0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/417 Thanks!
1 00:00:09,440 --> 00:00:11,899 So hello, good morning.
2 00:00:11,900 --> 00:00:14,029 I know it's 4:00, but it still feels like
3 00:00:14,030 --> 00:00:16,128 morning, and
4 00:00:16,129 --> 00:00:19,389 I'm very happy to be in Hamburg at CCC
5 00:00:19,390 --> 00:00:21,349 to talk about crypto again.
6 00:00:21,350 --> 00:00:24,439 So, to talk about a project called CAESAR,
7 00:00:24,440 --> 00:00:27,499 that's a project initiated by DJB about
8 00:00:27,500 --> 00:00:29,489 finding new crypto algorithms.
9 00:00:29,490 --> 00:00:30,739 I don't know how many of you have heard
10 00:00:30,740 --> 00:00:32,719 about the competition.
11 00:00:32,720 --> 00:00:34,159 Yeah, quite a few.
12 00:00:34,160 --> 00:00:35,990 How many of you have heard about NORX?
13 00:00:37,230 --> 00:00:38,389 Yes.
14 00:00:38,390 --> 00:00:39,949 That's good. That's good.
15 00:00:39,950 --> 00:00:42,199 So the thing is, NORX
16 00:00:42,200 --> 00:00:44,329 may or may not be the future
17 00:00:44,330 --> 00:00:46,249 of authenticated encryption, but
18 00:00:46,250 --> 00:00:48,479 anyway, CAESAR will select
19 00:00:48,480 --> 00:00:50,359 the future of authenticated encryption.
20 00:00:50,360 --> 00:00:53,119 And we are also here to convince you,
21 00:00:53,120 --> 00:00:55,009 because we hear a lot about encryption
22 00:00:55,010 --> 00:00:57,079 at CCC, about how important it is to
23 00:00:57,080 --> 00:00:58,999 protect your privacy and so on.
24 00:00:59,000 --> 00:01:00,859 So we hope to convince you maybe to just
25 00:01:00,860 --> 00:01:02,449 stop using encryption
26 00:01:02,450 --> 00:01:04,729 and to use authenticated encryption instead
27 00:01:04,730 --> 00:01:07,039 of encryption.
28 00:01:07,040 --> 00:01:08,509 So Philipp will start with an
29 00:01:08,510 --> 00:01:09,709 introduction.
30 00:01:09,710 --> 00:01:11,599 The very basics, modes, nonces,
31 00:01:11,600 --> 00:01:13,879 what are the primitives, and then we will give
32 00:01:13,880 --> 00:01:15,260 all the details about these two guys.
33 00:01:17,570 --> 00:01:19,609 OK, so who are we?
34 00:01:19,610 --> 00:01:21,679 We are a team of three people.
35 00:01:21,680 --> 00:01:23,209 You've already met JP.
36 00:01:23,210 --> 00:01:25,339 My name is Philipp.
37 00:01:25,340 --> 00:01:27,049 And there is a third guy who
38 00:01:27,050 --> 00:01:29,329 unfortunately cannot be here,
39 00:01:29,330 --> 00:01:31,459 is not here today, Samuel, but I'm sure
40 00:01:31,460 --> 00:01:32,359 he's watching the stream.
41 00:01:32,360 --> 00:01:34,849 So, Samuel, um,
42 00:01:34,850 --> 00:01:37,159 so, and I want to start
43 00:01:37,160 --> 00:01:39,169 the talk with a quote from a
44 00:01:39,170 --> 00:01:41,179 cryptographer, Matthew Green.
45 00:01:41,180 --> 00:01:43,369 And he said, "Nearly all of the symmetric
46 00:01:43,370 --> 00:01:44,779 encryption modes you learned about in
47 00:01:44,780 --> 00:01:46,939 school, textbooks and Wikipedia are
48 00:01:46,940 --> 00:01:48,260 potentially insecure."
49 00:01:49,670 --> 00:01:52,219 So this is a quote from
50 00:01:52,220 --> 00:01:53,989 one of his blog posts about choosing
51 00:01:53,990 --> 00:01:56,119 authenticated encryption modes.
52 00:01:56,120 --> 00:01:58,549 But before we are going to dive
53 00:01:58,550 --> 00:02:01,159 into authenticated encryption, we will
54 00:02:01,160 --> 00:02:04,099 see what he meant with this quote.
55 00:02:04,100 --> 00:02:06,349 So, question to the audience:
56 00:02:06,350 --> 00:02:08,448 what should not be missing in any talk
57 00:02:08,449 --> 00:02:10,159 about symmetric crypto?
58 00:02:11,840 --> 00:02:13,999 Yes, I heard it right.
59 00:02:14,000 --> 00:02:15,229 That is the ECB penguin.
60 00:02:16,610 --> 00:02:18,739 So most of you have already
61 00:02:18,740 --> 00:02:19,969 heard about it.
62 00:02:19,970 --> 00:02:21,979 What is the problem here with the ECB
63 00:02:21,980 --> 00:02:24,679 mode? ECB is a block cipher mode
64 00:02:24,680 --> 00:02:26,749 where you
65 00:02:26,750 --> 00:02:28,729 plug in a block cipher and you can use it
66 00:02:28,730 --> 00:02:31,399 to encrypt multiple blocks
67 00:02:31,400 --> 00:02:33,799 that then compose your message.
68 00:02:33,800 --> 00:02:36,579 Um, but ECB mode
69 00:02:36,580 --> 00:02:38,569 does it blockwise, so you take the first
70 00:02:38,570 --> 00:02:40,879 block, put it through
71 00:02:40,880 --> 00:02:43,099 your block cipher, then the next
72 00:02:43,100 --> 00:02:44,989 block and so on and so forth.
73 00:02:44,990 --> 00:02:47,149 So the problem here
74 00:02:47,150 --> 00:02:49,279 is when you give the two
75 00:02:49,280 --> 00:02:51,409 same blocks to the block cipher, you
76 00:02:51,410 --> 00:02:54,139 will get the same, uh,
77 00:02:54,140 --> 00:02:55,459 ciphertext.
78 00:02:55,460 --> 00:02:58,009 And what that results in
79 00:02:58,010 --> 00:02:59,990 you can see here very, very well.
80 00:03:01,430 --> 00:03:03,529 You can still see the shape of the
81 00:03:03,530 --> 00:03:05,299 penguin at this point.
82 00:03:05,300 --> 00:03:07,639 I also want to thank Ola Bini
83 00:03:07,640 --> 00:03:09,889 for doing all these great
84 00:03:09,890 --> 00:03:11,509 pictures.
85 00:03:11,510 --> 00:03:13,520 He's also somewhere here in the audience.
86 00:03:15,300 --> 00:03:17,419 Um, so, but he did
87 00:03:17,420 --> 00:03:19,279 not only do this picture, but also the
88 00:03:19,280 --> 00:03:20,280 next one.
89 00:03:21,080 --> 00:03:23,239 Uh, this is the CBC mode, which
90 00:03:23,240 --> 00:03:25,279 is also widely used today.
91 00:03:26,510 --> 00:03:28,639 And the problem here with CBC mode
92 00:03:28,640 --> 00:03:30,859 is that it takes in, uh, a
93 00:03:30,860 --> 00:03:33,019 so-called IV, an initialization
94 00:03:33,020 --> 00:03:33,919 vector.
95 00:03:33,920 --> 00:03:36,769 Uh, but the thing here is, when you
96 00:03:36,770 --> 00:03:39,079 encrypt, uh, your
97 00:03:39,080 --> 00:03:41,239 message, or two messages, with the same
98 00:03:41,240 --> 00:03:43,309 IV, then you might also run
99 00:03:43,310 --> 00:03:45,469 into problems that you
100 00:03:45,470 --> 00:03:47,689 can see here. For example, the
101 00:03:47,690 --> 00:03:49,879 left penguin here is missing one,
102 00:03:49,880 --> 00:03:52,639 the left eye, and the other the right eye.
103 00:03:52,640 --> 00:03:54,709 And when you encrypt both of them, you
104 00:03:54,710 --> 00:03:57,379 get perfectly fine ciphertext.
105 00:03:57,380 --> 00:03:59,749 But when you XOR them together,
106 00:03:59,750 --> 00:04:01,309 you'll see that the first,
107 00:04:01,310 --> 00:04:03,469 so the head of the penguin, where
108 00:04:03,470 --> 00:04:05,899 there are no differences, is encrypted
109 00:04:05,900 --> 00:04:07,879 to the same ciphertext again.
110 00:04:07,880 --> 00:04:10,429 So what's really important for CBC is
111 00:04:10,430 --> 00:04:13,279 that your IV is random,
112 00:04:13,280 --> 00:04:15,409 and this especially means that it
113 00:04:15,410 --> 00:04:17,869 cannot be, uh, a counter.
114 00:04:17,870 --> 00:04:20,028 So as soon as your IV
115 00:04:20,029 --> 00:04:21,499 is predictable, you also run into
116 00:04:21,500 --> 00:04:22,500 problems.
117 00:04:24,110 --> 00:04:26,449 The next mode here is CTR
118 00:04:26,450 --> 00:04:28,729 mode, or counter mode.
119 00:04:28,730 --> 00:04:30,829 It also uses a nonce.
120 00:04:30,830 --> 00:04:32,989 This is something quite
121 00:04:32,990 --> 00:04:35,149 similar to an initialization vector,
122 00:04:35,150 --> 00:04:37,789 but it just has to be unique.
123 00:04:37,790 --> 00:04:40,129 Nonce means number used once,
124 00:04:40,130 --> 00:04:42,799 so you can use a simple counter.
125 00:04:42,800 --> 00:04:45,109 But again, when you use the same
126 00:04:45,110 --> 00:04:47,389 counter and key here to encrypt two
127 00:04:47,390 --> 00:04:49,489 different messages, you also run into
128 00:04:49,490 --> 00:04:51,589 problems, because you get two
129 00:04:51,590 --> 00:04:53,749 ciphertexts and you XOR them together
130 00:04:53,750 --> 00:04:55,639 and you suddenly end up getting
131 00:04:55,640 --> 00:04:57,589 information about your plaintext.
132 00:04:59,090 --> 00:05:01,219 You can also see it here again with
133 00:05:01,220 --> 00:05:03,169 the penguin on the bottom.
134 00:05:03,170 --> 00:05:04,969 So when you look at them, you don't see
135 00:05:04,970 --> 00:05:06,739 anything. But then you can again see the
136 00:05:06,740 --> 00:05:08,720 shape, in some sense, of the penguin.
137 00:05:10,950 --> 00:05:13,169 So these block cipher modes, they were
138 00:05:13,170 --> 00:05:15,599 designed in the 70s
139 00:05:15,600 --> 00:05:17,939 and they were meant to be used
140 00:05:17,940 --> 00:05:20,549 with the back then brand new DES
141 00:05:20,550 --> 00:05:22,019 algorithm.
142 00:05:22,020 --> 00:05:23,459 So there were a bunch of
143 00:05:24,780 --> 00:05:25,859 those block cipher modes.
144 00:05:25,860 --> 00:05:28,149 It was ECB, CBC
145 00:05:28,150 --> 00:05:30,329 and CTR, the
146 00:05:30,330 --> 00:05:32,099 good old block cipher modes.
147 00:05:32,100 --> 00:05:33,959 They were, in some sense, a little bit
148 00:05:33,960 --> 00:05:36,419 different from what we want,
149 00:05:36,420 --> 00:05:38,219 from what we expect now from
150 00:05:38,220 --> 00:05:39,779 cryptography.
151 00:05:39,780 --> 00:05:42,179 So, a famous quote from
152 00:05:42,180 --> 00:05:44,549 Bruce Schneier in his
153 00:05:44,550 --> 00:05:46,769 book Applied Cryptography from nineteen
154 00:05:46,770 --> 00:05:49,529 ninety six is: "A third consideration
155 00:05:49,530 --> 00:05:51,059 is fault-tolerance.
156 00:05:51,060 --> 00:05:53,219 Some applications need to parallelize
157 00:05:53,220 --> 00:05:55,499 encryption or decryption, while others
158 00:05:55,500 --> 00:05:57,779 need to be able to preprocess as much
159 00:05:57,780 --> 00:05:59,489 as possible.
160 00:05:59,490 --> 00:06:00,449 In still others,
161 00:06:00,450 --> 00:06:02,879 it is important that the decrypting
162 00:06:02,880 --> 00:06:05,039 process be able to recover from bit
163 00:06:05,040 --> 00:06:07,019 errors in the ciphertext stream, or
164 00:06:07,020 --> 00:06:08,909 dropped or added bits."
165 00:06:08,910 --> 00:06:11,009 So the concern of the time was
166 00:06:11,010 --> 00:06:13,379 error propagation and also how to
167 00:06:13,380 --> 00:06:15,809 recover from those error propagations.
168 00:06:15,810 --> 00:06:17,789 This is something that you don't expect
169 00:06:17,790 --> 00:06:19,949 from a crypto algorithm, right?
170 00:06:21,750 --> 00:06:22,750 So.
171 00:06:25,190 --> 00:06:27,709 The thing that people somehow
172 00:06:27,710 --> 00:06:30,109 didn't have on their radar was a term
173 00:06:30,110 --> 00:06:32,179 called malleability, or
174 00:06:32,180 --> 00:06:34,339 in German, Verformbarkeit. This
175 00:06:34,340 --> 00:06:36,469 means that an
176 00:06:36,470 --> 00:06:38,959 attacker that is intercepting
177 00:06:38,960 --> 00:06:41,089 ciphertext messages
178 00:06:41,090 --> 00:06:43,489 can somehow modify
179 00:06:43,490 --> 00:06:45,679 these and then also modify the
180 00:06:45,680 --> 00:06:47,779 plaintext in some predictable way.
181 00:06:47,780 --> 00:06:49,939 We already saw this for the ECB penguin,
182 00:06:49,940 --> 00:06:52,819 where, basically,
183 00:06:52,820 --> 00:06:54,889 the order of how
184 00:06:54,890 --> 00:06:57,529 the blocks are encrypted is not a part
185 00:06:57,530 --> 00:06:59,869 of the encryption process itself.
186 00:06:59,870 --> 00:07:02,309 So you can rearrange or even replay
187 00:07:02,310 --> 00:07:04,399 blocks, or you can also replace
188 00:07:04,400 --> 00:07:06,739 entire blocks without
189 00:07:06,740 --> 00:07:08,539 the communication partners,
190 00:07:08,540 --> 00:07:10,789 so the true communication partners,
191 00:07:10,790 --> 00:07:11,790 ever noticing.
192 00:07:13,610 --> 00:07:15,769 The same problem is also with CTR
193 00:07:15,770 --> 00:07:18,169 mode, which in some sense
194 00:07:18,170 --> 00:07:20,389 generates the ciphertext in
195 00:07:20,390 --> 00:07:22,159 a stream cipher fashion.
196 00:07:22,160 --> 00:07:25,099 And you can do bitwise modifications
197 00:07:25,100 --> 00:07:27,349 to also change the plain
198 00:07:27,350 --> 00:07:28,729 text at the same positions.
199 00:07:30,650 --> 00:07:33,049 Also, the CBC that we were already
200 00:07:33,050 --> 00:07:35,149 talking about has
201 00:07:35,150 --> 00:07:37,579 some problems, because in decryption,
202 00:07:37,580 --> 00:07:39,709 when you change one
203 00:07:39,710 --> 00:07:42,319 ciphertext block, you can predictably
204 00:07:42,320 --> 00:07:44,449 change the next plaintext block, which
205 00:07:44,450 --> 00:07:45,709 is also bad.
206 00:07:45,710 --> 00:07:48,019 So again, the
207 00:07:48,020 --> 00:07:49,969 two communication partners, they have no
208 00:07:49,970 --> 00:07:52,939 way to detect if somebody
209 00:07:52,940 --> 00:07:54,919 fiddled with the ciphertext on the
210 00:07:54,920 --> 00:07:57,109 way. Then
211 00:07:57,110 --> 00:07:58,669 there are other problems like chosen
212 00:07:58,670 --> 00:08:00,859 boundary attacks. They also apply to some
213 00:08:00,860 --> 00:08:03,079 of these modes, like CBC or
214 00:08:03,080 --> 00:08:05,209 CFB, which can be
215 00:08:05,210 --> 00:08:07,369 used to decrypt messages
216 00:08:07,370 --> 00:08:08,259 byte by
217 00:08:08,260 --> 00:08:09,799 byte.
218 00:08:09,800 --> 00:08:12,259 For example, there is a paper called
219 00:08:12,260 --> 00:08:14,599 "Here Come the XOR Ninjas", which
220 00:08:14,600 --> 00:08:16,909 shows how
221 00:08:16,910 --> 00:08:19,249 to decrypt encrypted
222 00:08:19,250 --> 00:08:22,249 cookies that were encrypted with CBC.
223 00:08:22,250 --> 00:08:24,379 And this is also the issue because
224 00:08:24,380 --> 00:08:26,569 of this partial
225 00:08:26,570 --> 00:08:27,800 chosen-plaintext control.
226 00:08:29,870 --> 00:08:31,969 So what you really want to have is
227 00:08:31,970 --> 00:08:34,048 authenticated encryption.
228 00:08:34,049 --> 00:08:36,319 Um, we
229 00:08:36,320 --> 00:08:38,269 already saw two days ago a very nice
230 00:08:38,270 --> 00:08:40,519 introduction about ECC.
231 00:08:40,520 --> 00:08:42,619 And unfortunately, I don't have
232 00:08:42,620 --> 00:08:44,749 a clock example here, but I will
233 00:08:44,750 --> 00:08:46,909 try to do my best to convince
234 00:08:46,910 --> 00:08:48,799 you, or to explain authenticated
235 00:08:48,800 --> 00:08:49,800 encryption to you.
236 00:08:51,220 --> 00:08:52,639 So what is it?
237 00:08:52,640 --> 00:08:54,369 Imagine you have an algorithm that is an
238 00:08:54,370 --> 00:08:56,379 authenticated encryption scheme, and it
239 00:08:56,380 --> 00:08:58,449 takes as input a key, a nonce and a
240 00:08:58,450 --> 00:09:00,909 message, and it uses
241 00:09:00,910 --> 00:09:03,159 the key and the nonce to encrypt
242 00:09:03,160 --> 00:09:05,109 the message to a ciphertext and an
243 00:09:05,110 --> 00:09:07,359 authentication tag. And
244 00:09:07,360 --> 00:09:08,289 the ciphertext,
245 00:09:08,290 --> 00:09:11,139 it protects the confidentiality,
246 00:09:11,140 --> 00:09:12,729 and the authentication tag,
247 00:09:12,730 --> 00:09:14,829 it protects the integrity and
248 00:09:14,830 --> 00:09:16,269 authenticity.
249 00:09:16,270 --> 00:09:18,729 So authenticated encryption is basically,
250 00:09:18,730 --> 00:09:21,669 as
251 00:09:21,670 --> 00:09:23,439 JP already said, when we are
252 00:09:23,440 --> 00:09:25,569 talking about encryption these days, we
253 00:09:25,570 --> 00:09:27,939 usually mean authenticated encryption,
254 00:09:27,940 --> 00:09:30,099 because once you send
255 00:09:30,100 --> 00:09:32,379 data out over an unprotected
256 00:09:32,380 --> 00:09:34,659 line, you want to also make sure
257 00:09:34,660 --> 00:09:36,789 that the data is not
258 00:09:36,790 --> 00:09:38,739 modified along the way.
259 00:09:38,740 --> 00:09:40,269 So, and this is what authenticated
260 00:09:40,270 --> 00:09:42,129 encryption is needed for.
261 00:09:42,130 --> 00:09:44,799 And it is used in many, many
262 00:09:44,800 --> 00:09:47,199 protocols, IPsec, TLS
263 00:09:47,200 --> 00:09:48,640 and so on and so forth.
264 00:09:50,440 --> 00:09:52,509 And then there is a second variant, which
265 00:09:52,510 --> 00:09:54,489 is called authenticated encryption with
266 00:09:54,490 --> 00:09:55,490 additional data,
267 00:09:56,980 --> 00:09:59,049 where you take
268 00:09:59,050 --> 00:10:00,879 a message, but now you also have some
269 00:10:00,880 --> 00:10:03,009 additional data as an input,
270 00:10:03,010 --> 00:10:05,349 which is here symbolized as the
271 00:10:05,350 --> 00:10:06,350 H.
272 00:10:07,030 --> 00:10:10,029 And this data, again,
273 00:10:10,030 --> 00:10:12,579 goes through the
274 00:10:12,580 --> 00:10:14,409 AE scheme, and the ciphertext
275 00:10:14,410 --> 00:10:16,299 and a tag is produced.
276 00:10:16,300 --> 00:10:18,369 But now the tag not only
277 00:10:18,370 --> 00:10:20,649 protects the message,
278 00:10:20,650 --> 00:10:22,809 but also the header, and
279 00:10:22,810 --> 00:10:25,359 the header is communicated
280 00:10:25,360 --> 00:10:26,529 in clear over the line.
281 00:10:26,530 --> 00:10:28,659 So this is, for example,
282 00:10:28,660 --> 00:10:30,849 important when you want to protect some
283 00:10:30,850 --> 00:10:31,850 parts of your data
284 00:10:32,890 --> 00:10:34,989 that need to remain in clear.
285 00:10:34,990 --> 00:10:36,939 For example, some routing information in
286 00:10:36,940 --> 00:10:38,679 IP packets.
287 00:10:42,110 --> 00:10:44,269 There are a bunch of ways
288 00:10:44,270 --> 00:10:46,189 how you can realize authenticated
289 00:10:46,190 --> 00:10:47,190 encryption.
290 00:10:48,110 --> 00:10:50,359 The first is so-called generic
291 00:10:50,360 --> 00:10:51,709 composition.
292 00:10:51,710 --> 00:10:54,019 And what you do here is you take
293 00:10:54,020 --> 00:10:57,289 a symmetric cipher, like a block cipher
294 00:10:57,290 --> 00:10:59,719 in a certain mode, and you use a MAC,
295 00:10:59,720 --> 00:11:01,999 a message authentication code,
296 00:11:02,000 --> 00:11:04,429 and you combine these two to form
297 00:11:04,430 --> 00:11:06,499 an AE or an
298 00:11:06,500 --> 00:11:07,500 AEAD construction.
299 00:11:08,630 --> 00:11:10,399 And there are three ways to do it.
300 00:11:10,400 --> 00:11:12,619 The three are Encrypt-and-
301 00:11:12,620 --> 00:11:15,469 MAC, MAC-then-Encrypt, and Encrypt-then-
302 00:11:15,470 --> 00:11:17,870 MAC. Encrypt-and-MAC is basically you encrypt
303 00:11:19,790 --> 00:11:22,399 your plaintext and you MAC your plaintext
304 00:11:22,400 --> 00:11:25,009 and then you send both along the way.
305 00:11:25,010 --> 00:11:27,439 MAC-then-Encrypt is you
306 00:11:27,440 --> 00:11:29,569 first MAC your plain
307 00:11:29,570 --> 00:11:32,239 text, and then you encrypt the
308 00:11:32,240 --> 00:11:34,399 MAC and
309 00:11:34,400 --> 00:11:36,059 the plaintext to form the ciphertext.
310 00:11:36,060 --> 00:11:38,239 So the tag is
311 00:11:38,240 --> 00:11:41,209 a part of the ciphertext, which
312 00:11:41,210 --> 00:11:43,729 also led to some problems.
313 00:11:43,730 --> 00:11:46,039 And the third one is Encrypt-
314 00:11:46,040 --> 00:11:48,529 then-MAC, where you first encrypt your
315 00:11:48,530 --> 00:11:50,629 plaintext to the ciphertext and then you
316 00:11:50,630 --> 00:11:53,719 compute the MAC over the ciphertext.
317 00:11:53,720 --> 00:11:56,269 And over the years
318 00:11:56,270 --> 00:11:58,609 it was shown time
319 00:11:58,610 --> 00:12:00,889 and again that the first two options
320 00:12:00,890 --> 00:12:01,729 are not good.
321 00:12:01,730 --> 00:12:03,919 So don't use them in your applications.
322 00:12:03,920 --> 00:12:06,109 Use Encrypt-then-MAC when you have to use
323 00:12:06,110 --> 00:12:07,999 generic composition.
324 00:12:08,000 --> 00:12:10,759 And examples of such constructions
325 00:12:10,760 --> 00:12:12,769 are, for example, AES-128-
326 00:12:12,770 --> 00:12:15,079 CBC plus HMAC-SHA-
327 00:12:15,080 --> 00:12:17,329 256, and ChaCha20
328 00:12:17,330 --> 00:12:19,070 plus Poly1305.
329 00:12:23,420 --> 00:12:26,179 Another way to construct
330 00:12:26,180 --> 00:12:28,819 AE schemes
331 00:12:28,820 --> 00:12:30,979 are dedicated modes. So
332 00:12:30,980 --> 00:12:33,379 we already saw block cipher modes
333 00:12:33,380 --> 00:12:35,599 that enable you to
334 00:12:35,600 --> 00:12:37,849 encrypt multiple
335 00:12:37,850 --> 00:12:39,529 blocks with a block cipher.
336 00:12:39,530 --> 00:12:42,349 And there are also block cipher modes
337 00:12:42,350 --> 00:12:44,479 that transform
338 00:12:44,480 --> 00:12:46,429 your block cipher into an authenticated
339 00:12:46,430 --> 00:12:48,619 mode. So you don't need a separate MAC
340 00:12:48,620 --> 00:12:49,620 for it.
341 00:12:50,600 --> 00:12:53,299 And four well-known
342 00:12:53,300 --> 00:12:55,789 variants are CCM, OCB,
343 00:12:55,790 --> 00:12:58,369 EAX, and GCM. The first scheme
344 00:12:58,370 --> 00:13:00,619 and GCM are those that
345 00:13:00,620 --> 00:13:02,809 were standardized by NIST, and
346 00:13:02,810 --> 00:13:04,999 GCM is the one that is
347 00:13:05,000 --> 00:13:07,069 mostly used these days.
348 00:13:07,070 --> 00:13:09,589 But both of them have minor issues.
349 00:13:09,590 --> 00:13:11,719 JP will later tell you a little
350 00:13:11,720 --> 00:13:12,720 bit about that.
351 00:13:13,640 --> 00:13:16,189 OCB is another authenticated
352 00:13:16,190 --> 00:13:18,289 encryption block cipher mode, which is very
353 00:13:18,290 --> 00:13:20,539 nice, but unfortunately
354 00:13:20,540 --> 00:13:21,559 it is patented
355 00:13:23,090 --> 00:13:24,090 and
356 00:13:25,050 --> 00:13:27,299 in recent years, the patents
357 00:13:27,300 --> 00:13:29,309 were somehow weakened a little bit.
358 00:13:29,310 --> 00:13:31,499 So, I think for open
359 00:13:31,500 --> 00:13:33,749 source software, you can use it
360 00:13:33,750 --> 00:13:35,519 without problems, and non-military can
361 00:13:35,520 --> 00:13:37,589 use it for free as long as
362 00:13:37,590 --> 00:13:39,069 you don't use it for military,
363 00:13:39,070 --> 00:13:40,070 and I don't know what.
364 00:13:41,130 --> 00:13:44,129 And the fourth one is EAX.
365 00:13:44,130 --> 00:13:47,069 Then there are other possibilities,
366 00:13:47,070 --> 00:13:49,289 where you basically have just
367 00:13:49,290 --> 00:13:51,599 one primitive. So it's some kind
368 00:13:51,600 --> 00:13:53,939 of mixture, usually
369 00:13:53,940 --> 00:13:55,769 it's a mixture of a stream cipher plus
370 00:13:55,770 --> 00:13:56,819 a MAC.
371 00:13:56,820 --> 00:13:59,159 And four variants are Grain-
372 00:13:59,160 --> 00:14:01,259 128a, which was,
373 00:14:01,260 --> 00:14:03,179 well, Grain-128
374 00:14:03,180 --> 00:14:05,459 was a finalist of
375 00:14:05,460 --> 00:14:07,589 the second last crypto competition,
376 00:14:07,590 --> 00:14:10,229 the eSTREAM project.
377 00:14:10,230 --> 00:14:12,209 Then there is Helix and Phelix and
378 00:14:12,210 --> 00:14:13,739 Hummingbird-1 or -2.
379 00:14:13,740 --> 00:14:16,019 But the last one, the last
380 00:14:16,020 --> 00:14:17,160 two, are broken.
381 00:14:18,510 --> 00:14:20,939 And a very new
382 00:14:20,940 --> 00:14:23,189 way to construct AE
383 00:14:23,190 --> 00:14:24,839 schemes are sponge functions.
384 00:14:24,840 --> 00:14:27,059 We will also see later what this means.
385 00:14:30,200 --> 00:14:32,509 So, but also using
386 00:14:32,510 --> 00:14:34,669 authenticated encryption modes is not
387 00:14:34,670 --> 00:14:36,259 without risks, so you have to
388 00:14:36,260 --> 00:14:38,629 nevertheless be really careful
389 00:14:38,630 --> 00:14:40,219 what you do with your scheme, because
390 00:14:40,220 --> 00:14:41,629 otherwise you run into problems.
391 00:14:42,980 --> 00:14:45,169 So, for example, in the
392 00:14:45,170 --> 00:14:46,759 case where you have this generic
393 00:14:46,760 --> 00:14:49,189 composition where you combine a symmetric
394 00:14:49,190 --> 00:14:50,190 cipher and a MAC,
395 00:14:52,130 --> 00:14:54,049 it's not so easy to get the interaction
396 00:14:54,050 --> 00:14:55,579 between those two primitives
397 00:14:55,580 --> 00:14:58,369 right. So, for example, for
398 00:14:58,370 --> 00:14:59,630 the MAC-then-Encrypt
399 00:15:01,700 --> 00:15:03,889 option, there was, time and again,
400 00:15:03,890 --> 00:15:05,839 it's the variant that is used in TLS,
401 00:15:05,840 --> 00:15:07,219 and there were, time and again,
402 00:15:07,220 --> 00:15:10,279 problems due to this MAC-then-Encrypt
403 00:15:10,280 --> 00:15:11,689 option that was used.
404 00:15:11,690 --> 00:15:13,639 For example, if they would have used
405 00:15:13,640 --> 00:15:15,379 Encrypt-then-MAC, then probably most of
406 00:15:15,380 --> 00:15:16,909 the problems that we saw in the last
407 00:15:16,910 --> 00:15:19,819 years would have never been
408 00:15:19,820 --> 00:15:20,929 a real problem.
409 00:15:22,430 --> 00:15:24,709 So another thing is that we
410 00:15:24,710 --> 00:15:26,869 already saw that CCM and GCM
411 00:15:26,870 --> 00:15:29,359 are the only two real standards
412 00:15:29,360 --> 00:15:31,519 out there that were standardized by NIST.
413 00:15:31,520 --> 00:15:33,829 And if those two
414 00:15:33,830 --> 00:15:36,619 variants do not fit your,
415 00:15:36,620 --> 00:15:37,909 for example, your product or
416 00:15:37,910 --> 00:15:40,129 something, then often people invent
417 00:15:40,130 --> 00:15:42,589 their own schemes and ciphers,
418 00:15:42,590 --> 00:15:44,689 which is obviously also not the best
419 00:15:44,690 --> 00:15:45,690 idea.
420 00:15:47,390 --> 00:15:49,639 Then there is another thing
421 00:15:49,640 --> 00:15:51,239 which is called misuse.
422 00:15:51,240 --> 00:15:53,479 We also saw that in the very beginning,
423 00:15:53,480 --> 00:15:55,909 when you, for example, use twice
424 00:15:55,910 --> 00:15:58,699 the same nonce to
425 00:15:58,700 --> 00:16:00,769 encrypt your data, then
426 00:16:00,770 --> 00:16:02,809 you can run into these problems that
427 00:16:02,810 --> 00:16:03,979 I showed you in the beginning, for
428 00:16:03,980 --> 00:16:05,869 example, with CTR mode.
429 00:16:05,870 --> 00:16:08,299 And then there are also bad parameter
430 00:16:08,300 --> 00:16:10,639 choices, which, for example, also apply
431 00:16:10,640 --> 00:16:11,639 to GCM.
432 00:16:11,640 --> 00:16:13,909 JP will also tell you about
433 00:16:13,910 --> 00:16:16,489 that in a few moments.
434 00:16:16,490 --> 00:16:19,129 And this led to all kinds of problems,
435 00:16:19,130 --> 00:16:21,259 which, I'm sure, all of you have
436 00:16:21,260 --> 00:16:22,789 heard about.
437 00:16:22,790 --> 00:16:24,049 So what are those problems?
438 00:16:24,050 --> 00:16:25,050 Let's have a look.
439 00:16:27,490 --> 00:16:29,469 I probably don't have to say much about
440 00:16:29,470 --> 00:16:30,470 that.
441 00:16:30,910 --> 00:16:33,459 It's the padding oracle attack.
442 00:16:33,460 --> 00:16:34,460 It was,
443 00:16:35,200 --> 00:16:37,269 it was invented by Serge
444 00:16:37,270 --> 00:16:38,950 Vaudenay in 2002,
445 00:16:40,180 --> 00:16:43,299 and it targeted the MAC-then-Encrypt,
446 00:16:43,300 --> 00:16:44,979 remember, this is the bad mode that I
447 00:16:44,980 --> 00:16:46,779 explained earlier from the generic
448 00:16:46,780 --> 00:16:48,909 composition, and especially when it is
449 00:16:48,910 --> 00:16:50,500 used together with CBC mode,
450 00:16:51,580 --> 00:16:53,289 because you have some weird interaction
451 00:16:53,290 --> 00:16:55,359 between the
452 00:16:55,360 --> 00:16:57,489 cipher, the authentication tag
453 00:16:57,490 --> 00:17:00,129 and the padding that is used to fill up,
454 00:17:00,130 --> 00:17:02,619 uh, uh, blocks
455 00:17:02,620 --> 00:17:04,809 that are not the same size as
456 00:17:04,810 --> 00:17:07,269 the block size of your block cipher.
457 00:17:07,270 --> 00:17:09,399 And in 2002,
458 00:17:09,400 --> 00:17:11,199 people thought, yeah, OK, this is a
459 00:17:11,200 --> 00:17:13,029 theoretical attack and
460 00:17:14,200 --> 00:17:16,509 we cannot use this really
461 00:17:16,510 --> 00:17:18,699 against anything that
462 00:17:18,700 --> 00:17:20,139 is in production.
463 00:17:20,140 --> 00:17:22,269 But in 12 years,
464 00:17:22,270 --> 00:17:24,578 from 2002 to
465 00:17:24,579 --> 00:17:27,608 2014, it was repeatedly exploited,
466 00:17:27,609 --> 00:17:29,589 for example, to mount attacks on TLS.
467 00:17:29,590 --> 00:17:31,809 You've all heard about BEAST
468 00:17:31,810 --> 00:17:33,249 and Lucky 13.
469 00:17:33,250 --> 00:17:35,049 And the latest variant is also depicted
470 00:17:35,050 --> 00:17:37,239 here, it's POODLE, the Padding
471 00:17:37,240 --> 00:17:40,149 Oracle On Downgraded Legacy Encryption,
472 00:17:40,150 --> 00:17:42,249 where you can attack
473 00:17:42,250 --> 00:17:44,649 SSLv3 and TLS,
474 00:17:44,650 --> 00:17:45,650 basically.
475 00:17:48,110 --> 00:17:50,629 I guess about this you also have
476 00:17:50,630 --> 00:17:53,359 already heard a lot, it's an attack
477 00:17:53,360 --> 00:17:55,999 on the WEP standard,
478 00:17:56,000 --> 00:17:58,219 which was used to
479 00:17:58,220 --> 00:17:59,719 protect your Wi-Fi connection.
480 00:18:00,890 --> 00:18:02,989 And in 2007, some
481 00:18:02,990 --> 00:18:03,990 researchers
482 00:18:04,950 --> 00:18:07,079 presented a key recovery attack where
483 00:18:07,080 --> 00:18:09,149 you can, within minutes, really
484 00:18:09,150 --> 00:18:11,279 decrypt the entire key stream
485 00:18:11,280 --> 00:18:13,679 by reconstructing the secret key,
486 00:18:13,680 --> 00:18:15,959 and it exploits biases in the RC4
487 00:18:15,960 --> 00:18:18,029 stream cipher that is
488 00:18:18,030 --> 00:18:19,469 used there.
489 00:18:19,470 --> 00:18:21,719 And then, after
490 00:18:21,720 --> 00:18:23,849 a while, there was a tool, and
491 00:18:23,850 --> 00:18:26,069 everybody can download
492 00:18:26,070 --> 00:18:27,959 that and crack their own,
493 00:18:29,040 --> 00:18:30,299 yeah, Wi-Fi connection.
494 00:18:31,870 --> 00:18:33,030 So try this at home.
495 00:18:34,750 --> 00:18:37,329 Then another attack
496 00:18:37,330 --> 00:18:39,969 in 2012 and 2013
497 00:18:39,970 --> 00:18:42,670 also targeted RC4, where
498 00:18:43,960 --> 00:18:46,479 so-called biases were detected
499 00:18:46,480 --> 00:18:48,669 in
500 00:18:48,670 --> 00:18:49,899 the ciphertext stream.
501 00:18:49,900 --> 00:18:51,969 I mean, it was already known that RC4
502 00:18:51,970 --> 00:18:54,159 is not the best stream cipher
503 00:18:54,160 --> 00:18:56,349 out there, but
504 00:18:56,350 --> 00:18:58,479 there in 2013, they
505 00:18:58,480 --> 00:19:00,459 really showed: yeah, you can really use
506 00:19:00,460 --> 00:19:01,299 these biases,
507 00:19:01,300 --> 00:19:03,279 so these are the spikes here in this
508 00:19:03,280 --> 00:19:04,280 graph,
509 00:19:05,650 --> 00:19:08,379 to partially decrypt
510 00:19:08,380 --> 00:19:10,989 a stream that is, for example,
511 00:19:10,990 --> 00:19:13,569 when RC4 encryption was used in TLS,
512 00:19:13,570 --> 00:19:14,920 to decrypt your data.
513 00:19:17,400 --> 00:19:19,589 So, and another attack
514 00:19:19,590 --> 00:19:21,719 on RC4 was just from this
515 00:19:21,720 --> 00:19:24,209 year, where Kenny Paterson
516 00:19:24,210 --> 00:19:27,059 from the University of London tweeted:
517 00:19:27,060 --> 00:19:29,639 "Folks really need to stop using RC4,
518 00:19:29,640 --> 00:19:31,699 we just broke another
519 00:19:31,700 --> 00:19:33,839 RC4-dependent system, which is called
520 00:19:33,840 --> 00:19:35,909 HIVE, from next week's attacks."
521 00:19:35,910 --> 00:19:38,249 So HIVE is a hidden
522 00:19:38,250 --> 00:19:39,959 volume encryption system.
523 00:19:39,960 --> 00:19:42,179 And it was, in some
524 00:19:42,180 --> 00:19:44,399 sense, perfectly fine designed and also
525 00:19:44,400 --> 00:19:47,039 came along with a security proof.
526 00:19:47,040 --> 00:19:49,199 But the problem was that they were using,
527 00:19:49,200 --> 00:19:51,539 for the pseudo-random number generator,
528 00:19:51,540 --> 00:19:53,909 the RC4 stream cipher, and
529 00:19:53,910 --> 00:19:56,129 that enabled the people
530 00:19:56,130 --> 00:19:58,169 around Kenny Paterson to mount an
531 00:19:58,170 --> 00:20:01,499 attack on this HIVE system.
532 00:20:01,500 --> 00:20:03,869 Yeah, so but who cares 533 00:20:03,870 --> 00:20:06,149 about security when 534 00:20:06,150 --> 00:20:07,619 RC4 is fast and Swift? 535 00:20:07,620 --> 00:20:08,620 Right. 536 00:20:09,480 --> 00:20:11,789 So this is from this year's 537 00:20:11,790 --> 00:20:13,469 keynote from Apple where they showed, 538 00:20:13,470 --> 00:20:16,739 yeah, Swift is the best and fastest 539 00:20:16,740 --> 00:20:18,869 language when you use it with RC4 540 00:20:18,870 --> 00:20:19,870 encryption. 541 00:20:22,110 --> 00:20:24,209 So and now we will 542 00:20:24,210 --> 00:20:26,609 see a bunch of things, what the crypto 543 00:20:26,610 --> 00:20:29,219 community came up with to, uh, 544 00:20:30,270 --> 00:20:32,129 somehow get rid of all these problems 545 00:20:32,130 --> 00:20:33,509 that I was talking about earlier. 546 00:20:35,040 --> 00:20:35,999 All right. 547 00:20:36,000 --> 00:20:38,039 So I think it's pretty clear that we need 548 00:20:38,040 --> 00:20:39,389 better ciphers. 549 00:20:39,390 --> 00:20:41,099 And some people started to do something 550 00:20:41,100 --> 00:20:43,589 about it. It's called CAESAR. 551 00:20:43,590 --> 00:20:45,749 So CAESAR, crypto competition, stands 552 00:20:45,750 --> 00:20:47,309 for Competition for Authenticated 553 00:20:47,310 --> 00:20:49,469 Encryption: Security, Applicability 554 00:20:49,470 --> 00:20:50,470 and Robustness. 555 00:20:51,750 --> 00:20:52,979 First of all, what is a crypto 556 00:20:52,980 --> 00:20:54,099 competition? 557 00:20:54,100 --> 00:20:56,339 So you may have heard about AES in 558 00:20:56,340 --> 00:20:58,559 2000, SHA-3 559 00:20:58,560 --> 00:21:00,989 2010, around this time. 560 00:21:00,990 --> 00:21:02,429 The concept, it's pretty simple.
561 00:21:02,430 --> 00:21:04,409 So you are an organization, you 562 00:21:04,410 --> 00:21:06,539 want to find a new cipher or a 563 00:21:06,540 --> 00:21:09,089 hash function or a block cipher and 564 00:21:09,090 --> 00:21:10,259 you don't have much time. You're not a 565 00:21:10,260 --> 00:21:12,389 crypto expert. So you will ask people all 566 00:21:12,390 --> 00:21:14,369 over the world, you guys are the experts 567 00:21:14,370 --> 00:21:16,889 and you will work for free for us. 568 00:21:16,890 --> 00:21:18,959 You will create your own cipher. 569 00:21:18,960 --> 00:21:20,130 You will submit it to us. 570 00:21:21,390 --> 00:21:24,449 Typically, we are honest and trustworthy. 571 00:21:24,450 --> 00:21:26,639 So academics, people 572 00:21:26,640 --> 00:21:28,199 from industry, people from government, 573 00:21:28,200 --> 00:21:30,779 they work maybe one year, 574 00:21:30,780 --> 00:21:31,709 several teams of people. 575 00:21:31,710 --> 00:21:33,119 They create a new cipher from scratch, 576 00:21:33,120 --> 00:21:35,969 a specification, and it is like a 577 00:21:35,970 --> 00:21:37,319 100-page document. 578 00:21:37,320 --> 00:21:39,389 And they do this for free for 579 00:21:39,390 --> 00:21:41,819 the organizers, and then 580 00:21:41,820 --> 00:21:43,469 it publishes the designs. 581 00:21:43,470 --> 00:21:45,659 And now everyone tries to break the other 582 00:21:45,660 --> 00:21:47,969 guys' candidates because your incentive 583 00:21:47,970 --> 00:21:49,379 is, you want to win. 584 00:21:49,380 --> 00:21:51,239 So you need to break the others, like a 585 00:21:51,240 --> 00:21:52,619 demolition derby.
586 00:21:52,620 --> 00:21:54,839 And at the end of the competition, before 587 00:21:54,840 --> 00:21:56,879 the end, the organizers, they maybe do 588 00:21:56,880 --> 00:21:59,159 some shortlist, some rounds of selection, 589 00:21:59,160 --> 00:22:01,349 like we have 50 candidates, list down 590 00:22:01,350 --> 00:22:03,269 to 30, and then between now and then, and 591 00:22:03,270 --> 00:22:04,649 then we pick one. 592 00:22:04,650 --> 00:22:05,819 So that's the idea. 593 00:22:05,820 --> 00:22:08,159 That's how AES was selected and that's how 594 00:22:08,160 --> 00:22:09,059 SHA-3 was selected. 595 00:22:09,060 --> 00:22:10,289 And it works very well, because it's 596 00:22:10,290 --> 00:22:11,699 completely transparent. 597 00:22:11,700 --> 00:22:13,409 Everyone can contribute security 598 00:22:13,410 --> 00:22:15,629 analyses, implementations, 599 00:22:15,630 --> 00:22:18,509 and this is much better than obscure 600 00:22:18,510 --> 00:22:20,429 things like some other countries are 601 00:22:20,430 --> 00:22:21,689 doing. 602 00:22:21,690 --> 00:22:24,029 And that's the thing with CAESAR. 603 00:22:24,030 --> 00:22:26,129 So typically the goal is to replace 604 00:22:26,130 --> 00:22:28,589 some old standard. AES was replacing DES. 605 00:22:28,590 --> 00:22:30,749 SHA-3 was replacing SHA-1 606 00:22:30,750 --> 00:22:32,909 and SHA-2, and CAESAR is 607 00:22:32,910 --> 00:22:35,309 all about replacing, 608 00:22:35,310 --> 00:22:38,129 or doing better than, AES-GCM. 609 00:22:38,130 --> 00:22:40,469 So GCM is essentially 610 00:22:40,470 --> 00:22:42,629 the single authenticated encryption 611 00:22:42,630 --> 00:22:44,889 standard that we have. 612 00:22:44,890 --> 00:22:47,189 So it's AES-GCM, GCM stands 613 00:22:47,190 --> 00:22:48,839 for Galois Counter Mode. 614 00:22:48,840 --> 00:22:50,779 It's a mode where you do essentially 615 00:22:50,780 --> 00:22:52,679 AES in counter mode.
616 00:22:52,680 --> 00:22:54,959 And in parallel to this, you do some 617 00:22:54,960 --> 00:22:56,359 polynomial multiplications 618 00:22:57,480 --> 00:22:59,729 over a characteristic-two field, 619 00:22:59,730 --> 00:23:01,649 and you compute an authentication tag 620 00:23:01,650 --> 00:23:03,449 that depends on all the blocks that you 621 00:23:03,450 --> 00:23:04,450 have processed. 622 00:23:05,430 --> 00:23:07,319 So I will come back to this and the way we 623 00:23:07,320 --> 00:23:08,889 want to be able to do better 624 00:23:08,890 --> 00:23:11,399 than GCM. Some 625 00:23:11,400 --> 00:23:12,479 details on CAESAR. 626 00:23:12,480 --> 00:23:14,819 So it started 2014 627 00:23:14,820 --> 00:23:16,589 in March. Well, actually for submitters, 628 00:23:16,590 --> 00:23:18,929 it started one year before because they 629 00:23:18,930 --> 00:23:21,839 published a call for submissions in 2013, 630 00:23:21,840 --> 00:23:24,389 but submissions were published 631 00:23:24,390 --> 00:23:25,469 this year. 632 00:23:25,470 --> 00:23:26,939 You can look them up online on this 633 00:23:26,940 --> 00:23:29,009 webpage and it's 634 00:23:29,010 --> 00:23:32,279 expected to finish in 2017. 635 00:23:32,280 --> 00:23:34,139 So before that, there will have been 636 00:23:34,140 --> 00:23:35,399 several rounds of selection. 637 00:23:35,400 --> 00:23:37,469 I think the next one is, it should 638 00:23:37,470 --> 00:23:38,639 be, the fifteenth of January. 639 00:23:40,020 --> 00:23:42,929 So it's initiated by Daniel Bernstein, 640 00:23:42,930 --> 00:23:44,099 with a committee of twenty-two 641 00:23:44,100 --> 00:23:46,799 cryptographers, and it's sponsored 642 00:23:46,800 --> 00:23:48,059 by NIST. 643 00:23:48,060 --> 00:23:50,159 But NIST is not controlling the thing, 644 00:23:50,160 --> 00:23:51,749 it is just giving the money. 645 00:23:52,920 --> 00:23:54,989 So the winner will not necessarily be a 646 00:23:54,990 --> 00:23:55,979 new standard.
647 00:23:55,980 --> 00:23:57,509 NIST might care about what is going 648 00:23:57,510 --> 00:23:59,579 on. But it's not a 649 00:23:59,580 --> 00:24:01,469 US government competition. 650 00:24:01,470 --> 00:24:04,019 It's the Mensing. 651 00:24:04,020 --> 00:24:06,089 All right, GCM. 652 00:24:06,090 --> 00:24:07,799 So like I said, it's used everywhere, it's 653 00:24:07,800 --> 00:24:09,329 in TLS. 654 00:24:10,770 --> 00:24:12,719 You may have heard about this recently. 655 00:24:12,720 --> 00:24:14,849 And the use of AES-GCM is 656 00:24:14,850 --> 00:24:15,850 one of the 657 00:24:16,880 --> 00:24:18,319 modes specified in NIST special 658 00:24:18,320 --> 00:24:20,319 publications, since it's 659 00:24:20,320 --> 00:24:22,779 standard for IPsec, also 660 00:24:22,780 --> 00:24:25,009 SSH, and a few 661 00:24:25,010 --> 00:24:27,139 others as well. 662 00:24:27,140 --> 00:24:29,429 So it already has the monopoly of 663 00:24:30,430 --> 00:24:31,549 authenticated encryption. 664 00:24:33,140 --> 00:24:34,910 So what's wrong with GCM? 665 00:24:36,170 --> 00:24:38,989 One thing is that 666 00:24:38,990 --> 00:24:40,609 if you're not a cryptographer, it's 667 00:24:40,610 --> 00:24:42,679 unnecessarily complex. It does 668 00:24:42,680 --> 00:24:44,839 the operations in a Galois field 669 00:24:44,840 --> 00:24:46,939 with multiplication, and you can do 670 00:24:46,940 --> 00:24:48,889 the same thing, the same, the same 671 00:24:48,890 --> 00:24:50,719 functionality without using this 672 00:24:50,720 --> 00:24:52,069 relatively complex mathematics. 673 00:24:53,270 --> 00:24:55,309 So it's fast if you have a set of 674 00:24:55,310 --> 00:24:57,529 instructions, if you have your 675 00:24:57,530 --> 00:24:59,579 Intel chips, you have these 676 00:24:59,580 --> 00:25:00,499 AES-NI 677 00:25:00,500 --> 00:25:02,629 and such things that make it considerably 678 00:25:02,630 --> 00:25:04,999 faster than a normal implementation.
679 00:25:05,000 --> 00:25:07,009 But if you don't have hardware 680 00:25:07,010 --> 00:25:10,279 accelerators, it's much, much slower, 681 00:25:10,280 --> 00:25:12,739 so one thing is performance. 682 00:25:12,740 --> 00:25:15,649 And also another issue is 683 00:25:15,650 --> 00:25:18,079 side channels and timing leaks, 684 00:25:18,080 --> 00:25:19,219 because if you don't have hardware 685 00:25:19,220 --> 00:25:21,109 support, you want to have a fast AES. 686 00:25:21,110 --> 00:25:22,909 And typically what you will do, you will 687 00:25:22,910 --> 00:25:25,039 create huge lookup tables, 688 00:25:25,040 --> 00:25:27,289 and instead of doing the textbook 689 00:25:27,290 --> 00:25:29,439 AES, you can make a round by 690 00:25:29,440 --> 00:25:31,429 doing essentially a few table lookups. 691 00:25:31,430 --> 00:25:32,430 And as you may know, 692 00:25:33,560 --> 00:25:36,139 this may lead to timing leaks and 693 00:25:36,140 --> 00:25:38,569 eventually to key recovery, depending on, 694 00:25:38,570 --> 00:25:40,759 on your model, on the attack capability. 695 00:25:42,080 --> 00:25:44,599 Another thing is really to talk about nonce misuse. 696 00:25:44,600 --> 00:25:46,369 What happens if you reuse the nonce 697 00:25:46,370 --> 00:25:48,049 that you're not supposed to reuse? 698 00:25:48,050 --> 00:25:50,269 So what happens in GCM is that you 699 00:25:50,270 --> 00:25:53,269 can recover the authentication key, 700 00:25:53,270 --> 00:25:54,949 the thing, the secret thing that is 701 00:25:54,950 --> 00:25:57,309 used to authenticate your message. 702 00:25:57,310 --> 00:25:59,689 If you find this guy, then you can forge 703 00:25:59,690 --> 00:26:02,329 tags and you can compromise 704 00:26:02,330 --> 00:26:04,429 authentication completely in 705 00:26:04,430 --> 00:26:05,929 some cases. 706 00:26:05,930 --> 00:26:07,939 All right. So that was about GCM. 707 00:26:07,940 --> 00:26:10,429 I didn't talk about AES yet.
708 00:26:10,430 --> 00:26:12,989 People saying NSA is compromising 709 00:26:12,990 --> 00:26:15,109 AES. And you've seen this 710 00:26:15,110 --> 00:26:16,759 small screenshot. 711 00:26:16,760 --> 00:26:18,979 So as far as I understood, I'm, 712 00:26:18,980 --> 00:26:21,499 I don't have access to the Snowden documents. 713 00:26:21,500 --> 00:26:23,089 But my understanding is that this is an 714 00:26:23,090 --> 00:26:25,099 undergrad project proposal, something 715 00:26:25,100 --> 00:26:27,199 similar in terms of NSA, 716 00:26:27,200 --> 00:26:29,299 about applying some 717 00:26:29,300 --> 00:26:31,489 very old statistical 718 00:26:31,490 --> 00:26:33,199 techniques to 719 00:26:33,200 --> 00:26:35,089 AES, but it's not a billion dollar 720 00:26:35,090 --> 00:26:36,919 project aiming to break 721 00:26:36,920 --> 00:26:37,849 AES. 722 00:26:37,850 --> 00:26:39,979 And actually, it's no surprise that NSA 723 00:26:39,980 --> 00:26:42,109 is trying to understand or 724 00:26:42,110 --> 00:26:44,209 to break AES, it's 725 00:26:44,210 --> 00:26:46,339 part of the job. And I expect them as 726 00:26:46,340 --> 00:26:48,169 well to try to break SHA-3, to 727 00:26:48,170 --> 00:26:50,309 understand how secure it is, and they're not 728 00:26:50,310 --> 00:26:52,399 the only ones to do this. 729 00:26:52,400 --> 00:26:54,619 Academic researchers, every year 730 00:26:54,620 --> 00:26:57,229 they publish very sophisticated research 731 00:26:57,230 --> 00:26:59,469 where we get new insight about how 732 00:26:59,470 --> 00:27:01,129 AES is working. 733 00:27:01,130 --> 00:27:03,199 And what we get out of 734 00:27:03,200 --> 00:27:04,849 this is that we better understand why 735 00:27:04,850 --> 00:27:06,439 AES is secure. 736 00:27:06,440 --> 00:27:07,999 So the bottom line is, don't worry, it's 737 00:27:08,000 --> 00:27:09,139 not broken.
738 00:27:09,140 --> 00:27:10,699 Implementations may be broken, but the 739 00:27:10,700 --> 00:27:11,700 algorithm, 740 00:27:14,150 --> 00:27:15,379 it probably can't be broken. 741 00:27:15,380 --> 00:27:17,909 And that's my personal opinion. 742 00:27:17,910 --> 00:27:19,569 So let's go back to CAESAR. 743 00:27:19,570 --> 00:27:22,909 There have been exactly 57 submissions, 744 00:27:22,910 --> 00:27:25,429 so it's less than SHA-3, which received 745 00:27:25,430 --> 00:27:27,859 63 or 64 submissions, 746 00:27:27,860 --> 00:27:30,169 but many more than, 747 00:27:30,170 --> 00:27:31,369 than, uh, AES. 748 00:27:31,370 --> 00:27:33,889 Well, there were only 15. 749 00:27:33,890 --> 00:27:35,279 So on the submissions. 750 00:27:35,280 --> 00:27:37,449 There's ACORN, AEGIS, 751 00:27:37,450 --> 00:27:39,829 AES-CMCC, 752 00:27:39,830 --> 00:27:41,899 AES-COBRA, 753 00:27:41,900 --> 00:27:43,969 AES-CPFB, AES-JAMBU, AES-OTR, 754 00:27:43,970 --> 00:27:45,490 AEZ, Artemia, Ascon, 755 00:27:46,550 --> 00:27:48,739 and 756 00:27:48,740 --> 00:27:50,949 so on and so forth. 757 00:27:50,950 --> 00:27:53,059 You might have heard of the, the, what, AES. 758 00:27:53,060 --> 00:27:55,429 And several times some names, 759 00:27:55,430 --> 00:27:57,649 because a couple of those are based on the AES 760 00:27:57,650 --> 00:28:00,229 block cipher and are just 761 00:28:00,230 --> 00:28:02,809 a submission of a mode of operation 762 00:28:02,810 --> 00:28:04,939 that they propose to instantiate with the AES 763 00:28:04,940 --> 00:28:07,139 cipher. In some cases they do 764 00:28:07,140 --> 00:28:08,329 some modifications to 765 00:28:08,330 --> 00:28:11,329 AES, but it's still AES-based. 766 00:28:11,330 --> 00:28:12,979 So the motivation obviously here is to 767 00:28:12,980 --> 00:28:14,959 take advantage of the high speed of AES 768 00:28:14,960 --> 00:28:16,489 in mainstream CPUs. 769 00:28:18,170 --> 00:28:19,969 I think I counted yesterday.
770 00:28:19,970 --> 00:28:21,289 That's approximately twenty-five 771 00:28:21,290 --> 00:28:22,219 submissions 772 00:28:22,220 --> 00:28:24,109 that use AES or some variant of 773 00:28:24,110 --> 00:28:25,069 AES. 774 00:28:25,070 --> 00:28:27,169 In CAESAR, towards the others, 775 00:28:27,170 --> 00:28:29,749 uh, I don't know, 776 00:28:29,750 --> 00:28:32,629 mambo kitty shall use. 777 00:28:32,630 --> 00:28:34,739 I don't know how, how 778 00:28:34,740 --> 00:28:36,859 are they working. But there is a 779 00:28:36,860 --> 00:28:39,829 new block cipher created from scratch, 780 00:28:39,830 --> 00:28:42,319 or some, some sort of cipher 781 00:28:42,320 --> 00:28:44,809 that, uh, has this authentication 782 00:28:44,810 --> 00:28:46,939 feature, or something 783 00:28:46,940 --> 00:28:47,989 based on a sponge function. 784 00:28:47,990 --> 00:28:50,149 That's what Philip mentioned before, 785 00:28:50,150 --> 00:28:52,359 all this sponge function in SHA-3. 786 00:28:53,420 --> 00:28:54,619 So how are they doing? 787 00:28:54,620 --> 00:28:56,569 So some people have already tried to 788 00:28:56,570 --> 00:28:57,769 break them. 789 00:28:57,770 --> 00:28:59,839 We counted thirteen that have 790 00:28:59,840 --> 00:29:02,239 been meaningfully compromised, 791 00:29:02,240 --> 00:29:03,829 and five, for which 792 00:29:05,030 --> 00:29:06,679 imperfections, or a little bit more 793 00:29:06,680 --> 00:29:07,940 than imperfections, have been found, 794 00:29:09,140 --> 00:29:11,209 and thirty-nine for which no 795 00:29:11,210 --> 00:29:12,619 flaw has been published. 796 00:29:12,620 --> 00:29:13,849 So it doesn't mean there is nothing at 797 00:29:13,850 --> 00:29:16,039 all, but that nobody, 798 00:29:16,040 --> 00:29:18,149 nobody published it. So we see that 799 00:29:18,150 --> 00:29:19,739 there's this guy NORX in blue. 800 00:29:19,740 --> 00:29:21,299 So fortunately for us, it's not been 801 00:29:21,300 --> 00:29:23,129 broken yet.
802 00:29:23,130 --> 00:29:25,379 I'll try to convince you that it's 803 00:29:25,380 --> 00:29:26,519 secure. 804 00:29:26,520 --> 00:29:27,520 All right. 805 00:29:28,290 --> 00:29:30,669 So before NORX, I created, 806 00:29:30,670 --> 00:29:32,969 um, with a lot of people, a hash 807 00:29:32,970 --> 00:29:34,439 function called BLAKE. 808 00:29:34,440 --> 00:29:37,349 It was one of the finalists in SHA-3. 809 00:29:37,350 --> 00:29:39,479 And every time I presented BLAKE, 810 00:29:39,480 --> 00:29:41,459 I talked about it, people had only one 811 00:29:41,460 --> 00:29:42,809 very single question. 812 00:29:42,810 --> 00:29:43,810 It was: 813 00:29:44,230 --> 00:29:46,329 why the name BLAKE? And it 814 00:29:46,330 --> 00:29:47,829 was ridiculous because there was no real 815 00:29:47,830 --> 00:29:49,889 good reason, but here I'm happy to, to 816 00:29:49,890 --> 00:29:52,059 have some explanation behind the name 817 00:29:52,060 --> 00:29:53,060 NORX. 818 00:29:54,010 --> 00:29:56,469 It actually comes from "not 819 00:29:56,470 --> 00:29:57,639 ARX". 820 00:29:57,640 --> 00:30:00,429 So what does ARX stand for? Addition, 821 00:30:00,430 --> 00:30:02,709 Rotation, XOR. It's 822 00:30:02,710 --> 00:30:04,989 a type of cryptographic algorithm 823 00:30:04,990 --> 00:30:06,969 where you just use these operations. 824 00:30:06,970 --> 00:30:08,250 So integer addition, 825 00:30:09,310 --> 00:30:11,439 rotation, of course, and XOR, and that's 826 00:30:11,440 --> 00:30:13,149 sufficient to make something 827 00:30:13,150 --> 00:30:14,150 that is unbreakable 828 00:30:15,610 --> 00:30:18,309 in terms of complexity, or it's universal, 829 00:30:18,310 --> 00:30:20,359 so you can implement any function, any 830 00:30:20,360 --> 00:30:22,659 computable functionality, 831 00:30:22,660 --> 00:30:24,729 using these operations.
832 00:30:25,900 --> 00:30:28,059 Why did we choose to not 833 00:30:28,060 --> 00:30:30,269 be ARX? That we removed the 834 00:30:30,270 --> 00:30:31,510 A, we removed the addition. 835 00:30:32,770 --> 00:30:34,929 So we use the XOR and only 836 00:30:34,930 --> 00:30:35,889 bitwise operations, 837 00:30:35,890 --> 00:30:37,619 so logical AND, logical OR, 838 00:30:38,620 --> 00:30:40,779 that is, and it's not that that is 839 00:30:40,780 --> 00:30:42,699 intrinsically more secure, it's that it's 840 00:30:42,700 --> 00:30:45,309 just easier to analyze, it's easier 841 00:30:45,310 --> 00:30:47,859 to find mathematical results, 842 00:30:47,860 --> 00:30:49,749 for example, for example, bounds on the 843 00:30:49,750 --> 00:30:52,089 security, quantitative bounds 844 00:30:52,090 --> 00:30:53,949 on the security of the cipher. 845 00:30:53,950 --> 00:30:56,799 It's also much simpler to implement 846 00:30:56,800 --> 00:30:58,539 in low-end CPUs; if you have like 847 00:30:58,540 --> 00:31:00,849 8- or 16-bit registers, 848 00:31:00,850 --> 00:31:03,159 you don't have to care about the carries. 849 00:31:03,160 --> 00:31:05,049 And it's much simpler to implement in 850 00:31:05,050 --> 00:31:07,359 hardware. You don't have to 851 00:31:07,360 --> 00:31:09,129 do adders, to choose the right type of 852 00:31:09,130 --> 00:31:11,319 adders; it's much simpler in terms 853 00:31:11,320 --> 00:31:12,519 of implementation. 854 00:31:13,690 --> 00:31:15,889 All right. So what were our design goals? 855 00:31:15,890 --> 00:31:18,159 So like in every engineering project, 856 00:31:18,160 --> 00:31:20,319 before starting doing things, we think 857 00:31:20,320 --> 00:31:21,999 about what we'll be doing, what the, 858 00:31:22,000 --> 00:31:23,469 what's the objective? 859 00:31:23,470 --> 00:31:25,629 So one is for the cipher to be secure, 860 00:31:25,630 --> 00:31:28,539 obviously the most important criterion; 861 00:31:28,540 --> 00:31:30,759 to be fast on all platforms.
862 00:31:30,760 --> 00:31:33,219 So we didn't optimize specifically for 863 00:31:33,220 --> 00:31:35,379 this model of chip or for this 864 00:31:35,380 --> 00:31:36,729 specific FPGA. 865 00:31:36,730 --> 00:31:38,439 We want to be consistently fast across all 866 00:31:38,440 --> 00:31:41,079 platforms because we want to be used 867 00:31:41,080 --> 00:31:43,179 by any, by any user. 868 00:31:43,180 --> 00:31:44,180 Simplicity. 869 00:31:44,890 --> 00:31:46,389 So people are sometimes impressed when 870 00:31:46,390 --> 00:31:47,829 it's complex. We have a lot of equations 871 00:31:47,830 --> 00:31:49,539 and Greek letters and stuff. 872 00:31:49,540 --> 00:31:51,789 We want to make simple things, as simple 873 00:31:51,790 --> 00:31:54,399 as possible, be it the specification 874 00:31:54,400 --> 00:31:55,449 or the code. 875 00:31:55,450 --> 00:31:57,159 And we want people who are not experts in 876 00:31:57,160 --> 00:31:59,289 cryptography, who are not crypto PhDs, 877 00:31:59,290 --> 00:32:01,359 to take the spec and to implement it 878 00:32:01,360 --> 00:32:04,149 in maybe one afternoon. 879 00:32:04,150 --> 00:32:06,309 Simplicity also means some notions 880 00:32:06,310 --> 00:32:08,439 of symmetry, in the sense that if 881 00:32:08,440 --> 00:32:10,659 you look at the NORX encryption and 882 00:32:10,660 --> 00:32:11,799 the decryption, it's almost the same 883 00:32:11,800 --> 00:32:14,049 function. You have just small tweaks, 884 00:32:14,050 --> 00:32:15,489 but you don't have to implement something 885 00:32:15,490 --> 00:32:16,659 completely different if you want to 886 00:32:16,660 --> 00:32:18,729 decrypt or encrypt. It's 887 00:32:18,730 --> 00:32:21,189 online, one pass. So you have your data, 888 00:32:21,190 --> 00:32:22,539 you process it once. 889 00:32:22,540 --> 00:32:23,799 You don't have to process it twice, once for 890 00:32:23,800 --> 00:32:25,839 encryption and once for authentication.
891 00:32:25,840 --> 00:32:28,029 Then there's 892 00:32:28,030 --> 00:32:30,669 scalability in terms of parallelism, 893 00:32:30,670 --> 00:32:33,129 horizontal scalability and 894 00:32:33,130 --> 00:32:35,919 running in parallel. 895 00:32:35,920 --> 00:32:38,259 It means that unlike AES, we don't have 896 00:32:38,260 --> 00:32:41,109 a key schedule, we don't lose cycles 897 00:32:41,110 --> 00:32:42,679 expanding the key and then storing 898 00:32:42,680 --> 00:32:44,829 the expanded key. 899 00:32:44,830 --> 00:32:47,499 We just inject the key very simply, 900 00:32:47,500 --> 00:32:49,629 and we try to minimize side channel leaks, so 901 00:32:49,630 --> 00:32:51,069 we can only do so much on the algorithm 902 00:32:51,070 --> 00:32:53,199 level, but we try to make something 903 00:32:53,200 --> 00:32:55,339 that is easy to implement in 904 00:32:55,340 --> 00:32:57,809 constant time, for example. 905 00:32:57,810 --> 00:33:00,089 All right, so this is not 906 00:33:00,090 --> 00:33:01,529 a single cipher. It's actually a family 907 00:33:01,530 --> 00:33:03,959 of ciphers with a few parameters, 908 00:33:03,960 --> 00:33:06,159 a few dimensions, and you can tune these 909 00:33:06,160 --> 00:33:08,459 parameters to find the instance 910 00:33:08,460 --> 00:33:09,729 that best suits your application. 911 00:33:09,730 --> 00:33:11,399 So the first parameter is the 912 00:33:11,400 --> 00:33:12,990 word size dimension: what size, 913 00:33:14,100 --> 00:33:16,409 32 or 64? 914 00:33:16,410 --> 00:33:18,569 32 typically means that you will, 915 00:33:18,570 --> 00:33:20,729 uh, target 32-bit 916 00:33:20,730 --> 00:33:22,169 architectures.
917 00:33:22,170 --> 00:33:24,989 But obviously you can use the 32-bit version 918 00:33:24,990 --> 00:33:27,089 on a 64-bit CPU and the other way 919 00:33:27,090 --> 00:33:29,219 around. 920 00:33:29,220 --> 00:33:30,959 Then, second, you can tune the 921 00:33:30,960 --> 00:33:33,179 number D, the degree 922 00:33:33,180 --> 00:33:34,619 of parallelism. 923 00:33:34,620 --> 00:33:36,689 So how many cores 924 00:33:36,690 --> 00:33:39,209 do you have available for NORX, 925 00:33:39,210 --> 00:33:40,619 in order to take advantage 926 00:33:42,040 --> 00:33:45,509 of your CPU. 927 00:33:45,510 --> 00:33:47,579 So there's a huge design space 928 00:33:47,580 --> 00:33:49,649 for NORX. But for the sake of, of 929 00:33:49,650 --> 00:33:51,569 CAESAR, we only submitted a few, 930 00:33:51,570 --> 00:33:53,279 exactly five proposals. 931 00:33:53,280 --> 00:33:54,929 We have NORX 64-bit, 932 00:33:54,930 --> 00:33:56,999 also 32-bit, with four 933 00:33:57,000 --> 00:33:59,279 rounds or six rounds, 934 00:33:59,280 --> 00:34:01,049 and one with D equal one. 935 00:34:01,050 --> 00:34:03,419 So when the parallelism degree is 936 00:34:03,420 --> 00:34:04,950 one, it means it's completely serial. 937 00:34:06,500 --> 00:34:08,119 And you might ask the question, why did 938 00:34:08,120 --> 00:34:09,649 you choose to have four rounds and six 939 00:34:09,650 --> 00:34:10,650 rounds? 940 00:34:12,300 --> 00:34:14,539 I have no simple answer to this, but 941 00:34:14,540 --> 00:34:17,059 let's say that we make, we try to break NORX, 942 00:34:17,060 --> 00:34:18,019 we try to break one 943 00:34:18,020 --> 00:34:20,169 round, more rounds. And it's 944 00:34:20,170 --> 00:34:22,069 a trade-off between security margin, 945 00:34:22,070 --> 00:34:24,709 between security and 946 00:34:24,710 --> 00:34:25,710 efficiency. 947 00:34:26,389 --> 00:34:27,559 All right.
948 00:34:27,560 --> 00:34:29,869 So we have a version with 128 949 00:34:29,870 --> 00:34:31,939 bit key or 256 950 00:34:31,940 --> 00:34:32,940 bit. 951 00:34:33,290 --> 00:34:35,749 So the mode is essentially 952 00:34:35,750 --> 00:34:37,819 what we call a domain 953 00:34:37,820 --> 00:34:39,019 extender. 954 00:34:39,020 --> 00:34:41,178 In other words, a combination 955 00:34:41,179 --> 00:34:43,549 of the core function to process 956 00:34:43,550 --> 00:34:46,009 input of variable size from something 957 00:34:46,010 --> 00:34:48,619 that takes input of fixed size. 958 00:34:48,620 --> 00:34:50,738 So here we have this function F, 959 00:34:50,739 --> 00:34:53,119 taking something of a fixed size, 960 00:34:53,120 --> 00:34:55,279 and we combine it in such a way 961 00:34:55,280 --> 00:34:57,679 that we can process messages of any 962 00:34:57,680 --> 00:34:58,680 reasonable size. 963 00:34:59,870 --> 00:35:01,939 It's derived from the sponge 964 00:35:01,940 --> 00:35:04,109 function of Keccak, which is now 965 00:35:04,110 --> 00:35:06,619 SHA-3, and more specifically 966 00:35:06,620 --> 00:35:08,749 what they call the MonkeyDuplex; don't ask 967 00:35:08,750 --> 00:35:10,699 me why we chose this name. 968 00:35:10,700 --> 00:35:12,859 But the idea is to take a hash function 969 00:35:12,860 --> 00:35:14,929 mode and modify it a bit so 970 00:35:14,930 --> 00:35:16,879 that you can make an authenticated 971 00:35:16,880 --> 00:35:19,879 cipher out of this hash function mode. 972 00:35:19,880 --> 00:35:21,949 Yeah, it's extremely simple. You 973 00:35:21,950 --> 00:35:22,969 have this function F, which is a 974 00:35:22,970 --> 00:35:25,339 permutation, so it takes an input, 975 00:35:25,340 --> 00:35:27,649 you transform it in some complicated 976 00:35:27,650 --> 00:35:29,779 way and it creates something 977 00:35:29,780 --> 00:35:32,389 of the same size, and it is a permutation. 978 00:35:32,390 --> 00:35:33,390 You can invert it.
979 00:35:34,340 --> 00:35:37,009 It sounds a bit contradictory 980 00:35:37,010 --> 00:35:39,079 because you don't want to invert 981 00:35:39,080 --> 00:35:41,839 things. 982 00:35:41,840 --> 00:35:43,699 That's really what we need. 983 00:35:43,700 --> 00:35:46,339 So you see a bunch of examples. 984 00:35:46,340 --> 00:35:47,809 What we're doing, we're injecting, 985 00:35:47,810 --> 00:35:49,369 injecting the message and injecting 986 00:35:49,370 --> 00:35:50,839 parameters. 987 00:35:50,840 --> 00:35:52,939 So the message injection is very 988 00:35:52,940 --> 00:35:54,769 simple. You just XOR the message, 989 00:35:54,770 --> 00:35:56,959 here it's P, for example. 990 00:35:56,960 --> 00:35:58,849 You just XOR it to the state and then you 991 00:35:58,850 --> 00:36:00,769 transform the state. At some point, we XOR 992 00:36:00,770 --> 00:36:02,959 H, which is the header, for 993 00:36:02,960 --> 00:36:03,949 example. 994 00:36:03,950 --> 00:36:06,109 So something that's not encrypted, we 995 00:36:06,110 --> 00:36:07,549 inject it to the state. It would modify 996 00:36:07,550 --> 00:36:09,619 the state, then you would get 997 00:36:09,620 --> 00:36:10,579 a different state. 998 00:36:10,580 --> 00:36:13,189 So all this is about 999 00:36:13,190 --> 00:36:14,929 modifying the state in such a way that 1000 00:36:14,930 --> 00:36:17,029 you get something that's secure, 1001 00:36:17,030 --> 00:36:19,189 for, for some definition of security. 1002 00:36:20,660 --> 00:36:21,719 So I don't give all the details. 1003 00:36:21,720 --> 00:36:23,959 You can look it up in the paper. 1004 00:36:23,960 --> 00:36:26,059 In the parallel mode, 1005 00:36:26,060 --> 00:36:27,349 it's essentially the same. 1006 00:36:27,350 --> 00:36:29,449 So you, you XOR messages to 1007 00:36:29,450 --> 00:36:31,849 the state, you get a ciphertext 1008 00:36:31,850 --> 00:36:33,859 out, but different:
1009 00:36:33,860 --> 00:36:35,539 you have two branches in parallel that 1010 00:36:35,540 --> 00:36:37,279 are completely independent. 1011 00:36:37,280 --> 00:36:39,739 So like if you have two CPU cores, 1012 00:36:39,740 --> 00:36:41,329 you can run one branch on the, on 1013 00:36:41,330 --> 00:36:43,279 the first core and the other one on the 1014 00:36:43,280 --> 00:36:45,469 second core. And if you have 50, 60 1015 00:36:45,470 --> 00:36:47,829 cores, you can make sixteen branches 1016 00:36:47,830 --> 00:36:49,879 in parallel and then optimize the 1017 00:36:49,880 --> 00:36:52,279 efficiency. So 1018 00:36:52,280 --> 00:36:54,049 NORX, it's really about transforming a 1019 00:36:54,050 --> 00:36:56,599 state using a permutation. 1020 00:36:56,600 --> 00:36:58,939 So the state is just a string of 1021 00:36:58,940 --> 00:37:01,129 bits, and the string of bits 1022 00:37:01,130 --> 00:37:03,559 is seen as 16 1023 00:37:03,560 --> 00:37:05,809 words of either 32 or 1024 00:37:05,810 --> 00:37:07,039 64 bits. 1025 00:37:07,040 --> 00:37:09,259 And we view this array of words 1026 00:37:09,260 --> 00:37:11,809 as a matrix of four times four, 1027 00:37:11,810 --> 00:37:14,029 four by four words, 1028 00:37:14,030 --> 00:37:16,279 that might remind you, at times, it might remind 1029 00:37:16,280 --> 00:37:18,439 you of Salsa20, ChaCha 1030 00:37:18,440 --> 00:37:20,509 or BLAKE2. And we 1031 00:37:20,510 --> 00:37:21,769 have two different types of words. 1032 00:37:21,770 --> 00:37:23,269 So the words where we will inject the 1033 00:37:23,270 --> 00:37:25,130 message, which are the blue words here, 1034 00:37:26,330 --> 00:37:28,489 which we call the rate words, and 1035 00:37:28,490 --> 00:37:30,589 in green the capacity words, which we 1036 00:37:30,590 --> 00:37:31,590 never touch.
1037 00:37:32,330 --> 00:37:34,939 So as an adversary you can control 1038 00:37:34,940 --> 00:37:36,649 to some extent the blue words by choosing 1039 00:37:36,650 --> 00:37:38,449 your message words, but you can't control 1040 00:37:38,450 --> 00:37:39,829 the green words. 1041 00:37:39,830 --> 00:37:42,179 And that's where the security comes from. 1042 00:37:42,180 --> 00:37:43,619 To simplify things, 1043 00:37:43,620 --> 00:37:45,319 the more green words you have, the more 1044 00:37:45,320 --> 00:37:47,689 capacity you have, the more secure 1045 00:37:47,690 --> 00:37:50,149 in theory is the algorithm. 1046 00:37:50,150 --> 00:37:51,859 So we didn't make this up; rate and 1047 00:37:51,860 --> 00:37:54,799 capacity is standard terminology from the 1048 00:37:54,800 --> 00:37:57,019 sponge function literature. In 1049 00:37:57,020 --> 00:37:59,239 our two versions, the state is of 1050 00:37:59,240 --> 00:38:01,489 either 512 1051 00:38:01,490 --> 00:38:03,769 bits or one K. 1052 00:38:03,770 --> 00:38:07,309 And the rate is adapted 1053 00:38:07,310 --> 00:38:08,569 accordingly. 1054 00:38:08,570 --> 00:38:10,699 So let's see now how we transform this 1055 00:38:10,700 --> 00:38:12,949 state to encrypt messages into 1056 00:38:12,950 --> 00:38:13,950 it and to get messages. 1057 00:38:15,310 --> 00:38:17,599 OK, so we already met 1058 00:38:17,600 --> 00:38:18,709 this guy. 1059 00:38:18,710 --> 00:38:20,989 And what you haven't seen 1060 00:38:20,990 --> 00:38:23,469 yet is that there are, I mean, 1061 00:38:23,470 --> 00:38:24,859 he mentioned it, but there are a couple 1062 00:38:24,860 --> 00:38:26,959 of different phases, how the algorithm 1063 00:38:26,960 --> 00:38:28,969 works. And now we will have a look at the 1064 00:38:28,970 --> 00:38:30,709 different phases. 1065 00:38:30,710 --> 00:38:32,899 The first one is initialization, 1066 00:38:32,900 --> 00:38:35,059 and it's in the red square over there.
1067 00:38:36,230 --> 00:38:38,299 So let's see how this works. 1068 00:38:38,300 --> 00:38:40,099 So at some point, you have to do 1069 00:38:40,100 --> 00:38:41,689 something with your secret key, right? 1070 00:38:41,690 --> 00:38:44,029 Because we have a symmetric key 1071 00:38:44,030 --> 00:38:45,019 algorithm. 1072 00:38:45,020 --> 00:38:47,179 And how it works is you take your 1073 00:38:47,180 --> 00:38:49,249 four by four matrix and you load 1074 00:38:49,250 --> 00:38:51,529 your key in the yellow part here. 1075 00:38:51,530 --> 00:38:54,109 OK, then the nonce, 1076 00:38:54,110 --> 00:38:55,759 the number used once that you need to 1077 00:38:55,760 --> 00:38:57,829 increase with every message that 1078 00:38:57,830 --> 00:39:00,049 you encrypt, is 1079 00:39:00,050 --> 00:39:02,599 loaded into the green part, and 1080 00:39:02,600 --> 00:39:05,419 the blue part, these are just constants. 1081 00:39:05,420 --> 00:39:06,420 Nothing else. 1082 00:39:07,340 --> 00:39:09,709 So what else do you do after 1083 00:39:09,710 --> 00:39:12,199 you've loaded those basic 1084 00:39:12,200 --> 00:39:14,389 elements is you integrate 1085 00:39:14,390 --> 00:39:16,669 somehow your parameters into the initial 1086 00:39:16,670 --> 00:39:19,009 state, because you want to make sure, 1087 00:39:19,010 --> 00:39:21,229 you already saw that NORX 1088 00:39:21,230 --> 00:39:24,019 is a huge family of ciphers, 1089 00:39:24,020 --> 00:39:26,689 and you want to make sure that 1090 00:39:26,690 --> 00:39:28,879 each instance of 1091 00:39:28,880 --> 00:39:31,099 the family produces a unique 1092 00:39:31,100 --> 00:39:32,149 keystream. 1093 00:39:32,150 --> 00:39:34,429 And for this, we use the parameters 1094 00:39:34,430 --> 00:39:37,429 and integrate them 1095 00:39:37,430 --> 00:39:38,689 into the first state.
1096 00:39:38,690 --> 00:39:40,309 Because afterwards, when we transform 1097 00:39:40,310 --> 00:39:42,679 the state, we ensure this way 1098 00:39:43,850 --> 00:39:46,399 that the keystream that is produced 1099 00:39:46,400 --> 00:39:48,559 afterwards is really unique. 1100 00:39:48,560 --> 00:39:51,239 And the final step in the 1101 00:39:51,240 --> 00:39:54,049 initialization is just you apply 1102 00:39:54,050 --> 00:39:56,269 the round permutation, 1103 00:39:56,270 --> 00:39:57,379 F to the power of R. 1104 00:39:57,380 --> 00:39:59,899 This means just apply 1105 00:39:59,900 --> 00:40:01,729 the function F R times, 1106 00:40:01,730 --> 00:40:04,219 OK, this is the notation for that, 1107 00:40:04,220 --> 00:40:06,349 to the initial state, and you get a 1108 00:40:06,350 --> 00:40:08,580 new updated state here again. 1109 00:40:10,070 --> 00:40:12,379 So this was the first 1110 00:40:12,380 --> 00:40:14,029 version of initialization. 1111 00:40:14,030 --> 00:40:16,099 But you see here this parameter 1112 00:40:16,100 --> 00:40:18,649 integration is a little bit 1113 00:40:18,650 --> 00:40:19,819 of a mess. 1114 00:40:19,820 --> 00:40:21,919 So we decided to make it much 1115 00:40:21,920 --> 00:40:24,589 easier, and now we integrate 1116 00:40:24,590 --> 00:40:26,689 the parameters just on the 1117 00:40:26,690 --> 00:40:29,449 lower row of the matrix. 1118 00:40:29,450 --> 00:40:31,699 So this is basically the same, but 1119 00:40:31,700 --> 00:40:33,919 the parameters now get integrated 1120 00:40:33,920 --> 00:40:35,329 into the initial state 1121 00:40:35,330 --> 00:40:37,489 in another way. And 1122 00:40:37,490 --> 00:40:39,679 again, the final 1123 00:40:39,680 --> 00:40:40,729 step is also here: 1124 00:40:40,730 --> 00:40:43,489 apply the round permutation. 1125 00:40:43,490 --> 00:40:45,019 So that's it. 1126 00:40:45,020 --> 00:40:46,759 That's initialization.
1127 00:40:46,760 --> 00:40:49,009 The next part is absorbing header or 1128 00:40:49,010 --> 00:40:51,679 trailer data. So usually 1129 00:40:51,680 --> 00:40:53,449 authenticated encryption schemes 1130 00:40:53,450 --> 00:40:55,669 support additional data, 1131 00:40:55,670 --> 00:40:58,069 and additional data here means usually 1132 00:40:58,070 --> 00:40:59,449 they support header data, 1133 00:40:59,450 --> 00:41:01,939 which you usually process before 1134 00:41:01,940 --> 00:41:04,129 you process your ciphertext, 1135 00:41:04,130 --> 00:41:06,469 your plaintext, sorry. But 1136 00:41:06,470 --> 00:41:08,599 in some protocols it's also useful to 1137 00:41:08,600 --> 00:41:10,669 have also a trailer, which you 1138 00:41:10,670 --> 00:41:13,219 can somehow process 1139 00:41:13,220 --> 00:41:15,109 after your plaintext. 1140 00:41:15,110 --> 00:41:17,359 And NORX has these two phases, 1141 00:41:17,360 --> 00:41:18,979 first for the header and then for the 1142 00:41:18,980 --> 00:41:21,169 trailer, again in the red squares, 1143 00:41:21,170 --> 00:41:23,569 which basically work exactly 1144 00:41:23,570 --> 00:41:24,570 identically 1145 00:41:26,000 --> 00:41:28,129 except for a small constant, 1146 00:41:28,130 --> 00:41:29,929 which is called the domain separation 1147 00:41:29,930 --> 00:41:30,919 constant. 1148 00:41:30,920 --> 00:41:33,079 So the domain separation constant, 1149 00:41:33,080 --> 00:41:35,749 which is here 01 or 04 1150 00:41:35,750 --> 00:41:38,089 in hex, just says, 1151 00:41:38,090 --> 00:41:39,290 OK, now I produce, 1152 00:41:40,850 --> 00:41:42,919 now I absorb header data, which is the 1153 00:41:42,920 --> 00:41:45,469 01, or I 1154 00:41:45,470 --> 00:41:47,629 absorb trailer data, which is the 1155 00:41:47,630 --> 00:41:48,630 04.
1156 00:41:49,820 --> 00:41:52,219 So after you have absorbed the 1157 00:41:52,220 --> 00:41:54,109 domain separation constant, you again 1158 00:41:54,110 --> 00:41:55,939 apply your round permutation. 1159 00:41:55,940 --> 00:41:57,439 This is the middle part. 1160 00:41:57,440 --> 00:41:59,689 And then finally you take your 1161 00:41:59,690 --> 00:42:01,099 header or trailer block, 1162 00:42:01,100 --> 00:42:03,209 this is here the yellow part, and 1163 00:42:03,210 --> 00:42:05,419 XOR it onto the blue part. 1164 00:42:05,420 --> 00:42:07,819 And what you get is the orange part. 1165 00:42:07,820 --> 00:42:10,099 And here you already see the important 1166 00:42:10,100 --> 00:42:12,319 thing is that the green part is not 1167 00:42:12,320 --> 00:42:14,600 touched by the data processing. 1168 00:42:16,340 --> 00:42:18,260 And that's it for header and trailer. 1169 00:42:21,290 --> 00:42:23,709 How to encrypt payload is 1170 00:42:23,710 --> 00:42:25,790 in the middle here. 1171 00:42:27,020 --> 00:42:29,269 This is basically, again, very 1172 00:42:29,270 --> 00:42:31,249 similar to absorbing header and trailer 1173 00:42:31,250 --> 00:42:33,479 data. But now the domain 1174 00:42:33,480 --> 00:42:35,679 separation constant changes to 1175 00:42:35,680 --> 00:42:37,759 02. 1176 00:42:37,760 --> 00:42:39,439 Then you apply again the round 1177 00:42:39,440 --> 00:42:41,519 permutation, absorb 1178 00:42:41,520 --> 00:42:42,439 your data. 1179 00:42:42,440 --> 00:42:44,569 Again, here, the message is now 1180 00:42:44,570 --> 00:42:45,619 the yellow part. 1181 00:42:45,620 --> 00:42:47,899 But what you also do is now you extract 1182 00:42:47,900 --> 00:42:50,029 your data, which is now the red part. 1183 00:42:50,030 --> 00:42:52,129 And this red part 1184 00:42:52,130 --> 00:42:54,469 is the new ciphertext block, 1185 00:42:54,470 --> 00:42:55,470 and that's it.
1186 00:42:57,020 --> 00:42:59,269 And the final 1187 00:42:59,270 --> 00:43:01,549 step in your 1188 00:43:01,550 --> 00:43:03,619 data processing is to generate the 1189 00:43:03,620 --> 00:43:04,999 authentication tag. 1190 00:43:05,000 --> 00:43:06,980 This is here the last phase. 1191 00:43:08,300 --> 00:43:10,459 And again, you XOR in 1192 00:43:10,460 --> 00:43:12,589 a domain separation constant, then 1193 00:43:12,590 --> 00:43:14,869 you apply the round permutation twice 1194 00:43:14,870 --> 00:43:16,969 and extract a part of your 1195 00:43:16,970 --> 00:43:19,519 state, which is again in this red part 1196 00:43:19,520 --> 00:43:21,769 or in the green-blue 1197 00:43:21,770 --> 00:43:23,089 part that I showed you before. 1198 00:43:23,090 --> 00:43:24,949 And this is the tag here. 1199 00:43:24,950 --> 00:43:27,349 We usually use the first four words 1200 00:43:27,350 --> 00:43:29,119 of our state as the tag. 1201 00:43:31,990 --> 00:43:34,389 So now you somehow 1202 00:43:34,390 --> 00:43:36,459 got a feeling how the 1203 00:43:36,460 --> 00:43:38,799 mode itself works, but what I haven't 1204 00:43:38,800 --> 00:43:40,959 said yet is how does the permutation 1205 00:43:40,960 --> 00:43:43,119 work, the F to the power of R, and 1206 00:43:43,120 --> 00:43:45,249 this basically transforms the 1207 00:43:45,250 --> 00:43:47,649 state. So one application of F transforms 1208 00:43:47,650 --> 00:43:49,419 the state in two steps. 1209 00:43:49,420 --> 00:43:50,379 First, a column step, 1210 00:43:50,380 --> 00:43:53,019 this is here on the left, 1211 00:43:53,020 --> 00:43:55,779 where you apply a function G 1212 00:43:55,780 --> 00:43:57,939 onto the columns, and then you 1213 00:43:57,940 --> 00:43:59,949 use the same function G afterwards to 1214 00:43:59,950 --> 00:44:02,380 apply to the diagonals.
1215 00:44:04,120 --> 00:44:06,429 So the G 1216 00:44:06,430 --> 00:44:08,619 function is the 1217 00:44:08,620 --> 00:44:10,719 real core of our algorithm, and 1218 00:44:10,720 --> 00:44:13,149 it just, as we said before, it's 1219 00:44:13,150 --> 00:44:15,369 not an ARX construction, where you 1220 00:44:15,370 --> 00:44:18,489 use logical bitwise operations. 1221 00:44:18,490 --> 00:44:20,679 And you see here the eight 1222 00:44:20,680 --> 00:44:23,019 steps that are done in one application 1223 00:44:23,020 --> 00:44:25,419 of G, and you see the H is 1224 00:44:25,420 --> 00:44:28,179 in some sense the nonlinear function, 1225 00:44:28,180 --> 00:44:30,249 then the green one, the 1226 00:44:30,250 --> 00:44:31,059 ROT, 1227 00:44:31,060 --> 00:44:33,189 there is a rotation, 1228 00:44:33,190 --> 00:44:34,399 right. 1229 00:44:34,400 --> 00:44:36,099 You can see it here on the bottom where 1230 00:44:36,100 --> 00:44:38,289 you just rotate your 1231 00:44:38,290 --> 00:44:40,719 word to the right by a constant 1232 00:44:40,720 --> 00:44:41,829 R0. 1233 00:44:41,830 --> 00:44:43,719 Then you do again the nonlinear 1234 00:44:43,720 --> 00:44:45,819 operation, a rotation, nonlinear 1235 00:44:45,820 --> 00:44:47,349 operation, rotation and so on and so 1236 00:44:47,350 --> 00:44:49,689 forth. And the only thing that differs 1237 00:44:49,690 --> 00:44:52,149 here is that you use four 1238 00:44:52,150 --> 00:44:54,249 different rotation operations, four 1239 00:44:54,250 --> 00:44:55,809 different rotation offsets. 1240 00:44:55,810 --> 00:44:58,239 OK, here, the red ones, 1241 00:44:58,240 --> 00:45:00,489 and depending on the word 1242 00:45:00,490 --> 00:45:01,699 size, they also differ. 1243 00:45:01,700 --> 00:45:03,819 So for 32-bit, it's eleven, sixteen, 1244 00:45:03,820 --> 00:45:05,079 thirty-one and four. 1245 00:45:05,080 --> 00:45:06,159 For 64-bit, it's eight, 1246 00:45:06,160 --> 00:45:07,659 nineteen, forty, sixty-three.
1247 00:45:08,710 --> 00:45:10,239 And that's it basically. 1248 00:45:10,240 --> 00:45:12,519 And here the H 1249 00:45:12,520 --> 00:45:13,239 function, 1250 00:45:13,240 --> 00:45:15,099 this is the function that replaces 1251 00:45:15,100 --> 00:45:17,319 integer addition, OK, just to be clear 1252 00:45:17,320 --> 00:45:18,320 here. 1253 00:45:20,290 --> 00:45:22,629 So as we also already 1254 00:45:22,630 --> 00:45:24,729 mentioned, the properties 1255 00:45:24,730 --> 00:45:27,009 of these permutations, they were inspired 1256 00:45:27,010 --> 00:45:29,329 by BLAKE2 and the ChaCha cipher. 1257 00:45:30,550 --> 00:45:32,619 And as I also said, 1258 00:45:32,620 --> 00:45:34,689 the H replaces 1259 00:45:34,690 --> 00:45:36,909 integer addition and, 1260 00:45:36,910 --> 00:45:39,219 in fact, it's almost an integer 1261 00:45:39,220 --> 00:45:41,349 addition. So a funny story here 1262 00:45:41,350 --> 00:45:44,079 is when we designed this permutation, 1263 00:45:44,080 --> 00:45:46,149 this core permutation, we 1264 00:45:46,150 --> 00:45:48,429 went along and we 1265 00:45:48,430 --> 00:45:50,349 already knew we wanted to somehow replace 1266 00:45:50,350 --> 00:45:52,479 integer additions, but we didn't 1267 00:45:52,480 --> 00:45:53,799 know what to use. 1268 00:45:53,800 --> 00:45:56,259 So we used really, really many 1269 00:45:56,260 --> 00:45:58,239 bitwise logical operations and tried them 1270 00:45:58,240 --> 00:46:00,519 out on the cryptographic properties. 1271 00:46:00,520 --> 00:46:02,529 And at some point we were frustrated 1272 00:46:02,530 --> 00:46:04,599 because we couldn't find anything that 1273 00:46:04,600 --> 00:46:08,049 was really good for our purpose 1274 00:46:08,050 --> 00:46:09,759 until, I think it was Samuel, 1275 00:46:09,760 --> 00:46:12,069 he came up with this 1276 00:46:12,070 --> 00:46:14,259 H function, which is basically 1277 00:46:14,260 --> 00:46:16,479 an approximation of integer addition.
1278 00:46:16,480 --> 00:46:18,639 So what he did is he found in an 1279 00:46:18,640 --> 00:46:21,159 old notebook, he found 1280 00:46:21,160 --> 00:46:23,589 this equation for 1281 00:46:23,590 --> 00:46:24,789 integer addition. 1282 00:46:24,790 --> 00:46:27,039 And you see it's X XOR Y 1283 00:46:27,040 --> 00:46:29,139 plus, this is here again integer addition, 1284 00:46:29,140 --> 00:46:31,309 and then this part here, 1285 00:46:31,310 --> 00:46:33,109 the nonlinear part, and all that we did in 1286 00:46:33,110 --> 00:46:35,329 our function is just replace this 1287 00:46:35,330 --> 00:46:37,699 plus by an XOR, and 1288 00:46:37,700 --> 00:46:39,439 suddenly this also had very nice 1289 00:46:39,440 --> 00:46:40,759 cryptographic properties. 1290 00:46:40,760 --> 00:46:42,439 And so we went with this. 1291 00:46:45,060 --> 00:46:47,399 The nice thing is, as I 1292 00:46:47,400 --> 00:46:49,499 said, it is only bitwise operations, 1293 00:46:49,500 --> 00:46:51,299 you don't have to worry about 1294 00:46:51,300 --> 00:46:53,129 carries. You also don't have to worry 1295 00:46:53,130 --> 00:46:55,199 about lookups 1296 00:46:55,200 --> 00:46:56,789 in S-boxes. 1297 00:46:56,790 --> 00:46:59,009 It's easier 1298 00:46:59,010 --> 00:47:01,259 to get constant-time 1299 00:47:01,260 --> 00:47:02,309 operations out of this. 1300 00:47:02,310 --> 00:47:04,379 It's very hardware friendly and it's also 1301 00:47:04,380 --> 00:47:07,199 software friendly because of 1302 00:47:07,200 --> 00:47:08,879 the layout of the functions. 1303 00:47:08,880 --> 00:47:11,189 If you remember, you have four 1304 00:47:11,190 --> 00:47:12,899 parallel applications, each on the 1305 00:47:12,900 --> 00:47:14,969 columns and then on the diagonals, 1306 00:47:14,970 --> 00:47:17,069 which is very good for software.
1307 00:47:19,200 --> 00:47:21,389 So the great question, of 1308 00:47:21,390 --> 00:47:23,219 course, is, is NORX secure? 1309 00:47:24,600 --> 00:47:27,449 And here the main threat is 1310 00:47:27,450 --> 00:47:29,279 a technique called differential 1311 00:47:29,280 --> 00:47:30,419 cryptanalysis. 1312 00:47:30,420 --> 00:47:32,190 I won't go into the details here, 1313 00:47:33,810 --> 00:47:36,209 but it's basically the first 1314 00:47:36,210 --> 00:47:38,069 type of attack every cryptographic 1315 00:47:38,070 --> 00:47:41,369 primitive has to somehow 1316 00:47:41,370 --> 00:47:43,709 be resistant against. 1317 00:47:43,710 --> 00:47:46,319 And we did a lot of experiments 1318 00:47:46,320 --> 00:47:48,389 in our evaluation of the cryptographic 1319 00:47:48,390 --> 00:47:50,189 security of NORX. 1320 00:47:50,190 --> 00:47:52,529 And we found here 1321 00:47:52,530 --> 00:47:54,659 that for one round 1322 00:47:54,660 --> 00:47:56,129 there are characteristics which you 1323 00:47:56,130 --> 00:47:57,779 somehow can, 1324 00:47:57,780 --> 00:48:00,059 it's an analogy for these biases, 1325 00:48:00,060 --> 00:48:01,739 remember this RC4 picture where you 1326 00:48:01,740 --> 00:48:05,249 have these spikes, and basically 1327 00:48:05,250 --> 00:48:07,739 a characteristic is in some sense 1328 00:48:07,740 --> 00:48:08,739 one of those spikes. 1329 00:48:08,740 --> 00:48:11,039 OK, and in one round of NORX 1330 00:48:11,040 --> 00:48:13,139 only, those 1331 00:48:13,140 --> 00:48:15,659 biases appear with a probability 1332 00:48:15,660 --> 00:48:17,939 of greater than two to the power of minus 1333 00:48:17,940 --> 00:48:19,019 sixty-four 1334 00:48:19,020 --> 00:48:21,539 in the 32-bit version 1335 00:48:21,540 --> 00:48:23,639 and with a probability of 1336 00:48:23,640 --> 00:48:25,769 greater than two to the 1337 00:48:25,770 --> 00:48:28,169 power of minus or three in the 64- 1338 00:48:28,170 --> 00:48:29,369 bit version.
So there are no 1339 00:48:29,370 --> 00:48:31,109 characteristics that have a higher 1340 00:48:31,110 --> 00:48:32,879 probability than this. 1341 00:48:32,880 --> 00:48:35,159 And in four rounds 1342 00:48:35,160 --> 00:48:37,559 we found characteristics that are even 1343 00:48:37,560 --> 00:48:40,229 more insane, which have a probability 1344 00:48:40,230 --> 00:48:42,329 of two to the power of minus five hundred 1345 00:48:42,330 --> 00:48:44,549 eighty-four in the 1346 00:48:44,550 --> 00:48:46,679 32-bit version and a probability of 1347 00:48:46,680 --> 00:48:48,329 two to the power of minus eight hundred 1348 00:48:48,330 --> 00:48:50,489 something, which is really, you 1349 00:48:50,490 --> 00:48:52,259 cannot exploit that. 1350 00:48:52,260 --> 00:48:54,479 And what I also want to mention here 1351 00:48:54,480 --> 00:48:56,669 is that in order to 1352 00:48:56,670 --> 00:48:58,859 find an attack on NORX, you 1353 00:48:58,860 --> 00:49:01,019 somehow have to get through 1354 00:49:01,020 --> 00:49:04,139 the initialization, and 1355 00:49:04,140 --> 00:49:06,299 the initialization here uses at 1356 00:49:06,300 --> 00:49:08,519 least eight rounds, and we already saw 1357 00:49:08,520 --> 00:49:10,589 that already for four rounds 1358 00:49:10,590 --> 00:49:12,749 the probabilities of those 1359 00:49:12,750 --> 00:49:14,199 biases are really, really low. 1360 00:49:14,200 --> 00:49:16,229 So we are somewhat confident that it's 1361 00:49:16,230 --> 00:49:18,719 really hard to find good characteristics 1362 00:49:18,720 --> 00:49:21,659 or differentials in the initialization.
1363 00:49:21,660 --> 00:49:22,710 And also, 1364 00:49:24,300 --> 00:49:27,029 kind of recent results there are, 1365 00:49:27,030 --> 00:49:29,099 where we found out that 1366 00:49:29,100 --> 00:49:31,319 the parameter choices that we had 1367 00:49:31,320 --> 00:49:33,599 were very conservative, and we 1368 00:49:33,600 --> 00:49:35,729 even could trade some of those 1369 00:49:35,730 --> 00:49:38,249 capacity words, the security words, 1370 00:49:38,250 --> 00:49:40,889 to get some rate words, 1371 00:49:40,890 --> 00:49:42,329 to get a 60 percent speedup. 1372 00:49:42,330 --> 00:49:44,579 So this is also 1373 00:49:44,580 --> 00:49:46,829 included in the security margin 1374 00:49:46,830 --> 00:49:47,830 of NORX. 1375 00:49:49,940 --> 00:49:51,949 All right, so less than 10 minutes left 1376 00:49:51,950 --> 00:49:54,169 before concluding. Michael must 1377 00:49:54,170 --> 00:49:55,699 have a very boring assignment. 1378 00:49:55,700 --> 00:49:56,700 My daughter is asleep. 1379 00:49:58,520 --> 00:50:00,259 I'm sorry. I must have bored everyone 1380 00:50:00,260 --> 00:50:03,169 in there. But amazing. 1381 00:50:03,170 --> 00:50:05,689 Very quickly, performance 1382 00:50:05,690 --> 00:50:07,759 on x86-64 1383 00:50:07,760 --> 00:50:09,919 with AVX2 is as 1384 00:50:09,920 --> 00:50:11,989 fast as five hundred and ninety 1385 00:50:11,990 --> 00:50:13,699 three megabytes per second. 1386 00:50:13,700 --> 00:50:15,979 So, then, more than one 1387 00:50:15,980 --> 00:50:17,479 gigabyte per second. 1388 00:50:17,480 --> 00:50:19,789 You have the clock cycle figures here 1389 00:50:19,790 --> 00:50:21,829 for the optimized implementations, 1390 00:50:21,830 --> 00:50:24,169 which means the ones that use 1391 00:50:24,170 --> 00:50:26,359 the AVX2 instruction extensions 1392 00:50:26,360 --> 00:50:27,979 or intrinsics.
1393 00:50:27,980 --> 00:50:30,109 What is great with NORX is the 1394 00:50:30,110 --> 00:50:33,499 reference code. So the simple, portable, 1395 00:50:33,500 --> 00:50:35,869 easy to read reference code is not 1396 00:50:35,870 --> 00:50:37,789 much slower than the optimized one. On the 1397 00:50:37,790 --> 00:50:39,499 first case, on the left side, it's about 1398 00:50:39,500 --> 00:50:41,659 50 percent slower, and about 80 percent 1399 00:50:41,660 --> 00:50:43,819 slower on the AVX2, the Haswell 1400 00:50:43,820 --> 00:50:44,820 machine. 1401 00:50:45,380 --> 00:50:47,809 Yes, it's very different. 1402 00:50:47,810 --> 00:50:49,249 So on ARM platforms. 1403 00:50:49,250 --> 00:50:51,379 So on the A8, which is 1404 00:50:51,380 --> 00:50:53,749 an ARMv7 architecture CPU, 1405 00:50:53,750 --> 00:50:56,179 it's about one hundred megabytes. 1406 00:50:56,180 --> 00:50:58,279 So the frequency is just one 1407 00:50:58,280 --> 00:51:00,589 gig. It uses the NEON 1408 00:51:00,590 --> 00:51:03,079 extension. 1409 00:51:03,080 --> 00:51:04,739 What is surprising here is if you look at 1410 00:51:04,740 --> 00:51:06,889 the A7 from Apple, 1411 00:51:06,890 --> 00:51:10,309 the ARMv8 architecture, 1412 00:51:10,310 --> 00:51:12,139 the fastest code is not the NEON code, it's 1413 00:51:12,140 --> 00:51:13,489 the reference code. 1414 00:51:13,490 --> 00:51:15,859 Why? Because they have four parallel 1415 00:51:15,860 --> 00:51:18,109 integer arithmetic units, 1416 00:51:18,110 --> 00:51:20,209 and this makes the code a little 1417 00:51:20,210 --> 00:51:22,039 bit faster than the NEON code. 1418 00:51:23,090 --> 00:51:25,279 So how does NORX compare 1419 00:51:25,280 --> 00:51:28,219 to the other CAESAR 1420 00:51:28,220 --> 00:51:29,239 candidates?
1421 00:51:29,240 --> 00:51:31,339 So each column here is a 1422 00:51:31,340 --> 00:51:33,409 machine, a different CPU, 1423 00:51:33,410 --> 00:51:35,539 and the colored boxes 1424 00:51:35,540 --> 00:51:37,369 are NORX instances. 1425 00:51:37,370 --> 00:51:39,469 So you see that in many cases NORX is on 1426 00:51:39,470 --> 00:51:41,629 the top, in a couple of cases 1427 00:51:41,630 --> 00:51:43,579 NORX is in the middle. 1428 00:51:43,580 --> 00:51:45,829 So these are the machines that have AES 1429 00:51:45,830 --> 00:51:48,199 instructions, and basically 1430 00:51:48,200 --> 00:51:50,569 those are much faster than us. 1431 00:51:50,570 --> 00:51:53,569 But so NORX is not only very fast 1432 00:51:53,570 --> 00:51:54,799 compared to the others where you don't 1433 00:51:54,800 --> 00:51:56,929 have AES instructions, it's 1434 00:51:56,930 --> 00:51:58,939 also the fastest sponge-based scheme. 1435 00:51:58,940 --> 00:52:01,009 It's even faster than the submissions 1436 00:52:01,010 --> 00:52:03,139 that are based on Keccak in most 1437 00:52:03,140 --> 00:52:04,399 cases. 1438 00:52:04,400 --> 00:52:06,079 And like I said, the reference code is 1439 00:52:06,080 --> 00:52:08,779 about as fast as the optimized one. 1440 00:52:08,780 --> 00:52:10,489 If you compare to AES-GCM that I 1441 00:52:10,490 --> 00:52:12,979 mentioned before, AES-GCM 1442 00:52:12,980 --> 00:52:15,109 reference code versus optimized code 1443 00:52:15,110 --> 00:52:16,669 and NORX reference code versus optimized, 1444 00:52:16,670 --> 00:52:18,919 so in some cases our reference 1445 00:52:18,920 --> 00:52:20,989 code is even faster 1446 00:52:20,990 --> 00:52:22,429 than the optimized 1447 00:52:22,430 --> 00:52:23,430 AES-GCM. 1448 00:52:24,470 --> 00:52:26,539 We did the same kind of comparison, 1449 00:52:26,540 --> 00:52:29,059 something similar, on 1450 00:52:29,060 --> 00:52:31,819 platforms from different regions.
1451 00:52:31,820 --> 00:52:33,799 So we see that for AES you have to 1452 00:52:33,800 --> 00:52:34,699 work hard, 1453 00:52:34,700 --> 00:52:37,819 write assembly, use hardware accelerators. 1454 00:52:37,820 --> 00:52:39,919 In NORX you can take the portable, easy 1455 00:52:39,920 --> 00:52:41,839 to read code, and you get competitive 1456 00:52:41,840 --> 00:52:42,840 speed. 1457 00:52:43,610 --> 00:52:45,499 We have another implementation. 1458 00:52:45,500 --> 00:52:47,929 So not just a simulation 1459 00:52:47,930 --> 00:52:50,599 in software but an actual chip 1460 00:52:50,600 --> 00:52:52,459 that was made by our friends from ETH. 1461 00:52:52,460 --> 00:52:54,289 So thank you for our connection. 1462 00:52:54,290 --> 00:52:56,689 And ETH students, 1463 00:52:56,690 --> 00:52:58,999 it's been done on 1464 00:52:59,000 --> 00:53:00,949 a, um, see nanometer 1465 00:53:02,030 --> 00:53:04,279 chip, and NORX, 1466 00:53:04,280 --> 00:53:05,929 it goes up to about one hundred twenty- 1467 00:53:05,930 --> 00:53:07,729 five megahertz, and the area is 1468 00:53:07,730 --> 00:53:10,069 approximately sixty, sixty-eight, 1469 00:53:10,070 --> 00:53:11,510 which is good. 1470 00:53:12,560 --> 00:53:14,619 And what is 1471 00:53:14,620 --> 00:53:15,619 this performance figure? 1472 00:53:15,620 --> 00:53:17,749 It reaches a throughput of 1473 00:53:17,750 --> 00:53:20,269 ten gigabits per second, 1474 00:53:20,270 --> 00:53:22,549 which is much more than you need in any 1475 00:53:22,550 --> 00:53:23,550 application. 1476 00:53:24,380 --> 00:53:26,239 It's time to conclude. 1477 00:53:26,240 --> 00:53:28,499 So first, maybe if you've 1478 00:53:28,500 --> 00:53:30,319 slept through all the talk, you may want to 1479 00:53:30,320 --> 00:53:32,479 remember that CAESAR is a new crypto 1480 00:53:32,480 --> 00:53:34,939 competition that started this year 1481 00:53:34,940 --> 00:53:37,699 and will end in seventeen.
1482 00:53:37,700 --> 00:53:39,499 It's about authenticated encryption, or 1483 00:53:39,500 --> 00:53:42,109 dedicated ciphers, and 1484 00:53:42,110 --> 00:53:44,479 there's been fifty-seven submissions. 1485 00:53:44,480 --> 00:53:46,369 So in a few weeks 1486 00:53:47,720 --> 00:53:50,479 they will publish 1487 00:53:50,480 --> 00:53:52,679 the second round selection. 1488 00:53:52,680 --> 00:53:53,689 So I don't know how many will be 1489 00:53:53,690 --> 00:53:56,749 selected, but it will be interesting. 1490 00:53:56,750 --> 00:53:58,339 You can go to the official webpage, 1491 00:53:58,340 --> 00:54:00,649 to the non-official web pages and 1492 00:54:00,650 --> 00:54:02,599 some personal blogs. 1493 00:54:02,600 --> 00:54:04,639 There is another competition, called 1494 00:54:04,640 --> 00:54:06,829 PHC, about hashing, with the URL 1495 00:54:06,830 --> 00:54:07,830 here. 1496 00:54:08,240 --> 00:54:10,369 Finally, NORX. 1497 00:54:10,370 --> 00:54:12,739 So it's a candidate in the 1498 00:54:12,740 --> 00:54:14,119 competition I mentioned before. 1499 00:54:16,130 --> 00:54:17,449 The main points about NORX: 1500 00:54:17,450 --> 00:54:19,069 it's quite innovative. 1501 00:54:19,070 --> 00:54:21,439 It's ARX in a different way. 1502 00:54:21,440 --> 00:54:23,599 It's parallelizable, it was the 1503 00:54:23,600 --> 00:54:25,159 first one parallelizable. 1504 00:54:25,160 --> 00:54:27,289 We tried to minimize side channels 1505 00:54:27,290 --> 00:54:28,609 and leaks. 1506 00:54:28,610 --> 00:54:29,989 We don't need you to have AES 1507 00:54:29,990 --> 00:54:31,189 instructions. 1508 00:54:31,190 --> 00:54:33,559 Obviously, if you don't trust 1509 00:54:33,560 --> 00:54:35,899 NSA, using this as a backdoor, 1510 00:54:35,900 --> 00:54:38,539 AES, in some way, then 1511 00:54:38,540 --> 00:54:40,399 we don't use AES. 1512 00:54:40,400 --> 00:54:42,679 It's straightforward to implement.
1513 00:54:42,680 --> 00:54:44,899 I think that I asked Philipp when we 1514 00:54:44,900 --> 00:54:46,799 needed a better implementation, and in 1515 00:54:46,800 --> 00:54:48,689 a couple of hours he got them 1516 00:54:48,690 --> 00:54:51,059 working. We have a website 1517 00:54:51,060 --> 00:54:53,189 now, and we 1518 00:54:53,190 --> 00:54:55,289 have code available in C, C++, Go, 1519 00:54:55,290 --> 00:54:56,639 Python and Rust. 1520 00:54:56,640 --> 00:54:58,659 It's completely free to use. 1521 00:54:58,660 --> 00:55:00,539 I don't recommend you to use it, but if 1522 00:55:00,540 --> 00:55:02,249 you want to use it, it's free. 1523 00:55:02,250 --> 00:55:03,299 There is no patent, no patent 1524 00:55:03,300 --> 00:55:04,259 application. 1525 00:55:04,260 --> 00:55:06,419 And our reference code is under a CC0 1526 00:55:06,420 --> 00:55:08,399 license, which essentially means do 1527 00:55:08,400 --> 00:55:10,099 whatever you want with it. 1528 00:55:11,340 --> 00:55:13,769 One very last thing. 1529 00:55:13,770 --> 00:55:16,079 So we maybe will convince you that NORX 1530 00:55:16,080 --> 00:55:18,479 is the greatest cipher on earth, but 1531 00:55:18,480 --> 00:55:19,709 we wouldn't recommend you to use it, 1532 00:55:19,710 --> 00:55:21,809 because we only published it this year. 1533 00:55:21,810 --> 00:55:23,889 It takes time to gain confidence in a 1534 00:55:23,890 --> 00:55:26,049 cipher, or maybe it will be broken next week. 1535 00:55:26,050 --> 00:55:27,299 I don't know. 1536 00:55:27,300 --> 00:55:29,489 We're pretty confident, but really we 1537 00:55:29,490 --> 00:55:31,589 need to do it 1538 00:55:31,590 --> 00:55:34,369 a couple of months or years before 1539 00:55:34,370 --> 00:55:36,659 it's being used in very sensitive 1540 00:55:36,660 --> 00:55:37,660 applications. 1541 00:55:38,460 --> 00:55:40,509 So at least for now. 1542 00:55:40,510 --> 00:55:42,029 OK, so thank you very much. 1543 00:55:42,030 --> 00:55:43,030 Happy done some.
1544 00:55:48,070 --> 00:55:50,349 OK, so, Allan, thanks so far 1545 00:55:50,350 --> 00:55:52,509 to the speakers. We have 1546 00:55:52,510 --> 00:55:54,819 a few, maybe five minutes 1547 00:55:54,820 --> 00:55:55,749 left for questions. 1548 00:55:55,750 --> 00:55:57,369 So if you have a question, 1549 00:55:57,370 --> 00:55:59,079 just quickly line up at one of the 1550 00:55:59,080 --> 00:56:01,269 microphones and please be precise 1551 00:56:01,270 --> 00:56:02,229 and short. 1552 00:56:02,230 --> 00:56:03,550 So we'll just start with you. 1553 00:56:05,610 --> 00:56:07,299 I go, yeah. 1554 00:56:07,300 --> 00:56:08,819 Is it working? Yeah. 1555 00:56:08,820 --> 00:56:10,809 So I was just looking at your AVX versus 1556 00:56:10,810 --> 00:56:11,709 AVX2, 1557 00:56:11,710 --> 00:56:13,899 uh, uh, difference there. 1558 00:56:13,900 --> 00:56:15,419 And I'm just, sorry to interrupt. 1559 00:56:15,420 --> 00:56:17,559 If you're leaving the room, please 1560 00:56:17,560 --> 00:56:20,109 be quiet and maybe just stay for the last 1561 00:56:20,110 --> 00:56:22,119 four remaining minutes so we can have a 1562 00:56:22,120 --> 00:56:23,800 quiet Q&A session, please. 1563 00:56:25,570 --> 00:56:27,429 Yes, I was just looking at your AVX 1564 00:56:27,430 --> 00:56:30,099 versus AVX2, uh, implementation. 1565 00:56:30,100 --> 00:56:32,619 And the other day, I was struggling 1566 00:56:32,620 --> 00:56:34,059 with, I think, the same problem that you 1567 00:56:34,060 --> 00:56:35,619 were having, that the interviewer is not 1568 00:56:35,620 --> 00:56:37,839 the maybe X, which is completely dumb, 1569 00:56:37,840 --> 00:56:39,229 as we all know. 1570 00:56:39,230 --> 00:56:41,559 Um, but so I was doing 1571 00:56:41,560 --> 00:56:43,959 a bitslicing of a cipher that shall 1572 00:56:43,960 --> 00:56:44,960 remain 1573 00:56:46,140 --> 00:56:47,859 unmentioned.
1574 00:56:47,860 --> 00:56:50,019 But I realized 1575 00:56:50,020 --> 00:56:52,299 that actually AVX original and AVX 1576 00:56:52,300 --> 00:56:54,909 one has X or not. 1577 00:56:54,910 --> 00:56:57,009 And so basically everything I need, 1578 00:56:57,010 --> 00:56:58,989 and I'm wondering why you don't have 1579 00:56:58,990 --> 00:57:01,269 that. So basically X2 1580 00:57:01,270 --> 00:57:03,159 is like maybe one, if all you need is 1581 00:57:03,160 --> 00:57:04,599 X or not. 1582 00:57:04,600 --> 00:57:04,989 Yeah. 1583 00:57:04,990 --> 00:57:07,119 And and or, when 1584 00:57:07,120 --> 00:57:08,709 you're that extra would eventually come 1585 00:57:08,710 --> 00:57:10,149 out and when. 1586 00:57:10,150 --> 00:57:12,069 Well, if NORX happens to be selected 1587 00:57:13,660 --> 00:57:15,729 in the suppose we'll have to, on top 1588 00:57:15,730 --> 00:57:18,039 of X, they didn't make much sense 1589 00:57:18,040 --> 00:57:20,079 to, uh, to optimize for a voice which has a 1590 00:57:20,080 --> 00:57:22,209 much more suited, I mean I 1591 00:57:22,210 --> 00:57:24,349 actually, it's just a shit, I'll send you. 1592 00:57:24,350 --> 00:57:26,209 It's a, it's a header file and basically 1593 00:57:26,210 --> 00:57:28,329 just use the AVX OK one as 1594 00:57:28,330 --> 00:57:30,319 if it was OK. 1595 00:57:30,320 --> 00:57:31,320 OK, 1596 00:57:32,710 --> 00:57:33,069 OK. 1597 00:57:33,070 --> 00:57:34,959 So we'll do a quick question from the 1598 00:57:34,960 --> 00:57:36,339 IRC. We have one 1599 00:57:37,600 --> 00:57:38,619 because they can't ask it in 1600 00:57:38,620 --> 00:57:39,969 person. Just go ahead. 1601 00:57:48,400 --> 00:57:49,400 No question. 1602 00:57:50,550 --> 00:57:51,550 Yeah, it's all 1603 00:57:53,020 --> 00:57:54,020 you.
1604 00:57:56,160 --> 00:57:57,689 I would be happy to take questions 1605 00:57:57,690 --> 00:58:00,389 offline anyway, so, yes, you can also 1606 00:58:00,390 --> 00:58:02,549 send us emails or via 1607 00:58:02,550 --> 00:58:04,079 Twitter or wherever you want 1608 00:58:09,990 --> 00:58:10,990 to. 1609 00:58:13,530 --> 00:58:16,229 The microphone is working, just OK. 1610 00:58:16,230 --> 00:58:18,389 Let's just put it a little bit closer 1611 00:58:18,390 --> 00:58:19,499 to your mouth, please. 1612 00:58:23,130 --> 00:58:25,319 How many of these outside your team 1613 00:58:25,320 --> 00:58:27,599 have analyzed NORX for vulnerabilities? 1614 00:58:28,800 --> 00:58:29,869 How many? 1615 00:58:29,870 --> 00:58:31,629 Well, we only know the ones who publish 1616 00:58:31,630 --> 00:58:32,630 something. 1617 00:58:33,120 --> 00:58:35,099 We don't know the ones who did not find 1618 00:58:35,100 --> 00:58:35,849 anything. 1619 00:58:35,850 --> 00:58:38,069 But there's been, there 1620 00:58:38,070 --> 00:58:40,349 was one work that we also 1621 00:58:40,350 --> 00:58:42,869 did together with some people from, uh, 1622 00:58:42,870 --> 00:58:45,689 from London, from, uh, and 1623 00:58:45,690 --> 00:58:47,759 where we basically showed what I 1624 00:58:47,760 --> 00:58:50,369 meant before, that the parameters 1625 00:58:50,370 --> 00:58:53,519 are chosen very, uh, 1626 00:58:53,520 --> 00:58:55,799 uh, so that you can get a 60 1627 00:58:55,800 --> 00:58:58,399 percent speed-up by trading this capacity 1628 00:58:58,400 --> 00:59:01,199 versus, uh, rightwards. 1629 00:59:01,200 --> 00:59:03,809 And this was basically done with 1630 00:59:03,810 --> 00:59:05,969 some people from somewhere where we 1631 00:59:05,970 --> 00:59:08,159 showed also security proofs for the mode 1632 00:59:08,160 --> 00:59:09,749 and so on and so forth.
1633 00:59:09,750 --> 00:59:12,599 I mean, targeted, uh, cryptanalysis 1634 00:59:12,600 --> 00:59:14,879 was not done yet, at least not 1635 00:59:14,880 --> 00:59:17,129 that we know of. Maybe 1636 00:59:17,130 --> 00:59:18,999 something is coming out in the next weeks. 1637 00:59:19,000 --> 00:59:21,359 Uh, so basically the results 1638 00:59:21,360 --> 00:59:23,429 that we showed until now were 1639 00:59:23,430 --> 00:59:24,539 our own. 1640 00:59:24,540 --> 00:59:25,259 Yeah, that's it. 1641 00:59:25,260 --> 00:59:27,419 Basically, just, 1642 00:59:27,420 --> 00:59:29,729 so my question is, 1643 00:59:29,730 --> 00:59:31,929 what is the failure mode of NORX if you 1644 00:59:31,930 --> 00:59:34,259 reuse key and IV, 1645 00:59:34,260 --> 00:59:36,389 so you can keep the same, 1646 00:59:36,390 --> 00:59:38,609 different plaintexts with the same 1647 00:59:38,610 --> 00:59:39,610 key and IV, 1648 00:59:40,830 --> 00:59:41,759 you know? 1649 00:59:41,760 --> 00:59:44,089 Well, if you reuse the 1650 00:59:44,090 --> 00:59:46,619 same IV, uh, you 1651 00:59:46,620 --> 00:59:48,059 don't recover the key. 1652 00:59:48,060 --> 00:59:50,249 But if you have two 1653 00:59:50,250 --> 00:59:51,779 different messages with the 1654 00:59:51,780 --> 00:59:53,939 same prefix, then you will be 1655 00:59:53,940 --> 00:59:55,409 able to figure out that you have the 1656 00:59:55,410 --> 00:59:56,430 same prefix. 1657 00:59:57,580 --> 01:00:00,039 So it's a big security issue. 1658 01:00:00,040 --> 01:00:01,799 It doesn't compromise the cipher. 1659 01:00:01,800 --> 01:00:03,899 We try to minimize the compromise. 1660 01:00:03,900 --> 01:00:04,900 But, uh, 1661 01:00:06,370 --> 01:00:08,609 so what you basically get is you 1662 01:00:08,610 --> 01:00:10,799 can XOR the ciphertext 1663 01:00:10,800 --> 01:00:13,289 blocks and you get basically the 1664 01:00:13,290 --> 01:00:14,729 XOR of the plaintext blocks.
1665 01:00:14,730 --> 01:00:16,979 That's what's happening when you, 1666 01:00:16,980 --> 01:00:19,229 uh, when you reuse key 1667 01:00:19,230 --> 01:00:22,049 and IV for two different messages. 1668 01:00:22,050 --> 01:00:23,939 So the failure mode is almost the same as 1669 01:00:23,940 --> 01:00:25,979 in counter mode. 1670 01:00:25,980 --> 01:00:26,980 Yeah. 1671 01:00:27,420 --> 01:00:29,849 So for, uh, for confidentiality, 1672 01:00:29,850 --> 01:00:32,279 how is this better than 1673 01:00:32,280 --> 01:00:34,379 you were asking will 1674 01:00:34,380 --> 01:00:34,499 this. 1675 01:00:34,500 --> 01:00:35,880 Because it is kind of like 1676 01:00:37,290 --> 01:00:39,509 OK, so we're just 1677 01:00:39,510 --> 01:00:40,499 one minute over time. 1678 01:00:40,500 --> 01:00:42,749 So we'll have to, uh, just stop the Q&A 1679 01:00:42,750 --> 01:00:43,769 session. 1680 01:00:43,770 --> 01:00:45,689 The two guys are gonna stick 1681 01:00:45,690 --> 01:00:47,139 around and are reachable via email. 1682 01:00:47,140 --> 01:00:48,869 So if you have remaining questions, just 1683 01:00:48,870 --> 01:00:49,839 let them know. 1684 01:00:49,840 --> 01:00:51,269 Uh, thanks so much for attending. 1685 01:00:51,270 --> 01:00:53,130 Please take your empty bottles with you.