Page 1
Failures of
secret-key cryptography
D. J. Bernstein
University of Illinois at Chicago &
Technische Universiteit Eindhoven
http://xkcd.com/538/
Page 2
2011 Grigg–Gutmann: In the
past 15 years “no one ever lost
money to an attack on a properly
designed cryptosystem (meaning
one that didn’t use homebrew
crypto or toy keys) in the Internet
or commercial worlds”.
Page 3
2011 Grigg–Gutmann: In the
past 15 years “no one ever lost
money to an attack on a properly
designed cryptosystem (meaning
one that didn’t use homebrew
crypto or toy keys) in the Internet
or commercial worlds”.
2002 Shamir: “Cryptography is
usually bypassed. I am not aware
of any major world-class security
system employing cryptography in
which the hackers penetrated the
system by actually going through
the cryptanalysis.”
Page 4
Do these people mean that
it’s actually infeasible
to break real-world crypto?
Page 5
Do these people mean that
it’s actually infeasible
to break real-world crypto?
Or do they mean that
breaks are feasible
but still not worthwhile
for the attackers?
Page 6
Do these people mean that
it’s actually infeasible
to break real-world crypto?
Or do they mean that
breaks are feasible
but still not worthwhile
for the attackers?
Or are they simply wrong:
real-world crypto is breakable;
is in fact being broken;
is one of many ongoing
disaster areas in security?
Page 7
Do these people mean that
it’s actually infeasible
to break real-world crypto?
Or do they mean that
breaks are feasible
but still not worthwhile
for the attackers?
Or are they simply wrong:
real-world crypto is breakable;
is in fact being broken;
is one of many ongoing
disaster areas in security?
Let’s look at some examples.
Page 8
Windows code signatures
Flame broke into computers,
spied on audio, keystrokes, etc.
2012.06.03 Microsoft:
“We recently became aware
of a complex piece of targeted
malware known as ‘Flame’ and
immediately began examining the
issue. : : : We have discovered
through our analysis that some
components of the malware have
been signed by certificates that
allow software to appear as if it
was produced by Microsoft.”
Page 9
2012.06.07 Stevens: “A chosen-
prefix collision attack against
MD5 has been used for Flame.
More interestingly : : : not our
published chosen-prefix collision
attack was used, but an entirely
new and unknown variant.”
Page 10
2012.06.07 Stevens: “A chosen-
prefix collision attack against
MD5 has been used for Flame.
More interestingly : : : not our
published chosen-prefix collision
attack was used, but an entirely
new and unknown variant.”
CrySyS: Flame file wavesup3.drv
appeared in logs in 2007; Flame
“may have been active for as long
as five to eight years”.
Page 11
2012.06.07 Stevens: “A chosen-
prefix collision attack against
MD5 has been used for Flame.
More interestingly : : : not our
published chosen-prefix collision
attack was used, but an entirely
new and unknown variant.”
CrySyS: Flame file wavesup3.drv
appeared in logs in 2007; Flame
“may have been active for as long
as five to eight years”.
Was MD5 “homebrew crypto”?
No. Standardized, widely used.
Worthwhile to attack? Yes.
Page 12
Compare to 2011 Grigg–Gutmann:
“Cryptosystem failure is orders of
magnitude below any other risk.”
Page 13
Compare to 2011 Grigg–Gutmann:
“Cryptosystem failure is orders of
magnitude below any other risk.”
http://en.wikipedia.org/wiki
/2003_Mission_Accomplished
_speech
Page 14
WEP
WEP introduced in 1997
in 802.11 wireless standard.
2001 Borisov–Goldberg–Wagner:
24-bit “nonce” frequently repeats,
leaking plaintext xor and
allowing very easy forgeries.
2001 Arbaugh–Shankar–Wan:
this also breaks user auth.
2001 Fluhrer–Mantin–Shamir:
WEP builds RC4 key (k; n)
from secret k, “nonce” n;
RC4 outputs leak bytes of k.
Page 15
Implementations, optimizations
of k-recovery attack: 2001
Stubblefield–Ioannidis–Rubin,
2004 KoreK, 2004 Devine, 2005
d’Otreppe, 2006 Klein, 2007
Tews–Weinmann–Pyshkin, 2010
Sepehrdad–Vaudenay–Vuagnoux,
2013 S–Susil–V–V, : : :
Page 16
Implementations, optimizations
of k-recovery attack: 2001
Stubblefield–Ioannidis–Rubin,
2004 KoreK, 2004 Devine, 2005
d’Otreppe, 2006 Klein, 2007
Tews–Weinmann–Pyshkin, 2010
Sepehrdad–Vaudenay–Vuagnoux,
2013 S–Susil–V–V, : : :
“These are academic papers!
Nobody was actually attacked.”
Page 17
Implementations, optimizations
of k-recovery attack: 2001
Stubblefield–Ioannidis–Rubin,
2004 KoreK, 2004 Devine, 2005
d’Otreppe, 2006 Klein, 2007
Tews–Weinmann–Pyshkin, 2010
Sepehrdad–Vaudenay–Vuagnoux,
2013 S–Susil–V–V, : : :
“These are academic papers!
Nobody was actually attacked.”
Fact: WEP blamed for 2007 theft
of 45 million credit-card numbers
from T. J. Maxx. Subsequent
lawsuit settled for $40900000.
Page 18
Keeloq
Wikipedia: “KeeLoq is or was
used in many remote keyless
entry systems by such companies
as Chrysler, Daewoo, Fiat,
GM, Honda, Toyota, Volvo,
Volkswagen Group, Clifford,
Shurlok, Jaguar, etc.”
2007 Indesteege–Keller–
Biham–Dunkelman–Preneel
“How to steal cars”:
recover 64-bit KeeLoq key
using 216 known plaintexts,
only 244:5 encryptions.
Page 19
2008 Eisenbarth–Kasper–Moradi–
Paar–Salmasizadeh–Shalmani
recovered system’s master key,
allowing practically instantaneous
cloning of KeeLoq keys.
Page 20
2008 Eisenbarth–Kasper–Moradi–
Paar–Salmasizadeh–Shalmani
recovered system’s master key,
allowing practically instantaneous
cloning of KeeLoq keys.
1. Setup phase of this attack
watches power consumption
of Keeloq device. Is this
“bypassing” the cryptography?
Page 21
2008 Eisenbarth–Kasper–Moradi–
Paar–Salmasizadeh–Shalmani
recovered system’s master key,
allowing practically instantaneous
cloning of KeeLoq keys.
1. Setup phase of this attack
watches power consumption
of Keeloq device. Is this
“bypassing” the cryptography?
2. If all the “X is weak” press
comes from academics, is it safe
to conclude that real attackers
aren’t breaking X? How often do
real attackers issue press releases?
Page 22
VMWare View
VMWare View is a remote
desktop protocol supported by
many low-cost terminals.
Recommendation from VMWare,
Dell, etc.: switch from “AES-128”
to “SALSA20-256” for the “best
user experience”. Apparently AES
slows down network graphics.
Page 23
VMWare View
VMWare View is a remote
desktop protocol supported by
many low-cost terminals.
Recommendation from VMWare,
Dell, etc.: switch from “AES-128”
to “SALSA20-256” for the “best
user experience”. Apparently AES
slows down network graphics.
Closer look at documentation:
“AES-128” and “SALSA20-256”
are actually “AES-128-GCM”
and “Salsa20-256-Round12”.
Page 24
AES-128-GCM includes AES
and message authentication.
No indication that VMWare’s
“Salsa20-256-Round12” includes
any message authentication.
Can attacker forge packets?
One can easily combine Salsa20
with message authentication,
but does VMWare do this?
Salsa20 has speed and security
advantages over AES, but
both Salsa20 and AES are
unauthenticated ciphers.
User needs authenticated cipher.
Page 25
SSL/TLS/HTTPS
Standard AES-CBC encryption
of a packet (p0; p1; p2):
send random v,
c0 = AESk(p0 � v),
c1 = AESk(p1 � c0),
c2 = AESk(p2 � c1).
Page 26
SSL/TLS/HTTPS
Standard AES-CBC encryption
of a packet (p0; p1; p2):
send random v,
c0 = AESk(p0 � v),
c1 = AESk(p1 � c0),
c2 = AESk(p2 � c1).
AES-CBC encryption in SSL:
retrieve last block c�1
from previous ciphertext; send
c0 = AESk(p0 � c�1),
c1 = AESk(p1 � c0),
c2 = AESk(p2 � c1).
Page 27
SSL lets attacker choose p0
as function of c�1! Very bad.
2002 Moller:
To check a guess g for (e.g.) p�3,
choose p0 = c�1 � g � c�4,
compare c0 to c�3.
2006 Bard:
malicious code in browser should
be able to carry out this attack,
especially if high-entropy data
is split across blocks.
2011 Duong–Rizzo “BEAST”:
fast attack fully implemented,
including controlled variable split.
Page 28
Countermeasure in browsers:
send a content-free packet
just before sending real packet.
Page 29
Countermeasure in browsers:
send a content-free packet
just before sending real packet.
Attacker can also try to attack
CBC by forging ciphertexts,
but each SSL packet
includes an authenticator.
“Authenticate-then-encrypt”:
SSL appends an authenticator,
pads reversibly to full block,
encrypts with CBC.
Page 30
Countermeasure in browsers:
send a content-free packet
just before sending real packet.
Attacker can also try to attack
CBC by forging ciphertexts,
but each SSL packet
includes an authenticator.
“Authenticate-then-encrypt”:
SSL appends an authenticator,
pads reversibly to full block,
encrypts with CBC.
2001 Krawczyk:
This is provably secure.
Page 31
2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.
Page 32
2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.
2003 Canvel:
Obtain such a padding oracle
by observing SSL server timing.
Page 33
2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.
2003 Canvel:
Obtain such a padding oracle
by observing SSL server timing.
Response in OpenSSL etc.:
always compute MAC
even if padding fails.
Page 34
2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.
2003 Canvel:
Obtain such a padding oracle
by observing SSL server timing.
Response in OpenSSL etc.:
always compute MAC
even if padding fails.
2013.02 AlFardan–Paterson
“Lucky 13”: watch timing
more closely; attack still works.
Page 35
“Cryptographic algorithm agility”:
(1) the pretense that bad crypto
is okay if there’s a backup plan +
(2) the pretense that there
is in fact a backup plan.
Page 36
“Cryptographic algorithm agility”:
(1) the pretense that bad crypto
is okay if there’s a backup plan +
(2) the pretense that there
is in fact a backup plan.
SSL has a crypto switch
that in theory allows
switching to AES-GCM.
But most SSL software
doesn’t support AES-GCM.
Page 37
“Cryptographic algorithm agility”:
(1) the pretense that bad crypto
is okay if there’s a backup plan +
(2) the pretense that there
is in fact a backup plan.
SSL has a crypto switch
that in theory allows
switching to AES-GCM.
But most SSL software
doesn’t support AES-GCM.
The software does support
one non-CBC option:
Page 38
“Cryptographic algorithm agility”:
(1) the pretense that bad crypto
is okay if there’s a backup plan +
(2) the pretense that there
is in fact a backup plan.
SSL has a crypto switch
that in theory allows
switching to AES-GCM.
But most SSL software
doesn’t support AES-GCM.
The software does support
one non-CBC option: RC4.
Now widely recommended,
used for 50% of SSL traffic.
Page 39
Not as scary as WEP: SSL uses a
hash to avoid related RC4 keys.
2001 Rivest: “The new attacks
do not apply to RC4-based SSL.
: : : [protocol] designers [using
RC4] should not be concerned.”
Page 40
Not as scary as WEP: SSL uses a
hash to avoid related RC4 keys.
2001 Rivest: “The new attacks
do not apply to RC4-based SSL.
: : : [protocol] designers [using
RC4] should not be concerned.”
Problem: many nasty biases in
RC4 output bytes z1; z2; : : :.
Page 41
Not as scary as WEP: SSL uses a
hash to avoid related RC4 keys.
2001 Rivest: “The new attacks
do not apply to RC4-based SSL.
: : : [protocol] designers [using
RC4] should not be concerned.”
Problem: many nasty biases in
RC4 output bytes z1; z2; : : :.
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt,
“On the security of RC4 in TLS”:
Force target cookie into many
RC4 sessions. Use RC4 biases
to find cookie from ciphertexts.
Page 42
The single-byte biases:
2001 Mantin–Shamir:
z2 ! 0.
Page 43
The single-byte biases:
2001 Mantin–Shamir:
z2 ! 0.
2002 Mironov:
z1 6! 0, z1 6! 1, z1 ! 2, etc.
Page 44
The single-byte biases:
2001 Mantin–Shamir:
z2 ! 0.
2002 Mironov:
z1 6! 0, z1 6! 1, z1 ! 2, etc.
2011 Maitra–Paul–Sen Gupta:
z3 ! 0, z4 ! 0, : : : , z255 ! 0,
contrary to Mantin–Shamir claim.
Page 45
The single-byte biases:
2001 Mantin–Shamir:
z2 ! 0.
2002 Mironov:
z1 6! 0, z1 6! 1, z1 ! 2, etc.
2011 Maitra–Paul–Sen Gupta:
z3 ! 0, z4 ! 0, : : : , z255 ! 0,
contrary to Mantin–Shamir claim.
2011 Sen Gupta–Maitra–Paul–
Sarkar: z16 ! 240.
(This is specific to 128-bit keys.)
Page 46
The single-byte biases:
2001 Mantin–Shamir:
z2 ! 0.
2002 Mironov:
z1 6! 0, z1 6! 1, z1 ! 2, etc.
2011 Maitra–Paul–Sen Gupta:
z3 ! 0, z4 ! 0, : : : , z255 ! 0,
contrary to Mantin–Shamir claim.
2011 Sen Gupta–Maitra–Paul–
Sarkar: z16 ! 240.
(This is specific to 128-bit keys.)
But wait: there’s more!
Page 47
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt:
accurately computed Pr[zi = j]
for all i 2 f1; : : : ; 256g, all j;
found �65536 single-byte biases;
used all of them in SSL attack
via proper Bayesian analysis.
Page 48
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt:
accurately computed Pr[zi = j]
for all i 2 f1; : : : ; 256g, all j;
found �65536 single-byte biases;
used all of them in SSL attack
via proper Bayesian analysis.
�256 of these biases were found
independently (slightly earlier)
by 2013 Watanabe–Isobe–
Ohigashi–Morii, 2013 Isobe–
Ohigashi–Watanabe–Morii:
z32 ! 224, z48 ! 208, etc.;
z3 ! 131; zi ! i; z256 6! 0.
Page 49
Graph of 256 Pr[z1 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 50
Graph of 256 Pr[z2 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 51
Graph of 256 Pr[z3 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 52
Graph of 256 Pr[z4 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 53
Graph of 256 Pr[z5 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 54
Graph of 256 Pr[z6 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 55
Graph of 256 Pr[z7 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 56
Graph of 256 Pr[z8 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 57
Graph of 256 Pr[z9 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 58
Graph of 256 Pr[z10 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 59
Graph of 256 Pr[z11 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 60
Graph of 256 Pr[z12 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 61
Graph of 256 Pr[z13 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 62
Graph of 256 Pr[z14 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 63
Graph of 256 Pr[z15 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 64
Graph of 256 Pr[z16 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 65
Graph of 256 Pr[z17 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 66
Graph of 256 Pr[z18 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 67
Graph of 256 Pr[z19 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 68
Graph of 256 Pr[z20 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 69
Graph of 256 Pr[z21 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 70
Graph of 256 Pr[z22 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 71
Graph of 256 Pr[z23 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 72
Graph of 256 Pr[z24 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 73
Graph of 256 Pr[z25 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 74
Graph of 256 Pr[z26 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 75
Graph of 256 Pr[z27 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 76
Graph of 256 Pr[z28 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 77
Graph of 256 Pr[z29 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 78
Graph of 256 Pr[z30 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 79
Graph of 256 Pr[z31 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 80
Graph of 256 Pr[z32 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 81
Graph of 256 Pr[z33 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 82
Graph of 256 Pr[z34 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 83
Graph of 256 Pr[z35 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 84
Graph of 256 Pr[z36 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 85
Graph of 256 Pr[z37 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 86
Graph of 256 Pr[z38 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 87
Graph of 256 Pr[z39 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 88
Graph of 256 Pr[z40 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 89
Graph of 256 Pr[z41 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 90
Graph of 256 Pr[z42 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 91
Graph of 256 Pr[z43 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 92
Graph of 256 Pr[z44 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 93
Graph of 256 Pr[z45 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 94
Graph of 256 Pr[z46 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 95
Graph of 256 Pr[z47 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 96
Graph of 256 Pr[z48 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 97
Graph of 256 Pr[z49 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 98
Graph of 256 Pr[z50 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 99
Graph of 256 Pr[z51 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 100
Graph of 256 Pr[z52 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 101
Graph of 256 Pr[z53 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 102
Graph of 256 Pr[z54 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 103
Graph of 256 Pr[z55 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 104
Graph of 256 Pr[z56 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 105
Graph of 256 Pr[z57 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 106
Graph of 256 Pr[z58 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 107
Graph of 256 Pr[z59 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 108
Graph of 256 Pr[z60 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 109
Graph of 256 Pr[z61 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 110
Graph of 256 Pr[z62 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 111
Graph of 256 Pr[z63 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 112
Graph of 256 Pr[z64 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 113
Graph of 256 Pr[z65 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 114
Graph of 256 Pr[z66 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 115
Graph of 256 Pr[z67 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 116
Graph of 256 Pr[z68 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 117
Graph of 256 Pr[z69 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 118
Graph of 256 Pr[z70 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 119
Graph of 256 Pr[z71 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 120
Graph of 256 Pr[z72 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 121
Graph of 256 Pr[z73 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 122
Graph of 256 Pr[z74 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 123
Graph of 256 Pr[z75 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 124
Graph of 256 Pr[z76 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 125
Graph of 256 Pr[z77 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 126
Graph of 256 Pr[z78 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 127
Graph of 256 Pr[z79 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 128
Graph of 256 Pr[z80 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 129
Graph of 256 Pr[z81 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 130
Graph of 256 Pr[z82 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 131
Graph of 256 Pr[z83 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 132
Graph of 256 Pr[z84 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 133
Graph of 256 Pr[z85 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 134
Graph of 256 Pr[z86 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 135
Graph of 256 Pr[z87 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 136
Graph of 256 Pr[z88 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 137
Graph of 256 Pr[z89 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 138
Graph of 256 Pr[z90 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 139
Graph of 256 Pr[z91 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 140
Graph of 256 Pr[z92 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 141
Graph of 256 Pr[z93 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 142
Graph of 256 Pr[z94 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 143
Graph of 256 Pr[z95 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 144
Graph of 256 Pr[z96 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 145
Graph of 256 Pr[z97 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 146
Graph of 256 Pr[z98 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 147
Graph of 256 Pr[z99 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 148
Graph of 256 Pr[z100 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 149
Graph of 256 Pr[z101 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 150
Graph of 256 Pr[z102 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 151
Graph of 256 Pr[z103 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 152
Graph of 256 Pr[z104 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 153
Graph of 256 Pr[z105 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 154
Graph of 256 Pr[z106 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 155
Graph of 256 Pr[z107 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 156
Graph of 256 Pr[z108 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 157
Graph of 256 Pr[z109 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 158
Graph of 256 Pr[z110 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 159
Graph of 256 Pr[z111 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 160
Graph of 256 Pr[z112 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 161
Graph of 256 Pr[z113 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 162
Graph of 256 Pr[z114 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 163
Graph of 256 Pr[z115 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 164
Graph of 256 Pr[z116 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 165
Graph of 256 Pr[z117 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 166
Graph of 256 Pr[z118 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 167
Graph of 256 Pr[z119 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 168
Graph of 256 Pr[z120 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 169
Graph of 256 Pr[z121 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 170
Graph of 256 Pr[z122 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 171
Graph of 256 Pr[z123 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 172
Graph of 256 Pr[z124 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 173
Graph of 256 Pr[z125 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 174
Graph of 256 Pr[z126 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 175
Graph of 256 Pr[z127 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 176
Graph of 256 Pr[z128 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 177
Graph of 256 Pr[z129 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 178
Graph of 256 Pr[z130 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 179
Graph of 256 Pr[z131 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 180
Graph of 256 Pr[z132 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 181
Graph of 256 Pr[z133 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 182
Graph of 256 Pr[z134 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 183
Graph of 256 Pr[z135 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 184
Graph of 256 Pr[z136 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 185
Graph of 256 Pr[z137 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 186
Graph of 256 Pr[z138 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 187
Graph of 256 Pr[z139 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 188
Graph of 256 Pr[z140 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 189
Graph of 256 Pr[z141 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 190
Graph of 256 Pr[z142 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 191
Graph of 256 Pr[z143 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 192
Graph of 256 Pr[z144 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 193
Graph of 256 Pr[z145 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 194
Graph of 256 Pr[z146 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 195
Graph of 256 Pr[z147 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 196
Graph of 256 Pr[z148 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 197
Graph of 256 Pr[z149 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 198
Graph of 256 Pr[z150 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 199
Graph of 256 Pr[z151 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 200
Graph of 256 Pr[z152 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 201
Graph of 256 Pr[z153 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 202
Graph of 256 Pr[z154 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 203
Graph of 256 Pr[z155 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 204
Graph of 256 Pr[z156 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 205
Graph of 256 Pr[z157 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 206
Graph of 256 Pr[z158 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 207
Graph of 256 Pr[z159 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 208
Graph of 256 Pr[z160 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 209
Graph of 256 Pr[z161 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 210
Graph of 256 Pr[z162 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 211
Graph of 256 Pr[z163 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 212
Graph of 256 Pr[z164 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 213
Graph of 256 Pr[z165 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 214
Graph of 256 Pr[z166 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 215
Graph of 256 Pr[z167 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 216
Graph of 256 Pr[z168 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 217
Graph of 256 Pr[z169 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 218
Graph of 256 Pr[z170 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 219
Graph of 256 Pr[z171 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 220
Graph of 256 Pr[z172 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 221
Graph of 256 Pr[z173 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 222
Graph of 256 Pr[z174 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 223
Graph of 256 Pr[z175 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 224
Graph of 256 Pr[z176 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 225
Graph of 256 Pr[z177 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 226
Graph of 256 Pr[z178 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 227
Graph of 256 Pr[z179 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 228
Graph of 256 Pr[z180 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 229
Graph of 256 Pr[z181 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 230
Graph of 256 Pr[z182 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 231
Graph of 256 Pr[z183 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 232
Graph of 256 Pr[z184 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 233
Graph of 256 Pr[z185 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 234
Graph of 256 Pr[z186 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 235
Graph of 256 Pr[z187 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 236
Graph of 256 Pr[z188 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 237
Graph of 256 Pr[z189 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 238
Graph of 256 Pr[z190 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 239
Graph of 256 Pr[z191 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 240
Graph of 256 Pr[z192 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 241
Graph of 256 Pr[z193 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 242
Graph of 256 Pr[z194 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 243
Graph of 256 Pr[z195 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 244
Graph of 256 Pr[z196 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 245
Graph of 256 Pr[z197 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 246
Graph of 256 Pr[z198 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 247
Graph of 256 Pr[z199 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 248
Graph of 256 Pr[z200 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 249
Graph of 256 Pr[z201 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 250
Graph of 256 Pr[z202 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 251
Graph of 256 Pr[z203 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 252
Graph of 256 Pr[z204 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 253
Graph of 256 Pr[z205 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 254
Graph of 256 Pr[z206 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 255
Graph of 256 Pr[z207 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 256
Graph of 256 Pr[z208 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 257
Graph of 256 Pr[z209 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 258
Graph of 256 Pr[z210 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 259
Graph of 256 Pr[z211 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 260
Graph of 256 Pr[z212 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 261
Graph of 256 Pr[z213 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 262
Graph of 256 Pr[z214 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 263
Graph of 256 Pr[z215 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 264
Graph of 256 Pr[z216 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 265
Graph of 256 Pr[z217 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 266
Graph of 256 Pr[z218 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 267
Graph of 256 Pr[z219 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 268
Graph of 256 Pr[z220 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 269
Graph of 256 Pr[z221 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 270
Graph of 256 Pr[z222 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 271
Graph of 256 Pr[z223 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 272
Graph of 256 Pr[z224 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 273
Graph of 256 Pr[z225 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 274
Graph of 256 Pr[z226 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 275
Graph of 256 Pr[z227 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 276
Graph of 256 Pr[z228 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 277
Graph of 256 Pr[z229 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 278
Graph of 256 Pr[z230 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 279
Graph of 256 Pr[z231 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 280
Graph of 256 Pr[z232 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 281
Graph of 256 Pr[z233 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 282
Graph of 256 Pr[z234 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 283
Graph of 256 Pr[z235 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 284
Graph of 256 Pr[z236 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 285
Graph of 256 Pr[z237 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 286
Graph of 256 Pr[z238 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 287
Graph of 256 Pr[z239 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 288
Graph of 256 Pr[z240 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 289
Graph of 256 Pr[z241 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 290
Graph of 256 Pr[z242 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 291
Graph of 256 Pr[z243 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 292
Graph of 256 Pr[z244 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 293
Graph of 256 Pr[z245 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 294
Graph of 256 Pr[z246 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 295
Graph of 256 Pr[z247 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 296
Graph of 256 Pr[z248 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 297
Graph of 256 Pr[z249 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 298
Graph of 256 Pr[z250 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 299
Graph of 256 Pr[z251 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 300
Graph of 256 Pr[z252 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 301
Graph of 256 Pr[z253 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 302
Graph of 256 Pr[z254 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 303
Graph of 256 Pr[z255 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 304
Graph of 256 Pr[z256 = x]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
Page 305
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 224 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 306
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 225 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 307
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 226 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 308
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 227 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 309
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 228 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 310
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 229 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 311
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 230 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 312
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 231 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 313
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 232 ciphertexts (with
no prior plaintext knowledge):
0"
0.2"
0.4"
0.6"
0.8"
1"
1.2"
0" 10" 20" 30" 40" 50" 60" 70" 80" 90" 100" 110" 120" 130" 140" 150" 160" 170" 180" 190" 200" 210" 220" 230" 240" 250"
Page 314
Why does this happen?
For years we’ve had AES;
AES-GCM; defenses against
various side-channel attacks.
We simply have to educate the
software and hardware engineers
choosing crypto primitives, right?
Page 315
Why does this happen?
For years we’ve had AES;
AES-GCM; defenses against
various side-channel attacks.
We simply have to educate the
software and hardware engineers
choosing crypto primitives, right?
Maybe, maybe not.
Does AES-GCM actually do
what the users need?
Page 316
Why does this happen?
For years we’ve had AES;
AES-GCM; defenses against
various side-channel attacks.
We simply have to educate the
software and hardware engineers
choosing crypto primitives, right?
Maybe, maybe not.
Does AES-GCM actually do
what the users need?
Often it doesn’t.
Most obvious issue: performance.
Page 317
e.g. 2001 Rivest: “The ‘heart’ of
RC4 is its exceptionally simple
and extremely efficient pseudo-
random generator. : : : RC4 is
likely to remain the algorithm of
choice for many applications and
embedded systems.”
e.g. OpenSSL still uses table-
based implementations of AES
for speed on most CPUs,
leaking many key bits; see, e.g.,
2012 Weiß–Heinz–Stumpf.
e.g. RFIDs need small ciphers.
Page 318
Major research direction:
achieve better performance
than AES-GCM
without sacrificing security.
Fit into low power (watts),
low area (square micrometers),
sometimes low latency (seconds);
minimize area�seconds/byte;
minimize energy (joules)/byte.
Many different CPUs, FPGAs,
ASIC manufacturing technologies.
Many different input sizes,
precomputation possibilities, etc.
Page 319
Can one design do very well
in hardware and software?
Some inspirational examples:
Trivium and Keccak
are “hardware” designs
but not bad in software.
Page 320
Can one design do very well
in hardware and software?
Some inspirational examples:
Trivium and Keccak
are “hardware” designs
but not bad in software.
Another approach:
replace ARX with “ORX”.
Skein-type mix doesn’t work
but can imitate Salsa20:
compose a^=((b|c)<<<r).
Needs a few more rounds,
but friendlier to hardware.
Page 321
Another major research direction:
achieve better security
than AES-GCM
without sacrificing performance.
Typical 128-bit blocks
are starting to feel too small.
Limit impact of collisions?
Use larger blocks?
Page 322
Another major research direction:
achieve better security
than AES-GCM
without sacrificing performance.
Typical 128-bit blocks
are starting to feel too small.
Limit impact of collisions?
Use larger blocks?
Typical 128-bit pipe
is starting to feel too small.
Limit reforgeries? Use wider pipe?
Page 323
Another major research direction:
achieve better security
than AES-GCM
without sacrificing performance.
Typical 128-bit blocks
are starting to feel too small.
Limit impact of collisions?
Use larger blocks?
Typical 128-bit pipe
is starting to feel too small.
Limit reforgeries? Use wider pipe?
Has anyone tried optimizing
192-bit/256-bit poly hashes?
Page 324
Allow repeated message numbers?
User has to expect that
encrypting (n;m) and (n;m0)
will tell attacker whether m = m0.
Page 325
Allow repeated message numbers?
User has to expect that
encrypting (n;m) and (n;m0)
will tell attacker whether m = m0.
But user is surprised if repeated
message number leaks more
information, allows forgeries, etc.
Page 326
Allow repeated message numbers?
User has to expect that
encrypting (n;m) and (n;m0)
will tell attacker whether m = m0.
But user is surprised if repeated
message number leaks more
information, allows forgeries, etc.
2006 Rogaway–Shrimpton:
first authenticate (n;m),
then use the authenticator
as a nonce to encrypt m.
Page 327
Allow repeated message numbers?
User has to expect that
encrypting (n;m) and (n;m0)
will tell attacker whether m = m0.
But user is surprised if repeated
message number leaks more
information, allows forgeries, etc.
2006 Rogaway–Shrimpton:
first authenticate (n;m),
then use the authenticator
as a nonce to encrypt m.
Is this protection compatible
with fast forgery rejection?
Page 328
Many ciphers integrate
“free” message authentication:
e.g., AES-OCB, Helix, Phelix.
Is this compatible
with repeated message numbers?
Page 329
Many ciphers integrate
“free” message authentication:
e.g., AES-OCB, Helix, Phelix.
Is this compatible
with repeated message numbers?
Is this compatible
with fast forgery rejection?
Page 330
Many ciphers integrate
“free” message authentication:
e.g., AES-OCB, Helix, Phelix.
Is this compatible
with repeated message numbers?
Is this compatible
with fast forgery rejection?
One approach: build
HFFH Feistel block cipher;
reuse first H for fast auth
with repeated message numbers;
reuse last H for another auth
with fast forgery rejection.
But this consumes bandwidth.
Page 331
Many more directions
in authenticated ciphers.
AES-GCM is clearly not
the end of the story.
Can build better modes
using same MAC, cipher.
Can build better MACs,
combine with same cipher.
Can build better
block ciphers, stream ciphers.
Can build better integrated
authenticated ciphers.
Page 332
CAESAR
“Competition for Authenticated
Encryption: Security,
Applicability, and Robustness”
competitions.cr.yp.to
Mailing list: crypto-
competitions+subscribe
@googlegroups.com
NIST is much too busy
to run another competition
but has generously provided
a $333099 “Cryptographic
competitions” grant to UIC.
Page 333
Competition scheduling
AES schedule:
M0: 15 submissions.
M14: 5 finalists.
M28: 1 winner.
eSTREAM schedule:
M0: 34 submissions.
M11: 27 round-2 ciphers.
M24: 16 finalists.
M36: 8 portfolio ciphers.
M41: 7 portfolio ciphers.
Page 334
SHA-3 schedule:
M0: 64 submissions.
M9: 14 round-2 functions.
M26: 5 finalists.
M48: 1 winner.
Tentative CAESAR schedule:
M0, 2014.01.15: submissions.
M11: round-2 candidates.
M23: round-3 candidates.
M35: finalists.
M47: portfolio.
Page 335
Workshops
2012.07.05–06, Stockholm:
ECRYPT workshop on Directions
in Authenticated Ciphers.
DIAC 2013 in Chicago,
maybe 2013.08.12–13,
maybe 2013.08.26–27.
2013.08.14–16 is SAC;
2013.08.18–22 is Crypto;
2013.08.20–23 is CHES.
DIAC 2014: maybe San Diego?
DIAC 2015, 2016, 2017: TBA.