better proofs for rekeying rekeying seems less dangerous
play

Better proofs for rekeying Rekeying seems less dangerous. D. J. - PowerPoint PPT Presentation

Aug 02, 2023 •289 likes •881 views

1 2 Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 subkeys. far below 2 256 in most

  1. 1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Success chance ≈ Tn ( n − 1) = 2 129 .

  2. 1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Success chance ≈ Tn ( n − 1) = 2 129 .

  3. 1 2 Better proofs for rekeying “Rekeying” seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. far below 2 256 in most protocols: Output F ( k ′ ) for each subkey k ′ : (AES k (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); is distinguishable from uniform F (AES k (2) ; AES k (3)); : : : with probability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). plus tiny key-guessing probability. Yes, distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . Success chance ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .

  4. 1 2 proofs for rekeying “Rekeying” seems less dangerous. Attack strategy master k Bernstein Expand k into F ( k ) = from a unif (AES k (0) ; : : : ; AES k (999999)). Years of Security of AES-256 key k is Split F ( k ) into 500000 “subkeys”. elow 2 256 in most protocols: to distinguish Output F ( k ′ ) for each subkey k ′ : uniform (0) ; : : : ; AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); Distinctness distinguishable from uniform F (AES k (2) ; AES k (3)); : : : robability n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). tiny key-guessing probability. distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? er actually has T targets: endent keys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . Success chance ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .

  5. 1 2 r rekeying “Rekeying” seems less dangerous. Attack strategy 1: master key k . Distinguish Expand k into F ( k ) = from a uniform random (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis AES-256 key k is Split F ( k ) into 500000 “subkeys”. to distinguish AES most protocols: Output F ( k ′ ) for each subkey k ′ : uniform string of distinct AES k ( n − 1)) i.e., F (AES k (0) ; AES k (1)); Distinctness loses distinguishable from uniform F (AES k (2) ; AES k (3)); : : : n ( n − 1) = 2 129 , F (AES k (999998) ; AES k (999999)). ey-guessing probability. distinguishers matter. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? actually has T targets: eys k 1 ; : : : ; k T . Intuitively clear that p T ≤ Tp 1 . ≈ Tn ( n − 1) = 2 129 . So let’s analyze p 1 .

  6. 1 2 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: ha is Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from rotocols: Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blo 1)) Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); uniform F (AES k (2) ; AES k (3)); : : : 2 129 , F (AES k (999998) ; AES k (999999)). robability. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? rgets: T . Intuitively clear that p T ≤ Tp 1 . 1) = 2 129 . So let’s analyze p 1 .

  7. 2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : F (AES k (999998) ; AES k (999999)). Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuitively clear that p T ≤ Tp 1 . So let’s analyze p 1 .

  8. 2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : Attack strategy 2: Attack a F (AES k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuitively clear that p T ≤ Tp 1 . So let’s analyze p 1 .

  9. 2 3 “Rekeying” seems less dangerous. Attack strategy 1: Attack the master key k . Distinguish F ( k ) Expand k into F ( k ) = from a uniform random string. (AES k (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard Split F ( k ) into 500000 “subkeys”. to distinguish AES outputs from Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : Attack strategy 2: Attack a F (AES k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuition: No other attacks exist. Intuitively clear that p T ≤ Tp 1 . But where is this proven? So let’s analyze p 1 .

  10. 2 3 eying” seems less dangerous. Attack strategy 1: Attack the FOCS 1996 master key k . Distinguish F ( k ) Krawczyk Expand k into F ( k ) = from a uniform random string. security (0) ; : : : ; AES k (999999)). Years of cryptanalysis say: hard 2-level ca ( k ) into 500000 “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); Output F ( k ′ ) for each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . (AES k (0) ; AES k (1)); k (2) ; AES k (3)); : : : Attack strategy 2: Attack a k (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. eat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuition: No other attacks exist. Intuitively clear that p T ≤ Tp 1 . But where is this proven? let’s analyze p 1 .

  11. 2 3 seems less dangerous. Attack strategy 1: Attack the FOCS 1996 Bellare–Canetti– master key k . Distinguish F ( k ) Krawczyk claims to ( k ) = from a uniform random string. security of ‘ -level “cascade”. AES k (999999)). Years of cryptanalysis say: hard 2-level cascade: key 500000 “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); output S r each subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . AES k (1)); k (3)); : : : Attack strategy 2: Attack a (999998) ; AES k (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. : ; k T . What is success chance p T ? Intuition: No other attacks exist. that p T ≤ Tp 1 . But where is this proven? p 1 .

  12. 2 3 ngerous. Attack strategy 1: Attack the FOCS 1996 Bellare–Canetti– master key k . Distinguish F ( k ) Krawczyk claims to prove from a uniform random string. security of ‘ -level “cascade”. (999999)). Years of cryptanalysis say: hard 2-level cascade: key k ; input “subkeys”. to distinguish AES outputs from ( N 1 ; N 2 ); output S ( S ( k; N 1 ) subkey k ′ : uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . (1)); Attack strategy 2: Attack a (999999)). subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. What is chance p T ? Intuition: No other attacks exist. Tp 1 . But where is this proven?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road Chi Chiara Bersani, Claudio Roncoli B i Cl di R li University of Genova, Department of Communication, Computer and System Science DIST 16145

685 views • 39 slides
Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2 Interactive Proofs IP[k] IP[poly] = PSPACE 2 Interactive Proofs IP[k] IP[poly] = PSPACE IP protocol for TQBF using arithmetization 2 Interactive

1.75k views • 136 slides
Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10 - 12 September 2016, Hamburg) Gyesik Lee Hankyong National University 1 Overview 1. Verification of proofs 2. Hales proof of the Kepler

651 views • 43 slides
Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter

Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter

Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter Schroeder-Heister Universit at T ubingen J agerfest Bern, 13.12.2013 p. 1 Russells antinomy in naive set theory Extend natural

688 views • 41 slides
NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs . . . Usual Proofs of NP- . . . Proofs of NP- . . . Pedagogical Problem . . . NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers Instead What Is NP-Hard: . . . Proof that . . . of

296 views • 12 slides
proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur

proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur

proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur (UC Berkeley) October 14, 2017 FOCS 2017 Workshop: Frontiers in Distribution Testing Joint work with Alessandro Chiesa (UC Berkeley) proofs of

2.25k views • 158 slides
Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

1 EASA European Association of dangerous goods Safety Advisers Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in Bolivia: The Dangerous Goods Safety Adviser (DGSA): Key Figure for Safety &

415 views • 37 slides
Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

1 EASA European Association of dangerous goods Safety Advisers Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in Bolivia: The Dangerous Goods Safety Adviser (DGSA): Key Figure for Safety &

655 views • 34 slides
There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous to most dangerous: Teddy Bear Black Bear (U. americanus) Brown or Grizzly Bear (U. Arctos) Chicago Bear (D. Butkus) Two types exist in New Mexico

420 views • 25 slides
Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In Mathematics we prove things The base angles of an isoceles triangle are equal seems obvious to a person with mathematical aptitude. a if a = b

678 views • 52 slides
Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of

Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of

cse 311: foundations of computing Fall 2015 Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of inference to extend set of facts Result is proved when it is included in the set Statement Fact 2

185 views • 18 slides
Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur fr Wissensreprsentation und -verarbeitung Informatik, FAU Erlangen-Nrnberg http://kwarc.info 20. October 2016, Dagstuhl Seminar on

568 views • 39 slides
Department of Neighborhoods Dangerous Buildings and Make Safe Process 1 Agenda

Department of Neighborhoods Dangerous Buildings and Make Safe Process 1 Agenda

Department of Neighborhoods Dangerous Buildings and Make Safe Process 1 Agenda Responsibilities & Role of City employees Dangerous Building Reporting Process What is a Public Hearing? What is an Order? Enforcement

623 views • 26 slides
In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings General Concept Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

780 views • 47 slides
Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya

Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya

Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya University, Japan 2 ANSSI, France March 7, 2018 FSE 2018

1.11k views • 70 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds DIAC 2016 AEGIS 1 AEGIS: A shield carried by Athena and Zeus DIAC 2016 AEGIS 2 Different Design

524 views • 18 slides
Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This

Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This

Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This presentation may contain forward-looking information. Forward-looking statements describe expectations, plans, strategies, goals, future events or

602 views • 16 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and Formal Verification work co-funded by the PRINCE project Sabine Azzi, Bruno Barras, Maria Christofi , David Vigilant PROOFS workshop 2015, September

493 views • 45 slides
Objectives Introduction to Finite Fields AES Algorithm Sub Byte Shift row

Objectives Introduction to Finite Fields AES Algorithm Sub Byte Shift row

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Introduction to Finite Fields AES

604 views • 31 slides
RC6The elegant AES choice Ron Rivest rivest@mit.edu Matt Robshaw mrobshaw@supanet.com Yiqun

RC6The elegant AES choice Ron Rivest rivest@mit.edu Matt Robshaw mrobshaw@supanet.com Yiqun

RC6The elegant AES choice Ron Rivest rivest@mit.edu Matt Robshaw mrobshaw@supanet.com Yiqun Lisa Yin yiqun@nttmcl.com RC6 is the right AES choice Security Performance Ease of implementation Simplicity Flexibility RC6 is

314 views • 15 slides

More recommend