Failures of

secret-key cryptography
D. J. Bernstein
University of Illinois at Chicago &
Technische Universiteit Eindhoven

http://xkcd.com/538/

2011 GriggGutmann: In the

past 15 years no one ever lost
money to an attack on a properly
designed cryptosystem (meaning
one that didnt use homebrew
crypto or toy keys) in the Internet
or commercial worlds.

2011 GriggGutmann: In the

past 15 years no one ever lost
money to an attack on a properly
designed cryptosystem (meaning
one that didnt use homebrew
crypto or toy keys) in the Internet
or commercial worlds.
2002 Shamir: Cryptography is
usually bypassed. I am not aware
of any major world-class security
system employing cryptography in
which the hackers penetrated the
system by actually going through
the cryptanalysis.

Do these people mean that

its actually infeasible
to break real-world crypto?

Do these people mean that

its actually infeasible
to break real-world crypto?
Or do they mean that
breaks are feasible
but still not worthwhile
for the attackers?

Do these people mean that

its actually infeasible
to break real-world crypto?
Or do they mean that
breaks are feasible
but still not worthwhile
for the attackers?
Or are they simply wrong:
real-world crypto is breakable;
is in fact being broken;
is one of many ongoing
disaster areas in security?

Do these people mean that

its actually infeasible
to break real-world crypto?
Or do they mean that
breaks are feasible
but still not worthwhile
for the attackers?
Or are they simply wrong:
real-world crypto is breakable;
is in fact being broken;
is one of many ongoing
disaster areas in security?
Lets look at some examples.

Windows code signatures

Flame broke into computers,
spied on audio, keystrokes, etc.
2012.06.03 Microsoft:
We recently became aware
of a complex piece of targeted
malware known as Flame and
immediately began examining the
issue. : : : We have discovered
through our analysis that some
components of the malware have
been signed by certificates that
allow software to appear as if it
was produced by Microsoft.

2012.06.07 Stevens: A chosenprefix collision attack against

MD5 has been used for Flame.
More interestingly : : : not our
published chosen-prefix collision
attack was used, but an entirely
new and unknown variant.

2012.06.07 Stevens: A chosenprefix collision attack against

MD5 has been used for Flame.
More interestingly : : : not our
published chosen-prefix collision
attack was used, but an entirely
new and unknown variant.
CrySyS: Flame file wavesup3.drv
appeared in logs in 2007; Flame
may have been active for as long
as five to eight years.

2012.06.07 Stevens: A chosenprefix collision attack against

MD5 has been used for Flame.
More interestingly : : : not our
published chosen-prefix collision
attack was used, but an entirely
new and unknown variant.
CrySyS: Flame file wavesup3.drv
appeared in logs in 2007; Flame
may have been active for as long
as five to eight years.
Was MD5 homebrew crypto?
No. Standardized, widely used.
Worthwhile to attack? Yes.

Compare to 2011 GriggGutmann:

Cryptosystem failure is orders of
magnitude below any other risk.

Compare to 2011 GriggGutmann:

Cryptosystem failure is orders of
magnitude below any other risk.

http://en.wikipedia.org/wiki
/2003_Mission_Accomplished
_speech

WEP
WEP introduced in 1997
in 802.11 wireless standard.
2001 BorisovGoldbergWagner:
24-bit nonce frequently repeats,
leaking plaintext xor and
allowing very easy forgeries.
2001 ArbaughShankarWan:
this also breaks user auth.
2001 FluhrerMantinShamir:
WEP builds RC4 key (k; n)
from secret k, nonce n;
RC4 outputs leak bytes of k.

Implementations, optimizations
of k-recovery attack: 2001
StubblefieldIoannidisRubin,
2004 KoreK, 2004 Devine, 2005
dOtreppe, 2006 Klein, 2007
TewsWeinmannPyshkin, 2010
SepehrdadVaudenayVuagnoux,
2013 SSusilVV, : : :

Implementations, optimizations
of k-recovery attack: 2001
StubblefieldIoannidisRubin,
2004 KoreK, 2004 Devine, 2005
dOtreppe, 2006 Klein, 2007
TewsWeinmannPyshkin, 2010
SepehrdadVaudenayVuagnoux,
2013 SSusilVV, : : :
These are academic papers!
Nobody was actually attacked.

Implementations, optimizations
of k-recovery attack: 2001
StubblefieldIoannidisRubin,
2004 KoreK, 2004 Devine, 2005
dOtreppe, 2006 Klein, 2007
TewsWeinmannPyshkin, 2010
SepehrdadVaudenayVuagnoux,
2013 SSusilVV, : : :
These are academic papers!
Nobody was actually attacked.
Fact: WEP blamed for 2007 theft
of 45 million credit-card numbers
from T. J. Maxx. Subsequent
lawsuit settled for $40900000.

Keeloq
Wikipedia: KeeLoq is or was
used in many remote keyless
entry systems by such companies
as Chrysler, Daewoo, Fiat,
GM, Honda, Toyota, Volvo,
Volkswagen Group, Clifford,
Shurlok, Jaguar, etc.
2007 IndesteegeKeller
BihamDunkelmanPreneel
How to steal cars:
recover 64-bit KeeLoq key
using 216 known plaintexts,
only 244:5 encryptions.

2008 EisenbarthKasperMoradi
PaarSalmasizadehShalmani
recovered systems master key,
allowing practically instantaneous
cloning of KeeLoq keys.

2008 EisenbarthKasperMoradi
PaarSalmasizadehShalmani
recovered systems master key,
allowing practically instantaneous
cloning of KeeLoq keys.
1. Setup phase of this attack
watches power consumption
of Keeloq device. Is this
bypassing the cryptography?

2008 EisenbarthKasperMoradi
PaarSalmasizadehShalmani
recovered systems master key,
allowing practically instantaneous
cloning of KeeLoq keys.
1. Setup phase of this attack
watches power consumption
of Keeloq device. Is this
bypassing the cryptography?
2. If all the X is weak press
comes from academics, is it safe
to conclude that real attackers
arent breaking X ? How often do
real attackers issue press releases?

VMWare View
VMWare View is a remote
desktop protocol supported by
many low-cost terminals.
Recommendation from VMWare,
Dell, etc.: switch from AES-128
to SALSA20-256 for the best
user experience. Apparently AES
slows down network graphics.

VMWare View
VMWare View is a remote
desktop protocol supported by
many low-cost terminals.
Recommendation from VMWare,
Dell, etc.: switch from AES-128
to SALSA20-256 for the best
user experience. Apparently AES
slows down network graphics.
Closer look at documentation:
AES-128 and SALSA20-256
are actually AES-128-GCM
and Salsa20-256-Round12.

AES-128-GCM includes AES

and message authentication.
No indication that VMWares
Salsa20-256-Round12 includes
any message authentication.
Can attacker forge packets?
One can easily combine Salsa20
with message authentication,
but does VMWare do this?
Salsa20 has speed and security
advantages over AES, but
both Salsa20 and AES are
unauthenticated ciphers.
User needs authenticated cipher.

SSL/TLS/HTTPS
Standard AES-CBC encryption
of a packet (p0 ; p1 ; p2 ):
send random v ,
c0 = AESk (p0  v ),
c1 = AESk (p1  c0 ),
c2 = AESk (p2  c1 ).

SSL/TLS/HTTPS
Standard AES-CBC encryption
of a packet (p0 ; p1 ; p2 ):
send random v ,
c0 = AESk (p0  v ),
c1 = AESk (p1  c0 ),
c2 = AESk (p2  c1 ).
AES-CBC encryption in SSL:
retrieve last block c 1
from previous ciphertext; send
c0 = AESk (p0  c 1 ),
c1 = AESk (p1  c0 ),
c2 = AESk (p2  c1 ).

SSL lets attacker choose p0

as function of c 1 ! Very bad.
2002 M
oller:
To check a guess g for (e.g.)
choose p0 = c 1  g  c 4 ,
compare c0 to c 3 .

3,

2006 Bard:
malicious code in browser should
be able to carry out this attack,
especially if high-entropy data
is split across blocks.
2011 DuongRizzo BEAST:
fast attack fully implemented,
including controlled variable split.

Countermeasure in browsers:
send a content-free packet
just before sending real packet.

Countermeasure in browsers:
send a content-free packet
just before sending real packet.
Attacker can also try to attack
CBC by forging ciphertexts,
but each SSL packet
includes an authenticator.
Authenticate-then-encrypt:
SSL appends an authenticator,
pads reversibly to full block,
encrypts with CBC.

Countermeasure in browsers:
send a content-free packet
just before sending real packet.
Attacker can also try to attack
CBC by forging ciphertexts,
but each SSL packet
includes an authenticator.
Authenticate-then-encrypt:
SSL appends an authenticator,
pads reversibly to full block,
encrypts with CBC.
2001 Krawczyk:
This is provably secure.

2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.

2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.
2003 Canvel:
Obtain such a padding oracle
by observing SSL server timing.

2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.
2003 Canvel:
Obtain such a padding oracle
by observing SSL server timing.
Response in OpenSSL etc.:
always compute MAC
even if padding fails.

2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.
2003 Canvel:
Obtain such a padding oracle
by observing SSL server timing.
Response in OpenSSL etc.:
always compute MAC
even if padding fails.
2013.02 AlFardanPaterson
Lucky 13: watch timing
more closely; attack still works.

Cryptographic algorithm agility:

(1) the pretense that bad crypto
is okay if theres a backup plan +
(2) the pretense that there
is in fact a backup plan.

Cryptographic algorithm agility:

(1) the pretense that bad crypto
is okay if theres a backup plan +
(2) the pretense that there
is in fact a backup plan.
SSL has a crypto switch
that in theory allows
switching to AES-GCM.
But most SSL software
doesnt support AES-GCM.

Cryptographic algorithm agility:

(1) the pretense that bad crypto
is okay if theres a backup plan +
(2) the pretense that there
is in fact a backup plan.
SSL has a crypto switch
that in theory allows
switching to AES-GCM.
But most SSL software
doesnt support AES-GCM.
The software does support
one non-CBC option:

Cryptographic algorithm agility:

(1) the pretense that bad crypto
is okay if theres a backup plan +
(2) the pretense that there
is in fact a backup plan.
SSL has a crypto switch
that in theory allows
switching to AES-GCM.
But most SSL software
doesnt support AES-GCM.
The software does support
one non-CBC option: RC4.
Now widely recommended,
used for 50% of SSL traffic.

Not as scary as WEP: SSL uses a

hash to avoid related RC4 keys.
2001 Rivest: The new attacks
do not apply to RC4-based SSL.
: : : [protocol] designers [using
RC4] should not be concerned.

Not as scary as WEP: SSL uses a

hash to avoid related RC4 keys.
2001 Rivest: The new attacks
do not apply to RC4-based SSL.
: : : [protocol] designers [using
RC4] should not be concerned.
Problem: many nasty biases in
RC4 output bytes z1 ; z2 ; : : :.

Not as scary as WEP: SSL uses a

hash to avoid related RC4 keys.
2001 Rivest: The new attacks
do not apply to RC4-based SSL.
: : : [protocol] designers [using
RC4] should not be concerned.
Problem: many nasty biases in
RC4 output bytes z1 ; z2 ; : : :.
2013 AlFardanBernstein
PatersonPoetteringSchuldt,
On the security of RC4 in TLS:
Force target cookie into many
RC4 sessions. Use RC4 biases
to find cookie from ciphertexts.

The single-byte biases:

2001 MantinShamir:
z2 ! 0.

The single-byte biases:

2001 MantinShamir:
z2 ! 0.
2002 Mironov:
z1 6! 0, z1 6! 1, z1

! 2, etc.

The single-byte biases:

2001 MantinShamir:
z2 ! 0.
2002 Mironov:
z1 6! 0, z1 6! 1, z1

! 2, etc.

2011 MaitraPaulSen Gupta:

z3 ! 0, z4 ! 0, : : : , z255 ! 0,
contrary to MantinShamir claim.

The single-byte biases:

2001 MantinShamir:
z2 ! 0.
2002 Mironov:
z1 6! 0, z1 6! 1, z1

! 2, etc.

2011 MaitraPaulSen Gupta:

z3 ! 0, z4 ! 0, : : : , z255 ! 0,
contrary to MantinShamir claim.
2011 Sen GuptaMaitraPaul
Sarkar: z16 ! 240.
(This is specific to 128-bit keys.)

The single-byte biases:

2001 MantinShamir:
z2 ! 0.
2002 Mironov:
z1 6! 0, z1 6! 1, z1

! 2, etc.

2011 MaitraPaulSen Gupta:

z3 ! 0, z4 ! 0, : : : , z255 ! 0,
contrary to MantinShamir claim.
2011 Sen GuptaMaitraPaul
Sarkar: z16 ! 240.
(This is specific to 128-bit keys.)
But wait: theres more!

2013 AlFardanBernstein
PatersonPoetteringSchuldt:
accurately computed Pr[zi = j ]
for all i 2 f1; : : : ; 256g, all j ;
found 65536 single-byte biases;
used all of them in SSL attack
via proper Bayesian analysis.

2013 AlFardanBernstein
PatersonPoetteringSchuldt:
accurately computed Pr[zi = j ]
for all i 2 f1; : : : ; 256g, all j ;
found 65536 single-byte biases;
used all of them in SSL attack
via proper Bayesian analysis.

256 of these biases were found

independently (slightly earlier)
by 2013 WatanabeIsobe
OhigashiMorii, 2013 Isobe
OhigashiWatanabeMorii:
z32 ! 224, z48 ! 208, etc.;
z3 ! 131; zi ! i; z256 6! 0.

Graph of 256 Pr[z1 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z2 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z3 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z4 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z5 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z6 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z7 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z8 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z9 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z10 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z11 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z12 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z13 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z14 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z15 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z16 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z17 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z18 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z19 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z20 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z21 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z22 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z23 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z24 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z25 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z26 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z27 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z28 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z29 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z30 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z31 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z32 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z33 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z34 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z35 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z36 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z37 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z38 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z39 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z40 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z41 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z42 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z43 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z44 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z45 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z46 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z47 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z48 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z49 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z50 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z51 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z52 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z53 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z54 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z55 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z56 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z57 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z58 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z59 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z60 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z61 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z62 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z63 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z64 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z65 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z66 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z67 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z68 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z69 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z70 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z71 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z72 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z73 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z74 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z75 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z76 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z77 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z78 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z79 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z80 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z81 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z82 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z83 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z84 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z85 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z86 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z87 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z88 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z89 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z90 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z91 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z92 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z93 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z94 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z95 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z96 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z97 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z98 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z99 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z100 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z101 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z102 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z103 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z104 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z105 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z106 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z107 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z108 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z109 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z110 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z111 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z112 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z113 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z114 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z115 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z116 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z117 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z118 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z119 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z120 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z121 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z122 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z123 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z124 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z125 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z126 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z127 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z128 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z129 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z130 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z131 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z132 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z133 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z134 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z135 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z136 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z137 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z138 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z139 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z140 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z141 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z142 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z143 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z144 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z145 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z146 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z147 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z148 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z149 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z150 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z151 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z152 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z153 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z154 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z155 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z156 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z157 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z158 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z159 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z160 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z161 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z162 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z163 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z164 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z165 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z166 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z167 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z168 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z169 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z170 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z171 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z172 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z173 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z174 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z175 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z176 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z177 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z178 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z179 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z180 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z181 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z182 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z183 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z184 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z185 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z186 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z187 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z188 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z189 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z190 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z191 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z192 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z193 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z194 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z195 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z196 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z197 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z198 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z199 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z200 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z201 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z202 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z203 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z204 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z205 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z206 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z207 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z208 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z209 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z210 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z211 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z212 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z213 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z214 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z215 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z216 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z217 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z218 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z219 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z220 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z221 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z222 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z223 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z224 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z225 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z226 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z227 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z228 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z229 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z230 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z231 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z232 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z233 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z234 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z235 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z236 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z237 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z238 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z239 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z240 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z241 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z242 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z243 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z244 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z245 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z246 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z247 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z248 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z249 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z250 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z251 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z252 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z253 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z254 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z255 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

Graph of 256 Pr[z256 = x]:

1.010

1.005

1.000

0.995

0.990

50

100

150

200

250

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 224 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 225 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 226 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 227 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 228 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 229 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 230 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 231 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

2013 AlFardanBernstein
PatersonPoetteringSchuldt
success probability (256 trials)
for recovering byte x of plaintext
from 232 ciphertexts (with
no prior plaintext knowledge):
1.2"

1"

0.8"

0.6"

0.4"

0.2"

0"
0"

10"

20"

30"

40"

50"

60"

70"

80"

90"

100"

110"

120"

130"

140"

150"

160"

170"

180"

190"

200"

210"

220"

230"

240"

250"

Why does this happen?

For years weve had AES;
AES-GCM; defenses against
various side-channel attacks.
We simply have to educate the
software and hardware engineers
choosing crypto primitives, right?

Why does this happen?

For years weve had AES;
AES-GCM; defenses against
various side-channel attacks.
We simply have to educate the
software and hardware engineers
choosing crypto primitives, right?
Maybe, maybe not.
Does AES-GCM actually do
what the users need?

Why does this happen?

For years weve had AES;
AES-GCM; defenses against
various side-channel attacks.
We simply have to educate the
software and hardware engineers
choosing crypto primitives, right?
Maybe, maybe not.
Does AES-GCM actually do
what the users need?
Often it doesnt.
Most obvious issue: performance.

e.g. 2001 Rivest: The heart of

RC4 is its exceptionally simple
and extremely efficient pseudorandom generator. : : : RC4 is
likely to remain the algorithm of
choice for many applications and
embedded systems.
e.g. OpenSSL still uses tablebased implementations of AES
for speed on most CPUs,
leaking many key bits; see, e.g.,
2012 WeiHeinzStumpf.
e.g. RFIDs need small ciphers.

Major research direction:

achieve better performance
than AES-GCM
without sacrificing security.
Fit into low power (watts),
low area (square micrometers),
sometimes low latency (seconds);
minimize areaseconds/byte;
minimize energy (joules)/byte.
Many different CPUs, FPGAs,
ASIC manufacturing technologies.
Many different input sizes,
precomputation possibilities, etc.

Can one design do very well

in hardware and software?
Some inspirational examples:
Trivium and Keccak
are hardware designs
but not bad in software.

Can one design do very well

in hardware and software?
Some inspirational examples:
Trivium and Keccak
are hardware designs
but not bad in software.
Another approach:
replace ARX with ORX.
Skein-type mix doesnt work
but can imitate Salsa20:
compose a^=((b|c)<<<r).
Needs a few more rounds,
but friendlier to hardware.

Another major research direction:

achieve better security
than AES-GCM
without sacrificing performance.
Typical 128-bit blocks
are starting to feel too small.
Limit impact of collisions?
Use larger blocks?

Another major research direction:

achieve better security
than AES-GCM
without sacrificing performance.
Typical 128-bit blocks
are starting to feel too small.
Limit impact of collisions?
Use larger blocks?
Typical 128-bit pipe
is starting to feel too small.
Limit reforgeries? Use wider pipe?

Another major research direction:

achieve better security
than AES-GCM
without sacrificing performance.
Typical 128-bit blocks
are starting to feel too small.
Limit impact of collisions?
Use larger blocks?
Typical 128-bit pipe
is starting to feel too small.
Limit reforgeries? Use wider pipe?
Has anyone tried optimizing
192-bit/256-bit poly hashes?

Allow repeated message numbers?

User has to expect that
encrypting (n; m) and (n; m0 )
will tell attacker whether m = m0 .

Allow repeated message numbers?

User has to expect that
encrypting (n; m) and (n; m0 )
will tell attacker whether m = m0 .
But user is surprised if repeated
message number leaks more
information, allows forgeries, etc.

Allow repeated message numbers?

User has to expect that
encrypting (n; m) and (n; m0 )
will tell attacker whether m = m0 .
But user is surprised if repeated
message number leaks more
information, allows forgeries, etc.
2006 RogawayShrimpton:
first authenticate (n; m),
then use the authenticator
as a nonce to encrypt m.

Allow repeated message numbers?

User has to expect that
encrypting (n; m) and (n; m0 )
will tell attacker whether m = m0 .
But user is surprised if repeated
message number leaks more
information, allows forgeries, etc.
2006 RogawayShrimpton:
first authenticate (n; m),
then use the authenticator
as a nonce to encrypt m.
Is this protection compatible
with fast forgery rejection?

Many ciphers integrate

free message authentication:
e.g., AES-OCB, Helix, Phelix.
Is this compatible
with repeated message numbers?

Many ciphers integrate

free message authentication:
e.g., AES-OCB, Helix, Phelix.
Is this compatible
with repeated message numbers?
Is this compatible
with fast forgery rejection?

Many ciphers integrate

free message authentication:
e.g., AES-OCB, Helix, Phelix.
Is this compatible
with repeated message numbers?
Is this compatible
with fast forgery rejection?
One approach: build
HF F H Feistel block cipher;
reuse first H for fast auth
with repeated message numbers;
reuse last H for another auth
with fast forgery rejection.
But this consumes bandwidth.

Many more directions

in authenticated ciphers.
AES-GCM is clearly not
the end of the story.
Can build better modes
using same MAC, cipher.
Can build better MACs,
combine with same cipher.
Can build better
block ciphers, stream ciphers.
Can build better integrated
authenticated ciphers.

CAESAR
Competition for Authenticated
Encryption: Security,
Applicability, and Robustness
competitions.cr.yp.to
Mailing list: cryptocompetitions+subscribe
@googlegroups.com
NIST is much too busy
to run another competition
but has generously provided
a $333099 Cryptographic
competitions grant to UIC.

Competition scheduling
AES schedule:
M0: 15 submissions.
M14: 5 finalists.
M28: 1 winner.
eSTREAM schedule:
M0: 34 submissions.
M11: 27 round-2 ciphers.
M24: 16 finalists.
M36: 8 portfolio ciphers.
M41: 7 portfolio ciphers.

SHA-3 schedule:
M0: 64 submissions.
M9: 14 round-2 functions.
M26: 5 finalists.
M48: 1 winner.
Tentative CAESAR schedule:
M0, 2014.01.15: submissions.
M11: round-2 candidates.
M23: round-3 candidates.
M35: finalists.
M47: portfolio.

Workshops
2012.07.0506, Stockholm:
ECRYPT workshop on Directions
in Authenticated Ciphers.
DIAC 2013 in Chicago,
maybe 2013.08.1213,
maybe 2013.08.2627.
2013.08.1416 is SAC;
2013.08.1822 is Crypto;
2013.08.2023 is CHES.
DIAC 2014: maybe San Diego?
DIAC 2015, 2016, 2017: TBA.