introduction to symmetric crypto some cipher history d j
play

Introduction to symmetric crypto Some cipher history D. J. - PowerPoint PPT Presentation

Jan 14, 2023 •345 likes •1.67k views

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

  1. 3 4 1977: DES is standardized. 1997: U.S. National Institute of Standards and Technology 1977: Diffie and Hellman (NIST, formerly NBS) calls publish detailed design of for proposals for Advanced $20,000,000 machine to break Encryption Standard. 128-bit hundreds of DES keys per year. block, 128/192/256-bit key. 1978: Congressional investigation 1998: 15 AES proposals. into NSA influence concludes “NSA convinced IBM that a reduced key size was sufficient”. 1983, 1988, 1993: Government reaffirms DES standard. Researchers publish new cipher proposals and security analysis.

  2. 3 4 1977: DES is standardized. 1997: U.S. National Institute of Standards and Technology 1977: Diffie and Hellman (NIST, formerly NBS) calls publish detailed design of for proposals for Advanced $20,000,000 machine to break Encryption Standard. 128-bit hundreds of DES keys per year. block, 128/192/256-bit key. 1978: Congressional investigation 1998: 15 AES proposals. into NSA influence concludes “NSA convinced IBM that a 1998: EFF builds “Deep Crack” reduced key size was sufficient”. for under $250000 to break hundreds of DES keys per year. 1983, 1988, 1993: Government reaffirms DES standard. Researchers publish new cipher proposals and security analysis.

  3. 3 4 1977: DES is standardized. 1997: U.S. National Institute of Standards and Technology 1977: Diffie and Hellman (NIST, formerly NBS) calls publish detailed design of for proposals for Advanced $20,000,000 machine to break Encryption Standard. 128-bit hundreds of DES keys per year. block, 128/192/256-bit key. 1978: Congressional investigation 1998: 15 AES proposals. into NSA influence concludes “NSA convinced IBM that a 1998: EFF builds “Deep Crack” reduced key size was sufficient”. for under $250000 to break hundreds of DES keys per year. 1983, 1988, 1993: Government reaffirms DES standard. 1999: NIST selects five AES finalists: MARS, RC6, Researchers publish new cipher Rijndael, Serpent, Twofish. proposals and security analysis.

  4. 3 4 DES is standardized. 1997: U.S. National Institute 2000: NIST, of Standards and Technology selects Rijnd Diffie and Hellman (NIST, formerly NBS) calls detailed design of “Security for proposals for Advanced $20,000,000 machine to break factor in Encryption Standard. 128-bit hundreds of DES keys per year. block, 128/192/256-bit key. Congressional investigation 1998: 15 AES proposals. NSA influence concludes convinced IBM that a 1998: EFF builds “Deep Crack” reduced key size was sufficient”. for under $250000 to break hundreds of DES keys per year. 1988, 1993: Government reaffirms DES standard. 1999: NIST selects five AES finalists: MARS, RC6, rchers publish new cipher Rijndael, Serpent, Twofish. osals and security analysis.

  5. 3 4 standardized. 1997: U.S. National Institute 2000: NIST, advised of Standards and Technology selects Rijndael as Hellman (NIST, formerly NBS) calls design of “Security was the for proposals for Advanced machine to break factor in the evaluation”—Really? Encryption Standard. 128-bit keys per year. block, 128/192/256-bit key. Congressional investigation 1998: 15 AES proposals. influence concludes IBM that a 1998: EFF builds “Deep Crack” was sufficient”. for under $250000 to break hundreds of DES keys per year. 1993: Government standard. 1999: NIST selects five AES finalists: MARS, RC6, publish new cipher Rijndael, Serpent, Twofish. ecurity analysis.

  6. 3 4 rdized. 1997: U.S. National Institute 2000: NIST, advised by NSA, of Standards and Technology selects Rijndael as AES. (NIST, formerly NBS) calls “Security was the most impo for proposals for Advanced reak factor in the evaluation”—Really? Encryption Standard. 128-bit year. block, 128/192/256-bit key. investigation 1998: 15 AES proposals. concludes a 1998: EFF builds “Deep Crack” sufficient”. for under $250000 to break hundreds of DES keys per year. Government 1999: NIST selects five AES finalists: MARS, RC6, cipher Rijndael, Serpent, Twofish. analysis.

  7. 4 5 1997: U.S. National Institute 2000: NIST, advised by NSA, of Standards and Technology selects Rijndael as AES. (NIST, formerly NBS) calls “Security was the most important for proposals for Advanced factor in the evaluation”—Really? Encryption Standard. 128-bit block, 128/192/256-bit key. 1998: 15 AES proposals. 1998: EFF builds “Deep Crack” for under $250000 to break hundreds of DES keys per year. 1999: NIST selects five AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.

  8. 4 5 1997: U.S. National Institute 2000: NIST, advised by NSA, of Standards and Technology selects Rijndael as AES. (NIST, formerly NBS) calls “Security was the most important for proposals for Advanced factor in the evaluation”—Really? Encryption Standard. 128-bit “Rijndael appears to offer an block, 128/192/256-bit key. adequate security margin. : : : 1998: 15 AES proposals. Serpent appears to offer a 1998: EFF builds “Deep Crack” high security margin.” for under $250000 to break hundreds of DES keys per year. 1999: NIST selects five AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.

  9. 4 5 1997: U.S. National Institute 2000: NIST, advised by NSA, of Standards and Technology selects Rijndael as AES. (NIST, formerly NBS) calls “Security was the most important for proposals for Advanced factor in the evaluation”—Really? Encryption Standard. 128-bit “Rijndael appears to offer an block, 128/192/256-bit key. adequate security margin. : : : 1998: 15 AES proposals. Serpent appears to offer a 1998: EFF builds “Deep Crack” high security margin.” for under $250000 to break 2004–2008: eSTREAM hundreds of DES keys per year. competition for stream ciphers. 1999: NIST selects five AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.

  10. 4 5 1997: U.S. National Institute 2000: NIST, advised by NSA, of Standards and Technology selects Rijndael as AES. (NIST, formerly NBS) calls “Security was the most important for proposals for Advanced factor in the evaluation”—Really? Encryption Standard. 128-bit “Rijndael appears to offer an block, 128/192/256-bit key. adequate security margin. : : : 1998: 15 AES proposals. Serpent appears to offer a 1998: EFF builds “Deep Crack” high security margin.” for under $250000 to break 2004–2008: eSTREAM hundreds of DES keys per year. competition for stream ciphers. 1999: NIST selects five 2007–2012: SHA-3 competition. AES finalists: MARS, RC6, Rijndael, Serpent, Twofish.

  11. 4 5 1997: U.S. National Institute 2000: NIST, advised by NSA, of Standards and Technology selects Rijndael as AES. (NIST, formerly NBS) calls “Security was the most important for proposals for Advanced factor in the evaluation”—Really? Encryption Standard. 128-bit “Rijndael appears to offer an block, 128/192/256-bit key. adequate security margin. : : : 1998: 15 AES proposals. Serpent appears to offer a 1998: EFF builds “Deep Crack” high security margin.” for under $250000 to break 2004–2008: eSTREAM hundreds of DES keys per year. competition for stream ciphers. 1999: NIST selects five 2007–2012: SHA-3 competition. AES finalists: MARS, RC6, 2013–2019: CAESAR competition. Rijndael, Serpent, Twofish.

  12. 4 5 1997: U.S. National Institute 2000: NIST, advised by NSA, of Standards and Technology selects Rijndael as AES. (NIST, formerly NBS) calls “Security was the most important for proposals for Advanced factor in the evaluation”—Really? Encryption Standard. 128-bit “Rijndael appears to offer an block, 128/192/256-bit key. adequate security margin. : : : 1998: 15 AES proposals. Serpent appears to offer a 1998: EFF builds “Deep Crack” high security margin.” for under $250000 to break 2004–2008: eSTREAM hundreds of DES keys per year. competition for stream ciphers. 1999: NIST selects five 2007–2012: SHA-3 competition. AES finalists: MARS, RC6, 2013–2019: CAESAR competition. Rijndael, Serpent, Twofish. 2019–now: NISTLWC competition.

  13. 4 5 U.S. National Institute 2000: NIST, advised by NSA, Main op Standards and Technology selects Rijndael as AES. add round (NIST, formerly NBS) calls apply substitution “Security was the most important x �→ x 254 roposals for Advanced factor in the evaluation”—Really? Encryption Standard. 128-bit to each b “Rijndael appears to offer an 128/192/256-bit key. linearly m adequate security margin. : : : 15 AES proposals. Serpent appears to offer a EFF builds “Deep Crack” high security margin.” under $250000 to break 2004–2008: eSTREAM hundreds of DES keys per year. competition for stream ciphers. NIST selects five 2007–2012: SHA-3 competition. finalists: MARS, RC6, 2013–2019: CAESAR competition. Rijndael, Serpent, Twofish. 2019–now: NISTLWC competition.

  14. 4 5 National Institute 2000: NIST, advised by NSA, Main operations in and Technology selects Rijndael as AES. add round key to blo NBS) calls apply substitution “Security was the most important x �→ x 254 in F 256 Advanced factor in the evaluation”—Really? Standard. 128-bit to each byte in blo “Rijndael appears to offer an 128/192/256-bit key. linearly mix bits across adequate security margin. : : : roposals. Serpent appears to offer a builds “Deep Crack” high security margin.” $250000 to break 2004–2008: eSTREAM keys per year. competition for stream ciphers. selects five 2007–2012: SHA-3 competition. MARS, RC6, 2013–2019: CAESAR competition. ent, Twofish. 2019–now: NISTLWC competition.

  15. 4 5 Institute 2000: NIST, advised by NSA, Main operations in AES: ology selects Rijndael as AES. add round key to block; calls apply substitution box “Security was the most important x �→ x 254 in F 256 factor in the evaluation”—Really? 128-bit to each byte in block; “Rijndael appears to offer an ey. linearly mix bits across block. adequate security margin. : : : Serpent appears to offer a Crack” high security margin.” reak 2004–2008: eSTREAM year. competition for stream ciphers. 2007–2012: SHA-3 competition. RC6, 2013–2019: CAESAR competition. sh. 2019–now: NISTLWC competition.

  16. 5 6 2000: NIST, advised by NSA, Main operations in AES: selects Rijndael as AES. add round key to block; apply substitution box “Security was the most important x �→ x 254 in F 256 factor in the evaluation”—Really? to each byte in block; “Rijndael appears to offer an linearly mix bits across block. adequate security margin. : : : Serpent appears to offer a high security margin.” 2004–2008: eSTREAM competition for stream ciphers. 2007–2012: SHA-3 competition. 2013–2019: CAESAR competition. 2019–now: NISTLWC competition.

  17. 5 6 2000: NIST, advised by NSA, Main operations in AES: selects Rijndael as AES. add round key to block; apply substitution box “Security was the most important x �→ x 254 in F 256 factor in the evaluation”—Really? to each byte in block; “Rijndael appears to offer an linearly mix bits across block. adequate security margin. : : : Extensive security analysis. Serpent appears to offer a Even in a post-quantum world, high security margin.” no serious threats to AES-256 2004–2008: eSTREAM in a strong security model, competition for stream ciphers. “multi-target SPRP security”. 2007–2012: SHA-3 competition. 2013–2019: CAESAR competition. 2019–now: NISTLWC competition.

  18. 5 6 2000: NIST, advised by NSA, Main operations in AES: selects Rijndael as AES. add round key to block; apply substitution box “Security was the most important x �→ x 254 in F 256 factor in the evaluation”—Really? to each byte in block; “Rijndael appears to offer an linearly mix bits across block. adequate security margin. : : : Extensive security analysis. Serpent appears to offer a Even in a post-quantum world, high security margin.” no serious threats to AES-256 2004–2008: eSTREAM in a strong security model, competition for stream ciphers. “multi-target SPRP security”. 2007–2012: SHA-3 competition. So why isn’t AES-256 the end 2013–2019: CAESAR competition. of the symmetric-crypto story? 2019–now: NISTLWC competition.

  19. 5 6 NIST, advised by NSA, Main operations in AES: Rijndael as AES. add round key to block; apply substitution box “Security was the most important x �→ x 254 in F 256 in the evaluation”—Really? to each byte in block; “Rijndael appears to offer an linearly mix bits across block. adequate security margin. : : : Extensive security analysis. ent appears to offer a Even in a post-quantum world, security margin.” no serious threats to AES-256 2004–2008: eSTREAM in a strong security model, etition for stream ciphers. “multi-target SPRP security”. 2007–2012: SHA-3 competition. So why isn’t AES-256 the end 2013–2019: CAESAR competition. of the symmetric-crypto story? 2019–now: NISTLWC competition.

  20. 5 6 advised by NSA, Main operations in AES: as AES. add round key to block; apply substitution box the most important x �→ x 254 in F 256 evaluation”—Really? to each byte in block; rs to offer an linearly mix bits across block. y margin. : : : Extensive security analysis. to offer a Even in a post-quantum world, rgin.” no serious threats to AES-256 eSTREAM in a strong security model, stream ciphers. “multi-target SPRP security”. SHA-3 competition. So why isn’t AES-256 the end CAESAR competition. of the symmetric-crypto story? NISTLWC competition.

  21. 5 6 NSA, Main operations in AES: add round key to block; apply substitution box important x �→ x 254 in F 256 evaluation”—Really? to each byte in block; an linearly mix bits across block. : : : Extensive security analysis. Even in a post-quantum world, no serious threats to AES-256 in a strong security model, ciphers. “multi-target SPRP security”. etition. So why isn’t AES-256 the end competition. of the symmetric-crypto story? competition.

  22. 6 7 Main operations in AES: add round key to block; apply substitution box x �→ x 254 in F 256 to each byte in block; linearly mix bits across block. Extensive security analysis. Even in a post-quantum world, no serious threats to AES-256 in a strong security model, “multi-target SPRP security”. So why isn’t AES-256 the end of the symmetric-crypto story?

  23. 6 7 operations in AES: round key to block; substitution box 254 in F 256 each byte in block; rly mix bits across block. Extensive security analysis. in a post-quantum world, serious threats to AES-256 strong security model, “multi-target SPRP security”. why isn’t AES-256 the end symmetric-crypto story?

  24. 6 7 in AES: to block; substitution box block; across block. ecurity analysis. ost-quantum world, threats to AES-256 security model, SPRP security”. AES-256 the end symmetric-crypto story?

  25. 6 7 ck. analysis. orld, AES-256 del, security”. end story?

  26. 7 8

  27. 7 8

  28. 7 8

  29. 7 8

  30. 8 9

  31. 8 9

  32. 8 9

  33. 8 9

  34. 9 10

  35. 9 10

  36. 9 10

  37. 9 10

  38. 10 11

  39. 10 11

  40. 10 11 . . .

  41. 10 11 . . .

  42. 11 12 . . .

  43. 11 12 . AES perfo . . in both ha by small heavy S-b

  44. 11 12 . AES performance seems . . in both hardware and by small 128-bit blo heavy S-box design

  45. 11 12 . AES performance seems limited . . in both hardware and softwa by small 128-bit block size, heavy S-box design strategy.

  46. 12 13 . AES performance seems limited . . in both hardware and software by small 128-bit block size, heavy S-box design strategy.

  47. 12 13 . AES performance seems limited . . in both hardware and software by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing.

  48. 12 13 . AES performance seems limited . . in both hardware and software by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing. Picture is worse for high-security authenticated ciphers. 128-bit block size limits “PRF” security. Workarounds are hard to audit.

  49. 12 13 . AES performance seems limited ChaCha . . in both hardware and software with much by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing. Picture is worse for high-security authenticated ciphers. 128-bit block size limits “PRF” security. Workarounds are hard to audit.

  50. 12 13 . AES performance seems limited ChaCha creates safe . . in both hardware and software with much less wo by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing. Picture is worse for high-security authenticated ciphers. 128-bit block size limits “PRF” security. Workarounds are hard to audit.

  51. 12 13 AES performance seems limited ChaCha creates safe systems in both hardware and software with much less work than AES. by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing. Picture is worse for high-security authenticated ciphers. 128-bit block size limits “PRF” security. Workarounds are hard to audit.

  52. 13 14 AES performance seems limited ChaCha creates safe systems in both hardware and software with much less work than AES. by small 128-bit block size, heavy S-box design strategy. AES software ecosystem is complicated and dangerous. Fast software implementations of AES S-box often leak secrets through timing. Picture is worse for high-security authenticated ciphers. 128-bit block size limits “PRF” security. Workarounds are hard to audit.

  53. 13 14 AES performance seems limited ChaCha creates safe systems in both hardware and software with much less work than AES. by small 128-bit block size, More examples of how symmetric heavy S-box design strategy. primitives have been improving AES software ecosystem is speed, simplicity, security: complicated and dangerous. PRESENT is better than DES. Fast software implementations Skinny is better than of AES S-box often leak Simon and Speck. secrets through timing. Keccak, BLAKE2, Ascon Picture is worse for high-security are better than MD5, SHA-0, authenticated ciphers. 128-bit SHA-1, SHA-256, SHA-512. block size limits “PRF” security. Workarounds are hard to audit.

  54. 13 14 erformance seems limited ChaCha creates safe systems Authentication oth hardware and software with much less work than AES. Standardize small 128-bit block size, More examples of how symmetric Assume S-box design strategy. primitives have been improving uniform software ecosystem is speed, simplicity, security: r 1 ∈ { 0 ; 1 complicated and dangerous. PRESENT is better than DES. r 2 ∈ { 0 ; 1 software implementations . . . Skinny is better than S-box often leak r 5 ∈ { 0 ; 1 Simon and Speck. through timing. s 1 ∈ { 0 ; Keccak, BLAKE2, Ascon Picture is worse for high-security . . . are better than MD5, SHA-0, authenticated ciphers. 128-bit s 100 ∈ { 0 SHA-1, SHA-256, SHA-512. size limits “PRF” security. rounds are hard to audit.

  55. 13 14 rmance seems limited ChaCha creates safe systems Authentication details re and software with much less work than AES. Standardize a prime block size, More examples of how symmetric Assume sender kno design strategy. primitives have been improving uniform random secrets ecosystem is speed, simplicity, security: r 1 ∈ { 0 ; 1 ; : : : ; 999999 dangerous. PRESENT is better than DES. r 2 ∈ { 0 ; 1 ; : : : ; 999999 implementations . . . Skinny is better than often leak r 5 ∈ { 0 ; 1 ; : : : ; 999999 Simon and Speck. timing. s 1 ∈ { 0 ; 1 ; : : : ; 999999 Keccak, BLAKE2, Ascon for high-security . . . are better than MD5, SHA-0, ciphers. 128-bit s 100 ∈ { 0 ; 1 ; : : : ; 999999 SHA-1, SHA-256, SHA-512. “PRF” security. hard to audit.

  56. 13 14 limited ChaCha creates safe systems Authentication details ware with much less work than AES. Standardize a prime p = 1000003. size, More examples of how symmetric Assume sender knows independent strategy. primitives have been improving uniform random secrets speed, simplicity, security: r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , s. PRESENT is better than DES. r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , implementations . . . Skinny is better than r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , Simon and Speck. s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , Keccak, BLAKE2, Ascon high-security . . . are better than MD5, SHA-0, 128-bit s 100 ∈ { 0 ; 1 ; : : : ; 999999 } . SHA-1, SHA-256, SHA-512. security. audit.

  57. 14 15 ChaCha creates safe systems Authentication details with much less work than AES. Standardize a prime p = 1000003. More examples of how symmetric Assume sender knows independent primitives have been improving uniform random secrets speed, simplicity, security: r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , PRESENT is better than DES. r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . Skinny is better than r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , Simon and Speck. s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , Keccak, BLAKE2, Ascon . . . are better than MD5, SHA-0, s 100 ∈ { 0 ; 1 ; : : : ; 999999 } . SHA-1, SHA-256, SHA-512.

  58. 14 15 ChaCha creates safe systems Authentication details Assume much less work than AES. secrets r Standardize a prime p = 1000003. examples of how symmetric Assume sender knows independent rimitives have been improving uniform random secrets simplicity, security: r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , PRESENT is better than DES. r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . is better than r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , and Speck. s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , Keccak, BLAKE2, Ascon . . . etter than MD5, SHA-0, s 100 ∈ { 0 ; 1 ; : : : ; 999999 } . SHA-1, SHA-256, SHA-512.

  59. 14 15 safe systems Authentication details Assume receiver kno ork than AES. secrets r 1 ; r 2 ; : : : ; r Standardize a prime p = 1000003. of how symmetric Assume sender knows independent een improving uniform random secrets , security: r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , etter than DES. r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . than r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , eck. s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , BLAKE2, Ascon . . . MD5, SHA-0, s 100 ∈ { 0 ; 1 ; : : : ; 999999 } . SHA-256, SHA-512.

  60. 14 15 systems Authentication details Assume receiver knows the same AES. secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s Standardize a prime p = 1000003. symmetric Assume sender knows independent roving uniform random secrets r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , DES. r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . SHA-0, s 100 ∈ { 0 ; 1 ; : : : ; 999999 } . SHA-512.

  61. 15 16 Authentication details Assume receiver knows the same secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . Standardize a prime p = 1000003. Assume sender knows independent uniform random secrets r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . s 100 ∈ { 0 ; 1 ; : : : ; 999999 } .

  62. 15 16 Authentication details Assume receiver knows the same secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . Standardize a prime p = 1000003. Later: Sender wants to send Assume sender knows independent 100 messages m 1 ; : : : ; m 100 , uniform random secrets each m n having 5 components r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . . . . r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , . . . s 100 ∈ { 0 ; 1 ; : : : ; 999999 } .

  63. 15 16 Authentication details Assume receiver knows the same secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . Standardize a prime p = 1000003. Later: Sender wants to send Assume sender knows independent 100 messages m 1 ; : : : ; m 100 , uniform random secrets each m n having 5 components r 1 ∈ { 0 ; 1 ; : : : ; 999999 } , m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 r 2 ∈ { 0 ; 1 ; : : : ; 999999 } , with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . . . . Sender transmits 30-digit r 5 ∈ { 0 ; 1 ; : : : ; 999999 } , m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 s 1 ∈ { 0 ; 1 ; : : : ; 999999 } , together with an authenticator . . . ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) s 100 ∈ { 0 ; 1 ; : : : ; 999999 } . + s n mod 1000000 and the message number n .

  64. 15 16 Authentication details Assume receiver knows the same e.g. r 1 = secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . r 3 = 979323 Standardize a prime p = 1000003. r 5 = 338327 Later: Sender wants to send Assume sender knows independent m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ 100 messages m 1 ; : : : ; m 100 , random secrets each m n having 5 components 0 ; 1 ; : : : ; 999999 } , m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 0 ; 1 ; : : : ; 999999 } , with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . Sender transmits 30-digit 0 ; 1 ; : : : ; 999999 } , m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 0 ; 1 ; : : : ; 999999 } , together with an authenticator ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) { 0 ; 1 ; : : : ; 999999 } . + s n mod 1000000 and the message number n .

  65. 15 16 details Assume receiver knows the same e.g. r 1 = 314159, r secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . r 3 = 979323, r 4 = rime p = 1000003. r 5 = 338327, s 10 = Later: Sender wants to send knows independent m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ 100 messages m 1 ; : : : ; m 100 , secrets each m n having 5 components 999999 } , m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 999999 } , with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . Sender transmits 30-digit 999999 } , m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 999999 } , together with an authenticator ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) 999999 } . + s n mod 1000000 and the message number n .

  66. 15 16 Assume receiver knows the same e.g. r 1 = 314159, r 2 = 265358 secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . r 3 = 979323, r 4 = 846264, 1000003. r 5 = 338327, s 10 = 950288, Later: Sender wants to send independent m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ 100 messages m 1 ; : : : ; m 100 , each m n having 5 components m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . Sender transmits 30-digit m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 together with an authenticator ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) + s n mod 1000000 and the message number n .

  67. 16 17 Assume receiver knows the same e.g. r 1 = 314159, r 2 = 265358, secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . r 3 = 979323, r 4 = 846264, r 5 = 338327, s 10 = 950288, Later: Sender wants to send m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : 100 messages m 1 ; : : : ; m 100 , each m n having 5 components m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . Sender transmits 30-digit m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 together with an authenticator ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) + s n mod 1000000 and the message number n .

  68. 16 17 Assume receiver knows the same e.g. r 1 = 314159, r 2 = 265358, secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . r 3 = 979323, r 4 = 846264, r 5 = 338327, s 10 = 950288, Later: Sender wants to send m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : 100 messages m 1 ; : : : ; m 100 , each m n having 5 components Sender computes authenticator m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 (6 r 1 + 7 r 2 mod p ) with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . + s 10 mod 1000000 = (6 · 314159 + 7 · 265358 Sender transmits 30-digit mod 1000003) m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 + 950288 mod 1000000 = together with an authenticator 742451 + 950288 mod 1000000 = ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) 692739. + s n mod 1000000 and the message number n .

  69. 16 17 Assume receiver knows the same e.g. r 1 = 314159, r 2 = 265358, secrets r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . r 3 = 979323, r 4 = 846264, r 5 = 338327, s 10 = 950288, Later: Sender wants to send m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : 100 messages m 1 ; : : : ; m 100 , each m n having 5 components Sender computes authenticator m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 (6 r 1 + 7 r 2 mod p ) with m n;i ∈ { 0 ; 1 ; : : : ; 999999 } . + s 10 mod 1000000 = (6 · 314159 + 7 · 265358 Sender transmits 30-digit mod 1000003) m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 + 950288 mod 1000000 = together with an authenticator 742451 + 950288 mod 1000000 = ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) 692739. + s n mod 1000000 and the message number n . Sender transmits ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  70. 16 17 Assume receiver knows the same e.g. r 1 = 314159, r 2 = 265358, A MAC using r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 . r 3 = 979323, r 4 = 846264, Instead of r 5 = 338327, s 10 = 950288, Sender wants to send r 1 ; r 2 ; : : : m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : messages m 1 ; : : : ; m 100 , choose r n having 5 components Sender computes authenticator n; 2 ; m n; 3 ; m n; 4 ; m n; 5 (6 r 1 + 7 r 2 mod p ) n;i ∈ { 0 ; 1 ; : : : ; 999999 } . + s 10 mod 1000000 = (6 · 314159 + 7 · 265358 Sender transmits 30-digit mod 1000003) n; 2 ; m n; 3 ; m n; 4 ; m n; 5 + 950288 mod 1000000 = together with an authenticator 742451 + 950288 mod 1000000 = + · · · + m n; 5 r 5 mod p ) 692739. mod 1000000 the message number n . Sender transmits ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  71. 16 17 knows the same e.g. r 1 = 314159, r 2 = 265358, A MAC using fewer ; r 5 ; s 1 ; : : : ; s 100 . r 3 = 979323, r 4 = 846264, Instead of choosing r 5 = 338327, s 10 = 950288, ants to send r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : ; : : : ; m 100 , choose r; s 1 ; s 2 ; : : : 5 components Sender computes authenticator m n; 4 ; m n; 5 (6 r 1 + 7 r 2 mod p ) ; : : : ; 999999 } . + s 10 mod 1000000 = (6 · 314159 + 7 · 265358 transmits 30-digit mod 1000003) m n; 4 ; m n; 5 + 950288 mod 1000000 = authenticator 742451 + 950288 mod 1000000 = m n; 5 r 5 mod p ) 692739. 1000000 number n . Sender transmits ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  72. 16 17 the same e.g. r 1 = 314159, r 2 = 265358, A MAC using fewer secrets : ; s 100 . r 3 = 979323, r 4 = 846264, Instead of choosing independent r 5 = 338327, s 10 = 950288, send r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : 100 , choose r; s 1 ; s 2 ; : : : ; s 100 . onents Sender computes authenticator (6 r 1 + 7 r 2 mod p ) 999999 } . + s 10 mod 1000000 = (6 · 314159 + 7 · 265358 mod 1000003) + 950288 mod 1000000 = authenticator 742451 + 950288 mod 1000000 = d p ) 692739. n . Sender transmits ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  73. 17 18 e.g. r 1 = 314159, r 2 = 265358, A MAC using fewer secrets r 3 = 979323, r 4 = 846264, Instead of choosing independent r 5 = 338327, s 10 = 950288, r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : choose r; s 1 ; s 2 ; : : : ; s 100 . Sender computes authenticator (6 r 1 + 7 r 2 mod p ) + s 10 mod 1000000 = (6 · 314159 + 7 · 265358 mod 1000003) + 950288 mod 1000000 = 742451 + 950288 mod 1000000 = 692739. Sender transmits ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  74. 17 18 e.g. r 1 = 314159, r 2 = 265358, A MAC using fewer secrets r 3 = 979323, r 4 = 846264, Instead of choosing independent r 5 = 338327, s 10 = 950288, r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : choose r; s 1 ; s 2 ; : : : ; s 100 . Sender computes authenticator Sender transmits 30-digit (6 r 1 + 7 r 2 mod p ) m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 + s 10 mod 1000000 = together with an authenticator (6 · 314159 + 7 · 265358 ( m n; 1 r + · · · + m n; 5 r 5 mod p ) mod 1000003) + s n mod 1000000 + 950288 mod 1000000 = and the message number n . 742451 + 950288 mod 1000000 = i.e.: take r i = r i in previous 692739. ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) Sender transmits + s n mod 1000000. ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  75. 17 18 = 314159, r 2 = 265358, A MAC using fewer secrets e.g. r = 979323, r 4 = 846264, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ Instead of choosing independent 338327, s 10 = 950288, r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : choose r; s 1 ; s 2 ; : : : ; s 100 . Sender computes authenticator Sender transmits 30-digit 7 r 2 mod p ) m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 10 mod 1000000 = together with an authenticator 314159 + 7 · 265358 ( m n; 1 r + · · · + m n; 5 r 5 mod p ) d 1000003) + s n mod 1000000 950288 mod 1000000 = and the message number n . 742451 + 950288 mod 1000000 = i.e.: take r i = r i in previous 692739. ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) Sender transmits + s n mod 1000000. ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  76. 17 18 , r 2 = 265358, A MAC using fewer secrets e.g. r = 314159, s 10 = 846264, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ Instead of choosing independent = 950288, r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : choose r; s 1 ; s 2 ; : : : ; s 100 . computes authenticator Sender transmits 30-digit ) m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 1000000 = together with an authenticator · 265358 ( m n; 1 r + · · · + m n; 5 r 5 mod p ) 1000003) + s n mod 1000000 d 1000000 = and the message number n . 950288 mod 1000000 = i.e.: take r i = r i in previous ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) transmits + s n mod 1000000. ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  77. 17 18 265358, A MAC using fewer secrets e.g. r = 314159, s 10 = 265358 , m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ Instead of choosing independent 950288, r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : choose r; s 1 ; s 2 ; : : : ; s 100 . authenticator Sender transmits 30-digit m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 together with an authenticator ( m n; 1 r + · · · + m n; 5 r 5 mod p ) + s n mod 1000000 = and the message number n . 1000000 = i.e.: take r i = r i in previous ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) + s n mod 1000000. ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✻✾✷✼✸✾ .

  78. 18 19 A MAC using fewer secrets e.g. r = 314159, s 10 = 265358, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Instead of choosing independent r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , choose r; s 1 ; s 2 ; : : : ; s 100 . Sender transmits 30-digit m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 together with an authenticator ( m n; 1 r + · · · + m n; 5 r 5 mod p ) + s n mod 1000000 and the message number n . i.e.: take r i = r i in previous ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) + s n mod 1000000.

  79. 18 19 A MAC using fewer secrets e.g. r = 314159, s 10 = 265358, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Instead of choosing independent r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , Sender computes authenticator (6 r + 7 r 2 mod p ) choose r; s 1 ; s 2 ; : : : ; s 100 . + s 10 mod 1000000 = Sender transmits 30-digit (6 · 314159 + 7 · 314159 2 m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 mod 1000003) together with an authenticator + 265358 mod 1000000 = ( m n; 1 r + · · · + m n; 5 r 5 mod p ) 953311 + 265358 mod 1000000 = + s n mod 1000000 218669. and the message number n . i.e.: take r i = r i in previous ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) + s n mod 1000000.

  80. 18 19 A MAC using fewer secrets e.g. r = 314159, s 10 = 265358, m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Instead of choosing independent r 1 ; r 2 ; : : : ; r 5 ; s 1 ; : : : ; s 100 , Sender computes authenticator (6 r + 7 r 2 mod p ) choose r; s 1 ; s 2 ; : : : ; s 100 . + s 10 mod 1000000 = Sender transmits 30-digit (6 · 314159 + 7 · 314159 2 m n; 1 ; m n; 2 ; m n; 3 ; m n; 4 ; m n; 5 mod 1000003) together with an authenticator + 265358 mod 1000000 = ( m n; 1 r + · · · + m n; 5 r 5 mod p ) 953311 + 265358 mod 1000000 = + s n mod 1000000 218669. and the message number n . Sender transmits i.e.: take r i = r i in previous authenticated message ( m n; 1 r 1 + · · · + m n; 5 r 5 mod p ) ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . + s n mod 1000000.

  81. 18 19 C using fewer secrets e.g. r = 314159, s 10 = 265358, Security m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Instead of choosing independent Attacker Find n ′ ; m : : : ; r 5 ; s 1 ; : : : ; s 100 , Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n r; s 1 ; s 2 ; : : : ; s 100 . ( m ′ ( r ) mo + s 10 mod 1000000 = Sender transmits 30-digit (6 · 314159 + 7 · 314159 2 Here m ′ ( n; 2 ; m n; 3 ; m n; 4 ; m n; 5 mod 1000003) together with an authenticator + 265358 mod 1000000 = + · · · + m n; 5 r 5 mod p ) 953311 + 265358 mod 1000000 = mod 1000000 218669. the message number n . Sender transmits take r i = r i in previous authenticated message + · · · + m n; 5 r 5 mod p ) ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . mod 1000000.

  82. 18 19 fewer secrets e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : osing independent Attacker’s goal: Find n ′ ; m ′ ; a ′ such : : : ; s 100 , Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = : : ; s 100 . ( m ′ ( r ) mod p ) + s n + s 10 mod 1000000 = transmits 30-digit (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m m n; 4 ; m n; 5 mod 1000003) authenticator + 265358 mod 1000000 = n; 5 r 5 mod p ) 953311 + 265358 mod 1000000 = 1000000 218669. number n . Sender transmits in previous authenticated message m n; 5 r 5 mod p ) ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . 1000000.

  83. 18 19 secrets e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : endent Attacker’s goal: Find n ′ ; m ′ ; a ′ such that Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = ( m ′ ( r ) mod p ) + s n ′ mod 1000000. + s 10 mod 1000000 = (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m ′ [ i ] x i . mod 1000003) authenticator + 265358 mod 1000000 = d p ) 953311 + 265358 mod 1000000 = 218669. n . Sender transmits revious authenticated message d p ) ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ .

  84. 19 20 e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Attacker’s goal: Find n ′ ; m ′ ; a ′ such that Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = ( m ′ ( r ) mod p ) + s n ′ mod 1000000. + s 10 mod 1000000 = (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m ′ [ i ] x i . mod 1000003) + 265358 mod 1000000 = 953311 + 265358 mod 1000000 = 218669. Sender transmits authenticated message ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ .

  85. 19 20 e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Attacker’s goal: Find n ′ ; m ′ ; a ′ such that Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = ( m ′ ( r ) mod p ) + s n ′ mod 1000000. + s 10 mod 1000000 = (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m ′ [ i ] x i . mod 1000003) Obvious attack: + 265358 mod 1000000 = Choose any m ′ � = m 1 . 953311 + 265358 mod 1000000 = Choose uniform random a ′ . 218669. Success chance 1 = 1000000. Sender transmits authenticated message ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ .

  86. 19 20 e.g. r = 314159, s 10 = 265358, Security analysis m 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Attacker’s goal: Find n ′ ; m ′ ; a ′ such that Sender computes authenticator (6 r + 7 r 2 mod p ) m ′ � = m n ′ but a ′ = ( m ′ ( r ) mod p ) + s n ′ mod 1000000. + s 10 mod 1000000 = (6 · 314159 + 7 · 314159 2 Here m ′ ( x ) = P i m ′ [ i ] x i . mod 1000003) Obvious attack: + 265358 mod 1000000 = Choose any m ′ � = m 1 . 953311 + 265358 mod 1000000 = Choose uniform random a ′ . 218669. Success chance 1 = 1000000. Sender transmits Can repeat attack. authenticated message Each forgery has chance ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . 1 = 1000000 of being accepted.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides
Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key encryption system encrypts one secret message: a random 256-bit session key. Public-key signature system stops NSAITM attacks. Fast

1.03k views • 63 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

2.03k views • 175 slides
Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL Story So far m Enc SC PRG (i.e., a Stream Cipher) for one-time SKE K Mode of operation: msg pseudorandom pad PRF (i.e., a Block Cipher)

251 views • 12 slides
Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL Story So far m Enc SC PRG (i.e., a Stream Cipher) for one-time SKE K Mode of operation: msg pseudorandom pad PRF (i.e., a Block Cipher)

426 views • 13 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC project QUASYModo FSE 2019 Paris - March 26 2019 Preliminaries... No quantum knowledge needed for following this talk Outline Introduction

882 views • 72 slides
Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher PRG from One-Way RECALL

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher PRG from One-Way RECALL

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher PRG from One-Way RECALL Permutations One-bit stretch PRG, G k : {0,1} k {0,1} k+1 k k G R 1 Increasing the stretch Can use part of the PRG output as a new seed

1.31k views • 107 slides
Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m (stream) Enc G is a PRG if {G k (x)} x {0,1}k U n(k) and G PPT A PRG can be used to obtain a one-time SC PRG K CPA-secure SKE Stream

555 views • 10 slides
Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m

Symmetric-Key Encryption: constructions Lecture 5 PRF , Block Cipher RECALL PRG m (stream) Enc G is a PRG if {G k (x)} x {0,1}k U n(k) and G PPT A PRG can be used to obtain a one-time SC PRG K CPA-secure SKE Stream

320 views • 11 slides
1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client servers ciphertext C 0 public key S Internet Public-key crypto ciphertext C 0 servers same k secret key s server

916 views • 80 slides
Spark Overview / High-level Architecture Indexing from Spark Reading data from Solr + term

Spark Overview / High-level Architecture Indexing from Spark Reading data from Solr + term

Spark Overview / High-level Architecture Indexing from Spark Reading data from Solr + term vectors & Spark SQL Document Matching user since 2010, committer since April 2014, work for SolrCloud features and bin/solr! Release manager

569 views • 22 slides
Overview of the PEBBL and PICO Projects: Massively Parallel Branch and Bound Jonathan Eckstein

Overview of the PEBBL and PICO Projects: Massively Parallel Branch and Bound Jonathan Eckstein

Overview of the PEBBL and PICO Projects: Massively Parallel Branch and Bound Jonathan Eckstein Business School and RUTCOR Rutgers University Joint work with a large team, mostly from Sandia National Laboratories, and in particular William E.

507 views • 28 slides
BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research and Analysis: Zhenhua(Eric) Liu Vulnerability Researcher zhliu@fortinet.com Contributor and Editor: Guillaume Lovet Sr Manager of Fortinet's

646 views • 52 slides
Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model

Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model

Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model development is a major barrier to effective delivery of value Complexity leads to models that are late, over budget, and of substandard

918 views • 36 slides
TRECVID-2013 Semantic Indexing task: Overview Georges Qunot Laboratoire d'Informatique de

TRECVID-2013 Semantic Indexing task: Overview Georges Qunot Laboratoire d'Informatique de

TRECVID-2013 Semantic Indexing task: Overview Georges Qunot Laboratoire d'Informatique de Grenoble George Awad Dakota Consulting, Inc Outline Task summary Evaluation details Inferred average precision Participants

735 views • 39 slides
CPSC 121: Mode els of Computation Un nit 6 Rewriting Predicat te Logic Statements Based on

CPSC 121: Mode els of Computation Un nit 6 Rewriting Predicat te Logic Statements Based on

CPSC 121: Mode els of Computation Un nit 6 Rewriting Predicat te Logic Statements Based on slides by Patrice Be Based on slides by Patrice Be lleville and Steve Wolfman lleville and Steve Wolfman Pre-Class Learning Pre-Class Learning

479 views • 14 slides
MARKETING AND SELLING THE DRUPAL COMMERCE ECOSYSTEM Ryan Szrama, Commerce Guys COMMERCE GUYS

MARKETING AND SELLING THE DRUPAL COMMERCE ECOSYSTEM Ryan Szrama, Commerce Guys COMMERCE GUYS

MARKETING AND SELLING THE DRUPAL COMMERCE ECOSYSTEM Ryan Szrama, Commerce Guys COMMERCE GUYS TODAY Creators of Drupal Commerce, now a team of 7 after refocusing the business. Commerce 2.x development led by Bojan with Matt as

483 views • 13 slides
Ocean-Atmosphere Interactions & Modelling: A General Overview 8 th ICTP Workshop on the

Ocean-Atmosphere Interactions & Modelling: A General Overview 8 th ICTP Workshop on the

Motivation for using coupled models Posing the coupled model problem Basics on (Low-Frequency) Variability Mesoscale/regional examples Ocean-Atmosphere Interactions & Modelling: A General Overview 8 th ICTP Workshop on the Theory and Use

1.09k views • 54 slides

More recommend