) · (m′(x) − m_1(x) − 1000000).

  36. ❛ ✵ subtle attack: Actually, success chance Do better ose ♠ ✵ ✻ = ♠ 1 so that can be above 5 ❂ 1000000. No. Easy olynomial ♠ ✵ ( ① ) � ♠ 1 ( ① ) ♠ ✵ ✻ of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ Example: If ♠ 1 (334885) mod ♣ ♠ ♥ ✵ distinct roots ✷ ❢ 1000000 ❀ 1000001 ❀ 1000002 ❣ has chance ✔ ❂ ① ✷ ❢ ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ then a forgery (1 ❀ ♠ ✵ ❀ ❛ 1 ) with of being dulo ♣ . Choose ❛ ✵ = ❛ . ♠ ✵ ( ① ) = ♠ 1 ( ① ) + ① 5 + ① 2 + 25 ① Underlying ✔ ♠ 1 = (100 ❀ 0 ❀ 0 ❀ 0 ❀ 0), also succeeds for r = 334885; of ( ♠ ✵ ( ① � ♠ ① � ❛ ✵ ❛ ✁ ♠ ✵ (125 ❀ 1 ❀ 0 ❀ 0 ❀ 1): success chance 6 ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ ① � ❛ ✵ ❛ ✁ ♠ ✵ ① � ♠ 1 ( ① ) = ① 5 + ① 2 + 25 ① Reason: 334885 is a root of ( ♠ ✵ ( ① ) � ♠ ① � ❛ ✵ ❛ � ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000. has five roots mod ♣ : Warning: ❀ 299012 ❀ 334447 ❀ 631403 ❀ 735144. Can have as many as 15 roots the oversimplified of ( ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ Success chance 5 ❂ 1000000. ( ♠ ♥ [1] + ✁ ✁ ✁ ♠ ♥ r ♣ ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000) ✁ + s ♥ ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � 1000000). solve ♠ ✵ ① � ♠ ❛ ✵ � ❛ ①

  37. Actually, success chance can be above $5/1000000$. Example: If $m_1(334885) \bmod p \in \{1000000, 1000001, 1000002\}$ then a forgery $(1, m', a_1)$ with $m'(x) = m_1(x) + x^5 + x^2 + 25x$ also succeeds for $r = 334885$; success chance $6/1000000$. Reason: 334885 is a root of $m'(x) - m_1(x) + 1000000$. Can have as many as 15 roots of $(m'(x) - m_1(x)) \cdot (m'(x) - m_1(x) + 1000000) \cdot (m'(x) - m_1(x) - 1000000)$.
      Do better by varying $a'$? No. Easy to prove: Every choice of $(n', m', a')$ with $m' \neq m_{n'}$ has chance $\le 15/1000000$ of being accepted by receiver. Underlying fact: $\le 15$ roots of $(m'(x) - m_1(x) - a' + a_1) \cdot (m'(x) - m_1(x) - a' + a_1 + 10^6) \cdot (m'(x) - m_1(x) - a' + a_1 - 10^6)$. Warning: very easy to break the oversimplified authenticator $(m_n[1] + \cdots + m_n[5] r^4 \bmod p) + s_n \bmod 1000000$: solve $m'(x) - m_1(x) = a' - a_1$.
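
An added example (not code from the slides) that brute-forces the argument of slides 37–39 for the toy system: it lists every $r$ for which the polynomial difference $x^5 + x^2 + 25x$ can let a reused tag be accepted, and rebuilds the $r = 334885$ case. The polynomial $m_1$ and the pad value $s$ it uses are constructed for the demonstration.

```python
# Added example (not from the slides): the root-counting argument of slides 37-39
# for the toy authenticator with prime p = 1000003 and tags reduced mod 1000000.
# Write d = m' - m_1 for a forgery that reuses the genuine tag (a' = a_1).  The
# receiver accepts iff (m'(r) mod p) - (m_1(r) mod p) is 0 or +-1000000, so r
# must be a root mod p of d(x), d(x) + 10^6 or d(x) - 10^6: at most 3*deg(d) = 15
# of the 10^6 possible r's.  The slide's d(x) = x^5 + x^2 + 25x is checked by
# brute force over every r, and its example root r = 334885 is reproduced.

P = 1000003        # standardized prime of the toy system
TAG_MOD = 10**6    # tag range {0, ..., 999999}, also the range of r


def eval_poly(coeffs, x, p=P):
    """Horner evaluation of c0 + c1*x + ... + cn*x^n mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def toy_tag(m_coeffs, r, s):
    """Toy authenticator of the slides: (m(r) mod p) + s, reduced mod 1000000."""
    return (eval_poly(m_coeffs, r) + s) % TAG_MOD


def candidate_r_values(d_coeffs):
    """r in {0, ..., 999999} that are roots mod p of d(x), d(x)+10^6 or d(x)-10^6,
    keyed by that offset.  Only these r can make a forgery with a' = a_1 succeed
    (being a root is necessary, not sufficient: it also depends on m_1(r))."""
    lookup = {(-off) % P: off for off in (0, TAG_MOD, -TAG_MOD)}   # d(r) == -off
    roots = {off: [] for off in lookup.values()}
    for r in range(TAG_MOD):
        off = lookup.get(eval_poly(d_coeffs, r))
        if off is not None:
            roots[off].append(r)
    return roots


def max_candidates(d_coeffs):
    """Upper bound 3*deg(d) on the number of candidate r's."""
    return 3 * max(i for i, c in enumerate(d_coeffs) if c % P != 0)


D_SLIDE = [0, 25, 1, 0, 0, 1]   # d(x) = x^5 + x^2 + 25x as coefficients c0..c5


def slide_forgery_succeeds(m1_at_r, r=334885, s=271828):
    """Rebuild the slide's example for a given value of m_1(r) mod p.
    m_1 is the constructed polynomial c*x with c chosen so that m_1(r) = m1_at_r;
    m' = m_1 + x^5 + x^2 + 25x.  s is an arbitrary constructed pad value."""
    c = (m1_at_r * pow(r, -1, P)) % P
    m1 = [0, c]
    forged = [0, c + 25, 1, 0, 0, 1]
    return toy_tag(forged, r, s) == toy_tag(m1, r, s)


if __name__ == "__main__":
    found = candidate_r_values(D_SLIDE)
    for off, rs in found.items():
        print("roots of d(x) + %d:" % off, rs)
    print("total", sum(len(v) for v in found.values()), "<=", max_candidates(D_SLIDE))
    for v in (1000000, 1000001, 1000002, 5):
        print("m_1(334885) =", v, "-> forgery accepted:", slide_forgery_succeeds(v))
```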

  40. Scaled up for serious security: Poly1305 uses 128-bit $r$’s, with 22 bits cleared for speed. Adds $s_n \bmod 2^{128}$. Assuming $\le L$-byte messages: Each forgery succeeds for $\le 8\lceil L/16 \rceil$ choices of $r$. Probability $\le 8\lceil L/16 \rceil / 2^{106}$. $D$ forgeries are all rejected with probability $\ge 1 - 8D\lceil L/16 \rceil / 2^{106}$. e.g. $2^{64}$ forgeries, $L = 1536$: $\Pr[\text{all rejected}] \ge 0.9999999998$.

  44. Authenticator is still secure for variable-length messages, if different messages are different polynomials mod $p$. Split string into 16-byte chunks, maybe with smaller final chunk; append 1 to each chunk; view as little-endian integers in $\{1, 2, 3, \ldots, 2^{129}\}$. Multiply first chunk by $r$, add next chunk, multiply by $r$, etc., last chunk, multiply by $r$, mod $2^{130} - 5$, add $s_n \bmod 2^{128}$.

  48. Reducing the key length. Like the one-time pad, this authentication system has a security guarantee. One-time pad needs $L$ shared secret bytes to encrypt $L$ message bytes. Authentication system needs 16 shared secret bytes to authenticate $L$ message bytes. Each new message needs new shared secret bytes, used only once. How to handle many messages?

  52. Authenticator is $m_n(r) \bmod p$ encrypted with one-time pad $s_n$. Can replace one-time pad with stream-cipher output. Typical stream cipher: AES in counter mode. Sender, receiver share $(r, k)$ where $k$ is 16-byte AES key; compute $s_n = \mathrm{AES}_k(n)$. Security proof breaks down since $s_n$’s are dependent, but can still prove that attack on authenticator implies attack on AES.

  56. Reference computation with GMP (the slide shows only the function body; the include, the aes() prototype and the function signature below are assumed from the variables it uses, not shown on the slide):
      #include <gmpxx.h>

      /* aes(out,k,n): 16-byte AES encryption of block n under key k,
         assumed to be provided elsewhere */
      void aes(unsigned char out[16], const unsigned char k[16],
               const unsigned char n[16]);

      /* out = 16-byte authenticator, r = 16-byte (clamped) r, k = AES key,
         n = 16-byte nonce, m/mlen = message (signature assumed) */
      void poly1305_aes(unsigned char out[16], const unsigned char r[16],
                        const unsigned char k[16], const unsigned char n[16],
                        const unsigned char *m, unsigned int mlen)
      {
        unsigned int j;
        mpz_class rbar = 0;
        for (j = 0;j < 16;++j)                       /* r as little-endian integer */
          rbar += ((mpz_class) r[j]) << (8 * j);
        mpz_class h = 0;
        mpz_class p = (((mpz_class) 1) << 130) - 5;  /* the prime 2^130 - 5 */
        while (mlen > 0) {
          mpz_class c = 0;
          for (j = 0;(j < 16) && (j < mlen);++j)     /* next chunk, at most 16 bytes */
            c += ((mpz_class) m[j]) << (8 * j);
          c += ((mpz_class) 1) << (8 * j);           /* append the 1 byte */
          m += j; mlen -= j;
          h = ((h + c) * rbar) % p;                  /* Horner step: add chunk, multiply by r */
        }
        unsigned char aeskn[16];
        aes(aeskn,k,n);                              /* s_n = AES_k(n) */
        for (j = 0;j < 16;++j)
          h += ((mpz_class) aeskn[j]) << (8 * j);
        for (j = 0;j < 16;++j) {                     /* low 128 bits, little-endian */
          mpz_class c = h % 256;
          h >>= 8;
          out[j] = c.get_ui();
        }
      }
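
An added Python version of the computation on slides 44–47 (the GMP code on slides 56–59 does the same in C++); it is not code from the slides or from the Poly1305 software. The pad $s_n$, which slides 52–55 derive as $\mathrm{AES}_k(n)$, is passed in directly as 16 bytes, which is also how RFC 8439 presents Poly1305, so the RFC’s published test vector checks the arithmetic.

```python
# Added example (not from the slides or from Bernstein's implementation):
# Poly1305 as described on slides 44-47, in Python big integers instead of the
# GMP code of slides 56-59.  The one-time pad s_n (slide 55: s_n = AES_k(n)) is
# passed in as 16 bytes, which is also how RFC 8439 presents it, so the RFC's
# published test vector can be used to check the arithmetic.

P = (1 << 130) - 5                                # the prime 2^130 - 5
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF       # clears the 22 "speed" bits (slide 40)


def clamp_r(r_bytes: bytes) -> int:
    """128-bit r as a little-endian integer with the 22 bits cleared:
    the top 4 bits of bytes 3, 7, 11, 15 and the bottom 2 bits of bytes 4, 8, 12."""
    assert len(r_bytes) == 16
    return int.from_bytes(r_bytes, "little") & R_CLAMP


def message_chunks(m: bytes) -> list:
    """16-byte chunks (smaller final chunk allowed), each with a 1 byte appended,
    read as little-endian integers; every chunk lies in {1, ..., 2^129}.
    The appended 1 is what makes b"" and b"\\x00" different polynomials."""
    return [int.from_bytes(m[i:i + 16] + b"\x01", "little")
            for i in range(0, len(m), 16)]


def poly1305(r_bytes: bytes, s_bytes: bytes, m: bytes) -> bytes:
    """Horner evaluation ((c1*r + c2)*r + ...)*r mod 2^130-5, then + s mod 2^128."""
    r = clamp_r(r_bytes)
    s = int.from_bytes(s_bytes, "little")
    h = 0
    for c in message_chunks(m):
        h = ((h + c) * r) % P          # add next chunk, multiply by r
    return ((h + s) % (1 << 128)).to_bytes(16, "little")


# RFC 8439 section 2.5.2 test vector: first 16 key bytes are r, last 16 are s.
RFC8439_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8" "0103808afb0db2fd4abff6af4149f51b")
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def rfc8439_check() -> bool:
    """True if this implementation reproduces the RFC 8439 tag."""
    return poly1305(RFC8439_KEY[:16], RFC8439_KEY[16:], RFC8439_MSG) == RFC8439_TAG


if __name__ == "__main__":
    print("RFC 8439 vector:", "ok" if rfc8439_check() else "MISMATCH")
```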

  60. Another stream cipher: $F_k(n) = \mathrm{MD5}(k, n)$. Somewhat slower than AES. “Hasn’t MD5 been broken?” Distinct $(k, n), (k', n')$ are known with $\mathrm{MD5}(k, n) = \mathrm{MD5}(k', n')$. (2004 Wang) Still not obvious how to predict $n \mapsto \mathrm{MD5}(k, n)$ for secret $k$. We know AES collisions too! Many other stream ciphers are unbroken, faster than AES.

  64. Alternatives to $+$: Use $\cdots \oplus \mathrm{AES}_k(n)$ instead of $\cdots + \mathrm{AES}_k(n)$? No! Destroys security analysis; might allow successful forgeries even if AES is secure. Use $\mathrm{AES}_k(\cdots)$, omitting $n$? No! Broken by known attacks using $< 2^{64}$ authenticators. But ok for small # messages. Use $\mathrm{Salsa20}(k, n, \cdots)$? Seems to be massive overkill.

  68. Alternatives to Poly1305. Notation: $\mathrm{Poly1305}_r(m) = (m(r) \bmod 2^{130} - 5) \bmod 2^{128}$. For all distinct messages $m, m'$: $\Pr[\mathrm{Poly1305}_r(m) = \mathrm{Poly1305}_r(m')]$ is very small. “Small collision probabilities.” For all distinct messages $m, m'$ and all 16-byte sequences $\Delta$: $\Pr[\mathrm{Poly1305}_r(m) = \mathrm{Poly1305}_r(m') + \Delta \bmod 2^{128}]$ is very small. “Small differential probabilities.”

  72. Easy to build other functions that satisfy these properties. Embed messages and outputs into polynomial ring $\mathbf{Z}[x_1, x_2, x_3, \ldots]$. Use $m \mapsto m \bmod r$ where $r$ is a random prime ideal. Small differential probability means that $m - m' - \Delta$ is divisible by very few $r$’s when $m \neq m'$. (Addition of $\Delta$ is mod $2^{128}$; be careful.)

  76. ✻ Alternatives to Poly1305 Easy to build other functions Example: that satisfy these properties. Notation: Poly1305 r ( ♠ ) = View mes ♠ ♠ r mod 2 130 � 5) mod 2 128 . Embed messages and outputs into specifically ✟ ✠ polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: ❀ ❀ ✿ ✿ ✿ ❀ � distinct messages ♠❀ ♠ ✵ : oly1305 r ( ♠ ) = Use ♠ ✼✦ ♠ mod r where Reduce ♠ oly1305 r ( ♠ ✵ )] is very small. r is a random prime ideal. random p r “Small collision probabilities.” between Small differential probability (Problem: r means that ♠ � ♠ ✵ � ∆ distinct messages ♠❀ ♠ ✵ all 16-byte sequences ∆: is divisible by very few r ’s Low differential ♠ � ♠ ✵ � when ♠ ✻ = ♠ ✵ . if ♠ ✻ = ♠ ✵ oly1305 r ( ♠ ) = so ♠ � ♠ ✵ � oly1305 r ( ♠ ✵ ) + ∆ mod 2 128 ] (Addition of ∆ is small. by very few mod 2 128 ; be careful.) “Small differential probabilities.”

  77. ✻ oly1305 Easy to build other functions Example: (1981 Ka that satisfy these properties. oly1305 r ( ♠ ) = View messages ♠ � 5) mod 2 128 . ♠ r Embed messages and outputs into specifically multiples ✟ ✠ polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ � messages ♠❀ ♠ ✵ : r ♠ ) = Use ♠ ✼✦ ♠ mod r where Reduce ♠ modulo r ♠ ✵ )] is very small. r is a random prime ideal. random prime numb r between 2 120 and probabilities.” Small differential probability (Problem: generating r means that ♠ � ♠ ✵ � ∆ messages ♠❀ ♠ ✵ sequences ∆: is divisible by very few r ’s Low differential probabilit if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � when ♠ ✻ = ♠ ✵ . r ♠ ) = so ♠ � ♠ ✵ � ∆ is r ♠ ✵ ) + ∆ mod 2 128 ] (Addition of ∆ is by very few prime mod 2 128 ; be careful.) differential probabilities.”

  78. Easy to build other functions Example: (1981 Karp Rabin) that satisfy these properties. r ♠ View messages ♠ as integers, 2 128 . specifically multiples of 2 128 . ♠ r � Embed messages and outputs into 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: ♠❀ ♠ ✵ : r ♠ Use ♠ ✼✦ ♠ mod r where Reduce ♠ modulo a uniform r ♠ ✵ small. r is a random prime ideal. random prime number r between 2 120 and 2 128 . robabilities.” Small differential probability (Problem: generating r is slo means that ♠ � ♠ ✵ � ∆ ♠❀ ♠ ✵ ∆: is divisible by very few r ’s Low differential probability: if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ when ♠ ✻ = ♠ ✵ . r ♠ so ♠ � ♠ ✵ � ∆ is divisible d 2 128 ] r ♠ ✵ (Addition of ∆ is by very few prime numbers. mod 2 128 ; be careful.) robabilities.”

  79. Easy to build other functions Example: (1981 Karp Rabin) that satisfy these properties. View messages ♠ as integers, specifically multiples of 2 128 . Embed messages and outputs into 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: . Use ♠ ✼✦ ♠ mod r where Reduce ♠ modulo a uniform r is a random prime ideal. random prime number r between 2 120 and 2 128 . Small differential probability (Problem: generating r is slow.) means that ♠ � ♠ ✵ � ∆ is divisible by very few r ’s Low differential probability: if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 when ♠ ✻ = ♠ ✵ . so ♠ � ♠ ✵ � ∆ is divisible (Addition of ∆ is by very few prime numbers. mod 2 128 ; be careful.)

  80. to build other functions Example: (1981 Karp Rabin) Variant that ✟ satisfy these properties. View messages ♠ as integers, View mes ♠ specifically multiples of 2 128 . ♠ 128 ① 128 messages and outputs into ♠ ① ✁ ✁ ✁ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ olynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: . with each ♠ ✐ ❢ ❀ ❣ ♠ ✼✦ ♠ mod r where Reduce ♠ modulo a uniform Outputs: ♦ ♦ ① ✁ ✁ ✁ ♦ ① r random prime ideal. random prime number r with each ♦ ✐ ❢ ❀ ❣ between 2 120 and 2 128 . differential probability Reduce ♠ ❀ r (Problem: generating r is slow.) that ♠ � ♠ ✵ � ∆ r is a uni divisible by very few r ’s Low differential probability: degree-128 ❂ if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✻ = ♠ ✵ . (Problem: r so ♠ � ♠ ✵ � ∆ is divisible typical CPU (Addition of ∆ is by very few prime numbers. for polynomial 128 ; be careful.)

  81. other functions Example: (1981 Karp Rabin) Variant that works ✟ these properties. View messages ♠ as integers, View messages ♠ ♠ 128 ① 128 + ♠ 129 ① specifically multiples of 2 128 . messages and outputs into ✁ ✁ ✁ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: . with each ♠ ✐ in ❢ 0 ❀ ❣ ♠ ✼✦ ♠ d r where Reduce ♠ modulo a uniform Outputs: ♦ 0 + ♦ 1 ① ✁ ✁ ✁ ♦ ① r rime ideal. random prime number r with each ♦ ✐ in ❢ 0 ❀ ❣ between 2 120 and 2 128 . differential probability Reduce ♠ modulo ❀ r (Problem: generating r is slow.) ♠ � ♠ ✵ � ∆ r is a uniform random very few r ’s Low differential probability: degree-128 polynomial ❂ if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✵ ♠ ✻ (Problem: division r so ♠ � ♠ ✵ � ∆ is divisible typical CPU has no is by very few prime numbers. for polynomial multip reful.)

  82. functions Example: (1981 Karp Rabin) Variant that works with ✟ : erties. View messages ♠ as integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ specifically multiples of 2 128 . outputs into 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ ① ❀ ① ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . ♠ ✼✦ ♠ r Reduce ♠ modulo a uniform Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① r random prime number r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . between 2 120 and 2 128 . robability Reduce ♠ modulo 2 ❀ r where (Problem: generating r is slow.) ♠ � ♠ ✵ � r is a uniform random irreducible r Low differential probability: degree-128 polynomial over Z ❂ if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✵ ♠ ✻ (Problem: division by r is slo so ♠ � ♠ ✵ � ∆ is divisible typical CPU has no big circuit by very few prime numbers. for polynomial multiplication.)

  83. Example: (1981 Karp Rabin) Variant that works with ✟ : View messages ♠ as integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ specifically multiples of 2 128 . 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ Outputs: . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① 127 Reduce ♠ modulo a uniform random prime number r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . between 2 120 and 2 128 . Reduce ♠ modulo 2 ❀ r where (Problem: generating r is slow.) r is a uniform random irreducible Low differential probability: degree-128 polynomial over Z ❂ 2. if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 (Problem: division by r is slow; so ♠ � ♠ ✵ � ∆ is divisible typical CPU has no big circuit by very few prime numbers. for polynomial multiplication.)

  84. Example: (1981 Karp Rabin) Variant that works with ✟ : Example: MacWilliams messages ♠ as integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ ecifically multiples of 2 128 . Choose p ♣ ✙ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ Outputs: . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . View mes ♠ polys ♠ 1 ① ♠ ① ♠ ① Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① 127 Reduce ♠ modulo a uniform ♠ 1 ❀ ♠ 2 ❀ ♠ ✷ ❢ ❀ ✿ ✿ ✿ ❀ ♣ � ❣ prime number r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . Outputs: ❢ ❀ ✿ ✿ ✿ ❀ ♣ � ❣ een 2 120 and 2 128 . Reduce ♠ modulo 2 ❀ r where (Problem: generating r is slow.) Reduce ♠ r is a uniform random irreducible ♣❀ ① 1 � r ❀ ① � r ❀ ① � r differential probability: degree-128 polynomial over Z ❂ 2. to ♠ 1 r 1 ♠ r ♠ r ♣ ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✻ (Problem: division by r is slow; (Problem: ♠ r ♠ � ♠ ✵ � ∆ is divisible typical CPU has no big circuit very few prime numbers. for polynomial multiplication.)

  85. Karp Rabin) Variant that works with ✟ : Example: (1974 Gilb MacWilliams Sloane) ♠ as integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ multiples of 2 128 . Choose prime numb ♣ ✙ ❀ ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . View messages ♠ polys ♠ 1 ① 1 + ♠ 2 ① ♠ ① Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① 127 ♠ dulo a uniform ♠ 1 ❀ ♠ 2 ❀ ♠ 3 ✷ ❢ 0 ❀ ✿ ✿ ✿ ❀ ♣ � ❣ number r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . Outputs: ❢ 0 ❀ ✿ ✿ ✿ ❀ ♣ � ❣ and 2 128 . Reduce ♠ modulo 2 ❀ r where generating r is slow.) Reduce ♠ modulo r is a uniform random irreducible ♣❀ ① 1 � r 1 ❀ ① 2 � r 2 ❀ ① � r probability: degree-128 polynomial over Z ❂ 2. to ♠ 1 r 1 + ♠ 2 r 2 + ♠ r ♣ ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✵ ♠ ✻ (Problem: division by r is slow; (Problem: long ♠ r ♠ � ♠ ✵ � is divisible typical CPU has no big circuit rime numbers. for polynomial multiplication.)

  86. Rabin) Variant that works with ✟ : Example: (1974 Gilbert MacWilliams Sloane) ♠ integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ 128 . Choose prime number ♣ ✙ 2 ✟ ✠ ❀ ❀ ✿ ✿ ✿ ❀ � 1 . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . View messages ♠ as linear polys ♠ 1 ① 1 + ♠ 2 ① 2 + ♠ 3 ① 3 Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① 127 ♠ rm ♠ 1 ❀ ♠ 2 ❀ ♠ 3 ✷ ❢ 0 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . Outputs: ❢ 0 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . Reduce ♠ modulo 2 ❀ r where r slow.) Reduce ♠ modulo r is a uniform random irreducible ♣❀ ① 1 � r 1 ❀ ① 2 � r 2 ❀ ① 3 � r 3 y: degree-128 polynomial over Z ❂ 2. to ♠ 1 r 1 + ♠ 2 r 2 + ♠ 3 r 3 mo ♣ ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✵ ♠ ✻ (Problem: division by r is slow; (Problem: long ♠ needs long r ♠ � ♠ ✵ � divisible typical CPU has no big circuit rs. for polynomial multiplication.)
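A scaled-down, runnable model of the Karp–Rabin hash from these slides, added here as an example (not code from the talk) to check the "small differential probability" argument by enumerating every key r; it assumes K = 16 in place of 128 and primes in (2^8, 2^16] in place of (2^120, 2^128), and shows why the "addition of Δ is mod 2^128; be careful" remark matters.

```python
"""Scaled-down model of the slides' Karp-Rabin (1981) hash. Added example, not
from the slides. Scaling assumption: K = 16 stands in for 128, and r ranges
over primes in (2^8, 2^16] instead of (2^120, 2^128)."""

K = 16                      # slides: 128
MOD = 1 << K                # outputs live in {0, ..., 2^K - 1}


def primes_up_to(n: int) -> list[int]:
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]


# Key space: every prime r with 2^(K-8) < r <= 2^K (slides: 2^120 < r < 2^128).
PRIMES = [p for p in primes_up_to(MOD) if p > (1 << (K - 8))]


def encode(msg: bytes) -> int:
    """Messages are integers that are multiples of 2^K, as on the slides."""
    return int.from_bytes(msg, "little") << K


def kr_hash(m: int, r: int) -> int:
    """Karp-Rabin hash: reduce the message integer modulo the secret prime r."""
    return m % r


def differential_count(m: int, m2: int, delta: int) -> int:
    """Number of keys r with kr_hash(m, r) == kr_hash(m2, r) + delta mod 2^K.
    Divided by len(PRIMES) this is the exact differential probability."""
    return sum(1 for r in PRIMES if kr_hash(m, r) == (kr_hash(m2, r) + delta) % MOD)


def divisor_bound(m: int, m2: int, delta: int) -> int:
    """Upper bound from the slides' argument: the event forces r | m - m2 - delta,
    except that delta is added mod 2^K ("be careful"), which also allows
    r | m - m2 - delta + 2^K. For m != m2 both integers are nonzero (or the
    second case is impossible), so each has few prime divisors above 2^(K-8)."""
    n1 = m - m2 - delta
    n2 = n1 + MOD
    return sum(1 for r in PRIMES if n1 % r == 0 or (n2 != 0 and n2 % r == 0))


# Constructed sample: two distinct messages and an arbitrary 16-bit difference.
M1 = encode(b"transfer 10 to alice")
M2 = encode(b"transfer 99 to alice")
DELTA = 0x1234

if __name__ == "__main__":
    hits, bound = differential_count(M1, M2, DELTA), divisor_bound(M1, M2, DELTA)
    print(f"{hits} of {len(PRIMES)} keys satisfy the differential (bound {bound})")
```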
