extending the salsa20 nonce d j bernstein university of
play

Extending the Salsa20 nonce D. J. Bernstein University of Illinois - PowerPoint PPT Presentation

Feb 16, 2023 •159 likes •762 views

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now Extending the Salsa20 nonce 2006

  1. Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  2. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Roga D. J. Bernstein “The numb University of Illinois at Chicago to be com session ✿ ✿ ✿ ♥❂ allowed to DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  3. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Roga D. J. Bernstein “The number of messages University of Illinois at Chicago to be communicated session ✿ ✿ ✿ should ♥❂ allowed to approach DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  4. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Rogaway: D. J. Bernstein “The number of messages University of Illinois at Chicago to be communicated in a session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  5. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Rogaway: D. J. Bernstein “The number of messages University of Illinois at Chicago to be communicated in a session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now ✿ ✿ ✿

  6. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Krawczyk–Krovetz–Rogaway: D. J. Bernstein “The number of messages University of Illinois at Chicago to be communicated in a session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” DES had 64-bit block. Highly troublesome by 1990s. Why do they say this? Answer: Their security proof AES has 128-bit block. fails for #messages ✙ 2 ♥❂ 2 Becoming troublesome now ✿ ✿ ✿ (AES: #messages ✙ 2 64 ), and becomes quantitatively useless long before that. So what should users do? No advice from 2006 BHHKKR.

  7. Extending the Salsa20 nonce 2006 Black–Halevi–Hevia– Common Krawczyk–Krovetz–Rogaway: Bernstein 128-bit “master” ❦ “The number of messages produces University of Illinois at Chicago to be communicated in a First session session ✿ ✿ ✿ should not be ❦ allowed to approach 2 ♥❂ 2 .” Second session ❦ had 64-bit block. etc. troublesome by 1990s. Why do they say this? ❦ ✵ Each session Answer: Their security proof has 128-bit block. fails for #messages ✙ 2 ♥❂ 2 for limited Becoming troublesome now ✿ ✿ ✿ (AES: #messages ✙ 2 64 ), Typical use and becomes quantitatively AES-CTR, useless long before that. for at most So what should users do? No advice from 2006 BHHKKR.

  8. Salsa20 nonce 2006 Black–Halevi–Hevia– Common user resp Krawczyk–Krovetz–Rogaway: 128-bit “master” AES ❦ “The number of messages produces 128-bit “session Illinois at Chicago to be communicated in a First session key: AES ❦ session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” Second session key: ❦ block. etc. troublesome by 1990s. Why do they say this? Each session key ❦ ✵ Answer: Their security proof block. fails for #messages ✙ 2 ♥❂ 2 for limited #messages. troublesome now ✿ ✿ ✿ (AES: #messages ✙ 2 64 ), Typical use of session and becomes quantitatively AES-CTR, GCM, etc. useless long before that. for at most (e.g.) 2 So what should users do? No advice from 2006 BHHKKR.

  9. nonce 2006 Black–Halevi–Hevia– Common user response: Rek Krawczyk–Krovetz–Rogaway: 128-bit “master” AES key ❦ “The number of messages produces 128-bit “session keys”. Chicago to be communicated in a First session key: AES ❦ (1). session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” Second session key: AES ❦ (2). etc. 1990s. Why do they say this? Each session key ❦ ✵ is used Answer: Their security proof fails for #messages ✙ 2 ♥❂ 2 for limited #messages. w ✿ ✿ ✿ (AES: #messages ✙ 2 64 ), Typical use of session key: and becomes quantitatively AES-CTR, GCM, etc. useless long before that. for at most (e.g.) 2 40 blocks. So what should users do? No advice from 2006 BHHKKR.

  10. 2006 Black–Halevi–Hevia– Common user response: Rekeying. Krawczyk–Krovetz–Rogaway: 128-bit “master” AES key ❦ “The number of messages produces 128-bit “session keys”. to be communicated in a First session key: AES ❦ (1). session ✿ ✿ ✿ should not be allowed to approach 2 ♥❂ 2 .” Second session key: AES ❦ (2). etc. Why do they say this? Each session key ❦ ✵ is used Answer: Their security proof fails for #messages ✙ 2 ♥❂ 2 for limited #messages. (AES: #messages ✙ 2 64 ), Typical use of session key: and becomes quantitatively AES-CTR, GCM, etc. useless long before that. for at most (e.g.) 2 40 blocks. So what should users do? No advice from 2006 BHHKKR.

  11. Black–Halevi–Hevia– Common user response: Rekeying. In other czyk–Krovetz–Rogaway: 128-bit “master” AES key ❦ 128-bit AES ❦ number of messages produces 128-bit “session keys”. AES AES ❦ ❀ ❀ ✿ ✿ ✿ ❦ communicated in a AES AES ❦ ❀ ❀ ✿ ✿ ✿ First session key: AES ❦ (1). ❦ ✿ ✿ ✿ should not be AES AES ❦ ❀ ❀ ✿ ✿ ✿ d to approach 2 ♥❂ 2 .” Second session key: AES ❦ (2). ❦ and so on. etc. do they say this? This is real Each session key ❦ ✵ is used er: Their security proof ( ♠❀ ♥ ) ✼✦ ❦ ♠ ♥ r #messages ✙ 2 ♥❂ 2 for limited #messages. with a double- #messages ✙ 2 64 ), Typical use of session key: ecomes quantitatively AES-CTR, GCM, etc. long before that. for at most (e.g.) 2 40 blocks. what should users do? advice from 2006 BHHKKR.

  12. Black–Halevi–Hevia– Common user response: Rekeying. In other words: czyk–Krovetz–Rogaway: 128-bit “master” AES key ❦ 128-bit AES key ❦ messages produces 128-bit “session keys”. AES AES ❦ (1) (1) ❀ AES ❀ ✿ ✿ ✿ ❦ municated in a AES AES ❦ (2) (1) ❀ AES ❀ ✿ ✿ ✿ First session key: AES ❦ (1). ❦ ✿ ✿ ✿ should not be AES AES ❦ (3) (1) ❀ AES ❀ ✿ ✿ ✿ roach 2 ♥❂ 2 .” Second session key: AES ❦ (2). ❦ and so on. etc. this? This is really a new Each session key ❦ ✵ is used security proof ( ♠❀ ♥ ) ✼✦ AES AES ❦ ♠ ♥ #messages ✙ 2 ♥❂ 2 for limited #messages. with a double-size #messages ✙ 2 64 ), Typical use of session key: quantitatively AES-CTR, GCM, etc. re that. for at most (e.g.) 2 40 blocks. users do? 2006 BHHKKR.

  13. Common user response: Rekeying. In other words: ay: 128-bit “master” AES key ❦ 128-bit AES key ❦ produces produces 128-bit “session keys”. AES AES ❦ (1) (1) ❀ AES AES ❦ (1) (2) ❀ ✿ ✿ ✿ AES AES ❦ (2) (1) ❀ AES AES ❦ (2) (2) ❀ ✿ ✿ ✿ First session key: AES ❦ (1). ✿ ✿ ✿ AES AES ❦ (3) (1) ❀ AES AES ❦ (3) (2) ❀ ✿ ✿ ✿ ♥❂ .” Second session key: AES ❦ (2). and so on. etc. This is really a new cipher Each session key ❦ ✵ is used of ( ♠❀ ♥ ) ✼✦ AES AES ❦ ( ♠ ) ( ♥ ) ♥❂ for limited #messages. ✙ with a double-size input. ✙ Typical use of session key: quantitatively AES-CTR, GCM, etc. for at most (e.g.) 2 40 blocks. BHHKKR.

  14. Common user response: Rekeying. In other words: 128-bit “master” AES key ❦ 128-bit AES key ❦ produces produces 128-bit “session keys”. AES AES ❦ (1) (1) ❀ AES AES ❦ (1) (2) ❀ ✿ ✿ ✿ ; AES AES ❦ (2) (1) ❀ AES AES ❦ (2) (2) ❀ ✿ ✿ ✿ ; First session key: AES ❦ (1). AES AES ❦ (3) (1) ❀ AES AES ❦ (3) (2) ❀ ✿ ✿ ✿ ; Second session key: AES ❦ (2). and so on. etc. This is really a new cipher Each session key ❦ ✵ is used ( ♠❀ ♥ ) ✼✦ AES AES ❦ ( ♠ ) ( ♥ ) for limited #messages. with a double-size input. Typical use of session key: AES-CTR, GCM, etc. for at most (e.g.) 2 40 blocks.

  15. Common user response: Rekeying. In other words: 128-bit “master” AES key ❦ 128-bit AES key ❦ produces produces 128-bit “session keys”. AES AES ❦ (1) (1) ❀ AES AES ❦ (1) (2) ❀ ✿ ✿ ✿ ; AES AES ❦ (2) (1) ❀ AES AES ❦ (2) (2) ❀ ✿ ✿ ✿ ; First session key: AES ❦ (1). AES AES ❦ (3) (1) ❀ AES AES ❦ (3) (2) ❀ ✿ ✿ ✿ ; Second session key: AES ❦ (2). and so on. etc. This is really a new cipher Each session key ❦ ✵ is used ( ♠❀ ♥ ) ✼✦ AES AES ❦ ( ♠ ) ( ♥ ) for limited #messages. with a double-size input. Typical use of session key: Alert: User-designed cipher! AES-CTR, GCM, etc. Is this cipher secure? for at most (e.g.) 2 40 blocks.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now 2006 BlackHaleviHevia

626 views • 19 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Note: ChaCha is not an eSTREAM candidate! Post-eSTREAM cryptography. The Salsa20 cipher family Salsa20/20 is faster than AES. I

256 views • 10 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression

Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression

1 Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression function fixed Block cipher fixed Tweakable block cipher fixed Hash function variable MAC (without nonce) variable MAC (using nonce)

1.08k views • 107 slides
Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29 Everyone

337 views • 32 slides
Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Outline Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns Directory Structure Extending ns in OTcl ns-allinone If you dont want to compile source your changes in your sim Tcl8.3 TK8.3

303 views • 9 slides
NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

[Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn Tackmann University of California, San Diego Eurocrypt 2016, Vienna May 11, 2016

521 views • 37 slides
GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

` GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per Byt yte Shay Gueron Yehuda Lindell Bar-Ilan University Haifa Univ. and Intel Appeared at ACM CCS 2015 ` How to Encry rypt wit ith a Blo

684 views • 30 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
On the Salsa20 Core Function Julio Cesar Hernandez-Castro Juan M. E. Tapiador Jean-Jacques

On the Salsa20 Core Function Julio Cesar Hernandez-Castro Juan M. E. Tapiador Jean-Jacques

Introduction Main Results Conclusions On the Salsa20 Core Function Julio Cesar Hernandez-Castro Juan M. E. Tapiador Jean-Jacques Quisquater Crypto Group DICE Universite Catholique de Louvain Computer Science Department Carlos III

781 views • 28 slides
Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded computer Home automation Cinema set Car Infotainment system ... But: Essential hardware lacks: Data storage (harddisk and/or flash)

221 views • 9 slides
Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++ Debugging 2 ns Directory Structure ns-allinone Tcl8.3 TK8.3 OTcl tclcl ns-2 nam-1 ... tcl C+ + code ex test mcast ... lib examples

965 views • 52 slides
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France

980 views • 70 slides
Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of

Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of

Extending SymPA with Unsolvability Certificates Bachelor Thesis Claudia Grundke University of Basel Departement of Mathematics and Computer Science 18 September, 2020 Classical Planning A B start I G 1 G 2 C D Extending SymPA with

850 views • 45 slides
Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability

Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability

Extending CSP with tests for availability 01 Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability 02 Testing for availability Many languages for message-passing concurrency allow programs to test

541 views • 19 slides
BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

1.74k views • 57 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in Cryptographic Protocols Peeter Laud Tartu University and Cybernetica AS (joint work with Michael Backes) Teooriapevad Voorel, 29.0901.10.2006 p. 1/33

760 views • 47 slides
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universit at Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . 1

473 views • 28 slides
A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with Sjouke Mauw and Erik de Vink ccremers@win.tue.nl Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p.

391 views • 36 slides
AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity

922 views • 73 slides
All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

Lecture 4 All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store and broadcast the block chain Validate new transactions Vote (by hash power) on consensus Who are the miners? Lecture 4.1: The

1.16k views • 99 slides
Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and

Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and

Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and Implementa9on December 12, 2016 Agenda Webinar Instruc5ons (5 minutes) Overview of Requirements (70 minutes) Exports Imports Health

836 views • 55 slides

More recommend