McMambo V1: A new kind of Latin Dance Mambo Watson Ladd University - - PowerPoint PPT Presentation




SLIDE 1

McMambo V1: A new kind of Latin Dance

Watson Ladd

University of California, Berkeley

August 12, 2013

SLIDE 2

Outline

1 Motivation
2 Mambo

SLIDE 3

From Tweakable Cipher to Authenticated Encryption

OCB3 can be seen as taking a tweakable cipher to an AEAD scheme
McOE: avoids problems of counter reuse
We have tweakable ciphers: Threefish, standard constructions
So done?

SLIDE 4

Size Matters

McOE requires a tweak the size of a block
Can use AES-128 plus standard construction
Inherits problems of AES plus key agility issues
Threefish doesn't have a big enough tweak

SLIDE 5

Mambo

Tweakable block cipher: 512-bit block and tweak, 256-bit key
State organized as 4x4 array of 32-bit words
Key is 8 32-bit words
Tweak is 16 32-bit words

SLIDE 6

Mambo Structure

Similar to Salsa
Reversible transformation of four words
Repeated on rows and columns
Alternates with XORing in key and round counter
Key in checkerboard, round counter down diagonal
Tweak is XORed into entire state midway through encryption

SLIDE 7

The Quarterround Transformation

y1 = x1 ⊕ R(x0 ∧ x2, 7)
y2 = x2 ⊕ R(x0 ∨ x3, 9)
y3 = x3 ⊕ R(y1 ↑ x0, 13)
y0 = x0 ⊕ R(y1 ↓ y2, 18)
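As an added example (not code from the deck or from the McMambo project), the quarterround above in Python together with its inverse, which is what the earlier "reversible transformation" slide requires for use inside a block cipher. It assumes R(·, n) is a 32-bit rotate-left and reads the ↑ and ↓ symbols as NAND and NOR, the usual logic-notation meaning.

```python
MASK = 0xFFFFFFFF  # all arithmetic is on 32-bit words


def rotl(x, n):
    """R(x, n): rotate a 32-bit word left by n bits (assumed left rotation)."""
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(x0, x1, x2, x3):
    """Forward quarterround, step by step as on the slide.
    Each output is an input XORed with a rotated function of words that are
    already known, so every step is a reversible XOR update."""
    y1 = x1 ^ rotl(x0 & x2, 7)                 # x0 AND x2
    y2 = x2 ^ rotl(x0 | x3, 9)                 # x0 OR x3
    y3 = x3 ^ rotl(~(y1 & x0) & MASK, 13)      # y1 NAND x0 (assumed reading of ↑)
    y0 = x0 ^ rotl(~(y1 | y2) & MASK, 18)      # y1 NOR y2 (assumed reading of ↓)
    return y0, y1, y2, y3


def inverse_quarterround(y0, y1, y2, y3):
    """Undo quarterround by replaying the steps in reverse order; because each
    step only XORed a value computable from the other words, the same
    value can be recomputed and XORed off again."""
    x0 = y0 ^ rotl(~(y1 | y2) & MASK, 18)
    x3 = y3 ^ rotl(~(y1 & x0) & MASK, 13)
    x2 = y2 ^ rotl(x0 | x3, 9)
    x1 = y1 ^ rotl(x0 & x2, 7)
    return x0, x1, x2, x3


def roundtrip_ok(words):
    """Check that decryption-direction code exactly inverts the forward step."""
    return inverse_quarterround(*quarterround(*words)) == tuple(words)


if __name__ == "__main__":
    # Constructed sample input, not a test vector from the McMambo spec.
    sample = (0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0xFEEDFACE)
    print([hex(w) for w in quarterround(*sample)])
    print("round-trip ok:", roundtrip_ok(sample))
```

Note that AND, OR, NAND and NOR are not themselves invertible; the construction stays reversible only because they feed an XOR update of a different word, so any change to that structure must be rechecked against the inverse.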

SLIDE 8

From Transformation to Mode

Ci = E(Pi, Ni)
Ni+1 = Ci ⊕ Pi
Initialize with message number
Add in tag as encryption of message number
512-bit nonce and tag

SLIDE 9

Cryptographic properties

Given ideal tweakable cipher, McOE has nice properties
Leaks only common prefixes if message number fixed
Online computation
State size one block
Tag ridiculously big: truncation possible but uninvestigated

SLIDE 10

Performance

12 cycles per byte on modern Intel hardware
25 for AES (from recent OpenSSL)
Complete implementation 20 kilobytes executable
Note: aggressively optimizing compiler only trick used

SLIDE 11

Where to focus

McOE paper: if tweaked cipher is secure, so is the mode
Impact of truncation of tag
Security means commonality of prefix revealed: implications
Attacks on Mambo
Faster, smaller, better software
Hardware size and implementations: what choices exist