the salsa20 stream cipher salsa20 additive stream cipher
play

The Salsa20 stream cipher Salsa20: additive stream cipher, - PowerPoint PPT Presentation

Apr 08, 2024 •265 likes •714 views

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

  1. The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR–9983950 Same speed either way, Alfred P. Sloan Foundation simplifying hardware. � : 8 bytes. Nonce Can send 2 64 messages under one key. � ): Stream Salsa20 ✁ ( 2 70 bytes for each message.

  2. � � ☎ ✁ ✄ � � stream cipher Salsa20: additive stream cipher, For authentication, expanding key and nonce combine Salsa20 with into long stream of bytes http://cr.yp.to/mac.html to add to plaintext. Given message Illinois at Chicago � Poly1305 �✂✁ �✆☎ Key : 16 or 32 bytes. Send ( CCR–9983950 �✝✁ ) = Salsa20 Same speed either way, ( ✁ ( Foundation simplifying hardware. �✟✞ Very fast; short secret � : 8 bytes. Nonce provably secure if Salsa20 Can send 2 64 messages better than encrypt-then-MA under one key. Easily adapt to “AEAD,” � ): Stream Salsa20 ✁ ( i.e., allow unencrypted 2 70 bytes for each message.

  3. � ☎ ✁ � Salsa20: additive stream cipher, For authentication, expanding key and nonce combine Salsa20 with Poly1305, into long stream of bytes http://cr.yp.to/mac.html . to add to plaintext. � : Given message with nonce � Poly1305 �✆☎ )) where �✂✁ Key : 16 or 32 bytes. Send ( ✄ ( �✝✁ ) = Salsa20 � ) Same speed either way, ( ✁ ( (0 ). simplifying hardware. �✟✞ ); Very fast; short secret key ( � : 8 bytes. Nonce provably secure if Salsa20 is secure; Can send 2 64 messages better than encrypt-then-MAC. under one key. Easily adapt to “AEAD,” � ): Stream Salsa20 ✁ ( i.e., allow unencrypted header. 2 70 bytes for each message.

  4. � � � � � � � � ☎ � � � � ✁ � additive stream cipher, For authentication, Let’s watch how Salsa20 and nonce combine Salsa20 with Poly1305, generates block of � 2 � 3 of bytes http://cr.yp.to/mac.html . from key (1 � 227 � 11 plaintext. nonce (255 � : Given message with nonce � Poly1305 �✆☎ )) where �✂✁ bytes. Send ( ✄ ( Notation: means �✝✁ ) = Salsa20 � ) either way, ( ✁ ( (0 ). Little-endian everywhere. are. �✟✞ ); Very fast; short secret key ( Key: ytes. provably secure if Salsa20 is secure; messages better than encrypt-then-MAC. Easily adapt to “AEAD,” Nonce: � ): ✁ ( i.e., allow unencrypted header. each message.

  5. � ✁ � � � � ☎ � For authentication, Let’s watch how Salsa20 combine Salsa20 with Poly1305, generates block of 64 bytes � 2 � 3 � 16), http://cr.yp.to/mac.html . from key (1 � 227 � 11 � 84 � 2 � 0 � 0 � 0). nonce (255 � : Given message with nonce � Poly1305 �✆☎ )) where �✂✁ Send ( ✄ ( Notation: means 1 + 2 + 16. �✝✁ ) = Salsa20 � ) ( ✁ ( (0 ). Little-endian everywhere. �✟✞ ); Very fast; short secret key ( Key: provably secure if Salsa20 is secure; better than encrypt-then-MAC. . Easily adapt to “AEAD,” Nonce: i.e., allow unencrypted header. .

  6. � � � � � � � ✁ � ☎ authentication, Let’s watch how Salsa20 Build 4 4 array of with Poly1305, generates block of 64 bytes � 2 � 3 � 16), http://cr.yp.to/mac.html . from key (1 � 227 � 11 � 84 � 2 � 0 � 0 � 0). nonce (255 � : with nonce �✆☎ )) where �✂✁ oly1305 ✄ ( Notation: means 1 + 2 + 16. � ) �✝✁ ✁ ( (0 ). Little-endian everywhere. Diagonal entries are �✟✞ ); secret key ( Key: if Salsa20 is secure; Other entries are k encrypt-then-MAC. . “AEAD,” Nonce: ; blo unencrypted header. . ; key

  7. � � � � � Let’s watch how Salsa20 Build 4 4 array of 4-byte words: generates block of 64 bytes � 2 � 3 � 16), from key (1 � 227 � 11 � 84 � 2 � 0 � 0 � 0). nonce (255 Notation: means 1 + 2 + 16. Little-endian everywhere. Diagonal entries are constants: Key: Other entries are key . ; nonce Nonce: ; block counter . ; key again.

  8. � � � � � � � � Salsa20 Build 4 4 array of 4-byte words: Modify one word using of 64 bytes � 16), � 11 � 84 � 2 � 0 � 0 � 0). means 1 + 2 + 16. everywhere. Diagonal entries are constants: The modification is add two underlined rotate left by 7 bits; Other entries are key . xor into next word ; nonce ; block counter x[9] ^= (x[1]+x[5]) . ; key again. Will do long series simple modifications,

  9. � Build 4 4 array of 4-byte words: Modify one word using two others: Diagonal entries are constants: The modification is very simple: add two underlined words; rotate left by 7 bits; Other entries are key xor into next word down. ; nonce ; block counter x[9] ^= (x[1]+x[5]) <<< 7 ; key again. Will do long series of these simple modifications, as in TEA.

  10. � y of 4-byte words: Modify one word using two others: Modify other columns: are constants: The modification is very simple: Columns wrap around add two underlined words; from bottom to top. rotate left by 7 bits; key x[4] ^= (x[12]+x[0]) xor into next word down. ; nonce x[14] ^= (x[6]+x[10]) block counter x[9] ^= (x[1]+x[5]) <<< 7 x[3] ^= (x[11]+x[15]) key again. Will do long series of these Total: 4 modifications. simple modifications, as in TEA.

  11. Modify one word using two others: Modify other columns: The modification is very simple: Columns wrap around add two underlined words; from bottom to top. rotate left by 7 bits; x[4] ^= (x[12]+x[0]) <<< 7 xor into next word down. x[14] ^= (x[6]+x[10]) <<< 7 x[9] ^= (x[1]+x[5]) <<< 7 x[3] ^= (x[11]+x[15]) <<< 7 Will do long series of these Total: 4 modifications. simple modifications, as in TEA.

  12. using two others: Modify other columns: Modify each column is very simple: Columns wrap around This time rotate by underlined words; from bottom to top. x[8] ^= (x[0]+x[4]) bits; x[4] ^= (x[12]+x[0]) <<< 7 x[13] ^= (x[5]+x[9]) rd down. x[14] ^= (x[6]+x[10]) <<< 7 x[2] ^= (x[10]+x[14]) (x[1]+x[5]) <<< 7 x[3] ^= (x[11]+x[15]) <<< 7 x[7] ^= (x[15]+x[3]) series of these Total: 4 modifications. Total: 8 modifications. difications, as in TEA.

  13. Modify other columns: Modify each column again: Columns wrap around This time rotate by 9 bits. from bottom to top. x[8] ^= (x[0]+x[4]) <<< 9 x[4] ^= (x[12]+x[0]) <<< 7 x[13] ^= (x[5]+x[9]) <<< 9 x[14] ^= (x[6]+x[10]) <<< 7 x[2] ^= (x[10]+x[14]) <<< 9 x[3] ^= (x[11]+x[15]) <<< 7 x[7] ^= (x[15]+x[3]) <<< 9 Total: 4 modifications. Total: 8 modifications.

  14. columns: Modify each column again: Modify each column round This time rotate by 9 bits. This time rotate by top. x[8] ^= (x[0]+x[4]) <<< 9 x[12] ^= (x[4]+x[8]) (x[12]+x[0]) <<< 7 x[13] ^= (x[5]+x[9]) <<< 9 x[1] ^= (x[9]+x[13]) (x[6]+x[10]) <<< 7 x[2] ^= (x[10]+x[14]) <<< 9 x[6] ^= (x[14]+x[2]) (x[11]+x[15]) <<< 7 x[7] ^= (x[15]+x[3]) <<< 9 x[11] ^= (x[3]+x[7]) difications. Total: 8 modifications. Total: 12 modifications.

  15. Modify each column again: Modify each column again: This time rotate by 9 bits. This time rotate by 13 bits. x[8] ^= (x[0]+x[4]) <<< 9 x[12] ^= (x[4]+x[8]) <<< 13 x[13] ^= (x[5]+x[9]) <<< 9 x[1] ^= (x[9]+x[13]) <<< 13 x[2] ^= (x[10]+x[14]) <<< 9 x[6] ^= (x[14]+x[2]) <<< 13 x[7] ^= (x[15]+x[3]) <<< 9 x[11] ^= (x[3]+x[7]) <<< 13 Total: 8 modifications. Total: 12 modifications.

  16. column again: Modify each column again: Modify each column by 9 bits. This time rotate by 13 bits. This time rotate by (x[0]+x[4]) <<< 9 x[12] ^= (x[4]+x[8]) <<< 13 x[0] ^= (x[8]+x[12]) (x[5]+x[9]) <<< 9 x[1] ^= (x[9]+x[13]) <<< 13 x[5] ^= (x[13]+x[1]) (x[10]+x[14]) <<< 9 x[6] ^= (x[14]+x[2]) <<< 13 x[10] ^= (x[2]+x[6]) (x[15]+x[3]) <<< 9 x[11] ^= (x[3]+x[7]) <<< 13 x[15] ^= (x[7]+x[11]) difications. Total: 12 modifications. Total: 16 modifications.

  17. Modify each column again: Modify each column again: This time rotate by 13 bits. This time rotate by 18 bits. x[12] ^= (x[4]+x[8]) <<< 13 x[0] ^= (x[8]+x[12]) <<< 18 x[1] ^= (x[9]+x[13]) <<< 13 x[5] ^= (x[13]+x[1]) <<< 18 x[6] ^= (x[14]+x[2]) <<< 13 x[10] ^= (x[2]+x[6]) <<< 18 x[11] ^= (x[3]+x[7]) <<< 13 x[15] ^= (x[7]+x[11]) <<< 18 Total: 12 modifications. Total: 16 modifications.

  18. � � � column again: Modify each column again: Modify rows by 7 by 13 bits. This time rotate by 18 bits. Now every word has been modified (x[4]+x[8]) <<< 13 x[0] ^= (x[8]+x[12]) <<< 18 Total: 32 modifications. (x[9]+x[13]) <<< 13 x[5] ^= (x[13]+x[1]) <<< 18 (x[14]+x[2]) <<< 13 x[10] ^= (x[2]+x[6]) <<< 18 That’s 2 rounds of (x[3]+x[7]) <<< 13 x[15] ^= (x[7]+x[11]) <<< 18 difications. Total: 16 modifications.

Recommend

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Note: ChaCha is not an eSTREAM candidate! Post-eSTREAM cryptography. The Salsa20 cipher family Salsa20/20 is faster than AES. I

256 views • 10 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

S PRITZ A SPONGY RC4- LIKE STREAM CIPHER AND HASH FUNCTION Ronald L. Rivest 1 Jacob C. N. Schuldt 2 1 Vannevar Bush Professor of EECS MIT CSAIL Cambridge, MA 02139 rivest@mit.edu 2 Research Institute for Secure Systems AIST, Japan

603 views • 37 slides
PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m (stream) Enc One-time Encryption with a stream-cipher: SC K Generate a one-time pad from a short seed Can share just the seed as the key Mask

1.33k views • 102 slides
Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

367 views • 19 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20 stream cipher Poly1305 authenticator ChaCha20+Poly1305 AEAD construction TLS cipher suites Performance ChaCha20 stream cipher

648 views • 12 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB

Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB

Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB 2019 October 21st 23rd, 2019 Casa Convalescncia, Barcelona, Spain Authors: Hassan Noura, Raphal Couturier, CongDuc Pham and Ali Chehab

149 views • 13 slides
Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with

Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with

Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with B.Preneel and G. Sekar) Computer Security and Industrial Cryptography (COSIC) Department of Electrical Engineering-ESAT Katholieke Universiteit

655 views • 16 slides
MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng

MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng

MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng The City University of New York Contents Motivation Algorithm Details Key Scheduling State Initialization Keystream Generation

383 views • 17 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Universit Catholique de Louvain, Belgium Algebraic

995 views • 61 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology R&amp;D Center Mitsubishi Electric Corporation February 23 2009, FSE 2009 In this presentation we talk about A colliding key pair of RC4

359 views • 15 slides
ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov

ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov

ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov Russian State University for the Humanities Faculty of Information Security *Partially supported by the Institute for Experimental Mathematics, University

453 views • 19 slides
Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel

Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel

Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC Overview 1. Introduction to Helix and Phelix 2. Description of Phelix 3. Differential propagation of

790 views • 28 slides
Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m (stream) Enc G is a PRG if {G k (x)} x {0,1}k U n(k) and G PPT A PRG can be used to obtain a one-time SC PRG K CPA-secure SKE Stream

555 views • 10 slides
Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m (stream) Enc G is a PRG if {G k (x)} x {0,1}k U n(k) and G PPT A PRG can be used to obtain a one-time SC PRG K CPA-secure SKE Stream

320 views • 11 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China. Institute of Software, Chinese Academy of Sciences,

1.08k views • 97 slides
Cipher Techniques Chapter 12 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Cipher Techniques Chapter 12 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Cipher Techniques Chapter 12 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-1 Overview Problems What can go wrong if you naively use ciphers Cipher types Stream or block ciphers? Networks Link vs

1.79k views • 129 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides

More recommend