Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)

7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)

http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 1/334

Failures of

secret-key cryptography

D. J. Bernstein

University of Illinois at Chicago &

Technische Universiteit Eindhoven

http://xkcd.com/538/

http://xkcd.com/538/



2011 Grigg–Gutmann: In the

past 15 years “no one ever lost

money to an attack on a properlydesigned cryptosystem (meaning

one that didn’t use homebrew

crypto or toy keys) in the Internetor commercial worlds”.

http://iang.org/ssl/grigg-gutmann-cryptographic-numerology.pdf



2011 Grigg–Gutmann: In the

past 15 years “no one ever lost

money to an attack on a properlydesigned cryptosystem (meaning

one that didn’t use homebrew

crypto or toy keys) in the Internetor commercial worlds”.

2002 Shamir: “Cryptography is

usually bypassed. I am not aware

of any major world-class security

system employing cryptography in

which the hackers penetrated the

system by actually going through

the cryptanalysis.”

http://www.youtube.com/watch?v=KUHaLQFJ6Cc

http://iang.org/ssl/grigg-gutmann-cryptographic-numerology.pdf



Do these people mean that

it’s actually infeasible

to break real-world crypto?






Or do they mean that

breaks are feasible

but still not worthwhile

for the attackers?







breaks are feasible


for the attackers?

Or are they simply wrong:real-world crypto is breakable;

is in fact being broken;

is one of many ongoingdisaster areas in security?







breaks are feasible


for the attackers?

Or are they simply wrong:real-world crypto is breakable;

is in fact being broken;

is one of many ongoingdisaster areas in security?

Let’s look at some examples.



Windows code signatures

Flame broke into computers,

spied on audio, keystrokes, etc.

2012.06.03 Microsoft:

“We recently became awareof a complex piece of targeted

malware known as ‘Flame’ and

immediately began examining theissue. : : : We have discovered

through our analysis that some

components of the malware havebeen signed by certificates that

allow software to appear as if it

was produced by Microsoft.”

http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx



2012.06.07 Stevens: “A chosen-

prefix collision attack against

MD5 has been used for Flame.More interestingly : : : not our

published chosen-prefix collision

attack was used, but an entirelynew and unknown variant.”

http://www.cwi.nl/news/2012/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware








CrySyS: Flame file wavesup3.drv

appeared in logs in 2007; Flame

“may have been active for as long

as five to eight years”.

http://www.crysys.hu/skywiper/skywiper.pdf









CrySyS: Flame file wavesup3.drv

appeared in logs in 2007; Flame

“may have been active for as long

as five to eight years”.

Was MD5 “homebrew crypto”?

No. Standardized, widely used.

Worthwhile to attack? Yes.

http://www.crysys.hu/skywiper/skywiper.pdf




Compare to 2011 Grigg–Gutmann:

“Cryptosystem failure is orders of

magnitude below any other risk.”



Compare to 2011 Grigg–Gutmann:

“Cryptosystem failure is orders of

magnitude below any other risk.”

http://en.wikipedia.org/wiki

/2003_Mission_Accomplished

_speech

http://en.wikipedia.org/wiki/2003_Mission_Accomplished_speech








WEP

WEP introduced in 1997

in 802.11 wireless standard.

2001 Borisov–Goldberg–Wagner:

24-bit “nonce” frequently repeats,leaking plaintext xor and

allowing very easy forgeries.

2001 Arbaugh–Shankar–Wan:

this also breaks user auth.

2001 Fluhrer–Mantin–Shamir:WEP builds RC4 key ( k ; n )

from secret k , “nonce” n ;

RC4 outputs leak bytes of k

.

http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/rc4_wep.ps

http://www.cs.umd.edu/~waa/wireless.pdf

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html



Implementations, optimizations

of k -recovery attack: 2001

Stubblefield–Ioannidis–Rubin,2004 KoreK, 2004 Devine, 2005

d’Otreppe, 2006 Klein, 2007

Tews–Weinmann–Pyshkin, 2010Sepehrdad–Vaudenay–Vuagnoux,

2013 S–Susil–V–V, : : :








2013 S–Susil–V–V, : : :

“These are academic papers!

Nobody was actually attacked.”








2013 S–Susil–V–V, : : :

“These are academic papers!

Nobody was actually attacked.”

Fact: WEP blamed for 2007 theftof 45 million credit-card numbers

from T. J. Maxx. Subsequent

lawsuit settled for $40900000.

http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20071130005355&newsLang=en

http://arstechnica.com/security/2007/05/blame-for-record-breaking-credit-card-data-theft-laid-at-the-feet-of-wep/



Keeloq

Wikipedia: “KeeLoq is or was

used in many remote keyless

entry systems by such companies

as Chrysler, Daewoo, Fiat,

GM, Honda, Toyota, Volvo,

Volkswagen Group, Clifford,

Shurlok, Jaguar, etc.”

2007 Indesteege–Keller–

Biham–Dunkelman–Preneel

“How to steal cars”:recover 64-bit KeeLoq key

using 216 known plaintexts,

only 244:

5 encryptions.

http://www.cosic.esat.kuleuven.be/keeloq/

http://www.cosic.esat.kuleuven.be/keeloq/



2008 Eisenbarth–Kasper–Moradi–

Paar–Salmasizadeh–Shalmani

recovered system’s master key,allowing practically instantaneous

cloning of KeeLoq keys.

http://www.emsec.rub.de/keeloq








1. Setup phase of this attack

watches power consumption

of Keeloq device. Is this

“bypassing” the cryptography?









1. Setup phase of this attack

watches power consumption

of Keeloq device. Is this

“bypassing” the cryptography?

2. If all the “ X is weak” press

comes from academics, is it safeto conclude that real attackers

aren’t breaking X ? How often do

real attackers issue press releases?





VMWare View

VMWare View is a remote

desktop protocol supported by

many low-cost terminals.

Recommendation from VMWare,Dell, etc.: switch from “AES-128”

to “SALSA20-256” for the “best

user experience”. Apparently AESslows down network graphics.

http://www.dell.com/support/drivers/us/en/19/DriverDetails/DriverFileFormats?c=&l=&s=&cs=&DriverId=R253175

http://www.vmware.com/files/pdf/VMware-View-PCoIP-Zero-Client-Optimization-Guide-TN-EN.pdf



VMWare View

VMWare View is a remote

desktop protocol supported by

many low-cost terminals.

Recommendation from VMWare,Dell, etc.: switch from “AES-128”

to “SALSA20-256” for the “best

user experience”. Apparently AESslows down network graphics.

Closer look at documentation:

“AES-128” and “SALSA20-256”

are actually “AES-128-GCM”

and “Salsa20-256-Round12”.

http://www.dell.com/support/drivers/us/en/19/DriverDetails/DriverFileFormats?c=&l=&s=&cs=&DriverId=R253175

http://www.vmware.com/files/pdf/VMware-View-PCoIP-Zero-Client-Optimization-Guide-TN-EN.pdf



AES-128-GCM includes AES

and message authentication.

No indication that VMWare’s

“Salsa20-256-Round12” includes

any message authentication.

Can attacker forge packets?

One can easily combine Salsa20

with message authentication,

but does VMWare do this?

Salsa20 has speed and security

advantages over AES, butboth Salsa20 and AES are

unauthenticated ciphers.

User needs authenticated cipher.



SSL/TLS/HTTPS

Standard AES-CBC encryption

of a packet ( p 0 ; p 1 ; p 2):

send random v ,

c

0= AES

k

( p

0 v ),

c 1 = AESk

( p 1 c 0),

c 2 = AESk

( p 2 c 1).



SSL/TLS/HTTPS

Standard AES-CBC encryption

of a packet ( p 0 ; p 1 ; p 2):

send random v ,

c

0= AES

k

( p

0 v ),

c 1 = AESk

( p 1 c 0),

c 2 = AESk

( p 2 c 1).

AES-CBC encryption in SSL:retrieve last block c

1

from previous ciphertext; send

c 0 = AES k ( p 0 c

1),c 1 = AES

k

( p 1 c 0),

c 2 = AESk

( p 2 c 1).



SSL lets attacker choose p 0

as function of c

1! Very bad.

2002 Moller:

To check a guess g for (e.g.) p

3,

choose p

0= c

1 g c

4,

compare c 0 to c

3.

2006 Bard:

malicious code in browser shouldbe able to carry out this attack,

especially if high-entropy data

is split across blocks.

2011 Duong–Rizzo “BEAST”:

fast attack fully implemented,

including controlled variable split.

http://eprint.iacr.org/2006/136

http://www.openssl.org/~bodo/tls-cbc.txt



Countermeasure in browsers:

send a content-free packet

just before sending real packet.






Attacker can also try to attack

CBC by forging ciphertexts ,

but each SSL packet

includes an authenticator.

“Authenticate-then-encrypt”:SSL appends an authenticator,

pads reversibly to full block,

encrypts with CBC.






Attacker can also try to attack

CBC by forging ciphertexts ,

but each SSL packet

includes an authenticator.

“Authenticate-then-encrypt”:SSL appends an authenticator,

pads reversibly to full block,

encrypts with CBC.

2001 Krawczyk:

This is provably secure.






2001 Vaudenay:

This is completely broken

if attacker can distinguishpadding failure from MAC failure.

http://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf



2001 Vaudenay:



2003 Canvel:

Obtain such a padding oracle

by observing SSL server timing.

http://lasec.epfl.ch/php_code/publications/search.php?ref=CHVV03




2001 Vaudenay:



2003 Canvel:



Response in OpenSSL etc.:always compute MAC

even if padding fails.





2001 Vaudenay:



2003 Canvel:



Response in OpenSSL etc.:always compute MAC

even if padding fails.

2013.02 AlFardan–Paterson

“Lucky 13”: watch timing

more closely; attack still works.

http://www.isg.rhul.ac.uk/tls/







“Cryptographic algorithm agility”:

(1) the pretense that bad crypto

is okay if there’s a backup plan +(2) the pretense that there

is in fact a backup plan.







SSL has a crypto switch

that in theory allows

switching to AES-GCM.

But most SSL software

doesn’t support AES-GCM.












The software does supportone non-CBC option:












The software does supportone non-CBC option: RC4.

Now widely recommended,

used for 50% of SSL traffic.



Not as scary as WEP: SSL uses a

hash to avoid related RC4 keys.

2001 Rivest: “The new attacksdo not apply to RC4-based SSL.

: : : [protocol] designers [using

RC4] should not be concerned.”

http://www.rsa.com/rsalabs/node.asp?id=2009








Problem: many nasty biases in

RC4 output bytes z

1; z

2; : : : .









Problem: many nasty biases in

RC4 output bytes z

1; z

2; : : : .

2013 AlFardan–Bernstein–

Paterson–Poettering–Schuldt,

“On the security of RC4 in TLS”:Force target cookie into many

RC4 sessions. Use RC4 biases

to find cookie from ciphertexts.




The single-byte biases:

2001 Mantin–Shamir:

z 2 3 0.

http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/bc_rc4.ps





z 2 3 0.

2002 Mironov:

z 1 T3

0,z 1 T3

1,z 1 3

2, etc.







z 2 3 0.

2002 Mironov:

z 1 T3

0,z 1 T3

1,z 1 3

2, etc.

2011 Maitra–Paul–Sen Gupta:

z 3 3 0, z 4 3 0, : : : , z 255 3 0,

contrary to Mantin–Shamir claim.







z 2 3 0.

2002 Mironov:

z 1 T3

0,z 1 T3

1,z 1 3

2, etc.


z 3 3 0, z 4 3 0, : : : , z 255 3 0,


2011 Sen Gupta–Maitra–Paul–

Sarkar:z

163

240.(This is specific to 128-bit keys.)







z 2 3 0.

2002 Mironov:

z 1 T3

0,z 1 T3

1,z 1 3

2, etc.


z 3 3 0, z 4 3 0, : : : , z 255 3 0,


2011 Sen Gupta–Maitra–Paul–

Sarkar:z

163

240.(This is specific to 128-bit keys.)

But wait: there’s more!






Paterson–Poettering–Schuldt:

accurately computed Pr[ z

i = j ]for all i P f 1; : : : ; 256g , all j ;

found % 65536 single-byte biases;

used all of them in SSL attackvia proper Bayesian analysis.




Paterson–Poettering–Schuldt:

accurately computed Pr[ z

i = j ]for all i P f 1; : : : ; 256g , all j ;

found % 65536 single-byte biases;

used all of them in SSL attackvia proper Bayesian analysis.

% 256 of these biases were found

independently (slightly earlier)

by 2013 Watanabe–Isobe–

Ohigashi–Morii, 2013 Isobe–

Ohigashi–Watanabe–Morii:

z 32 3 224, z 48 3 208, etc.;

z

33

131;z

i

3 i

;z

256T3

0.



Graph of 256 Pr[z 2 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010




0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 100 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 101 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 102 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 104 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 105 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 106 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 107 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 108 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 109 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 110 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 111 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 112 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 113 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 114 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 115 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 116 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 117 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 118 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 119 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 120 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 121 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 122 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 123 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 124 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 125 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 126 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 127 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 128 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 129 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 130 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 131 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 132 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 133 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 135 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 136 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 137 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 138 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 139 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 140 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 141 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 142 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 143 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 144 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 145 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 146 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 147 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 148 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 149 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 150 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 151 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 152 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 153 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 154 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 155 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 156 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 157 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 158 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 159 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 160 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 161 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 162 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 163 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 164 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 165 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 166 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 167 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 168 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 169 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 170 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 171 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 172 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 173 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 174 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 175 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 176 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 177 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 178 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 179 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 180 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 181 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 182 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 183 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 184 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 185 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 186 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 187 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 188 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 189 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 190 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 192 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 193 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 194 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 195 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 196 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 197 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 199 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 200 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 201 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 202 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 203 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 204 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 205 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 206 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 208 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 209 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 210 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 211 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 212 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 213 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 214 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 215 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 216 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 217 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 218 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 219 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 220 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 221 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 222 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 223 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 224 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 225 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 226 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 227 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 228 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 229 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 230 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 231 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 232 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 233 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 234 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 235 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 236 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 237 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 238 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 239 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 240 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 241 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 242 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 243 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 244 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 245 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 246 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 247 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 248 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 249 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 250 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 251 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 252 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 253 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 254 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 255 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010



Graph of 256 Pr[z 256 = x ]:

0 50 100 150 200 2500.990

0.995

1.000

1.005

1.010




Paterson–Poettering–Schuldt

success probability (256 trials)for recovering byte x of plaintext

from 224 ciphertexts (with

no prior plaintext knowledge):

0"

0.2"

0.4"

0.6"

0.8"

1"

1.2"

0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"








0"

0.2"

0.4"

0.6"

0.8"

1"

1.2"

0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"



Why does this happen?

For years we’ve had AES;

AES-GCM; defenses against

various side-channel attacks.

We simply have to educate thesoftware and hardware engineers

choosing crypto primitives, right?









Maybe, maybe not.

Does AES-GCM actually do

what the users need?









Maybe, maybe not.

Does AES-GCM actually do

what the users need?

Often it doesn’t.

Most obvious issue: performance.



e.g. 2001 Rivest: “The ‘heart’ of

RC4 is its exceptionally simple

and extremely efficient pseudo-random generator. : : : RC4 is

likely to remain the algorithm of

choice for many applications andembedded systems.”

e.g. OpenSSL still uses table-

based implementations of AES

for speed on most CPUs,

leaking many key bits; see, e.g.,

2012 Weiß–Heinz–Stumpf .

e.g. RFIDs need small ciphers.

http://fc12.ifca.ai/pre-proceedings/paper_70.pdf





Major research direction:

achieve better performance

than AES-GCMwithout sacrificing security.

Fit into low power (watts),

low area (square micrometers),

sometimes low latency (seconds);

minimize area¢ seconds/byte;

minimize energy (joules)/byte.

Many different CPUs, FPGAs,

ASIC manufacturing technologies.

Many different input sizes,

precomputation possibilities, etc.



Can one design do very well

in hardware and software?

Some inspirational examples:

Trivium and Keccak

are “hardware” designs

but not bad in software.



Can one design do very well

in hardware and software?

Some inspirational examples:

Trivium and Keccak

are “hardware” designs

but not bad in software.

Another approach:

replace ARX with “ORX”.Skein-type mix doesn’t work

but can imitate Salsa20:

compose a^=((b|c)<<<r).Needs a few more rounds,

but friendlier to hardware.



Another major research direction:

achieve better security

than AES-GCMwithout sacrificing performance.

Typical 128-bit blocks

are starting to feel too small.

Limit impact of collisions?

Use larger blocks?









Use larger blocks?

Typical 128-bit pipe

is starting to feel too small.

Limit reforgeries? Use wider pipe?









Use larger blocks?

Typical 128-bit pipe

is starting to feel too small.

Limit reforgeries? Use wider pipe?

Has anyone tried optimizing

192-bit/256-bit poly hashes?



Allow repeated message numbers?

User has to expect that

encrypting ( n ; m ) and (n ; m

H )

will tell attacker whether m = m

H .






H )


H .

But user is surprised if repeatedmessage number leaks more

information, allows forgeries, etc.






H )


H .



2006 Rogaway–Shrimpton:

first authenticate ( n ; m ),

then use the authenticator

as a nonce to encrypt m .

http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html






H )


H .



2006 Rogaway–Shrimpton:

first authenticate ( n ; m ),

then use the authenticator

as a nonce to encrypt m .

Is this protection compatible

with fast forgery rejection?

http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html



Many ciphers integrate

“free” message authentication:

e.g., AES-OCB, Helix, Phelix.

Is this compatible

with repeated message numbers?






Is this compatible


Is this compatible







Is this compatible


Is this compatible


One approach: build

H F F H Feistel block cipher;

reuse first H for fast auth

with repeated message numbers;

reuse last H for another auth

with fast forgery rejection.

But this consumes bandwidth.



Many more directions

in authenticated ciphers.

AES-GCM is clearly not

the end of the story.

Can build better modesusing same MAC, cipher.

Can build better MACs,

combine with same cipher.

Can build better

block ciphers, stream ciphers.

Can build better integrated

authenticated ciphers.



CAESAR

“Competition for Authenticated

Encryption: Security,

Applicability, and Robustness”

competitions.cr.yp.to

Mailing list: crypto-

competitions+subscribe

@googlegroups.com

NIST is much too busy

to run another competitionbut has generously provided

a $333099 “Cryptographic

competitions” grant to UIC.

mailto:[email protected]



http://competitions.cr.yp.to/



Competition scheduling

AES schedule:

M0: 15 submissions.

M14: 5 finalists.

M28: 1 winner.

eSTREAM schedule:

M0: 34 submissions.

M11: 27 round-2 ciphers.M24: 16 finalists.

M36: 8 portfolio ciphers.

M41: 7 portfolio ciphers.



SHA-3 schedule:

M0: 64 submissions.

M9: 14 round-2 functions.M26: 5 finalists.

M48: 1 winner.

Tentative CAESAR schedule:

M0, 2014.01.15: submissions.

M11: round-2 candidates.

M23: round-3 candidates.

M35: finalists.

M47: portfolio.

Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)

Documents

Transcript of Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)