on the design of when we design message authentication
play

On the design of When we design message-authentication codes hash - PowerPoint PPT Presentation

Jul 11, 2023 •257 likes •1.76k views

On the design of When we design message-authentication codes hash functions, stream ciphers, and other secret-key primitives, D. J. Bernstein should we use University of Illinois at Chicago integer multiplication? AES uses 32 32 32

  1. is slow!” “Multiplication An authentication ❃ ✂ bit operations scrambles its output Let’s use multiplication as thoroughly as to authenticate messages. several simple operations!” rgument: Standardize a prime ♣ “No, it doesn’t! Sender rolls 10-sided fast!” Look at these scary attacks. to generate independent applications, Need many multiplications uniform random secrets designers include to achieve confidence.” r ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ multiplication circuits. What if we can prove s 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ can start a that multiplication provides s 2 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ multiplication every cycle. the security we need? ✿ ✿ ✿ , s 100 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣

  2. “Multiplication An authentication system ❃ ✂ erations scrambles its output Let’s use multiplication as thoroughly as to authenticate messages. several simple operations!” Standardize a prime ♣ = 1000003. “No, it doesn’t! Sender rolls 10-sided die Look at these scary attacks. to generate independent Need many multiplications uniform random secrets to achieve confidence.” r ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , What if we can prove s 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , that multiplication provides s 2 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , cycle. the security we need? ✿ ✿ ✿ , s 100 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ .

  3. “Multiplication An authentication system scrambles its output Let’s use multiplication as thoroughly as to authenticate messages. several simple operations!” Standardize a prime ♣ = 1000003. “No, it doesn’t! Sender rolls 10-sided die Look at these scary attacks. to generate independent Need many multiplications uniform random secrets to achieve confidence.” r ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , What if we can prove s 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , that multiplication provides s 2 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , the security we need? ✿ ✿ ✿ , s 100 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ .

  4. “Multiplication An authentication system Sender meets scrambles its output and tells Let’s use multiplication roughly as secrets r❀ s ❀ s ❀ ✿ ✿ ✿ ❀ s to authenticate messages. several simple operations!” Later: Sender Standardize a prime ♣ = 1000003. it doesn’t! 100 mess ♠ ❀ ✿ ✿ ✿ ❀ ♠ Sender rolls 10-sided die at these scary attacks. each having to generate independent many multiplications ♠ ♥ [1] ❀ ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ uniform random secrets achieve confidence.” with ♠ ♥ ✐ ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ r ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , if we can prove Sender transmits s 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , multiplication provides ♠ ♥ [1] ❀ ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ s 2 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , security we need? together ✿ ✿ ✿ , ( ♠ ♥ [1] r ✁ ✁ ✁ ♠ ♥ r ♣ s 100 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + s ♥ and the ♥

  5. An authentication system Sender meets receiver output and tells receiver the Let’s use multiplication secrets r❀ s 1 ❀ s 2 ❀ ✿ ✿ ✿ ❀ s to authenticate messages. operations!” Later: Sender wants Standardize a prime ♣ = 1000003. 100 messages ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ Sender rolls 10-sided die scary attacks. each having 5 comp to generate independent multiplications ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ ❀ ♠ ♥ uniform random secrets confidence.” with ♠ ♥ [ ✐ ] ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ❣ r ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , Sender transmits 30-digit prove s 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , multiplication provides ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ ❀ ♠ ♥ s 2 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , need? together with an authenticato ✿ ✿ ✿ , ( ♠ ♥ [1] r + ✁ ✁ ✁ + ♠ ♥ r ♣ s 100 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + s ♥ mod 1000000 and the message numb ♥

  6. An authentication system Sender meets receiver in private and tells receiver the same Let’s use multiplication secrets r❀ s 1 ❀ s 2 ❀ ✿ ✿ ✿ ❀ s 100 . to authenticate messages. Later: Sender wants to send Standardize a prime ♣ = 1000003. 100 messages ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ 100 , Sender rolls 10-sided die attacks. each having 5 components to generate independent ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ uniform random secrets with ♠ ♥ [ ✐ ] ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ r ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , Sender transmits 30-digit s 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , rovides ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ s 2 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , together with an authenticato ✿ ✿ ✿ , ( ♠ ♥ [1] r + ✁ ✁ ✁ + ♠ ♥ [5] r 5 mo ♣ s 100 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + s ♥ mod 1000000 and the message number ♥ .

  7. An authentication system Sender meets receiver in private and tells receiver the same Let’s use multiplication secrets r❀ s 1 ❀ s 2 ❀ ✿ ✿ ✿ ❀ s 100 . to authenticate messages. Later: Sender wants to send Standardize a prime ♣ = 1000003. 100 messages ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ 100 , Sender rolls 10-sided die each having 5 components to generate independent ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] uniform random secrets with ♠ ♥ [ ✐ ] ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . r ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , Sender transmits 30-digit s 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] s 2 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , together with an authenticator ✿ ✿ ✿ , ( ♠ ♥ [1] r + ✁ ✁ ✁ + ♠ ♥ [5] r 5 mod ♣ ) s 100 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + s ♥ mod 1000000 and the message number ♥ .

  8. authentication system Sender meets receiver in private e.g. r = s and tells receiver the same ♠ 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ use multiplication secrets r❀ s 1 ❀ s 2 ❀ ✿ ✿ ✿ ❀ s 100 . authenticate messages. Sender computes Later: Sender wants to send (6 r + 7 r ♣ Standardize a prime ♣ = 1000003. 100 messages ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ 100 , + s 10 Sender rolls 10-sided die each having 5 components (6 ✁ 314159 ✁ generate independent ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] mod 1000003) random secrets with ♠ ♥ [ ✐ ] ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + 265358 r ✷ ❢ ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , 953311 + Sender transmits 30-digit s ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , 218669. ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] s ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ , together with an authenticator Sender transmits ✿ ✿ ✿ ( ♠ ♥ [1] r + ✁ ✁ ✁ + ♠ ♥ [5] r 5 mod ♣ ) authenticated s ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + s ♥ mod 1000000 ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ and the message number ♥ .

  9. authentication system Sender meets receiver in private e.g. r = 314159, s and tells receiver the same ♠ 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ multiplication secrets r❀ s 1 ❀ s 2 ❀ ✿ ✿ ✿ ❀ s 100 . messages. Sender computes authenticato (6 r + 7 r 2 mod ♣ ) Later: Sender wants to send rime ♣ = 1000003. 100 messages ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ 100 , + s 10 mod 1000000 10-sided die each having 5 components (6 ✁ 314159 + 7 ✁ 314159 independent ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] mod 1000003) secrets with ♠ ♥ [ ✐ ] ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + 265358 mod 1000000 r ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 999999 ❣ , 953311 + 265358 mo Sender transmits 30-digit s ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 999999 ❣ , 218669. ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] s ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 999999 ❣ , together with an authenticator Sender transmits ✿ ✿ ✿ ( ♠ ♥ [1] r + ✁ ✁ ✁ + ♠ ♥ [5] r 5 mod ♣ ) authenticated message s ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + s ♥ mod 1000000 ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ and the message number ♥ .

  10. Sender meets receiver in private e.g. r = 314159, s 10 = 265358 and tells receiver the same ♠ 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ secrets r❀ s 1 ❀ s 2 ❀ ✿ ✿ ✿ ❀ s 100 . Sender computes authenticato (6 r + 7 r 2 mod ♣ ) Later: Sender wants to send 1000003. ♣ 100 messages ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ 100 , + s 10 mod 1000000 = (6 ✁ 314159 + 7 ✁ 314159 2 each having 5 components ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] mod 1000003) with ♠ ♥ [ ✐ ] ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + 265358 mod 1000000 = r ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ 953311 + 265358 mod 1000000 Sender transmits 30-digit s ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ 218669. ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] s ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ together with an authenticator Sender transmits ✿ ✿ ✿ ( ♠ ♥ [1] r + ✁ ✁ ✁ + ♠ ♥ [5] r 5 mod ♣ ) authenticated message s ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ + s ♥ mod 1000000 ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ and the message number ♥ .

  11. Sender meets receiver in private e.g. r = 314159, s 10 = 265358, and tells receiver the same ♠ 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : secrets r❀ s 1 ❀ s 2 ❀ ✿ ✿ ✿ ❀ s 100 . Sender computes authenticator (6 r + 7 r 2 mod ♣ ) Later: Sender wants to send 100 messages ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ 100 , + s 10 mod 1000000 = (6 ✁ 314159 + 7 ✁ 314159 2 each having 5 components ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] mod 1000003) with ♠ ♥ [ ✐ ] ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + 265358 mod 1000000 = 953311 + 265358 mod 1000000 = Sender transmits 30-digit 218669. ♠ ♥ [1] ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] together with an authenticator Sender transmits ( ♠ ♥ [1] r + ✁ ✁ ✁ + ♠ ♥ [5] r 5 mod ♣ ) authenticated message + s ♥ mod 1000000 ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . and the message number ♥ .

  12. Sender meets receiver in private e.g. r = 314159, s 10 = 265358, Speed analysis P ♠ ♥ ✐ ① ✐ tells receiver the same ♠ 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Notation: ♠ ♥ ① r❀ s 1 ❀ s 2 ❀ ✿ ✿ ✿ ❀ s 100 . Sender computes authenticator To compute ♠ ♥ r ♣ (6 r + 7 r 2 mod ♣ ) Sender wants to send multiply ♠ ♥ r messages ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ 100 , + s 10 mod 1000000 = add ♠ ♥ [4], r (6 ✁ 314159 + 7 ✁ 314159 2 having 5 components add ♠ ♥ [3], r ♠ ♥ ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] mod 1000003) add ♠ ♥ [2], r ♠ ♥ [ ✐ ] ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + 265358 mod 1000000 = add ♠ ♥ [1], r 953311 + 265358 mod 1000000 = Sender transmits 30-digit Reduce mo ♣ 218669. ♠ ♥ ❀ ♠ ♥ [2] ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] Slightly mo together with an authenticator Sender transmits compute ❛ ♥ ♠ ♥ [1] r + ✁ ✁ ✁ + ♠ ♥ [5] r 5 mod ♣ ) authenticated message ( ♠ ♥ ( r ) mo ♣ s ♥ s ♥ mod 1000000 ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . the message number ♥ .

  13. receiver in private e.g. r = 314159, s 10 = 265358, Speed analysis Notation: ♠ ♥ ( ① ) = P ♠ ♥ ✐ ① ✐ receiver the same ♠ 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : r❀ s ❀ s ❀ ✿ ✿ ✿ ❀ s 100 . Sender computes authenticator To compute ♠ ♥ ( r ♣ (6 r + 7 r 2 mod ♣ ) ants to send multiply ♠ ♥ [5] by r ♠ 1 ❀ ✿ ✿ ✿ ❀ ♠ 100 , + s 10 mod 1000000 = add ♠ ♥ [4], multiply r (6 ✁ 314159 + 7 ✁ 314159 2 components add ♠ ♥ [3], multiply r ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] mod 1000003) add ♠ ♥ [2], multiply r ♠ ♥ ✐ ✷ ❢ ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + 265358 mod 1000000 = add ♠ ♥ [1], multiply r 953311 + 265358 mod 1000000 = transmits 30-digit Reduce mod ♣ after 218669. ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ [3] ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] Slightly more time Sender transmits authenticator compute authenticato ❛ ♥ ♠ ♥ [5] r 5 mod ♣ ) authenticated message ♠ ♥ r ✁ ✁ ✁ ( ♠ ♥ ( r ) mod ♣ ) + s ♥ s ♥ 1000000 ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . number ♥ .

  14. rivate e.g. r = 314159, s 10 = 265358, Speed analysis Notation: ♠ ♥ ( ① ) = P ♠ ♥ [ ✐ ① ✐ ♠ 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : r❀ s ❀ s ❀ ✿ ✿ ✿ ❀ s Sender computes authenticator To compute ♠ ♥ ( r ) mod ♣ : (6 r + 7 r 2 mod ♣ ) send multiply ♠ ♥ [5] by r , ♠ ❀ ✿ ✿ ✿ ❀ ♠ 100 , + s 10 mod 1000000 = add ♠ ♥ [4], multiply by r , (6 ✁ 314159 + 7 ✁ 314159 2 add ♠ ♥ [3], multiply by r , ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] mod 1000003) add ♠ ♥ [2], multiply by r , ♠ ♥ ✐ ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 999999 ❣ . + 265358 mod 1000000 = add ♠ ♥ [1], multiply by r . 953311 + 265358 mod 1000000 = Reduce mod ♣ after each mult. 218669. ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ ❀ ♠ ♥ [4] ❀ ♠ ♥ [5] Slightly more time to Sender transmits authenticator compute authenticator ❛ ♥ = r mod ♣ ) authenticated message ♠ ♥ r ✁ ✁ ✁ ♠ ♥ ( ♠ ♥ ( r ) mod ♣ ) + s ♥ mod 1000000. s ♥ ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . ♥ .

  15. e.g. r = 314159, s 10 = 265358, Speed analysis Notation: ♠ ♥ ( ① ) = P ♠ ♥ [ ✐ ] ① ✐ . ♠ 10 = ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : Sender computes authenticator To compute ♠ ♥ ( r ) mod ♣ : (6 r + 7 r 2 mod ♣ ) multiply ♠ ♥ [5] by r , + s 10 mod 1000000 = add ♠ ♥ [4], multiply by r , (6 ✁ 314159 + 7 ✁ 314159 2 add ♠ ♥ [3], multiply by r , mod 1000003) add ♠ ♥ [2], multiply by r , + 265358 mod 1000000 = add ♠ ♥ [1], multiply by r . 953311 + 265358 mod 1000000 = Reduce mod ♣ after each mult. 218669. Slightly more time to Sender transmits compute authenticator ❛ ♥ = authenticated message ( ♠ ♥ ( r ) mod ♣ ) + s ♥ mod 1000000. ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ .

  16. r = 314159, s 10 = 265358, Speed analysis Reducing Notation: ♠ ♥ ( ① ) = P ♠ ♥ [ ✐ ] ① ✐ . ♠ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : e.g., 240881099091 240881 ✁ ✑ Sender computes authenticator To compute ♠ ♥ ( r ) mod ♣ : 240881( � 7 r 2 mod ♣ ) r multiply ♠ ♥ [5] by r , � 722643 s 10 mod 1000000 = add ♠ ♥ [4], multiply by r , � 623552. ✁ 314159 + 7 ✁ 314159 2 add ♠ ♥ [3], multiply by r , d 1000003) Easily adjust add ♠ ♥ [2], multiply by r , 265358 mod 1000000 = ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ♣ � ❣ add ♠ ♥ [1], multiply by r . 953311 + 265358 mod 1000000 = by adding/subtracting ♣ Reduce mod ♣ after each mult. 218669. (Beware Slightly more time to Sender transmits Speedup: compute authenticator ❛ ♥ = authenticated message extra ♣ ’s ( ♠ ♥ ( r ) mod ♣ ) + s ♥ mod 1000000. ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . subsequent

  17. r , s 10 = 265358, Speed analysis Reducing mod 1000003 Notation: ♠ ♥ ( ① ) = P ♠ ♥ [ ✐ ] ① ✐ . ♠ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : e.g., 240881099091 240881 ✁ 1000000 + ✑ computes authenticator To compute ♠ ♥ ( r ) mod ♣ : 240881( � 3) + 99091 r r ♣ ) multiply ♠ ♥ [5] by r , � 722643 + 99091 s 1000000 = add ♠ ♥ [4], multiply by r , � 623552. ✁ 314159 2 ✁ add ♠ ♥ [3], multiply by r , 1000003) Easily adjust to range add ♠ ♥ [2], multiply by r , d 1000000 = ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ add ♠ ♥ [1], multiply by r . 265358 mod 1000000 = by adding/subtracting ♣ Reduce mod ♣ after each mult. (Beware timing attacks!) Slightly more time to transmits Speedup: Delay the compute authenticator ❛ ♥ = message extra ♣ ’s won’t damage ( ♠ ♥ ( r ) mod ♣ ) + s ♥ mod 1000000. ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . subsequent field op

  18. r s 265358, Speed analysis Reducing mod 1000003 is easy: Notation: ♠ ♥ ( ① ) = P ♠ ♥ [ ✐ ] ① ✐ . ♠ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ : e.g., 240881099091 = 240881 ✁ 1000000 + 99091 ✑ authenticator To compute ♠ ♥ ( r ) mod ♣ : 240881( � 3) + 99091 = r r ♣ multiply ♠ ♥ [5] by r , � 722643 + 99091 = s add ♠ ♥ [4], multiply by r , � 623552. ✁ ✁ add ♠ ♥ [3], multiply by r , Easily adjust to range add ♠ ♥ [2], multiply by r , = ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ add ♠ ♥ [1], multiply by r . 1000000 = by adding/subtracting a few ♣ Reduce mod ♣ after each mult. (Beware timing attacks!) Slightly more time to Speedup: Delay the adjustment; compute authenticator ❛ ♥ = extra ♣ ’s won’t damage ( ♠ ♥ ( r ) mod ♣ ) + s ♥ mod 1000000. ✶✵ ✵✵✵✵✵✻ ✵✵✵✵✵✼ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✵✵✵✵✵✵ ✷✶✽✻✻✾ . subsequent field operations.

  19. Speed analysis Reducing mod 1000003 is easy: Notation: ♠ ♥ ( ① ) = P ♠ ♥ [ ✐ ] ① ✐ . e.g., 240881099091 = 240881 ✁ 1000000 + 99091 ✑ To compute ♠ ♥ ( r ) mod ♣ : 240881( � 3) + 99091 = multiply ♠ ♥ [5] by r , � 722643 + 99091 = add ♠ ♥ [4], multiply by r , � 623552. add ♠ ♥ [3], multiply by r , Easily adjust to range add ♠ ♥ [2], multiply by r , ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ add ♠ ♥ [1], multiply by r . by adding/subtracting a few ♣ ’s. Reduce mod ♣ after each mult. (Beware timing attacks!) Slightly more time to Speedup: Delay the adjustment; compute authenticator ❛ ♥ = extra ♣ ’s won’t damage ( ♠ ♥ ( r ) mod ♣ ) + s ♥ mod 1000000. subsequent field operations.

  20. analysis Reducing mod 1000003 is easy: Main wo Notation: ♠ ♥ ( ① ) = P ♠ ♥ [ ✐ ] ① ✐ . e.g., 240881099091 = For each 240881 ✁ 1000000 + 99091 ✑ have to do compute ♠ ♥ ( r ) mod ♣ : 240881( � 3) + 99091 = of the 6-digit r multiply ♠ ♥ [5] by r , � 722643 + 99091 = into an a ♣ ♠ ♥ [4], multiply by r , � 623552. Scaled up ♠ ♥ [3], multiply by r , Easily adjust to range “Poly1305” ♣ � ♠ ♥ [2], multiply by r , ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ For each ♠ ♥ [1], multiply by r . by adding/subtracting a few ♣ ’s. have to do Reduce mod ♣ after each mult. (Beware timing attacks!) of a 128-bit r Slightly more time to into an a � Speedup: Delay the adjustment; compute authenticator ❛ ♥ = ✙ 5 cycles extra ♣ ’s won’t damage ♠ ♥ r ) mod ♣ ) + s ♥ mod 1000000. depending subsequent field operations.

  21. Reducing mod 1000003 is easy: Main work is multiplication. ♠ ♥ ① ) = P ♠ ♥ [ ✐ ] ① ✐ . e.g., 240881099091 = For each 6-digit me 240881 ✁ 1000000 + 99091 ✑ have to do one multiplication ♠ ♥ ( r ) mod ♣ : 240881( � 3) + 99091 = of the 6-digit secret r by r , ♠ ♥ � 722643 + 99091 = into an accumulato ♣ ♠ ♥ multiply by r , � 623552. Scaled up for serious ♠ ♥ multiply by r , Easily adjust to range “Poly1305” uses ♣ � ♠ ♥ multiply by r , ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ For each 128-bit me ♠ ♥ multiply by r . by adding/subtracting a few ♣ ’s. have to do one multiplication ♣ after each mult. (Beware timing attacks!) of a 128-bit secret r time to into an accumulato � Speedup: Delay the adjustment; authenticator ❛ ♥ = ✙ 5 cycles per message extra ♣ ’s won’t damage ♠ ♥ r ♣ + s ♥ mod 1000000. depending on the CPU. subsequent field operations.

  22. Reducing mod 1000003 is easy: Main work is multiplication. P ♠ ♥ [ ✐ ] ① ✐ . e.g., 240881099091 = For each 6-digit message chunk, ♠ ♥ ① 240881 ✁ 1000000 + 99091 ✑ have to do one multiplication ♠ ♥ r ♣ : 240881( � 3) + 99091 = of the 6-digit secret r ♠ ♥ r � 722643 + 99091 = into an accumulator mod ♣ . ♠ ♥ r � 623552. Scaled up for serious security: ♠ ♥ r “Poly1305” uses ♣ = 2 130 � Easily adjust to range ♠ ♥ r ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ For each 128-bit message chunk, ♠ ♥ r by adding/subtracting a few ♣ ’s. have to do one multiplication ♣ mult. (Beware timing attacks!) of a 128-bit secret r into an accumulator mod 2 130 � Speedup: Delay the adjustment; ❛ ♥ = ✙ 5 cycles per message byte, extra ♣ ’s won’t damage ♠ ♥ r ♣ s ♥ 1000000. depending on the CPU. subsequent field operations.

  23. Reducing mod 1000003 is easy: Main work is multiplication. e.g., 240881099091 = For each 6-digit message chunk, 240881 ✁ 1000000 + 99091 ✑ have to do one multiplication 240881( � 3) + 99091 = of the 6-digit secret r � 722643 + 99091 = into an accumulator mod ♣ . � 623552. Scaled up for serious security: “Poly1305” uses ♣ = 2 130 � 5. Easily adjust to range ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ For each 128-bit message chunk, by adding/subtracting a few ♣ ’s. have to do one multiplication (Beware timing attacks!) of a 128-bit secret r into an accumulator mod 2 130 � 5. Speedup: Delay the adjustment; ✙ 5 cycles per message byte, extra ♣ ’s won’t damage depending on the CPU. subsequent field operations.

  24. Reducing mod 1000003 is easy: Main work is multiplication. Security 240881099091 = For each 6-digit message chunk, Attacker 240881 ✁ 1000000 + 99091 ✑ have to do one multiplication Find ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ 240881( � 3) + 99091 = of the 6-digit secret r ♠ ✵ ✻ = ♠ ♥ ✵ ❛ ✵ � 722643 + 99091 = into an accumulator mod ♣ . ( ♠ ✵ ( r ) mo ♣ s ♥ ✵ � 623552. ✐ ♠ ✵ ✐ ① ✐ Here ♠ ✵ ( ① P Scaled up for serious security: “Poly1305” uses ♣ = 2 130 � 5. adjust to range Obvious ❢ ❀ ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ For each 128-bit message chunk, Choose any ♠ ✵ ✻ ♠ ding/subtracting a few ♣ ’s. have to do one multiplication ❛ ✵ Choose unifo re timing attacks!) of a 128-bit secret r Success ❂ into an accumulator mod 2 130 � 5. eedup: Delay the adjustment; Can repeat ✙ 5 cycles per message byte, ♣ ’s won’t damage Each for depending on the CPU. subsequent field operations. 1 ❂ 1000000

  25. 1000003 is easy: Main work is multiplication. Security analysis 240881099091 = For each 6-digit message chunk, Attacker’s goal: ✁ 1000000 + 99091 ✑ have to do one multiplication Find ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such � 99091 = of the 6-digit secret r ♠ ✵ ✻ = ♠ ♥ ✵ but ❛ ✵ = � 99091 = into an accumulator mod ♣ . ( ♠ ✵ ( r ) mod ♣ )+ s ♥ ✵ � ✐ ♠ ✵ ✐ ① ✐ Here ♠ ✵ ( ① ) = P Scaled up for serious security: “Poly1305” uses ♣ = 2 130 � 5. range Obvious attack: ❢ ❀ ❀ ✿ ✿ ✿ ❀ ♣ � ❣ For each 128-bit message chunk, Choose any ♠ ✵ ✻ = ♠ ding/subtracting a few ♣ ’s. have to do one multiplication ❛ ✵ Choose uniform ran attacks!) of a 128-bit secret r Success chance 1 ❂ into an accumulator mod 2 130 � 5. the adjustment; Can repeat attack. ✙ 5 cycles per message byte, damage ♣ Each forgery has chance depending on the CPU. operations. 1 ❂ 1000000 of being

  26. easy: Main work is multiplication. Security analysis For each 6-digit message chunk, Attacker’s goal: ✁ ✑ have to do one multiplication Find ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such that � of the 6-digit secret r ♠ ✵ ✻ = ♠ ♥ ✵ but ❛ ✵ = � into an accumulator mod ♣ . ( ♠ ✵ ( r ) mod ♣ )+ s ♥ ✵ mod 1000000. � ✐ ♠ ✵ [ ✐ ] ① ✐ . Here ♠ ✵ ( ① ) = P Scaled up for serious security: “Poly1305” uses ♣ = 2 130 � 5. Obvious attack: ❢ ❀ ❀ ✿ ✿ ✿ ❀ ♣ � ❣ For each 128-bit message chunk, Choose any ♠ ✵ ✻ = ♠ 1 . few ♣ ’s. have to do one multiplication Choose uniform random ❛ ✵ . of a 128-bit secret r Success chance 1 ❂ 1000000. into an accumulator mod 2 130 � 5. tment; Can repeat attack. ✙ 5 cycles per message byte, ♣ Each forgery has chance depending on the CPU. erations. 1 ❂ 1000000 of being accepted.

  27. Main work is multiplication. Security analysis For each 6-digit message chunk, Attacker’s goal: have to do one multiplication Find ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such that of the 6-digit secret r ♠ ✵ ✻ = ♠ ♥ ✵ but ❛ ✵ = into an accumulator mod ♣ . ( ♠ ✵ ( r ) mod ♣ )+ s ♥ ✵ mod 1000000. ✐ ♠ ✵ [ ✐ ] ① ✐ . Here ♠ ✵ ( ① ) = P Scaled up for serious security: “Poly1305” uses ♣ = 2 130 � 5. Obvious attack: For each 128-bit message chunk, Choose any ♠ ✵ ✻ = ♠ 1 . have to do one multiplication Choose uniform random ❛ ✵ . of a 128-bit secret r Success chance 1 ❂ 1000000. into an accumulator mod 2 130 � 5. Can repeat attack. ✙ 5 cycles per message byte, Each forgery has chance depending on the CPU. 1 ❂ 1000000 of being accepted.

  28. work is multiplication. Security analysis More subtle Choose ♠ ✵ ✻ each 6-digit message chunk, ♠ Attacker’s goal: the polynomial ♠ ✵ ① � ♠ to do one multiplication ① Find ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such that 6-digit secret r has 5 distinct ♠ ✵ ✻ = ♠ ♥ ✵ but ❛ ✵ = an accumulator mod ♣ . ① ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ❣ ( ♠ ✵ ( r ) mod ♣ )+ s ♥ ✵ mod 1000000. ❛ ✵ modulo ♣ ❛ ✐ ♠ ✵ [ ✐ ] ① ✐ . Here ♠ ✵ ( ① ) = P up for serious security: oly1305” uses ♣ = 2 130 � 5. e.g. ♠ 1 ❀ ❀ ❀ ❀ Obvious attack: ♠ ✵ = (125 ❀ ❀ ❀ ❀ each 128-bit message chunk, Choose any ♠ ✵ ✻ = ♠ 1 . ♠ ✵ ( ① ) � ♠ to do one multiplication ① ① ① ① Choose uniform random ❛ ✵ . 128-bit secret r which has ♣ Success chance 1 ❂ 1000000. an accumulator mod 2 130 � 5. 0 ❀ 299012 ❀ ❀ ❀ Can repeat attack. ✙ cycles per message byte, Success ❂ Each forgery has chance ending on the CPU. 1 ❂ 1000000 of being accepted.

  29. multiplication. Security analysis More subtle attack: Choose ♠ ✵ ✻ = ♠ 1 so message chunk, Attacker’s goal: the polynomial ♠ ✵ ① � ♠ multiplication ① Find ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such that secret r has 5 distinct roots ♠ ✵ ✻ = ♠ ♥ ✵ but ❛ ✵ = cumulator mod ♣ . ① ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ ( ♠ ✵ ( r ) mod ♣ )+ s ♥ ✵ mod 1000000. modulo ♣ . Choose ❛ ✵ ❛ ✐ ♠ ✵ [ ✐ ] ① ✐ . Here ♠ ✵ ( ① ) = P serious security: ♣ = 2 130 � 5. e.g. ♠ 1 = (100 ❀ 0 ❀ ❀ ❀ Obvious attack: ♠ ✵ = (125 ❀ 1 ❀ 0 ❀ 0 ❀ message chunk, Choose any ♠ ✵ ✻ = ♠ 1 . ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ① multiplication ① ① Choose uniform random ❛ ✵ . secret r which has five roots ♣ Success chance 1 ❂ 1000000. cumulator mod 2 130 � 5. 0 ❀ 299012 ❀ 334447 ❀ ❀ Can repeat attack. ✙ message byte, Success chance 5 ❂ Each forgery has chance the CPU. 1 ❂ 1000000 of being accepted.

  30. multiplication. Security analysis More subtle attack: Choose ♠ ✵ ✻ = ♠ 1 so that chunk, Attacker’s goal: the polynomial ♠ ✵ ( ① ) � ♠ 1 ( ① multiplication Find ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such that r has 5 distinct roots ♠ ✵ ✻ = ♠ ♥ ✵ but ❛ ✵ = ♣ . ① ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ ( ♠ ✵ ( r ) mod ♣ )+ s ♥ ✵ mod 1000000. modulo ♣ . Choose ❛ ✵ = ❛ . ✐ ♠ ✵ [ ✐ ] ① ✐ . Here ♠ ✵ ( ① ) = P security: ♣ � 5. e.g. ♠ 1 = (100 ❀ 0 ❀ 0 ❀ 0 ❀ 0), Obvious attack: ♠ ✵ = (125 ❀ 1 ❀ 0 ❀ 0 ❀ 1): chunk, Choose any ♠ ✵ ✻ = ♠ 1 . ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ① 5 + ① 2 + multiplication ① Choose uniform random ❛ ✵ . r which has five roots mod ♣ : Success chance 1 ❂ 1000000. 2 130 � 5. 0 ❀ 299012 ❀ 334447 ❀ 631403 ❀ 735144. Can repeat attack. ✙ yte, Success chance 5 ❂ 1000000. Each forgery has chance 1 ❂ 1000000 of being accepted.

  31. Security analysis More subtle attack: Choose ♠ ✵ ✻ = ♠ 1 so that Attacker’s goal: the polynomial ♠ ✵ ( ① ) � ♠ 1 ( ① ) Find ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such that has 5 distinct roots ♠ ✵ ✻ = ♠ ♥ ✵ but ❛ ✵ = ① ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ ( ♠ ✵ ( r ) mod ♣ )+ s ♥ ✵ mod 1000000. modulo ♣ . Choose ❛ ✵ = ❛ . ✐ ♠ ✵ [ ✐ ] ① ✐ . Here ♠ ✵ ( ① ) = P e.g. ♠ 1 = (100 ❀ 0 ❀ 0 ❀ 0 ❀ 0), Obvious attack: ♠ ✵ = (125 ❀ 1 ❀ 0 ❀ 0 ❀ 1): Choose any ♠ ✵ ✻ = ♠ 1 . ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ① 5 + ① 2 + 25 ① Choose uniform random ❛ ✵ . which has five roots mod ♣ : Success chance 1 ❂ 1000000. 0 ❀ 299012 ❀ 334447 ❀ 631403 ❀ 735144. Can repeat attack. Success chance 5 ❂ 1000000. Each forgery has chance 1 ❂ 1000000 of being accepted.

  32. Security analysis More subtle attack: Actually, Choose ♠ ✵ ✻ = ♠ 1 so that can be ab ❂ er’s goal: the polynomial ♠ ✵ ( ① ) � ♠ 1 ( ① ) ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such that Example: ♠ ♣ has 5 distinct roots ♠ ✵ ✻ ♠ ♥ ✵ but ❛ ✵ = ✷ ❢ 1000000 ❀ ❀ ❣ ① ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ ♠ ✵ r ) mod ♣ )+ s ♥ ✵ mod 1000000. ❀ ♠ ✵ ❀ ❛ then a fo modulo ♣ . Choose ❛ ✵ = ❛ . ✐ ♠ ✵ [ ✐ ] ① ✐ . ♠ ✵ ( ① ) = P ♠ ✵ ( ① ) = ♠ ① ① ① ① e.g. ♠ 1 = (100 ❀ 0 ❀ 0 ❀ 0 ❀ 0), also succeeds r Obvious attack: ♠ ✵ = (125 ❀ 1 ❀ 0 ❀ 0 ❀ 1): success chan ❂ ose any ♠ ✵ ✻ = ♠ 1 . ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ① 5 + ① 2 + 25 ① Reason: ose uniform random ❛ ✵ . ♠ ✵ ( ① ) � ♠ which has five roots mod ♣ : ① Success chance 1 ❂ 1000000. 0 ❀ 299012 ❀ 334447 ❀ 631403 ❀ 735144. Can have repeat attack. of ( ♠ ✵ ( ① � ♠ Success chance 5 ❂ 1000000. ① ✁ forgery has chance ( ♠ ✵ ( ① ) � ♠ ① ✁ ❂ 1000000 of being accepted. ( ♠ ✵ ( ① ) � ♠ ① �

  33. More subtle attack: Actually, success chance Choose ♠ ✵ ✻ = ♠ 1 so that can be above 5 ❂ 1000000. the polynomial ♠ ✵ ( ① ) � ♠ 1 ( ① ) ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ such that Example: If ♠ 1 (334885) ♣ has 5 distinct roots ♠ ✵ ✻ ❛ ✵ = ♠ ♥ ✵ ✷ ❢ 1000000 ❀ 1000001 ❀ ❣ ① ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ ♠ ✵ r then a forgery (1 ❀ ♠ ✵ ❀ ❛ ♣ s ♥ ✵ mod 1000000. modulo ♣ . Choose ❛ ✵ = ❛ . ♠ ✵ ① ✐ ♠ ✵ [ ✐ ] ① ✐ . ♠ ✵ ( ① ) = ♠ 1 ( ① ) + ① P ① ① e.g. ♠ 1 = (100 ❀ 0 ❀ 0 ❀ 0 ❀ 0), also succeeds for r ♠ ✵ = (125 ❀ 1 ❀ 0 ❀ 0 ❀ 1): success chance 6 ❂ 1000000. ♠ ✵ ✻ = ♠ 1 . ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ① 5 + ① 2 + 25 ① Reason: 334885 is random ❛ ✵ . ♠ ✵ ( ① ) � ♠ 1 ( ① ) + which has five roots mod ♣ : 1 ❂ 1000000. 0 ❀ 299012 ❀ 334447 ❀ 631403 ❀ 735144. Can have as many attack. of ( ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ Success chance 5 ❂ 1000000. chance ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) + ✁ ❂ eing accepted. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) �

  34. More subtle attack: Actually, success chance Choose ♠ ✵ ✻ = ♠ 1 so that can be above 5 ❂ 1000000. the polynomial ♠ ✵ ( ① ) � ♠ 1 ( ① ) ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ Example: If ♠ 1 (334885) mo ♣ has 5 distinct roots ♠ ✵ ✻ ❛ ✵ ♠ ♥ ✵ ✷ ❢ 1000000 ❀ 1000001 ❀ 1000002 ❣ ① ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ ♠ ✵ r then a forgery (1 ❀ ♠ ✵ ❀ ❛ 1 ) with ♣ s ♥ ✵ 1000000. modulo ♣ . Choose ❛ ✵ = ❛ . ♠ ✵ ① ✐ ♠ ✵ ✐ ① ✐ . ♠ ✵ ( ① ) = ♠ 1 ( ① ) + ① 5 + ① 2 + P ① e.g. ♠ 1 = (100 ❀ 0 ❀ 0 ❀ 0 ❀ 0), also succeeds for r = 334885; ♠ ✵ = (125 ❀ 1 ❀ 0 ❀ 0 ❀ 1): success chance 6 ❂ 1000000. ♠ ✵ ✻ ♠ ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ① 5 + ① 2 + 25 ① Reason: 334885 is a root of ❛ ✵ . ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000. which has five roots mod ♣ : ❂ 1000000. 0 ❀ 299012 ❀ 334447 ❀ 631403 ❀ 735144. Can have as many as 15 roots of ( ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ Success chance 5 ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000) ✁ ❂ accepted. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � 1000000).

  35. More subtle attack: Actually, success chance Choose ♠ ✵ ✻ = ♠ 1 so that can be above 5 ❂ 1000000. the polynomial ♠ ✵ ( ① ) � ♠ 1 ( ① ) Example: If ♠ 1 (334885) mod ♣ has 5 distinct roots ✷ ❢ 1000000 ❀ 1000001 ❀ 1000002 ❣ ① ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ then a forgery (1 ❀ ♠ ✵ ❀ ❛ 1 ) with modulo ♣ . Choose ❛ ✵ = ❛ . ♠ ✵ ( ① ) = ♠ 1 ( ① ) + ① 5 + ① 2 + 25 ① e.g. ♠ 1 = (100 ❀ 0 ❀ 0 ❀ 0 ❀ 0), also succeeds for r = 334885; ♠ ✵ = (125 ❀ 1 ❀ 0 ❀ 0 ❀ 1): success chance 6 ❂ 1000000. ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ① 5 + ① 2 + 25 ① Reason: 334885 is a root of ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000. which has five roots mod ♣ : 0 ❀ 299012 ❀ 334447 ❀ 631403 ❀ 735144. Can have as many as 15 roots of ( ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ Success chance 5 ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000) ✁ ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � 1000000).

  36. ❛ ✵ subtle attack: Actually, success chance Do better ose ♠ ✵ ✻ = ♠ 1 so that can be above 5 ❂ 1000000. No. Easy olynomial ♠ ✵ ( ① ) � ♠ 1 ( ① ) ♠ ✵ ✻ of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ Example: If ♠ 1 (334885) mod ♣ ♠ ♥ ✵ distinct roots ✷ ❢ 1000000 ❀ 1000001 ❀ 1000002 ❣ has chance ✔ ❂ ① ✷ ❢ ❀ 1 ❀ ✿ ✿ ✿ ❀ 999999 ❣ then a forgery (1 ❀ ♠ ✵ ❀ ❛ 1 ) with of being dulo ♣ . Choose ❛ ✵ = ❛ . ♠ ✵ ( ① ) = ♠ 1 ( ① ) + ① 5 + ① 2 + 25 ① Underlying ✔ ♠ 1 = (100 ❀ 0 ❀ 0 ❀ 0 ❀ 0), also succeeds for r = 334885; of ( ♠ ✵ ( ① � ♠ ① � ❛ ✵ ❛ ✁ ♠ ✵ (125 ❀ 1 ❀ 0 ❀ 0 ❀ 1): success chance 6 ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ ① � ❛ ✵ ❛ ✁ ♠ ✵ ① � ♠ 1 ( ① ) = ① 5 + ① 2 + 25 ① Reason: 334885 is a root of ( ♠ ✵ ( ① ) � ♠ ① � ❛ ✵ ❛ � ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000. has five roots mod ♣ : Warning: ❀ 299012 ❀ 334447 ❀ 631403 ❀ 735144. Can have as many as 15 roots the oversimplified of ( ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ Success chance 5 ❂ 1000000. ( ♠ ♥ [1] + ✁ ✁ ✁ ♠ ♥ r ♣ ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000) ✁ + s ♥ ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � 1000000). solve ♠ ✵ ① � ♠ ❛ ✵ � ❛ ①

  37. Do better by varying ❛ ✵ attack: Actually, success chance ♠ ✵ ✻ ♠ 1 so that can be above 5 ❂ 1000000. No. Easy to prove: ♠ ✵ ( ① ) � ♠ 1 ( ① ) of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ) with ♠ ✵ ✻ Example: If ♠ 1 (334885) mod ♣ ♠ ♥ ✵ ots ✷ ❢ 1000000 ❀ 1000001 ❀ 1000002 ❣ has chance ✔ 15 ❂ 1000000 ① ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 999999 ❣ then a forgery (1 ❀ ♠ ✵ ❀ ❛ 1 ) with of being accepted ose ❛ ✵ = ❛ . ♣ ♠ ✵ ( ① ) = ♠ 1 ( ① ) + ① 5 + ① 2 + 25 ① Underlying fact: ✔ ♠ ❀ 0 ❀ 0 ❀ 0 ❀ 0), also succeeds for r = 334885; of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ ❛ ✁ ♠ ✵ ❀ ❀ ❀ 0 ❀ 1): success chance 6 ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ ❛ ✁ ♠ ✵ ① � ♠ ① = ① 5 + ① 2 + 25 ① Reason: 334885 is a root of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ ❛ � ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000. ots mod ♣ : Warning: very easy ❀ ❀ 334447 ❀ 631403 ❀ 735144. Can have as many as 15 roots the oversimplified of ( ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ 5 ❂ 1000000. ( ♠ ♥ [1] + ✁ ✁ ✁ + ♠ ♥ r ♣ ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000) ✁ + s ♥ mod 1000000: ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � 1000000). ❛ ✵ � ❛ solve ♠ ✵ ( ① ) � ♠ 1 ( ①

  38. Do better by varying ❛ ✵ ? Actually, success chance ♠ ✵ ✻ ♠ can be above 5 ❂ 1000000. No. Easy to prove: Every choice ♠ ✵ ① � ♠ 1 ( ① ) of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ) with ♠ ✵ ✻ = ♠ ♥ ✵ Example: If ♠ 1 (334885) mod ♣ ✷ ❢ 1000000 ❀ 1000001 ❀ 1000002 ❣ has chance ✔ 15 ❂ 1000000 ① ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ then a forgery (1 ❀ ♠ ✵ ❀ ❛ 1 ) with of being accepted by receiver. ❛ ✵ ❛ . ♣ ♠ ✵ ( ① ) = ♠ 1 ( ① ) + ① 5 + ① 2 + 25 ① Underlying fact: ✔ 15 roots ♠ ❀ ❀ ❀ ❀ also succeeds for r = 334885; of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ ✁ ♠ ✵ ❀ ❀ ❀ ❀ success chance 6 ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 + ✁ ♠ ✵ ① � ♠ ① + 25 ① Reason: 334885 is a root of ① ① ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 � ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000. ♣ : Warning: very easy to break ❀ ❀ ❀ ❀ 735144. Can have as many as 15 roots the oversimplified authenticato of ( ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ ❂ 1000000. ( ♠ ♥ [1] + ✁ ✁ ✁ + ♠ ♥ [5] r 4 mod ♣ ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000) ✁ + s ♥ mod 1000000: ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � 1000000). solve ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ❛ ✵ � ❛

  39. Do better by varying ❛ ✵ ? Actually, success chance can be above 5 ❂ 1000000. No. Easy to prove: Every choice of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ) with ♠ ✵ ✻ = ♠ ♥ ✵ Example: If ♠ 1 (334885) mod ♣ ✷ ❢ 1000000 ❀ 1000001 ❀ 1000002 ❣ has chance ✔ 15 ❂ 1000000 then a forgery (1 ❀ ♠ ✵ ❀ ❛ 1 ) with of being accepted by receiver. ♠ ✵ ( ① ) = ♠ 1 ( ① ) + ① 5 + ① 2 + 25 ① Underlying fact: ✔ 15 roots also succeeds for r = 334885; of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 ) ✁ success chance 6 ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 + 10 6 ) ✁ Reason: 334885 is a root of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 � 10 6 ). ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000. Warning: very easy to break Can have as many as 15 roots the oversimplified authenticator of ( ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ ( ♠ ♥ [1] + ✁ ✁ ✁ + ♠ ♥ [5] r 4 mod ♣ ) ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) + 1000000) ✁ + s ♥ mod 1000000: ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � 1000000). solve ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ❛ ✵ � ❛ 1 .

  40. Do better by varying ❛ ✵ ? Actually, success chance Scaled up above 5 ❂ 1000000. No. Easy to prove: Every choice Poly1305 r of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ) with ♠ ✵ ✻ = ♠ ♥ ✵ Example: If ♠ 1 (334885) mod ♣ with 22 bits ✷ ❢ 1000000 ❀ 1000001 ❀ 1000002 ❣ has chance ✔ 15 ❂ 1000000 Adds s ♥ forgery (1 ❀ ♠ ✵ ❀ ❛ 1 ) with of being accepted by receiver. Assuming ✔ ▲ ♠ ✵ ① = ♠ 1 ( ① ) + ① 5 + ① 2 + 25 ① Underlying fact: ✔ 15 roots Each for succeeds for r = 334885; of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 ) ✁ ✔ 8 ❞ ▲❂ 16 ❡ r success chance 6 ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 + 10 6 ) ✁ Probabilit ✔ ❞ ▲❂ ❡ ❂ Reason: 334885 is a root of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 � 10 6 ). ♠ ✵ ① � ♠ 1 ( ① ) + 1000000. ❉ forgeries Warning: very easy to break with prob have as many as 15 roots the oversimplified authenticator ✕ 1 � 8 ❉ ❞ ▲❂ ❡ ❂ ♠ ✵ ( ① ) � ♠ 1 ( ① )) ✁ ( ♠ ♥ [1] + ✁ ✁ ✁ + ♠ ♥ [5] r 4 mod ♣ ) e.g. 2 64 ♠ ✵ ① ) � ♠ 1 ( ① ) + 1000000) ✁ ▲ + s ♥ mod 1000000: ♠ ✵ ① ) � ♠ 1 ( ① ) � 1000000). Pr[all rejected] ✕ ✿ solve ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ❛ ✵ � ❛ 1 .

  41. Do better by varying ❛ ✵ ? chance Scaled up for serious ❂ 1000000. No. Easy to prove: Every choice Poly1305 uses 128-bit r of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ) with ♠ ✵ ✻ = ♠ ♥ ✵ ♠ (334885) mod ♣ with 22 bits cleared Adds s ♥ mod 2 128 ✷ ❢ ❀ 1000001 ❀ 1000002 ❣ has chance ✔ 15 ❂ 1000000 ❀ ♠ ✵ ❀ ❛ 1 ) with of being accepted by receiver. Assuming ✔ ▲ -byte ♠ ✵ ① ① + ① 5 + ① 2 + 25 ① ♠ Underlying fact: ✔ 15 roots Each forgery succeeds r r = 334885; of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 ) ✁ ✔ 8 ❞ ▲❂ 16 ❡ choices r ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 + 10 6 ) ✁ Probability ✔ 8 ❞ ▲❂ ❡ ❂ is a root of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 � 10 6 ). ♠ ✵ ① � ♠ ❉ forgeries are all ① + 1000000. Warning: very easy to break with probability many as 15 roots the oversimplified authenticator ✕ 1 � 8 ❉ ❞ ▲❂ 16 ❡ ❂ ♠ ✵ ① � ♠ ( ① )) ✁ ( ♠ ♥ [1] + ✁ ✁ ✁ + ♠ ♥ [5] r 4 mod ♣ ) e.g. 2 64 forgeries, ▲ ♠ ✵ ① � ♠ ① + 1000000) ✁ + s ♥ mod 1000000: ♠ ✵ ① � ♠ Pr[all rejected] ✕ 0 ✿ ① � 1000000). solve ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ❛ ✵ � ❛ 1 .

  42. Do better by varying ❛ ✵ ? Scaled up for serious security: ❂ No. Easy to prove: Every choice Poly1305 uses 128-bit r ’s, of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ) with ♠ ✵ ✻ = ♠ ♥ ✵ ♠ mod ♣ with 22 bits cleared for speed. Adds s ♥ mod 2 128 . ✷ ❢ ❀ ❀ 1000002 ❣ has chance ✔ 15 ❂ 1000000 ❀ ♠ ✵ ❀ ❛ with of being accepted by receiver. Assuming ✔ ▲ -byte messages: ♠ ✵ ① ♠ ① ① ① + 25 ① Underlying fact: ✔ 15 roots Each forgery succeeds for r 334885; of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 ) ✁ ✔ 8 ❞ ▲❂ 16 ❡ choices of r . ❂ 1000000. ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 + 10 6 ) ✁ Probability ✔ 8 ❞ ▲❂ 16 ❡ ❂ 2 106 of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 � 10 6 ). ♠ ✵ ① � ♠ ❉ forgeries are all rejected ① 1000000. Warning: very easy to break with probability roots ✕ 1 � 8 ❉ ❞ ▲❂ 16 ❡ ❂ 2 106 . the oversimplified authenticator ♠ ✵ ① � ♠ ① ✁ ( ♠ ♥ [1] + ✁ ✁ ✁ + ♠ ♥ [5] r 4 mod ♣ ) e.g. 2 64 forgeries, ▲ = 1536: ♠ ✵ ① � ♠ ① 1000000) ✁ + s ♥ mod 1000000: ♠ ✵ ① � ♠ Pr[all rejected] ✕ 0 ✿ 9999999998. ① � 1000000). solve ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ❛ ✵ � ❛ 1 .

  43. Do better by varying ❛ ✵ ? Scaled up for serious security: No. Easy to prove: Every choice Poly1305 uses 128-bit r ’s, of ( ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ) with ♠ ✵ ✻ = ♠ ♥ ✵ with 22 bits cleared for speed. Adds s ♥ mod 2 128 . has chance ✔ 15 ❂ 1000000 of being accepted by receiver. Assuming ✔ ▲ -byte messages: Underlying fact: ✔ 15 roots Each forgery succeeds for of ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 ) ✁ ✔ 8 ❞ ▲❂ 16 ❡ choices of r . ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 + 10 6 ) ✁ Probability ✔ 8 ❞ ▲❂ 16 ❡ ❂ 2 106 . ( ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 � 10 6 ). ❉ forgeries are all rejected Warning: very easy to break with probability ✕ 1 � 8 ❉ ❞ ▲❂ 16 ❡ ❂ 2 106 . the oversimplified authenticator ( ♠ ♥ [1] + ✁ ✁ ✁ + ♠ ♥ [5] r 4 mod ♣ ) e.g. 2 64 forgeries, ▲ = 1536: + s ♥ mod 1000000: Pr[all rejected] ✕ 0 ✿ 9999999998. solve ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ❛ ✵ � ❛ 1 .

  44. etter by varying ❛ ✵ ? Scaled up for serious security: Authenticato for variable-length Easy to prove: Every choice Poly1305 uses 128-bit r ’s, if different ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ) with ♠ ✵ ✻ = ♠ ♥ ✵ with 22 bits cleared for speed. different ♣ Adds s ♥ mod 2 128 . chance ✔ 15 ❂ 1000000 eing accepted by receiver. Split string Assuming ✔ ▲ -byte messages: maybe with Underlying fact: ✔ 15 roots Each forgery succeeds for append 1 ♠ ✵ ( ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 ) ✁ ✔ 8 ❞ ▲❂ 16 ❡ choices of r . view as little-endian ♠ ✵ ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 + 10 6 ) ✁ Probability ✔ 8 ❞ ▲❂ 16 ❡ ❂ 2 106 . ✟ ✠ in 1 ❀ 2 ❀ ❀ ✿ ✿ ✿ ❀ ♠ ✵ ① ) � ♠ 1 ( ① ) � ❛ ✵ + ❛ 1 � 10 6 ). ❉ forgeries are all rejected Multiply r rning: very easy to break with probability add next r ✕ 1 � 8 ❉ ❞ ▲❂ 16 ❡ ❂ 2 106 . oversimplified authenticator etc., last r ♠ ♥ [1] + ✁ ✁ ✁ + ♠ ♥ [5] r 4 mod ♣ ) mod 2 130 � s ♥ e.g. 2 64 forgeries, ▲ = 1536: s ♥ mod 1000000: Pr[all rejected] ✕ 0 ✿ 9999999998. ♠ ✵ ( ① ) � ♠ 1 ( ① ) = ❛ ✵ � ❛ 1 .

  45. rying ❛ ✵ ? Scaled up for serious security: Authenticator is still for variable-length rove: Every choice Poly1305 uses 128-bit r ’s, if different messages ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ with ♠ ✵ ✻ = ♠ ♥ ✵ with 22 bits cleared for speed. different polynomials ♣ Adds s ♥ mod 2 128 . ✔ ❂ 1000000 accepted by receiver. Split string into 16-b Assuming ✔ ▲ -byte messages: maybe with smaller ✔ 15 roots Each forgery succeeds for append 1 to each chunk; ♠ ✵ ① � ♠ ( ① ) � ❛ ✵ + ❛ 1 ) ✁ ✔ 8 ❞ ▲❂ 16 ❡ choices of r . view as little-endian ♠ ✵ ① � ♠ ① � ❛ ✵ + ❛ 1 + 10 6 ) ✁ Probability ✔ 8 ❞ ▲❂ 16 ❡ ❂ 2 106 . 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ 2 129 ✠ ✟ in ♠ ✵ ① � ♠ ① � ❛ ✵ + ❛ 1 � 10 6 ). ❉ forgeries are all rejected Multiply first chunk r easy to break with probability add next chunk, multiply r ✕ 1 � 8 ❉ ❞ ▲❂ 16 ❡ ❂ 2 106 . oversimplified authenticator etc., last chunk, multiply r ♠ ♥ [5] r 4 mod ♣ ) mod 2 130 � 5, add s ♥ ♠ ♥ ✁ ✁ ✁ e.g. 2 64 forgeries, ▲ = 1536: s ♥ 1000000: Pr[all rejected] ✕ 0 ✿ 9999999998. ♠ ✵ ① � ♠ 1 ( ① ) = ❛ ✵ � ❛ 1 .

  46. ❛ ✵ Scaled up for serious security: Authenticator is still secure for variable-length messages, choice Poly1305 uses 128-bit r ’s, if different messages are ♠ ✵ ✻ ♥ ✵ ❀ ♠ ✵ ❀ ❛ ✵ ♠ ♥ ✵ with 22 bits cleared for speed. different polynomials mod ♣ . Adds s ♥ mod 2 128 . ✔ ❂ receiver. Split string into 16-byte chunks, Assuming ✔ ▲ -byte messages: maybe with smaller final chunk; ✔ ots Each forgery succeeds for append 1 to each chunk; ♠ ✵ ① � ♠ ① � ❛ ✵ ❛ 1 ) ✁ ✔ 8 ❞ ▲❂ 16 ❡ choices of r . view as little-endian integers ♠ ✵ ① � ♠ ❛ + 10 6 ) ✁ Probability ✔ 8 ❞ ▲❂ 16 ❡ ❂ 2 106 . ① � ❛ ✵ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ 2 129 ✠ ✟ in . ♠ ✵ ① � ♠ ❛ � 10 6 ). ① � ❛ ✵ ❉ forgeries are all rejected Multiply first chunk by r , reak with probability add next chunk, multiply by r ✕ 1 � 8 ❉ ❞ ▲❂ 16 ❡ ❂ 2 106 . authenticator etc., last chunk, multiply by r mod 2 130 � 5, add s ♥ mod 2 ♠ ♥ ✁ ✁ ✁ ♠ ♥ r mod ♣ ) e.g. 2 64 forgeries, ▲ = 1536: s ♥ Pr[all rejected] ✕ 0 ✿ 9999999998. ♠ ✵ ① � ♠ ❛ ✵ � ❛ 1 . ①

  47. Scaled up for serious security: Authenticator is still secure for variable-length messages, Poly1305 uses 128-bit r ’s, if different messages are with 22 bits cleared for speed. different polynomials mod ♣ . Adds s ♥ mod 2 128 . Split string into 16-byte chunks, Assuming ✔ ▲ -byte messages: maybe with smaller final chunk; Each forgery succeeds for append 1 to each chunk; ✔ 8 ❞ ▲❂ 16 ❡ choices of r . view as little-endian integers Probability ✔ 8 ❞ ▲❂ 16 ❡ ❂ 2 106 . 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ 2 129 ✠ ✟ in . ❉ forgeries are all rejected Multiply first chunk by r , with probability add next chunk, multiply by r , ✕ 1 � 8 ❉ ❞ ▲❂ 16 ❡ ❂ 2 106 . etc., last chunk, multiply by r , mod 2 130 � 5, add s ♥ mod 2 128 . e.g. 2 64 forgeries, ▲ = 1536: Pr[all rejected] ✕ 0 ✿ 9999999998.

  48. up for serious security: Authenticator is still secure Reducing for variable-length messages, Like the oly1305 uses 128-bit r ’s, if different messages are this authentication 22 bits cleared for speed. different polynomials mod ♣ . s ♥ mod 2 128 . has a securit Split string into 16-byte chunks, One-time Assuming ✔ ▲ -byte messages: maybe with smaller final chunk; ▲ shared forgery succeeds for append 1 to each chunk; to encrypt ▲ ✔ ❞ ▲❂ 16 ❡ choices of r . view as little-endian integers Probability ✔ 8 ❞ ▲❂ 16 ❡ ❂ 2 106 . Authentication 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ 2 129 ✠ ✟ in . 16 shared ❉ rgeries are all rejected Multiply first chunk by r , to authenticate ▲ robability add next chunk, multiply by r , � 8 ❉ ❞ ▲❂ 16 ❡ ❂ 2 106 . ✕ etc., last chunk, multiply by r , Each new mod 2 130 � 5, add s ♥ mod 2 128 . 64 forgeries, ▲ = 1536: new shared used only rejected] ✕ 0 ✿ 9999999998. How to handle

  49. serious security: Authenticator is still secure Reducing the key length for variable-length messages, Like the one-time 128-bit r ’s, if different messages are this authentication red for speed. different polynomials mod ♣ . 128 . has a security guarantee. s ♥ Split string into 16-byte chunks, One-time pad needs ✔ ▲ yte messages: maybe with smaller final chunk; ▲ shared secret bytes succeeds for append 1 to each chunk; to encrypt ▲ message ✔ ❞ ▲❂ ❡ choices of r . view as little-endian integers ❞ ▲❂ 16 ❡ ❂ 2 106 . ✔ Authentication system 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ 2 129 ✠ ✟ in . 16 shared secret byte ❉ all rejected Multiply first chunk by r , to authenticate ▲ message add next chunk, multiply by r , ❡ ❂ 2 106 . ✕ � ❉ ❞ ▲❂ etc., last chunk, multiply by r , Each new message mod 2 130 � 5, add s ♥ mod 2 128 . new shared secret rgeries, ▲ = 1536: used only once. ✕ 0 ✿ 9999999998. How to handle many

  50. security: Authenticator is still secure Reducing the key length for variable-length messages, Like the one-time pad, r if different messages are this authentication system eed. different polynomials mod ♣ . has a security guarantee. s ♥ Split string into 16-byte chunks, One-time pad needs ✔ ▲ messages: maybe with smaller final chunk; ▲ shared secret bytes append 1 to each chunk; to encrypt ▲ message bytes. ✔ ❞ ▲❂ ❡ r view as little-endian integers ❡ ❂ 106 . ✔ ❞ ▲❂ Authentication system needs 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ 2 129 ✠ ✟ in . 16 shared secret bytes ❉ Multiply first chunk by r , to authenticate ▲ message b add next chunk, multiply by r , ✕ � ❉ ❞ ▲❂ ❡ ❂ etc., last chunk, multiply by r , Each new message needs mod 2 130 � 5, add s ♥ mod 2 128 . new shared secret bytes, ▲ 1536: used only once. ✕ ✿ 9999999998. How to handle many messages?

  51. Authenticator is still secure Reducing the key length for variable-length messages, Like the one-time pad, if different messages are this authentication system different polynomials mod ♣ . has a security guarantee. Split string into 16-byte chunks, One-time pad needs maybe with smaller final chunk; ▲ shared secret bytes append 1 to each chunk; to encrypt ▲ message bytes. view as little-endian integers Authentication system needs 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ 2 129 ✠ ✟ in . 16 shared secret bytes Multiply first chunk by r , to authenticate ▲ message bytes. add next chunk, multiply by r , etc., last chunk, multiply by r , Each new message needs mod 2 130 � 5, add s ♥ mod 2 128 . new shared secret bytes, used only once. How to handle many messages?

  52. Authenticator is still secure Reducing the key length Authenticato ♠ ♥ r ♣ riable-length messages, encrypted s ♥ Like the one-time pad, different messages are this authentication system Can replace different polynomials mod ♣ . has a security guarantee. with stream-cipher string into 16-byte chunks, One-time pad needs Typical stream with smaller final chunk; ▲ shared secret bytes AES in counter end 1 to each chunk; to encrypt ▲ message bytes. Sender, receiver r❀ ❦ as little-endian integers where ❦ Authentication system needs ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ 2 129 ✠ ✟ . compute s ♥ ❦ ♥ 16 shared secret bytes Multiply first chunk by r , to authenticate ▲ message bytes. Security next chunk, multiply by r , since s ♥ ’s last chunk, multiply by r , Each new message needs 130 � 5, add s ♥ mod 2 128 . but can new shared secret bytes, attack on used only once. implies attack How to handle many messages?

  53. still secure Reducing the key length Authenticator is ♠ ♥ r ♣ riable-length messages, encrypted with one-time s ♥ Like the one-time pad, messages are this authentication system Can replace one-time olynomials mod ♣ . has a security guarantee. with stream-cipher 16-byte chunks, One-time pad needs Typical stream cipher: smaller final chunk; ▲ shared secret bytes AES in counter mo each chunk; to encrypt ▲ message bytes. Sender, receiver sha r❀ ❦ little-endian integers where ❦ is 16-byte Authentication system needs 129 ✠ ✟ . ❀ ❀ ❀ ✿ ✿ ✿ ❀ compute s ♥ = AES ❦ ♥ 16 shared secret bytes chunk by r , to authenticate ▲ message bytes. Security proof breaks multiply by r , since s ♥ ’s are dependent, multiply by r , Each new message needs add s ♥ mod 2 128 . but can still prove � new shared secret bytes, attack on authenticato used only once. implies attack on AES. How to handle many messages?

  54. secure Reducing the key length Authenticator is ♠ ♥ ( r ) mod ♣ messages, encrypted with one-time pad s ♥ Like the one-time pad, this authentication system Can replace one-time pad ♣ . has a security guarantee. with stream-cipher output. chunks, One-time pad needs Typical stream cipher: chunk; ▲ shared secret bytes AES in counter mode. to encrypt ▲ message bytes. Sender, receiver share ( r❀ ❦ ) integers where ❦ is 16-byte AES key; Authentication system needs ✟ ✠ ❀ ❀ ❀ ✿ ✿ ✿ ❀ compute s ♥ = AES ❦ ( ♥ ). 16 shared secret bytes r to authenticate ▲ message bytes. Security proof breaks down by r , since s ♥ ’s are dependent, by r , Each new message needs d 2 128 . but can still prove that � s ♥ new shared secret bytes, attack on authenticator used only once. implies attack on AES. How to handle many messages?

  55. Reducing the key length Authenticator is ♠ ♥ ( r ) mod ♣ encrypted with one-time pad s ♥ . Like the one-time pad, this authentication system Can replace one-time pad has a security guarantee. with stream-cipher output. One-time pad needs Typical stream cipher: ▲ shared secret bytes AES in counter mode. to encrypt ▲ message bytes. Sender, receiver share ( r❀ ❦ ) where ❦ is 16-byte AES key; Authentication system needs compute s ♥ = AES ❦ ( ♥ ). 16 shared secret bytes to authenticate ▲ message bytes. Security proof breaks down since s ♥ ’s are dependent, Each new message needs but can still prove that new shared secret bytes, attack on authenticator used only once. implies attack on AES. How to handle many messages?

  56. Reducing the key length Authenticator is ♠ ♥ ( r ) mod ♣ unsigned int mpz_class rbar encrypted with one-time pad s ♥ . for (j = 0;j the one-time pad, rbar += ((mpz_class) mpz_class h authentication system Can replace one-time pad mpz_class p while (mlen security guarantee. with stream-cipher output. mpz_class for (j = c += ((mpz_class) One-time pad needs Typical stream cipher: c += ((mpz_class) m += j; mlen ▲ red secret bytes AES in counter mode. h = ((h + } encrypt ▲ message bytes. Sender, receiver share ( r❀ ❦ ) unsigned char aes(aeskn,k,n); where ❦ is 16-byte AES key; Authentication system needs for (j = 0;j h += ((mpz_class) compute s ♥ = AES ❦ ( ♥ ). red secret bytes for (j = 0;j mpz_class authenticate ▲ message bytes. h >>= 8; Security proof breaks down out[j] = } since s ♥ ’s are dependent, new message needs but can still prove that shared secret bytes, attack on authenticator only once. implies attack on AES. to handle many messages?

  57. ey length Authenticator is ♠ ♥ ( r ) mod ♣ unsigned int j; mpz_class rbar = 0; encrypted with one-time pad s ♥ . for (j = 0;j < 16;++j) one-time pad, rbar += ((mpz_class) r[j]) mpz_class h = 0; authentication system Can replace one-time pad mpz_class p = (((mpz_class) while (mlen > 0) { guarantee. with stream-cipher output. mpz_class c = 0; for (j = 0;(j < 16) && c += ((mpz_class) m[j]) needs Typical stream cipher: c += ((mpz_class) 1) << m += j; mlen -= j; ▲ bytes AES in counter mode. h = ((h + c) * rbar) % } ▲ message bytes. Sender, receiver share ( r❀ ❦ ) unsigned char aeskn[16]; aes(aeskn,k,n); where ❦ is 16-byte AES key; system needs for (j = 0;j < 16;++j) h += ((mpz_class) aeskn[j]) compute s ♥ = AES ❦ ( ♥ ). bytes for (j = 0;j < 16;++j) { mpz_class c = h % 256; ▲ message bytes. h >>= 8; Security proof breaks down out[j] = c.get_ui(); } since s ♥ ’s are dependent, message needs but can still prove that secret bytes, attack on authenticator implies attack on AES. many messages?

  58. Authenticator is ♠ ♥ ( r ) mod ♣ unsigned int j; mpz_class rbar = 0; encrypted with one-time pad s ♥ . for (j = 0;j < 16;++j) rbar += ((mpz_class) r[j]) << (8 * j); mpz_class h = 0; Can replace one-time pad mpz_class p = (((mpz_class) 1) << 130) while (mlen > 0) { with stream-cipher output. mpz_class c = 0; for (j = 0;(j < 16) && (j < mlen);++j) c += ((mpz_class) m[j]) << (8 * j); Typical stream cipher: c += ((mpz_class) 1) << (8 * j); m += j; mlen -= j; ▲ AES in counter mode. h = ((h + c) * rbar) % p; } ▲ ytes. Sender, receiver share ( r❀ ❦ ) unsigned char aeskn[16]; aes(aeskn,k,n); where ❦ is 16-byte AES key; needs for (j = 0;j < 16;++j) h += ((mpz_class) aeskn[j]) << (8 * compute s ♥ = AES ❦ ( ♥ ). for (j = 0;j < 16;++j) { mpz_class c = h % 256; ▲ bytes. h >>= 8; Security proof breaks down out[j] = c.get_ui(); } since s ♥ ’s are dependent, but can still prove that attack on authenticator implies attack on AES. ssages?

  59. Authenticator is ♠ ♥ ( r ) mod ♣ unsigned int j; mpz_class rbar = 0; encrypted with one-time pad s ♥ . for (j = 0;j < 16;++j) rbar += ((mpz_class) r[j]) << (8 * j); mpz_class h = 0; Can replace one-time pad mpz_class p = (((mpz_class) 1) << 130) - 5; while (mlen > 0) { with stream-cipher output. mpz_class c = 0; for (j = 0;(j < 16) && (j < mlen);++j) c += ((mpz_class) m[j]) << (8 * j); Typical stream cipher: c += ((mpz_class) 1) << (8 * j); m += j; mlen -= j; AES in counter mode. h = ((h + c) * rbar) % p; } Sender, receiver share ( r❀ ❦ ) unsigned char aeskn[16]; aes(aeskn,k,n); where ❦ is 16-byte AES key; for (j = 0;j < 16;++j) h += ((mpz_class) aeskn[j]) << (8 * j); compute s ♥ = AES ❦ ( ♥ ). for (j = 0;j < 16;++j) { mpz_class c = h % 256; h >>= 8; Security proof breaks down out[j] = c.get_ui(); } since s ♥ ’s are dependent, but can still prove that attack on authenticator implies attack on AES.

  60. Authenticator is ♠ ♥ ( r ) mod ♣ Another unsigned int j; mpz_class rbar = 0; encrypted with one-time pad s ♥ . ❋ ❦ ( ♥ ) = ❦❀ ♥ for (j = 0;j < 16;++j) rbar += ((mpz_class) r[j]) << (8 * j); Somewhat mpz_class h = 0; replace one-time pad mpz_class p = (((mpz_class) 1) << 130) - 5; while (mlen > 0) { stream-cipher output. “Hasn’t mpz_class c = 0; for (j = 0;(j < 16) && (j < mlen);++j) Distinct ❦❀ ♥ ❀ ❦ ✵ ❀ ♥ ✵ c += ((mpz_class) m[j]) << (8 * j); ypical stream cipher: c += ((mpz_class) 1) << (8 * j); ❦ ✵ ❀ ♥ ✵ with MD5( ❦❀ ♥ m += j; mlen -= j; counter mode. h = ((h + c) * rbar) % p; (2004 W } Sender, receiver share ( r❀ ❦ ) unsigned char aeskn[16]; Still not aes(aeskn,k,n); ❦ is 16-byte AES key; for (j = 0;j < 16;++j) ♥ ✼✦ MD5( ❦❀ ♥ ❦ h += ((mpz_class) aeskn[j]) << (8 * j); compute s ♥ = AES ❦ ( ♥ ). for (j = 0;j < 16;++j) { We know mpz_class c = h % 256; h >>= 8; Security proof breaks down out[j] = c.get_ui(); Many other } s ♥ ’s are dependent, are unbrok can still prove that on authenticator implies attack on AES.

  61. ♠ ♥ ( r ) mod ♣ Another stream cipher: unsigned int j; mpz_class rbar = 0; one-time pad s ♥ . ❋ ❦ ( ♥ ) = MD5( ❦❀ ♥ for (j = 0;j < 16;++j) rbar += ((mpz_class) r[j]) << (8 * j); Somewhat slower than mpz_class h = 0; one-time pad mpz_class p = (((mpz_class) 1) << 130) - 5; while (mlen > 0) { stream-cipher output. “Hasn’t MD5 been mpz_class c = 0; for (j = 0;(j < 16) && (j < mlen);++j) Distinct ( ❦❀ ♥ ) ❀ ( ❦ ✵ ❀ ♥ ✵ c += ((mpz_class) m[j]) << (8 * j); cipher: c += ((mpz_class) 1) << (8 * j); ❦ ✵ ❀ ♥ ✵ with MD5( ❦❀ ♥ ) = m += j; mlen -= j; mode. h = ((h + c) * rbar) % p; (2004 Wang) } share ( r❀ ❦ ) unsigned char aeskn[16]; Still not obvious ho aes(aeskn,k,n); ❦ yte AES key; for (j = 0;j < 16;++j) ♥ ✼✦ MD5( ❦❀ ♥ ) fo ❦ h += ((mpz_class) aeskn[j]) << (8 * j); s ♥ AES ❦ ( ♥ ). for (j = 0;j < 16;++j) { We know AES collisions mpz_class c = h % 256; h >>= 8; reaks down out[j] = c.get_ui(); Many other stream } s ♥ dependent, are unbroken, faster rove that nticator on AES.

  62. ♠ ♥ r mod ♣ Another stream cipher: unsigned int j; mpz_class rbar = 0; pad s ♥ . ❋ ❦ ( ♥ ) = MD5( ❦❀ ♥ ). for (j = 0;j < 16;++j) rbar += ((mpz_class) r[j]) << (8 * j); Somewhat slower than AES. mpz_class h = 0; mpz_class p = (((mpz_class) 1) << 130) - 5; while (mlen > 0) { output. “Hasn’t MD5 been broken?” mpz_class c = 0; for (j = 0;(j < 16) && (j < mlen);++j) Distinct ( ❦❀ ♥ ) ❀ ( ❦ ✵ ❀ ♥ ✵ ) are kno c += ((mpz_class) m[j]) << (8 * j); c += ((mpz_class) 1) << (8 * j); with MD5( ❦❀ ♥ ) = MD5( ❦ ✵ ❀ ♥ ✵ m += j; mlen -= j; h = ((h + c) * rbar) % p; (2004 Wang) } r❀ ❦ ) unsigned char aeskn[16]; Still not obvious how to predict aes(aeskn,k,n); ❦ ey; for (j = 0;j < 16;++j) ♥ ✼✦ MD5( ❦❀ ♥ ) for secret ❦ h += ((mpz_class) aeskn[j]) << (8 * j); s ♥ ❦ ♥ for (j = 0;j < 16;++j) { We know AES collisions too! mpz_class c = h % 256; h >>= 8; wn out[j] = c.get_ui(); Many other stream ciphers } s ♥ are unbroken, faster than AES.

  63. Another stream cipher: unsigned int j; mpz_class rbar = 0; ❋ ❦ ( ♥ ) = MD5( ❦❀ ♥ ). for (j = 0;j < 16;++j) rbar += ((mpz_class) r[j]) << (8 * j); Somewhat slower than AES. mpz_class h = 0; mpz_class p = (((mpz_class) 1) << 130) - 5; while (mlen > 0) { “Hasn’t MD5 been broken?” mpz_class c = 0; for (j = 0;(j < 16) && (j < mlen);++j) Distinct ( ❦❀ ♥ ) ❀ ( ❦ ✵ ❀ ♥ ✵ ) are known c += ((mpz_class) m[j]) << (8 * j); c += ((mpz_class) 1) << (8 * j); with MD5( ❦❀ ♥ ) = MD5( ❦ ✵ ❀ ♥ ✵ ). m += j; mlen -= j; h = ((h + c) * rbar) % p; (2004 Wang) } unsigned char aeskn[16]; Still not obvious how to predict aes(aeskn,k,n); for (j = 0;j < 16;++j) ♥ ✼✦ MD5( ❦❀ ♥ ) for secret ❦ . h += ((mpz_class) aeskn[j]) << (8 * j); for (j = 0;j < 16;++j) { We know AES collisions too! mpz_class c = h % 256; h >>= 8; out[j] = c.get_ui(); Many other stream ciphers } are unbroken, faster than AES.

  64. Another stream cipher: Alternatives int j; rbar = 0; ❋ ❦ ( ♥ ) = MD5( ❦❀ ♥ ). 0;j < 16;++j) Use ✁ ✁ ✁ ✟ ❦ ♥ ((mpz_class) r[j]) << (8 * j); Somewhat slower than AES. h = 0; instead of ✁ ✁ ✁ ❦ ♥ p = (((mpz_class) 1) << 130) - 5; (mlen > 0) { “Hasn’t MD5 been broken?” No! Destro mpz_class c = 0; 0;(j < 16) && (j < mlen);++j) Distinct ( ❦❀ ♥ ) ❀ ( ❦ ✵ ❀ ♥ ✵ ) are known might allo ((mpz_class) m[j]) << (8 * j); ((mpz_class) 1) << (8 * j); with MD5( ❦❀ ♥ ) = MD5( ❦ ✵ ❀ ♥ ✵ ). even if AES mlen -= j; + c) * rbar) % p; (2004 Wang) Use AES ❦ ✁ ✁ ✁ ♥ char aeskn[16]; Still not obvious how to predict aes(aeskn,k,n); No! Brok 0;j < 16;++j) ♥ ✼✦ MD5( ❦❀ ♥ ) for secret ❦ . ((mpz_class) aeskn[j]) << (8 * j); using ❁ 0;j < 16;++j) { We know AES collisions too! mpz_class c = h % 256; But ok fo c.get_ui(); Many other stream ciphers Use Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ are unbroken, faster than AES. Seems to

  65. Another stream cipher: Alternatives to + ❋ ❦ ( ♥ ) = MD5( ❦❀ ♥ ). Use ✁ ✁ ✁ ✟ AES ❦ ( ♥ ) r[j]) << (8 * j); Somewhat slower than AES. instead of ✁ ✁ ✁ + AES ❦ ♥ (((mpz_class) 1) << 130) - 5; “Hasn’t MD5 been broken?” No! Destroys securit (j < mlen);++j) Distinct ( ❦❀ ♥ ) ❀ ( ❦ ✵ ❀ ♥ ✵ ) are known might allow successful m[j]) << (8 * j); << (8 * j); with MD5( ❦❀ ♥ ) = MD5( ❦ ✵ ❀ ♥ ✵ ). even if AES is secure. p; (2004 Wang) Use AES ❦ ( ✁ ✁ ✁ ), omitting ♥ Still not obvious how to predict No! Broken by kno ♥ ✼✦ MD5( ❦❀ ♥ ) for secret ❦ . using ❁ 2 64 authenticato aeskn[j]) << (8 * j); We know AES collisions too! But ok for small # Many other stream ciphers Use Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ are unbroken, faster than AES. Seems to be massive

  66. Another stream cipher: Alternatives to + ❋ ❦ ( ♥ ) = MD5( ❦❀ ♥ ). Use ✁ ✁ ✁ ✟ AES ❦ ( ♥ ) j); Somewhat slower than AES. instead of ✁ ✁ ✁ + AES ❦ ( ♥ )? 130) - 5; “Hasn’t MD5 been broken?” No! Destroys security analysis; mlen);++j) Distinct ( ❦❀ ♥ ) ❀ ( ❦ ✵ ❀ ♥ ✵ ) are known might allow successful forgeries j); with MD5( ❦❀ ♥ ) = MD5( ❦ ✵ ❀ ♥ ✵ ). even if AES is secure. (2004 Wang) Use AES ❦ ( ✁ ✁ ✁ ), omitting ♥ ? Still not obvious how to predict No! Broken by known attacks ♥ ✼✦ MD5( ❦❀ ♥ ) for secret ❦ . using ❁ 2 64 authenticators. j); We know AES collisions too! But ok for small # messages. Many other stream ciphers Use Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ )? are unbroken, faster than AES. Seems to be massive overkill.

  67. Another stream cipher: Alternatives to + ❋ ❦ ( ♥ ) = MD5( ❦❀ ♥ ). Use ✁ ✁ ✁ ✟ AES ❦ ( ♥ ) Somewhat slower than AES. instead of ✁ ✁ ✁ + AES ❦ ( ♥ )? “Hasn’t MD5 been broken?” No! Destroys security analysis; Distinct ( ❦❀ ♥ ) ❀ ( ❦ ✵ ❀ ♥ ✵ ) are known might allow successful forgeries with MD5( ❦❀ ♥ ) = MD5( ❦ ✵ ❀ ♥ ✵ ). even if AES is secure. (2004 Wang) Use AES ❦ ( ✁ ✁ ✁ ), omitting ♥ ? Still not obvious how to predict No! Broken by known attacks ♥ ✼✦ MD5( ❦❀ ♥ ) for secret ❦ . using ❁ 2 64 authenticators. We know AES collisions too! But ok for small # messages. Many other stream ciphers Use Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ )? are unbroken, faster than AES. Seems to be massive overkill.

  68. Another stream cipher: Alternatives to + Alternatives ❋ ❦ ♥ = MD5( ❦❀ ♥ ). Use ✁ ✁ ✁ ✟ AES ❦ ( ♥ ) Notation: r ♠ Somewhat slower than AES. instead of ✁ ✁ ✁ + AES ❦ ( ♥ )? ( ♠ ( r ) mo � “Hasn’t MD5 been broken?” No! Destroys security analysis; ♠❀ ♠ ✵ For all distinct Distinct ( ❦❀ ♥ ) ❀ ( ❦ ✵ ❀ ♥ ✵ ) are known might allow successful forgeries Pr[Poly1305 r ♠ MD5( ❦❀ ♥ ) = MD5( ❦ ✵ ❀ ♥ ✵ ). even if AES is secure. Poly1305 r ♠ ✵ Wang) Use AES ❦ ( ✁ ✁ ✁ ), omitting ♥ ? “Small collision not obvious how to predict No! Broken by known attacks ♠❀ ♠ ✵ For all distinct ♥ ✼✦ MD5( ❦❀ ♥ ) for secret ❦ . using ❁ 2 64 authenticators. and all 16- know AES collisions too! But ok for small # messages. Pr[Poly1305 r ♠ other stream ciphers Poly1305 r ♠ ✵ Use Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ )? broken, faster than AES. Seems to be massive overkill. is very small. “Small differential

  69. cipher: Alternatives to + Alternatives to Poly1305 ❋ ❦ ♥ ❦❀ ♥ ). Use ✁ ✁ ✁ ✟ AES ❦ ( ♥ ) Notation: Poly1305 r ♠ er than AES. ( ♠ ( r ) mod 2 130 � instead of ✁ ✁ ✁ + AES ❦ ( ♥ )? een broken?” No! Destroys security analysis; ♠❀ ♠ ✵ For all distinct mess ❦❀ ♥ ❀ ❦ ✵ ❀ ♥ ✵ ) are known might allow successful forgeries Pr[Poly1305 r ( ♠ ) = ❦❀ ♥ = MD5( ❦ ✵ ❀ ♥ ✵ ). even if AES is secure. Poly1305 r ( ♠ ✵ )] Use AES ❦ ( ✁ ✁ ✁ ), omitting ♥ ? “Small collision probabilities.” how to predict No! Broken by known attacks ♠❀ ♠ ✵ For all distinct mess ❦❀ ♥ for secret ❦ . ♥ ✼✦ using ❁ 2 64 authenticators. and all 16-byte sequences collisions too! But ok for small # messages. Pr[Poly1305 r ( ♠ ) = stream ciphers Poly1305 r ( ♠ ✵ ) Use Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ )? faster than AES. Seems to be massive overkill. is very small. “Small differential

  70. Alternatives to + Alternatives to Poly1305 ❋ ❦ ♥ ❦❀ ♥ Use ✁ ✁ ✁ ✟ AES ❦ ( ♥ ) Notation: Poly1305 r ( ♠ ) = AES. ( ♠ ( r ) mod 2 130 � 5) mod 2 128 instead of ✁ ✁ ✁ + AES ❦ ( ♥ )? en?” No! Destroys security analysis; For all distinct messages ♠❀ ♠ ✵ ❦❀ ♥ ❀ ❦ ✵ ❀ ♥ ✵ known might allow successful forgeries Pr[Poly1305 r ( ♠ ) = ❦ ✵ ❀ ♥ ✵ ). ❦❀ ♥ even if AES is secure. Poly1305 r ( ♠ ✵ )] is very small. Use AES ❦ ( ✁ ✁ ✁ ), omitting ♥ ? “Small collision probabilities.” redict No! Broken by known attacks For all distinct messages ♠❀ ♠ ✵ ❦ . ♥ ✼✦ ❦❀ ♥ using ❁ 2 64 authenticators. and all 16-byte sequences ∆: o! But ok for small # messages. Pr[Poly1305 r ( ♠ ) = ciphers Poly1305 r ( ♠ ✵ ) + ∆ mod Use Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ )? AES. Seems to be massive overkill. is very small. “Small differential probabilities.”

  71. Alternatives to + Alternatives to Poly1305 Use ✁ ✁ ✁ ✟ AES ❦ ( ♥ ) Notation: Poly1305 r ( ♠ ) = ( ♠ ( r ) mod 2 130 � 5) mod 2 128 . instead of ✁ ✁ ✁ + AES ❦ ( ♥ )? No! Destroys security analysis; For all distinct messages ♠❀ ♠ ✵ : might allow successful forgeries Pr[Poly1305 r ( ♠ ) = even if AES is secure. Poly1305 r ( ♠ ✵ )] is very small. Use AES ❦ ( ✁ ✁ ✁ ), omitting ♥ ? “Small collision probabilities.” No! Broken by known attacks For all distinct messages ♠❀ ♠ ✵ using ❁ 2 64 authenticators. and all 16-byte sequences ∆: But ok for small # messages. Pr[Poly1305 r ( ♠ ) = Poly1305 r ( ♠ ✵ ) + ∆ mod 2 128 ] Use Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ )? Seems to be massive overkill. is very small. “Small differential probabilities.”

  72. Alternatives to + Alternatives to Poly1305 Easy to build that satisfy ✁ ✁ ✁ ✟ AES ❦ ( ♥ ) Notation: Poly1305 r ( ♠ ) = ( ♠ ( r ) mod 2 130 � 5) mod 2 128 . of ✁ ✁ ✁ + AES ❦ ( ♥ )? Embed messages Destroys security analysis; polynomial ① ❀ ① ❀ ① ❀ ✿ ✿ ✿ For all distinct messages ♠❀ ♠ ✵ : allow successful forgeries Pr[Poly1305 r ( ♠ ) = Use ♠ ✼✦ ♠ r if AES is secure. Poly1305 r ( ♠ ✵ )] is very small. r is a random AES ❦ ( ✁ ✁ ✁ ), omitting ♥ ? “Small collision probabilities.” Small differential Broken by known attacks means that ♠ � ♠ ✵ � For all distinct messages ♠❀ ♠ ✵ ❁ 2 64 authenticators. and all 16-byte sequences ∆: is divisible r for small # messages. ♠ ✵ Pr[Poly1305 r ( ♠ ) = when ♠ ✻ Poly1305 r ( ♠ ✵ ) + ∆ mod 2 128 ] Salsa20( ❦❀ ♥❀ ✁ ✁ ✁ )? (Addition to be massive overkill. is very small. mod 2 128 “Small differential probabilities.”

  73. Alternatives to Poly1305 Easy to build other that satisfy these p ✁ ✁ ✁ ✟ ❦ ♥ ) Notation: Poly1305 r ( ♠ ) = ( ♠ ( r ) mod 2 130 � 5) mod 2 128 . ✁ ✁ ✁ AES ❦ ( ♥ )? Embed messages and security analysis; polynomial ring Z [ ① ❀ ① ❀ ① ❀ ✿ ✿ ✿ For all distinct messages ♠❀ ♠ ✵ : successful forgeries Pr[Poly1305 r ( ♠ ) = Use ♠ ✼✦ ♠ mod r secure. Poly1305 r ( ♠ ✵ )] is very small. r is a random prime ❦ ✁ ✁ ✁ omitting ♥ ? “Small collision probabilities.” Small differential p known attacks means that ♠ � ♠ ✵ � For all distinct messages ♠❀ ♠ ✵ ❁ authenticators. and all 16-byte sequences ∆: is divisible by very r # messages. when ♠ ✻ = ♠ ✵ . Pr[Poly1305 r ( ♠ ) = Poly1305 r ( ♠ ✵ ) + ∆ mod 2 128 ] ❦❀ ♥❀ ✁ ✁ ✁ )? (Addition of ∆ is massive overkill. is very small. mod 2 128 ; be careful. “Small differential probabilities.”

  74. Alternatives to Poly1305 Easy to build other functions that satisfy these properties. ✁ ✁ ✁ ✟ ❦ ♥ Notation: Poly1305 r ( ♠ ) = ( ♠ ( r ) mod 2 130 � 5) mod 2 128 . ✁ ✁ ✁ ❦ ♥ Embed messages and outputs analysis; polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ For all distinct messages ♠❀ ♠ ✵ : rgeries Pr[Poly1305 r ( ♠ ) = Use ♠ ✼✦ ♠ mod r where Poly1305 r ( ♠ ✵ )] is very small. r is a random prime ideal. ❦ ✁ ✁ ✁ ♥ ? “Small collision probabilities.” Small differential probability attacks means that ♠ � ♠ ✵ � ∆ For all distinct messages ♠❀ ♠ ✵ ❁ rs. and all 16-byte sequences ∆: is divisible by very few r ’s messages. when ♠ ✻ = ♠ ✵ . Pr[Poly1305 r ( ♠ ) = Poly1305 r ( ♠ ✵ ) + ∆ mod 2 128 ] ❦❀ ♥❀ ✁ ✁ ✁ (Addition of ∆ is overkill. is very small. mod 2 128 ; be careful.) “Small differential probabilities.”

  75. Alternatives to Poly1305 Easy to build other functions that satisfy these properties. Notation: Poly1305 r ( ♠ ) = ( ♠ ( r ) mod 2 130 � 5) mod 2 128 . Embed messages and outputs into polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. For all distinct messages ♠❀ ♠ ✵ : Pr[Poly1305 r ( ♠ ) = Use ♠ ✼✦ ♠ mod r where Poly1305 r ( ♠ ✵ )] is very small. r is a random prime ideal. “Small collision probabilities.” Small differential probability means that ♠ � ♠ ✵ � ∆ For all distinct messages ♠❀ ♠ ✵ and all 16-byte sequences ∆: is divisible by very few r ’s when ♠ ✻ = ♠ ✵ . Pr[Poly1305 r ( ♠ ) = Poly1305 r ( ♠ ✵ ) + ∆ mod 2 128 ] (Addition of ∆ is is very small. mod 2 128 ; be careful.) “Small differential probabilities.”

  76. ✻ Alternatives to Poly1305 Easy to build other functions Example: that satisfy these properties. Notation: Poly1305 r ( ♠ ) = View mes ♠ ♠ r mod 2 130 � 5) mod 2 128 . Embed messages and outputs into specifically ✟ ✠ polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: ❀ ❀ ✿ ✿ ✿ ❀ � distinct messages ♠❀ ♠ ✵ : oly1305 r ( ♠ ) = Use ♠ ✼✦ ♠ mod r where Reduce ♠ oly1305 r ( ♠ ✵ )] is very small. r is a random prime ideal. random p r “Small collision probabilities.” between Small differential probability (Problem: r means that ♠ � ♠ ✵ � ∆ distinct messages ♠❀ ♠ ✵ all 16-byte sequences ∆: is divisible by very few r ’s Low differential ♠ � ♠ ✵ � when ♠ ✻ = ♠ ✵ . if ♠ ✻ = ♠ ✵ oly1305 r ( ♠ ) = so ♠ � ♠ ✵ � oly1305 r ( ♠ ✵ ) + ∆ mod 2 128 ] (Addition of ∆ is small. by very few mod 2 128 ; be careful.) “Small differential probabilities.”

  77. ✻ oly1305 Easy to build other functions Example: (1981 Ka that satisfy these properties. oly1305 r ( ♠ ) = View messages ♠ � 5) mod 2 128 . ♠ r Embed messages and outputs into specifically multiples ✟ ✠ polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ � messages ♠❀ ♠ ✵ : r ♠ ) = Use ♠ ✼✦ ♠ mod r where Reduce ♠ modulo r ♠ ✵ )] is very small. r is a random prime ideal. random prime numb r between 2 120 and probabilities.” Small differential probability (Problem: generating r means that ♠ � ♠ ✵ � ∆ messages ♠❀ ♠ ✵ sequences ∆: is divisible by very few r ’s Low differential probabilit if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � when ♠ ✻ = ♠ ✵ . r ♠ ) = so ♠ � ♠ ✵ � ∆ is r ♠ ✵ ) + ∆ mod 2 128 ] (Addition of ∆ is by very few prime mod 2 128 ; be careful.) differential probabilities.”

  78. Easy to build other functions Example: (1981 Karp Rabin) that satisfy these properties. r ♠ View messages ♠ as integers, 2 128 . specifically multiples of 2 128 . ♠ r � Embed messages and outputs into 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: ♠❀ ♠ ✵ : r ♠ Use ♠ ✼✦ ♠ mod r where Reduce ♠ modulo a uniform r ♠ ✵ small. r is a random prime ideal. random prime number r between 2 120 and 2 128 . robabilities.” Small differential probability (Problem: generating r is slo means that ♠ � ♠ ✵ � ∆ ♠❀ ♠ ✵ ∆: is divisible by very few r ’s Low differential probability: if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ when ♠ ✻ = ♠ ✵ . r ♠ so ♠ � ♠ ✵ � ∆ is divisible d 2 128 ] r ♠ ✵ (Addition of ∆ is by very few prime numbers. mod 2 128 ; be careful.) robabilities.”

  79. Easy to build other functions Example: (1981 Karp Rabin) that satisfy these properties. View messages ♠ as integers, specifically multiples of 2 128 . Embed messages and outputs into 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ polynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: . Use ♠ ✼✦ ♠ mod r where Reduce ♠ modulo a uniform r is a random prime ideal. random prime number r between 2 120 and 2 128 . Small differential probability (Problem: generating r is slow.) means that ♠ � ♠ ✵ � ∆ is divisible by very few r ’s Low differential probability: if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 when ♠ ✻ = ♠ ✵ . so ♠ � ♠ ✵ � ∆ is divisible (Addition of ∆ is by very few prime numbers. mod 2 128 ; be careful.)

  80. to build other functions Example: (1981 Karp Rabin) Variant that ✟ satisfy these properties. View messages ♠ as integers, View mes ♠ specifically multiples of 2 128 . ♠ 128 ① 128 messages and outputs into ♠ ① ✁ ✁ ✁ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ olynomial ring Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: . with each ♠ ✐ ❢ ❀ ❣ ♠ ✼✦ ♠ mod r where Reduce ♠ modulo a uniform Outputs: ♦ ♦ ① ✁ ✁ ✁ ♦ ① r random prime ideal. random prime number r with each ♦ ✐ ❢ ❀ ❣ between 2 120 and 2 128 . differential probability Reduce ♠ ❀ r (Problem: generating r is slow.) that ♠ � ♠ ✵ � ∆ r is a uni divisible by very few r ’s Low differential probability: degree-128 ❂ if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✻ = ♠ ✵ . (Problem: r so ♠ � ♠ ✵ � ∆ is divisible typical CPU (Addition of ∆ is by very few prime numbers. for polynomial 128 ; be careful.)

  81. other functions Example: (1981 Karp Rabin) Variant that works ✟ these properties. View messages ♠ as integers, View messages ♠ ♠ 128 ① 128 + ♠ 129 ① specifically multiples of 2 128 . messages and outputs into ✁ ✁ ✁ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ Z [ ① 1 ❀ ① 2 ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: . with each ♠ ✐ in ❢ 0 ❀ ❣ ♠ ✼✦ ♠ d r where Reduce ♠ modulo a uniform Outputs: ♦ 0 + ♦ 1 ① ✁ ✁ ✁ ♦ ① r rime ideal. random prime number r with each ♦ ✐ in ❢ 0 ❀ ❣ between 2 120 and 2 128 . differential probability Reduce ♠ modulo ❀ r (Problem: generating r is slow.) ♠ � ♠ ✵ � ∆ r is a uniform random very few r ’s Low differential probability: degree-128 polynomial ❂ if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✵ ♠ ✻ (Problem: division r so ♠ � ♠ ✵ � ∆ is divisible typical CPU has no is by very few prime numbers. for polynomial multip reful.)

  82. functions Example: (1981 Karp Rabin) Variant that works with ✟ : erties. View messages ♠ as integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ specifically multiples of 2 128 . outputs into 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ ① ❀ ① ❀ ① 3 ❀ ✿ ✿ ✿ ]. Outputs: . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . ♠ ✼✦ ♠ r Reduce ♠ modulo a uniform Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① r random prime number r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . between 2 120 and 2 128 . robability Reduce ♠ modulo 2 ❀ r where (Problem: generating r is slow.) ♠ � ♠ ✵ � r is a uniform random irreducible r Low differential probability: degree-128 polynomial over Z ❂ if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✵ ♠ ✻ (Problem: division by r is slo so ♠ � ♠ ✵ � ∆ is divisible typical CPU has no big circuit by very few prime numbers. for polynomial multiplication.)

  83. Example: (1981 Karp Rabin) Variant that works with ✟ : View messages ♠ as integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ specifically multiples of 2 128 . 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ Outputs: . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① 127 Reduce ♠ modulo a uniform random prime number r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . between 2 120 and 2 128 . Reduce ♠ modulo 2 ❀ r where (Problem: generating r is slow.) r is a uniform random irreducible Low differential probability: degree-128 polynomial over Z ❂ 2. if ♠ ✻ = ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 (Problem: division by r is slow; so ♠ � ♠ ✵ � ∆ is divisible typical CPU has no big circuit by very few prime numbers. for polynomial multiplication.)

  84. Example: (1981 Karp Rabin) Variant that works with ✟ : Example: MacWilliams messages ♠ as integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ ecifically multiples of 2 128 . Choose p ♣ ✙ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ Outputs: . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . View mes ♠ polys ♠ 1 ① ♠ ① ♠ ① Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① 127 Reduce ♠ modulo a uniform ♠ 1 ❀ ♠ 2 ❀ ♠ ✷ ❢ ❀ ✿ ✿ ✿ ❀ ♣ � ❣ prime number r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . Outputs: ❢ ❀ ✿ ✿ ✿ ❀ ♣ � ❣ een 2 120 and 2 128 . Reduce ♠ modulo 2 ❀ r where (Problem: generating r is slow.) Reduce ♠ r is a uniform random irreducible ♣❀ ① 1 � r ❀ ① � r ❀ ① � r differential probability: degree-128 polynomial over Z ❂ 2. to ♠ 1 r 1 ♠ r ♠ r ♣ ♠ ✵ then ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✻ (Problem: division by r is slow; (Problem: ♠ r ♠ � ♠ ✵ � ∆ is divisible typical CPU has no big circuit very few prime numbers. for polynomial multiplication.)

  85. Karp Rabin) Variant that works with ✟ : Example: (1974 Gilb MacWilliams Sloane) ♠ as integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ multiples of 2 128 . Choose prime numb ♣ ✙ ❀ ❀ ✿ ✿ ✿ ❀ 2 128 � 1 ✟ ✠ . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . View messages ♠ polys ♠ 1 ① 1 + ♠ 2 ① ♠ ① Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① 127 ♠ dulo a uniform ♠ 1 ❀ ♠ 2 ❀ ♠ 3 ✷ ❢ 0 ❀ ✿ ✿ ✿ ❀ ♣ � ❣ number r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . Outputs: ❢ 0 ❀ ✿ ✿ ✿ ❀ ♣ � ❣ and 2 128 . Reduce ♠ modulo 2 ❀ r where generating r is slow.) Reduce ♠ modulo r is a uniform random irreducible ♣❀ ① 1 � r 1 ❀ ① 2 � r 2 ❀ ① � r probability: degree-128 polynomial over Z ❂ 2. to ♠ 1 r 1 + ♠ 2 r 2 + ♠ r ♣ ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✵ ♠ ✻ (Problem: division by r is slow; (Problem: long ♠ r ♠ � ♠ ✵ � is divisible typical CPU has no big circuit rime numbers. for polynomial multiplication.)

  86. Rabin) Variant that works with ✟ : Example: (1974 Gilbert MacWilliams Sloane) ♠ integers, View messages ♠ as polynomials ♠ 128 ① 128 + ♠ 129 ① 129 + ✁ ✁ ✁ 128 . Choose prime number ♣ ✙ 2 ✟ ✠ ❀ ❀ ✿ ✿ ✿ ❀ � 1 . with each ♠ ✐ in ❢ 0 ❀ 1 ❣ . View messages ♠ as linear polys ♠ 1 ① 1 + ♠ 2 ① 2 + ♠ 3 ① 3 Outputs: ♦ 0 + ♦ 1 ① + ✁ ✁ ✁ + ♦ 127 ① 127 ♠ rm ♠ 1 ❀ ♠ 2 ❀ ♠ 3 ✷ ❢ 0 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ r with each ♦ ✐ in ❢ 0 ❀ 1 ❣ . Outputs: ❢ 0 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . Reduce ♠ modulo 2 ❀ r where r slow.) Reduce ♠ modulo r is a uniform random irreducible ♣❀ ① 1 � r 1 ❀ ① 2 � r 2 ❀ ① 3 � r 3 y: degree-128 polynomial over Z ❂ 2. to ♠ 1 r 1 + ♠ 2 r 2 + ♠ 3 r 3 mo ♣ ♠ � ♠ ✵ � ∆ ✻ = 0 ♠ ✵ ♠ ✻ (Problem: division by r is slow; (Problem: long ♠ needs long r ♠ � ♠ ✵ � divisible typical CPU has no big circuit rs. for polynomial multiplication.)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago When we design hash functions, stream ciphers, and other secret-key primitives, should we use integer multiplication? AES uses 32 ; 32 ! 32 xor;

634 views • 39 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that messages come from the alleged source, unaltered SMU CSE 5349/7349 Authentication Functions Message encryption Ciphertext itself serves as

1.16k views • 69 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee Department of Computer Science University of Calgary March 4, 2020 Outline Password hashing 1 SHA-3 2 Design strategy Details MACs 3 Properties of

519 views • 39 slides
Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming

512 views • 48 slides
References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

Message Authentication Codes (MACs) Message Authentication Codes (MACs) References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter 12 of Understanding Cryptography by Paar &amp; Pelzl Jim Royer Message

224 views • 3 slides
Message authentication and digital signatures &quot; Message authentication verify that the

Message authentication and digital signatures &quot; Message authentication verify that the

Message authentication and digital signatures &quot; Message authentication verify that the message is from the right sender, and not modified (incl message sequence) &quot; Digital signatures in addition, non ! repudiation &quot; Two

439 views • 23 slides
Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming identity of

982 views • 46 slides
Message from Marli Foundation, Inc. GD Design Studio, LLC www.gdDesignStudio.com

Message from Marli Foundation, Inc. GD Design Studio, LLC www.gdDesignStudio.com

DESIGN STUDIO R GRAPHIC/WEB DESIGN &amp; MARKETING Presentation Proposal for: Message from Marli Foundation, Inc. GD Design Studio, LLC www.gdDesignStudio.com info@gdDesignStudio.com 1.800.789.8732 Logo GD Design

369 views • 9 slides
Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with

Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with

Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with Gorjan Alagic, Alexander Russell and Fang Song QCrypt 2018, Shanghai, China Message authentication Alice Bob m Message authentication Alice Bob

1.3k views • 68 slides
Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE

Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE

Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE Approaches to Message Authentication Secure Hash Functions (SHA) and Keyed- Hash Message Authentication Code (HMAC) Public-Key Cryptography

458 views • 29 slides
Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication Problem Bob Alice k k message M Eve is Active: Can alter messages Can insert new messages Authentication Problem Secrecy is not the only

553 views • 37 slides
ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient

ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient

ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient IGG 04-04-2012 Recipient ID in Message must match the physical Message recipient Background Message routing in the new Tibco-based environment will

79 views • 3 slides
Data Integrity &amp; Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity &amp; Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity &amp; Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice Bob (sender) (reciever) Fran (forger) Remark: Authentication

450 views • 31 slides
+ Design of Parallel Algorithms Introduction to the Message Passing Interface MPI + Principles

+ Design of Parallel Algorithms Introduction to the Message Passing Interface MPI + Principles

+ Design of Parallel Algorithms Introduction to the Message Passing Interface MPI + Principles of Message-Passing Programming n The logical view of a machine supporting the message-passing paradigm consists of p processes, each with its own

683 views • 39 slides
Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2

Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2

Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2 Christof J. Budnik 2 Michael Golm 2 e Platzer 1 Andr 1 Computer Science Department, Carnegie Mellon University 2 Siemens Corporate Technology, Princeton,

731 views • 52 slides
CSCE 990 Lecture 7: SVMs for Classification Stephen D. Scott February 14, 2006 Most

CSCE 990 Lecture 7: SVMs for Classification Stephen D. Scott February 14, 2006 Most

CSCE 990 Lecture 7: SVMs for Classification Stephen D. Scott February 14, 2006 Most figures c 2002 MIT Press, Bernhard Sch olkopf, and Alex Smola. 1 Introduction Finally, we get to put everything together! Much of this

575 views • 35 slides
SC2011 International Conference Scientific Computing on S. Margherita di Pula, Sardinia, Italy

SC2011 International Conference Scientific Computing on S. Margherita di Pula, Sardinia, Italy

EXTENSIONS OF PAD E-TYPE APPROXIMANTS Ernst Joachim Weniger Theoretical Chemistry University of Regensburg, Germany joachim.weniger@chemie.uni-regensburg.de SC2011 International Conference Scientific Computing on S. Margherita di Pula,

496 views • 26 slides
Basic Framework [This lecture adapted from Sutton &amp; Barto and Russell &amp; Norvig] The

Basic Framework [This lecture adapted from Sutton &amp; Barto and Russell &amp; Norvig] The

Basic Framework [This lecture adapted from Sutton &amp; Barto and Russell &amp; Norvig] The world evolves over time. We describe it with certain state variables. These variables About this class exist at each time period. For now well

351 views • 7 slides
We Have a DREAM: Distributed Reac5ve Programming with

We Have a DREAM: Distributed Reac5ve Programming with

We Have a DREAM: Distributed Reac5ve Programming with Consistency Guarantees Alessandro Margara, Guido Salvaneschi Presented by Wilfried Daniels Introduc5on

428 views • 42 slides
INVARIANT GRAPH SUBSPACES OF A J -SELF-ADJOINT OPERATOR IN THE FESHBACH CASE Alexander K.

INVARIANT GRAPH SUBSPACES OF A J -SELF-ADJOINT OPERATOR IN THE FESHBACH CASE Alexander K.

INVARIANT GRAPH SUBSPACES OF A J -SELF-ADJOINT OPERATOR IN THE FESHBACH CASE Alexander K. Motovilov Joint Institute for Nuclear Research and Dubna University, Dubna, Russia Workshop on Operator Theory and Indefinite Inner Product Spaces

295 views • 18 slides
Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Proposal Michael Denkowski

Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Proposal Michael Denkowski

Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Proposal Michael Denkowski Language Technologies Institute School of Computer Science Carnegie Mellon University May 30, 2013 Thesis Committee: Alon Lavie (chair),

1.51k views • 135 slides
Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Michael Denkowski

Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Michael Denkowski

Machine Translation for Human Translators Carnegie Mellon Ph.D. Thesis Michael Denkowski Language Technologies Institute School of Computer Science Carnegie Mellon University April 20, 2015 Thesis Committee: Alon Lavie (chair), Carnegie

1.63k views • 128 slides

More recommend