nonce generators and the nonce reset problem
play

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical - PowerPoint PPT Presentation

Jan 06, 2023 •17 likes •337 views

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29 Everyone

  1. Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29

  2. Everyone knows... Everyone knows what a nonce is: A nonce is a cryptographic value that is used only once. Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 2 / 29

  3. Everyone knows... Everyone knows what a nonce is: A nonce is a cryptographic value that is used only once. Everyone knows what a nonce is used for: A nonce ensures that the cryptographic output for two identical key/message pairs looks different. Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 2 / 29

  4. Everyone knows... Everyone knows what a nonce is: A nonce is a cryptographic value that is used only once. Everyone knows what a nonce is used for: A nonce ensures that the cryptographic output for two identical key/message pairs looks different. Everyone knows how to generate a nonce: The simplest way to generate a nonce is to use a counter. Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 2 / 29

  5. So... ... can we go home now? Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 3 / 29

  6. In theory... In theory, the problem of nonces is solved. Theory vs. practice: In theory, there is no difference between theory and practice. In practice, there is. Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 4 / 29

  7. Outline Formalisation 1 Nonce Reset Problem 2 Nonce Solutions 3 Comparison 4 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 5 / 29

  8. Formalisation Outline Formalisation 1 Nonce Reset Problem 2 Nonce Solutions 3 Comparison 4 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 6 / 29

  9. Formalisation Strictly speaking... Strictly speaking, a nonce does not exist. Is the number 213 a nonce? Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 7 / 29

  10. Formalisation Strictly speaking... Strictly speaking, a nonce does not exist. Is the number 213 a nonce? Being non-repeating is not a property of a number, but of a sequence of numbers or of the algorithm generating this sequence. Nonce Generator (NG): A nonce generator is a (deterministic or probabilistic) algorithm that out- puts a sequence of numbers such that each number occurs at most once. Note the similarities to random numbers! Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 7 / 29

  11. Formalisation What nonces aren’t The only property of the nonce is to be the output of a nonce generator. A nonce may be a public value. A nonce may be completely predictable. A nonce may have a lot of structure. Formalisation (Rogaway, FSE 2004): A nonce-respecting adversary is allowed to freely choose the nonces for his queries, as long as he does not choose the same nonce twice under the same key. ⇒ If you need anything stronger than that, don’t call it a nonce! ⇒ It’s also out of scope for this paper/talk. Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 8 / 29

  12. Formalisation Deterministic vs. probabilistic NGs Deterministic nonce generator: The clean solution. All sequences output by this generator are nonce sequences. Classical example: Counter. Probabilistic nonce generator: Behaves like a nonce generator most of the time. Some (few) sequences output by this generator contain repeating elements. Classical example: Random numbers. Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 9 / 29

  13. Nonce Reset Problem Outline Formalisation 1 Nonce Reset Problem 2 Nonce Solutions 3 Comparison 4 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 10 / 29

  14. Nonce Reset Problem Motivational example From a real-world consulting project: Low-cost sensor network system. Very little non-volatile memory available: Enough to store the key. Not enough to store the nonce. Frequent battery shut-down to save energy ⇒ Nonce state gets lost. ⇒ Counter-based system not feasible. ⇒ RNG-based nonces might save the day, (c) Zensys A/S but... Bandwidth is also very expensive: ⇒ Long nonces are prohibited. ⇒ RNG-based system not feasible. How to solve this problem? Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 11 / 29

  15. Nonce Reset Problem The nonce reset problem Nonces have to be stored somewhere: Volatile Non-volatile Memory Memory Examples Registers, RAM Harddisk, Flash Speed Fast Slow Available Always Sometimes State loss? Yes No Consequences: Nonces are generated and used in vol. memory Not always possible to store them in NV memory Vol. memory can lose state due to (voluntary or accidential) power-down Re-using same nonce after loss of nonce state can destroy cryptographic security! Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 12 / 29

  16. Nonce Reset Problem Known solutions Counter (deterministic): No randomness involved Keeping counter state is crucial If state is lost, the full nonce sequence is repeated ⇒ Risk of complete security break-down Clock (deterministic): Special case of counter Random nonces (probabilistic): RNG required Risk of collisions (birthday paradox) Larger nonce length ℓ required ⇒ Problematic if RNG not available or ℓ restricted Other solutions? Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 13 / 29

  17. Nonce Solutions Outline Formalisation 1 Nonce Reset Problem 2 Nonce Solutions 3 Comparison 4 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 14 / 29

  18. Nonce Solutions Listing nonce generators In the following: Give some sample nonce generators Not new, but knowledge badly documentet: Google “random number generator” + cryptography: 124,000 hits Google “nonce generator” + cryptography: 624 hits (mainly mailing lists and patent applications) List of nonce generators not exhaustive In the paper: Mathematics for choosing parameters Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 15 / 29

  19. Nonce Solutions Counter with randomised reset (1) Counter with randomised reset: Minor modification of counter solution: Initialise to random value Upon reset, a new starting state is assumed Advantages: No automatic repetition of nonce sequence upon reset Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 16 / 29

  20. Nonce Solutions Counter with randomised reset (2) Disadvantages: Requires an RNG If repetition happens: Partial sequence overlap Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 17 / 29

  21. Nonce Solutions Mixed solution 1 (1) Mixed solution 1: Known hybrid technique: Compose nonce of a counter and a random value Reset counter to random value Advantages: Guaranteed no repetitions between two resets Collisions across two resets very unlikely No sequence overlap Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 18 / 29

  22. Nonce Solutions Mixed solution 1 (2) Disadvantages: Requires an RNG Nonce longer than pure counter, but shorter than random solution (for detailed mathematics: see the paper) Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 19 / 29

  23. Nonce Solutions Mixed solution 2 (1) Mixed solution 2: Enhancement of mixed solution 1: Update the random value only upon reset. Set counter to 0 upon reset. Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 20 / 29

  24. Nonce Solutions Mixed solution 2 (2) Advantages: Collision probability for random part much smaller Random part can be kept small (again: see the paper for the maths) Total nonce size smaller than mixed solution 1 Disadvantages: Requires an RNG If RNG collision happens: Full sequence overlap Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 21 / 29

  25. Nonce Solutions Reset points (1) Counter with reset points: If some NV memory is available: Use pure counter solution Store a larger counter value on NV memory Upon reset, continue from this larger counter Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 22 / 29

  26. Nonce Solutions Reset points (2) Advantages: With proper parameters: no collisions possible No RNG required Disadvantages: Requires NV memory (can be smaller than nonce size) Nonce size slightly larger than for pure counter Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 23 / 29

  27. Comparison Outline Formalisation 1 Nonce Reset Problem 2 Nonce Solutions 3 Comparison 4 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 24 / 29

  28. Comparison How to compare? In order to choose, be clear about your system requirements: Acceptable collision probability Acceptable nonce length Max. number of nonces required Max. number of system resets RNG available (how fast?) NV memory available (how fast?) Sequences overlap relevant? Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 25 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now Extending the Salsa20 nonce 2006

762 views • 59 slides
NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

[Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn Tackmann University of California, San Diego Eurocrypt 2016, Vienna May 11, 2016

521 views • 37 slides
GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

` GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per Byt yte Shay Gueron Yehuda Lindell Bar-Ilan University Haifa Univ. and Intel Appeared at ACM CCS 2015 ` How to Encry rypt wit ith a Blo

684 views • 30 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza

Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza

Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza Reyhanitabar 2 Phillip Rogaway 3 Damian Vizr 4 1 UC, Santa Barbara 2 NEC Laboratories Europe, Germany 3 UC Davis 4 EPFL, Switzerland 6th Asian Workshop

730 views • 50 slides
Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now 2006 BlackHaleviHevia

626 views • 19 slides
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France

980 views • 70 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

679 views • 63 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

1.17k views • 68 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

845 views • 67 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

1.74k views • 57 slides
Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit Dutta 2 , Mridul Nandi 2 and Kan Yasuda 3 1. Indian Institute of Technology, Kharagpur, India 2. Indian Statistical Institute, Kolkata, India 3. NTT

580 views • 45 slides
Statistics, Measures of Central Tendency I We are considering a random variable X with a

Statistics, Measures of Central Tendency I We are considering a random variable X with a

Statistics, Measures of Central Tendency I We are considering a random variable X with a probability distribution which has some parameters. We want to get an idea what these parameters are. We perfom an experiment n times and record the outcome.

415 views • 24 slides
CS 473: Algorithms Chandra Chekuri Ruta Mehta University of Illinois, Urbana-Champaign Fall

CS 473: Algorithms Chandra Chekuri Ruta Mehta University of Illinois, Urbana-Champaign Fall

CS 473: Algorithms Chandra Chekuri Ruta Mehta University of Illinois, Urbana-Champaign Fall 2016 Chandra & Ruta (UIUC) CS473 1 Fall 2016 1 / 41 CS 473: Algorithms, Fall 2016 High Probability Analysis & Universal Hashing Lecture

1.09k views • 105 slides
OLAP and Data Mining Chapter 17 OLTP Compared With OLAP On Line Transaction Processing

OLAP and Data Mining Chapter 17 OLTP Compared With OLAP On Line Transaction Processing

OLAP and Data Mining Chapter 17 OLTP Compared With OLAP On Line Transaction Processing OLTP OLTP Maintains a database that is an accurate model of some real- world enterprise. Supports day-to-day operations. Characteristics:

929 views • 46 slides
Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz,

Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz,

Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz, Oregon State University Presented by Muslum Ozgur Ozmen Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security |

138 views • 10 slides
Stochastic Simulation Generation of random variables Discrete sample space Bo Friis Nielsen

Stochastic Simulation Generation of random variables Discrete sample space Bo Friis Nielsen

Stochastic Simulation Generation of random variables Discrete sample space Bo Friis Nielsen Applied Mathematics and Computer Science Technical University of Denmark 2800 Kgs. Lyngby Denmark Email: bfn@imm.dtu.dk Plan W1.1-2 Plan W1.1-2

467 views • 19 slides
Random Numbers Computational Randomness is Hard The best known academic computer scientist at

Random Numbers Computational Randomness is Hard The best known academic computer scientist at

Eric Roberts Handout #23 CS 106A January 22, 2010 Random Numbers Computational Randomness is Hard The best known academic computer scientist at Random Numbers Stanfordand probably in the worldis Don Knuth, who has now been retired for

56 views • 4 slides
How not to generate random numbers Nadia Heninger University of Pennsylvania May 13, 2015

How not to generate random numbers Nadia Heninger University of Pennsylvania May 13, 2015

How not to generate random numbers Nadia Heninger University of Pennsylvania May 13, 2015 Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption d decryption exponent ( d = e 1 mod ( p

716 views • 69 slides
Generation Stephen Booth David Henty Introduction Random numbers are frequently used in many

Generation Stephen Booth David Henty Introduction Random numbers are frequently used in many

Random Number Generation Stephen Booth David Henty Introduction Random numbers are frequently used in many types of computer simulation Frequently as part of a sampling process: Generate a representative sample of a large

311 views • 28 slides

More recommend