chacha20 and poly1305 cipher suites for tls
play

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh - PowerPoint PPT Presentation

Feb 03, 2024 •519 likes •648 views

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20 stream cipher Poly1305 authenticator ChaCha20+Poly1305 AEAD construction TLS cipher suites Performance ChaCha20 stream cipher

  1. ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang

  2. Outline ● ChaCha20 stream cipher ● Poly1305 authenticator ● ChaCha20+Poly1305 AEAD construction ● TLS cipher suites ● Performance

  3. ChaCha20 stream cipher ● Designed by Dan J. Bernstein ● A variant of Salsa20 to improve diffusion ● Used in BLAKE, a SHA-3 finalist ● 256-bit key ● 64-bit nonce ● 64-bit block counter ● Outputs a 64-byte block of key stream and increments block counter in each invocation ● Plaintext is XOR’ed with the key stream

  4. ChaCha20 function Input constants key nonce counter S3 S0 S1 S2 State S7 S4 S5 S6 (16 words) S11 S8 S9 S10 S13 S14 S15 S12 Output key stream (64 bytes)

  5. Poly1305 authenticator ● A Wegman-Carter, one-time authenticator ● Designed by Dan J. Bernstein ● 256-bit key ● 128-bit output

  6. Poly1305 calculation Key (r, s): r => integer R, s => integer S Input is divided into 16-byte chunks . . . C0 C1 C2 C3 C4 C5 Cn-2 Cn-1 C0*R^n + C1*R^(n-1) + C2*R^(n-2) + … + Cn-2*R^2 + Cn-1*R mod (2^130- 5) Evaluate this polynomial with Horner’s Rule + S mod 2^128

  7. AEAD construction ● The AEAD key is a ChaCha20 key ● For each nonce, derive: Poly1305 key = ChaCha20(000...0, counter=0) Discard the last 32 bytes of output ● A = additional data ● S = ChaCha20(plaintext, counter=1) ● T = Poly1305(A || len(A) || S || len(S)) ● Ciphertext = S || T

  8. TLS cipher suites ● Three forward secret, AEAD ciphers: ○ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ○ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ○ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ● No implicit nonce: fixed_iv_length = 0 ● No explicit nonce: record_iv_length = 0 ○ 8-byte ChaCha20 nonce is the TLS sequence number

  9. Performance Intel Xeon E5-2690@2.9GHz with Hyper- Threading and Turbo Boost disabled AES-128-GCM, AES-NI disabled 131 MB/s AES-128-GCM, AES-NI enabled 892 MB/s ChaCha20+Poly1305 427 MB/s ChaCha20+Poly1305, -march=native 560 MB/s

  10. Performance ARM Cortex-A9@1.2GHz AES-128-GCM 25 MB/s ChaCha20+Poly1305 92 MB/s

  11. MAC performance Intel Xeon E5-2690@2.90GHz with Hyper- Threading and Turbo Boost disabled ● To authenticate 1KB of data VMAC (128-bit, with AES calls removed) 270 ns with 248 bytes of memory Poly1305 561 ns

  12. MAC performance ARM Cortex-A8@1.2GHz, with NEON enabled ● To authenticate 1KB of data VMAC (128-bit, with AES calls removed) 5015.1 ns with 248 bytes of memory Poly1305 (code from SUPERCOP) 3567 ns

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Poly1305-AES MAC Sami Vaarala Helsinki University of Technology sami.vaarala@iki.fi 1

Poly1305-AES MAC Sami Vaarala Helsinki University of Technology sami.vaarala@iki.fi 1

T-79.515 Cryptography: Special Topics Poly1305-AES MAC Sami Vaarala Helsinki University of Technology sami.vaarala@iki.fi 1 Background Security of MD5 and SHA1 is dubious, so a MAC with a security proof relative to a block cipher would be

3.43k views • 31 slides
A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and

A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and

A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and Kenneth G. Paterson ACM CCS - 27/10/2016 Outline of this talk Overview of SSH and related work. SSH deployment statistics. A new attack on

356 views • 25 slides
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation The Poly1305-AES function Given byte sequence , , 16-byte sequence

1.08k views • 15 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4 CONNECTING JUNIOR SUITES 4 PRIVATE JUNIOR SUITES 2 FAMILY SUITES 2 SELENI SUITES 1 PRIVATE SELENI SUITE 1 SUPERIOR SELENI SUITE 2 SMALL APARTMENTS

853 views • 74 slides
TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4 CONNECTING JUNIOR SUITES 4 PRIVATE JUNIOR SUITES 2 FAMILY SUITES 2 SELENI SUITES 1 PRIVATE SELENI SUITE 1 SUPERIOR SELENI SUITE 2 SMALL APARTMENTS

1.15k views • 75 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I

SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I

PARK HYATT CHICAGO SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I T E G O L D C O A S T S U I T E L A K E S U I T E W A T E R T O W E R S U I T E *13 suites total PARK SUITE This suite

402 views • 15 slides
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation The AES function (Rijndael 1998 Daemen Rijmen; 2001

867 views • 29 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed

Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed

Introducing our new Deluxe Suites Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed with the ultimate luxury, elegance and comfort in mind. They feature king size luxury beds, comfortable sofa

712 views • 14 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
CS 327E Class 8 Oct 30, 2020 Final Project Components Choose a primary and secondary

CS 327E Class 8 Oct 30, 2020 Final Project Components Choose a primary and secondary

CS 327E Class 8 Oct 30, 2020 Final Project Components Choose a primary and secondary dataset (Milestone 1) Load the raw data into BigQuery (Milestone 1) Explore the raw data with SQL (Milestone 1) Cleanse the data with SQL

495 views • 22 slides
Advanced Cryptanalysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 41

Advanced Cryptanalysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 41

Advanced Cryptanalysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 41 Overview Introduction Conditional differentials High-order differentials Applications to Trivium and Grain Recent results Open

630 views • 41 slides
On the volume conjecture for quantum 6 j symbols Jun Murakami Waseda University July 27, 2016

On the volume conjecture for quantum 6 j symbols Jun Murakami Waseda University July 27, 2016

On the volume conjecture for quantum 6 j symbols Jun Murakami Waseda University July 27, 2016 Workshop on Teichmller and Grothendieck-Teichmller theories Chern Institute of Mathematics, Nankai University Quantum Invariants Volume

530 views • 23 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (9/30/04) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (9/30/04) I E S R C E O V U

VLSI Design Verification and Test Combo ATPG I CMPE 646 ATPG Automatic Test Pattern Generation has several purposes: It can generate test patterns (obviously) It can find redundant circuit logic. It can prove one implementation

311 views • 18 slides
Resolving m c and m b in precision Higgs boson analyses Zhengkang Zhang University of Michigan

Resolving m c and m b in precision Higgs boson analyses Zhengkang Zhang University of Michigan

Resolving m c and m b in precision Higgs boson analyses Zhengkang Zhang University of Michigan Based on A. A. Petrov, S. Pokorski, J. D. Wells, ZZ, Phys. Rev. D 91 , 073001 (2015) [arXiv:1501.02803 [hep-ph]] Zhengkang Zhang (U Michigan)

615 views • 23 slides
Remediation and Regulation February 27, 2019 Andy Adams , CHMM Mark Keefer, PG (MN) Vice

Remediation and Regulation February 27, 2019 Andy Adams , CHMM Mark Keefer, PG (MN) Vice

Non-Stick Future: PFAS Remediation and Regulation February 27, 2019 Andy Adams , CHMM Mark Keefer, PG (MN) Vice President / Principal Scientist Group Manager / Senior Scientist Houston, TX Bloomington, MN W&M Environmental

351 views • 20 slides
Latches, Flip-flops, Registers, Memory Sequential logic: elements to store values Output depends

Latches, Flip-flops, Registers, Memory Sequential logic: elements to store values Output depends

Latch: CC-BY Rberteig@flickr Latches, Flip-flops, Registers, Memory Sequential logic: elements to store values Output depends on inputs and stored values . (vs. combinational logic: output depends only on inputs) Processor: Data Path Components

209 views • 19 slides
Lecture 7: Sequential Networks CK Cheng Dept. of Computer Science and Engineering University of

Lecture 7: Sequential Networks CK Cheng Dept. of Computer Science and Engineering University of

CSE 140: Components and Design Techniques for Digital Systems Lecture 7: Sequential Networks CK Cheng Dept. of Computer Science and Engineering University of California, San Diego 1 Part II: Sequential Networks Introduction

885 views • 59 slides

More recommend