On the design of message-authentication codes - PowerPoint PPT Presentation

On the design of message-authentication codes

D. J. Bernstein
University of Illinois at Chicago

When we design hash functions, stream ciphers, and other secret-key primitives, should we use integer multiplication?

(Notation below: input word widths in bits → output word widths in bits.)

AES uses 32, 32 → 32 xor; 32 → 8 byte extraction; and 8 → 32 inversion box.

IDEA uses 16, 16 → 16 xor; 16, 16 → 16 addition; and 16, 16 → 16 multiplication.

Rabbit uses 32 → 32 rotation; 32, 32 → 32 addition; 32, 32 → 32 xor; and 32, 32 → 32, 32 multiplication.

RC6 uses 32, 8 → 32 rotation; 32, 32 → 32 addition; 32, 32 → 32 xor; and 32, 32 → 32 multiplication.

Salsa20 uses 32 → 32 rotation; 32, 32 → 32 addition; and 32, 32 → 32 xor.

“Multiplication is slow!” ≈ 10× as many bit operations as addition.

Counterargument: “Multiplication is surprisingly fast!” Has many applications, so CPU designers include big multiplication circuits. Typical CPUs can start a new multiplication every cycle.

“Multiplication scrambles its output as thoroughly as several simple operations!”

“No, it doesn’t! Look at these scary attacks. Need many multiplications to achieve confidence.”

What if we can prove that multiplication provides the security we need?

An authentication system

Let’s use multiplication to authenticate messages.

Standardize a prime p = 1000003.

Sender rolls 10-sided die to generate independent uniform random secrets r ∈ {0, 1, ..., 999999}, s_1 ∈ {0, 1, ..., 999999}, s_2 ∈ {0, 1, ..., 999999}, ..., s_100 ∈ {0, 1, ..., 999999}.

Sender meets receiver in private and tells receiver the same secrets r, s_1, s_2, ..., s_100.

Later: Sender wants to send 100 messages m_1, ..., m_100, each having 5 components m_n[1], m_n[2], m_n[3], m_n[4], m_n[5] with m_n[i] ∈ {0, 1, ..., 999999}.

Sender transmits 30-digit m_n[1], m_n[2], m_n[3], m_n[4], m_n[5] together with an authenticator (m_n[1] r + ··· + m_n[5] r^5 mod p) + s_n mod 1000000 and the message number n.

e.g. r = 314159, s_10 = 265358, m_10 = 000006 000007 000000 000000 000000:

Sender computes authenticator
(6r + 7r^2 mod p) + s_10 mod 1000000
= (6 · 314159 + 7 · 314159^2 mod 1000003) + 265358 mod 1000000
= 953311 + 265358 mod 1000000
= 218669.

Sender transmits authenticated message 10 000006 000007 000000 000000 000000 218669.
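The toy system above, implemented end to end as an added example (this is not code from the slides): the secrets come from a CSPRNG instead of a 10-sided die, the tag is recomputed and compared with a constant-time comparison on the receiver side, and, as an added safeguard the slides do not spell out, a receiver refuses to accept a second message under a message number whose s_n it has already consumed. The worked numbers (r = 314159, s_10 = 265358, m_10 = (6, 7, 0, 0, 0)) are the slides’ own.

```python
import hmac
import secrets

P = 1000003          # the standardized prime from the slides
MOD = 1000000        # the authenticator is reduced to a 6-digit value
COMPONENTS = 5       # each message is five 6-digit components


def keygen(num_messages=100):
    """Generate the shared secrets r, s_1, ..., s_num_messages.

    The slides use a 10-sided die; a CSPRNG stands in for it here.
    Every secret is uniform in {0, 1, ..., 999999}.
    """
    r = secrets.randbelow(MOD)
    s = [secrets.randbelow(MOD) for _ in range(num_messages)]
    return r, s


def poly_eval(m, r):
    """m(r) mod p with m(x) = m[1] x + m[2] x^2 + ... + m[5] x^5.

    Python lists are 0-based, so m[0] here is the slides' m_n[1].
    """
    return sum(c * pow(r, i + 1, P) for i, c in enumerate(m)) % P


def authenticator(m, r, s_n):
    """a_n = (m_n(r) mod p) + s_n mod 1000000, exactly as on the slides."""
    return (poly_eval(m, r) + s_n) % MOD


def encode(n, m, a):
    """Wire format: message number, five 6-digit components, 6-digit tag."""
    return " ".join([str(n)] + [f"{c:06d}" for c in m] + [f"{a:06d}"])


class Receiver:
    """Holds the shared secrets and checks incoming authenticated messages."""

    def __init__(self, r, s):
        self.r, self.s = r, s
        self.used = set()   # added safeguard: each s_n authenticates one message

    def verify(self, n, m, a):
        if n < 1 or n > len(self.s) or n in self.used:
            return False
        if len(m) != COMPONENTS or not all(0 <= c < MOD for c in m):
            return False
        expected = authenticator(m, self.r, self.s[n - 1])
        # Constant-time comparison of the two 6-digit strings.
        ok = hmac.compare_digest(f"{expected:06d}", f"{a:06d}")
        if ok:
            self.used.add(n)
        return ok


if __name__ == "__main__":
    m10 = [6, 7, 0, 0, 0]
    a10 = authenticator(m10, 314159, 265358)
    print(encode(10, m10, a10))   # matches the slides' transmitted message
```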

Speed analysis

Notation: m_n(x) = Σ_i m_n[i] x^i.

To compute m_n(r) mod p: multiply m_n[5] by r, add m_n[4], multiply by r, add m_n[3], multiply by r, add m_n[2], multiply by r, add m_n[1], multiply by r. Reduce mod p after each mult.

Slightly more time to compute authenticator a_n = (m_n(r) mod p) + s_n mod 1000000.

Reducing mod 1000003 is easy, since 1000000 ≡ −3 (mod 1000003): e.g., 240881099091 = 240881 · 1000000 + 99091 ≡ 240881(−3) + 99091 = −722643 + 99091 = −623552. Easily adjust to range {0, 1, ..., p − 1} by adding/subtracting a few p’s. (Beware timing attacks!)

Speedup: Delay the adjustment; extra p’s won’t damage subsequent field operations.
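Horner evaluation with the 1000000 ≡ −3 reduction trick and a single deferred adjustment, as an added example (not the slides’ code). `reduce_lazy` keeps intermediate values small but not canonical, which is the “delay the adjustment” speedup; `canonical` does the final adjustment as a fixed two-step correction rather than a data-dependent loop, which is the structure the slides’ timing-attack warning points at (Python integers are not constant-time, so this shows the shape, not a real constant-time implementation). The worked inputs are the slides’ own; `direct` is a reference evaluation used only to cross-check.

```python
P = 1000003
MILLION = 1000000   # 10^6 ≡ −3 (mod p), the identity the reduction exploits


def reduce_lazy(v):
    """Return a small representative of v mod p, not necessarily canonical.

    Split v = hi * 10^6 + lo and replace 10^6 by −3; repeat until |v| < 10^6.
    The result may be negative; that is fine for further field operations.
    """
    while not -MILLION < v < MILLION:
        hi, lo = divmod(v, MILLION)   # floor semantics keep this valid for v < 0
        v = lo - 3 * hi
    return v


def canonical(v):
    """Final adjustment of a lazily reduced value into {0, ..., p − 1}.

    A value from reduce_lazy lies in (−10^6, 10^6), so at most one addition
    of p is ever needed; both corrections are still applied unconditionally
    in form (bool * P) so the code path does not depend on the data.
    """
    v += P * (v < 0)
    v -= P * (v >= P)
    return v


def horner_lazy(m, r):
    """m(r) mod p by the slides' schedule.

    multiply m[5] by r, add m[4], multiply by r, ..., add m[1], multiply by r,
    reducing lazily after each multiplication and canonicalizing once at the end.
    m is the 5-component list m_n[1..5] (0-based in Python).
    """
    acc = m[-1]
    for c in reversed(m[:-1]):
        acc = reduce_lazy(acc * r) + c
    acc = reduce_lazy(acc * r)
    return canonical(acc)


def direct(m, r):
    """Reference: sum of m[i] r^i with full modular reduction at each step."""
    return sum(c * pow(r, i + 1, P) for i, c in enumerate(m)) % P


if __name__ == "__main__":
    print(reduce_lazy(240881099091), canonical(reduce_lazy(240881099091)))
    print(horner_lazy([6, 7, 0, 0, 0], 314159))
```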

Main work is multiplication. For each 6-digit message chunk, have to do one multiplication of the 6-digit secret r into an accumulator mod p.

Scaled up for serious security: “Poly1305” uses p = 2^130 − 5. For each 128-bit message chunk, have to do one multiplication of a 128-bit secret r into an accumulator mod 2^130 − 5.

≈ 5 cycles per message byte, depending on the CPU.
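The scaled-up construction, written out as an added example in the RFC 8439 formulation of Poly1305 (one-time 32-byte key r || s, r clamped with the RFC’s mask); this is not code from the slides or from any Poly1305 library. It shows the same shape as the toy system: one multiplication of the secret r into an accumulator mod 2^130 − 5 per 16-byte chunk, then the addition of the one-time s, reduced to 128 bits. The key, message and tag below are the public test vector from RFC 8439 section 2.5.2, not values from the slides.

```python
import hmac

P1305 = (1 << 130) - 5                          # the prime named on the slide
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff   # RFC 8439 clamping mask for r


def poly1305_tag(key: bytes, msg: bytes) -> bytes:
    """Poly1305 tag as specified in RFC 8439 for a one-time key r || s.

    Each 16-byte chunk (the last one may be shorter) gets a 0x01 byte
    appended, which becomes its most significant byte in little-endian
    order; the accumulator update is acc = (acc + chunk) * r mod 2^130 - 5,
    i.e. one multiplication by the 128-bit secret r per chunk.
    """
    if len(key) != 32:
        raise ValueError("Poly1305 one-time key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16] + b"\x01"
        acc = (acc + int.from_bytes(chunk, "little")) * r % P1305
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time; never compare tags with ==."""
    return hmac.compare_digest(poly1305_tag(key, msg), tag)


# Public test vector from RFC 8439 section 2.5.2 (not from the slides).
RFC8439_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                            "0103808afb0db2fd4abff6af4149f51b")
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


if __name__ == "__main__":
    print(poly1305_tag(RFC8439_KEY, RFC8439_MSG).hex())
```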

Security analysis

Attacker’s goal: Find n′, m′, a′ such that m′ ≠ m_{n′} but a′ = (m′(r) mod p) + s_{n′} mod 1000000. Here m′(x) = Σ_i m′[i] x^i.

Obvious attack: Choose any m′ ≠ m_1. Choose uniform random a′. Success chance 1/1000000. Can repeat attack. Each forgery has chance 1/1000000 of being accepted.

More subtle attack: Choose m′ ≠ m_1 so that the polynomial m′(x) − m_1(x) has 5 distinct roots x ∈ {0, 1, ..., 999999} modulo p. Choose a′ = a.

e.g. m_1 = (100, 0, 0, 0, 0), m′ = (125, 1, 0, 0, 1): m′(x) − m_1(x) = x^5 + x^2 + 25x, which has five roots mod p: 0, 299012, 334447, 631403, 735144. Success chance 5/1000000.


slide-49
SLIDE 49

Actually, success chance can be above $5/1000000$. Example: If $m_1(334885) \bmod p \in \{1000000, 1000001, 1000002\}$ then a forgery $(1, m', a_1)$ with $m'(x) = m_1(x) + x^5 + x^2 + 25x$ also succeeds for $r = 334885$; success chance $6/1000000$. Reason: $334885$ is a root of $m'(x) - m_1(x) + 1000000$.

Can have as many as 15 roots of $(m'(x) - m_1(x)) \cdot (m'(x) - m_1(x) + 1000000) \cdot (m'(x) - m_1(x) - 1000000)$.


slide-53
SLIDE 53

Do better by varying $a'$? No. Easy to prove: Every choice of $(n', m', a')$ with $m' \ne m_{n'}$ has chance $\le 15/1000000$ of being accepted by receiver.

Underlying fact: $\le 15$ roots of $(m'(x) - m_1(x) - a' + a_1) \cdot (m'(x) - m_1(x) - a' + a_1 + 10^6) \cdot (m'(x) - m_1(x) - a' + a_1 - 10^6)$.

Warning: very easy to break the oversimplified authenticator $(m_n[1] + \cdots + m_n[5] r^4 \bmod p) + s_n \bmod 1000000$: solve $m'(x) - m_1(x) = a' - a_1$.
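The toy authenticator and its forgery analysis, checked by brute force in an added Python example (not from the slides); it assumes the toy modulus is $p = 1000003$, the only value consistent with the residue range $\{1000000, 1000001, 1000002\}$ used above, and constructs its own key and pad values.

```python
# Added example (not from the slides): the toy polynomial authenticator and a
# brute-force check of the forgery analysis.  Assumption: the toy modulus is
# p = 1000003, the only prime for which the slides' residue range
# {1000000, 1000001, 1000002} is exactly the part of [0, p) above 999999.
P = 1000003          # assumed toy modulus p
MOD = 1_000_000      # the authenticator is reduced mod 1000000
CHUNKS = 5           # a message m = (m[1], ..., m[5]) of 5 chunks below 10^6


def poly(m, r):
    """m(r) = m[1] r + m[2] r^2 + ... + m[5] r^5 mod p (Horner from the top chunk)."""
    acc = 0
    for chunk in reversed(m):
        acc = (acc + chunk) * r % P
    return acc


def poly_oversimplified(m, r):
    """The slides' 'oversimplified' variant m[1] + m[2] r + ... + m[5] r^4 mod p,
    which has a constant term."""
    acc = 0
    for chunk in reversed(m):
        acc = (acc * r + chunk) % P
    return acc


def authenticator(m, r, s, evaluate=poly):
    """a_n = (m_n(r) mod p) + s_n mod 1000000, with s_n the one-time pad."""
    return (evaluate(m, r) + s) % MOD


def accepted_r_count(m1, m_forged, delta, evaluate=poly, r_values=range(MOD)):
    """Number of keys r for which the forgery (m_forged, a1 + delta mod 10^6) is
    accepted after (m1, a1) was sent under nonce 1.  The pad s cancels out of the
    acceptance test, so the count does not depend on s."""
    count = 0
    for r in r_values:
        if (evaluate(m_forged, r) - evaluate(m1, r) - delta) % MOD == 0:
            count += 1
    return count


def common_roots(m1, m_forged):
    """Keys r in {0, ..., 999999} with m_forged(r) = m1(r) mod p: the roots of the
    difference polynomial, i.e. keys for which the forgery (m_forged, a1) is
    accepted for certain."""
    return [r for r in range(MOD) if poly(m_forged, r) == poly(m1, r)]


# The slides' example: m1 = (100, 0, 0, 0, 0), m' = (125, 1, 0, 0, 1), so that
# m'(x) - m1(x) = x^5 + x^2 + 25x.
M1 = (100, 0, 0, 0, 0)
M_FORGED = (125, 1, 0, 0, 1)

if __name__ == "__main__":
    r, s = 334447, 123456                       # constructed key (one of the
    a1 = authenticator(M1, r, s)                # five listed roots) and pad
    print("forged tag accepted:", authenticator(M_FORGED, r, s) == a1)
    print("roots of x^5 + x^2 + 25x below 10^6:", common_roots(M1, M_FORGED))
    # At most 5 + 5 + 5 = 15 keys accept any fixed (m', a'), because
    # (m'(r) mod p) - (m1(r) mod p) - (a' - a1) must be 0 or +-10^6.
    print("keys accepting (m', a1):", accepted_r_count(M1, M_FORGED, 0))
    # The oversimplified authenticator has a constant term: shifting m[1] by d
    # and the tag by d forges for every key r.
    print("oversimplified, keys accepting:",
          accepted_r_count(M1, (107, 0, 0, 0, 0), 7, poly_oversimplified))
```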


slide-57
SLIDE 57

Scaled up for serious security: Poly1305 uses 128-bit $r$'s, with 22 bits cleared for speed. Adds $s_n \bmod 2^{128}$.

Assuming $\le L$-byte messages: Each forgery succeeds for $\le 8\lceil L/16 \rceil$ choices of $r$. Probability $\le 8\lceil L/16 \rceil / 2^{106}$. $D$ forgeries are all rejected with probability $\ge 1 - 8D\lceil L/16 \rceil / 2^{106}$. e.g. $2^{64}$ forgeries, $L = 1536$: $\Pr[\text{all rejected}] \ge 0.9999999998$.


slide-61
SLIDE 61

Authenticator is still secure for variable-length messages, if different messages are different polynomials mod $p$. Split string into 16-byte chunks, maybe with smaller final chunk; append 1 to each chunk; view as little-endian integers in $\{1, 2, 3, \ldots, 2^{129}\}$. Multiply first chunk by $r$, add next chunk, multiply by $r$, etc., last chunk, multiply by $r$, mod $2^{130} - 5$, add $s_n \bmod 2^{128}$.
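The chunking, Horner evaluation and final addition just described, as an added Python example that is not the slides' code; it takes $s_n$ as an input instead of computing $\mathrm{AES}_k(n)$, checks the result against the Poly1305 test vector of RFC 8439, and also evaluates the all-rejected bound for $D$ forgeries stated above.

```python
# Added example (not the slides' code): Poly1305 exactly as the slides describe
# it, checked against the Poly1305 test vector of RFC 8439 section 2.5.2.  The
# slides obtain s_n = AES_k(n); here s is passed in directly (the RFC vector
# supplies it), so no AES implementation is needed.
from fractions import Fraction

P130 = (1 << 130) - 5                           # the prime 2^130 - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff      # clears the 22 bits of r


def clamp_r(r_bytes: bytes) -> int:
    """r as a little-endian 128-bit integer with 22 bits cleared for speed:
    the top 4 bits of bytes 3, 7, 11, 15 and the bottom 2 bits of bytes 4, 8, 12."""
    assert len(r_bytes) == 16
    return int.from_bytes(r_bytes, "little") & CLAMP


def poly1305_hash(message: bytes, r: int) -> int:
    """m(r) mod 2^130 - 5: split into 16-byte chunks (last may be shorter), append
    a 1 byte to each, read little-endian, then Horner: ((c1 r + c2) r + ...) r."""
    h = 0
    for i in range(0, len(message), 16):
        chunk = message[i:i + 16] + b"\x01"     # chunk with 1 appended
        c = int.from_bytes(chunk, "little")     # integer in {1, ..., 2^129}
        h = (h + c) * r % P130
    return h


def poly1305_mac(message: bytes, r_bytes: bytes, s_bytes: bytes) -> bytes:
    """Authenticator = (m(r) mod 2^130 - 5) + s mod 2^128, as 16 LE bytes."""
    r = clamp_r(r_bytes)
    s = int.from_bytes(s_bytes, "little")
    tag = (poly1305_hash(message, r) + s) % (1 << 128)
    return tag.to_bytes(16, "little")


def all_rejected_lower_bound(forgeries: int, max_len: int) -> Fraction:
    """The slides' bound: D forgeries against <= L-byte messages are all rejected
    with probability >= 1 - 8 D ceil(L/16) / 2^106 (returned exactly)."""
    chunks = -(-max_len // 16)                  # ceil(L / 16)
    return 1 - Fraction(8 * forgeries * chunks, 1 << 106)


# RFC 8439 section 2.5.2 test vector: the 32-byte key is r || s.
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    tag = poly1305_mac(RFC_MSG, RFC_KEY[:16], RFC_KEY[16:])
    print("tag matches RFC 8439 vector:", tag == RFC_TAG)
    # The appended 1 byte makes "abc" and "abc\x00" different polynomials.
    print("trailing zero changes hash:",
          poly1305_hash(b"abc", 12345) != poly1305_hash(b"abc\x00", 12345))
    print("2^64 forgeries, L = 1536: Pr[all rejected] >=",
          float(all_rejected_lower_bound(1 << 64, 1536)))
```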


slide-65
SLIDE 65

Reducing the key length

Like the one-time pad, this authentication system has a security guarantee. One-time pad needs $L$ shared secret bytes to encrypt $L$ message bytes. Authentication system needs 16 shared secret bytes to authenticate $L$ message bytes. Each new message needs new shared secret bytes, used only once. How to handle many messages?


slide-69
SLIDE 69

Authenticator is $m_n(r) \bmod p$ encrypted with one-time pad $s_n$. Can replace one-time pad with stream-cipher output. Typical stream cipher: AES in counter mode. Sender, receiver share $(r, k)$ where $k$ is 16-byte AES key; compute $s_n = \mathrm{AES}_k(n)$. Security proof breaks down since $s_n$'s are dependent, but can still prove that attack on authenticator implies attack on AES.


slide-73
SLIDE 73


#include <gmpxx.h>

/* AES-128 encryption of the 16-byte nonce n under the 16-byte key k, written to
   out.  Supplied by a separate AES implementation; the declaration is assumed
   here, the slide only shows the call. */
void aes(unsigned char out[16], const unsigned char k[16], const unsigned char n[16]);

/* Poly1305-AES: out = (m(r) mod 2^130 - 5) + AES_k(n) mod 2^128, little-endian.
   r is the 16-byte key with its 22 bits already cleared. */
void poly1305aes(unsigned char out[16], const unsigned char *m, unsigned long long mlen,
                 const unsigned char r[16], const unsigned char k[16],
                 const unsigned char n[16])
{
  unsigned int j;
  mpz_class rbar = 0;
  for (j = 0;j < 16;++j)
    rbar += ((mpz_class) r[j]) << (8 * j);     /* r as little-endian integer */
  mpz_class h = 0;
  mpz_class p = (((mpz_class) 1) << 130) - 5;
  while (mlen > 0) {
    mpz_class c = 0;
    for (j = 0;(j < 16) && (j < mlen);++j)
      c += ((mpz_class) m[j]) << (8 * j);      /* chunk as little-endian integer */
    c += ((mpz_class) 1) << (8 * j);           /* append the 1 byte to the chunk */
    m += j; mlen -= j;
    h = ((h + c) * rbar) % p;                  /* Horner step mod 2^130 - 5 */
  }
  unsigned char aeskn[16];
  aes(aeskn,k,n);
  for (j = 0;j < 16;++j)
    h += ((mpz_class) aeskn[j]) << (8 * j);    /* add s_n = AES_k(n) */
  for (j = 0;j < 16;++j) {
    mpz_class c = h % 256; h >>= 8;            /* low 128 bits, little-endian */
    out[j] = c.get_ui();
  }
}


slide-77
SLIDE 77


Another stream cipher: $F_k(n) = \mathrm{MD5}(k, n)$. Somewhat slower than AES.

“Hasn't MD5 been broken?” Distinct $(k, n), (k', n')$ are known with $\mathrm{MD5}(k, n) = \mathrm{MD5}(k', n')$. (2004 Wang) Still not obvious how to predict $n \mapsto \mathrm{MD5}(k, n)$ for secret $k$. We know AES collisions too! Many other stream ciphers are unbroken, faster than AES.


slide-81
SLIDE 81

Alternatives to +

Use $\cdots \oplus \mathrm{AES}_k(n)$ instead of $\cdots + \mathrm{AES}_k(n)$? No! Destroys security analysis; might allow successful forgeries even if AES is secure.

Use $\mathrm{AES}_k(\cdots)$, omitting $n$? No! Broken by known attacks using $< 2^{64}$ authenticators. But ok for small # messages.

Use $\mathrm{Salsa20}(k, n, \cdots)$? Seems to be massive overkill.


slide-85
SLIDE 85

Alternatives to Poly1305
Notation: Poly1305_r(m) = (m(r) mod 2^130 − 5) mod 2^128.
For all distinct messages m, m′: Pr[Poly1305_r(m) = Poly1305_r(m′)] is very small. “Small collision probabilities.”
For all distinct messages m, m′ and all 16-byte sequences Δ: Pr[Poly1305_r(m) = Poly1305_r(m′) + Δ mod 2^128] is very small. “Small differential probabilities.”

slide-89
SLIDE 89

Alternatives to Poly1305 Notation: Poly1305r(♠) = (♠(r) mod 2130 5) mod 2128. For all distinct messages ♠❀ ♠✵: Pr[Poly1305r(♠) = Poly1305r(♠✵)] is very small. “Small collision probabilities.” For all distinct messages ♠❀ ♠✵ and all 16-byte sequences ∆: Pr[Poly1305r(♠) = Poly1305r(♠✵) + ∆ mod 2128] is very small. “Small differential probabilities.” Easy to build other functions that satisfy these properties. Embed messages and outputs into polynomial ring Z[①1❀ ①2❀ ①3❀ ✿ ✿ ✿]. Use ♠ ✼✦ ♠ mod r where r is a random prime ideal. Small differential probability means that ♠ ♠✵ ∆ is divisible by very few r’s when ♠ ✻= ♠✵. (Addition of ∆ is mod 2128; be careful.)

slide-93
SLIDE 93

Example: (1981 Karp Rabin) View messages m as integers, specifically multiples of 2^128. Outputs: {0, 1, …, 2^128 − 1}. Reduce m modulo a uniform random prime number r between 2^120 and 2^128. (Problem: generating r is slow.)
Low differential probability: if m ≠ m′ then m − m′ − Δ ≠ 0, so m − m′ − Δ is divisible by very few prime numbers.

slide-97
SLIDE 97

Variant that works with ⊕: View messages m as polynomials m_128 x^128 + m_129 x^129 + ⋯ with each m_i in {0, 1}. Outputs: o_0 + o_1 x + ⋯ + o_127 x^127 with each o_i in {0, 1}. Reduce m modulo 2, r where r is a uniform random irreducible degree-128 polynomial over Z/2. (Problem: division by r is slow; a typical CPU has no big circuit for polynomial multiplication.)

slide-101
SLIDE 101

Example: (1974 Gilbert MacWilliams Sloane) Choose prime number p ≈ 2^128. View messages m as linear polys m_1 x_1 + m_2 x_2 + m_3 x_3 with m_1, m_2, m_3 ∈ {0, …, p − 1}. Outputs: {0, …, p − 1}. Reduce m modulo p, x_1 − r_1, x_2 − r_2, x_3 − r_3 to m_1 r_1 + m_2 r_2 + m_3 r_3 mod p. (Problem: long m needs long r.)

slide-105
SLIDE 105

Example: (1993 den Boer; independently 1994 Taylor; independently 1994 Bierbrauer Johansson Kabatianskii Smeets) Choose prime number p ≈ 2^128. View messages m as polynomials m_1 x + m_2 x^2 + m_3 x^3 + ⋯ with m_1, m_2, … ∈ {0, 1, …, p − 1}. Outputs: {0, 1, …, p − 1}. Reduce m modulo p, x − r where r is a uniform random element of {0, 1, …, p − 1}; i.e., compute m_1 r + m_2 r^2 + ⋯ mod p.
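An added example, not part of the slides: the polynomial-evaluation hash of the slide above, run over a constructed toy prime p = 251 instead of p ≈ 2^128 so that every key r can be enumerated and the collision and differential probabilities of the “Alternatives to Poly1305” slide measured exactly. With L blocks, h_r(m) − h_r(m′) − Δ is a nonzero polynomial in r of degree at most L whenever m and m′ are distinct polynomials, so at most L keys satisfy any one differential: probability at most L/p, which is the slides’ “very small” once p ≈ 2^128. Function names are this example’s own; Δ is taken mod p here, whereas Poly1305 adds Δ mod 2^128 (the caveat the slides flag). The example also shows the edge case the degree argument does not cover: two block sequences that encode the same polynomial (a trailing zero block) collide for every key, which is why a message encoding needs a padding rule.

```python
# Added example (not from the slides): the polynomial-evaluation hash
# m_1 r + m_2 r^2 + ... + m_L r^L mod p over a toy prime, with an exhaustive
# check of its collision and differential probabilities over all keys r.

P_TOY = 251  # constructed toy prime; the slides use p ~ 2^128


def poly_hash(r: int, m: list, p: int = P_TOY) -> int:
    """h_r(m) = m_1 r + m_2 r^2 + ... + m_L r^L mod p.
    Horner's rule with the highest-index coefficient innermost:
    ((m_L r + m_{L-1}) r + ... + m_1) r."""
    if any(not 0 <= c < p for c in m):
        raise ValueError("coefficients must lie in {0, ..., p-1}")
    acc = 0
    for c in reversed(m):
        acc = (acc + c) * r % p
    return acc


def differential_counts(m: list, m2: list, p: int = P_TOY) -> list:
    """counts[delta] = number of keys r in {0, ..., p-1} with
    h_r(m) = h_r(m2) + delta mod p.  counts[0] counts the colliding keys."""
    counts = [0] * p
    for r in range(p):
        counts[(poly_hash(r, m, p) - poly_hash(r, m2, p)) % p] += 1
    return counts


def collision_probability(m: list, m2: list, p: int = P_TOY) -> float:
    """Pr_r[h_r(m) = h_r(m2)] over a uniform random key r."""
    return differential_counts(m, m2, p)[0] / p


def max_differential_probability(m: list, m2: list, p: int = P_TOY) -> float:
    """Worst case over all delta of Pr_r[h_r(m) = h_r(m2) + delta mod p]."""
    return max(differential_counts(m, m2, p)) / p


def degree_bound(m: list, m2: list) -> int:
    """deg(m(x) - m2(x)) <= max(L, L').  A nonzero polynomial of that degree has
    at most that many roots r, so no single differential holds for more keys."""
    return max(len(m), len(m2))


def strip_trailing_zeros(m: list) -> list:
    end = len(m)
    while end > 0 and m[end - 1] == 0:
        end -= 1
    return m[:end]


def bound_holds(m: list, m2: list, p: int = P_TOY) -> bool:
    """True when the worst differential is satisfied by at most degree_bound keys.
    Block sequences encoding the same polynomial (e.g. [5] and [5, 0]) collide for
    every key and return False: the encoding, not the hash, must rule them out."""
    if strip_trailing_zeros(m) == strip_trailing_zeros(m2):
        return False
    return max(differential_counts(m, m2, p)) <= degree_bound(m, m2)


if __name__ == "__main__":
    m, m2 = [0, 0, 1], [1, 0, 0]  # constructed messages: h_r(m) - h_r(m2) = r^3 - r
    print("colliding keys:", differential_counts(m, m2)[0])
    print("max differential probability:", max_differential_probability(m, m2))
    print("within degree bound:", bound_holds(m, m2))
```

For m = [0, 0, 1] and m2 = [1, 0, 0] the difference r^3 − r has the three roots 0, 1 and 250, so exactly 3 of the 251 keys collide and no Δ does better; the degree bound 3 is tight here. For a pair differing only in one coefficient, say [1, 2, 3] and [1, 2, 4], the difference is −r^3, and since cubing is a bijection mod 251 each Δ is hit by exactly one key.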

slide-109
SLIDE 109

“hash127”: 32-bit m_i’s, p = 2^127 − 1. (1999 Bernstein)
“PolyR”: 64-bit m_i’s, p = 2^64 − 59; re-encode m_i’s between p and 2^64 − 1; run twice to achieve reasonable security. (2000 Krovetz Rogaway)
“Poly1305”: 128-bit m_i’s, p = 2^130 − 5. (2002 Bernstein, fully developed in 2004–2005)
“CWC”: 96-bit m_i’s, p = 2^127 − 1. (2003 Kohno Viega Whiting)

slide-113
SLIDE 113

There are other ways to build functions with small proven or conjectured differential probabilities.
Example: (“CBC”: “cipher block chaining”) Conjecturally m_1, m_2, m_3 ↦ AES_r(AES_r(AES_r(m_1) ⊕ m_2) ⊕ m_3) has small differential probabilities. True if AES is secure. (Much slower than Poly1305.)

slide-117
SLIDE 117

Example: (1970 Zobrist, adapted) Conjecturally m_1, m_2, m_3 ↦ AES_r(1, m_1) ⊕ AES_r(2, m_2) ⊕ AES_r(3, m_3) has small differential probabilities. (Even slower.)
Example: m ↦ MD5(r, m) is conjectured to have small collision probabilities. (Faster than AES, but not as fast as Poly1305, and “small” is debatable.)

slide-125
SLIDE 125

How to build your own MAC

  • 1. Choose a combination method: h(m) + f(n), or h(m) ⊕ f(n), or f(h(m))—worse security—or f(n, h(m))—bigger f input.
  • 2. Choose a random function h where the appropriate probability (+-differential or ⊕-differential or collision or collision) is small: e.g., Poly1305_r.
  • 3. Choose a random function f that seems indistinguishable from uniform: e.g., AES_k.
  • 4. Optional complication: Generate k, r from a shorter key; e.g., k = AES_s(0), r = AES_s(1); or k = MD5(s), r = MD5(s ⊕ 1); many more possibilities.
  • 5. Choose a Googleable name for your MAC.
  • 6. Put it all together.
  • 7. Publish!
slide-129
SLIDE 129

Example:

  • 1. Combination: f(h(m)).
  • 2. Low collision probability: AES_r(AES_r(m1) ⊕ m2).
  • 3. Unpredictable: AES_k.
  • 4. Optional complication: No.
  • 5. Name: “EMAC.”
  • 6. EMAC_{k,r}(m1, m2) = AES_k(AES_r(AES_r(m1) ⊕ m2)).
  • 7. (2000 Petrank Rackoff)
slide-133
SLIDE 133

Example: “NMAC-MD5” is MD5(k, MD5(r, m)). “HMAC-MD5” is NMAC-MD5 plus the optional complication. (1996 Bellare Canetti Krawczyk, claiming “the first rigorous treatment of the subject”)

Stronger: MD5(k, n, MD5(r, m)).

Stronger and faster: MD5(k, n, Poly1305_r(m)).

Wow, I’ve just invented two new MACs! Time to publish!

slide-137
SLIDE 137

State-of-the-art MACs

Cycles per byte to authenticate a 1024-byte packet:

               Poly1305-AES   UMAC-128
  Athlon             3.75        7.38
  Pentium M          4.50        8.48
  Pentium 4          5.33        3.12
  SPARC III          5.47       51.06
  PPC G4             8.27       21.72
  bytes/key            32        1600

UMAC really likes the P4. Similar: VMAC likes Athlon 64.

slide-145
SLIDE 145

Some important speed issues:

  • 1. Implementor flexibility. Poly1305 uses 128-bit integers, split into whatever sizes are convenient for the CPU. UMAC uses P4-size integers and suffers on other CPUs.
  • 2. Key agility. Poly1305 can fit thousands of simultaneous keys into cache, and remains fast even when keys are out of cache. UMAC needs big expanded keys.
  • 3. Number of multiplications. den Boer et al.; Poly1305: (m1 r + m2) r + ···. Each chunk: mult, add. Gilbert-MacWilliams-Sloane: m1 r1 + m2 r2 + ···. Each chunk: mult, add. Winograd; UMAC; VMAC: (m1 + r1)(m2 + r2) + ···. Each chunk: 0.5 mults, 1.5 adds.

slide-149
SLIDE 149

Does small key r allow 0.5 mults per message chunk? Yes! Another old trick of Winograd:

(((m1 + r)(m2 + r^2) + (m3 + r))(m4 + r^4) + ((m5 + r)(m6 + r^2) + (m7 + r)))(m8 + r^8) + ···

times a final nonzero m_n times r. “MAC1071,” coming soon.
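The per-chunk operation counts from speed issue 3 and the eight-chunk Winograd tree above, as an added example that is not code from the talk: it tallies field multiplications and additions for each structure modulo Poly1305's prime 2^130 − 5, with each chunk taken as a whole field element (a simplification of Poly1305's chunk encoding) and the tree's final m_n times r factor left out. The function names are this example's own, and the message and keys are constructed at random.

```python
# Added example: the operation counts behind the slides' "each chunk: mult, add".
# Chunks are whole elements of GF(p), p = 2^130 - 5 (Poly1305's prime); Poly1305's
# real chunk encoding and the tree's final m_n*r factor are left out.
import secrets

P = 2**130 - 5
class Counter:  # field arithmetic that tallies work, so per-chunk cost can be read off
    def __init__(self):
        self.mults = self.adds = 0
    def mul(self, a, b):
        self.mults += 1
        return a * b % P
    def add(self, a, b):
        self.adds += 1
        return (a + b) % P

def horner(msg, r, c):  # den Boer et al. / Poly1305: (m1*r + m2)*r + ...
    acc = 0
    for m in msg:
        acc = c.mul(c.add(acc, m), r)
    return acc

def inner_product(msg, keys, c):  # Gilbert-MacWilliams-Sloane: m1*r1 + m2*r2 + ...
    acc = 0
    for m, r in zip(msg, keys):
        acc = c.add(acc, c.mul(m, r))
    return acc

def pseudo_dot_product(msg, keys, c):  # Winograd / UMAC / VMAC: (m1+r1)(m2+r2) + ...
    acc = 0
    for i in range(0, len(msg) - 1, 2):
        acc = c.add(acc, c.mul(c.add(msg[i], keys[i]), c.add(msg[i + 1], keys[i + 1])))
    return acc

def winograd_tree8(msg, r, c):
    # The slide's eight-chunk tree with one key r (r^2, r^4, r^8 are key setup, not counted):
    # (((m1+r)(m2+r^2) + (m3+r))(m4+r^4) + ((m5+r)(m6+r^2) + (m7+r)))(m8+r^8)
    m1, m2, m3, m4, m5, m6, m7, m8 = msg
    r2, r4, r8 = pow(r, 2, P), pow(r, 4, P), pow(r, 8, P)
    left = c.mul(c.add(c.mul(c.add(m1, r), c.add(m2, r2)), c.add(m3, r)), c.add(m4, r4))
    right = c.add(c.mul(c.add(m5, r), c.add(m6, r2)), c.add(m7, r))
    return c.mul(c.add(left, right), c.add(m8, r8))

def per_chunk_costs():
    # {scheme: (mults per chunk, adds per chunk)} on a random 8-chunk message; also checks
    # that the Horner form really evaluates the polynomial m1*r^8 + m2*r^7 + ... + m8*r.
    msg, keys = [secrets.randbelow(P) for _ in range(8)], [secrets.randbelow(P) for _ in range(8)]
    r = secrets.randbelow(P)
    runs = {"horner": lambda c: horner(msg, r, c),
            "inner_product": lambda c: inner_product(msg, keys, c),
            "pseudo_dot_product": lambda c: pseudo_dot_product(msg, keys, c),
            "winograd_tree8": lambda c: winograd_tree8(msg, r, c)}
    costs = {}
    for name, run in runs.items():
        c = Counter()
        run(c)
        costs[name] = (c.mults / 8, c.adds / 8)
    direct = sum(m * pow(r, 8 - i, P) for i, m in enumerate(msg)) % P
    costs["horner_is_polynomial"] = horner(msg, r, Counter()) == direct
    return costs
```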