examples of symmetric primitives d j bernstein message
play

Examples of symmetric primitives D. J. Bernstein message len - PDF document

May 02, 2023 •7 likes •1.08k views

1 Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression function fixed Block cipher fixed Tweakable block cipher fixed Hash function variable MAC (without nonce) variable MAC (using nonce)

  1. 19 “Hardware-friendlier” cipher, since xor circuit is cheaper than add.

  2. 19 “Hardware-friendlier” cipher, since xor circuit is cheaper than add. But output bits are linear functions of input bits!

  3. 19 “Hardware-friendlier” cipher, since xor circuit is cheaper than add. But output bits are linear functions of input bits! e.g. First output bit is 1 ⊕ k 0 ⊕ k 1 ⊕ k 3 ⊕ k 10 ⊕ k 11 ⊕ k 12 ⊕ k 20 ⊕ k 21 ⊕ k 30 ⊕ k 32 ⊕ k 33 ⊕ k 35 ⊕ k 42 ⊕ k 43 ⊕ k 44 ⊕ k 52 ⊕ k 53 ⊕ k 62 ⊕ k 64 ⊕ k 67 ⊕ k 69 ⊕ k 76 ⊕ k 85 ⊕ k 94 ⊕ k 96 ⊕ k 99 ⊕ k 101 ⊕ k 108 ⊕ k 117 ⊕ k 126 ⊕ b 1 ⊕ b 3 ⊕ b 10 ⊕ b 12 ⊕ b 21 ⊕ b 30 ⊕ b 32 ⊕ b 33 ⊕ b 35 ⊕ b 37 ⊕ b 39 ⊕ b 42 ⊕ b 43 ⊕ b 44 ⊕ b 47 ⊕ b 52 ⊕ b 53 ⊕ b 57 ⊕ b 62 .

  4. 20 There is a matrix M with coefficients in F 2 such that, for all ( k; b ), XORTEA k ( b ) = (1 ; k; b ) M .

  5. 20 There is a matrix M with coefficients in F 2 such that, for all ( k; b ), XORTEA k ( b ) = (1 ; k; b ) M . XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = (0 ; 0 ; b 1 ⊕ b 2 ) M .

  6. 20 There is a matrix M with coefficients in F 2 such that, for all ( k; b ), XORTEA k ( b ) = (1 ; k; b ) M . XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = (0 ; 0 ; b 1 ⊕ b 2 ) M . Very fast attack: if b 4 = b 1 ⊕ b 2 ⊕ b 3 then XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = XORTEA k ( b 3 ) ⊕ XORTEA k ( b 4 ).

  7. 20 There is a matrix M with coefficients in F 2 such that, for all ( k; b ), XORTEA k ( b ) = (1 ; k; b ) M . XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = (0 ; 0 ; b 1 ⊕ b 2 ) M . Very fast attack: if b 4 = b 1 ⊕ b 2 ⊕ b 3 then XORTEA k ( b 1 ) ⊕ XORTEA k ( b 2 ) = XORTEA k ( b 3 ) ⊕ XORTEA k ( b 4 ). This breaks PRP (and PRF): uniform random permutation (or function) F almost never has F ( b 1 ) ⊕ F ( b 2 ) = F ( b 3 ) ⊕ F ( b 4 ).

  8. 21 LEFTEA: another bad cipher void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] ^ (y<<5)+k[1]; y += x+c ^ (x<<4)+k[2] ^ (x<<5)+k[3]; } b[0] = x; b[1] = y; }

  9. 22 Addition is not F 2 -linear, but addition mod 2 is F 2 -linear. First output bit is 1 ⊕ k 0 ⊕ k 32 ⊕ k 64 ⊕ k 96 ⊕ b 32 .

  10. 22 Addition is not F 2 -linear, but addition mod 2 is F 2 -linear. First output bit is 1 ⊕ k 0 ⊕ k 32 ⊕ k 64 ⊕ k 96 ⊕ b 32 . Higher output bits are increasingly nonlinear but they never affect first bit.

  11. 22 Addition is not F 2 -linear, but addition mod 2 is F 2 -linear. First output bit is 1 ⊕ k 0 ⊕ k 32 ⊕ k 64 ⊕ k 96 ⊕ b 32 . Higher output bits are increasingly nonlinear but they never affect first bit. How TEA avoids this problem: >>5 diffuses nonlinear changes from high bits to low bits.

  12. 22 Addition is not F 2 -linear, but addition mod 2 is F 2 -linear. First output bit is 1 ⊕ k 0 ⊕ k 32 ⊕ k 64 ⊕ k 96 ⊕ b 32 . Higher output bits are increasingly nonlinear but they never affect first bit. How TEA avoids this problem: >>5 diffuses nonlinear changes from high bits to low bits. (Diffusion from low bits to high bits: <<4 ; carries in addition.)

  13. 23 TEA4: another bad cipher void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 4;r += 1) { c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; } b[0] = x; b[1] = y; }

  14. 24 Fast attack: TEA4 k ( x + 2 31 ; y ) and TEA4 k ( x; y ) have same first bit.

  15. 24 Fast attack: TEA4 k ( x + 2 31 ; y ) and TEA4 k ( x; y ) have same first bit. Trace x; y differences through steps in computation. r = 0: multiples of 2 31 ; 2 26 . r = 1: multiples of 2 21 ; 2 16 . r = 2: multiples of 2 11 ; 2 6 . r = 3: multiples of 2 1 ; 2 0 .

  16. 24 Fast attack: TEA4 k ( x + 2 31 ; y ) and TEA4 k ( x; y ) have same first bit. Trace x; y differences through steps in computation. r = 0: multiples of 2 31 ; 2 26 . r = 1: multiples of 2 21 ; 2 16 . r = 2: multiples of 2 11 ; 2 6 . r = 3: multiples of 2 1 ; 2 0 . Uniform random function F : F ( x + 2 31 ; y ) and F ( x; y ) have same first bit with probability 1 = 2.

  17. 24 Fast attack: TEA4 k ( x + 2 31 ; y ) and TEA4 k ( x; y ) have same first bit. Trace x; y differences through steps in computation. r = 0: multiples of 2 31 ; 2 26 . r = 1: multiples of 2 21 ; 2 16 . r = 2: multiples of 2 11 ; 2 6 . r = 3: multiples of 2 1 ; 2 0 . Uniform random function F : F ( x + 2 31 ; y ) and F ( x; y ) have same first bit with probability 1 = 2. PRF advantage 1 = 2. Two pairs ( x; y ): advantage 3 = 4.

  18. 25 More sophisticated attacks: trace probabilities of differences; probabilities of linear equations; probabilities of higher-order differences C ( x + ‹ + › ) − C ( x + ‹ ) − C ( x + › ) + C ( x ); etc. Use algebra+statistics to exploit non-randomness in probabilities.

  19. 25 More sophisticated attacks: trace probabilities of differences; probabilities of linear equations; probabilities of higher-order differences C ( x + ‹ + › ) − C ( x + ‹ ) − C ( x + › ) + C ( x ); etc. Use algebra+statistics to exploit non-randomness in probabilities. Attacks get beyond r = 4 but rapidly lose effectiveness. Very far from full TEA.

  20. 25 More sophisticated attacks: trace probabilities of differences; probabilities of linear equations; probabilities of higher-order differences C ( x + ‹ + › ) − C ( x + ‹ ) − C ( x + › ) + C ( x ); etc. Use algebra+statistics to exploit non-randomness in probabilities. Attacks get beyond r = 4 but rapidly lose effectiveness. Very far from full TEA. Hard question in cipher design: How many “rounds” are really needed for security?

  21. 26 REPTEA: another bad cipher void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0x9e3779b9; for (r = 0;r < 1000;r += 1) { x += y+c ^ (y<<4)+k[0] ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; } b[0] = x; b[1] = y; }

  22. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... .

  23. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... . Try list of 2 32 inputs b . Collect outputs REPTEA k ( b ).

  24. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... . Try list of 2 32 inputs b . Collect outputs REPTEA k ( b ). Good chance that some b in list also has a = I k ( b ) in list. Then REPTEA k ( a )= I k (REPTEA k ( b )).

  25. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... . Try list of 2 32 inputs b . Collect outputs REPTEA k ( b ). Good chance that some b in list also has a = I k ( b ) in list. Then REPTEA k ( a )= I k (REPTEA k ( b )). For each ( b; a ) from list: Try solving equations a = I k ( b ), REPTEA k ( a )= I k (REPTEA k ( b )) to figure out k . (More equations: try re-encrypting these outputs.)

  26. 27 REPTEA k ( b ) = I 1000 ( b ) k where I k does x+=...;y+=... . Try list of 2 32 inputs b . Collect outputs REPTEA k ( b ). Good chance that some b in list also has a = I k ( b ) in list. Then REPTEA k ( a )= I k (REPTEA k ( b )). For each ( b; a ) from list: Try solving equations a = I k ( b ), REPTEA k ( a )= I k (REPTEA k ( b )) to figure out k . (More equations: try re-encrypting these outputs.) This is a slide attack. TEA avoids this by varying c .

  27. 28 What about original TEA? void encrypt(uint32 *b,uint32 *k) { uint32 x = b[0], y = b[1]; uint32 r, c = 0; for (r = 0;r < 32;r += 1) { c += 0x9e3779b9; x += y+c ^ (y<<4)+k[0] ^ (y>>5)+k[1]; y += x+c ^ (x<<4)+k[2] ^ (x>>5)+k[3]; } b[0] = x; b[1] = y; }

  28. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]).

  29. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]). Is this an attack?

  30. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]). Is this an attack? PRP attack goal: distinguish TEA k , for one secret key k , from uniform random permutation.

  31. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]). Is this an attack? PRP attack goal: distinguish TEA k , for one secret key k , from uniform random permutation. Brute-force attack: Guess key g , see if TEA g matches TEA k on some outputs.

  32. 29 Related keys: e.g., TEA k ′ ( b ) = TEA k ( b ) where ( k ′ [0] ; k ′ [1] ; k ′ [2] ; k ′ [3]) = ( k [0] + 2 31 ; k [1] + 2 31 ; k [2] ; k [3]). Is this an attack? PRP attack goal: distinguish TEA k , for one secret key k , from uniform random permutation. Brute-force attack: Guess key g , see if TEA g matches TEA k on some outputs. Related keys ⇒ g succeeds with chance 2 − 126 . Still very small.

  33. 30 1997 Kelsey–Schneier–Wagner: Fancier relationship between k; k ′ has chance 2 − 11 of producing a particular output equation.

  34. 30 1997 Kelsey–Schneier–Wagner: Fancier relationship between k; k ′ has chance 2 − 11 of producing a particular output equation. No evidence in literature that this helps brute-force attack, or otherwise affects PRP security. No challenge to security analysis of TEA-CTR-XCBC-MAC.

  35. 30 1997 Kelsey–Schneier–Wagner: Fancier relationship between k; k ′ has chance 2 − 11 of producing a particular output equation. No evidence in literature that this helps brute-force attack, or otherwise affects PRP security. No challenge to security analysis of TEA-CTR-XCBC-MAC. But advertised as “related-key cryptanalysis” and claimed to justify recommendations for designers regarding key scheduling.

  36. 31 Some ways to learn more about cipher attacks, hash-function attacks, etc.: Take upcoming course “Selected areas in cryptology”. Includes symmetric attacks. Read attack papers, especially from FSE conference. Try to break ciphers yourself: e.g., find attacks on FEAL. Reasonable starting point: 2000 Schneier “Self-study course in block-cipher cryptanalysis”.

  37. 32 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard.

  38. 32 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard. 1975: NBS publishes IBM DES proposal. 64-bit block, 56-bit key.

  39. 32 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard. 1975: NBS publishes IBM DES proposal. 64-bit block, 56-bit key. 1976: NSA meets Diffie and Hellman to discuss criticism. Claims “somewhere over $400,000,000” to break a DES key; “I don’t think you can tell any Congressman what’s going to be secure 25 years from now.”

  40. 33 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20000000 machine to break hundreds of DES keys per year.

  41. 33 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20000000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”.

  42. 33 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20000000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”. 1983, 1988, 1993: Government reaffirms DES standard.

  43. 33 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20000000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”. 1983, 1988, 1993: Government reaffirms DES standard. Researchers publish new cipher proposals and security analysis.

  44. 34 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key.

  45. 34 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals.

  46. 34 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals. 1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year.

  47. 34 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals. 1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year. 1999: NIST selects five AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.

  48. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really?

  49. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.”

  50. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers.

  51. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers. 2007–2012: SHA-3 competition.

  52. 35 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers. 2007–2012: SHA-3 competition. 2013–now: CAESAR competition.

  53. 36 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block.

  54. 36 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block. Extensive security analysis. No serious threats to AES-256 multi-target SPRP security (which implies PRP security), even in a post-quantum world.

  55. 36 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block. Extensive security analysis. No serious threats to AES-256 multi-target SPRP security (which implies PRP security), even in a post-quantum world. So why isn’t AES-256 the end of the symmetric-crypto story?

  56. 37

  57. 38

  58. 39

  59. 40 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy.

  60. 40 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing.

  61. 40 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing. Picture is worse for high-security authenticated ciphers. 128-bit block size limits PRF security. Workarounds are hard to audit.

  62. 41 ChaCha creates safe systems with much less work than AES.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago When we design hash functions, stream ciphers, and other secret-key primitives, should we use integer multiplication? AES uses 32 ; 32 ! 32 xor;

634 views • 39 slides
Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key encryption system encrypts one secret message: a random 256-bit session key. Public-key signature system stops NSAITM attacks. Fast

1.03k views • 63 slides
1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

2.03k views • 175 slides
Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Ga etan Leurent, L eo Perrin, Mar a Naya

488 views • 34 slides
New MILP Modelings for Symmetric-Key Primitives Christina Boura (Joint-work with Daniel Coggia)

New MILP Modelings for Symmetric-Key Primitives Christina Boura (Joint-work with Daniel Coggia)

New MILP Modelings for Symmetric-Key Primitives Christina Boura (Joint-work with Daniel Coggia) University of Versailles and Inria de Paris August 6, 2020 1 / 43 Symmetric-key encryption Alice and Bob share the same secret key for encryption

983 views • 47 slides
Minimalism of Software Implementation Extensive Performance Analysis of Symmetric Primitives

Minimalism of Software Implementation Extensive Performance Analysis of Symmetric Primitives

Minimalism of Software Implementation Extensive Performance Analysis of Symmetric Primitives on the RL78 Microcontroller - Mitsuru Matsui and Yumiko Murakami Information Technology R&amp;D Center Mitsubishi Electric Corporation Agenda 1.

719 views • 32 slides
Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU

Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU

Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU Compute, DTU March 7, 2017 Based on Joint Work With David Derler Claudio Orlandi Sebastian Ramacher Daniel Slamanig TU Graz Aarhus University TU

187 views • 14 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and

779 views • 47 slides
On the design of When we design message-authentication codes hash functions, stream ciphers,

On the design of When we design message-authentication codes hash functions, stream ciphers,

On the design of When we design message-authentication codes hash functions, stream ciphers, and other secret-key primitives, D. J. Bernstein should we use University of Illinois at Chicago integer multiplication? AES uses 32 32 32

1.76k views • 149 slides
MPC-Friendly Symmetric Key Primitives Lorenzo Grassi 1 Christian Rechberger 1 s Rotaru 2 Drago

MPC-Friendly Symmetric Key Primitives Lorenzo Grassi 1 Christian Rechberger 1 s Rotaru 2 Drago

MPC-Friendly Symmetric Key Primitives Lorenzo Grassi 1 Christian Rechberger 1 s Rotaru 2 Drago Peter Scholl 2 Nigel P. Smart 2 1 Graz University of Technology 2 University of Bristol October 25, 2016 What is Multiparty Computation? What is

1.32k views • 64 slides
Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois

The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation The AES function (Rijndael 1998 Daemen Rijmen; 2001

867 views • 29 slides
Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Introduction Three Easy, Automated Techniques Tools for Cryptography Conclusion Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos

886 views • 77 slides
Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a brief introduction to symmetric and asymmetric cryptographic primitives, pointing out some relevant design principles and security properties.

532 views • 26 slides
Interprocess Communication Primitives Message Passing: issues Communication

Interprocess Communication Primitives Message Passing: issues Communication

CPSC-662 Distributed Computing Interprocess Communication Interprocess Communication Primitives Message Passing: issues Communication Schemes Reading: Colouris, Chapter 4 Interprocess Communication (IPC) communicate by

372 views • 6 slides
Aperiodic Tilings: Notions and Properties Michael Baake &amp; Uwe Grimm Faculty of Mathematics

Aperiodic Tilings: Notions and Properties Michael Baake &amp; Uwe Grimm Faculty of Mathematics

Aperiodic Tilings: Notions and Properties Michael Baake &amp; Uwe Grimm Faculty of Mathematics University of Bielefeld, Germany Department of Mathematics and Statistics The Open University, Milton Keynes, UK Fields Institute, Toronto, 20

883 views • 48 slides
UNSUPERWISED LABELLING OF EMAILS By: Vishal Kumawat 10818 Dibya Ranjan 10243 MOTIVATION

UNSUPERWISED LABELLING OF EMAILS By: Vishal Kumawat 10818 Dibya Ranjan 10243 MOTIVATION

UNSUPERWISED LABELLING OF EMAILS By: Vishal Kumawat 10818 Dibya Ranjan 10243 MOTIVATION Classify a large number of emails Labelling the email according to their semantics. Many time we have large number of documents like articles

893 views • 10 slides
Mark Balaguer Department of Philosophy California State University, Los Angeles What

Mark Balaguer Department of Philosophy California State University, Los Angeles What

Mark Balaguer Department of Philosophy California State University, Los Angeles What Mathematicians Need to Know to Understand Philosophers of Mathematics I. Introduction II. Clearing Up Some Confusions About the Philosophy of Mathematics 1.

61 views • 4 slides
Evolution 02-715 Advanced Topics in Computa8onal Genomics

Evolution 02-715 Advanced Topics in Computa8onal Genomics

Evolution 02-715 Advanced Topics in Computa8onal Genomics Ascertainment Bias SNP discovery phase Assume SNPs have been ascertained in an alignment of

960 views • 31 slides
Advanced UNIX CIS 218 Advanced UNIX Regular Expressions See also: www.regex101.com

Advanced UNIX CIS 218 Advanced UNIX Regular Expressions See also: www.regex101.com

Advanced UNIX CIS 218 Advanced UNIX Regular Expressions See also: www.regex101.com www.regexr.com 1 CIS 218 Advanced UNIX Why Regular Expressions? To locate text To change text To delineate metacharacters from ordinary characters

224 views • 21 slides
Exploring Knowledge Bases for Similarity Eneko Agirre , Montse Cuadros German Rigau ,

Exploring Knowledge Bases for Similarity Eneko Agirre , Montse Cuadros German Rigau ,

Exploring Knowledge Bases for Similarity Eneko Agirre , Montse Cuadros German Rigau , Aitor Soroa IXA NLP Group, University of the Basque Country, Donostia, Basque Country, e.agirre@ehu.es, german.rigau@ehu.es, a.soroa@ehu.es

649 views • 40 slides
Case Method and Integration of Academic Activities T. Grandon Gill Professor grandon@usf.edu

Case Method and Integration of Academic Activities T. Grandon Gill Professor grandon@usf.edu

Case Method and Integration of Academic Activities T. Grandon Gill Professor grandon@usf.edu Overview What is the case method? Pedagogy Different types of case study and how they are used Facilitating case discussions in the

731 views • 30 slides
3 rd Quarter 2013 Analyst/Investor Briefing 18 Nov 2013 5.00pm TH PLANTATIONS BERHAD (Company

3 rd Quarter 2013 Analyst/Investor Briefing 18 Nov 2013 5.00pm TH PLANTATIONS BERHAD (Company

3 rd Quarter 2013 Analyst/Investor Briefing 18 Nov 2013 5.00pm TH PLANTATIONS BERHAD (Company No: 12696-M) Presented by: Dato Zainal Azwar Zainal Aminuddin Chief Executive Officer 1 TH PLANTATIONS BERHAD (Company No: 12696-M)

291 views • 25 slides

More recommend