the salsa20 stream cipher salsa20 additive stream cipher
play

The Salsa20 stream cipher Salsa20: additive stream cipher, - PowerPoint PPT Presentation

Apr 08, 2024 •265 likes •714 views

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

  1. The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR–9983950 Same speed either way, Alfred P. Sloan Foundation simplifying hardware. � : 8 bytes. Nonce Can send 2 64 messages under one key. � ): Stream Salsa20 ✁ ( 2 70 bytes for each message.

  2. � � ☎ ✁ ✄ � � stream cipher Salsa20: additive stream cipher, For authentication, expanding key and nonce combine Salsa20 with into long stream of bytes http://cr.yp.to/mac.html to add to plaintext. Given message Illinois at Chicago � Poly1305 �✂✁ �✆☎ Key : 16 or 32 bytes. Send ( CCR–9983950 �✝✁ ) = Salsa20 Same speed either way, ( ✁ ( Foundation simplifying hardware. �✟✞ Very fast; short secret � : 8 bytes. Nonce provably secure if Salsa20 Can send 2 64 messages better than encrypt-then-MA under one key. Easily adapt to “AEAD,” � ): Stream Salsa20 ✁ ( i.e., allow unencrypted 2 70 bytes for each message.

  3. � ☎ ✁ � Salsa20: additive stream cipher, For authentication, expanding key and nonce combine Salsa20 with Poly1305, into long stream of bytes http://cr.yp.to/mac.html . to add to plaintext. � : Given message with nonce � Poly1305 �✆☎ )) where �✂✁ Key : 16 or 32 bytes. Send ( ✄ ( �✝✁ ) = Salsa20 � ) Same speed either way, ( ✁ ( (0 ). simplifying hardware. �✟✞ ); Very fast; short secret key ( � : 8 bytes. Nonce provably secure if Salsa20 is secure; Can send 2 64 messages better than encrypt-then-MAC. under one key. Easily adapt to “AEAD,” � ): Stream Salsa20 ✁ ( i.e., allow unencrypted header. 2 70 bytes for each message.

  4. � � � � � � � � ☎ � � � � ✁ � additive stream cipher, For authentication, Let’s watch how Salsa20 and nonce combine Salsa20 with Poly1305, generates block of � 2 � 3 of bytes http://cr.yp.to/mac.html . from key (1 � 227 � 11 plaintext. nonce (255 � : Given message with nonce � Poly1305 �✆☎ )) where �✂✁ bytes. Send ( ✄ ( Notation: means �✝✁ ) = Salsa20 � ) either way, ( ✁ ( (0 ). Little-endian everywhere. are. �✟✞ ); Very fast; short secret key ( Key: ytes. provably secure if Salsa20 is secure; messages better than encrypt-then-MAC. Easily adapt to “AEAD,” Nonce: � ): ✁ ( i.e., allow unencrypted header. each message.

  5. � ✁ � � � � ☎ � For authentication, Let’s watch how Salsa20 combine Salsa20 with Poly1305, generates block of 64 bytes � 2 � 3 � 16), http://cr.yp.to/mac.html . from key (1 � 227 � 11 � 84 � 2 � 0 � 0 � 0). nonce (255 � : Given message with nonce � Poly1305 �✆☎ )) where �✂✁ Send ( ✄ ( Notation: means 1 + 2 + 16. �✝✁ ) = Salsa20 � ) ( ✁ ( (0 ). Little-endian everywhere. �✟✞ ); Very fast; short secret key ( Key: provably secure if Salsa20 is secure; better than encrypt-then-MAC. . Easily adapt to “AEAD,” Nonce: i.e., allow unencrypted header. .

  6. � � � � � � � ✁ � ☎ authentication, Let’s watch how Salsa20 Build 4 4 array of with Poly1305, generates block of 64 bytes � 2 � 3 � 16), http://cr.yp.to/mac.html . from key (1 � 227 � 11 � 84 � 2 � 0 � 0 � 0). nonce (255 � : with nonce �✆☎ )) where �✂✁ oly1305 ✄ ( Notation: means 1 + 2 + 16. � ) �✝✁ ✁ ( (0 ). Little-endian everywhere. Diagonal entries are �✟✞ ); secret key ( Key: if Salsa20 is secure; Other entries are k encrypt-then-MAC. . “AEAD,” Nonce: ; blo unencrypted header. . ; key

  7. � � � � � Let’s watch how Salsa20 Build 4 4 array of 4-byte words: generates block of 64 bytes � 2 � 3 � 16), from key (1 � 227 � 11 � 84 � 2 � 0 � 0 � 0). nonce (255 Notation: means 1 + 2 + 16. Little-endian everywhere. Diagonal entries are constants: Key: Other entries are key . ; nonce Nonce: ; block counter . ; key again.

  8. � � � � � � � � Salsa20 Build 4 4 array of 4-byte words: Modify one word using of 64 bytes � 16), � 11 � 84 � 2 � 0 � 0 � 0). means 1 + 2 + 16. everywhere. Diagonal entries are constants: The modification is add two underlined rotate left by 7 bits; Other entries are key . xor into next word ; nonce ; block counter x[9] ^= (x[1]+x[5]) . ; key again. Will do long series simple modifications,

  9. � Build 4 4 array of 4-byte words: Modify one word using two others: Diagonal entries are constants: The modification is very simple: add two underlined words; rotate left by 7 bits; Other entries are key xor into next word down. ; nonce ; block counter x[9] ^= (x[1]+x[5]) <<< 7 ; key again. Will do long series of these simple modifications, as in TEA.

  10. � y of 4-byte words: Modify one word using two others: Modify other columns: are constants: The modification is very simple: Columns wrap around add two underlined words; from bottom to top. rotate left by 7 bits; key x[4] ^= (x[12]+x[0]) xor into next word down. ; nonce x[14] ^= (x[6]+x[10]) block counter x[9] ^= (x[1]+x[5]) <<< 7 x[3] ^= (x[11]+x[15]) key again. Will do long series of these Total: 4 modifications. simple modifications, as in TEA.

  11. Modify one word using two others: Modify other columns: The modification is very simple: Columns wrap around add two underlined words; from bottom to top. rotate left by 7 bits; x[4] ^= (x[12]+x[0]) <<< 7 xor into next word down. x[14] ^= (x[6]+x[10]) <<< 7 x[9] ^= (x[1]+x[5]) <<< 7 x[3] ^= (x[11]+x[15]) <<< 7 Will do long series of these Total: 4 modifications. simple modifications, as in TEA.

  12. using two others: Modify other columns: Modify each column is very simple: Columns wrap around This time rotate by underlined words; from bottom to top. x[8] ^= (x[0]+x[4]) bits; x[4] ^= (x[12]+x[0]) <<< 7 x[13] ^= (x[5]+x[9]) rd down. x[14] ^= (x[6]+x[10]) <<< 7 x[2] ^= (x[10]+x[14]) (x[1]+x[5]) <<< 7 x[3] ^= (x[11]+x[15]) <<< 7 x[7] ^= (x[15]+x[3]) series of these Total: 4 modifications. Total: 8 modifications. difications, as in TEA.

  13. Modify other columns: Modify each column again: Columns wrap around This time rotate by 9 bits. from bottom to top. x[8] ^= (x[0]+x[4]) <<< 9 x[4] ^= (x[12]+x[0]) <<< 7 x[13] ^= (x[5]+x[9]) <<< 9 x[14] ^= (x[6]+x[10]) <<< 7 x[2] ^= (x[10]+x[14]) <<< 9 x[3] ^= (x[11]+x[15]) <<< 7 x[7] ^= (x[15]+x[3]) <<< 9 Total: 4 modifications. Total: 8 modifications.

  14. columns: Modify each column again: Modify each column round This time rotate by 9 bits. This time rotate by top. x[8] ^= (x[0]+x[4]) <<< 9 x[12] ^= (x[4]+x[8]) (x[12]+x[0]) <<< 7 x[13] ^= (x[5]+x[9]) <<< 9 x[1] ^= (x[9]+x[13]) (x[6]+x[10]) <<< 7 x[2] ^= (x[10]+x[14]) <<< 9 x[6] ^= (x[14]+x[2]) (x[11]+x[15]) <<< 7 x[7] ^= (x[15]+x[3]) <<< 9 x[11] ^= (x[3]+x[7]) difications. Total: 8 modifications. Total: 12 modifications.

  15. Modify each column again: Modify each column again: This time rotate by 9 bits. This time rotate by 13 bits. x[8] ^= (x[0]+x[4]) <<< 9 x[12] ^= (x[4]+x[8]) <<< 13 x[13] ^= (x[5]+x[9]) <<< 9 x[1] ^= (x[9]+x[13]) <<< 13 x[2] ^= (x[10]+x[14]) <<< 9 x[6] ^= (x[14]+x[2]) <<< 13 x[7] ^= (x[15]+x[3]) <<< 9 x[11] ^= (x[3]+x[7]) <<< 13 Total: 8 modifications. Total: 12 modifications.

  16. column again: Modify each column again: Modify each column by 9 bits. This time rotate by 13 bits. This time rotate by (x[0]+x[4]) <<< 9 x[12] ^= (x[4]+x[8]) <<< 13 x[0] ^= (x[8]+x[12]) (x[5]+x[9]) <<< 9 x[1] ^= (x[9]+x[13]) <<< 13 x[5] ^= (x[13]+x[1]) (x[10]+x[14]) <<< 9 x[6] ^= (x[14]+x[2]) <<< 13 x[10] ^= (x[2]+x[6]) (x[15]+x[3]) <<< 9 x[11] ^= (x[3]+x[7]) <<< 13 x[15] ^= (x[7]+x[11]) difications. Total: 12 modifications. Total: 16 modifications.

  17. Modify each column again: Modify each column again: This time rotate by 13 bits. This time rotate by 18 bits. x[12] ^= (x[4]+x[8]) <<< 13 x[0] ^= (x[8]+x[12]) <<< 18 x[1] ^= (x[9]+x[13]) <<< 13 x[5] ^= (x[13]+x[1]) <<< 18 x[6] ^= (x[14]+x[2]) <<< 13 x[10] ^= (x[2]+x[6]) <<< 18 x[11] ^= (x[3]+x[7]) <<< 13 x[15] ^= (x[7]+x[11]) <<< 18 Total: 12 modifications. Total: 16 modifications.

  18. � � � column again: Modify each column again: Modify rows by 7 by 13 bits. This time rotate by 18 bits. Now every word has been modified (x[4]+x[8]) <<< 13 x[0] ^= (x[8]+x[12]) <<< 18 Total: 32 modifications. (x[9]+x[13]) <<< 13 x[5] ^= (x[13]+x[1]) <<< 18 (x[14]+x[2]) <<< 13 x[10] ^= (x[2]+x[6]) <<< 18 That’s 2 rounds of (x[3]+x[7]) <<< 13 x[15] ^= (x[7]+x[11]) <<< 18 difications. Total: 16 modifications.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF

ChaCha, a variant of Salsa20 D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Note: ChaCha is not an eSTREAM candidate! Post-eSTREAM cryptography. The Salsa20 cipher family Salsa20/20 is faster than AES. I

256 views • 10 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

S PRITZ A SPONGY RC4- LIKE STREAM CIPHER AND HASH FUNCTION Ronald L. Rivest 1 Jacob C. N. Schuldt 2 1 Vannevar Bush Professor of EECS MIT CSAIL Cambridge, MA 02139 rivest@mit.edu 2 Research Institute for Secure Systems AIST, Japan

603 views • 37 slides
PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m (stream) Enc One-time Encryption with a stream-cipher: SC K Generate a one-time pad from a short seed Can share just the seed as the key Mask

1.33k views • 102 slides
Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

367 views • 19 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20 stream cipher Poly1305 authenticator ChaCha20+Poly1305 AEAD construction TLS cipher suites Performance ChaCha20 stream cipher

648 views • 12 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB

Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB

Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB 2019 October 21st 23rd, 2019 Casa Convalescncia, Barcelona, Spain Authors: Hassan Noura, Raphal Couturier, CongDuc Pham and Ali Chehab

149 views • 13 slides
Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with

Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with

Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with B.Preneel and G. Sekar) Computer Security and Industrial Cryptography (COSIC) Department of Electrical Engineering-ESAT Katholieke Universiteit

655 views • 16 slides
MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng

MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng

MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng The City University of New York Contents Motivation Algorithm Details Key Scheduling State Initialization Keystream Generation

383 views • 17 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Universit Catholique de Louvain, Belgium Algebraic

995 views • 61 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology R&amp;D Center Mitsubishi Electric Corporation February 23 2009, FSE 2009 In this presentation we talk about A colliding key pair of RC4

359 views • 15 slides
Goal: To familiarize students with microprocessor-based circuit design. The course deals

Goal: To familiarize students with microprocessor-based circuit design. The course deals

Course Outline Goal: To familiarize students with microprocessor-based circuit design. The course deals with the applications, SYSC3601 organization, architecture, and design of Microprocessor Systems microprocessor systems.

320 views • 10 slides
Decompiler internals: microcode Hex-Rays Ilfak Guilfanov Presentation Outline Presentation

Decompiler internals: microcode Hex-Rays Ilfak Guilfanov Presentation Outline Presentation

Decompiler internals: microcode Hex-Rays Ilfak Guilfanov Presentation Outline Presentation Outline Decompiler architecture Overview of the microcode Opcodes and operands Stack and registers Data flow analysis, aliasibility Microcode

847 views • 58 slides
CSE 351 Section 2 1/12/12 Agenda Review memory and data representation NAND Gate

CSE 351 Section 2 1/12/12 Agenda Review memory and data representation NAND Gate

CSE 351 Section 2 1/12/12 Agenda Review memory and data representation NAND Gate Binary/Decimal/Hex Memory Organization and Pointers Endianness NAND Gate Output is always high (1) except when both inputs are high

694 views • 19 slides
CPSC 213 Introduction to Computer Systems Unit 1a Numbers and Memory 1 The Big Picture

CPSC 213 Introduction to Computer Systems Unit 1a Numbers and Memory 1 The Big Picture

CPSC 213 Introduction to Computer Systems Unit 1a Numbers and Memory 1 The Big Picture Build machine model of execution for Java and C programs by examining language features and deciding how they are implemented by the

348 views • 23 slides
CS155 Project 1 Gary Luu Spring 2009 Setting up the Environment Download VMware Player

CS155 Project 1 Gary Luu Spring 2009 Setting up the Environment Download VMware Player

CS155 Project 1 Gary Luu Spring 2009 Setting up the Environment Download VMware Player http://www.vmware.com/products/player If prompted, click I copied it Should be configured with NAT, check w/ ifconfig Demo target1.c

397 views • 13 slides
Power and Bandwidth Optimization in 360-Degree Immersive Mobile Video Streaming Sheng Wei,

Power and Bandwidth Optimization in 360-Degree Immersive Mobile Video Streaming Sheng Wei,

Power and Bandwidth Optimization in 360-Degree Immersive Mobile Video Streaming Sheng Wei, Assistant Professor Rutgers ECE May 2019 Context: Research Paths Hardware Security . . Mobile Video Systems Assistant Professor Assistant Professor

709 views • 23 slides
CS 528 Mobile and Ubiquitous Computing Lecture 5a: Playing Sound and Video Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 5a: Playing Sound and Video Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 5a: Playing Sound and Video Emmanuel Agu Multimedia Networking: Basic Concepts Multimedia networking: 3 application types Multimedia refers to audio and video streaming, stored audio, video

357 views • 31 slides
CS 528 Mobile and Ubiquitous Computing Lecture 4a: Playing Sound and Video Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 4a: Playing Sound and Video Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 4a: Playing Sound and Video Emmanuel Agu Reminder: Final Project 1-slide from group in 2 weeks Thursday October 11: 2/30 of final project grade Slide should cover 3 aspects Problem

529 views • 35 slides

More recommend