standardization for the black hat includes joint work
play

Standardization for the black hat Includes joint work with (in - PowerPoint PPT Presentation

Mar 24, 2024 •252 likes •1.3k views

1 2 Standardization for the black hat Includes joint work with (in alphabetical order): Daniel J. Bernstein Tung Chou 1 University of Illinois at Chicago & Chitchanok Chuengsatiansup 1 Technische Universiteit Eindhoven Andreas H

  1. 3 4 Random nonces in DSA/ECDSA Denial of service via flooding 1992 Rivest: “The poor user is Suspected terrorists Alice and given enough rope with which Bob are aided and abetted b to hang himself—something “auditors” (= “cryptanalysts” a standard should not do.” = “reviewers”) checking for NSA+NBS: exploitable security problems Standardize anyway. in cryptographic systems. enough! 2010 Bushing–Marcan–Segher– Example: SHA-3 competition it! Sven “PS3 epic fail”: PS3 involved 200 cryptographers forgeries—Sony hung itself. continues to around the world and took decades, Add complicated options years of sustained public effo for deterministic nonces, How can we slip a security while preserving old options. problem past all of them?

  2. 4 5 Random nonces in DSA/ECDSA Denial of service via flooding 1992 Rivest: “The poor user is Suspected terrorists Alice and given enough rope with which Bob are aided and abetted by to hang himself—something “auditors” (= “cryptanalysts” a standard should not do.” = “reviewers”) checking for exploitable security problems Standardize anyway. in cryptographic systems. 2010 Bushing–Marcan–Segher– Example: SHA-3 competition Sven “PS3 epic fail”: PS3 involved 200 cryptographers forgeries—Sony hung itself. around the world and took Add complicated options years of sustained public effort. for deterministic nonces, How can we slip a security while preserving old options. problem past all of them?

  3. 4 5 Random nonces in DSA/ECDSA Denial of service via flooding During the NIST also Rivest: “The poor user is Suspected terrorists Alice and FIPS 186-3 enough rope with which Bob are aided and abetted by FIPS 198-1 hang himself—something “auditors” (= “cryptanalysts” SP 800-38E standard should not do.” = “reviewers”) checking for SP 800-38F exploitable security problems Standardize anyway. SP 800-56C in cryptographic systems. SP 800-57 Bushing–Marcan–Segher– Example: SHA-3 competition SP 800-67 “PS3 epic fail”: PS3 involved 200 cryptographers SP 800-108 rgeries—Sony hung itself. around the world and took SP 800-131A complicated options years of sustained public effort. SP 800-133 terministic nonces, How can we slip a security SP 800-152 preserving old options. problem past all of them? and related such as SP

  4. 4 5 in DSA/ECDSA Denial of service via flooding During the same p NIST also published “The poor user is Suspected terrorists Alice and FIPS 186-3 (signatures), rope with which Bob are aided and abetted by FIPS 198-1 (authentication), himself—something “auditors” (= “cryptanalysts” SP 800-38E (disk should not do.” = “reviewers”) checking for SP 800-38F (key wrapping), exploitable security problems anyway. SP 800-56C (key derivation), in cryptographic systems. SP 800-57 (key management), Bushing–Marcan–Segher– Example: SHA-3 competition SP 800-67 (block encryption), fail”: PS3 involved 200 cryptographers SP 800-108 (key derivation), hung itself. around the world and took SP 800-131A (key options years of sustained public effort. SP 800-133 (key generation), nonces, How can we slip a security SP 800-152 (key management), old options. problem past all of them? and related protoc such as SP 800-81r1.

  5. 4 5 DSA/ECDSA Denial of service via flooding During the same period, NIST also published user is Suspected terrorists Alice and FIPS 186-3 (signatures), which Bob are aided and abetted by FIPS 198-1 (authentication), himself—something “auditors” (= “cryptanalysts” SP 800-38E (disk encryption), do.” = “reviewers”) checking for SP 800-38F (key wrapping), exploitable security problems SP 800-56C (key derivation), in cryptographic systems. SP 800-57 (key management), rcan–Segher– Example: SHA-3 competition SP 800-67 (block encryption), involved 200 cryptographers SP 800-108 (key derivation), itself. around the world and took SP 800-131A (key lengths), years of sustained public effort. SP 800-133 (key generation), How can we slip a security SP 800-152 (key management), options. problem past all of them? and related protocol documents such as SP 800-81r1.

  6. 5 6 Denial of service via flooding During the same period, NIST also published Suspected terrorists Alice and FIPS 186-3 (signatures), Bob are aided and abetted by FIPS 198-1 (authentication), “auditors” (= “cryptanalysts” SP 800-38E (disk encryption), = “reviewers”) checking for SP 800-38F (key wrapping), exploitable security problems SP 800-56C (key derivation), in cryptographic systems. SP 800-57 (key management), Example: SHA-3 competition SP 800-67 (block encryption), involved 200 cryptographers SP 800-108 (key derivation), around the world and took SP 800-131A (key lengths), years of sustained public effort. SP 800-133 (key generation), How can we slip a security SP 800-152 (key management), problem past all of them? and related protocol documents such as SP 800-81r1.

  7. 5 6 of service via flooding During the same period, Attention NIST also published not entirely ected terrorists Alice and FIPS 186-3 (signatures), re aided and abetted by Auditors FIPS 198-1 (authentication), “auditors” (= “cryptanalysts” security SP 800-38E (disk encryption), “reviewers”) checking for just befo SP 800-38F (key wrapping), exploitable security problems SP 800-56C (key derivation), cryptographic systems. SP 800-57 (key management), Example: SHA-3 competition SP 800-67 (block encryption), involved 200 cryptographers SP 800-108 (key derivation), the world and took SP 800-131A (key lengths), of sustained public effort. SP 800-133 (key generation), can we slip a security SP 800-152 (key management), roblem past all of them? and related protocol documents such as SP 800-81r1.

  8. 5 6 via flooding During the same period, Attention of audito NIST also published not entirely on SHA-3. rists Alice and FIPS 186-3 (signatures), and abetted by Auditors caught a FIPS 198-1 (authentication), “cryptanalysts” security flaw in EAX SP 800-38E (disk encryption), checking for just before NIST standa SP 800-38F (key wrapping), security problems SP 800-56C (key derivation), systems. SP 800-57 (key management), competition SP 800-67 (block encryption), cryptographers SP 800-108 (key derivation), and took SP 800-131A (key lengths), sustained public effort. SP 800-133 (key generation), a security SP 800-152 (key management), of them? and related protocol documents such as SP 800-81r1.

  9. 5 6 ding During the same period, Attention of auditors was NIST also published not entirely on SHA-3. and FIPS 186-3 (signatures), by Auditors caught a severe FIPS 198-1 (authentication), “cryptanalysts” security flaw in EAX Prime SP 800-38E (disk encryption), for just before NIST standardization. SP 800-38F (key wrapping), roblems SP 800-56C (key derivation), SP 800-57 (key management), etition SP 800-67 (block encryption), cryptographers SP 800-108 (key derivation), SP 800-131A (key lengths), effort. SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

  10. 6 7 During the same period, Attention of auditors was NIST also published not entirely on SHA-3. FIPS 186-3 (signatures), Auditors caught a severe FIPS 198-1 (authentication), security flaw in EAX Prime SP 800-38E (disk encryption), just before NIST standardization. SP 800-38F (key wrapping), SP 800-56C (key derivation), SP 800-57 (key management), SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

  11. 6 7 During the same period, Attention of auditors was NIST also published not entirely on SHA-3. FIPS 186-3 (signatures), Auditors caught a severe FIPS 198-1 (authentication), security flaw in EAX Prime SP 800-38E (disk encryption), just before NIST standardization. SP 800-38F (key wrapping), Also a troublesome flaw in SP 800-56C (key derivation), the GCM security “proofs” SP 800-57 (key management), years after NIST standardization. SP 800-67 (block encryption), SP 800-108 (key derivation), SP 800-131A (key lengths), SP 800-133 (key generation), SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

  12. 6 7 During the same period, Attention of auditors was NIST also published not entirely on SHA-3. FIPS 186-3 (signatures), Auditors caught a severe FIPS 198-1 (authentication), security flaw in EAX Prime SP 800-38E (disk encryption), just before NIST standardization. SP 800-38F (key wrapping), Also a troublesome flaw in SP 800-56C (key derivation), the GCM security “proofs” SP 800-57 (key management), years after NIST standardization. SP 800-67 (block encryption), SP 800-108 (key derivation), Why did this take years? SP 800-131A (key lengths), Scientific advances? No! SP 800-133 (key generation), We successfully denied service. SP 800-152 (key management), and related protocol documents such as SP 800-81r1.

  13. 6 7 During the same period, Attention of auditors was NIST also published not entirely on SHA-3. FIPS 186-3 (signatures), Auditors caught a severe FIPS 198-1 (authentication), security flaw in EAX Prime SP 800-38E (disk encryption), just before NIST standardization. SP 800-38F (key wrapping), Also a troublesome flaw in SP 800-56C (key derivation), the GCM security “proofs” SP 800-57 (key management), years after NIST standardization. SP 800-67 (block encryption), SP 800-108 (key derivation), Why did this take years? SP 800-131A (key lengths), Scientific advances? No! SP 800-133 (key generation), We successfully denied service. SP 800-152 (key management), And NIST is just the tip of the and related protocol documents crypto standardization iceberg. such as SP 800-81r1.

  14. 6 7 the same period, Attention of auditors was Flooding also published not entirely on SHA-3. If we were 186-3 (signatures), Auditors caught a severe would tell 198-1 (authentication), security flaw in EAX Prime ciphers/hashes 800-38E (disk encryption), just before NIST standardization. 800-38F (key wrapping), Also a troublesome flaw in 800-56C (key derivation), the GCM security “proofs” 800-57 (key management), years after NIST standardization. 800-67 (block encryption), 800-108 (key derivation), Why did this take years? 800-131A (key lengths), Scientific advances? No! 800-133 (key generation), We successfully denied service. 800-152 (key management), And NIST is just the tip of the related protocol documents crypto standardization iceberg. as SP 800-81r1.

  15. 6 7 period, Attention of auditors was Flooding via dishonest lished not entirely on SHA-3. If we were honest then (signatures), Auditors caught a severe would tell Alice+Bob (authentication), security flaw in EAX Prime ciphers/hashes as (disk encryption), just before NIST standardization. wrapping), Also a troublesome flaw in ey derivation), the GCM security “proofs” management), years after NIST standardization. ck encryption), derivation), Why did this take years? ey lengths), Scientific advances? No! generation), We successfully denied service. management), And NIST is just the tip of the rotocol documents crypto standardization iceberg. 800-81r1.

  16. 6 7 Attention of auditors was Flooding via dishonesty not entirely on SHA-3. If we were honest then we Auditors caught a severe would tell Alice+Bob to reuse (authentication), security flaw in EAX Prime ciphers/hashes as PRNGs. encryption), just before NIST standardization. wrapping), Also a troublesome flaw in derivation), the GCM security “proofs” management), years after NIST standardization. encryption), derivation), Why did this take years? lengths), Scientific advances? No! generation), We successfully denied service. management), And NIST is just the tip of the cuments crypto standardization iceberg.

  17. 7 8 Attention of auditors was Flooding via dishonesty not entirely on SHA-3. If we were honest then we Auditors caught a severe would tell Alice+Bob to reuse security flaw in EAX Prime ciphers/hashes as PRNGs. just before NIST standardization. Also a troublesome flaw in the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg.

  18. 7 8 Attention of auditors was Flooding via dishonesty not entirely on SHA-3. If we were honest then we Auditors caught a severe would tell Alice+Bob to reuse security flaw in EAX Prime ciphers/hashes as PRNGs. just before NIST standardization. But why should we be honest? Also a troublesome flaw in Let’s build PRNGs from scratch! the GCM security “proofs” years after NIST standardization. Why did this take years? Scientific advances? No! We successfully denied service. And NIST is just the tip of the crypto standardization iceberg.

  19. 7 8 Attention of auditors was Flooding via dishonesty not entirely on SHA-3. If we were honest then we Auditors caught a severe would tell Alice+Bob to reuse security flaw in EAX Prime ciphers/hashes as PRNGs. just before NIST standardization. But why should we be honest? Also a troublesome flaw in Let’s build PRNGs from scratch! the GCM security “proofs” 2004: Number-theoretic RNGs years after NIST standardization. provide “increased assurance.” Why did this take years? 2006: Dual EC Scientific advances? No! “is the only DRBG mechanism We successfully denied service. in this Recommendation And NIST is just the tip of the whose security is related to a crypto standardization iceberg. hard problem in number theory.”

  20. 7 8 ttention of auditors was Flooding via dishonesty Denial of entirely on SHA-3. If we were honest then we 2006 Gjøsteen, rs caught a severe would tell Alice+Bob to reuse 2006 Scho y flaw in EAX Prime ciphers/hashes as PRNGs. Dual EC efore NIST standardization. definition But why should we be honest? troublesome flaw in Let’s build PRNGs from scratch! GCM security “proofs” 2004: Number-theoretic RNGs after NIST standardization. provide “increased assurance.” did this take years? 2006: Dual EC Scientific advances? No! “is the only DRBG mechanism successfully denied service. in this Recommendation NIST is just the tip of the whose security is related to a standardization iceberg. hard problem in number theory.”

  21. 7 8 auditors was Flooding via dishonesty Denial of service via SHA-3. If we were honest then we 2006 Gjøsteen, indep a severe would tell Alice+Bob to reuse 2006 Schoenmakers–Sido EAX Prime ciphers/hashes as PRNGs. Dual EC flunks well-established standardization. definition of PRNG But why should we be honest? troublesome flaw in Let’s build PRNGs from scratch! y “proofs” 2004: Number-theoretic RNGs standardization. provide “increased assurance.” e years? 2006: Dual EC advances? No! “is the only DRBG mechanism successfully denied service. in this Recommendation just the tip of the whose security is related to a rdization iceberg. hard problem in number theory.”

  22. 7 8 Flooding via dishonesty Denial of service via hoops If we were honest then we 2006 Gjøsteen, independently would tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenk Prime ciphers/hashes as PRNGs. Dual EC flunks well-established rdization. definition of PRNG security. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs rdization. provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism service. in this Recommendation of the whose security is related to a iceberg. hard problem in number theory.”

  23. 8 9 Flooding via dishonesty Denial of service via hoops If we were honest then we 2006 Gjøsteen, independently would tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: ciphers/hashes as PRNGs. Dual EC flunks well-established definition of PRNG security. But why should we be honest? Let’s build PRNGs from scratch! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.”

  24. 8 9 Flooding via dishonesty Denial of service via hoops If we were honest then we 2006 Gjøsteen, independently would tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: ciphers/hashes as PRNGs. Dual EC flunks well-established definition of PRNG security. But why should we be honest? Let’s build PRNGs from scratch! Are all applications broken? Obviously not! Standardize! 2004: Number-theoretic RNGs provide “increased assurance.” 2006: Dual EC “is the only DRBG mechanism in this Recommendation whose security is related to a hard problem in number theory.”

  25. 8 9 Flooding via dishonesty Denial of service via hoops If we were honest then we 2006 Gjøsteen, independently would tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: ciphers/hashes as PRNGs. Dual EC flunks well-established definition of PRNG security. But why should we be honest? Let’s build PRNGs from scratch! Are all applications broken? Obviously not! Standardize! 2004: Number-theoretic RNGs provide “increased assurance.” 2007 Shumow–Ferguson: Dual EC has a back door. Would have 2006: Dual EC been easy to build Q with the key. “is the only DRBG mechanism in this Recommendation 2007 Schneier: Never use Dual whose security is related to a EC. “Both NIST and the NSA hard problem in number theory.” have some explaining to do.”

  26. 8 9 ding via dishonesty Denial of service via hoops Did Shumo show us ere honest then we 2006 Gjøsteen, independently tell Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: Maintain ciphers/hashes as PRNGs. Dual EC flunks well-established standard. definition of PRNG security. why should we be honest? 2008.07–2014.03: build PRNGs from scratch! Are all applications broken? 73 validation Obviously not! Standardize! for Dual Number-theoretic RNGs rovide “increased assurance.” 2007 Shumow–Ferguson: Dual EC has a back door. Would have Dual EC been easy to build Q with the key. only DRBG mechanism Recommendation 2007 Schneier: Never use Dual security is related to a EC. “Both NIST and the NSA roblem in number theory.” have some explaining to do.”

  27. 8 9 dishonesty Denial of service via hoops Did Shumow and F show us the key? No! t then we 2006 Gjøsteen, independently Alice+Bob to reuse 2006 Schoenmakers–Sidorenko: Maintain and promote as PRNGs. Dual EC flunks well-established standard. Pay people definition of PRNG security. we be honest? 2008.07–2014.03: PRNGs from scratch! Are all applications broken? 73 validation certificates Obviously not! Standardize! for Dual EC implementations. er-theoretic RNGs reased assurance.” 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. DRBG mechanism Recommendation 2007 Schneier: Never use Dual is related to a EC. “Both NIST and the NSA number theory.” have some explaining to do.”

  28. 8 9 Denial of service via hoops Did Shumow and Ferguson show us the key? No! 2006 Gjøsteen, independently reuse 2006 Schoenmakers–Sidorenko: Maintain and promote Dual Dual EC flunks well-established standard. Pay people to use definition of PRNG security. est? 2008.07–2014.03: NIST issues scratch! Are all applications broken? 73 validation certificates Obviously not! Standardize! for Dual EC implementations. NGs assurance.” 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. mechanism 2007 Schneier: Never use Dual to a EC. “Both NIST and the NSA theory.” have some explaining to do.”

  29. 9 10 Denial of service via hoops Did Shumow and Ferguson show us the key? No! 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Maintain and promote Dual EC Dual EC flunks well-established standard. Pay people to use it. definition of PRNG security. 2008.07–2014.03: NIST issues Are all applications broken? 73 validation certificates Obviously not! Standardize! for Dual EC implementations. 2007 Shumow–Ferguson: Dual EC has a back door. Would have been easy to build Q with the key. 2007 Schneier: Never use Dual EC. “Both NIST and the NSA have some explaining to do.”

  30. 9 10 Denial of service via hoops Did Shumow and Ferguson show us the key? No! 2006 Gjøsteen, independently 2006 Schoenmakers–Sidorenko: Maintain and promote Dual EC Dual EC flunks well-established standard. Pay people to use it. definition of PRNG security. 2008.07–2014.03: NIST issues Are all applications broken? 73 validation certificates Obviously not! Standardize! for Dual EC implementations. 2007 Shumow–Ferguson: Dual Even after being caught, EC has a back door. Would have continue to burn auditors’ time by been easy to build Q with the key. demanding that they jump higher. 2007 Schneier: Never use Dual NSA’s Dickie George, 2014: Gee, EC. “Both NIST and the NSA Dual EC is really hard to exploit! have some explaining to do.”

  31. 9 10 of service via hoops Did Shumow and Ferguson System vs. show us the key? No! Gjøsteen, independently Traditiona Schoenmakers–Sidorenko: Maintain and promote Dual EC Auditor lo EC flunks well-established standard. Pay people to use it. an RNG. definition of PRNG security. 2008.07–2014.03: NIST issues Auditor’s all applications broken? 73 validation certificates random numb Obviously not! Standardize! for Dual EC implementations. Bob are Shumow–Ferguson: Dual Even after being caught, has a back door. Would have continue to burn auditors’ time by easy to build Q with the key. demanding that they jump higher. Schneier: Never use Dual NSA’s Dickie George, 2014: Gee, “Both NIST and the NSA Dual EC is really hard to exploit! some explaining to do.”

  32. 9 10 via hoops Did Shumow and Ferguson System vs. ecosystem show us the key? No! independently Traditional RNG auditing: enmakers–Sidorenko: Maintain and promote Dual EC Auditor looks at one well-established standard. Pay people to use it. an RNG. Tries to find PRNG security. 2008.07–2014.03: NIST issues Auditor’s starting assumption: applications broken? 73 validation certificates random numbers fo Standardize! for Dual EC implementations. Bob are created by erguson: Dual Even after being caught, door. Would have continue to burn auditors’ time by build Q with the key. demanding that they jump higher. Never use Dual NSA’s Dickie George, 2014: Gee, and the NSA Dual EC is really hard to exploit! explaining to do.”

  33. 9 10 ops Did Shumow and Ferguson System vs. ecosystem show us the key? No! endently Traditional RNG auditing: renko: Maintain and promote Dual EC Auditor looks at one system, ell-established standard. Pay people to use it. an RNG. Tries to find weakness. y. 2008.07–2014.03: NIST issues Auditor’s starting assumption: en? 73 validation certificates random numbers for Alice and rdize! for Dual EC implementations. Bob are created by an RNG. Dual Even after being caught, ould have continue to burn auditors’ time by the key. demanding that they jump higher. Dual NSA’s Dickie George, 2014: Gee, NSA Dual EC is really hard to exploit! do.”

  34. 10 11 Did Shumow and Ferguson System vs. ecosystem show us the key? No! Traditional RNG auditing: Maintain and promote Dual EC Auditor looks at one system, standard. Pay people to use it. an RNG. Tries to find weakness. 2008.07–2014.03: NIST issues Auditor’s starting assumption: 73 validation certificates random numbers for Alice and for Dual EC implementations. Bob are created by an RNG. Even after being caught, continue to burn auditors’ time by demanding that they jump higher. NSA’s Dickie George, 2014: Gee, Dual EC is really hard to exploit!

  35. 10 11 Did Shumow and Ferguson System vs. ecosystem show us the key? No! Traditional RNG auditing: Maintain and promote Dual EC Auditor looks at one system, standard. Pay people to use it. an RNG. Tries to find weakness. 2008.07–2014.03: NIST issues Auditor’s starting assumption: 73 validation certificates random numbers for Alice and for Dual EC implementations. Bob are created by an RNG. Even after being caught, Reality: random numbers continue to burn auditors’ time by are created by a much more demanding that they jump higher. complicated ecosystem that designs, evaluates, standardizes, NSA’s Dickie George, 2014: Gee, selects, implements, and deploys Dual EC is really hard to exploit! RNGs. (Same for other crypto.)

  36. 10 11 Shumow and Ferguson System vs. ecosystem This is a us the key? No! perspective. Traditional RNG auditing: defending Maintain and promote Dual EC Auditor looks at one system, rd. Pay people to use it. an RNG. Tries to find weakness. The ecosyste weaknesses 2008.07–2014.03: NIST issues Auditor’s starting assumption: inside any validation certificates random numbers for Alice and al EC implementations. Bob are created by an RNG. e.g. Easily after being caught, Reality: random numbers continue to burn auditors’ time by are created by a much more demanding that they jump higher. complicated ecosystem that designs, evaluates, standardizes, Dickie George, 2014: Gee, selects, implements, and deploys EC is really hard to exploit! RNGs. (Same for other crypto.)

  37. 10 11 and Ferguson System vs. ecosystem This is a critical change ? No! perspective. Audito Traditional RNG auditing: defending the wrong romote Dual EC Auditor looks at one system, eople to use it. an RNG. Tries to find weakness. The ecosystem has weaknesses that are 2008.07–2014.03: NIST issues Auditor’s starting assumption: inside any particula ertificates random numbers for Alice and implementations. Bob are created by an RNG. e.g. Easily take control caught, Reality: random numbers auditors’ time by are created by a much more they jump higher. complicated ecosystem that designs, evaluates, standardizes, George, 2014: Gee, selects, implements, and deploys hard to exploit! RNGs. (Same for other crypto.)

  38. 10 11 erguson System vs. ecosystem This is a critical change in perspective. Auditor is stuck Traditional RNG auditing: defending the wrong targets! Dual EC Auditor looks at one system, use it. an RNG. Tries to find weakness. The ecosystem has many weaknesses that are not visible issues Auditor’s starting assumption: inside any particular system. random numbers for Alice and implementations. Bob are created by an RNG. e.g. Easily take control of ISO. Reality: random numbers time by are created by a much more higher. complicated ecosystem that designs, evaluates, standardizes, 2014: Gee, selects, implements, and deploys exploit! RNGs. (Same for other crypto.)

  39. 11 12 System vs. ecosystem This is a critical change in perspective. Auditor is stuck Traditional RNG auditing: defending the wrong targets! Auditor looks at one system, an RNG. Tries to find weakness. The ecosystem has many weaknesses that are not visible Auditor’s starting assumption: inside any particular system. random numbers for Alice and Bob are created by an RNG. e.g. Easily take control of ISO. Reality: random numbers are created by a much more complicated ecosystem that designs, evaluates, standardizes, selects, implements, and deploys RNGs. (Same for other crypto.)

  40. 11 12 System vs. ecosystem This is a critical change in perspective. Auditor is stuck Traditional RNG auditing: defending the wrong targets! Auditor looks at one system, an RNG. Tries to find weakness. The ecosystem has many weaknesses that are not visible Auditor’s starting assumption: inside any particular system. random numbers for Alice and Bob are created by an RNG. e.g. Easily take control of ISO. Reality: random numbers e.g. Propose 20 weak standards. are created by a much more Some will survive auditing. complicated ecosystem that Then manipulate selection. designs, evaluates, standardizes, selects, implements, and deploys RNGs. (Same for other crypto.)

  41. 11 12 System vs. ecosystem This is a critical change in perspective. Auditor is stuck Traditional RNG auditing: defending the wrong targets! Auditor looks at one system, an RNG. Tries to find weakness. The ecosystem has many weaknesses that are not visible Auditor’s starting assumption: inside any particular system. random numbers for Alice and Bob are created by an RNG. e.g. Easily take control of ISO. Reality: random numbers e.g. Propose 20 weak standards. are created by a much more Some will survive auditing. complicated ecosystem that Then manipulate selection. designs, evaluates, standardizes, Deter publication of weaknesses: selects, implements, and deploys “This attack is trivial. Reject.” RNGs. (Same for other crypto.)

  42. � � 11 12 vs. ecosystem Textbook This is a critical change in perspective. Auditor is stuck using standa raditional RNG auditing: defending the wrong targets! on a standa r looks at one system, Alice’s RNG. Tries to find weakness. The ecosystem has many secret weaknesses that are not visible r’s starting assumption: inside any particular system. numbers for Alice and Alice’s re created by an RNG. e.g. Easily take control of ISO. public aP y: random numbers e.g. Propose 20 weak standards. created by a much more Some will survive auditing. { Alice ; Bob complicated ecosystem that Then manipulate selection. shared designs, evaluates, standardizes, abP Deter publication of weaknesses: selects, implements, and deploys “This attack is trivial. Reject.” (Same for other crypto.)

  43. � � 11 12 ecosystem Textbook key exchange This is a critical change in perspective. Auditor is stuck using standard point auditing: defending the wrong targets! on a standard elliptic one system, Alice’s to find weakness. The ecosystem has many secret key a weaknesses that are not visible rting assumption: inside any particular system. ers for Alice and Alice’s by an RNG. e.g. Easily take control of ISO. public key aP ▲ numbers e.g. Propose 20 weak standards. ▲ ▲ � rrrrr ▲ ▲ much more Some will survive auditing. { Alice ; Bob } ’s osystem that Then manipulate selection. = shared secret evaluates, standardizes, abP Deter publication of weaknesses: implements, and deploys “This attack is trivial. Reject.” r other crypto.)

  44. � � � � 11 12 Textbook key exchange This is a critical change in perspective. Auditor is stuck using standard point P defending the wrong targets! on a standard elliptic curve E system, Alice’s Bob’s eakness. The ecosystem has many secret key a secret k weaknesses that are not visible assumption: inside any particular system. and Alice’s Bob’s RNG. e.g. Easily take control of ISO. public key public aP bP ▲ e.g. Propose 20 weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ re Some will survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice that Then manipulate selection. shared secret shared sec rdizes, abP baP Deter publication of weaknesses: deploys “This attack is trivial. Reject.” crypto.)

  45. � � � � � 12 13 Textbook key exchange This is a critical change in perspective. Auditor is stuck using standard point P defending the wrong targets! on a standard elliptic curve E : Alice’s Bob’s The ecosystem has many secret key a secret key b weaknesses that are not visible inside any particular system. Alice’s Bob’s e.g. Easily take control of ISO. public key public key aP bP ▲ e.g. Propose 20 weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ Some will survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s Then manipulate selection. shared secret shared secret abP baP Deter publication of weaknesses: “This attack is trivial. Reject.”

  46. � � � � � 12 13 Textbook key exchange This is a critical change in perspective. Auditor is stuck using standard point P defending the wrong targets! on a standard elliptic curve E : Alice’s Bob’s The ecosystem has many secret key a secret key b weaknesses that are not visible inside any particular system. Alice’s Bob’s e.g. Easily take control of ISO. public key public key aP bP ▲ e.g. Propose 20 weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ Some will survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s Then manipulate selection. shared secret shared secret abP baP Deter publication of weaknesses: “This attack is trivial. Reject.” Security depends on choice of E .

  47. � � � � � � � 12 13 Textbook key exchange Our is a critical change in ective. Auditor is stuck using standard point P defending the wrong targets! on a standard elliptic curve E : Alice’s Bob’s Alice’s ecosystem has many secret key a secret key b secret eaknesses that are not visible any particular system. Alice’s Bob’s Alice’s Easily take control of ISO. public key public key public aP bP aP ▲ Propose 20 weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ will survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob manipulate selection. shared secret shared secret shared abP baP abP publication of weaknesses: attack is trivial. Reject.” Security depends on choice of E . This is not

  48. � � � � � � � � 12 13 Textbook key exchange Our partner critical change in choice of Auditor is stuck using standard point P wrong targets! on a standard elliptic curve E : Alice’s Bob’s Alice’s has many secret key a secret key b secret key a are not visible rticular system. Alice’s Bob’s Alice’s control of ISO. public key public key public key aP bP aP ▲ ▲ weak standards. � rrrrrrr ▲ ▲ ▲ ▲ ▲ � rrrrr ▲ ▲ ▲ ▲ survive auditing. ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob } ’s manipulate selection. = shared secret shared secret shared secret abP baP abP publication of weaknesses: trivial. Reject.” Security depends on choice of E . This is not the same

  49. � � � � � � � � � � � 12 13 Textbook key exchange Our partner Jerry’s in choice of E; P stuck using standard point P rgets! on a standard elliptic curve E : Alice’s Bob’s Alice’s Bob’s secret key a secret key b secret key a secret k visible system. Alice’s Bob’s Alice’s Bob’s ISO. public key public key public key public aP bP aP bP ▲ ▲ standards. � rrrrrrr ▲ � rrrrrrr ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ auditing. ▲ ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice election. shared secret shared secret shared secret shared sec abP baP abP baP eaknesses: Reject.” Security depends on choice of E . This is not the same picture!

  50. � � � � � � � � � � � � 13 14 Textbook key exchange Our partner Jerry’s choice of E; P using standard point P on a standard elliptic curve E : Alice’s Bob’s Alice’s Bob’s secret key a secret key b secret key a secret key b Alice’s Bob’s Alice’s Bob’s public key public key public key public key aP bP aP bP ▲ ▲ � rrrrrrr ▲ � rrrrrrr ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ { Alice ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice } ’s shared secret shared secret shared secret shared secret abP baP abP baP Security depends on choice of E . This is not the same picture!

  51. � � � � � � � � � � � 13 14 ok key exchange Our partner Jerry’s One final choice of E; P standard point P 2005 Brainp standard elliptic curve E : “The choice Alice’s Bob’s Alice’s Bob’s from which secret key a secret key b secret key a secret key b parameters not motivated part of the Alice’s Bob’s Alice’s Bob’s public key public key public key public key : : : Verifiably aP bP aP bP ▲ ▲ � rrrrrrr ▲ � rrrrrrr ▲ The [Brainp ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ generated ; Bob } ’s = { Bob ; Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice } ’s manner using red secret shared secret shared secret shared secret generated bP baP abP baP comprehensive Security depends on choice of E . This is not the same picture!

  52. � � � � � � � � � � 13 14 exchange Our partner Jerry’s One final example choice of E; P oint P 2005 Brainpool standa elliptic curve E : “The choice of the Bob’s Alice’s Bob’s from which the [NIST] secret key b secret key a secret key b parameters have b not motivated leaving part of the security Bob’s Alice’s Bob’s public key public key public key : : : Verifiably pseudo-random. bP aP bP ▲ rrrr � rrrrrrr ▲ The [Brainpool] curves ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ generated in a pseudo-random = { Bob ; Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice } ’s manner using seeds shared secret shared secret shared secret generated in a systematic baP abP baP comprehensive way ends on choice of E . This is not the same picture!

  53. � � � � � � � � 13 14 Our partner Jerry’s One final example choice of E; P 2005 Brainpool standard: curve E : “The choice of the seeds Bob’s Alice’s Bob’s from which the [NIST] curve key b secret key a secret key b parameters have been derived not motivated leaving an essential part of the security analysis Bob’s Alice’s Bob’s public key public key public key : : : Verifiably pseudo-random. P aP bP ▲ � rrrrrrr ▲ The [Brainpool] curves shall ▲ ▲ ▲ ▲ ▲ generated in a pseudo-random Alice } ’s { Alice ; Bob } ’s = { Bob ; Alice } ’s manner using seeds that are secret shared secret shared secret generated in a systematic and aP abP baP comprehensive way.” choice of E . This is not the same picture!

  54. � � � � � � � 14 15 Our partner Jerry’s One final example choice of E; P 2005 Brainpool standard: “The choice of the seeds Alice’s Bob’s from which the [NIST] curve secret key a secret key b parameters have been derived is not motivated leaving an essential part of the security analysis open. Alice’s Bob’s public key public key : : : Verifiably pseudo-random. aP bP ▲ � rrrrrrr ▲ The [Brainpool] curves shall be ▲ ▲ ▲ ▲ ▲ generated in a pseudo-random { Alice ; Bob } ’s = { Bob ; Alice } ’s manner using seeds that are shared secret shared secret generated in a systematic and abP baP comprehensive way.” This is not the same picture!

  55. � � � � � � 14 15 Our partner Jerry’s One final example import hashlib def hash(seed): h choice of E; P seedbytes = 20 2005 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = “The choice of the seeds def secure(A,B): if k(B).is_square(): Alice’s Bob’s from which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and secret key a secret key b and Integers(n)(p).multiplicative_order() parameters have been derived is def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) not motivated leaving an essential def str2int(seed): return Integer(seed.encode(’hex’),16) part of the security analysis open. Alice’s Bob’s def update(seed): public key public key return int2str(str2int(seed) : : : Verifiably pseudo-random. def fullhash(seed): aP bP ▲ return str2int(hash(seed) � rrrrrrr ▲ The [Brainpool] curves shall be ▲ ▲ ▲ def real2str(seed,bytes): ▲ ▲ generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) ; Bob } ’s = { Bob ; Alice } ’s nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] red secret shared secret while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): bP baP S = update(S) B = fullhash(S) comprehensive way.” if not secure(A,B): print ’p’,hex(p).upper() is not the same picture! print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  56. � � � � 14 15 rtner Jerry’s One final example import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); of E; P seedbytes = 20 2005 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] “The choice of the seeds def secure(A,B): if k(B).is_square(): return False Bob’s from which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() secret key b and Integers(n)(p).multiplicative_order() parameters have been derived is def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) not motivated leaving an essential def str2int(seed): return Integer(seed.encode(’hex’),16) part of the security analysis open. Bob’s def update(seed): public key return int2str(str2int(seed) + 1,len(seed)) : : : Verifiably pseudo-random. def fullhash(seed): bP return str2int(hash(seed) + hash(update(seed))) rrrr The [Brainpool] curves shall be ▲ def real2str(seed,bytes): ▲ ▲ generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) = { Bob ; Alice } ’s nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] shared secret while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): S = update(S); baP S = update(S) B = fullhash(S) comprehensive way.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() same picture! print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  57. � 14 15 Jerry’s One final example import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return seedbytes = 20 2005 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] “The choice of the seeds def secure(A,B): if k(B).is_square(): return False Bob’s from which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() key b and Integers(n)(p).multiplicative_order() * 100 >= n-1) parameters have been derived is def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) not motivated leaving an essential def str2int(seed): return Integer(seed.encode(’hex’),16) part of the security analysis open. Bob’s def update(seed): public key return int2str(str2int(seed) + 1,len(seed)) : : : Verifiably pseudo-random. def fullhash(seed): P return str2int(hash(seed) + hash(update(seed))) % 2^223 The [Brainpool] curves shall be def real2str(seed,bytes): generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) Alice } ’s nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] secret while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): S = update(S); continue aP S = update(S) B = fullhash(S) comprehensive way.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() picture! print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  58. 15 16 One final example import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() seedbytes = 20 2005 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF k = GF(p); R.<x> = k[] “The choice of the seeds def secure(A,B): if k(B).is_square(): return False from which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) parameters have been derived is def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) not motivated leaving an essential def str2int(seed): return Integer(seed.encode(’hex’),16) part of the security analysis open. def update(seed): return int2str(str2int(seed) + 1,len(seed)) : : : Verifiably pseudo-random. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 The [Brainpool] curves shall be def real2str(seed,bytes): generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) comprehensive way.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  59. 15 16 final example 2015: W import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-gene seedbytes = 20 Brainpool standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the k = GF(p); R.<x> = k[] choice of the seeds def secure(A,B): Previous if k(B).is_square(): return False which the [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) rameters have been derived is Output of def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) motivated leaving an essential p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E return Integer(seed.encode(’hex’),16) of the security analysis open. B 68AEC4BFE84C659E def update(seed): return int2str(str2int(seed) + 1,len(seed)) erifiably pseudo-random. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 [Brainpool] curves shall be def real2str(seed,bytes): generated in a pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) manner using seeds that are S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) generated in a systematic and if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) rehensive way.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  60. 15 16 example 2015: We carefully import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation seedbytes = 20 standard: p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool k = GF(p); R.<x> = k[] the seeds def secure(A,B): Previous slide: 224-bit if k(B).is_square(): return False [NIST] curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) been derived is Output of this pro def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) leaving an essential p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E return Integer(seed.encode(’hex’),16) security analysis open. B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) pseudo-random. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 curves shall be def real2str(seed,bytes): pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) seeds that are S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) systematic and if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) ay.” if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  61. 15 16 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. if k(B).is_square(): return False curve n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) derived is Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) essential p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E return Integer(seed.encode(’hex’),16) analysis open. B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) pseudo-random. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 shall be def real2str(seed,bytes): pseudo-random return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) re S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) and if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  62. 16 17 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E return Integer(seed.encode(’hex’),16) B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  63. 16 17 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E return Integer(seed.encode(’hex’),16) B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) The standard 224-bit Brainpool def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 curve is not the same curve : def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF S = nums[2*seedbytes:3*seedbytes] A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 while True: B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  64. 16 17 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. if k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF def str2int(seed): A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E return Integer(seed.encode(’hex’),16) B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D def update(seed): return int2str(str2int(seed) + 1,len(seed)) The standard 224-bit Brainpool def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 curve is not the same curve : def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF S = nums[2*seedbytes:3*seedbytes] A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 while True: B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue S = update(S) B = fullhash(S) Next slide: a procedure if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() that does generate print ’A’,hex(A).upper() print ’B’,hex(B).upper() break the standard Brainpool curve.

  65. 16 17 2015: We carefully implemented import hashlib = hashlib.sha1(); h.update(seed); return h.digest() def hash(seed): h the curve-generation procedure seedbytes = 20 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. = k[] k = GF(p); R.<x> = def secure(A,B): Previous slide: 224-bit procedure. k(B).is_square(): return False n = EllipticCurve([k(A),k(B)]).cardinality() EllipticCurve([k(A),k(B)]).cardinality() return (n < p and and n.is_prime() and Integers(n)(p).multiplicative_order() Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF str2int(seed): return Integer(seed.encode(’hex’),16) A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E Integer(seed.encode(’hex’),16) def update(seed): B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): The standard 224-bit Brainpool fullhash(seed): return str2int(hash(seed) str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): curve is not the same curve : real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF nums[2*seedbytes:3*seedbytes] while True: A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) Next slide: a procedure secure(A,B): S = update(S); continue if not k(B).is_square(): ’p’,hex(p).upper() if not secure(A,B): that does generate ’A’,hex(A).upper() print ’p’,hex(p).upper() ’B’,hex(B).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() the standard Brainpool curve. break

  66. 16 17 2015: We carefully implemented import hashlib h.update(seed); return h.digest() def hash(seed): h = hashlib.sha1(); h.update(seed); the curve-generation procedure seedbytes = 20 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E Integer(seed.encode(’hex’),16) def update(seed): B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) 1,len(seed)) def fullhash(seed): The standard 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) hash(update(seed))) % 2^223 def real2str(seed,bytes): curve is not the same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); update(S); continue while True: S = update(S) B = fullhash(S) Next slide: a procedure continue if not k(B).is_square(): break if not secure(A,B): S = update(S); continue that does generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() the standard Brainpool curve. break

  67. 16 17 2015: We carefully implemented import hashlib h.digest() def hash(seed): h = hashlib.sha1(); h.update(seed); return the curve-generation procedure seedbytes = 20 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) reversed(range(bytes))]) def str2int(seed): p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E def update(seed): B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): The standard 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): curve is not the same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) Next slide: a procedure if not k(B).is_square(): break if not secure(A,B): S = update(S); continue that does generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() the standard Brainpool curve. break

  68. 17 18 2015: We carefully implemented import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() the curve-generation procedure seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF from the Brainpool standard. k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) def str2int(seed): p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) A 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E def update(seed): B 68AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) def fullhash(seed): The standard 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): curve is not the same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] p D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: A 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) B 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) Next slide: a procedure if not k(B).is_square(): break if not secure(A,B): S = update(S); continue that does generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() the standard Brainpool curve. break

  69. 17 18 We carefully implemented Did Brainp import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() curve-generation procedure publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF the Brainpool standard. Did they k = GF(p); R.<x> = k[] def secure(A,B): Previous slide: 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) Output of this procedure: advertised def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, def str2int(seed): D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E transparent”, def update(seed): 8AEC4BFE84C659EBB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) say the same def fullhash(seed): standard 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): is not the same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) slide: a procedure if not k(B).is_square(): break if not secure(A,B): S = update(S); continue does generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() standard Brainpool curve. break

  70. 17 18 refully implemented Did Brainpool check import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() ation procedure publication? After seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF ool standard. Did they know befo k = GF(p); R.<x> = k[] def secure(A,B): 224-bit procedure. n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) rocedure: advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) 2B98B906DC245F2916C03A2F953EA9AE565C3253E8AEC4BFE84C659E transparent”, etc. def update(seed): BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) say the same for b def fullhash(seed): 224-bit Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): same curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) cedure if not k(B).is_square(): break if not secure(A,B): S = update(S); continue generate print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() Brainpool curve. break

  71. 17 18 implemented Did Brainpool check before import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() cedure publication? After publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF rd. Did they know before 2015? k = GF(p); R.<x> = k[] def secure(A,B): cedure. n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF return Integer(seed.encode(’hex’),16) 8AEC4BFE84C659E transparent”, etc. Surely we def update(seed): BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D return int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. def fullhash(seed): Brainpool return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): curve : return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF while True: 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 A = fullhash(S) 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() curve. break

  72. 18 19 Did Brainpool check before import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() publication? After publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): return Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can def update(seed): return int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  73. 18 19 Did Brainpool check before import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() publication? After publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): return Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can def update(seed): return int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): Can quietly manipulate choice return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) to take the weaker procedure. S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue while True: S = update(S) B = fullhash(S) if not k(B).is_square(): break if not secure(A,B): S = update(S); continue print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  74. 18 19 Did Brainpool check before import hashlib def hash(seed): h = hashlib.sha1(); h.update(seed); return h.digest() publication? After publication? seedbytes = 20 p = 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? k = GF(p); R.<x> = k[] def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is return (n < p and n.is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely def str2int(seed): return Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can def update(seed): return int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. def fullhash(seed): return str2int(hash(seed) + hash(update(seed))) % 2^223 def real2str(seed,bytes): Can quietly manipulate choice return int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) nums = real2str(exp(1)/16,7*seedbytes) to take the weaker procedure. S = nums[2*seedbytes:3*seedbytes] while True: A = fullhash(S) if not (k(A)*x^4+3).roots(): S = update(S); continue Interesting Brainpool quote: “It while True: S = update(S) B = fullhash(S) is envisioned to provide additional if not k(B).is_square(): break if not secure(A,B): S = update(S); continue curves on a regular basis.” print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() break

  75. 18 19 Did Brainpool check before We made = hashlib.sha1(); h.update(seed); return h.digest() publication? After publication? using standa 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? = k[] To avoid EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is complications and n.is_prime() Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, hash outputs: int2str(seed,bytes): ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely from SHA-1 str2int(seed): Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can maximum-securit int2str(str2int(seed) + 1,len(seed)) say the same for both procedures. Also upgraded fullhash(seed): str2int(hash(seed) + hash(update(seed))) % 2^223 maximum real2str(seed,bytes): Can quietly manipulate choice int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) to take the weaker procedure. Brainpool nums[2*seedbytes:3*seedbytes] and arctan(1) (k(A)*x^4+3).roots(): S = update(S); continue Interesting Brainpool quote: “It uses sin(1), fullhash(S) is envisioned to provide additional k(B).is_square(): break We also secure(A,B): S = update(S); continue curves on a regular basis.” ’p’,hex(p).upper() ’A’,hex(A).upper() pattern of ’B’,hex(B).upper()

  76. 18 19 Did Brainpool check before We made a new 224- h.update(seed); return h.digest() publication? After publication? using standard NIST 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? To avoid Brainpool’s EllipticCurve([k(A),k(B)]).cardinality() Brainpool procedure is complications of concatenating Integers(n)(p).multiplicative_order() * 100 >= n-1) advertised as “systematic”, hash outputs: We ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “comprehensive”, “completely from SHA-1 to state-of-the-a Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can maximum-security 1,len(seed)) say the same for both procedures. Also upgraded to requiring hash(update(seed))) % 2^223 maximum twist securit Can quietly manipulate choice int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) real2str(exp(1)/16,7*seedbytes) to take the weaker procedure. Brainpool uses exp(1) and arctan(1) = ı update(S); continue Interesting Brainpool quote: “It uses sin(1), so we is envisioned to provide additional We also used much continue curves on a regular basis.” pattern of searching

  77. 18 19 Did Brainpool check before We made a new 224-bit curve h.digest() publication? After publication? using standard NIST P-224 p 0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF Did they know before 2015? To avoid Brainpool’s Brainpool procedure is complications of concatenating n-1) advertised as “systematic”, hash outputs: We upgraded reversed(range(bytes))]) “comprehensive”, “completely from SHA-1 to state-of-the-a transparent”, etc. Surely we can maximum-security SHA3-512. say the same for both procedures. Also upgraded to requiring maximum twist security. Can quietly manipulate choice int2str(Integer(floor(RealField(8*bytes+8)(seed)*256^bytes)),bytes) to take the weaker procedure. Brainpool uses exp(1) = e and arctan(1) = ı= 4, and M Interesting Brainpool quote: “It uses sin(1), so we used cos(1). is envisioned to provide additional We also used much simpler curves on a regular basis.” pattern of searching for seeds.

  78. 19 20 Did Brainpool check before We made a new 224-bit curve publication? After publication? using standard NIST P-224 prime. Did they know before 2015? To avoid Brainpool’s Brainpool procedure is complications of concatenating advertised as “systematic”, hash outputs: We upgraded “comprehensive”, “completely from SHA-1 to state-of-the-art transparent”, etc. Surely we can maximum-security SHA3-512. say the same for both procedures. Also upgraded to requiring maximum twist security. Can quietly manipulate choice to take the weaker procedure. Brainpool uses exp(1) = e and arctan(1) = ı= 4, and MD5 Interesting Brainpool quote: “It uses sin(1), so we used cos(1). is envisioned to provide additional We also used much simpler curves on a regular basis.” pattern of searching for seeds.

  79. 19 20 Brainpool check before We made a new 224-bit curve import simplesha3 hash = simplesha3.sha3512 publication? After publication? using standard NIST P-224 prime. p = 2^224 - 2^96 + k = GF(p) they know before 2015? seedbytes = 20 To avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() ool procedure is complications of concatenating return (n.is_prime() and Integers(n)(p).multiplicative_order() and Integers(2*p+2-n)(p).multiplicative_order() advertised as “systematic”, hash outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) rehensive”, “completely from SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) transparent”, etc. Surely we can maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) the same for both procedures. Also upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. quietly manipulate choice sizeofint = 4 nums = real2str(cos(1),seedbytes for counter in xrange(0,256^sizeofint): e the weaker procedure. Brainpool uses exp(1) = e S = int2str(counter,sizeofint) T = complement(S) A = str2int(hash(S)) and arctan(1) = ı= 4, and MD5 B = str2int(hash(T)) Interesting Brainpool quote: “It if secure(A,B): uses sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() envisioned to provide additional print ’B’,hex(B).upper() We also used much simpler break on a regular basis.” pattern of searching for seeds.

  80. 19 20 check before We made a new 224-bit curve import simplesha3 hash = simplesha3.sha3512 After publication? using standard NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) efore 2015? seedbytes = 20 To avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() cedure is complications of concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() and Integers(2*p+2-n)(p).multiplicative_order() “systematic”, hash outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) rehensive”, “completely from SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) etc. Surely we can maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for both procedures. Also upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. manipulate choice sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): er procedure. Brainpool uses exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) and arctan(1) = ı= 4, and MD5 B = str2int(hash(T)) Brainpool quote: “It if secure(A,B): uses sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() provide additional print ’B’,hex(B).upper() We also used much simpler break regular basis.” pattern of searching for seeds.

  81. 19 20 re We made a new 224-bit curve import simplesha3 hash = simplesha3.sha3512 publication? using standard NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) 2015? seedbytes = 20 To avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() complications of concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= “systematic”, hash outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) “completely from SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) we can maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) cedures. Also upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. choice sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): cedure. Brainpool uses exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) and arctan(1) = ı= 4, and MD5 B = str2int(hash(T)) quote: “It if secure(A,B): uses sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() additional print ’B’,hex(B).upper() We also used much simpler break pattern of searching for seeds.

  82. 20 21 We made a new 224-bit curve import simplesha3 hash = simplesha3.sha3512 using standard NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 To avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() complications of concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) hash outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) from SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) Also upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): Brainpool uses exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) and arctan(1) = ı= 4, and MD5 B = str2int(hash(T)) if secure(A,B): uses sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() We also used much simpler break pattern of searching for seeds.

  83. 20 21 made a new 224-bit curve Output: import simplesha3 hash = simplesha3.sha3512 standard NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 avoid Brainpool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() complications of concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) outputs: We upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) SHA-1 to state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) upgraded to requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) maximum twist security. sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): ool uses exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) rctan(1) = ı= 4, and MD5 B = str2int(hash(T)) if secure(A,B): sin(1), so we used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() also used much simpler break pattern of searching for seeds.

  84. 20 21 224-bit curve Output: 7144BA12CE8A0C3BEFA053ED import simplesha3 hash = simplesha3.sha3512 NIST P-224 prime. p = 2^224 - 2^96 + 1 k = GF(p) seedbytes = 20 ool’s def secure(A,B): n = EllipticCurve([k(A),k(B)]).cardinality() concatenating return (n.is_prime() and (2*p+2-n).is_prime() and Integers(n)(p).multiplicative_order() * 100 >= n-1 and Integers(2*p+2-n)(p).multiplicative_order() * 100 >= 2*p+2-n-1) e upgraded def int2str(seed,bytes): return ’’.join([chr((seed//256^i)%256) for i in reversed(range(bytes))]) state-of-the-art def str2int(seed): return Integer(seed.encode(’hex’),16) maximum-security SHA3-512. def complement(seed): return ’’.join([chr(255-ord(s)) for s in seed]) o requiring def real2str(seed,bytes): return int2str(Integer(RealField(8*bytes)(seed)*256^bytes),bytes) security. sizeofint = 4 nums = real2str(cos(1),seedbytes - sizeofint) for counter in xrange(0,256^sizeofint): exp(1) = e S = int2str(counter,sizeofint) + nums T = complement(S) A = str2int(hash(S)) ı= 4, and MD5 B = str2int(hash(T)) if secure(A,B): e used cos(1). print ’p’,hex(p).upper() print ’A’,hex(A).upper() print ’B’,hex(B).upper() much simpler break rching for seeds.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Standardization for the black hat Daniel J. Bernstein University of Illinois at Chicago &amp;

Standardization for the black hat Daniel J. Bernstein University of Illinois at Chicago &amp;

1 Standardization for the black hat Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven 1 bada55.cr.yp.to BADA55 Crypto including How to manipulate curve standards: a white paper for the

879 views • 45 slides
The Fingerprints of Black Holes - Shadows and their Degeneracies Claudio Paganini joint work

The Fingerprints of Black Holes - Shadows and their Degeneracies Claudio Paganini joint work

The Fingerprints of Black Holes - Shadows and their Degeneracies Claudio Paganini joint work with: Marius Oancea , Marc Mars Albert Einstein Institute, Potsdam, Germany Instituto de F sica Fundamental y Matem aticas,

704 views • 51 slides
Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s

Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s

Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s Brand ao Joint work with: Apostol Vassilev, Nicky Mouha, Michael Davidson The red dancing devil is from clker.com/clipart-13643.html National

2.04k views • 175 slides
Self ish Rout ing Tim Roughgarden Cornell Universit y Includes joint work with va Tardos 1

Self ish Rout ing Tim Roughgarden Cornell Universit y Includes joint work with va Tardos 1

Self ish Rout ing Tim Roughgarden Cornell Universit y Includes joint work with va Tardos 1 Traf f ic in Congest ed Net works The Model: A dir ect ed gr aph G = (V,E) k source-dest inat ion pair s (s 1 ,t 1 ), , (s k ,t k )

487 views • 20 slides
Robustness in GANs and in Black-box Optimization Stefanie Jegelka MIT CSAIL joint work with

Robustness in GANs and in Black-box Optimization Stefanie Jegelka MIT CSAIL joint work with

Robustness in GANs and in Black-box Optimization Stefanie Jegelka MIT CSAIL joint work with Zhi Xu, Chengtao Li, Ilija Bogunovic, Jonathan Scarlett and Volkan Cevher Robustness in ML noise Generator One unit is enough! Critic

636 views • 15 slides
The Task Diachronics Dan Klein UC Berkeley Includes joint work with Alex Bouchard Cote,

The Task Diachronics Dan Klein UC Berkeley Includes joint work with Alex Bouchard Cote,

12/1/2014 Natural Language Processing The Task Diachronics Dan Klein UC Berkeley Includes joint work with Alex Bouchard Cote, Tom Griffiths, and David Hall Lexical Reconstruction Tree of Languages Latin focus We assume the phylogeny

336 views • 8 slides
Standardization Using Output Goal Tables Standardization Concepts The purpose of

Standardization Using Output Goal Tables Standardization Concepts The purpose of

Standardization Using Output Goal Tables Standardization Concepts The purpose of standardization is to reduce variability in fish catchability (q); a more constant q helps CPUE data track population trends more accurately Components to

413 views • 13 slides
The ISO Standardization Process of PLAID: A Cryptographers Perspective Real World Cryptography

The ISO Standardization Process of PLAID: A Cryptographers Perspective Real World Cryptography

The ISO Standardization Process of PLAID: A Cryptographers Perspective Real World Cryptography Workshop 2015 Arno Mittelbach based on joint work with Jean Paul Degabriele, Victoria Fehr, Marc Fischlin, Tommaso Gagliardoni, Felix Gnther,

488 views • 24 slides
Adaptive Multilevel BDDC Jan Mandel Includes joint work with Clark Dohrmann, Bed rich Soused

Adaptive Multilevel BDDC Jan Mandel Includes joint work with Clark Dohrmann, Bed rich Soused

Adaptive Multilevel BDDC Jan Mandel Includes joint work with Clark Dohrmann, Bed rich Soused k, Jakub stek, Pavel Burda, Marta S Cert kov a, and Jaroslav Novotn y. Center for Computational Mathematics and

955 views • 49 slides
Natural Language Processing Diachronics Dan Klein UC Berkeley Includes joint work with Alex

Natural Language Processing Diachronics Dan Klein UC Berkeley Includes joint work with Alex

12/1/2014 Natural Language Processing Diachronics Dan Klein UC Berkeley Includes joint work with Alex Bouchard Cote, Tom Griffiths, and David Hall 1 12/1/2014 The Task 2 12/1/2014 Lexical Reconstruction Latin focus French Spanish

1.09k views • 47 slides
Actual Causality: A Survey Joe Halpern Cornell University Includes joint work with Judea Pearl

Actual Causality: A Survey Joe Halpern Cornell University Includes joint work with Judea Pearl

Actual Causality: A Survey Joe Halpern Cornell University Includes joint work with Judea Pearl (UCLA), Hana Chockler (UCL), and Chris Hitchcock (Cal Tech) The Big Picture Defining causality is notoriously difficult. Many approaches have

353 views • 33 slides
Effjcient Computation of Change-Graph Scores David Eppstein (includes joint work with Emma Spiro,

Effjcient Computation of Change-Graph Scores David Eppstein (includes joint work with Emma Spiro,

Effjcient Computation of Change-Graph Scores David Eppstein (includes joint work with Emma Spiro, Mike Goodrich, Darren Strash, Lowell Trott, and Maarten Lffmer) Context: analysis of social networks Represent interactions among people and

372 views • 18 slides
Finding Cliques Quickly: An Update David Eppstein (includes joint work with Darren Strash and

Finding Cliques Quickly: An Update David Eppstein (includes joint work with Darren Strash and

Finding Cliques Quickly: An Update David Eppstein (includes joint work with Darren Strash and Maarten Lffmer) Clique: subset of vertices in a social network that are all pairwise connected Maximal clique: cant add any more vertices and

221 views • 7 slides
TEST STANDARDIZATION: SOME PRACTICAL GUIDANCE Why standardization matters: a review LEARNING

TEST STANDARDIZATION: SOME PRACTICAL GUIDANCE Why standardization matters: a review LEARNING

TEST STANDARDIZATION: SOME PRACTICAL GUIDANCE Why standardization matters: a review LEARNING Impact of the testing setting POL and de-centralized testing on standardization examples considerations OBJECTIVES Systematically managing the

558 views • 20 slides
IEEE-1788 standardization of interval arithmetic: work in progress (a personal view) Nathalie

IEEE-1788 standardization of interval arithmetic: work in progress (a personal view) Nathalie

Motivating example Standardization of interval arithmetic: IEEE P1788 Conclusion IEEE-1788 standardization of interval arithmetic: work in progress (a personal view) Nathalie Revol INRIA - Universit e de Lyon LIP (UMR 5668 CNRS - ENS Lyon

849 views • 68 slides
The stability of Kerr-de Sitter black holes Andr as Vasy (joint work with Peter Hintz) July

The stability of Kerr-de Sitter black holes Andr as Vasy (joint work with Peter Hintz) July

Setup and results Idea of proofs The stability of Kerr-de Sitter black holes Andr as Vasy (joint work with Peter Hintz) July 2018, Montr eal Setup and results Idea of proofs This talk is about the stability of Kerr-de Sitter (KdS) black

923 views • 14 slides
The Pre-History of P -partitions Ira M. Gessel Department of Mathematics Brandeis University

The Pre-History of P -partitions Ira M. Gessel Department of Mathematics Brandeis University

The Pre-History of P -partitions Ira M. Gessel Department of Mathematics Brandeis University Stanley@70 Massachusetts Institute of Technology June 24, 2014 Introduction Let P be a partially ordered set. Then a P -partition is an

839 views • 59 slides
Foundations of Artificial Intelligence 24. Constraint Satisfaction Problems: Backtracking Malte

Foundations of Artificial Intelligence 24. Constraint Satisfaction Problems: Backtracking Malte

Foundations of Artificial Intelligence 24. Constraint Satisfaction Problems: Backtracking Malte Helmert and Thomas Keller University of Basel April 8, 2020 CSP Algorithms Naive Backtracking Variable and Value Orders Summary Constraint

1.13k views • 37 slides
Section 2.5 Section Summary ! Cardinality ! Countable Sets ! Computability Cardinality Definition

Section 2.5 Section Summary ! Cardinality ! Countable Sets ! Computability Cardinality Definition

Section 2.5 Section Summary ! Cardinality ! Countable Sets ! Computability Cardinality Definition : The cardinality of a set A is equal to the cardinality of a set B , denoted |A| = | B |, if and only if there is a one-to-one correspondence ( i.e.

388 views • 14 slides
Term Project Presentations 09:30am -11:20am on Monday, Dec 11 State Hall (STAT) 0315

Term Project Presentations 09:30am -11:20am on Monday, Dec 11 State Hall (STAT) 0315

Term Project Presentations 09:30am -11:20am on Monday, Dec 11 State Hall (STAT) 0315 Each Project will have 18 minutes to present and 4 minutes for Q&amp;A Wayne State University CSC 6991 Topics in Computer Security 1 Term Project

36 views • 3 slides
Summary of our Sharp activities Catherine Plaisant Ben Shneiderman Sureyya Tarkan, Darya

Summary of our Sharp activities Catherine Plaisant Ben Shneiderman Sureyya Tarkan, Darya

Summary of our Sharp activities Catherine Plaisant Ben Shneiderman Sureyya Tarkan, Darya Filippova, Sumit Arora University of Maryland December 8 th , 2010 Houston Started in September 3 topics: Medication reconciliation Lab tracking

679 views • 52 slides
ECE 4524 Artificial Intelligence and Engineering Applications Meeting 8: Searching for Constraint

ECE 4524 Artificial Intelligence and Engineering Applications Meeting 8: Searching for Constraint

ECE 4524 Artificial Intelligence and Engineering Applications Meeting 8: Searching for Constraint Satisfaction Reading: AIAMA 6.3-6.4 Todays Schedule: Backtracking Search Ordering Heuristics Local Search Searching on CSPs When

360 views • 15 slides
CS 134: Operating Systems Scheduling 1 / 52 Scheduling Process Switching CS34 Process

CS 134: Operating Systems Scheduling 1 / 52 Scheduling Process Switching CS34 Process

CS34 2013-05-17 CS 134: Operating Systems Scheduling CS 134: Operating Systems Scheduling 1 / 52 Scheduling Process Switching CS34 Process Switching 2013-05-17 Scheduling Class Exercise When can/do we switch processes (or threads)?

675 views • 52 slides
MIR-Canon: Improving Code Diff Through Canonical Transformation Puyan Lotfi Apple Inc. 1

MIR-Canon: Improving Code Diff Through Canonical Transformation Puyan Lotfi Apple Inc. 1

MIR-Canon: Improving Code Diff Through Canonical Transformation Puyan Lotfi Apple Inc. 1 What is MIR? MIR (Machine IR) is the newer IR form for MachineInstrs. 2 What is MIR? bb.0: liveins: $w0, $x1, $x2 %1:gpr64 = COPY $x1

1.27k views • 72 slides

More recommend