SLIDE 1
Extending the Salsa20 nonce
Bernstein, University of Illinois at Chicago

DES had 64-bit block. Highly troublesome by 1990s.
AES has 128-bit block. Becoming troublesome now ...

2006 Black–Halevi–Hevia–Krawczyk–Krovetz–Rogaway: "The number of messages to be communicated in a session ... should not be allowed to approach 2^{n/2}."

Why do they say this? Answer: Their security proof fails for #messages ≈ 2^{n/2} (AES: #messages ≈ 2^64), and becomes quantitatively useless long before that.

So what should users do? No advice from 2006 BHHKKR.
SLIDE 2
Common user response: Rekeying.
128-bit "master" AES key k produces 128-bit "session keys". First session key: AES_k(1). Second session key: AES_k(2). etc.
Each session key k' is used for limited #messages.
Typical use of session key: AES-CTR, GCM, etc. for at most (e.g.) 2^40 blocks.
SLIDE 3
In other words: 128-bit AES key k produces
AES_{AES_k(1)}(1), AES_{AES_k(1)}(2), ...;
AES_{AES_k(2)}(1), AES_{AES_k(2)}(2), ...;
AES_{AES_k(3)}(1), AES_{AES_k(3)}(2), ...;
and so on.
This is really a new cipher (m, n) ↦ AES_{AES_k(m)}(n) with a double-size input.
Alert: User-designed cipher! Is this cipher secure?
SLIDE 4
Not really. Feasible attack:
Collect AES_{AES_k(n)}(0) for 2^40 inputs (n, 0).
Build 2^40 tiny search units, each computing 2^48 iterates of k' ↦ AES_{k'}(0).
Good chance of collision k' = AES_k(n) for some n, k'. Find via distinguished points.
Then trivially compute AES_{AES_k(n)}(1) etc.
Current chip technology: ≈ 1 year, ≈ 10^10 USD.
SLIDE 5
Two different philosophies for stopping this type of attack:
1. "Use random nonces." Attack relies critically on same input 0 being encrypted by many session keys k'. ... but randomization still leaves many security questions and raises usability questions.
2. "Use longer keys." Master key produces 256-bit output block, used as 256-bit session key. We have good 256-bit ciphers!
Master key produces 256-bit output block, used as 256-bit session key. We have good 256-bit ciphers! I’ll focus on strategy #2. Could generate 256-bit ❦✵ = (AES❦(2♥)❀ AES❦(2♥ + 1)). Use ❦✵ as key for 256-bit AES. But AES isn’t a great cipher: ✎ Small block, so distinguishable. ✎ Not much security margin. ✎ Uninspiring key schedule. ✎ Invites cache-timing attacks. ✎ Slow on most CPUs. ✎ Mediocre speed in hardware. ✎ Even slower with key expansion.
SLIDE 30
different philosophies for stopping this type of attack: “Use random nonces.” relies critically on input 0 being encrypted many session keys ❦✵. ✿ ✿ ✿ randomization still many security questions raises usability questions. “Use longer keys.” Master key produces 256-bit output block, as 256-bit session key. ve good 256-bit ciphers! I’ll focus on strategy #2. Could generate 256-bit ❦✵ = (AES❦(2♥)❀ AES❦(2♥ + 1)). Use ❦✵ as key for 256-bit AES. But AES isn’t a great cipher: ✎ Small block, so distinguishable. ✎ Not much security margin. ✎ Uninspiring key schedule. ✎ Invites cache-timing attacks. ✎ Slow on most CPUs. ✎ Mediocre speed in hardware. ✎ Even slower with key expansion. How about ✎ Large blo ✎ 150% ✎ Key at ✎ Naturally ✎ Fast across ✎ Better ✎ No key Can generate ❦✵ first 256 using 64-bit ♥ ❦ Use ❦✵ as
SLIDE 31
philosophies for e of attack: nonces.” critically on eing encrypted keys ❦✵. ✿ ✿ ✿ randomization still security questions ility questions. eys.” duces block, session key. 256-bit ciphers! I’ll focus on strategy #2. Could generate 256-bit ❦✵ = (AES❦(2♥)❀ AES❦(2♥ + 1)). Use ❦✵ as key for 256-bit AES. But AES isn’t a great cipher: ✎ Small block, so distinguishable. ✎ Not much security margin. ✎ Uninspiring key schedule. ✎ Invites cache-timing attacks. ✎ Slow on most CPUs. ✎ Mediocre speed in hardware. ✎ Even slower with key expansion. How about Salsa20? ✎ Large block; aim ✎ 150% security ma ✎ Key at top, not ✎ Naturally constant ✎ Fast across CPUs. ✎ Better than AES ✎ No key expansion. Can generate 256-bit ❦✵ first 256 bits of Salsa20 using 64-bit nonce ♥ ❦ Use ❦✵ as Salsa20
SLIDE 32
for attack: encrypted ❦✵ ✿ ✿ ✿ questions questions. ey. ciphers! I’ll focus on strategy #2. Could generate 256-bit ❦✵ = (AES❦(2♥)❀ AES❦(2♥ + 1)). Use ❦✵ as key for 256-bit AES. But AES isn’t a great cipher: ✎ Small block, so distinguishable. ✎ Not much security margin. ✎ Uninspiring key schedule. ✎ Invites cache-timing attacks. ✎ Slow on most CPUs. ✎ Mediocre speed in hardware. ✎ Even slower with key expansion. How about Salsa20? ✎ Large block; aims to be PRF. ✎ 150% security margin. ✎ Key at top, not on side. ✎ Naturally constant time. ✎ Fast across CPUs. ✎ Better than AES in hardwa ✎ No key expansion. Can generate 256-bit ❦✵ as first 256 bits of Salsa20 stream using 64-bit nonce ♥, key ❦. Use ❦✵ as Salsa20 session key
SLIDE 33
I’ll focus on strategy #2. Could generate 256-bit ❦✵ = (AES❦(2♥)❀ AES❦(2♥ + 1)). Use ❦✵ as key for 256-bit AES. But AES isn’t a great cipher: ✎ Small block, so distinguishable. ✎ Not much security margin. ✎ Uninspiring key schedule. ✎ Invites cache-timing attacks. ✎ Slow on most CPUs. ✎ Mediocre speed in hardware. ✎ Even slower with key expansion. How about Salsa20? ✎ Large block; aims to be PRF. ✎ 150% security margin. ✎ Key at top, not on side. ✎ Naturally constant time. ✎ Fast across CPUs. ✎ Better than AES in hardware. ✎ No key expansion. Can generate 256-bit ❦✵ as first 256 bits of Salsa20 stream using 64-bit nonce ♥, key ❦. Use ❦✵ as Salsa20 session key.
SLIDE 8
Improvement #1: Salsa20 is actually a function producing 512-bit block from 256-bit key, 128-bit input. Conventionally 128-bit input is interpreted as 64-bit nonce and 64-bit block counter (so output blocks are a stream), but function is designed to be fast and secure giving random access to blocks. So allow 128 bits in n. Generate 256-bit k' as half of 512-bit block.
SLIDE 9
Improvement #2: Look more closely at how Salsa20 works: initializes 512-bit block publicly from input n; adds 256-bit key k; applies many unkeyed rounds; adds 256-bit key k. Take k' as the other 256 bits ⇒ Skip final k addition. Important here that block is much bigger than k. Compare to Even–Mansour etc.
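An added example, not code from the talk or from any Salsa20/NaCl implementation: a Python model of the nonce extension described above, from the first proposal (k' = first 256 bits of the Salsa20 stream under a 64-bit nonce) through Improvement #1 (128-bit input) and Improvement #2 (skip the final key addition, take the 256 bits the key did not occupy, which is the HSalsa20 layout XSalsa20 uses). Function names, the sample key, nonce and message are this example's own constructed values.

```python
import struct

MASK = 0xFFFFFFFF
# Salsa20 constants "expand 32-byte k" as four little-endian words.
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
# Quarterround index groups from the Salsa20 spec: columnround, then rowround.
COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))
# The eight words of the 512-bit block that the key does NOT occupy:
# the constants (0, 5, 10, 15) and the 128-bit input (6, 7, 8, 9).
OTHER_WORDS = (0, 5, 10, 15, 6, 7, 8, 9)


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround; spec test: quarterround(1,0,0,0) = (0x08008145, 0x80, 0x10200, 0x20500000)."""
    z1 = y1 ^ rotl32((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def salsa20_rounds(words, add_input=True):
    """20 unkeyed rounds on a 16-word block. add_input=False skips the final
    feed-forward addition of the initial block (the 'skip final k addition')."""
    x = list(words)
    for _ in range(10):
        for a, b, c, d in COLUMNS + ROWS:
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    if add_input:
        x = [(x[i] + words[i]) & MASK for i in range(16)]
    return x


def initial_block(key, inp16):
    """Public initialization: constants on the diagonal, 256-bit key in
    words 1-4 and 11-14, 128-bit input (nonce and/or counter) in words 6-9."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<4I", inp16)
    return [SIGMA[0], k[0], k[1], k[2],
            k[3], SIGMA[1], n[0], n[1],
            n[2], n[3], SIGMA[2], k[4],
            k[5], k[6], k[7], SIGMA[3]]


def salsa20_block(key, nonce8, counter):
    """Conventional use: 64-bit nonce + 64-bit block counter -> 64-byte stream block."""
    block = initial_block(key, nonce8 + struct.pack("<Q", counter))
    return struct.pack("<16I", *salsa20_rounds(block))


def session_key_v0(key, nonce8):
    """First proposal: k' = first 256 bits of the Salsa20 stream for nonce n."""
    return salsa20_block(key, nonce8, 0)[:32]


def hsalsa20(key, inp16):
    """Improvements #1 and #2: 128-bit input, no final key addition, and k'
    taken as the 256 bits of the block that the key did not occupy."""
    x = salsa20_rounds(initial_block(key, inp16), add_input=False)
    return struct.pack("<8I", *[x[i] for i in OTHER_WORDS])


def extended_nonce_keystream(key, nonce24, nbytes):
    """Cascade: 128 bits of a 192-bit nonce derive k'; the remaining 64 bits
    are the ordinary Salsa20 nonce under k'."""
    subkey = hsalsa20(key, nonce24[:16])
    out = b""
    for counter in range((nbytes + 63) // 64):
        out += salsa20_block(subkey, nonce24[16:], counter)
    return out[:nbytes]


def xor_stream(key, nonce24, data):
    ks = extended_nonce_keystream(key, nonce24, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# Constructed sample values (not test vectors from any specification).
MASTER_KEY = bytes(range(32))
NONCE24 = bytes(range(100, 124))
MESSAGE = b"session key derived from master key k and 192-bit nonce n"

if __name__ == "__main__":
    ct = xor_stream(MASTER_KEY, NONCE24, MESSAGE)
    assert xor_stream(MASTER_KEY, NONCE24, ct) == MESSAGE
    print("k' =", hsalsa20(MASTER_KEY, NONCE24[:16]).hex())
    print("ciphertext =", ct.hex())
```

The quarterround and all-zero-block checks in the test are the spec's own sanity vectors; the rest exercises the cascade on the constructed sample.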
SLIDE 10
What about security? Recall feasible 128-bit attack. Moving from 128 bits to 256 bits puts attack very far out of reach. Could there be better attacks?
1996 Bellare–Canetti–Krawczyk: Can convert any q-query attack into similarly efficient single-key attack on original cipher, losing factor ≤ 2q in success probability.
Warning: FOCS 1996 "theorem" omits factor q. Corrected in 2005 online version.
SLIDE 11
Better security proof, this paper:
1. Factor ≤ (ℓ − 1)q + 1 for ℓ levels. Compare to ℓq from 2005 BCK.
2. Allow independent ciphers for master key, session keys. Attack success probability ≤ ε vs. master cipher, ≤ ε' vs. session cipher ⇒ ≤ ε + qε' vs. cascaded cipher.
Combining 1 and 2: deduce ℓ-level security immediately from 2-level security.
SLIDE 50 about security? feasible 128-bit attack. Moving from 128 bits to 256 bits attack very far out of reach. there be better attacks? Bellare–Canetti–Krawczyk: convert any q-query attack similarly efficient single-key
- n original cipher, losing
✔ 2q in success probability. rning: FOCS 1996 rem” omits factor q. rrected in 2005 online version. Better security proof, this paper:
✔ (❵ 1)q + 1 for ❵ levels. Compare to ❵q from 2005 BCK.
- 2. Allow independent ciphers
for master key, session keys. Attack success probability ✔ ✎ vs. master cipher, ✔ ✎✵ vs. session cipher ✮ ✔ ✎ + q✎✵ vs. cascaded cipher. Combining 1 and 2: deduce ❵-level security immediately from 2-level security. 2-level AES 240 queries, Is 1-level
SLIDE 51 security? 128-bit attack. 128 bits to 256 bits far out of reach. etter attacks? netti–Krawczyk: q-query attack efficient single-key riginal cipher, losing ✔ q success probability. 1996
2005 online version. Better security proof, this paper:
✔ (❵ 1)q + 1 for ❵ levels. Compare to ❵q from 2005 BCK.
- 2. Allow independent ciphers
for master key, session keys. Attack success probability ✔ ✎ vs. master cipher, ✔ ✎✵ vs. session cipher ✮ ✔ ✎ + q✎✵ vs. cascaded cipher. Combining 1 and 2: deduce ❵-level security immediately from 2-level security. 2-level AES is break 240 queries, space Is 1-level AES really
SLIDE 52 attack. 256 bits
attacks? czyk: q attack single-key losing ✔ q robability. q version. Better security proof, this paper:
✔ (❵ 1)q + 1 for ❵ levels. Compare to ❵q from 2005 BCK.
- 2. Allow independent ciphers
for master key, session keys. Attack success probability ✔ ✎ vs. master cipher, ✔ ✎✵ vs. session cipher ✮ ✔ ✎ + q✎✵ vs. cascaded cipher. Combining 1 and 2: deduce ❵-level security immediately from 2-level security. 2-level AES is breakable with 240 queries, space 240, time Is 1-level AES really more secure?
SLIDE 53 Better security proof, this paper:
✔ (❵ 1)q + 1 for ❵ levels. Compare to ❵q from 2005 BCK.
- 2. Allow independent ciphers
for master key, session keys. Attack success probability ✔ ✎ vs. master cipher, ✔ ✎✵ vs. session cipher ✮ ✔ ✎ + q✎✵ vs. cascaded cipher. Combining 1 and 2: deduce ❵-level security immediately from 2-level security. 2-level AES is breakable with 240 queries, space 240, time 248. Is 1-level AES really more secure?
SLIDE 54 Better security proof, this paper:
✔ (❵ 1)q + 1 for ❵ levels. Compare to ❵q from 2005 BCK.
- 2. Allow independent ciphers
for master key, session keys. Attack success probability ✔ ✎ vs. master cipher, ✔ ✎✵ vs. session cipher ✮ ✔ ✎ + q✎✵ vs. cascaded cipher. Combining 1 and 2: deduce ❵-level security immediately from 2-level security. 2-level AES is breakable with 240 queries, space 240, time 248. Is 1-level AES really more secure? No! 1996 Biham “key collisions” break 240-user 1-level AES in exactly the same way. Traditional 1-user metric: Breaking AES using q queries costs 2128 by best attack known. Biham’s multi-user metric: 2128❂q by best attack known.
SLIDE 55 Better security proof, this paper:
✔ (❵ 1)q + 1 for ❵ levels. Compare to ❵q from 2005 BCK.
- 2. Allow independent ciphers
for master key, session keys. Attack success probability ✔ ✎ vs. master cipher, ✔ ✎✵ vs. session cipher ✮ ✔ ✎ + q✎✵ vs. cascaded cipher. Combining 1 and 2: deduce ❵-level security immediately from 2-level security. 2-level AES is breakable with 240 queries, space 240, time 248. Is 1-level AES really more secure? No! 1996 Biham “key collisions” break 240-user 1-level AES in exactly the same way. Traditional 1-user metric: Breaking AES using q queries costs 2128 by best attack known. Biham’s multi-user metric: 2128❂q by best attack known. Loss factor ✔ 2 between 2-level AES and 1-level AES in this multi-user metric.
SLIDE 56
security proof, this paper: Loss factor ✔ q + 1. ✔ ❵ 1)q + 1 for ❵ levels. Compare to ❵q from 2005 BCK. w independent ciphers aster key, session keys. success probability ✔ ✎ vs. master cipher, ✔ ✎✵ vs. session cipher ✮ ✔ ✎ + q✎✵ vs. cascaded cipher. Combining 1 and 2: deduce ❵-level security immediately from 2-level security. 2-level AES is breakable with 240 queries, space 240, time 248. Is 1-level AES really more secure? No! 1996 Biham “key collisions” break 240-user 1-level AES in exactly the same way. Traditional 1-user metric: Breaking AES using q queries costs 2128 by best attack known. Biham’s multi-user metric: 2128❂q by best attack known. Loss factor ✔ 2 between 2-level AES and 1-level AES in this multi-user metric.
SLIDE 57 roof, this paper: ✔ q + 1. ✔ ❵ q
❵q from 2005 BCK. endent ciphers session keys. robability ✔ ✎ cipher, ✔ ✎✵ cipher ✮ ✔ ✎ q✎✵ cascaded cipher. and 2: ❵ security 2-level security. 2-level AES is breakable with 240 queries, space 240, time 248. Is 1-level AES really more secure? No! 1996 Biham “key collisions” break 240-user 1-level AES in exactly the same way. Traditional 1-user metric: Breaking AES using q queries costs 2128 by best attack known. Biham’s multi-user metric: 2128❂q by best attack known. Loss factor ✔ 2 between 2-level AES and 1-level AES in this multi-user metric.
SLIDE 58
paper: ✔ q ✔ ❵ q ❵ levels. ❵q BCK. ciphers eys. ✔ ✎ ✔ ✎✵ ✮ ✔ ✎ q✎✵ cipher. ❵ security. 2-level AES is breakable with 240 queries, space 240, time 248. Is 1-level AES really more secure? No! 1996 Biham “key collisions” break 240-user 1-level AES in exactly the same way. Traditional 1-user metric: Breaking AES using q queries costs 2128 by best attack known. Biham’s multi-user metric: 2128❂q by best attack known. Loss factor ✔ 2 between 2-level AES and 1-level AES in this multi-user metric.
SLIDE 59
2-level AES is breakable with 240 queries, space 240, time 248. Is 1-level AES really more secure? No! 1996 Biham “key collisions” break 240-user 1-level AES in exactly the same way. Traditional 1-user metric: Breaking AES using q queries costs 2128 by best attack known. Biham’s multi-user metric: 2128❂q by best attack known. Loss factor ✔ 2 between 2-level AES and 1-level AES in this multi-user metric.
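Added worked derivation, not part of the original slides: it spells out how item 2 (independent master and session ciphers) yields the ℓ-level loss factor (ℓ − 1)q + 1 from the 2-level case. The symbols ℓ, q, ε are the slide's own; writing ε_ℓ for the best success probability against an ℓ-level cascade, and taking the (ℓ − 1)-level cascade as the "master cipher" and a single cipher (success ≤ ε) as the "session cipher", is the reading assumed here.

$$
\begin{aligned}
\varepsilon_1 &\le \varepsilon, \\
\varepsilon_2 &\le \varepsilon + q\varepsilon = (q+1)\varepsilon
  && \text{(item 2 with } \varepsilon' = \varepsilon\text{)}, \\
\varepsilon_\ell &\le \varepsilon_{\ell-1} + q\varepsilon
  && \text{(item 2, master = the } (\ell-1)\text{-level cascade)}, \\
\varepsilon_\ell &\le \bigl(1 + (\ell-1)q\bigr)\varepsilon = \bigl((\ell-1)q+1\bigr)\varepsilon
  && \text{(unrolling the recursion).}
\end{aligned}
$$

The loss grows linearly in ℓ, versus ℓq for 2005 BCK; a naive recursion ε_ℓ ≤ ε + qε_{ℓ−1} (session cipher = the rest of the cascade) would instead give a bound growing like q^{ℓ−1}, which is why the choice of what plays "master" matters.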