3 4 Random nonces in DSA/ECDSA Denial of service via flooding 1992 Rivest: “The poor user is Suspected terrorists Alice and given enough rope with which Bob are aided and abetted b to hang himself—something “auditors” (= “cryptanalysts” a standard should not do.” = “reviewers”) checking for NSA+NBS: exploitable security problems Standardize anyway. in cryptographic systems. enough! 2010 Bushing–Marcan–Segher– Example: SHA-3 competition it! Sven “PS3 epic fail”: PS3 involved 200 cryptographers forgeries—Sony hung itself. continues to around the world and took decades, Add complicated options years of sustained public effo for deterministic nonces, How can we slip a security while preserving old options. problem past all of them?
4 5 Random nonces in DSA/ECDSA Denial of service via flooding 1992 Rivest: “The poor user is Suspected terrorists Alice and given enough rope with which Bob are aided and abetted by to hang himself—something “auditors” (= “cryptanalysts” a standard should not do.” = “reviewers”) checking for exploitable security problems Standardize anyway. in cryptographic systems. 2010 Bushing–Marcan–Segher– Example: SHA-3 competition Sven “PS3 epic fail”: PS3 involved 200 cryptographers forgeries—Sony hung itself. around the world and took Add complicated options years of sustained public effort. for deterministic nonces, How can we slip a security while preserving old options. problem past all of them?
4 5 Random nonces in DSA/ECDSA Denial of service via flooding During the NIST also Rivest: “The poor user is Suspected terrorists Alice and FIPS 186-3 enough rope with which Bob are aided and abetted by FIPS 198-1 hang himself—something “auditors” (= “cryptanalysts” SP 800-38E standard should not do.” = “reviewers”) checking for SP 800-38F exploitable security problems Standardize anyway. SP 800-56C in cryptographic systems. SP 800-57 Bushing–Marcan–Segher– Example: SHA-3 competition SP 800-67 “PS3 epic fail”: PS3 involved 200 cryptographers SP 800-108 rgeries—Sony hung itself. around the world and took SP 800-131A complicated options years of sustained public effort. SP 800-133 terministic nonces, How can we slip a security SP 800-152 preserving old options. problem past all of them? and related such as SP
4 5 in DSA/ECDSA Denial of service via flooding During the same p NIST also published “The poor user is Suspected terrorists Alice and FIPS 186-3 (signatures), rope with which Bob are aided and abetted by FIPS 198-1 (authentication), himself—something “auditors” (= “cryptanalysts” SP 800-38E (disk should not do.” = “reviewers”) checking for SP 800-38F (key wrapping), exploitable security problems anyway. SP 800-56C (key derivation), in cryptographic systems. SP 800-57 (key management), Bushing–Marcan–Segher– Example: SHA-3 competition SP 800-67 (block encryption), fail”: PS3 involved 200 cryptographers SP 800-108 (key derivation), hung itself. around the world and took SP 800-131A (key options years of sustained public effort. SP 800-133 (key generation), nonces, How can we slip a security SP 800-152 (key management), old options. problem past all of them? and related protoc such as SP 800-81r1.
4 5 DSA/ECDSA Denial of service via flooding During the same period, NIST also published user is Suspected terrorists Alice and FIPS 186-3 (signatures), which Bob are aided and abetted by FIPS 198-1 (authentication), himself—something “auditors” (= “cryptanalysts” SP 800-38E (disk encryption), do.” = “reviewers”) checking for SP 800-38F (key wrapping), exploitable security problems SP 800-56C (key derivation), in cryptographic systems. SP 800-57 (key management), rcan–Segher– Example: SHA-3 competition SP 800-67 (block encryption), involved 200 cryptographers SP 800-108 (key derivation), itself. around the world and took SP 800-131A (key lengths), years of sustained public effort. SP 800-133 (key generation), How can we slip a security SP 800-152 (key management), options. problem past all of them? and related protocol documents such as SP 800-81r1.
5 6 Denial of service via flooding During the same period, NIST also published Suspected terrorists Alice and FIPS 186-3 (signatures), Bob are aided and abetted by FIPS 198-1 (authentication), “auditors” (= “cryptanalysts” SP 800-38E (disk encryption), = “reviewers”) checking for SP 800-38F (key wrapping), exploitable security problems SP 800-56C (key derivation), in cryptographic systems. SP 800-57 (key management), Example: SHA-3 competition SP 800-67 (block encryption), involved 200 cryptographers SP 800-108 (key derivation), around the world and took SP 800-131A (key lengths), years of sustained public effort. SP 800-133 (key generation), How can we slip a security SP 800-152 (key management), problem past all of them? and related protocol documents such as SP 800-81r1.
5 6 of service via flooding During the same period, Attention NIST also published not entirely ected terrorists Alice and FIPS 186-3 (signatures), re aided and abetted by Auditors FIPS 198-1 (authentication), “auditors” (= “cryptanalysts” security SP 800-38E (disk encryption), “reviewers”) checking for just befo SP 800-38F (key wrapping), exploitable security problems SP 800-56C (key derivation), cryptographic systems. SP 800-57 (key management), Example: SHA-3 competition SP 800-67 (block encryption), involved 200 cryptographers SP 800-108 (key derivation), the world and took SP 800-131A (key lengths), of sustained public effort. SP 800-133 (key generation), can we slip a security SP 800-152 (key management), roblem past all of them? and related protocol documents such as SP 800-81r1.
5 6 via flooding During the same period, Attention of audito NIST also published not entirely on SHA-3. rists Alice and FIPS 186-3 (signatures), and abetted by Auditors caught a FIPS 198-1 (authentication), “cryptanalysts” security flaw in EAX SP 800-38E (disk encryption), checking for just before NIST standa SP 800-38F (key wrapping), security problems SP 800-56C (key derivation), systems. SP 800-57 (key management), competition SP 800-67 (block encryption), cryptographers SP 800-108 (key derivation), and took SP 800-131A (key lengths), sustained public effort. SP 800-133 (key generation), a security SP 800-152 (key management), of them? and related protocol documents such as SP 800-81r1.
5 6 ding During the same period, Attention of auditors was NIST also published not entirely on SHA-3. and FIPS 186-3 (signatures), by Auditors caught a severe FIPS 198-1 (authentication), “cryptanalysts” security flaw in EAX Prime SP 800-38E (disk encryption), for just before NIST standardization. SP 800-38F (key wrapping), roblems SP 800-56C (key derivation), SP 800-57 (key management), etition SP 800-67 (block encryption), cryptographers SP 800-108 (key derivation), SP 800-131A (key lengths), effort. SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.
6 7 During the same period, Attention of auditors was NIST also published not entirely on SHA-3. FIPS 186-3 (signatures), Auditors caught a severe FIPS 198-1 (authentication), security flaw in EAX Prime SP 800-38E (disk encryption), just before NIST standardization. SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.
6 7 During the same period, Attention of auditors was NIST also published not entirely on SHA-3. FIPS 186-3 (signatures), Auditors caught a severe FIPS 198-1 (authentication), security flaw in EAX Prime SP 800-38E (disk encryption), just before NIST standardization. SP 800-38F (key wrapping), Also a troublesome flaw in SP 800-56C (key derivation), the GCM security “proofs” SP 800-57 (key management), years after NIST standardization. SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.
6 7 During the same period, Attention of auditors was NIST also published not entirely on SHA-3. FIPS 186-3 (signatures), Auditors caught a severe FIPS 198-1 (authentication), security flaw in EAX Prime SP 800-38E (disk encryption), just before NIST standardization. SP 800-38F (key wrapping), Also a troublesome flaw in SP 800-56C (key derivation), the GCM security “proofs” SP 800-57 (key management), years after NIST standardization. SP 800-67 (block encryption), SP 800-108 (key derivation), Why did this take years? SP 800-131A (key lengths), Scientific advances? No! SP 800-133 (key generation), We successfully denied service. SP 800-152 (key management), and related protocol documents such as SP 800-81r1.
6 7 During the same period, Attention of auditors was NIST also published not entirely on SHA-3. FIPS 186-3 (signatures), Auditors caught a severe FIPS 198-1 (authentication), security flaw in EAX Prime SP 800-38E (disk encryption), just before NIST standardization. SP 800-38F (key wrapping), Also a troublesome flaw in SP 800-56C (key derivation), the GCM security “proofs” SP 800-57 (key management), years after NIST standardization. SP 800-67 (block encryption), SP 800-108 (key derivation), Why did this take years? SP 800-131A (key lengths), Scientific advances? No! SP 800-133 (key generation), We successfully denied service. SP 800-152 (key management), And NIST is just the tip of the and related protocol documents crypto standardization iceberg. such as SP 800-81r1.
6 7 the same period, Attention of auditors was Flooding also published not entirely on SHA-3. If we were 186-3 (signatures), Auditors caught a severe would tell 198-1 (authentication), security flaw in EAX Prime ciphers/hashes 800-38E (disk encryption), just before NIST standardization. 800-38F (key wrapping), Also a troublesome flaw in 800-56C (key derivation), the GCM security “proofs” 800-57 (key management), years after NIST standardization. 800-67 (block encryption), 800-108 (key derivation), Why did this take years? 800-131A (key lengths), Scientific advances? No! 800-133 (key generation), We successfully denied service. 800-152 (key management), And NIST is just the tip of the related protocol documents crypto standardization iceberg. as SP 800-81r1.
6 7 period, Attention of auditors was Flooding via dishonest lished not entirely on SHA-3. If we were honest then (signatures), Auditors caught a severe would tell Alice+Bob (authentication), security flaw in EAX Prime ciphers/hashes as (disk encryption), just before NIST standardization. wrapping), Also a troublesome flaw in ey derivation), the GCM security “proofs” management), years after NIST standardization. ck encryption), derivation), Why did this take years? ey lengths), Scientific advances? No! generation), We successfully denied service. management), And NIST is just the tip of the rotocol documents crypto standardization iceberg. 800-81r1.
6 7 Attention of auditors was Flooding via dishonesty not entirely on SHA-3. If we were honest then we Auditors caught a severe would tell Alice+Bob to reuse (authentication), security flaw in EAX Prime ciphers/hashes as PRNGs. encryption), just before NIST standardization. wrapping), Also a troublesome flaw in derivation), the GCM security “proofs” management), years after NIST standardization. encryption), derivation), Why did this take years? lengths), Scientific advances? No! generation), We successfully denied service. management), And NIST is just the tip of the cuments crypto standardization iceberg.
7 8 Attention of auditors was Flooding via dishonesty not entirely on SHA-3. If we were honest then we Auditors caught a severe would tell Alice+Bob to reuse security flaw in EAX Prime ciphers/hashes as PRNGs. just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg.
7 8 Attention of auditors was Flooding via dishonesty not entirely on SHA-3. If we were honest then we Auditors caught a severe would tell Alice+Bob to reuse security flaw in EAX Prime ciphers/hashes as PRNGs. just before NIST standardization. But why should we be honest? Also a troublesome flaw in Let’s build PRNGs from scratch! the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg.
7 8 Attention of auditors was Flooding via dishonesty not entirely on SHA-3. If we were honest then we Auditors caught a severe would tell Alice+Bob to reuse security flaw in EAX Prime ciphers/hashes as PRNGs. just before NIST standardization. But why should we be honest? Also a troublesome flaw in Let’s build PRNGs from scratch! the GCM security “proofs” 2004: Number-theoretic RNGs years after NIST standardization. provide “increased assurance.” Why did this take years? 2006: Dual EC Scientific advances? No! “is the only DRBG mechanism We successfully denied service. in this Recommendation And NIST is just the tip of the whose security is related to a crypto standardization iceberg. hard problem in number theory.”
7 8 ttention of auditors was Flooding via dishonesty Denial of entirely on SHA-3. If we were honest then we 2006 Gjøsteen, rs caught a severe would tell Alice+Bob to reuse 2006 Scho y flaw in EAX Prime ciphers/hashes as PRNGs. Dual EC efore NIST standardization. definition But why should we be honest? troublesome flaw in Let’s build PRNGs from scratch! GCM security “proofs” 2004: Number-theoretic RNGs after NIST standardization. provide “increased assurance.” did this take years? 2006: Dual EC Scientific advances? No! “is the only DRBG mechanism successfully denied service. in this Recommendation NIST is just the tip of the whose security is related to a standardization iceberg. hard problem in number theory.”
7 8 auditors was Flooding via dishonesty Denial of service via SHA-3. If we were honest then we 2006 Gjøsteen, indep a severe would tell Alice+Bob to reuse 2006 Schoenmakers–Sido EAX Prime ciphers/hashes as PRNGs. Dual EC flunks well-established standardization. definition of PRNG But why should we be honest? troublesome flaw in Let’s build PRNGs from scratch! y “proofs” 2004: Number-theoretic RNGs standardization. provide “increased assurance.” e years? 2006: Dual EC advances? No! “is the only DRBG mechanism successfully denied service. in this Recommendation just the tip of the whose security is related to a rdization iceberg. hard problem in number theory.”
7 8 Flooding via dishonesty Denial of service via hoops If we were honest then we 2006 Gjøsteen, independently would tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenk Prime ciphers/hashes as PRNGs. Dual EC flunks well-established rdization. definition of PRNG security. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs rdization. provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism service. in this Recommendation of the whose security is related to a iceberg. hard problem in number theory.”
8 9 Flooding via dishonesty Denial of service via hoops If we were honest then we 2006 Gjøsteen, independently would tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: ciphers/hashes as PRNGs. Dual EC flunks well-established definition of PRNG security. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.”
8 9 Flooding via dishonesty Denial of service via hoops If we were honest then we 2006 Gjøsteen, independently would tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: ciphers/hashes as PRNGs. Dual EC flunks well-established definition of PRNG security. But why should we be honest? Let’s build PRNGs from scratch! Are all applications broken? Obviously not! Standardize! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.”
8 9 Flooding via dishonesty Denial of service via hoops If we were honest then we 2006 Gjøsteen, independently would tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: ciphers/hashes as PRNGs. Dual EC flunks well-established definition of PRNG security. But why should we be honest? Let’s build PRNGs from scratch! Are all applications broken? Obviously not! Standardize! 2004: Number-theoretic RNGs provide “increased assurance.” 2007 Shumow–Ferguson: Dual EC has a back door. Would have 2006: Dual EC been easy to build Q with the key. “is the only DRBG mechanism in this Recommendation 2007 Schneier: Never use Dual whose security is related to a EC. “Both NIST and the NSA hard problem in number theory.” have some explaining to do.”
8 9 ding via dishonesty Denial of service via hoops Did Shumo show us ere honest then we 2006 Gjøsteen, independently tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: Maintain ciphers/hashes as PRNGs. Dual EC flunks well-established standard. definition of PRNG security. why should we be honest? 2008.07–2014.03: build PRNGs from scratch! Are all applications broken? 73 validation Obviously not! Standardize! for Dual Number-theoretic RNGs rovide “increased assurance.” 2007 Shumow–Ferguson: Dual EC has a back door. Would have Dual EC been easy to build Q with the key. only DRBG mechanism Recommendation 2007 Schneier: Never use Dual security is related to a EC. “Both NIST and the NSA roblem in number theory.” have some explaining to do.”
8 9 dishonesty Denial of service via hoops Did Shumow and F show us the key? No! t then we 2006 Gjøsteen, independently Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: Maintain and promote as PRNGs. Dual EC flunks well-established standard. Pay people definition of PRNG security. we be honest? 2008.07–2014.03: PRNGs from scratch! Are all applications broken? 73 validation certificates Obviously not! Standardize! for Dual EC implementations. er-theoretic RNGs reased assurance.” 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. DRBG mechanism Recommendation 2007 Schneier: Never use Dual is related to a EC. “Both NIST and the NSA number theory.” have some explaining to do.”
8 9 Denial of service via hoops Did Shumow and Ferguson show us the key? No! 2006 Gjøsteen, independently reuse 2006 Schoenmakers–Sidorenko: Maintain and promote Dual Dual EC flunks well-established standard. Pay people to use definition of PRNG security. est? 2008.07–2014.03: NIST issues scratch! Are all applications broken? 73 validation certificates Obviously not! Standardize! for Dual EC implementations. NGs assurance.” 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. mechanism 2007 Schneier: Never use Dual to a EC. “Both NIST and the NSA theory.” have some explaining to do.”
9 10 Denial of service via hoops Did Shumow and Ferguson show us the key? No! 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Maintain and promote Dual EC Dual EC flunks well-established standard. Pay people to use it. definition of PRNG security. 2008.07–2014.03: NIST issues Are all applications broken? 73 validation certificates Obviously not! Standardize! for Dual EC implementations. 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. 2007 Schneier: Never use Dual EC. “Both NIST and the NSA have some explaining to do.”
9 10 Denial of service via hoops Did Shumow and Ferguson show us the key? No! 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Maintain and promote Dual EC Dual EC flunks well-established standard. Pay people to use it. definition of PRNG security. 2008.07–2014.03: NIST issues Are all applications broken? 73 validation certificates Obviously not! Standardize! for Dual EC implementations. 2007 Shumow–Ferguson: Dual Even after being caught, EC has a back door. Would have continue to burn auditors’ time by been easy to build Q with the key. demanding that they jump higher. 2007 Schneier: Never use Dual NSA’s Dickie George, 2014: Gee, EC. “Both NIST and the NSA Dual EC is really hard to exploit! have some explaining to do.”
9 10 of service via hoops Did Shumow and Ferguson System vs. show us the key? No! Gjøsteen, independently Traditiona Schoenmakers–Sidorenko: Maintain and promote Dual EC Auditor lo EC flunks well-established standard. Pay people to use it. an RNG. definition of PRNG security. 2008.07–2014.03: NIST issues Auditor’s all applications broken? 73 validation certificates random numb Obviously not! Standardize! for Dual EC implementations. Bob are Shumow–Ferguson: Dual Even after being caught, has a back door. Would have continue to burn auditors’ time by easy to build Q with the key. demanding that they jump higher. Schneier: Never use Dual NSA’s Dickie George, 2014: Gee, “Both NIST and the NSA Dual EC is really hard to exploit! some explaining to do.”
9 10 via hoops Did Shumow and Ferguson System vs. ecosystem show us the key? No! independently Traditional RNG auditing: enmakers–Sidorenko: Maintain and promote Dual EC Auditor looks at one well-established standard. Pay people to use it. an RNG. Tries to find PRNG security. 2008.07–2014.03: NIST issues Auditor’s starting assumption: applications broken? 73 validation certificates random numbers fo Standardize! for Dual EC implementations. Bob are created by erguson: Dual Even after being caught, door. Would have continue to burn auditors’ time by build Q with the key. demanding that they jump higher. Never use Dual NSA’s Dickie George, 2014: Gee, and the NSA Dual EC is really hard to exploit! explaining to do.”
9 10 ops Did Shumow and Ferguson System vs. ecosystem show us the key? No! endently Traditional RNG auditing: renko: Maintain and promote Dual EC Auditor looks at one system, ell-established standard. Pay people to use it. an RNG. Tries to find weakness. y. 2008.07–2014.03: NIST issues Auditor’s starting assumption: en? 73 validation certificates random numbers for Alice and rdize! for Dual EC implementations. Bob are created by an RNG. Dual Even after being caught, ould have continue to burn auditors’ time by the key. demanding that they jump higher. Dual NSA’s Dickie George, 2014: Gee, NSA Dual EC is really hard to exploit! do.”
10 11 Did Shumow and Ferguson System vs. ecosystem show us the key? No! Traditional RNG auditing: Maintain and promote Dual EC Auditor looks at one system, standard. Pay people to use it. an RNG. Tries to find weakness. 2008.07–2014.03: NIST issues Auditor’s starting assumption: 73 validation certificates random numbers for Alice and for Dual EC implementations. Bob are created by an RNG. Even after being caught, continue to burn auditors’ time by demanding that they jump higher. NSA’s Dickie George, 2014: Gee, Dual EC is really hard to exploit!
10 11 Did Shumow and Ferguson System vs. ecosystem show us the key? No! Traditional RNG auditing: Maintain and promote Dual EC Auditor looks at one system, standard. Pay people to use it. an RNG. Tries to find weakness. 2008.07–2014.03: NIST issues Auditor’s starting assumption: 73 validation certificates random numbers for Alice and for Dual EC implementations. Bob are created by an RNG. Even after being caught, Reality: random numbers continue to burn auditors’ time by are created by a much more demanding that they jump higher. complicated ecosystem that designs, evaluates, standardizes, NSA’s Dickie George, 2014: Gee, selects, implements, and deploys Dual EC is really hard to exploit! RNGs. (Same for other crypto.)
10 11 Shumow and Ferguson System vs. ecosystem This is a us the key? No! perspective. Traditional RNG auditing: defending Maintain and promote Dual EC Auditor looks at one system, rd. Pay people to use it. an RNG. Tries to find weakness. The ecosyste weaknesses 2008.07–2014.03: NIST issues Auditor’s starting assumption: inside any validation certificates random numbers for Alice and al EC implementations. Bob are created by an RNG. e.g. Easily after being caught, Reality: random numbers continue to burn auditors’ time by are created by a much more demanding that they jump higher. complicated ecosystem that designs, evaluates, standardizes, Dickie George, 2014: Gee, selects, implements, and deploys EC is really hard to exploit! RNGs. (Same for other crypto.)
10 11 and Ferguson System vs. ecosystem This is a critical change ? No! perspective. Audito Traditional RNG auditing: defending the wrong romote Dual EC Auditor looks at one system, eople to use it. an RNG. Tries to find weakness. The ecosystem has weaknesses that are 2008.07–2014.03: NIST issues Auditor’s starting assumption: inside any particula ertificates random numbers for Alice and implementations. Bob are created by an RNG. e.g. Easily take control caught, Reality: random numbers auditors’ time by are created by a much more they jump higher. complicated ecosystem that designs, evaluates, standardizes, George, 2014: Gee, selects, implements, and deploys hard to exploit! RNGs. (Same for other crypto.)
10 11 erguson System vs. ecosystem This is a critical change in perspective. Auditor is stuck Traditional RNG auditing: defending the wrong targets! Dual EC Auditor looks at one system, use it. an RNG. Tries to find weakness. The ecosystem has many weaknesses that are not visible issues Auditor’s starting assumption: inside any particular system. random numbers for Alice and implementations. Bob are created by an RNG. e.g. Easily take control of ISO. Reality: random numbers time by are created by a much more higher. complicated ecosystem that designs, evaluates, standardizes, 2014: Gee, selects, implements, and deploys exploit! RNGs. (Same for other crypto.)
11 12 System vs. ecosystem This is a critical change in perspective. Auditor is stuck Traditional RNG auditing: defending the wrong targets! Auditor looks at one system, an RNG. Tries to find weakness. The ecosystem has many weaknesses that are not visible Auditor’s starting assumption: inside any particular system. random numbers for Alice and Bob are created by an RNG. e.g. Easily take control of ISO. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys RNGs. (Same for other crypto.)
11 12 System vs. ecosystem This is a critical change in perspective. Auditor is stuck Traditional RNG auditing: defending the wrong targets! Auditor looks at one system, an RNG. Tries to find weakness. The ecosystem has many weaknesses that are not visible Auditor’s starting assumption: inside any particular system. random numbers for Alice and Bob are created by an RNG. e.g. Easily take control of ISO. Reality: random numbers e.g. Propose 20 weak standards. are created by a much more Some will survive auditing. complicated ecosystem that Then manipulate selection. designs, evaluates, standardizes, selects, implements, and deploys RNGs. (Same for other crypto.)
11 12 System vs. ecosystem This is a critical change in perspective. Auditor is stuck Traditional RNG auditing: defending the wrong targets! Auditor looks at one system, an RNG. Tries to find weakness. The ecosystem has many weaknesses that are not visible Auditor’s starting assumption: inside any particular system. random numbers for Alice and Bob are created by an RNG. e.g. Easily take control of ISO. Reality: random numbers e.g. Propose 20 weak standards. are created by a much more Some will survive auditing. complicated ecosystem that Then manipulate selection. designs, evaluates, standardizes, Deter publication of weaknesses: selects, implements, and deploys “This attack is trivial. Reject.” RNGs. (Same for other crypto.)
� � 11 12 vs. ecosystem Textbook This is a critical change in perspective. Auditor is stuck using standa raditional RNG auditing: defending the wrong targets! on a standa r looks at one system, Alice’s RNG. Tries to find weakness. The ecosystem has many secret weaknesses that are not visible r’s starting assumption: inside any particular system. numbers for Alice and Alice’s re created by an RNG. e.g. Easily take control of ISO. public aP y: random numbers e.g. Propose 20 weak standards. created by a much more Some will survive auditing. { Alice ; Bob complicated ecosystem that Then manipulate selection. shared designs, evaluates, standardizes, abP Deter publication of weaknesses: selects, implements, and deploys “This attack is trivial. Reject.” (Same for other crypto.)
� � 11 12 ecosystem Textbook key exchange This is a critical change in perspective. Auditor is stuck using standard point auditing: defending the wrong targets! on a standard elliptic one system, Alice’s to find weakness. The ecosystem has many secret key a weaknesses that are not visible rting assumption: inside any particular system. ers for Alice and Alice’s by an RNG. e.g. Easily take control of ISO. public key aP ▲ numbers e.g. Propose 20 weak standards. ▲ ▲ � rrrrr ▲ ▲ much more Some will survive auditing. { Alice ; Bob } ’s osystem that Then manipulate selection. = shared secret evaluates, standardizes, abP Deter publication of weaknesses: implements, and deploys “This attack is trivial. Reject.” r other crypto.)
� � � � 11 12 Textbook key exchange This is a critical change in perspective. Auditor is stuck using standard point P defending the wrong targets! on a standard elliptic curve E system, Alice’s Bob’s eakness. The ecosystem has many secret key a secret k weaknesses that are not visible assumption: inside any particular system. and Alice’s Bob’s RNG. e.g. Easily take control of ISO. public key public aP bP ▲ e.g. Propose 20 weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ re Some will survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice that Then manipulate selection. shared secret shared sec rdizes, abP baP Deter publication of weaknesses: deploys “This attack is trivial. Reject.” crypto.)
� � � � � 12 13 Textbook key exchange This is a critical change in perspective. Auditor is stuck using standard point P defending the wrong targets! on a standard elliptic curve E : Alice’s Bob’s The ecosystem has many secret key a secret key b weaknesses that are not visible inside any particular system. Alice’s Bob’s e.g. Easily take control of ISO. public key public key aP bP ▲ e.g. Propose 20 weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ Some will survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s Then manipulate selection. shared secret shared secret abP baP Deter publication of weaknesses: “This attack is trivial. Reject.”
� � � � � 12 13 Textbook key exchange This is a critical change in perspective. Auditor is stuck using standard point P defending the wrong targets! on a standard elliptic curve E : Alice’s Bob’s The ecosystem has many secret key a secret key b weaknesses that are not visible inside any particular system. Alice’s Bob’s e.g. Easily take control of ISO. public key public key aP bP ▲ e.g. Propose 20 weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ Some will survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s Then manipulate selection. shared secret shared secret abP baP Deter publication of weaknesses: “This attack is trivial. Reject.” Security depends on choice of E .
� � � � � � � 12 13 Textbook key exchange Our is a critical change in ective. Auditor is stuck using standard point P defending the wrong targets! on a standard elliptic curve E : Alice’s Bob’s Alice’s ecosystem has many secret key a secret key b secret eaknesses that are not visible any particular system. Alice’s Bob’s Alice’s Easily take control of ISO. public key public key public aP bP aP ▲ Propose 20 weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ will survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob manipulate selection. shared secret shared secret shared abP baP abP publication of weaknesses: attack is trivial. Reject.” Security depends on choice of E . This is not
� � � � � � � � 12 13 Textbook key exchange Our partner critical change in choice of Auditor is stuck using standard point P wrong targets! on a standard elliptic curve E : Alice’s Bob’s Alice’s has many secret key a secret key b secret key a are not visible rticular system. Alice’s Bob’s Alice’s control of ISO. public key public key public key aP bP aP ▲ ▲ weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ � rrrrr ▲ ▲ ▲ ▲ survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob } ’s manipulate selection. = shared secret shared secret shared secret abP baP abP publication of weaknesses: trivial. Reject.” Security depends on choice of E . This is not the same
� � � � � � � � � � � 12 13 Textbook key exchange Our partner Jerry’s in choice of E; P stuck using standard point P rgets! on a standard elliptic curve E : Alice’s Bob’s Alice’s Bob’s secret key a secret key b secret key a secret k visible system. Alice’s Bob’s Alice’s Bob’s ISO. public key public key public key public aP bP aP bP ▲ ▲ standards. � rrrrrrr ▲ � rrrrrrr ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ auditing. ▲ ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice election. shared secret shared secret shared secret shared sec abP baP abP baP eaknesses: Reject.” Security depends on choice of E . This is not the same picture!
� � � � � � � � � � � � 13 14 Textbook key exchange Our partner Jerry’s choice of E; P using standard point P on a standard elliptic curve E : Alice’s Bob’s Alice’s Bob’s secret key a secret key b secret key a secret key b Alice’s Bob’s Alice’s Bob’s public key public key public key public key aP bP aP bP ▲ ▲ � rrrrrrr ▲ � rrrrrrr ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice } ’s shared secret shared secret shared secret shared secret abP baP abP baP Security depends on choice of E . This is not the same picture!
� � � � � � � � � � � 13 14 ok key exchange Our partner Jerry’s One final choice of E; P standard point P 2005 Brainp standard elliptic curve E : “The choice Alice’s Bob’s Alice’s Bob’s from which secret key a secret key b secret key a secret key b parameters not motivated part of the Alice’s Bob’s Alice’s Bob’s public key public key public key public key : : : Verifiably aP bP aP bP ▲ ▲ � rrrrrrr ▲ � rrrrrrr ▲ The [Brainp ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ generated ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice } ’s manner using red secret shared secret shared secret shared secret generated bP baP abP baP comprehensive Security depends on choice of E . This is not the same picture!
� � � � � � � � � � 13 14 exchange Our partner Jerry’s One final example choice of E; P oint P 2005 Brainpool standa elliptic curve E : “The choice of the Bob’s Alice’s Bob’s from which the [NIST] secret key b secret key a secret key b parameters have b not motivated leaving part of the security Bob’s Alice’s Bob’s public key public key public key : : : Verifiably pseudo-random. bP aP bP ▲ rrrr � rrrrrrr ▲ The [Brainpool] curves ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ generated in a pseudo-random = { Bob ; Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice } ’s manner using seeds shared secret shared secret shared secret generated in a systematic baP abP baP comprehensive way ends on choice of E . This is not the same picture!
� � � � � � � � 13 14 Our partner Jerry’s One final example choice of E; P 2005 Brainpool standard: curve E : “The choice of the seeds Bob’s Alice’s Bob’s from which the [NIST] curve key b secret key a secret key b parameters have been derived not motivated leaving an essential part of the security analysis Bob’s Alice’s Bob’s public key public key public key : : : Verifiably pseudo-random. P aP bP ▲ � rrrrrrr ▲ The [Brainpool] curves shall ▲ ▲ ▲ ▲ ▲ generated in a pseudo-random Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice } ’s manner using seeds that are secret shared secret shared secret generated in a systematic and aP abP baP comprehensive way.” choice of E . This is not the same picture!
� � � � � � � 14 15 Our partner Jerry’s One final example choice of E; P 2005 Brainpool standard: “The choice of the seeds Alice’s Bob’s from which the [NIST] curve secret key a secret key b parameters have been derived is not motivated leaving an essential part of the security analysis open. Alice’s Bob’s public key public key : : : Verifiably pseudo-random. aP bP ▲ � rrrrrrr ▲ The [Brainpool] curves shall be ▲ ▲ ▲ ▲ ▲ generated in a pseudo-random { Alice ; Bob } ’s = { Bob ; Alice } ’s manner using seeds that are shared secret shared secret generated in a systematic and abP baP comprehensive way.” This is not the same picture!
� � � � � � 14 15 Our partner Jerry’s One final example import hashlib def hash(seed): h choice of E; P seedbytes = 20 2005 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = “The choice of the seeds def secure(A,B): if k(B).is_square(): Alice’s Bob’s from which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and secret key a secret key b and Integers(n)(p).multiplicative_order() parameters have been derived is def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) not motivated leaving an essential def str2int(seed): return Integer(seed.encode(’hex’),16) part of the security analysis open. Alice’s Bob’s def update(seed): public key public key return int2str(str2int(seed) : : : Verifiably pseudo-random. def fullhash(seed): aP bP ▲ return str2int(hash(seed) � rrrrrrr ▲ The [Brainpool] curves shall be ▲ ▲ ▲ def real2str(seed,bytes): ▲ ▲ generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) ; Bob } ’s = { Bob ; Alice } ’s nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] red secret shared secret while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): bP baP S = update(S) B = fullhash(S) comprehensive way.” if not secure(A,B): print ’p’,hex(p).upper() is not the same picture! print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
� � � � 14 15 rtner Jerry’s One final example import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); of E; P seedbytes = 20 2005 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] “The choice of the seeds def secure(A,B): if k(B).is_square(): return False Bob’s from which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() secret key b and Integers(n)(p).multiplicative_order() parameters have been derived is def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) not motivated leaving an essential def str2int(seed): return Integer(seed.encode(’hex’),16) part of the security analysis open. Bob’s def update(seed): public key return int2str(str2int(seed) + 1,len(seed)) : : : Verifiably pseudo-random. def fullhash(seed): bP return str2int(hash(seed) + hash(update(seed))) rrrr The [Brainpool] curves shall be ▲ def real2str(seed,bytes): ▲ ▲ generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) = { Bob ; Alice } ’s nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] shared secret while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): S = update(S); baP S = update(S) B = fullhash(S) comprehensive way.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() same picture! print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
� 14 15 Jerry’s One final example import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return seedbytes = 20 2005 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] “The choice of the seeds def secure(A,B): if k(B).is_square(): return False Bob’s from which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() key b and Integers(n)(p).multiplicative_order() * 100 >= n-1) parameters have been derived is def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) not motivated leaving an essential def str2int(seed): return Integer(seed.encode(’hex’),16) part of the security analysis open. Bob’s def update(seed): public key return int2str(str2int(seed) + 1,len(seed)) : : : Verifiably pseudo-random. def fullhash(seed): P return str2int(hash(seed) + hash(update(seed))) % 2^223 The [Brainpool] curves shall be def real2str(seed,bytes): generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) Alice } ’s nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] secret while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): S = update(S); continue aP S = update(S) B = fullhash(S) comprehensive way.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() picture! print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
15 16 One final example import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 2005 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] “The choice of the seeds def secure(A,B): if k(B).is_square(): return False from which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) parameters have been derived is def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) not motivated leaving an essential def str2int(seed): return Integer(seed.encode(’hex’),16) part of the security analysis open. def update(seed): return int2str(str2int(seed) + 1,len(seed)) : : : Verifiably pseudo-random. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 The [Brainpool] curves shall be def real2str(seed,bytes): generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) comprehensive way.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
15 16 final example 2015: W import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-gene seedbytes = 20 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the k = GF(p); R.<x> = k[] choice of the seeds def secure(A,B): Previous if k(B).is_square(): return False which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) rameters have been derived is Output of def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) motivated leaving an essential p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E return Integer(seed.encode(’hex’),16) of the security analysis open. B 68AEC4BFE84C659E def update(seed): return int2str(str2int(seed) + 1,len(seed)) erifiably pseudo-random. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 [Brainpool] curves shall be def real2str(seed,bytes): generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) rehensive way.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
15 16 example 2015: We carefully import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation seedbytes = 20 standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool k = GF(p); R.<x> = k[] the seeds def secure(A,B): Previous slide: 224-bit if k(B).is_square(): return False [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) been derived is Output of this pro def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) leaving an essential p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E return Integer(seed.encode(’hex’),16) security analysis open. B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) pseudo-random. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 curves shall be def real2str(seed,bytes): pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) seeds that are S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) systematic and if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) ay.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
15 16 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. if k(B).is_square(): return False curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) derived is Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) essential p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E return Integer(seed.encode(’hex’),16) analysis open. B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) pseudo-random. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 shall be def real2str(seed,bytes): pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) re S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) and if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
16 17 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E return Integer(seed.encode(’hex’),16) B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
16 17 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E return Integer(seed.encode(’hex’),16) B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) The standard 224-bit Brainpool def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 curve is not the same curve : def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF S = nums[2*seedbytes:3*seedbytes] A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 while True: B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
16 17 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E return Integer(seed.encode(’hex’),16) B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) The standard 224-bit Brainpool def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 curve is not the same curve : def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF S = nums[2*seedbytes:3*seedbytes] A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 while True: B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) Next slide: a procedure if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() that does generate print ’A’,hex(A).upper() print ’B’,hex(B).upper() break the standard Brainpool curve.
16 17 2015: We carefully implemented import hashlib = hashlib.sha1(); h.update(seed); return h.digest() def hash(seed): h the curve-generation procedure seedbytes = 20 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. = k[] k = GF(p); R.<x> = def secure(A,B): Previous slide: 224-bit procedure. k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() EllipticCurve([k(A),k(B)]).cardinality() return (n < p and and n.is_prime() and Integers(n)(p).multiplicative_order() Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF str2int(seed): return Integer(seed.encode(’hex’),16) A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E Integer(seed.encode(’hex’),16) def update(seed): B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): The standard 224-bit Brainpool fullhash(seed): return str2int(hash(seed) str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): curve is not the same curve : real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF nums[2*seedbytes:3*seedbytes] while True: A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) Next slide: a procedure secure(A,B): S = update(S); continue if not k(B).is_square(): ’p’,hex(p).upper() if not secure(A,B): that does generate ’A’,hex(A).upper() print ’p’,hex(p).upper() ’B’,hex(B).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() the standard Brainpool curve. break
16 17 2015: We carefully implemented import hashlib h.update(seed); return h.digest() def hash(seed): h = hashlib.sha1(); h.update(seed); the curve-generation procedure seedbytes = 20 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E Integer(seed.encode(’hex’),16) def update(seed): B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) 1,len(seed)) def fullhash(seed): The standard 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) hash(update(seed))) % 2^223 def real2str(seed,bytes): curve is not the same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); update(S); continue while True: S = update(S) B = fullhash(S) Next slide: a procedure continue if not k(B).is_square(): break if not secure(A,B): S = update(S); continue that does generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() the standard Brainpool curve. break
16 17 2015: We carefully implemented import hashlib h.digest() def hash(seed): h = hashlib.sha1(); h.update(seed); return the curve-generation procedure seedbytes = 20 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) reversed(range(bytes))]) def str2int(seed): p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E def update(seed): B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): The standard 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): curve is not the same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) Next slide: a procedure if not k(B).is_square(): break if not secure(A,B): S = update(S); continue that does generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() the standard Brainpool curve. break
17 18 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E def update(seed): B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): The standard 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): curve is not the same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) Next slide: a procedure if not k(B).is_square(): break if not secure(A,B): S = update(S); continue that does generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() the standard Brainpool curve. break
17 18 We carefully implemented Did Brainp import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() curve-generation procedure publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF the Brainpool standard. Did they k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: advertised def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, def str2int(seed): D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E transparent”, def update(seed): 8AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) say the same def fullhash(seed): standard 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): is not the same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) slide: a procedure if not k(B).is_square(): break if not secure(A,B): S = update(S); continue does generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() standard Brainpool curve. break
17 18 refully implemented Did Brainpool check import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() ation procedure publication? After seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF ool standard. Did they know befo k = GF(p); R.<x> = k[] def secure(A,B): 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) rocedure: advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E transparent”, etc. def update(seed): BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) say the same for b def fullhash(seed): 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) cedure if not k(B).is_square(): break if not secure(A,B): S = update(S); continue generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() Brainpool curve. break
17 18 implemented Did Brainpool check before import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() cedure publication? After publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF rd. Did they know before 2015? k = GF(p); R.<x> = k[] def secure(A,B): cedure. n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) 8AEC4BFE84C659E transparent”, etc. Surely we def update(seed): BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. def fullhash(seed): Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() curve. break
18 19 Did Brainpool check before import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() publication? After publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): return Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can def update(seed): return int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
18 19 Did Brainpool check before import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() publication? After publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): return Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can def update(seed): return int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): Can quietly manipulate choice return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) to take the weaker procedure. S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
18 19 Did Brainpool check before import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() publication? After publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): return Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can def update(seed): return int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): Can quietly manipulate choice return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) to take the weaker procedure. S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue Interesting Brainpool quote: “It while True: S = update(S) B = fullhash(S) is envisioned to provide additional if not k(B).is_square(): break if not secure(A,B): S = update(S); continue curves on a regular basis.” print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break
18 19 Did Brainpool check before We made = hashlib.sha1(); h.update(seed); return h.digest() publication? After publication? using standa 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? = k[] To avoid EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is complications and n.is_prime() Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, hash outputs: int2str(seed,bytes): ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely from SHA-1 str2int(seed): Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can maximum-securit int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. Also upgraded fullhash(seed): str2int(hash(seed) + hash(update(seed))) % 2^223 maximum real2str(seed,bytes): Can quietly manipulate choice int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) to take the weaker procedure. Brainpool nums[2*seedbytes:3*seedbytes] and arctan(1) (k(A)*x^4+3).roots(): S = update(S); continue Interesting Brainpool quote: “It uses sin(1), fullhash(S) is envisioned to provide additional k(B).is_square(): break We also secure(A,B): S = update(S); continue curves on a regular basis.” ’p’,hex(p).upper() ’A’,hex(A).upper() pattern of ’B’,hex(B).upper()
18 19 Did Brainpool check before We made a new 224- h.update(seed); return h.digest() publication? After publication? using standard NIST 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? To avoid Brainpool’s EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is complications of concatenating Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, hash outputs: We ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely from SHA-1 to state-of-the-a Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can maximum-security 1,len(seed)) say the same for both procedures. Also upgraded to requiring hash(update(seed))) % 2^223 maximum twist securit Can quietly manipulate choice int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) to take the weaker procedure. Brainpool uses exp(1) and arctan(1) = ı update(S); continue Interesting Brainpool quote: “It uses sin(1), so we is envisioned to provide additional We also used much continue curves on a regular basis.” pattern of searching
18 19 Did Brainpool check before We made a new 224-bit curve h.digest() publication? After publication? using standard NIST P-224 p 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? To avoid Brainpool’s Brainpool procedure is complications of concatenating n-1) advertised as “systematic”, hash outputs: We upgraded reversed(range(bytes))]) “comprehensive”, “completely from SHA-1 to state-of-the-a transparent”, etc. Surely we can maximum-security SHA3-512. say the same for both procedures. Also upgraded to requiring maximum twist security. Can quietly manipulate choice int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) to take the weaker procedure. Brainpool uses exp(1) = e and arctan(1) = ı= 4, and M Interesting Brainpool quote: “It uses sin(1), so we used cos(1). is envisioned to provide additional We also used much simpler curves on a regular basis.” pattern of searching for seeds.
19 20 Did Brainpool check before We made a new 224-bit curve publication? After publication? using standard NIST P-224 prime. Did they know before 2015? To avoid Brainpool’s Brainpool procedure is complications of concatenating advertised as “systematic”, hash outputs: We upgraded “comprehensive”, “completely from SHA-1 to state-of-the-art transparent”, etc. Surely we can maximum-security SHA3-512. say the same for both procedures. Also upgraded to requiring maximum twist security. Can quietly manipulate choice to take the weaker procedure. Brainpool uses exp(1) = e and arctan(1) = ı= 4, and MD5 Interesting Brainpool quote: “It uses sin(1), so we used cos(1). is envisioned to provide additional We also used much simpler curves on a regular basis.” pattern of searching for seeds.
19 20 Brainpool check before We made a new 224-bit curve import simplesha3 hash = simplesha3.sha3512 publication? After publication? using standard NIST P-224 prime. p = 2^224 - 2^96 + k = GF(p) they know before 2015? seedbytes = 20 To avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() ool procedure is complications of concatenating return (n.is_prime() and Integers(n)(p).multiplicative_order() and Integers(2*p+2-n)(p).multiplicative_order() advertised as “systematic”, hash outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) rehensive”, “completely from SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) the same for both procedures. Also upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. quietly manipulate choice sizeofint = 4 nums = real2str(cos(1),seedbytes for counter in xrange(0,256^sizeofint): e the weaker procedure. Brainpool uses exp(1) = e S = int2str(counter,sizeofint) T = complement(S) A = str2int(hash(S)) and arctan(1) = ı= 4, and MD5 B = str2int(hash(T)) Interesting Brainpool quote: “It if secure(A,B): uses sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() envisioned to provide additional print ’B’,hex(B).upper() We also used much simpler break on a regular basis.” pattern of searching for seeds.
19 20 check before We made a new 224-bit curve import simplesha3 hash = simplesha3.sha3512 After publication? using standard NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) efore 2015? seedbytes = 20 To avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() cedure is complications of concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() and Integers(2*p+2-n)(p).multiplicative_order() “systematic”, hash outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) rehensive”, “completely from SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) etc. Surely we can maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for both procedures. Also upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. manipulate choice sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): er procedure. Brainpool uses exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) and arctan(1) = ı= 4, and MD5 B = str2int(hash(T)) Brainpool quote: “It if secure(A,B): uses sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() provide additional print ’B’,hex(B).upper() We also used much simpler break regular basis.” pattern of searching for seeds.
19 20 re We made a new 224-bit curve import simplesha3 hash = simplesha3.sha3512 publication? using standard NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) 2015? seedbytes = 20 To avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() complications of concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= “systematic”, hash outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “completely from SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) we can maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) cedures. Also upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. choice sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): cedure. Brainpool uses exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) and arctan(1) = ı= 4, and MD5 B = str2int(hash(T)) quote: “It if secure(A,B): uses sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() additional print ’B’,hex(B).upper() We also used much simpler break pattern of searching for seeds.
20 21 We made a new 224-bit curve import simplesha3 hash = simplesha3.sha3512 using standard NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 To avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() complications of concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) hash outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) from SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) Also upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): Brainpool uses exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) and arctan(1) = ı= 4, and MD5 B = str2int(hash(T)) if secure(A,B): uses sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() We also used much simpler break pattern of searching for seeds.
20 21 made a new 224-bit curve Output: import simplesha3 hash = simplesha3.sha3512 standard NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() complications of concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): ool uses exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) rctan(1) = ı= 4, and MD5 B = str2int(hash(T)) if secure(A,B): sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() also used much simpler break pattern of searching for seeds.
20 21 224-bit curve Output: 7144BA12CE8A0C3BEFA053ED import simplesha3 hash = simplesha3.sha3512 NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 ool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) e upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) o requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) security. sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) ı= 4, and MD5 B = str2int(hash(T)) if secure(A,B): e used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() much simpler break rching for seeds.
Recommend
More recommend