introduction to symmetric crypto d j bernstein how https
play

Introduction to symmetric crypto D. J. Bernstein How HTTPS protects - PDF document

Dec 17, 2023 •386 likes •1.03k views

1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key encryption system encrypts one secret message: a random 256-bit session key. Public-key signature system stops NSAITM attacks. Fast

  1. 1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: • Public-key encryption system encrypts one secret message: a random 256-bit session key. • Public-key signature system stops NSAITM attacks. • Fast authenticated cipher uses the 256-bit session key to protect further messages.

  2. 2 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard.

  3. 2 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard. 1975: NBS publishes IBM DES proposal. 64-bit block, 56-bit key.

  4. 2 Some cipher history 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard. 1975: NBS publishes IBM DES proposal. 64-bit block, 56-bit key. 1976: NSA meets Diffie and Hellman to discuss criticism. Claims “somewhere over $400,000,000” to break a DES key; “I don’t think you can tell any Congressman what’s going to be secure 25 years from now.”

  5. 3 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20,000,000 machine to break hundreds of DES keys per year.

  6. 3 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20,000,000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”.

  7. 3 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20,000,000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”. 1983, 1988, 1993: Government reaffirms DES standard.

  8. 3 1977: DES is standardized. 1977: Diffie and Hellman publish detailed design of $20,000,000 machine to break hundreds of DES keys per year. 1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”. 1983, 1988, 1993: Government reaffirms DES standard. Researchers publish new cipher proposals and security analysis.

  9. 4 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key.

  10. 4 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals.

  11. 4 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals. 1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year.

  12. 4 1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals. 1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year. 1999: NIST selects five AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.

  13. 5 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really?

  14. 5 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.”

  15. 5 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers.

  16. 5 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers. 2007–2012: SHA-3 competition.

  17. 5 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers. 2007–2012: SHA-3 competition. 2013–2019: CAESAR competition.

  18. 5 2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really? “Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers. 2007–2012: SHA-3 competition. 2013–2019: CAESAR competition. 2019–now: NISTLWC competition.

  19. 6 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block.

  20. 6 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block. Extensive security analysis. Even in a post-quantum world, no serious threats to AES-256 in a strong security model, “multi-target SPRP security”.

  21. 6 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block. Extensive security analysis. Even in a post-quantum world, no serious threats to AES-256 in a strong security model, “multi-target SPRP security”. So why isn’t AES-256 the end of the symmetric-crypto story?

  22. 7

  23. 8

  24. 9

  25. 10

  26. 11

  27. 12 . . .

  28. 13 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy.

  29. 13 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing.

  30. 13 AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing. Picture is worse for high-security authenticated ciphers. 128-bit block size limits “PRF” security. Workarounds are hard to audit.

  31. 14 ChaCha creates safe systems with much less work than AES.

  32. 14 ChaCha creates safe systems with much less work than AES. More examples of how symmetric primitives have been improving speed, simplicity, security: PRESENT is better than DES. Skinny is better than Simon and Speck. Keccak, BLAKE2, Ascon are better than MD5, SHA-0, SHA-1, SHA-256, SHA-512.

  33. 15 Authentication details Standardize a prime p = 1000003. Assume sender knows independent uniform random secrets r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . s 100 ∈ { 0 ; 1 ; : : : ; 999999 } .

  34. 16 Assume receiver knows the same secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 .

  35. 16 Assume receiver knows the same secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . Later: Sender wants to send 100 messages m 1 ; : : : ; m 100 , each m n having 5 components m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } .

  36. 16 Assume receiver knows the same secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . Later: Sender wants to send 100 messages m 1 ; : : : ; m 100 , each m n having 5 components m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . Sender transmits 30-digit m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 together with an authenticator ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) + s n mod 1000000 and the message number n .

  37. 17 e.g. r 1 = 314159, r 2 = 265358, r 3 = 979323, r 4 = 846264, r 5 = 338327, s 10 = 950288, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ :

  38. 17 e.g. r 1 = 314159, r 2 = 265358, r 3 = 979323, r 4 = 846264, r 5 = 338327, s 10 = 950288, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Sender computes authenticator (6 r 1 + 7 r 2 mod p ) + s 10 mod 1000000 = (6 · 314159 + 7 · 265358 mod 1000003) + 950288 mod 1000000 = 742451 + 950288 mod 1000000 = 692739.

  39. 17 e.g. r 1 = 314159, r 2 = 265358, r 3 = 979323, r 4 = 846264, r 5 = 338327, s 10 = 950288, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Sender computes authenticator (6 r 1 + 7 r 2 mod p ) + s 10 mod 1000000 = (6 · 314159 + 7 · 265358 mod 1000003) + 950288 mod 1000000 = 742451 + 950288 mod 1000000 = 692739. Sender transmits ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client servers ciphertext C 0 public key S Internet Public-key crypto ciphertext C 0 servers same k secret key s server

916 views • 80 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

2.03k views • 175 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University

Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University

Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University of Illinois at Chicago & BEAST CBC attack. Technische Universiteit Eindhoven Trustwave HTTPS interception. CRIME compression attack. Lucky 13

1.3k views • 128 slides
Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

799 views • 61 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo

Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo

Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo Research Professor, to handle Internet mail; University of Illinois at Chicago tinydns , used by Facebook Hoogleraar, to publish server

625 views • 43 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC project QUASYModo FSE 2019 Paris - March 26 2019 Preliminaries... No quantum knowledge needed for following this talk Outline Introduction

882 views • 72 slides
Boring crypto Daniel J. Bernstein University of Illinois at Chicago & Technische

Boring crypto Daniel J. Bernstein University of Illinois at Chicago & Technische

Boring crypto Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Ancient Chinese curse: May you live in interesting times, so that you have many papers to write. Related mailing list:

871 views • 57 slides
Cleaning up crypto D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U.

Cleaning up crypto D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U.

Cleaning up crypto D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U. Eindhoven Joint work with: Peter Schwabe, R. U. Nijmegen http://xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards. Obviously

844 views • 52 slides
NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja

NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja

NaCl: a new crypto library D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U. Eindhoven Joint work with: Peter Schwabe, R. U. Nijmegen xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards. Obviously

874 views • 50 slides
Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Terrorist in Hong Kong prepares to throw deadly weapon at Chinese government workers. Image credit: Reuters.

739 views • 54 slides
Roo2ng SIM cards The SRLabs Team SRLabs Template v12 SIM

Roo2ng SIM cards The SRLabs Team SRLabs Template v12 SIM

Roo2ng SIM cards The SRLabs Team SRLabs Template v12 SIM cards are fully programmable computer systems Applica'ons on modern SIM card Smartcard with

1k views • 21 slides
DTTF/NB479: Dszquphsbqiz Day 12 Announcements: Homework 2 returned Monday: Written

DTTF/NB479: Dszquphsbqiz Day 12 Announcements: Homework 2 returned Monday: Written

DTTF/NB479: Dszquphsbqiz Day 12 Announcements: Homework 2 returned Monday: Written (concept and small calculations) exam on breaking ch 2 ciphers HW 3 due date pushed back to Tuesday Next 2 weeks: Data Encryption Standard (DES)

358 views • 11 slides
HOST DES ECE 495/595 DES Block Cipher DES: A remarkable well-engineered algorithm, thats old

HOST DES ECE 495/595 DES Block Cipher DES: A remarkable well-engineered algorithm, thats old

HOST DES ECE 495/595 DES Block Cipher DES: A remarkable well-engineered algorithm, thats old but had a powerful influ- ence on cryptography (still used in ATM machines) In 1972, NBS (now NIST) solicited for an encryption algorithm -- IBM

320 views • 4 slides
Annou ouncem cements ts Homework 1 is released Available on the course website Due

Annou ouncem cements ts Homework 1 is released Available on the course website Due

Annou ouncem cements ts Homework 1 is released Available on the course website Due in two weeks : 10/22/19 11:59pm Submit through GradeScope TA Sam gave a tutorial last Wednesday 1 Lecture 4 Encryption II Suggested

560 views • 34 slides
DES in 10 minutes DES in 7 minutes, Balrog in 3 minutes Megan Splettstoesser Fermilab New

DES in 10 minutes DES in 7 minutes, Balrog in 3 minutes Megan Splettstoesser Fermilab New

FERMILAB-SLIDES-18-099-E DES in 10 minutes DES in 7 minutes, Balrog in 3 minutes Megan Splettstoesser Fermilab New Perspectives June 18, 2018 This document was prepared by [DES Collaboration] using the resources of the Fermi National

506 views • 28 slides
6.2 Series solutions about ordinary points a lesson for MATH F302 Differential Equations Ed

6.2 Series solutions about ordinary points a lesson for MATH F302 Differential Equations Ed

6.2 Series solutions about ordinary points a lesson for MATH F302 Differential Equations Ed Bueler, Dept. of Mathematics and Statistics, UAF March 5, 2019 for textbook: D. Zill, A First Course in Differential Equations with Modeling Applications

291 views • 17 slides
Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative systems,

495 views • 27 slides
Developmental Evaluations March 2020 This presentation is made possible by the support of the

Developmental Evaluations March 2020 This presentation is made possible by the support of the

Evaluation Caf: A Study of Three Developmental Evaluations March 2020 This presentation is made possible by the support of the American People through the United States Agency for International Development (USAID.) The contents of this

429 views • 28 slides

More recommend