Goals of Encryption authenticated encryption sender - - PowerPoint PPT Presentation

Goals of authenticated encryption Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven More details, credits: competitions.cr.yp.to /features.html Encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext.

• f

authenticated encryption

• J. Bernstein

University of Illinois at Chicago & echnische Universiteit Eindhoven details, credits: competitions.cr.yp.to /features.html Encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Authenticated sender

• m
• c
• network

k: secret m: variable-length c: variable-length

encryption Bernstein Illinois at Chicago & Universiteit Eindhoven credits: competitions.cr.yp.to Encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Authenticated encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length c: variable-length

Chicago & Eindhoven Encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Authenticated encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext.

Encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Authenticated encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext.

Encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Authenticated encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Same picture! But now c is slightly longer than m: includes an “authentication tag”.

Encryption sender k rk secret key. riable-length plaintext. riable-length ciphertext. Authenticated encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Same picture! But now c is slightly longer than m: includes an “authentication tag”. Message

• n

k: secret n: public m: variable-length c: variable-length Changes hide repetitions

riable-length plaintext. riable-length ciphertext. Authenticated encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Same picture! But now c is slightly longer than m: includes an “authentication tag”. Message numbers sender

• n
• m
• c
• network

k: secret key. n: public message m: variable-length c: variable-length Changes in message hide repetitions of

plaintext. ciphertext. Authenticated encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Same picture! But now c is slightly longer than m: includes an “authentication tag”. Message numbers sender

• n
• m
• c
• k
• network

k: secret key. n: public message number. m: variable-length plaintext. c: variable-length ciphertext. Changes in message number hide repetitions of plaintext.

Authenticated encryption sender

• m
• c
• k
• network

k: secret key. m: variable-length plaintext. c: variable-length ciphertext. Same picture! But now c is slightly longer than m: includes an “authentication tag”. Message numbers sender

• n
• m
• c
• k
• network

k: secret key. n: public message number. m: variable-length plaintext. c: variable-length ciphertext. Changes in message number hide repetitions of plaintext.

Authenticated encryption sender k rk secret key. riable-length plaintext. riable-length ciphertext. picture! But now slightly longer than m: includes an “authentication tag”. Message numbers sender

• n
• m
• c
• k
• network

k: secret key. n: public message number. m: variable-length plaintext. c: variable-length ciphertext. Changes in message number hide repetitions of plaintext. Associated

• n

k: secret n: public a: variable-length m: variable-length c: variable-length

encryption riable-length plaintext. riable-length ciphertext. But now longer than m: “authentication tag”. Message numbers sender

• n
• m
• c
• k
• network

k: secret key. n: public message number. m: variable-length plaintext. c: variable-length ciphertext. Changes in message number hide repetitions of plaintext. Associated data sender

• n
• m
• c
• network

k: secret key. n: public message a: variable-length m: variable-length c: variable-length

plaintext. ciphertext. : ation tag”. Message numbers sender

• n
• m
• c
• k
• network

k: secret key. n: public message number. m: variable-length plaintext. c: variable-length ciphertext. Changes in message number hide repetitions of plaintext. Associated data sender

• n
• m
• a
• c
• k
• network

k: secret key. n: public message number. a: variable-length associated m: variable-length plaintext. c: variable-length ciphertext.

Message numbers sender

• n
• m
• c
• k
• network

k: secret key. n: public message number. m: variable-length plaintext. c: variable-length ciphertext. Changes in message number hide repetitions of plaintext. Associated data sender

• n
• m
• a
• c
• k
• network

k: secret key. n: public message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext.

Message numbers sender

• n
• m
• c
• k
• network

k: secret key. n: public message number. m: variable-length plaintext. c: variable-length ciphertext. Changes in message number hide repetitions of plaintext. Associated data sender

• n
• m
• a
• c
• k
• network

k: secret key. n: public message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. No problem repeating a.

Message numbers sender

• m
• c
• k
• network

secret key. public message number. riable-length plaintext. riable-length ciphertext. Changes in message number repetitions of plaintext. Associated data sender

• n
• m
• a
• c
• k
• network

k: secret key. n: public message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. No problem repeating a. Secret me

• n

k: secret n: secret a: variable-length m: variable-length c: variable-length

ers k message number. riable-length plaintext. riable-length ciphertext. message number

• f plaintext.

Associated data sender

• n
• m
• a
• c
• k
• network

k: secret key. n: public message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. No problem repeating a. Secret message numb sender

• n
• m
• c
• network

k: secret key. n: secret message a: variable-length m: variable-length c: variable-length

er. plaintext. ciphertext. er plaintext. Associated data sender

• n
• m
• a
• c
• k
• network

k: secret key. n: public message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. No problem repeating a. Secret message numbers sender

• n
• m
• a
• c
• k
• network

k: secret key. n: secret message number. a: variable-length associated m: variable-length plaintext. c: variable-length ciphertext.

Associated data sender

• n
• m
• a
• c
• k
• network

k: secret key. n: public message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. No problem repeating a. Secret message numbers sender

• n
• m
• a
• c
• k
• network

k: secret key. n: secret message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext.

ciated data sender

• m
• a
• c
• k
• network

secret key. public message number. riable-length associated data. riable-length plaintext. riable-length ciphertext. roblem repeating a. Secret message numbers sender

• n
• m
• a
• c
• k
• network

k: secret key. n: secret message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. What is Plaintext associat message-numb Forge (n receiver legitimate “INT-PTXT” (integrity protection Stronger Forge at

a k message number. riable-length associated data. riable-length plaintext. riable-length ciphertext. eating a. Secret message numbers sender

• n
• m
• a
• c
• k
• network

k: secret key. n: secret message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. What is the attack Plaintext corruption, associated-data co message-number Forge (n; m; a) that receiver accepts but legitimate sender never “INT-PTXT” (integrity of plaintexts) protection against Stronger goal: Forge at least f messages.

er. ciated data. plaintext. ciphertext. Secret message numbers sender

• n
• m
• a
• c
• k
• network

k: secret key. n: secret message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. What is the attacker’s goal? Plaintext corruption, associated-data corruption, message-number corruption. Forge (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means protection against such attacks. Stronger goal: Forge at least f messages.

Secret message numbers sender

• n
• m
• a
• c
• k
• network

k: secret key. n: secret message number. a: variable-length associated data. m: variable-length plaintext. c: variable-length ciphertext. What is the attacker’s goal? Plaintext corruption, associated-data corruption, message-number corruption. Forge (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means protection against such attacks. Stronger goal: Forge at least f messages.

message numbers sender

• m
• a
• c
• k
• network

secret key. secret message number. riable-length associated data. riable-length plaintext. riable-length ciphertext. What is the attacker’s goal? Plaintext corruption, associated-data corruption, message-number corruption. Forge (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means protection against such attacks. Stronger goal: Forge at least f messages. Ciphertext Forge c receiver legitimate “INT-CTXT” (integrity protection

numbers a k ssage number. riable-length associated data. riable-length plaintext. riable-length ciphertext. What is the attacker’s goal? Plaintext corruption, associated-data corruption, message-number corruption. Forge (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means protection against such attacks. Stronger goal: Forge at least f messages. Ciphertext corruption. Forge c that receiver accepts but legitimate sender never “INT-CTXT” (integrity of ciphertexts) protection against

er. ciated data. plaintext. ciphertext. What is the attacker’s goal? Plaintext corruption, associated-data corruption, message-number corruption. Forge (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means protection against such attacks. Stronger goal: Forge at least f messages. Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks.

What is the attacker’s goal? Plaintext corruption, associated-data corruption, message-number corruption. Forge (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means protection against such attacks. Stronger goal: Forge at least f messages. Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks.

What is the attacker’s goal? Plaintext corruption, associated-data corruption, message-number corruption. Forge (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means protection against such attacks. Stronger goal: Forge at least f messages. Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string.

What is the attacker’s goal? Plaintext corruption, associated-data corruption, message-number corruption. Forge (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means protection against such attacks. Stronger goal: Forge at least f messages. Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string. Is it better to randomly pad or zero-pad a strong 112-bit MAC to 128 bits?

is the attacker’s goal? Plaintext corruption, ciated-data corruption, message-number corruption. (n; m; a) that receiver accepts but that legitimate sender never encrypted. “INT-PTXT” (integrity of plaintexts) means rotection against such attacks. Stronger goal: at least f messages. Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string. Is it better to randomly pad or zero-pad a strong 112-bit MAC to 128 bits? Replay. Convince legitimate than legitimate

attacker’s goal? rruption, data corruption, er corruption. that but that der never encrypted. plaintexts) means nst such attacks. messages. Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string. Is it better to randomly pad or zero-pad a strong 112-bit MAC to 128 bits? Replay. Convince receiver to legitimate (n; m; a) than legitimate sender

goal? rruption, rruption. encrypted. means attacks. Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string. Is it better to randomly pad or zero-pad a strong 112-bit MAC to 128 bits? Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it.

Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string. Is it better to randomly pad or zero-pad a strong 112-bit MAC to 128 bits? Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it.

Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string. Is it better to randomly pad or zero-pad a strong 112-bit MAC to 128 bits? Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order.

Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string. Is it better to randomly pad or zero-pad a strong 112-bit MAC to 128 bits? Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc.

Ciphertext corruption. Forge c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means protection against such attacks. Ciphertext prediction. Distinguish c from uniform random string. Is it better to randomly pad or zero-pad a strong 112-bit MAC to 128 bits? Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc. Typically delegate solutions to higher-level protocols, but is this optimal?

Ciphertext corruption. c that receiver accepts but that legitimate sender never produced. “INT-CTXT” (integrity of ciphertexts) means rotection against such attacks. Ciphertext prediction. Distinguish c from random string. etter to randomly pad or zero-pad a 112-bit MAC to 128 bits? Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc. Typically delegate solutions to higher-level protocols, but is this optimal? Plaintext Figure out

rruption. but that der never produced. ciphertexts) means nst such attacks. rediction. from string. r zero-pad a MAC to 128 bits? Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc. Typically delegate solutions to higher-level protocols, but is this optimal? Plaintext espionage. Figure out user’s secret

roduced. means attacks. a 128 bits? Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc. Typically delegate solutions to higher-level protocols, but is this optimal? Plaintext espionage. Figure out user’s secret message.

Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc. Typically delegate solutions to higher-level protocols, but is this optimal? Plaintext espionage. Figure out user’s secret message.

Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc. Typically delegate solutions to higher-level protocols, but is this optimal? Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number.

Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc. Typically delegate solutions to higher-level protocols, but is this optimal? Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number. Traditional crypto view: It’s okay to use a counter as a message number. Count is public anyway.

Replay. Convince receiver to accept legitimate (n; m; a) more times than legitimate sender sent it. Reordering. Convince receiver to accept legitimate messages out of order. Sabotage. Prevent receiver from seeing (n; m; a) as often as sender sent it: flood radio, switch, CPU, etc. Typically delegate solutions to higher-level protocols, but is this optimal? Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number. Traditional crypto view: It’s okay to use a counter as a message number. Count is public anyway. Counterarguments: Did attacker see everything? Maybe timestamp is better, but how much does it leak? Should encrypt by default.

y. Convince receiver to accept legitimate (n; m; a) more times legitimate sender sent it. dering. Convince receiver to accept legitimate messages out of order.

• tage.

Prevent receiver from seeing a) as often as sender sent

• d radio, switch, CPU, etc.

ypically delegate solutions higher-level protocols, this optimal? Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number. Traditional crypto view: It’s okay to use a counter as a message number. Count is public anyway. Counterarguments: Did attacker see everything? Maybe timestamp is better, but how much does it leak? Should encrypt by default. What are Extensive Are 80-bit Are 128-bit

r to accept ; a) more times sender sent it. r to accept ssages out of order. from seeing

• ften as sender sent

switch, CPU, etc. delegate solutions rotocols,

• ptimal?

Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number. Traditional crypto view: It’s okay to use a counter as a message number. Count is public anyway. Counterarguments: Did attacker see everything? Maybe timestamp is better, but how much does it leak? Should encrypt by default. What are the attack Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate?

accept times sent it. accept

• f order.

seeing sender sent CPU, etc. solutions Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number. Traditional crypto view: It’s okay to use a counter as a message number. Count is public anyway. Counterarguments: Did attacker see everything? Maybe timestamp is better, but how much does it leak? Should encrypt by default. What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate?

Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number. Traditional crypto view: It’s okay to use a counter as a message number. Count is public anyway. Counterarguments: Did attacker see everything? Maybe timestamp is better, but how much does it leak? Should encrypt by default. What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate?

Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number. Traditional crypto view: It’s okay to use a counter as a message number. Count is public anyway. Counterarguments: Did attacker see everything? Maybe timestamp is better, but how much does it leak? Should encrypt by default. What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate? Main arguments for small keys:

• 1. Smaller keys are cheaper.

Plaintext espionage. Figure out user’s secret message. Message-number espionage. Figure out user’s secret message number. Traditional crypto view: It’s okay to use a counter as a message number. Count is public anyway. Counterarguments: Did attacker see everything? Maybe timestamp is better, but how much does it leak? Should encrypt by default. What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate? Main arguments for small keys:

• 1. Smaller keys are cheaper.
• 2. Attack cost outweighs

economic benefit of breaking key, so no sensible attacker will carry out a 280 attack. Maybe 64-bit keys are enough.

Plaintext espionage.

• ut user’s secret message.

Message-number espionage.

• ut user’s secret

message number. raditional crypto view: ay to use a counter message number. is public anyway. Counterarguments: attacker see everything? timestamp is better, w much does it leak? encrypt by default. What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate? Main arguments for small keys:

• 1. Smaller keys are cheaper.
• 2. Attack cost outweighs

economic benefit of breaking key, so no sensible attacker will carry out a 280 attack. Maybe 64-bit keys are enough. Main countera

• 1. Larger

User doesn’t better perfo

espionage. user’s secret message. er espionage. user’s secret er. crypto view: a counter number. anyway. rguments: everything? timestamp is better, does it leak? by default. What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate? Main arguments for small keys:

• 1. Smaller keys are cheaper.
• 2. Attack cost outweighs

economic benefit of breaking key, so no sensible attacker will carry out a 280 attack. Maybe 64-bit keys are enough. Main counterarguments

• 1. Larger keys are

User doesn’t actually better performance.

message. espionage. everything? etter, leak? default. What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate? Main arguments for small keys:

• 1. Smaller keys are cheaper.
• 2. Attack cost outweighs

economic benefit of breaking key, so no sensible attacker will carry out a 280 attack. Maybe 64-bit keys are enough. Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate? Main arguments for small keys:

• 1. Smaller keys are cheaper.
• 2. Attack cost outweighs

economic benefit of breaking key, so no sensible attacker will carry out a 280 attack. Maybe 64-bit keys are enough. Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate? Main arguments for small keys:

• 1. Smaller keys are cheaper.
• 2. Attack cost outweighs

economic benefit of breaking key, so no sensible attacker will carry out a 280 attack. Maybe 64-bit keys are enough. Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

• 2. Attacker’s cost-benefit ratio

is improved by multiple-user attacks, multiple forgeries, etc.

What are the attacker’s resources? Extensive computation. Are 80-bit keys adequate? Are 128-bit keys adequate? Main arguments for small keys:

• 1. Smaller keys are cheaper.
• 2. Attack cost outweighs

economic benefit of breaking key, so no sensible attacker will carry out a 280 attack. Maybe 64-bit keys are enough. Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

• 2. Attacker’s cost-benefit ratio

is improved by multiple-user attacks, multiple forgeries, etc.

• 3. Some attackers carry out

attacks that are feasible but not economically rational. What attacks are feasible?

are the attacker’s resources? Extensive computation. 80-bit keys adequate? 128-bit keys adequate? arguments for small keys: Smaller keys are cheaper. ttack cost outweighs economic benefit of breaking key, sensible attacker will

• ut a 280 attack.

64-bit keys are enough. Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

• 2. Attacker’s cost-benefit ratio

is improved by multiple-user attacks, multiple forgeries, etc.

• 3. Some attackers carry out

attacks that are feasible but not economically rational. What attacks are feasible? Back-of-the-envelop 257 watts: atmosphere 244 watts: 226 watts: costing 2 1 watt: p 268 bit op using mass-ma

attacker’s resources? computation. adequate? adequate? for small keys: are cheaper.

• utweighs

enefit of breaking key, attacker will attack. eys are enough. Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

• 2. Attacker’s cost-benefit ratio

is improved by multiple-user attacks, multiple forgeries, etc.

• 3. Some attackers carry out

attacks that are feasible but not economically rational. What attacks are feasible? Back-of-the-envelop 257 watts: received atmosphere from the 244 watts: world p 226 watts: one computer costing 230 dollars. 1 watt: power for 268 bit operations using mass-market

resources? adequate? keys: er. reaking key, will enough. Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

• 2. Attacker’s cost-benefit ratio

is improved by multiple-user attacks, multiple forgeries, etc.

• 3. Some attackers carry out

attacks that are feasible but not economically rational. What attacks are feasible? Back-of-the-envelope figures: 257 watts: received by Earth’s atmosphere from the Sun. 244 watts: world power usage. 226 watts: one computer center costing 230 dollars. 1 watt: power for 268 bit operations per year using mass-market GPUs.

Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

• 2. Attacker’s cost-benefit ratio

is improved by multiple-user attacks, multiple forgeries, etc.

• 3. Some attackers carry out

attacks that are feasible but not economically rational. What attacks are feasible? Back-of-the-envelope figures: 257 watts: received by Earth’s atmosphere from the Sun. 244 watts: world power usage. 226 watts: one computer center costing 230 dollars. 1 watt: power for 268 bit operations per year using mass-market GPUs.

Main counterarguments:

• 1. Larger keys are cheap enough.

User doesn’t actually need better performance.

• 2. Attacker’s cost-benefit ratio

is improved by multiple-user attacks, multiple forgeries, etc.

• 3. Some attackers carry out

attacks that are feasible but not economically rational. What attacks are feasible? Back-of-the-envelope figures: 257 watts: received by Earth’s atmosphere from the Sun. 244 watts: world power usage. 226 watts: one computer center costing 230 dollars. 1 watt: power for 268 bit operations per year using mass-market GPUs. Scalable quantum computers. 264 simple quantum operations to find a 128-bit key using Grover’s algorithm.

counterarguments: rger keys are cheap enough. doesn’t actually need performance. ttacker’s cost-benefit ratio roved by multiple-user attacks, multiple forgeries, etc. Some attackers carry out attacks that are feasible not economically rational. attacks are feasible? Back-of-the-envelope figures: 257 watts: received by Earth’s atmosphere from the Sun. 244 watts: world power usage. 226 watts: one computer center costing 230 dollars. 1 watt: power for 268 bit operations per year using mass-market GPUs. Scalable quantum computers. 264 simple quantum operations to find a 128-bit key using Grover’s algorithm. Many messages. Some designers “switch k Other designers eliminating adds robustness.

rguments: re cheap enough. actually need rmance. cost-benefit ratio attacks, rgeries, etc. ers carry out feasible economically rational. re feasible? Back-of-the-envelope figures: 257 watts: received by Earth’s atmosphere from the Sun. 244 watts: world power usage. 226 watts: one computer center costing 230 dollars. 1 watt: power for 268 bit operations per year using mass-market GPUs. Scalable quantum computers. 264 simple quantum operations to find a 128-bit key using Grover’s algorithm. Many messages. Some designers blame “switch keys after Other designers argue eliminating such requirements adds robustness.

enough. ratio

• ut

rational. Back-of-the-envelope figures: 257 watts: received by Earth’s atmosphere from the Sun. 244 watts: world power usage. 226 watts: one computer center costing 230 dollars. 1 watt: power for 268 bit operations per year using mass-market GPUs. Scalable quantum computers. 264 simple quantum operations to find a 128-bit key using Grover’s algorithm. Many messages. Some designers blame the user: “switch keys after 220 messages”. Other designers argue that eliminating such requirements adds robustness.

Back-of-the-envelope figures: 257 watts: received by Earth’s atmosphere from the Sun. 244 watts: world power usage. 226 watts: one computer center costing 230 dollars. 1 watt: power for 268 bit operations per year using mass-market GPUs. Scalable quantum computers. 264 simple quantum operations to find a 128-bit key using Grover’s algorithm. Many messages. Some designers blame the user: “switch keys after 220 messages”. Other designers argue that eliminating such requirements adds robustness.

Back-of-the-envelope figures: 257 watts: received by Earth’s atmosphere from the Sun. 244 watts: world power usage. 226 watts: one computer center costing 230 dollars. 1 watt: power for 268 bit operations per year using mass-market GPUs. Scalable quantum computers. 264 simple quantum operations to find a 128-bit key using Grover’s algorithm. Many messages. Some designers blame the user: “switch keys after 220 messages”. Other designers argue that eliminating such requirements adds robustness. Chosen plaintexts, chosen ciphertexts, chosen message numbers. Consensus: Unacceptable to blame the user. All ciphers must be safe against chosen-plaintext attacks and against chosen-ciphertext attacks.

Back-of-the-envelope figures: atts: received by Earth’s atmosphere from the Sun. atts: world power usage. atts: one computer center costing 230 dollars. att: power for bit operations per year mass-market GPUs. Scalable quantum computers. simple quantum operations a 128-bit key Grover’s algorithm. Many messages. Some designers blame the user: “switch keys after 220 messages”. Other designers argue that eliminating such requirements adds robustness. Chosen plaintexts, chosen ciphertexts, chosen message numbers. Consensus: Unacceptable to blame the user. All ciphers must be safe against chosen-plaintext attacks and against chosen-ciphertext attacks. Many users. degrade

Back-of-the-envelope figures: received by Earth’s the Sun. power usage. computer center rs. r erations per year et GPUs. quantum computers. quantum operations key algorithm. Many messages. Some designers blame the user: “switch keys after 220 messages”. Other designers argue that eliminating such requirements adds robustness. Chosen plaintexts, chosen ciphertexts, chosen message numbers. Consensus: Unacceptable to blame the user. All ciphers must be safe against chosen-plaintext attacks and against chosen-ciphertext attacks. Many users. How degrade with numb

figures: rth’s usage. center r computers. erations Many messages. Some designers blame the user: “switch keys after 220 messages”. Other designers argue that eliminating such requirements adds robustness. Chosen plaintexts, chosen ciphertexts, chosen message numbers. Consensus: Unacceptable to blame the user. All ciphers must be safe against chosen-plaintext attacks and against chosen-ciphertext attacks. Many users. How does securit degrade with number of keys?

Many messages. Some designers blame the user: “switch keys after 220 messages”. Other designers argue that eliminating such requirements adds robustness. Chosen plaintexts, chosen ciphertexts, chosen message numbers. Consensus: Unacceptable to blame the user. All ciphers must be safe against chosen-plaintext attacks and against chosen-ciphertext attacks. Many users. How does security degrade with number of keys?

Many messages. Some designers blame the user: “switch keys after 220 messages”. Other designers argue that eliminating such requirements adds robustness. Chosen plaintexts, chosen ciphertexts, chosen message numbers. Consensus: Unacceptable to blame the user. All ciphers must be safe against chosen-plaintext attacks and against chosen-ciphertext attacks. Many users. How does security degrade with number of keys? Repeated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact for many ciphers: Leak number of shared initial blocks of plaintext. Leak xor of first non-shared block. Allow forgery under this n. Allow forgery under any n′.

messages. designers blame the user: “switch keys after 220 messages”. designers argue that eliminating such requirements robustness. Chosen plaintexts, chosen ciphertexts, chosen message numbers. Consensus: Unacceptable to blame the user. ciphers must be safe against chosen-plaintext attacks and against chosen-ciphertext attacks. Many users. How does security degrade with number of keys? Repeated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact for many ciphers: Leak number of shared initial blocks of plaintext. Leak xor of first non-shared block. Allow forgery under this n. Allow forgery under any n′. Software Typical culp secret branches, secret m Also, on secret m

messages. blame the user: after 220 messages”. argue that requirements robustness. plaintexts, ciphertexts, message numbers. blame the user. be safe against attacks and chosen-ciphertext attacks. Many users. How does security degrade with number of keys? Repeated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact for many ciphers: Leak number of shared initial blocks of plaintext. Leak xor of first non-shared block. Allow forgery under this n. Allow forgery under any n′. Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication

user: messages”. that requirements ers. the user. against and attacks. Many users. How does security degrade with number of keys? Repeated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact for many ciphers: Leak number of shared initial blocks of plaintext. Leak xor of first non-shared block. Allow forgery under this n. Allow forgery under any n′. Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs.

Many users. How does security degrade with number of keys? Repeated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact for many ciphers: Leak number of shared initial blocks of plaintext. Leak xor of first non-shared block. Allow forgery under this n. Allow forgery under any n′. Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs.

Many users. How does security degrade with number of keys? Repeated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact for many ciphers: Leak number of shared initial blocks of plaintext. Leak xor of first non-shared block. Allow forgery under this n. Allow forgery under any n′. Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs. Hardware side channels. Power consumption, electromagnetic radiation, etc.

Many users. How does security degrade with number of keys? Repeated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact for many ciphers: Leak number of shared initial blocks of plaintext. Leak xor of first non-shared block. Allow forgery under this n. Allow forgery under any n′. Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs. Hardware side channels. Power consumption, electromagnetic radiation, etc.

• Faults. Flip bits in computation.

Many users. How does security degrade with number of keys? Repeated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact for many ciphers: Leak number of shared initial blocks of plaintext. Leak xor of first non-shared block. Allow forgery under this n. Allow forgery under any n′. Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs. Hardware side channels. Power consumption, electromagnetic radiation, etc.

• Faults. Flip bits in computation.

Thefts and monitors. Attacker steals secret keys. Can we still protect past communication?

• users. How does security

degrade with number of keys? eated message numbers. Minimum impact: Attacker sees whether (n; m; a) is repeated. Examples of larger impact ny ciphers: number of shared initial

• f plaintext.

xor of first non-shared block. forgery under this n. forgery under any n′. Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs. Hardware side channels. Power consumption, electromagnetic radiation, etc.

• Faults. Flip bits in computation.

Thefts and monitors. Attacker steals secret keys. Can we still protect past communication? What perfo Typical p for ASICs: Low energy Low pow Low area loosely p “gate equivalents”). High throughput (bytes per Low latency very loosely

How does security number of keys? message numbers. impact: Attacker sees ) is repeated. rger impact ciphers: shared initial plaintext. non-shared block. under this n. under any n′. Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs. Hardware side channels. Power consumption, electromagnetic radiation, etc.

• Faults. Flip bits in computation.

Thefts and monitors. Attacker steals secret keys. Can we still protect past communication? What performance Typical performance for ASICs: Low energy (joules) Low power (watts). Low area (square m loosely predicted b “gate equivalents”). High throughput (bytes per second). Low latency (seconds; very loosely predicted

security eys? numbers. er sees eated. initial red block. . . Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs. Hardware side channels. Power consumption, electromagnetic radiation, etc.

• Faults. Flip bits in computation.

Thefts and monitors. Attacker steals secret keys. Can we still protect past communication? What performance is measured? Typical performance metrics for ASICs: Low energy (joules) per byte Low power (watts). Low area (square micrometers; loosely predicted by “gate equivalents”). High throughput (bytes per second). Low latency (seconds; very loosely predicted by cycles).

Software side channels. Typical culprits: secret branches, secret memory addresses. Also, on some CPUs, secret multiplication inputs. Hardware side channels. Power consumption, electromagnetic radiation, etc.

• Faults. Flip bits in computation.

Thefts and monitors. Attacker steals secret keys. Can we still protect past communication? What performance is measured? Typical performance metrics for ASICs: Low energy (joules) per byte. Low power (watts). Low area (square micrometers; loosely predicted by “gate equivalents”). High throughput (bytes per second). Low latency (seconds; very loosely predicted by cycles).

are side channels. ypical culprits: branches, memory addresses.

• n some CPUs,

multiplication inputs. are side channels. consumption, electromagnetic radiation, etc.

• ts. Flip bits in computation.

Thefts and monitors. er steals secret keys. e still protect communication? What performance is measured? Typical performance metrics for ASICs: Low energy (joules) per byte. Low power (watts). Low area (square micrometers; loosely predicted by “gate equivalents”). High throughput (bytes per second). Low latency (seconds; very loosely predicted by cycles). Similar m FPGAs and For ASICs throughput is not a useful without Parallelize

• r across

for arbitra

channels. addresses. CPUs, plication inputs. channels. consumption, radiation, etc. in computation. monitors. secret keys. rotect communication? What performance is measured? Typical performance metrics for ASICs: Low energy (joules) per byte. Low power (watts). Low area (square micrometers; loosely predicted by “gate equivalents”). High throughput (bytes per second). Low latency (seconds; very loosely predicted by cycles). Similar metrics for FPGAs and softwa For ASICs and FPGAs, throughput per se is not a useful metric without limit on area Parallelize across blo

• r across independent

for arbitrarily high

inputs. etc. computation. eys. What performance is measured? Typical performance metrics for ASICs: Low energy (joules) per byte. Low power (watts). Low area (square micrometers; loosely predicted by “gate equivalents”). High throughput (bytes per second). Low latency (seconds; very loosely predicted by cycles). Similar metrics for FPGAs and software. For ASICs and FPGAs, throughput per se is not a useful metric without limit on area (or pow Parallelize across blocks

• r across independent messages

for arbitrarily high throughput.

What performance is measured? Typical performance metrics for ASICs: Low energy (joules) per byte. Low power (watts). Low area (square micrometers; loosely predicted by “gate equivalents”). High throughput (bytes per second). Low latency (seconds; very loosely predicted by cycles). Similar metrics for FPGAs and software. For ASICs and FPGAs, throughput per se is not a useful metric without limit on area (or power). Parallelize across blocks

• r across independent messages

for arbitrarily high throughput.

What performance is measured? Typical performance metrics for ASICs: Low energy (joules) per byte. Low power (watts). Low area (square micrometers; loosely predicted by “gate equivalents”). High throughput (bytes per second). Low latency (seconds; very loosely predicted by cycles). Similar metrics for FPGAs and software. For ASICs and FPGAs, throughput per se is not a useful metric without limit on area (or power). Parallelize across blocks

• r across independent messages

for arbitrarily high throughput. Fix: measure ratio of area and throughput, i.e., product of area and time per byte.

performance is measured? ypical performance metrics ASICs: energy (joules) per byte.

• wer (watts).

rea (square micrometers; predicted by equivalents”). throughput per second). latency (seconds;

• sely predicted by cycles).

Similar metrics for FPGAs and software. For ASICs and FPGAs, throughput per se is not a useful metric without limit on area (or power). Parallelize across blocks

• r across independent messages

for arbitrarily high throughput. Fix: measure ratio of area and throughput, i.e., product of area and time per byte. What op Authenticate encrypt Cost per far below Send valid data, or “Encrypt cost of decryption

rmance is measured? rmance metrics (joules) per byte. atts). re micrometers; by equivalents”). throughput second). (seconds; redicted by cycles). Similar metrics for FPGAs and software. For ASICs and FPGAs, throughput per se is not a useful metric without limit on area (or power). Parallelize across blocks

• r across independent messages

for arbitrarily high throughput. Fix: measure ratio of area and throughput, i.e., product of area and time per byte. What operations a Authenticate only encrypt and authenticate? Cost per byte of a far below cost per Send valid data, data, or receive invalid “Encrypt then MA cost of decryption

measured? metrics yte. icrometers; cycles). Similar metrics for FPGAs and software. For ASICs and FPGAs, throughput per se is not a useful metric without limit on area (or power). Parallelize across blocks

• r across independent messages

for arbitrarily high throughput. Fix: measure ratio of area and throughput, i.e., product of area and time per byte. What operations are measured? Authenticate only, or encrypt and authenticate? Cost per byte of a can be far below cost per byte of m Send valid data, receive valid data, or receive invalid data? “Encrypt then MAC” skips cost of decryption for forgeries.

Similar metrics for FPGAs and software. For ASICs and FPGAs, throughput per se is not a useful metric without limit on area (or power). Parallelize across blocks

• r across independent messages

for arbitrarily high throughput. Fix: measure ratio of area and throughput, i.e., product of area and time per byte. What operations are measured? Authenticate only, or encrypt and authenticate? Cost per byte of a can be far below cost per byte of m. Send valid data, receive valid data, or receive invalid data? “Encrypt then MAC” skips cost of decryption for forgeries.

Similar metrics for FPGAs and software. For ASICs and FPGAs, throughput per se is not a useful metric without limit on area (or power). Parallelize across blocks

• r across independent messages

for arbitrarily high throughput. Fix: measure ratio of area and throughput, i.e., product of area and time per byte. What operations are measured? Authenticate only, or encrypt and authenticate? Cost per byte of a can be far below cost per byte of m. Send valid data, receive valid data, or receive invalid data? “Encrypt then MAC” skips cost of decryption for forgeries. Different area targets: encryption/authentication circuit; verification/decryption circuit; circuit that can dynamically select either operation.

r metrics for FPGAs and software. ASICs and FPGAs, throughput per se a useful metric without limit on area (or power). rallelize across blocks ross independent messages rbitrarily high throughput. measure

• f area and throughput, i.e.,

duct of area and time per byte. What operations are measured? Authenticate only, or encrypt and authenticate? Cost per byte of a can be far below cost per byte of m. Send valid data, receive valid data, or receive invalid data? “Encrypt then MAC” skips cost of decryption for forgeries. Different area targets: encryption/authentication circuit; verification/decryption circuit; circuit that can dynamically select either operation. Plaintext and asso Huge impact Warning: “overhead” Cipher with can be consiste

for ware. FPGAs, se metric area (or power). across blocks endent messages high throughput. throughput, i.e., and time per byte. What operations are measured? Authenticate only, or encrypt and authenticate? Cost per byte of a can be far below cost per byte of m. Send valid data, receive valid data, or receive invalid data? “Encrypt then MAC” skips cost of decryption for forgeries. Different area targets: encryption/authentication circuit; verification/decryption circuit; circuit that can dynamically select either operation. Plaintext length and associated-data Huge impact on perfo Warning: Do not solely “overhead” of two Cipher with larger can be consistently

• wer).

messages throughput. throughput, i.e., per byte. What operations are measured? Authenticate only, or encrypt and authenticate? Cost per byte of a can be far below cost per byte of m. Send valid data, receive valid data, or receive invalid data? “Encrypt then MAC” skips cost of decryption for forgeries. Different area targets: encryption/authentication circuit; verification/decryption circuit; circuit that can dynamically select either operation. Plaintext length and associated-data length. Huge impact on performance. Warning: Do not solely compa “overhead” of two ciphers. Cipher with larger “overhead” can be consistently faster.

What operations are measured? Authenticate only, or encrypt and authenticate? Cost per byte of a can be far below cost per byte of m. Send valid data, receive valid data, or receive invalid data? “Encrypt then MAC” skips cost of decryption for forgeries. Different area targets: encryption/authentication circuit; verification/decryption circuit; circuit that can dynamically select either operation. Plaintext length and associated-data length. Huge impact on performance. Warning: Do not solely compare “overhead” of two ciphers. Cipher with larger “overhead” can be consistently faster.

What operations are measured? Authenticate only, or encrypt and authenticate? Cost per byte of a can be far below cost per byte of m. Send valid data, receive valid data, or receive invalid data? “Encrypt then MAC” skips cost of decryption for forgeries. Different area targets: encryption/authentication circuit; verification/decryption circuit; circuit that can dynamically select either operation. Plaintext length and associated-data length. Huge impact on performance. Warning: Do not solely compare “overhead” of two ciphers. Cipher with larger “overhead” can be consistently faster. Number of inputs. e.g. reduce latency by processing several AES-CBC messages in parallel. Simplest if many messages have the same length.

• perations are measured?

Authenticate only, or encrypt and authenticate? er byte of a can be elow cost per byte of m. valid data, receive valid

• r receive invalid data?

“Encrypt then MAC” skips

• f decryption for forgeries.

Different area targets: encryption/authentication circuit; verification/decryption circuit; that can dynamically select

• peration.

Plaintext length and associated-data length. Huge impact on performance. Warning: Do not solely compare “overhead” of two ciphers. Cipher with larger “overhead” can be consistently faster. Number of inputs. e.g. reduce latency by processing several AES-CBC messages in parallel. Simplest if many messages have the same length. Number Most (not expect p “expanded Warning: “agility” Cipher with can be consiste

are measured?

• nly, or

authenticate? a can be er byte of m. data, receive valid receive invalid data? MAC” skips decryption for forgeries. rgets: encryption/authentication circuit; verification/decryption circuit; dynamically select eration. Plaintext length and associated-data length. Huge impact on performance. Warning: Do not solely compare “overhead” of two ciphers. Cipher with larger “overhead” can be consistently faster. Number of inputs. e.g. reduce latency by processing several AES-CBC messages in parallel. Simplest if many messages have the same length. Number of times Most (not all) ciphers expect precomputation “expanded keys”. Warning: Do not solely “agility” of two ciphers. Cipher with better can be consistently

measured? authenticate? m. valid data? skips rgeries. circuit; circuit; dynamically select Plaintext length and associated-data length. Huge impact on performance. Warning: Do not solely compare “overhead” of two ciphers. Cipher with larger “overhead” can be consistently faster. Number of inputs. e.g. reduce latency by processing several AES-CBC messages in parallel. Simplest if many messages have the same length. Number of times a key is used. Most (not all) ciphers expect precomputation of “expanded keys”. Warning: Do not solely compa “agility” of two ciphers. Cipher with better “agility” can be consistently slower.

Plaintext length and associated-data length. Huge impact on performance. Warning: Do not solely compare “overhead” of two ciphers. Cipher with larger “overhead” can be consistently faster. Number of inputs. e.g. reduce latency by processing several AES-CBC messages in parallel. Simplest if many messages have the same length. Number of times a key is used. Most (not all) ciphers expect precomputation of “expanded keys”. Warning: Do not solely compare “agility” of two ciphers. Cipher with better “agility” can be consistently slower.

Plaintext length and associated-data length. Huge impact on performance. Warning: Do not solely compare “overhead” of two ciphers. Cipher with larger “overhead” can be consistently faster. Number of inputs. e.g. reduce latency by processing several AES-CBC messages in parallel. Simplest if many messages have the same length. Number of times a key is used. Most (not all) ciphers expect precomputation of “expanded keys”. Warning: Do not solely compare “agility” of two ciphers. Cipher with better “agility” can be consistently slower. General input scheduling. Reduce latency by processing key and nonce before seeing associated data; associated data before plaintext.

Plaintext length associated-data length. impact on performance. rning: Do not solely compare “overhead” of two ciphers. with larger “overhead” consistently faster. er of inputs. reduce latency by cessing several AES-CBC messages in parallel. Simplest if many messages the same length. Number of times a key is used. Most (not all) ciphers expect precomputation of “expanded keys”. Warning: Do not solely compare “agility” of two ciphers. Cipher with better “agility” can be consistently slower. General input scheduling. Reduce latency by processing key and nonce before seeing associated data; associated data before plaintext. Scheduling scheduling Typically to right. processing (“Incrementalit Update output when input

length ciated-data length. performance. not solely compare

• ciphers.

rger “overhead” ntly faster. inputs. latency by ral AES-CBC rallel. messages length. Number of times a key is used. Most (not all) ciphers expect precomputation of “expanded keys”. Warning: Do not solely compare “agility” of two ciphers. Cipher with better “agility” can be consistently slower. General input scheduling. Reduce latency by processing key and nonce before seeing associated data; associated data before plaintext. Scheduling within scheduling within Typically receive data to right. Reduce latency processing earlier pa (“Incrementality”: Update output efficiently when input is modified.)

length. rmance. compare ciphers. “overhead” AES-CBC messages Number of times a key is used. Most (not all) ciphers expect precomputation of “expanded keys”. Warning: Do not solely compare “agility” of two ciphers. Cipher with better “agility” can be consistently slower. General input scheduling. Reduce latency by processing key and nonce before seeing associated data; associated data before plaintext. Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.)

Number of times a key is used. Most (not all) ciphers expect precomputation of “expanded keys”. Warning: Do not solely compare “agility” of two ciphers. Cipher with better “agility” can be consistently slower. General input scheduling. Reduce latency by processing key and nonce before seeing associated data; associated data before plaintext. Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.)

Number of times a key is used. Most (not all) ciphers expect precomputation of “expanded keys”. Warning: Do not solely compare “agility” of two ciphers. Cipher with better “agility” can be consistently slower. General input scheduling. Reduce latency by processing key and nonce before seeing associated data; associated data before plaintext. Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.) Also save area if large plaintext does not need large buffer. Warning: Large ciphertext needs large buffer or analysis of security impact of releasing unverified plaintext.

er of times a key is used. (not all) ciphers precomputation of “expanded keys”. rning: Do not solely compare y” of two ciphers. with better “agility” consistently slower. General input scheduling. Reduce latency by cessing key and nonce seeing associated data; ciated data before plaintext. Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.) Also save area if large plaintext does not need large buffer. Warning: Large ciphertext needs large buffer or analysis of security impact of releasing unverified plaintext. Intermediate Higher-level long plaintext each sepa ⇒ small Do better similar featu

times a key is used. ciphers tation of ys”. not solely compare ciphers. etter “agility” ntly slower. scheduling. by and nonce associated data; before plaintext. Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.) Also save area if large plaintext does not need large buffer. Warning: Large ciphertext needs large buffer or analysis of security impact of releasing unverified plaintext. Intermediate tags. Higher-level protocol long plaintext into each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into

is used. compare y” er. scheduling. data; plaintext. Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.) Also save area if large plaintext does not need large buffer. Warning: Large ciphertext needs large buffer or analysis of security impact of releasing unverified plaintext. Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher?

Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.) Also save area if large plaintext does not need large buffer. Warning: Large ciphertext needs large buffer or analysis of security impact of releasing unverified plaintext. Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher?

Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.) Also save area if large plaintext does not need large buffer. Warning: Large ciphertext needs large buffer or analysis of security impact of releasing unverified plaintext. Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher? Other operations. Single circuit for, e.g., hash and authenticated cipher; for different key sizes; etc.

Scheduling within plaintext; scheduling within ciphertext. Typically receive data from left to right. Reduce latency by processing earlier parts first. (“Incrementality”: Update output efficiently when input is modified.) Also save area if large plaintext does not need large buffer. Warning: Large ciphertext needs large buffer or analysis of security impact of releasing unverified plaintext. Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher? Other operations. Single circuit for, e.g., hash and authenticated cipher; for different key sizes; etc. Cache context. How well does the system fit into fast memory?

Scheduling within plaintext; scheduling within ciphertext. ypically receive data from left

• right. Reduce latency by

cessing earlier parts first. (“Incrementality”: date output efficiently input is modified.) save area if large plaintext not need large buffer. rning: Large ciphertext large buffer or analysis of security impact of releasing unverified plaintext. Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher? Other operations. Single circuit for, e.g., hash and authenticated cipher; for different key sizes; etc. Cache context. How well does the system fit into fast memory? Support Simplicit Cryptanalysts that are

within plaintext; within ciphertext. data from left latency by rlier parts first. y”: efficiently modified.) large plaintext rge buffer. ciphertext buffer or security impact of unverified plaintext. Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher? Other operations. Single circuit for, e.g., hash and authenticated cipher; for different key sizes; etc. Cache context. How well does the system fit into fast memory? Support for cryptanalysis Simplicity. Cryptanalysts prioritize that are easy to understand.

plaintext; ciphertext. left y first. plaintext buffer.

• f

plaintext. Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher? Other operations. Single circuit for, e.g., hash and authenticated cipher; for different key sizes; etc. Cache context. How well does the system fit into fast memory? Support for cryptanalysis Simplicity. Cryptanalysts prioritize targets that are easy to understand.

Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher? Other operations. Single circuit for, e.g., hash and authenticated cipher; for different key sizes; etc. Cache context. How well does the system fit into fast memory? Support for cryptanalysis Simplicity. Cryptanalysts prioritize targets that are easy to understand.

Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher? Other operations. Single circuit for, e.g., hash and authenticated cipher; for different key sizes; etc. Cache context. How well does the system fit into fast memory? Support for cryptanalysis Simplicity. Cryptanalysts prioritize targets that are easy to understand. Scalability. Reduced-round targets, reduced-word targets, etc.

Intermediate tags. Higher-level protocol splits long plaintext into packets, each separately authenticated. ⇒ small buffer is safe. Do better by integrating similar feature into cipher? Other operations. Single circuit for, e.g., hash and authenticated cipher; for different key sizes; etc. Cache context. How well does the system fit into fast memory? Support for cryptanalysis Simplicity. Cryptanalysts prioritize targets that are easy to understand. Scalability. Reduced-round targets, reduced-word targets, etc. Proofs. The phrase “proof of security” is almost always fraudulent. Proof says that attacks meeting certain constraints are difficult, or as difficult as another problem. Can be useful for cryptanalysts.