Introduction to symmetric crypto

How HTTPS protects connection:
- Public-key encryption system encrypts one secret message: a random 256-bit session key.
- Public-key signature system stops NSAITM attacks.
- Fast authenticated cipher uses the 256-bit session key to protect further messages.

Some cipher history

1973, and again in 1974: U.S. National Bureau of Standards solicits proposals for a Data Encryption Standard.
1975: NBS publishes IBM DES proposal. 64-bit block, 56-bit key.
1976: NSA meets Diffie and Hellman to discuss criticism. Claims “somewhere over $400,000,000” to break a DES key; “I don’t think you can tell any Congressman what’s going to be secure 25 years from now.”
1977: DES is standardized.
1977: Diffie and Hellman publish detailed design of $20,000,000 machine to break hundreds of DES keys per year.
1978: Congressional investigation into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”.
1983, 1988, 1993: Government reaffirms DES standard.
Researchers publish new cipher proposals and security analysis.
1997: U.S. National Institute of Standards and Technology (NIST, formerly NBS) calls for proposals for Advanced Encryption Standard. 128-bit block, 128/192/256-bit key.
1998: 15 AES proposals.
1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year.
1999: NIST selects five AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.
2000: NIST, advised by NSA, selects Rijndael as AES. “Security was the most important factor in the evaluation”—Really?
“Rijndael appears to offer an adequate security margin. … Serpent appears to offer a high security margin.”
2004–2008: eSTREAM competition for stream ciphers.
2007–2012: SHA-3 competition.
2013–2019: CAESAR competition.
2019–now: NISTLWC competition.
Main operations in AES:
- add round key to block;
- apply substitution box x → x^254 in F_256 to each byte in block;
- linearly mix bits across block.
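The substitution step above, as an added example that is not from the slides: x^254 in F_256 (with the AES field polynomial) is the multiplicative inverse, and the code checks that claim for every nonzero byte and then builds the full S-box. The affine step after the inversion is the standard FIPS-197 definition, not something the slide describes.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1: the polynomial defining F_256 in AES


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of F_256 (shift-and-add, reduce by AES_POLY)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result & 0xFF


def gf_pow254(x: int) -> int:
    """Compute x^254 in F_256 by square-and-multiply.

    For x != 0 the multiplicative group has order 255, so x^254 = x^-1;
    writing the inverse as a power also sends 0 to 0.
    """
    result, base, e = 1, x, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_affine(b: int) -> int:
    """AES's fixed affine step after the inversion (FIPS-197, not on the slide):
    XOR of the byte with four of its rotations, plus the constant 0x63."""
    def rotl(v: int, n: int) -> int:
        return ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def aes_sbox(x: int) -> int:
    """S-box output for one byte: inversion via x^254, then the affine step."""
    return aes_affine(gf_pow254(x))


# Full 256-entry table, as a lookup-based implementation would precompute it.
SBOX = [aes_sbox(x) for x in range(256)]


def inversion_holds() -> bool:
    """Check the slide's claim: for every nonzero x, x * x^254 = 1 in F_256."""
    return all(gf_mul(x, gf_pow254(x)) == 1 for x in range(1, 256))


def is_permutation() -> bool:
    """A substitution box must be invertible, i.e. a permutation of 0..255."""
    return sorted(SBOX) == list(range(256))


if __name__ == "__main__":
    assert inversion_holds() and is_permutation()
    # Known FIPS-197 values: S(0x00)=0x63, S(0x01)=0x7c, S(0x53)=0xed
    print(hex(SBOX[0x00]), hex(SBOX[0x01]), hex(SBOX[0x53]))
```

The `SBOX` table indexed by a secret byte is exactly the kind of fast software implementation the later slide warns can leak secrets through timing; constant-time implementations compute the inversion arithmetically instead of looking it up.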
Extensive security analysis. Even in a post-quantum world, no serious threats to AES-256 in a strong security model, “multi-target SPRP security”.
So why isn’t AES-256 the end of the symmetric-crypto story?
. . .
AES performance seems limited in both hardware and software by small 128-bit block size, heavy S-box design strategy.
AES software ecosystem is complicated and dangerous. Fast software implementations of S-box often leak secrets through timing.
Picture is worse for high-security authenticated ciphers. 128-bit block size limits “PRF” security. Workarounds are hard to audit.
ChaCha creates safe systems with much less work than AES.
More examples of how symmetric primitives have been improving speed, simplicity, security: PRESENT is better than DES. Skinny is better than Simon and Speck. Keccak, BLAKE2, Ascon are better than MD5, SHA-0, SHA-1, SHA-256, SHA-512.
Authentication details

Standardize a prime p = 1000003.
Assume sender knows independent uniform random secrets r_1, r_2, …, r_5 ∈ {0, 1, …, 999999} and s_1, …, s_100 ∈ {0, 1, …, 999999}.
Assume receiver knows the same secrets r_1, r_2, …, r_5, s_1, …, s_100.
Later: Sender wants to send 100 messages m_1, …, m_100, each m_n having 5 components m_{n,1}, m_{n,2}, m_{n,3}, m_{n,4}, m_{n,5} with m_{n,i} ∈ {0, 1, …, 999999}.
SLIDE 77
15
Authentication details Standardize a prime p = 1000003. Assume sender knows independent uniform random secrets r1 ∈ {0; 1; : : : ; 999999}, r2 ∈ {0; 1; : : : ; 999999}, . . . r5 ∈ {0; 1; : : : ; 999999}, s1 ∈ {0; 1; : : : ; 999999}, . . . s100 ∈ {0; 1; : : : ; 999999}.
16
Assume receiver knows the same secrets r1; r2; : : : ; r5; s1; : : : ; s100. Later: Sender wants to send 100 messages m1; : : : ; m100, each mn having 5 components mn;1; mn;2; mn;3; mn;4; mn;5 with mn;i ∈ {0; 1; : : : ; 999999}. Sender transmits 30-digit mn;1; mn;2; mn;3; mn;4; mn;5 together with an authenticator (mn;1r1 + · · · + mn;5r5 mod p) + sn mod 1000000 and the message number n.
SLIDE 78
15
Authentication details Standardize a prime p = 1000003. Assume sender knows independent random secrets 0; 1; : : : ; 999999}, 0; 1; : : : ; 999999}, 0; 1; : : : ; 999999}, 0; 1; : : : ; 999999}, {0; 1; : : : ; 999999}.
16
Assume receiver knows the same secrets r1; r2; : : : ; r5; s1; : : : ; s100. Later: Sender wants to send 100 messages m1; : : : ; m100, each mn having 5 components mn;1; mn;2; mn;3; mn;4; mn;5 with mn;i ∈ {0; 1; : : : ; 999999}. Sender transmits 30-digit mn;1; mn;2; mn;3; mn;4; mn;5 together with an authenticator (mn;1r1 + · · · + mn;5r5 mod p) + sn mod 1000000 and the message number n. e.g. r1 = r3 = 979323 r5 = 338327 m10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵
SLIDE 79
15
details rime p = 1000003. knows independent secrets 999999}, 999999}, 999999}, 999999}, 999999}.
16
Assume receiver knows the same secrets r1; r2; : : : ; r5; s1; : : : ; s100. Later: Sender wants to send 100 messages m1; : : : ; m100, each mn having 5 components mn;1; mn;2; mn;3; mn;4; mn;5 with mn;i ∈ {0; 1; : : : ; 999999}. Sender transmits 30-digit mn;1; mn;2; mn;3; mn;4; mn;5 together with an authenticator (mn;1r1 + · · · + mn;5r5 mod p) + sn mod 1000000 and the message number n. e.g. r1 = 314159, r r3 = 979323, r4 = r5 = 338327, s10 = m10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵
SLIDE 80
15
1000003. independent
16
Assume receiver knows the same secrets r1; r2; : : : ; r5; s1; : : : ; s100. Later: Sender wants to send 100 messages m1; : : : ; m100, each mn having 5 components mn;1; mn;2; mn;3; mn;4; mn;5 with mn;i ∈ {0; 1; : : : ; 999999}. Sender transmits 30-digit mn;1; mn;2; mn;3; mn;4; mn;5 together with an authenticator (mn;1r1 + · · · + mn;5r5 mod p) + sn mod 1000000 and the message number n. e.g. r1 = 314159, r2 = 265358 r3 = 979323, r4 = 846264, r5 = 338327, s10 = 950288, m10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵
SLIDE 81
16
Assume receiver knows the same secrets r1; r2; : : : ; r5; s1; : : : ; s100. Later: Sender wants to send 100 messages m1; : : : ; m100, each mn having 5 components mn;1; mn;2; mn;3; mn;4; mn;5 with mn;i ∈ {0; 1; : : : ; 999999}. Sender transmits 30-digit mn;1; mn;2; mn;3; mn;4; mn;5 together with an authenticator (mn;1r1 + · · · + mn;5r5 mod p) + sn mod 1000000 and the message number n.
17
e.g. $r_1 = 314159$, $r_2 = 265358$, $r_3 = 979323$, $r_4 = 846264$, $r_5 = 338327$, $s_{10} = 950288$, $m_{10}$ = 000006 000007 000000 000000 000000:

Sender computes authenticator $(6 r_1 + 7 r_2 \bmod p) + s_{10} \bmod 1000000 = (6 \cdot 314159 + 7 \cdot 265358 \bmod 1000003) + 950288 \bmod 1000000 = 742451 + 950288 \bmod 1000000 = 692739$.

Sender transmits 10 000006 000007 000000 000000 000000 692739.
18
A MAC using fewer secrets

Instead of choosing independent $r_1, r_2, \ldots, r_5, s_1, \ldots, s_{100}$, choose $r, s_1, s_2, \ldots, s_{100}$.

Sender transmits the 30-digit $m_{n,1}, m_{n,2}, m_{n,3}, m_{n,4}, m_{n,5}$ together with an authenticator $(m_{n,1} r + \cdots + m_{n,5} r^5 \bmod p) + s_n \bmod 1000000$ and the message number $n$.

I.e.: take $r_i = r^i$ in the previous $(m_{n,1} r_1 + \cdots + m_{n,5} r_5 \bmod p) + s_n \bmod 1000000$.
19
e.g. $r = 314159$, $s_{10} = 265358$, $m_{10}$ = 000006 000007 000000 000000 000000:

Sender computes authenticator $(6 r + 7 r^2 \bmod p) + s_{10} \bmod 1000000 = (6 \cdot 314159 + 7 \cdot 314159^2 \bmod 1000003) + 265358 \bmod 1000000 = 953311 + 265358 \bmod 1000000 = 218669$.

Sender transmits authenticated message 10 000006 000007 000000 000000 000000 218669.
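The two toy authenticators from the slides above (five independent $r_i$, then a single $r$ with $r_i = r^i$), as an added worked example in Python that is not part of the slides. The function names, the wire-format helper and the receiver-side check are my own; the numbers are the slides' sample values, used here as constructed input.

```python
# Added example (not from the slides): the two toy authenticators from the
# slides, computed and verified with the slides' own sample values.
import hmac

P = 1000003          # the prime standardized on the slides
TAG_MOD = 1000000    # authenticators are reduced to six decimal digits


def authenticator_independent(m, r, s_n):
    """Slide-16 MAC: five independent secrets r1..r5 plus a per-message secret s_n.
    m and r are 5-element sequences of integers in {0, ..., 999999}."""
    if len(m) != 5 or len(r) != 5:
        raise ValueError("message and key must have 5 components")
    inner = sum(mi * ri for mi, ri in zip(m, r)) % P
    return (inner + s_n) % TAG_MOD


def poly_eval(m, x):
    """m(x) = m[0]*x + m[1]*x^2 + ... + m[4]*x^5 mod p (no constant term).
    Horner's rule from the top coefficient down, then one extra multiply by x."""
    acc = 0
    for coeff in reversed(m):
        acc = (acc * x + coeff) % P
    return acc * x % P


def authenticator_poly(m, r, s_n):
    """Slide-18 MAC: one secret r, with r_i = r^i."""
    return (poly_eval(m, r) + s_n) % TAG_MOD


def encode_message(n, m, tag):
    """Wire format from the slides: message number, five 6-digit components, 6-digit tag."""
    return f"{n} " + " ".join(f"{mi:06d}" for mi in m) + f" {tag:06d}"


def verify_poly(wire, r, s):
    """Receiver side for the single-r MAC: recompute the authenticator for message
    number n and compare. s maps message numbers to the per-message secrets s_n."""
    fields = wire.split()
    n = int(fields[0])
    m = [int(f) for f in fields[1:6]]
    tag = fields[6]
    expected = f"{authenticator_poly(m, r, s[n]):06d}"
    # compare_digest does not leak the position of the first differing digit
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    r5 = [314159, 265358, 979323, 846264, 338327]   # slide-17 values
    m10 = [6, 7, 0, 0, 0]
    print(encode_message(10, m10, authenticator_independent(m10, r5, 950288)))
    print(encode_message(10, m10, authenticator_poly(m10, 314159, 265358)))
```

The receiver's check recomputes the tag from its own copy of the secrets; rejecting on mismatch is the whole defence, so the comparison is done with `hmac.compare_digest` rather than `==`.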
20
Security analysis

Attacker's goal: find $n', m', a'$ such that $m' \ne m_{n'}$ but $a' = (m'(r) \bmod p) + s_{n'} \bmod 1000000$. Here $m'(x) = \sum_i m'[i]\, x^i$.

Obvious attack: choose any $m' \ne m_1$. Choose uniform random $a'$. Success chance $1/1000000$. Can repeat attack. Each forgery has chance $1/1000000$ of being accepted.
21
More subtle attack: choose $m' \ne m_1$ so that the polynomial $m'(x) - m_1(x)$ has 5 distinct roots $x \in \{0, 1, \ldots, 999999\}$ modulo $p$. Choose $a' = a_1$.

e.g. $m_1 = (100, 0, 0, 0, 0)$, $m' = (125, 1, 0, 0, 1)$: $m'(x) - m_1(x) = x^5 + x^2 + 25x$, which has five roots mod $p$: $0, 299012, 334447, 631403, 735144$. Success chance $5/1000000$.
22
Actually, success chance can be above $5/1000000$.

Example: if $m_1(334885) \bmod p \in \{1000000, 1000001, 1000002\}$ then a forgery $(1, m', a_1)$ with $m'(x) = m_1(x) + x^5 + x^2 + 25x$ also succeeds for $r = 334885$; success chance $6/1000000$. Reason: 334885 is a root of $m'(x) - m_1(x) + 1000000$.

Can have as many as 15 roots of $(m'(x) - m_1(x)) \cdot (m'(x) - m_1(x) + 1000000) \cdot (m'(x) - m_1(x) - 1000000)$.
23
Do better by varying $a'$? No. Easy to prove: every choice of $(n', m', a')$ with $m' \ne m_{n'}$ has chance $\le 15/1000000$ of being accepted by the receiver.

Underlying fact: $\le 15$ roots of $(m'(x) - m_1(x) - a' + a_1) \cdot (m'(x) - m_1(x) - a' + a_1 + 10^6) \cdot (m'(x) - m_1(x) - a' + a_1 - 10^6)$.

Warning: very easy to break the oversimplified authenticator $(m_n[1] + \cdots + m_n[5] r^4 \bmod p) + s_n \bmod 1000000$: solve $m'(x) - m_1(x) = a' - a_1$.
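The security analysis on slides 20 to 23 can be checked numerically for the toy parameters, because $r$ ranges over only $10^6$ values. The following is an added example, not part of the slides: it counts, for the slide-21 forgery $(1, m', a_1)$ with $m_1 = (100, 0, 0, 0, 0)$ and $m' = (125, 1, 0, 0, 1)$, exactly how many secrets $r$ would make the receiver accept, and so measures the forgery's success chance against the $15/1000000$ bound. The function names are my own; `delta` is the attacker's shift $a' - a_1$, which the slides show does not help.

```python
# Added example (not from the slides): numerical check of the slides' forgery
# analysis for the single-r toy MAC. A message is the list of its five
# components, read as the polynomial m(x) = m[0] x + m[1] x^2 + ... + m[4] x^5.
P = 1000003        # prime from the slides
TAG_MOD = 1000000  # authenticator is the sum reduced to six digits


def poly_eval(m, x):
    """m(x) mod p by Horner's rule; the final multiply by x reflects the
    missing constant term (the lowest component multiplies x, not 1)."""
    acc = 0
    for coeff in reversed(m):
        acc = (acc * x + coeff) % P
    return acc * x % P


def is_accepted(m_forged, m_real, r, delta=0):
    """Would the receiver accept the forgery (1, m', a_1 + delta) for secret r?
    a_1 = (m_1(r) mod p) + s_1 mod 10^6, so s_1 cancels and the check reduces to
    (m_1(r) mod p) + delta == (m'(r) mod p)  (mod 10^6).
    The two 'mod p' reductions are what lets roots of the +-10^6 shifted
    difference polynomials slip through, hence the 15-root bound."""
    real = poly_eval(m_real, r)
    forged = poly_eval(m_forged, r)
    return (real + delta - forged) % TAG_MOD == 0


def accepting_r_count(m_forged, m_real, delta=0):
    """Exact number of r in {0, ..., 999999} for which the forgery is accepted.
    Divided by 10^6 this is the forgery's success chance over a uniform r;
    the slide-23 argument says it can never exceed 3 * 5 = 15."""
    return sum(1 for r in range(TAG_MOD) if is_accepted(m_forged, m_real, r, delta))


if __name__ == "__main__":
    m1 = [100, 0, 0, 0, 0]        # slide-21 values
    m_forged = [125, 1, 0, 0, 1]  # m'(x) - m_1(x) = x^5 + x^2 + 25x
    count = accepting_r_count(m_forged, m1)
    print(f"accepting r values: {count} of {TAG_MOD}, bound 15")
```

The brute-force count takes a few seconds in CPython; it is only feasible because the toy MAC has a six-digit key space. For Poly1305 the same argument is carried out symbolically, as slide 24 does, since enumerating $r$ is out of reach.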
24
Scaled up for serious security: Poly1305 uses 128-bit $r$'s, with 22 bits cleared for speed. Adds $s_n \bmod 2^{128}$.

Assuming $\le L$-byte messages: each forgery succeeds for $\le 8\lceil L/16 \rceil$ choices of $r$. Probability $\le 8\lceil L/16 \rceil / 2^{106}$. $D$ forgeries are all rejected with probability $\ge 1 - 8D\lceil L/16 \rceil / 2^{106}$.

e.g. $2^{64}$ forgeries, $L = 1536$: $\Pr[\text{all rejected}] \ge 0.9999999998$.
25
Authenticator is still secure for variable-length messages, if different messages are different polynomials mod $p$.

Split string into 16-byte chunks, maybe with smaller final chunk; append 1 to each chunk; view as little-endian integers in $\{1, 2, 3, \ldots, 2^{129}\}$. Multiply first chunk by $r$, add next chunk, multiply by $r$, etc., last chunk, multiply by $r$, mod $2^{130} - 5$, add $s_n \bmod 2^{128}$.
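Poly1305 as slide 25 describes it, in Python, as an added example that is not part of the slides: chunking with the appended 1 byte, the Horner evaluation mod $2^{130} - 5$, the addition of $s$ mod $2^{128}$, the mask that clears the 22 bits of $r$ mentioned on slide 24, a constant-time verify, and the slide-24 rejection bound. The function names are my own. The test vector it is checked against is the one published in RFC 8439, section 2.5.2 (key `85d6be78...f51b`, message "Cryptographic Forum Research Group").

```python
# Added example (not from the slides): Poly1305 as described on slide 25,
# plus the slide-24 rejection bound. Checked against the RFC 8439 2.5.2 vector.
import hmac
from fractions import Fraction

P1305 = (1 << 130) - 5
# The 22 bits "cleared for speed": the top 4 bits of each of the four 32-bit
# words of r, and the low 2 bits of the upper three words (RFC 8439 clamping).
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """One-time authenticator: key is r (16 bytes) || s (16 bytes), both little-endian."""
    if len(key) != 32:
        raise ValueError("Poly1305 key is r (16 bytes) || s (16 bytes)")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    # Split into 16-byte chunks (the final one may be shorter), append a 1 byte,
    # read as a little-endian integer in {1, ..., 2^129}, then Horner:
    # acc = (acc + chunk) * r mod 2^130 - 5.
    for i in range(0, len(msg), 16):
        chunk = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + chunk) * r % P1305
    tag = (acc + s) % (1 << 128)
    return tag.to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare without leaking the mismatch position."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)


def forgery_bound(max_len_bytes: int, forgeries: int) -> Fraction:
    """Slide-24 bound: all D forgeries on <= L-byte messages are rejected with
    probability >= 1 - 8 * D * ceil(L/16) / 2^106 (exact rational arithmetic)."""
    blocks = -(-max_len_bytes // 16)  # ceil(L / 16)
    return 1 - Fraction(8 * forgeries * blocks, 1 << 106)


if __name__ == "__main__":
    key = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
    msg = b"Cryptographic Forum Research Group"
    print(poly1305_mac(key, msg).hex())
    print(float(forgery_bound(1536, 1 << 64)))
```

The key here is a one-time key: as on the slides, $s_n$ changes per message, and in the ChaCha20-Poly1305 construction of RFC 8439 the whole 32-byte $(r, s)$ pair is derived afresh from the session key and nonce for each message.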