7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 1/334
Failures of
secret-key cryptography
D. J. Bernstein
University of Illinois at Chicago &
Technische Universiteit Eindhoven
http://xkcd.com/538/
2011 Grigg–Gutmann: In the
past 15 years “no one ever lost
money to an attack on a properly
designed cryptosystem (meaning
one that didn’t use homebrew
crypto or toy keys) in the Internet
or commercial worlds”.
2002 Shamir: “Cryptography is
usually bypassed. I am not aware
of any major world-class security
system employing cryptography in
which the hackers penetrated the
system by actually going through
the cryptanalysis.”
Do these people mean that
it’s actually infeasible
to break real-world crypto?
Or do they mean that
breaks are feasible
but still not worthwhile
for the attackers?
Or are they simply wrong:
real-world crypto is breakable;
is in fact being broken;
is one of many ongoing
disaster areas in security?
Let’s look at some examples.
Windows code signatures
Flame broke into computers,
spied on audio, keystrokes, etc.
2012.06.03 Microsoft:
“We recently became aware
of a complex piece of targeted
malware known as ‘Flame’ and
immediately began examining the
issue. ... We have discovered
through our analysis that some
components of the malware have
been signed by certificates that
allow software to appear as if it
was produced by Microsoft.”
2012.06.07 Stevens: “A chosen-prefix
collision attack against
MD5 has been used for Flame.
More interestingly ... not our
published chosen-prefix collision
attack was used, but an entirely
new and unknown variant.”
CrySyS: Flame file wavesup3.drv
appeared in logs in 2007; Flame
“may have been active for as long
as five to eight years”.
Was MD5 “homebrew crypto”?
No. Standardized, widely used.
Worthwhile to attack? Yes.
Compare to 2011 Grigg–Gutmann:
“Cryptosystem failure is orders of
magnitude below any other risk.”
http://en.wikipedia.org/wiki/2003_Mission_Accomplished_speech
WEP
WEP introduced in 1997
in 802.11 wireless standard.
2001 Borisov–Goldberg–Wagner:
24-bit “nonce” frequently repeats,
leaking plaintext xor and
allowing very easy forgeries.
2001 Arbaugh–Shankar–Wan:
this also breaks user auth.
2001 Fluhrer–Mantin–Shamir:
WEP builds RC4 key (k, n)
from secret k, “nonce” n;
RC4 outputs leak bytes of k.
Implementations, optimizations
of k-recovery attack: 2001
Stubblefield–Ioannidis–Rubin,
2004 KoreK, 2004 Devine, 2005
d’Otreppe, 2006 Klein, 2007
Tews–Weinmann–Pyshkin, 2010
Sepehrdad–Vaudenay–Vuagnoux,
2013 S–Susil–V–V, ...
“These are academic papers!
Nobody was actually attacked.”
Fact: WEP blamed for 2007 theft
of 45 million credit-card numbers
from T. J. Maxx. Subsequent
lawsuit settled for $40900000.
Keeloq
Wikipedia: “KeeLoq is or was
used in many remote keyless
entry systems by such companies
as Chrysler, Daewoo, Fiat,
GM, Honda, Toyota, Volvo,
Volkswagen Group, Clifford,
Shurlok, Jaguar, etc.”
2007 Indesteege–Keller–
Biham–Dunkelman–Preneel
“How to steal cars”:
recover 64-bit KeeLoq key
using $2^{16}$ known plaintexts,
only $2^{44.5}$ encryptions.
2008 Eisenbarth–Kasper–Moradi–
Paar–Salmasizadeh–Shalmani
recovered system’s master key,
allowing practically instantaneous
cloning of KeeLoq keys.
1. Setup phase of this attack
watches power consumption
of Keeloq device. Is this
“bypassing” the cryptography?
2. If all the “X is weak” press
comes from academics, is it safe
to conclude that real attackers
aren’t breaking X? How often do
real attackers issue press releases?
VMWare View
VMWare View is a remote
desktop protocol supported by
many low-cost terminals.
Recommendation from VMWare,
Dell, etc.: switch from “AES-128”
to “SALSA20-256” for the “best
user experience”. Apparently AES
slows down network graphics.
Closer look at documentation:
“AES-128” and “SALSA20-256”
are actually “AES-128-GCM”
and “Salsa20-256-Round12”.
AES-128-GCM includes AES
and message authentication.
No indication that VMWare’s
“Salsa20-256-Round12” includes
any message authentication.
Can attacker forge packets?
One can easily combine Salsa20
with message authentication,
but does VMWare do this?
Salsa20 has speed and security
advantages over AES, but
both Salsa20 and AES are
unauthenticated ciphers.
User needs authenticated cipher.
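The combination the slide calls easy, as an added example (not from the talk and not VMWare's code): Salsa20/12 with a 256-bit key used bare, next to the same cipher in encrypt-then-MAC form. HMAC-SHA256 as the authenticator, the key values, the sample message and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # Salsa20 constants
COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))
TAG_LEN = 32


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter(x, a, b, c, d):
    x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)


def salsa20_block(key, nonce, counter, rounds=12):
    """One 64-byte keystream block (32-byte key, 8-byte nonce)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    ctr = (counter & MASK, (counter >> 32) & MASK)
    init = [SIGMA[0], *k[:4], SIGMA[1], *n, *ctr, SIGMA[2], *k[4:], SIGMA[3]]
    x = list(init)
    for _ in range(rounds // 2):          # each pass is one double round
        for idx in COLUMNS + ROWS:
            _quarter(x, *idx)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, init)))


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt: XOR data with the keystream. No authentication."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64)
        out += bytes(d ^ s for d, s in zip(data[off:off + 64], ks))
    return bytes(out)


def seal(enc_key, mac_key, nonce, msg):
    """Encrypt-then-MAC: tag covers nonce || ciphertext."""
    ct = salsa20_xor(enc_key, nonce, msg)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, nonce, packet):
    """Return the plaintext, or None if the tag does not verify."""
    if len(packet) < TAG_LEN:
        return None
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    want = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None                       # rejected before any decryption
    return salsa20_xor(enc_key, nonce, ct)


def modify_in_transit(packet, offset, old, new):
    """Model a packet altered on the wire: one byte changed by XOR."""
    out = bytearray(packet)
    out[offset] ^= old ^ new
    return bytes(out)


# Constructed sample values. A real protocol needs a fresh nonce per packet.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = bytes(8)
MSG = b"resize window to 0800x0600"


def demo():
    """Receiver's view of the same altered packet, without and with a MAC."""
    bare = modify_in_transit(salsa20_xor(ENC_KEY, NONCE, MSG), 17, ord("0"), ord("9"))
    sealed = modify_in_transit(seal(ENC_KEY, MAC_KEY, NONCE, MSG), 17, ord("0"), ord("9"))
    return (salsa20_xor(ENC_KEY, NONCE, bare),
            open_sealed(ENC_KEY, MAC_KEY, NONCE, sealed))


if __name__ == "__main__":
    print(demo())
```

The bare cipher decrypts the altered packet to a different, well-formed message; the sealed packet is rejected.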
SSL/TLS/HTTPS
Standard AES-CBC encryption
of a packet $(p_0, p_1, p_2)$:
send random $v$,
$c_0 = \mathrm{AES}_k(p_0 \oplus v)$,
$c_1 = \mathrm{AES}_k(p_1 \oplus c_0)$,
$c_2 = \mathrm{AES}_k(p_2 \oplus c_1)$.
AES-CBC encryption in SSL:
retrieve last block $c_{-1}$
from previous ciphertext; send
$c_0 = \mathrm{AES}_k(p_0 \oplus c_{-1})$,
$c_1 = \mathrm{AES}_k(p_1 \oplus c_0)$,
$c_2 = \mathrm{AES}_k(p_2 \oplus c_1)$.
SSL lets attacker choose $p_0$
as function of $c_{-1}$! Very bad.
2002 Moller:
To check a guess $g$ for (e.g.) $p_{-3}$,
choose $p_0 = c_{-1} \oplus g \oplus c_{-4}$,
compare $c_0$ to $c_{-3}$.
2006 Bard:
malicious code in browser should
be able to carry out this attack,
especially if high-entropy data
is split across blocks.
2011 Duong–Rizzo “BEAST”:
fast attack fully implemented,
including controlled variable split.
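Why the chained IV matters, as an added example (not code from the talk): the two CBC variants above side by side, with the guess check from the 2002 slide applied to each. A truncated HMAC stands in for $\mathrm{AES}_k$ because only the forward direction is needed and the standard library has no AES; the class, function names and sample blocks are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(*blocks):
    """XOR any number of 16-byte blocks."""
    out = bytes(BLOCK)
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def E(key, block):
    # Stand-in for AES_k (assumption): a keyed deterministic function is all
    # the comparison below relies on. This is not AES and cannot decrypt.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


class CbcSender:
    """CBC over whole blocks, with either IV rule from the slides."""

    def __init__(self, key, chained_iv):
        self.key = key
        self.chained_iv = chained_iv
        self.last_block = os.urandom(BLOCK)   # IV of the very first record

    def send(self, blocks):
        """Encrypt one record; return (iv, ciphertext_blocks)."""
        # chained: IV is the previous record's last block, already on the wire
        # random:  IV is fresh and unknown until this record is sent
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        prev, out = iv, []
        for p in blocks:
            prev = E(self.key, xor(p, prev))
            out.append(prev)
        self.last_block = out[-1]
        return iv, out


# Constructed sample record (p_-3, p_-2, p_-1); p_-3 is the sensitive block.
SECRET = b"session=7f3a91c2"
RECORD = [SECRET, b"B" * BLOCK, b"C" * BLOCK]


def guess_confirmed(chained_iv, guess):
    """Apply the slide's check: p_0 = c_-1 xor g xor c_-4, compare c_0 to c_-3."""
    sender = CbcSender(os.urandom(16), chained_iv)
    c_m4, (c_m3, _c_m2, c_m1) = sender.send(RECORD)   # c_-4 is that record's IV
    p0 = xor(c_m1, guess, c_m4)
    _iv, (c0,) = sender.send([p0])
    return c0 == c_m3


if __name__ == "__main__":
    print("chained IV, right guess:", guess_confirmed(True, SECRET))
    print("chained IV, wrong guess:", guess_confirmed(True, b"session=00000000"))
    print("random IV,  right guess:", guess_confirmed(False, SECRET))
```

With a fresh random IV per record the comparison carries no information, which is the property the standard construction has and the SSL variant gives up.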
Countermeasure in browsers:
send a content-free packet
just before sending real packet.
Attacker can also try to attack
CBC by forging ciphertexts,
but each SSL packet
includes an authenticator.
“Authenticate-then-encrypt”:
SSL appends an authenticator,
pads reversibly to full block,
encrypts with CBC.
2001 Krawczyk:
This is provably secure.
2001 Vaudenay:
This is completely broken
if attacker can distinguish
padding failure from MAC failure.
2003 Canvel:
Obtain such a padding oracle
by observing SSL server timing.
Response in OpenSSL etc.:
always compute MAC
even if padding fails.
2013.02 AlFardan–Paterson
“Lucky 13”: watch timing
more closely; attack still works.
“Cryptographic algorithm agility”:
(1) the pretense that bad crypto
is okay if there’s a backup plan +
(2) the pretense that there
is in fact a backup plan.
SSL has a crypto switch
that in theory allows
switching to AES-GCM.
But most SSL software
doesn’t support AES-GCM.
The software does support
one non-CBC option: RC4.
Now widely recommended,
used for 50% of SSL traffic.
Not as scary as WEP: SSL uses a
hash to avoid related RC4 keys.
2001 Rivest: “The new attacks
do not apply to RC4-based SSL.
... [protocol] designers [using
RC4] should not be concerned.”
Problem: many nasty biases in
RC4 output bytes $z_1, z_2, \ldots$.
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt,
“On the security of RC4 in TLS”:
Force target cookie into many
RC4 sessions. Use RC4 biases
to find cookie from ciphertexts.
The single-byte biases:
2001 Mantin–Shamir:
$z_2 \to 0$.
2002 Mironov:
$z_1 \not\to 0$, $z_1 \not\to 1$, $z_1 \to 2$, etc.
2011 Maitra–Paul–Sen Gupta:
$z_3 \to 0$, $z_4 \to 0$, $\ldots$, $z_{255} \to 0$,
contrary to Mantin–Shamir claim.
2011 Sen Gupta–Maitra–Paul–Sarkar:
$z_{16} \to 240$.
(This is specific to 128-bit keys.)
But wait: there’s more!
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt:
accurately computed $\Pr[z_i = j]$
for all $i \in \{1, \ldots, 256\}$, all $j$;
found $\approx 65536$ single-byte biases;
used all of them in SSL attack
via proper Bayesian analysis.
$\approx 256$ of these biases were found
independently (slightly earlier)
by 2013 Watanabe–Isobe–
Ohigashi–Morii, 2013 Isobe–
Ohigashi–Watanabe–Morii:
$z_{32} \to 224$, $z_{48} \to 208$, etc.;
$z_3 \to 131$; $z_i \to i$; $z_{256} \not\to 0$.
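An empirical estimate of the scaled probability $256 \Pr[z_i = x]$ used in these slides, as an added example (not code from the talk or the cited papers): RC4 is keyed with many random 128-bit keys and the value of one output byte is tallied. The function names, trial count and seed are choices made for this illustration; a few tens of thousands of keys are enough to see the 2001 Mantin–Shamir bias in $z_2$, while the much smaller biases need far more samples.

```python
import random


def rc4_keystream(key, n):
    """Return the first n RC4 output bytes z_1..z_n for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = []
    for _ in range(n):                         # output generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return out


def scaled_frequencies(position, trials=20000, seed=2013):
    """Estimate 256 * Pr[z_position = x] for x = 0..255 over random keys.

    A uniform output byte would give 1.0 for every x.
    """
    rng = random.Random(seed)                  # fixed seed: repeatable run
    counts = [0] * 256
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        counts[rc4_keystream(key, position)[-1]] += 1
    return [256 * c / trials for c in counts]


def strongest_bias(freqs):
    """Return (x, scaled probability) for the value furthest from uniform."""
    x = max(range(256), key=lambda v: abs(freqs[v] - 1.0))
    return x, freqs[x]


if __name__ == "__main__":
    freqs = scaled_frequencies(2)
    print("256*Pr[z_2 = 0] ~", round(freqs[0], 2))
    print("largest deviation at x = %d (%.2f)" % strongest_bias(freqs))
```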
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 49/334
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 50/334
Graph of 256 Pr[z 2 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 51/334
Graph of 256 Pr[z 3 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 52/334
Graph of 256 Pr[z 4 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 53/334
Graph of 256 Pr[z 5 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 54/334
Graph of 256 Pr[z 6 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 55/334
Graph of 256 Pr[z 7 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 56/334
Graph of 256 Pr[z 8 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 57/334
Graph of 256 Pr[z 9 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 58/334
Graph of 256 Pr[z 10 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 59/334
Graph of 256 Pr[z 11 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 60/334
Graph of 256 Pr[z 12 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 61/334
Graph of 256 Pr[z 13 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 62/334
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 63/334
Graph of 256 Pr[z 15 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 64/334
Graph of 256 Pr[z 16 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 65/334
Graph of 256 Pr[z 17 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 66/334
Graph of 256 Pr[z 18 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 67/334
Graph of 256 Pr[z 19 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 68/334
Graph of 256 Pr[z 20 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 69/334
Graph of 256 Pr[z 21 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 70/334
Graph of 256 Pr[z 22 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 71/334
Graph of 256 Pr[z 23 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 72/334
Graph of 256 Pr[z 24 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 73/334
Graph of 256 Pr[z 25 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 74/334
Graph of 256 Pr[z 26 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 75/334
Graph of 256 Pr[z 27 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 76/334
Graph of 256 Pr[z 28 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 77/334
Graph of 256 Pr[z 29 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 78/334
Graph of 256 Pr[z 30 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 79/334
Graph of 256 Pr[z 31 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 80/334
Graph of 256 Pr[z 32 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 81/334
Graph of 256 Pr[z 33 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 82/334
Graph of 256 Pr[z 34 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 83/334
Graph of 256 Pr[z 35 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 84/334
Graph of 256 Pr[z 36 = x ]:
0 50 100 150 200 2500.990
0.995
1.000
1.005
1.010
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 85/334
Graph of 256 Pr[z_37 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_38 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_39 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_40 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_41 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_42 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_43 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_44 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_45 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_46 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_47 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_48 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_49 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_50 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_51 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_52 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_53 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_54 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_55 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_56 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_57 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_58 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_60 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_61 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_62 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_64 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_65 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_66 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_67 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_68 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_69 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_70 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_71 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_72 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_73 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_74 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_75 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_76 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_77 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_78 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_79 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_80 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_82 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_83 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_84 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_85 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_86 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_87 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_88 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_89 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_90 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_91 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_92 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_93 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_94 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_95 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_96 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_97 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_98 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_99 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_100 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_101 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_102 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_104 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_105 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_106 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_107 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_108 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_109 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_110 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_111 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_112 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_113 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_114 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_115 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_116 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_117 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_118 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_119 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_120 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_121 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_122 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_123 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_124 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_125 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_126 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_127 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_128 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_129 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_130 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_131 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_132 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_133 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_135 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_136 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_137 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_138 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_139 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_140 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_141 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_142 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_143 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_144 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_145 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_146 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_147 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_148 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_149 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_150 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_151 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_152 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_153 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_154 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
Graph of 256 Pr[z_155 = x] (x axis: 0 to 250; y axis: 0.990 to 1.010)
7/28/2019 Failures of secret-key cryptography - D. J. Bernstein (March 2013) (cr.yp.to)
http://slidepdf.com/reader/full/failures-of-secret-key-cryptography-d-j-bernstein-march-2013-crypto 204/334
Graph of 256 Pr[z_156 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_157 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_158 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_159 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_160 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_161 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_162 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_163 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_164 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_165 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_166 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_167 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_168 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_169 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_170 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_171 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_172 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_173 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_174 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_175 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_176 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_177 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_178 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_179 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_180 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_181 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_182 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_183 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_184 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_185 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_186 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_187 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_188 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_189 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_190 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_192 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_193 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_194 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_195 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_196 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_197 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_199 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_200 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_201 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_202 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_203 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_204 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_205 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_206 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_208 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_209 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_210 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_211 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_212 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_213 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_214 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_215 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_216 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_217 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_218 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_219 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_220 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_221 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_222 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_223 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_224 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_225 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_226 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_227 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_228 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_229 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_230 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_231 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_232 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_233 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_234 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_235 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_236 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_237 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_238 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_239 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_240 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_241 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_242 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_243 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_244 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_245 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_246 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_247 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_248 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_249 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_250 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_251 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_252 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_253 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_254 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_255 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
Graph of 256 Pr[z_256 = x] (horizontal axis: x, 0 to 250; vertical axis: 0.990 to 1.010)
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^24 ciphertexts (with
no prior plaintext knowledge):
[Graph: horizontal axis x, 0 to 250; vertical axis 0 to 1.2]
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^25 ciphertexts (with
no prior plaintext knowledge):
[Graph: horizontal axis x, 0 to 250; vertical axis 0 to 1.2]
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^26 ciphertexts (with
no prior plaintext knowledge):
[Graph: horizontal axis x, 0 to 250; vertical axis 0 to 1.2]
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^27 ciphertexts (with
no prior plaintext knowledge):
[Graph: horizontal axis x, 0 to 250; vertical axis 0 to 1.2]
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^28 ciphertexts (with
no prior plaintext knowledge):
[Graph: horizontal axis x, 0 to 250; vertical axis 0 to 1.2]
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^29 ciphertexts (with
no prior plaintext knowledge):
[Graph: horizontal axis x, 0 to 250; vertical axis 0 to 1.2]
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^30 ciphertexts (with
no prior plaintext knowledge):
[Graph: horizontal axis x, 0 to 250; vertical axis 0 to 1.2]
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^31 ciphertexts (with
no prior plaintext knowledge):
[Graph: horizontal axis x, 0 to 250; vertical axis 0 to 1.2]
2013 AlFardan–Bernstein–
Paterson–Poettering–Schuldt
success probability (256 trials)
for recovering byte x of plaintext
from 2^32 ciphertexts (with
no prior plaintext knowledge):
[Plot: success probability against plaintext byte position x]
Why does this happen?
For years we’ve had AES;
AES-GCM; defenses against
various side-channel attacks.
We simply have to educate the
software and hardware engineers
choosing crypto primitives, right?
Maybe, maybe not.
Does AES-GCM actually do
what the users need?
Often it doesn’t.
Most obvious issue: performance.
e.g. 2001 Rivest: “The ‘heart’ of
RC4 is its exceptionally simple
and extremely efficient pseudo-random generator. ... RC4 is
likely to remain the algorithm of
choice for many applications and
embedded systems.”
e.g. OpenSSL still uses table-
based implementations of AES
for speed on most CPUs,
leaking many key bits; see, e.g.,
2012 Weiß–Heinz–Stumpf.
e.g. RFIDs need small ciphers.
Major research direction:
achieve better performance
than AES-GCM
without sacrificing security.
Fit into low power (watts),
low area (square micrometers),
sometimes low latency (seconds);
minimize area·seconds/byte;
minimize energy (joules)/byte.
Many different CPUs, FPGAs,
ASIC manufacturing technologies.
Many different input sizes,
precomputation possibilities, etc.
Can one design do very well
in hardware and software?
Some inspirational examples:
Trivium and Keccak
are “hardware” designs
but not bad in software.
Another approach:
replace ARX with “ORX”.
Skein-type mix doesn’t work
but can imitate Salsa20:
compose a^=((b|c)<<<r).
Needs a few more rounds,
but friendlier to hardware.
Another major research direction:
achieve better security
than AES-GCM
without sacrificing performance.
Typical 128-bit blocks
are starting to feel too small.
Limit impact of collisions?
Use larger blocks?
Typical 128-bit pipe
is starting to feel too small.
Limit reforgeries? Use wider pipe?
Has anyone tried optimizing
192-bit/256-bit poly hashes?
Allow repeated message numbers?
User has to expect that
encrypting (n, m) and (n, m′)
will tell attacker whether m = m′.
But user is surprised if repeated
message number leaks more
information, allows forgeries, etc.
2006 Rogaway–Shrimpton:
first authenticate (n, m),
then use the authenticator
as a nonce to encrypt m.
Is this protection compatible
with fast forgery rejection?
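The authenticate-then-encrypt construction above, as an added Python example that is not part of the original slides. It assumes HMAC-SHA256 as a stand-in for both the authenticator and the stream cipher (not the AES-based primitives of the 2006 paper), with constructed keys, message number and messages. It also shows why the last question arises: decryption has to process the whole ciphertext before it can reject a forgery.

```python
import hashlib
import hmac

def prf(key, *parts):
    # HMAC-SHA256 over length-prefixed parts, so (n, m) is encoded unambiguously.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(8, "big") + p)
    return h.digest()

def stream_xor(key, nonce, data):
    # Stand-in stream cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = prf(key, nonce, (i // 32).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def siv_encrypt(k_mac, k_enc, n, m):
    tag = prf(k_mac, n, m)[:16]               # first authenticate (n, m)
    return tag + stream_xor(k_enc, tag, m)    # then use the tag as the nonce

def siv_decrypt(k_mac, k_enc, n, boxed):
    tag, c = boxed[:16], boxed[16:]
    m = stream_xor(k_enc, tag, c)             # whole message decrypted first...
    if not hmac.compare_digest(tag, prf(k_mac, n, m)[:16]):
        raise ValueError("forgery rejected")  # ...only then can it be rejected
    return m

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def demo():
    # Constructed keys, message number and messages, for illustration only.
    k_mac, k_enc, n = b"\x01" * 32, b"\x02" * 32, b"msg-0001"
    m1, m2 = b"pay alice 100 euros", b"pay carol 900 euros"
    # Nonce-based stream cipher, n repeated: ciphertext XOR equals message XOR.
    plain_leak = xor(stream_xor(k_enc, n, m1), stream_xor(k_enc, n, m2)) == xor(m1, m2)
    # Authenticate-then-encrypt with the same repeated n.
    s1, s1_again, s2 = (siv_encrypt(k_mac, k_enc, n, m) for m in (m1, m1, m2))
    return {
        "plain_leaks_xor": plain_leak,
        "siv_same_message_same_box": s1 == s1_again,
        "siv_leaks_xor": xor(s1[16:], s2[16:]) == xor(m1, m2),
        "roundtrip": siv_decrypt(k_mac, k_enc, n, s1) == m1,
    }

if __name__ == "__main__":
    print(demo())
```

With n repeated, the second construction reveals only whether m = m′ (identical boxes), while the plain nonce-based cipher reveals the XOR of the two messages.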
Many ciphers integrate
“free” message authentication:
e.g., AES-OCB, Helix, Phelix.
Is this compatible
with repeated message numbers?
Is this compatible
with fast forgery rejection?
One approach: build
H F F H Feistel block cipher;
reuse first H for fast auth
with repeated message numbers;
reuse last H for another auth
with fast forgery rejection.
But this consumes bandwidth.
Many more directions
in authenticated ciphers.
AES-GCM is clearly not
the end of the story.
Can build better modes
using same MAC, cipher.
Can build better MACs,
combine with same cipher.
Can build better
block ciphers, stream ciphers.
Can build better integrated
authenticated ciphers.
CAESAR
“Competition for Authenticated
Encryption: Security,
Applicability, and Robustness”
competitions.cr.yp.to
Mailing list: crypto-competitions+subscribe@googlegroups.com
NIST is much too busy
to run another competition
but has generously provided
a $333099 “Cryptographic
competitions” grant to UIC.
Competition scheduling
AES schedule:
M0: 15 submissions.
M14: 5 finalists.
M28: 1 winner.
eSTREAM schedule:
M0: 34 submissions.
M11: 27 round-2 ciphers.
M24: 16 finalists.
M36: 8 portfolio ciphers.
M41: 7 portfolio ciphers.
SHA-3 schedule:
M0: 64 submissions.
M9: 14 round-2 functions.
M26: 5 finalists.
M48: 1 winner.
Tentative CAESAR schedule:
M0, 2014.01.15: submissions.
M11: round-2 candidates.
M23: round-3 candidates.
M35: finalists.
M47: portfolio.