sign in sign up
<<
Home , DigiNotar, Heartbleed, Poodle, Timing attack

Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University of Illinois at Chicago & BEAST CBC attack. Technische Universiteit Eindhoven Trustwave HTTPS interception. CRIME compression attack. Ancient Chinese curse: “May you Lucky 13 /timing attack. live in interesting times, so that RC4 keystream bias. you have many papers to write.” TLS truncation. gotofail signature-verification bug. Triple Handshake. Related mailing list: buffer overread. boring-crypto+subscribe POODLE padding-oracle attack. @googlegroups.com Winshock buffer overflow. FREAK factorization attack. Logjam discrete-log attack. Boring crypto Some recent TLS failures TLS is not boring crypto. Daniel J. Bernstein Diginotar CA compromise. New attacks! University of Illinois at Chicago & BEAST CBC attack. Disputes about security! Technische Universiteit Eindhoven Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Ancient Chinese curse: “May you Lucky 13 padding/timing attack. Even better attacks! live in interesting times, so that RC4 keystream bias. Emergency upgrades! you have many papers to write.” TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Related mailing list: Heartbleed buffer overread. boring-crypto+subscribe POODLE padding-oracle attack. @googlegroups.com Winshock buffer overflow. FREAK factorization attack. Logjam discrete-log attack. Boring crypto Some recent TLS failures TLS is not boring crypto. Daniel J. Bernstein Diginotar CA compromise. New attacks! University of Illinois at Chicago & BEAST CBC attack. Disputes about security! Technische Universiteit Eindhoven Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Ancient Chinese curse: “May you Lucky 13 padding/timing attack. Even better attacks! live in interesting times, so that RC4 keystream bias. Emergency upgrades! you have many papers to write.” TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Related mailing list: Heartbleed buffer overread. boring-crypto+subscribe POODLE padding-oracle attack. @googlegroups.com Winshock buffer overflow. FREAK factorization attack. Logjam discrete-log attack. Boring crypto Some recent TLS failures TLS is not boring crypto. Daniel J. Bernstein Diginotar CA compromise. New attacks! University of Illinois at Chicago & BEAST CBC attack. Disputes about security! Technische Universiteit Eindhoven Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Ancient Chinese curse: “May you Lucky 13 padding/timing attack. Even better attacks! live in interesting times, so that RC4 keystream bias. Emergency upgrades! you have many papers to write.” TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Related mailing list: Heartbleed buffer overread. boring-crypto+subscribe POODLE padding-oracle attack. @googlegroups.com Winshock buffer overflow. FREAK factorization attack. Logjam discrete-log attack. Some recent TLS failures TLS is not boring crypto. Diginotar CA compromise. New attacks! BEAST CBC attack. Disputes about security! Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Lucky 13 padding/timing attack. Even better attacks! RC4 keystream bias. Emergency upgrades! TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Heartbleed buffer overread. POODLE padding-oracle attack. Winshock buffer overflow. FREAK factorization attack. Logjam discrete-log attack. Some recent TLS failures TLS is not boring crypto. Diginotar CA compromise. New attacks! BEAST CBC attack. Disputes about security! Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Lucky 13 padding/timing attack. Even better attacks! RC4 keystream bias. Emergency upgrades! TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Continual excitement; Heartbleed buffer overread. tons of research papers; POODLE padding-oracle attack. more jobs for cryptographers. Winshock buffer overflow. FREAK factorization attack. Logjam discrete-log attack. Some recent TLS failures TLS is not boring crypto. Diginotar CA compromise. New attacks! BEAST CBC attack. Disputes about security! Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Lucky 13 padding/timing attack. Even better attacks! RC4 keystream bias. Emergency upgrades! TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Continual excitement; Heartbleed buffer overread. tons of research papers; POODLE padding-oracle attack. more jobs for cryptographers. Winshock buffer overflow. FREAK factorization attack. Let’s look at an example. Logjam discrete-log attack. Some recent TLS failures TLS is not boring crypto. The RC4 Diginotar CA compromise. New attacks! 1987: Ron Rivest designs RC4. BEAST CBC attack. Disputes about security! Does not publish it. Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Lucky 13 padding/timing attack. Even better attacks! RC4 keystream bias. Emergency upgrades! TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Continual excitement; Heartbleed buffer overread. tons of research papers; POODLE padding-oracle attack. more jobs for cryptographers. Winshock buffer overflow. FREAK factorization attack. Let’s look at an example. Logjam discrete-log attack. Some recent TLS failures TLS is not boring crypto. The RC4 stream cipher Diginotar CA compromise. New attacks! 1987: Ron Rivest designs RC4. BEAST CBC attack. Disputes about security! Does not publish it. Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Lucky 13 padding/timing attack. Even better attacks! RC4 keystream bias. Emergency upgrades! TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Continual excitement; Heartbleed buffer overread. tons of research papers; POODLE padding-oracle attack. more jobs for cryptographers. Winshock buffer overflow. FREAK factorization attack. Let’s look at an example. Logjam discrete-log attack. Some recent TLS failures TLS is not boring crypto. The RC4 stream cipher Diginotar CA compromise. New attacks! 1987: Ron Rivest designs RC4. BEAST CBC attack. Disputes about security! Does not publish it. Trustwave HTTPS interception. Improved attacks! CRIME compression attack. Proposed fixes! Lucky 13 padding/timing attack. Even better attacks! RC4 keystream bias. Emergency upgrades! TLS truncation. Different attacks! gotofail signature-verification bug. New protocol versions! Triple Handshake. Continual excitement; Heartbleed buffer overread. tons of research papers; POODLE padding-oracle attack. more jobs for cryptographers. Winshock buffer overflow. FREAK factorization attack. Let’s look at an example. Logjam discrete-log attack. TLS is not boring crypto. The RC4 stream cipher New attacks! 1987: Ron Rivest designs RC4. Disputes about security! Does not publish it. Improved attacks! Proposed fixes! Even better attacks! Emergency upgrades! Different attacks! New protocol versions! Continual excitement; tons of research papers; more jobs for cryptographers. Let’s look at an example. TLS is not boring crypto. The RC4 stream cipher New attacks! 1987: Ron Rivest designs RC4. Disputes about security! Does not publish it. Improved attacks! 1992: NSA makes a with Proposed fixes! Software Publishers Association. Even better attacks! Emergency upgrades! “NSA allows ::: Different attacks! The U.S. Department of State New protocol versions! will grant export permission to any program that uses the Continual excitement; RC2 or RC4 data-encryption tons of research papers; algorithm with a size more jobs for cryptographers. of less than 40 bits.” Let’s look at an example. TLS is not boring crypto. The RC4 stream cipher 1994: Someone anonymously posts RC4 source code. New attacks! 1987: Ron Rivest designs RC4. Disputes about security! Does not publish it. New York Times: “Widespread Improved attacks! dissemination could compromise 1992: NSA makes a deal with Proposed fixes! the long-term effectiveness of the Software Publishers Association. Even better attacks! system ::: [RC4] has become Emergency upgrades! “NSA allows encryption ::: the de facto coding standard Different attacks! The U.S. Department of State for many popular software New protocol versions! will grant export permission programs including to any program that uses the Windows, Apple’s Macintosh Continual excitement; RC2 or RC4 data-encryption operating system and Lotus tons of research papers; algorithm with a Notes. ::: ‘I have been told it more jobs for cryptographers. of less than 40 bits.” was part of this deal that RC4 Let’s look at an example. be kept confidential,’ Jim Bidzos, president of RSA, said.” TLS is not boring crypto. The RC4 stream cipher 1994: Someone anonymously posts RC4 source code. New attacks! 1987: Ron Rivest designs RC4. Disputes about security! Does not publish it. New York Times: “Widespread Improved attacks! dissemination could compromise 1992: NSA makes a deal with Proposed fixes! the long-term effectiveness of the Software Publishers Association. Even better attacks! system ::: [RC4] has become Emergency upgrades! “NSA allows encryption ::: the de facto coding standard Different attacks! The U.S. Department of State for many popular software New protocol versions! will grant export permission programs including Microsoft to any program that uses the Windows, Apple’s Macintosh Continual excitement; RC2 or RC4 data-encryption operating system and Lotus tons of research papers; algorithm with a key size Notes. ::: ‘I have been told it more jobs for cryptographers. of less than 40 bits.” was part of this deal that RC4 Let’s look at an example. be kept confidential,’ Jim Bidzos, president of RSA, said.” TLS is not boring crypto. The RC4 stream cipher 1994: Someone anonymously posts RC4 source code. New attacks! 1987: Ron Rivest designs RC4. Disputes about security! Does not publish it. New York Times: “Widespread Improved attacks! dissemination could compromise 1992: NSA makes a deal with Proposed fixes! the long-term effectiveness of the Software Publishers Association. Even better attacks! system ::: [RC4] has become Emergency upgrades! “NSA allows encryption ::: the de facto coding standard Different attacks! The U.S. Department of State for many popular software New protocol versions! will grant export permission programs including Microsoft to any program that uses the Windows, Apple’s Macintosh Continual excitement; RC2 or RC4 data-encryption operating system and Lotus tons of research papers; algorithm with a key size Notes. ::: ‘I have been told it more jobs for cryptographers. of less than 40 bits.” was part of this deal that RC4 Let’s look at an example. be kept confidential,’ Jim Bidzos, president of RSA, said.” The RC4 stream cipher 1994: Someone anonymously posts RC4 source code. 1987: Ron Rivest designs RC4. Does not publish it. New York Times: “Widespread dissemination could compromise 1992: NSA makes a deal with the long-term effectiveness of the Software Publishers Association. system ::: [RC4] has become “NSA allows encryption ::: the de facto coding standard The U.S. Department of State for many popular software will grant export permission programs including Microsoft to any program that uses the Windows, Apple’s Macintosh RC2 or RC4 data-encryption operating system and Lotus algorithm with a key size Notes. ::: ‘I have been told it of less than 40 bits.” was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.” The RC4 stream cipher 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) 1987: Ron Rivest designs RC4. web browser and server “based on Does not publish it. New York Times: “Widespread RSA Data Security technology”. dissemination could compromise 1992: NSA makes a deal with the long-term effectiveness of the SSL supports many options. Software Publishers Association. system ::: [RC4] has become RC4 is fastest cipher in SSL. “NSA allows encryption ::: the de facto coding standard The U.S. Department of State for many popular software will grant export permission programs including Microsoft to any program that uses the Windows, Apple’s Macintosh RC2 or RC4 data-encryption operating system and Lotus algorithm with a key size Notes. ::: ‘I have been told it of less than 40 bits.” was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.” The RC4 stream cipher 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) 1987: Ron Rivest designs RC4. web browser and server “based on Does not publish it. New York Times: “Widespread RSA Data Security technology”. dissemination could compromise 1992: NSA makes a deal with the long-term effectiveness of the SSL supports many options. Software Publishers Association. system ::: [RC4] has become RC4 is fastest cipher in SSL. “NSA allows encryption ::: the de facto coding standard The U.S. Department of State for many popular software will grant export permission programs including Microsoft to any program that uses the Windows, Apple’s Macintosh RC2 or RC4 data-encryption operating system and Lotus algorithm with a key size Notes. ::: ‘I have been told it of less than 40 bits.” was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.” The RC4 stream cipher 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) 1987: Ron Rivest designs RC4. web browser and server “based on Does not publish it. New York Times: “Widespread RSA Data Security technology”. dissemination could compromise 1992: NSA makes a deal with the long-term effectiveness of the SSL supports many options. Software Publishers Association. system ::: [RC4] has become RC4 is fastest cipher in SSL. “NSA allows encryption ::: the de facto coding standard The U.S. Department of State for many popular software will grant export permission programs including Microsoft to any program that uses the Windows, Apple’s Macintosh RC2 or RC4 data-encryption operating system and Lotus algorithm with a key size Notes. ::: ‘I have been told it of less than 40 bits.” was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.” 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) web browser and server “based on New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system ::: [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard for many popular software programs including , Apple’s Macintosh operating system and Lotus Notes. ::: ‘I have been told it was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.” 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) web browser and server “based on New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system ::: [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL . programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Notes. ::: ‘I have been told it was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.” 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) web browser and server “based on New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system ::: [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL ciphertexts. programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Notes. ::: ‘I have been told it Fix: RC4-128? was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.” 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) web browser and server “based on New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system ::: [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL ciphertexts. programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Notes. ::: ‘I have been told it Fix: RC4-128? Unacceptable: was part of this deal that RC4 1995 Roos shows that RC4 fails a be kept confidential,’ Jim Bidzos, basic definition of cipher security. president of RSA, said.” 1994: Someone anonymously 1994: Netscape introduces So the crypto community posts RC4 source code. SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system ::: [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL ciphertexts. programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Notes. ::: ‘I have been told it Fix: RC4-128? Unacceptable: was part of this deal that RC4 1995 Roos shows that RC4 fails a be kept confidential,’ Jim Bidzos, basic definition of cipher security. president of RSA, said.” 1994: Someone anonymously 1994: Netscape introduces So the crypto community posts RC4 source code. SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system ::: [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL ciphertexts. programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Notes. ::: ‘I have been told it Fix: RC4-128? Unacceptable: was part of this deal that RC4 1995 Roos shows that RC4 fails a be kept confidential,’ Jim Bidzos, basic definition of cipher security. president of RSA, said.” 1994: Someone anonymously 1994: Netscape introduces So the crypto community posts RC4 source code. SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system ::: [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL ciphertexts. programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Notes. ::: ‘I have been told it Fix: RC4-128? Unacceptable: was part of this deal that RC4 1995 Roos shows that RC4 fails a be kept confidential,’ Jim Bidzos, basic definition of cipher security. president of RSA, said.” 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? RSA Data Security technology”. SSL supports many options. RC4 is fastest cipher in SSL. 1995: Finney posts some examples of SSL ciphertexts. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts.

Fix: RC4-128? Unacceptable: 1995 Roos shows that RC4 fails a basic definition of cipher security. 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? RSA Data Security technology”. Here’s what actually happens. SSL supports many options. RC4 is fastest cipher in SSL. 1995: Finney posts some examples of SSL ciphertexts. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts.

Fix: RC4-128? Unacceptable: 1995 Roos shows that RC4 fails a basic definition of cipher security. 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? RSA Data Security technology”. Here’s what actually happens. SSL supports many options. 1997: IEEE standardizes WEP RC4 is fastest cipher in SSL. (“Wired Equivalent Privacy”) 1995: Finney posts some for 802.11 wireless networks. examples of SSL ciphertexts. WEP uses RC4 for encryption. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts.

Fix: RC4-128? Unacceptable: 1995 Roos shows that RC4 fails a basic definition of cipher security. 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? RSA Data Security technology”. Here’s what actually happens. SSL supports many options. 1997: IEEE standardizes WEP RC4 is fastest cipher in SSL. (“Wired Equivalent Privacy”) 1995: Finney posts some for 802.11 wireless networks. examples of SSL ciphertexts. WEP uses RC4 for encryption. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts. 1999: TLS (“”), new version of SSL. Fix: RC4-128? Unacceptable: 1995 Roos shows that RC4 fails a RC4 is fastest cipher in TLS. basic definition of cipher security. TLS still supports “export keys”. 1994: Netscape introduces So the crypto community More RC4 : SSL (“Secure Sockets Layer”) throws away 40-bit keys? 1995 Wagner, web browser and server “based on And throws away RC4? 1997 Golic, RSA Data Security technology”. Here’s what actually happens. 1998 Knudsen–Meier–Preneel– SSL supports many options. Rijmen–Verdoolaege, 1997: IEEE standardizes WEP RC4 is fastest cipher in SSL. 2000 Golic, (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, 1995: Finney posts some for 802.11 wireless networks. 2001 Mantin–Shamir, examples of SSL ciphertexts. WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, Back–Byers–Young, Doligez, 2001 Stubblefield–Ioannidis– Back–Brooks extract plaintexts. 1999: TLS (“Transport Layer Security”), new version of SSL. Rubin. Fix: RC4-128? Unacceptable: RC4 key-output correlations 1995 Roos shows that RC4 fails a RC4 is fastest cipher in TLS. ⇒ practical attacks on WEP. basic definition of cipher security. TLS still supports “export keys”. 1994: Netscape introduces So the crypto community More RC4 cryptanalysis: SSL (“Secure Sockets Layer”) throws away 40-bit keys? 1995 Wagner, web browser and server “based on And throws away RC4? 1997 Golic, RSA Data Security technology”. Here’s what actually happens. 1998 Knudsen–Meier–Preneel– SSL supports many options. Rijmen–Verdoolaege, 1997: IEEE standardizes WEP RC4 is fastest cipher in SSL. 2000 Golic, (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, 1995: Finney posts some for 802.11 wireless networks. 2001 Mantin–Shamir, examples of SSL ciphertexts. WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, Back–Byers–Young, Doligez, 2001 Stubblefield–Ioannidis– Back–Brooks extract plaintexts. 1999: TLS (“Transport Layer Security”), new version of SSL. Rubin. Fix: RC4-128? Unacceptable: RC4 key-output correlations 1995 Roos shows that RC4 fails a RC4 is fastest cipher in TLS. ⇒ practical attacks on WEP. basic definition of cipher security. TLS still supports “export keys”. 1994: Netscape introduces So the crypto community More RC4 cryptanalysis: SSL (“Secure Sockets Layer”) throws away 40-bit keys? 1995 Wagner, web browser and server “based on And throws away RC4? 1997 Golic, RSA Data Security technology”. Here’s what actually happens. 1998 Knudsen–Meier–Preneel– SSL supports many options. Rijmen–Verdoolaege, 1997: IEEE standardizes WEP RC4 is fastest cipher in SSL. 2000 Golic, (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, 1995: Finney posts some for 802.11 wireless networks. 2001 Mantin–Shamir, examples of SSL ciphertexts. WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, Back–Byers–Young, Doligez, 2001 Stubblefield–Ioannidis– Back–Brooks extract plaintexts. 1999: TLS (“Transport Layer Security”), new version of SSL. Rubin. Fix: RC4-128? Unacceptable: RC4 key-output correlations 1995 Roos shows that RC4 fails a RC4 is fastest cipher in TLS. ⇒ practical attacks on WEP. basic definition of cipher security. TLS still supports “export keys”. So the crypto community More RC4 cryptanalysis: throws away 40-bit keys? 1995 Wagner, And throws away RC4? 1997 Golic, Here’s what actually happens. 1998 Knudsen–Meier–Preneel– Rijmen–Verdoolaege, 1997: IEEE standardizes WEP 2000 Golic, (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, for 802.11 wireless networks. 2001 Mantin–Shamir, WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, 1999: TLS (“Transport Layer 2001 Stubblefield–Ioannidis– Security”), new version of SSL. Rubin.

RC4 is fastest cipher in TLS. RC4 key-output correlations TLS still supports “export keys”. ⇒ practical attacks on WEP. So the crypto community More RC4 cryptanalysis: 2001 Rivest response: TLS is ok. throws away 40-bit keys? 1995 Wagner, “Applications which pre-process And throws away RC4? 1997 Golic, the encryption key and IV by Here’s what actually happens. 1998 Knudsen–Meier–Preneel– using hashing and/or which Rijmen–Verdoolaege, discard the first 256 bytes of 1997: IEEE standardizes WEP 2000 Golic, pseudo-random output should (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, be considered secure from the for 802.11 wireless networks. 2001 Mantin–Shamir, proposed attacks. ::: The ‘heart’ WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 1999: TLS (“Transport Layer 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- Security”), new version of SSL. Rubin. random generator. ::: RC4 is likely to remain the algorithm of RC4 key-output correlations RC4 is fastest cipher in TLS. choice for many applications and ⇒ practical attacks on WEP. TLS still supports “export keys”. embedded systems.” So the crypto community More RC4 cryptanalysis: 2001 Rivest response: TLS is ok. throws away 40-bit keys? 1995 Wagner, “Applications which pre-process And throws away RC4? 1997 Golic, the encryption key and IV by Here’s what actually happens. 1998 Knudsen–Meier–Preneel– using hashing and/or which Rijmen–Verdoolaege, discard the first 256 bytes of 1997: IEEE standardizes WEP 2000 Golic, pseudo-random output should (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, be considered secure from the for 802.11 wireless networks. 2001 Mantin–Shamir, proposed attacks. ::: The ‘heart’ WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 1999: TLS (“Transport Layer 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- Security”), new version of SSL. Rubin. random generator. ::: RC4 is likely to remain the algorithm of RC4 key-output correlations RC4 is fastest cipher in TLS. choice for many applications and ⇒ practical attacks on WEP. TLS still supports “export keys”. embedded systems.” So the crypto community More RC4 cryptanalysis: 2001 Rivest response: TLS is ok. throws away 40-bit keys? 1995 Wagner, “Applications which pre-process And throws away RC4? 1997 Golic, the encryption key and IV by Here’s what actually happens. 1998 Knudsen–Meier–Preneel– using hashing and/or which Rijmen–Verdoolaege, discard the first 256 bytes of 1997: IEEE standardizes WEP 2000 Golic, pseudo-random output should (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, be considered secure from the for 802.11 wireless networks. 2001 Mantin–Shamir, proposed attacks. ::: The ‘heart’ WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 1999: TLS (“Transport Layer 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- Security”), new version of SSL. Rubin. random generator. ::: RC4 is likely to remain the algorithm of RC4 key-output correlations RC4 is fastest cipher in TLS. choice for many applications and ⇒ practical attacks on WEP. TLS still supports “export keys”. embedded systems.” More RC4 cryptanalysis: 2001 Rivest response: TLS is ok. 1995 Wagner, “Applications which pre-process 1997 Golic, the encryption key and IV by 1998 Knudsen–Meier–Preneel– using hashing and/or which Rijmen–Verdoolaege, discard the first 256 bytes of 2000 Golic, pseudo-random output should 2000 Fluhrer–McGrew, be considered secure from the 2001 Mantin–Shamir, proposed attacks. ::: The ‘heart’ 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- Rubin. random generator. ::: RC4 is likely to remain the algorithm of RC4 key-output correlations choice for many applications and ⇒ practical attacks on WEP. embedded systems.” More RC4 cryptanalysis: 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: 1995 Wagner, “Applications which pre-process 2002 Hulton, 1997 Golic, the encryption key and IV by 2002 Mironov, 1998 Knudsen–Meier–Preneel– using hashing and/or which 2002 Pudovkina, Rijmen–Verdoolaege, discard the first 256 bytes of 2003 Bittau, 2000 Golic, pseudo-random output should 2003 Pudovkina, 2000 Fluhrer–McGrew, be considered secure from the 2004 Paul–Preneel, 2001 Mantin–Shamir, proposed attacks. ::: The ‘heart’ 2004 KoreK, 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2004 Devine, 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- 2005 Maximov, Rubin. random generator. ::: RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, RC4 key-output correlations choice for many applications and 2006 Klein, ⇒ practical attacks on WEP. embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni. More RC4 cryptanalysis: 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: 1995 Wagner, “Applications which pre-process 2002 Hulton, 1997 Golic, the encryption key and IV by 2002 Mironov, 1998 Knudsen–Meier–Preneel– using hashing and/or which 2002 Pudovkina, Rijmen–Verdoolaege, discard the first 256 bytes of 2003 Bittau, 2000 Golic, pseudo-random output should 2003 Pudovkina, 2000 Fluhrer–McGrew, be considered secure from the 2004 Paul–Preneel, 2001 Mantin–Shamir, proposed attacks. ::: The ‘heart’ 2004 KoreK, 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2004 Devine, 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- 2005 Maximov, Rubin. random generator. ::: RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, RC4 key-output correlations choice for many applications and 2006 Klein, ⇒ practical attacks on WEP. embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni. More RC4 cryptanalysis: 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: 1995 Wagner, “Applications which pre-process 2002 Hulton, 1997 Golic, the encryption key and IV by 2002 Mironov, 1998 Knudsen–Meier–Preneel– using hashing and/or which 2002 Pudovkina, Rijmen–Verdoolaege, discard the first 256 bytes of 2003 Bittau, 2000 Golic, pseudo-random output should 2003 Pudovkina, 2000 Fluhrer–McGrew, be considered secure from the 2004 Paul–Preneel, 2001 Mantin–Shamir, proposed attacks. ::: The ‘heart’ 2004 KoreK, 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2004 Devine, 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- 2005 Maximov, Rubin. random generator. ::: RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, RC4 key-output correlations choice for many applications and 2006 Klein, ⇒ practical attacks on WEP. embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni. 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: “Applications which pre-process 2002 Hulton, the encryption key and IV by 2002 Mironov, using hashing and/or which 2002 Pudovkina, discard the first 256 bytes of 2003 Bittau, pseudo-random output should 2003 Pudovkina, be considered secure from the 2004 Paul–Preneel, proposed attacks. ::: The ‘heart’ 2004 KoreK, of RC4 is its exceptionally simple 2004 Devine, and extremely efficient pseudo- 2005 Maximov, random generator. ::: RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, choice for many applications and 2006 Klein, embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni. 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 million credit-card numbers from “Applications which pre-process 2002 Hulton, T. J. Maxx. Subsequent lawsuit the encryption key and IV by 2002 Mironov, settled for $40900000. using hashing and/or which 2002 Pudovkina, discard the first 256 bytes of 2003 Bittau, pseudo-random output should 2003 Pudovkina, be considered secure from the 2004 Paul–Preneel, proposed attacks. ::: The ‘heart’ 2004 KoreK, of RC4 is its exceptionally simple 2004 Devine, and extremely efficient pseudo- 2005 Maximov, random generator. ::: RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, choice for many applications and 2006 Klein, embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni. 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 million credit-card numbers from “Applications which pre-process 2002 Hulton, T. J. Maxx. Subsequent lawsuit the encryption key and IV by 2002 Mironov, settled for $40900000. using hashing and/or which 2002 Pudovkina, discard the first 256 bytes of 2003 Bittau, pseudo-random output should 2003 Pudovkina, be considered secure from the 2004 Paul–Preneel, proposed attacks. ::: The ‘heart’ 2004 KoreK, of RC4 is its exceptionally simple 2004 Devine, and extremely efficient pseudo- 2005 Maximov, random generator. ::: RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, choice for many applications and 2006 Klein, embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni. 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 million credit-card numbers from “Applications which pre-process 2002 Hulton, T. J. Maxx. Subsequent lawsuit the encryption key and IV by 2002 Mironov, settled for $40900000. using hashing and/or which 2002 Pudovkina, discard the first 256 bytes of 2003 Bittau, pseudo-random output should 2003 Pudovkina, be considered secure from the 2004 Paul–Preneel, proposed attacks. ::: The ‘heart’ 2004 KoreK, of RC4 is its exceptionally simple 2004 Devine, and extremely efficient pseudo- 2005 Maximov, random generator. ::: RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, choice for many applications and 2006 Klein, embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 million credit-card numbers from 2002 Hulton, T. J. Maxx. Subsequent lawsuit 2002 Mironov, settled for $40900000. 2002 Pudovkina, 2003 Bittau, 2003 Pudovkina, 2004 Paul–Preneel, 2004 KoreK, 2004 Devine, 2005 Maximov, 2005 Mantin, 2005 d’Otreppe, 2006 Klein, 2006 Doroshenko–Ryabko, 2006 Chaabouni. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 million credit-card numbers from 2002 Hulton, T. J. Maxx. Subsequent lawsuit 2002 Mironov, settled for $40900000. 2002 Pudovkina, 2003 Bittau, Cryptanalysis continues: 2003 Pudovkina, 2007 Paul–Maitra–Srivastava, 2004 Paul–Preneel, 2007 Paul–Rathi–Maitra, 2004 KoreK, 2007 Paul–Maitra, 2004 Devine, 2007 Vaudenay–Vuagnoux, 2005 Maximov, 2007 Tews–Weinmann–Pyshkin, 2005 Mantin, 2007 Tomasevic–Bojanic– 2005 d’Otreppe, Nieto-Taladriz, 2006 Klein, 2007 Maitra–Paul, 2006 Doroshenko–Ryabko, 2008 Basu–Ganguly–Maitra–Paul. 2006 Chaabouni. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 And more: million credit-card numbers from 2002 Hulton, 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit 2002 Mironov, 2008 Golic–Morgari, settled for $40900000. 2002 Pudovkina, 2008 Maximov–Khovratovich, 2003 Bittau, Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, 2003 Pudovkina, 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, 2004 Paul–Preneel, 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, 2004 KoreK, 2009 Basu–Maitra–Paul–Talukdar, 2007 Paul–Maitra, 2004 Devine, 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, 2005 Maximov, Vuagnoux, 2007 Tews–Weinmann–Pyshkin, 2005 Mantin, 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 2005 d’Otreppe, 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, 2006 Klein, 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, 2006 Doroshenko–Ryabko, Sarkar, 2008 Basu–Ganguly–Maitra–Paul. 2006 Chaabouni. 2011 Paul–Maitra book. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 And more: million credit-card numbers from 2002 Hulton, 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit 2002 Mironov, 2008 Golic–Morgari, settled for $40900000. 2002 Pudovkina, 2008 Maximov–Khovratovich, 2003 Bittau, Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, 2003 Pudovkina, 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, 2004 Paul–Preneel, 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, 2004 KoreK, 2009 Basu–Maitra–Paul–Talukdar, 2007 Paul–Maitra, 2004 Devine, 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, 2005 Maximov, Vuagnoux, 2007 Tews–Weinmann–Pyshkin, 2005 Mantin, 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 2005 d’Otreppe, 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, 2006 Klein, 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, 2006 Doroshenko–Ryabko, Sarkar, 2008 Basu–Ganguly–Maitra–Paul. 2006 Chaabouni. 2011 Paul–Maitra book. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 And more: million credit-card numbers from 2002 Hulton, 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit 2002 Mironov, 2008 Golic–Morgari, settled for $40900000. 2002 Pudovkina, 2008 Maximov–Khovratovich, 2003 Bittau, Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, 2003 Pudovkina, 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, 2004 Paul–Preneel, 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, 2004 KoreK, 2009 Basu–Maitra–Paul–Talukdar, 2007 Paul–Maitra, 2004 Devine, 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, 2005 Maximov, Vuagnoux, 2007 Tews–Weinmann–Pyshkin, 2005 Mantin, 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 2005 d’Otreppe, 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, 2006 Klein, 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, 2006 Doroshenko–Ryabko, Sarkar, 2008 Basu–Ganguly–Maitra–Paul. 2006 Chaabouni. 2011 Paul–Maitra book. WEP blamed for 2007 theft of 45 And more: million credit-card numbers from 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit 2008 Golic–Morgari, settled for $40900000. 2008 Maximov–Khovratovich, Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, 2009 Basu–Maitra–Paul–Talukdar, 2007 Paul–Maitra, 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, Vuagnoux, 2007 Tews–Weinmann–Pyshkin, 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, Sarkar, 2008 Basu–Ganguly–Maitra–Paul. 2011 Paul–Maitra book. WEP blamed for 2007 theft of 45 And more: 2012 Akamai blog entry: million credit-card numbers from “Up to 75% of SSL-enabled 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit web sites are vulnerable [to 2008 Golic–Morgari, settled for $40900000. BEAST] ::: OpenSSL v0.9.8w 2008 Maximov–Khovratovich, is the current version in broad Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, use and it only supports TLS 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, v1.0. ::: the interim fix is to 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, prefer the RC4-128 cipher for 2009 Basu–Maitra–Paul–Talukdar, 2007 Paul–Maitra, TLS v1.0 and SSL v3. ::: RC4- 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, 128 is faster and cheaper in Vuagnoux, 2007 Tews–Weinmann–Pyshkin, processor time ::: approximately 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, RC4 ::: most browsers can Sarkar, 2008 Basu–Ganguly–Maitra–Paul. support the RC4 fix for BEAST.” 2011 Paul–Maitra book. WEP blamed for 2007 theft of 45 And more: 2012 Akamai blog entry: million credit-card numbers from “Up to 75% of SSL-enabled 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit web sites are vulnerable [to 2008 Golic–Morgari, settled for $40900000. BEAST] ::: OpenSSL v0.9.8w 2008 Maximov–Khovratovich, is the current version in broad Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, use and it only supports TLS 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, v1.0. ::: the interim fix is to 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, prefer the RC4-128 cipher for 2009 Basu–Maitra–Paul–Talukdar, 2007 Paul–Maitra, TLS v1.0 and SSL v3. ::: RC4- 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, 128 is faster and cheaper in Vuagnoux, 2007 Tews–Weinmann–Pyshkin, processor time ::: approximately 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, RC4 ::: most browsers can Sarkar, 2008 Basu–Ganguly–Maitra–Paul. support the RC4 fix for BEAST.” 2011 Paul–Maitra book. WEP blamed for 2007 theft of 45 And more: 2012 Akamai blog entry: million credit-card numbers from “Up to 75% of SSL-enabled 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit web sites are vulnerable [to 2008 Golic–Morgari, settled for $40900000. BEAST] ::: OpenSSL v0.9.8w 2008 Maximov–Khovratovich, is the current version in broad Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, use and it only supports TLS 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, v1.0. ::: the interim fix is to 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, prefer the RC4-128 cipher for 2009 Basu–Maitra–Paul–Talukdar, 2007 Paul–Maitra, TLS v1.0 and SSL v3. ::: RC4- 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, 128 is faster and cheaper in Vuagnoux, 2007 Tews–Weinmann–Pyshkin, processor time ::: approximately 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, RC4 ::: most browsers can Sarkar, 2008 Basu–Ganguly–Maitra–Paul. support the RC4 fix for BEAST.” 2011 Paul–Maitra book. And more: 2012 Akamai blog entry: “Up to 75% of SSL-enabled 2008 Biham–Carmeli, web sites are vulnerable [to 2008 Golic–Morgari, BEAST] ::: OpenSSL v0.9.8w 2008 Maximov–Khovratovich, is the current version in broad 2008 Akgun–Kavak–Demirci, use and it only supports TLS 2008 Maitra–Paul. v1.0. ::: the interim fix is to 2008 Beck–Tews, prefer the RC4-128 cipher for 2009 Basu–Maitra–Paul–Talukdar, TLS v1.0 and SSL v3. ::: RC4- 2010 Sepehrdad–Vaudenay– 128 is faster and cheaper in Vuagnoux, processor time ::: approximately 2010 Vuagnoux, 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– RC4 ::: most browsers can Sarkar, support the RC4 fix for BEAST.” 2011 Paul–Maitra book. And more: 2012 Akamai blog entry: RC4 cryptanalysis continues: “Up to 75% of SSL-enabled 2008 Biham–Carmeli, 2013 Lv–Zhang–Lin, web sites are vulnerable [to 2008 Golic–Morgari, 2013 Lv–Lin, BEAST] ::: OpenSSL v0.9.8w 2008 Maximov–Khovratovich, 2013 Sen Gupta–Maitra–Meier– is the current version in broad 2008 Akgun–Kavak–Demirci, Paul–Sarkar, use and it only supports TLS 2008 Maitra–Paul. 2013 Sarkar–Sen Gupta–Paul– v1.0. ::: the interim fix is to 2008 Beck–Tews, Maitra, prefer the RC4-128 cipher for 2009 Basu–Maitra–Paul–Talukdar, 2013 Isobe–Ohigashi–Watanabe– TLS v1.0 and SSL v3. ::: RC4- 2010 Sepehrdad–Vaudenay– Morii, 128 is faster and cheaper in Vuagnoux, 2013 AlFardan–Bernstein– processor time ::: approximately 2010 Vuagnoux, Paterson–Poettering– 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, Schuldt, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– 2014 Paterson–Strefler, RC4 ::: most browsers can Sarkar, 2015 Sepehrdad–Suˇsil–Vaudenay– support the RC4 fix for BEAST.” 2011 Paul–Maitra book. Vuagnoux. And more: 2012 Akamai blog entry: RC4 cryptanalysis continues: “Up to 75% of SSL-enabled 2008 Biham–Carmeli, 2013 Lv–Zhang–Lin, web sites are vulnerable [to 2008 Golic–Morgari, 2013 Lv–Lin, BEAST] ::: OpenSSL v0.9.8w 2008 Maximov–Khovratovich, 2013 Sen Gupta–Maitra–Meier– is the current version in broad 2008 Akgun–Kavak–Demirci, Paul–Sarkar, use and it only supports TLS 2008 Maitra–Paul. 2013 Sarkar–Sen Gupta–Paul– v1.0. ::: the interim fix is to 2008 Beck–Tews, Maitra, prefer the RC4-128 cipher for 2009 Basu–Maitra–Paul–Talukdar, 2013 Isobe–Ohigashi–Watanabe– TLS v1.0 and SSL v3. ::: RC4- 2010 Sepehrdad–Vaudenay– Morii, 128 is faster and cheaper in Vuagnoux, 2013 AlFardan–Bernstein– processor time ::: approximately 2010 Vuagnoux, Paterson–Poettering– 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, Schuldt, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– 2014 Paterson–Strefler, RC4 ::: most browsers can Sarkar, 2015 Sepehrdad–Suˇsil–Vaudenay– support the RC4 fix for BEAST.” 2011 Paul–Maitra book. Vuagnoux. And more: 2012 Akamai blog entry: RC4 cryptanalysis continues: “Up to 75% of SSL-enabled 2008 Biham–Carmeli, 2013 Lv–Zhang–Lin, web sites are vulnerable [to 2008 Golic–Morgari, 2013 Lv–Lin, BEAST] ::: OpenSSL v0.9.8w 2008 Maximov–Khovratovich, 2013 Sen Gupta–Maitra–Meier– is the current version in broad 2008 Akgun–Kavak–Demirci, Paul–Sarkar, use and it only supports TLS 2008 Maitra–Paul. 2013 Sarkar–Sen Gupta–Paul– v1.0. ::: the interim fix is to 2008 Beck–Tews, Maitra, prefer the RC4-128 cipher for 2009 Basu–Maitra–Paul–Talukdar, 2013 Isobe–Ohigashi–Watanabe– TLS v1.0 and SSL v3. ::: RC4- 2010 Sepehrdad–Vaudenay– Morii, 128 is faster and cheaper in Vuagnoux, 2013 AlFardan–Bernstein– processor time ::: approximately 2010 Vuagnoux, Paterson–Poettering– 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, Schuldt, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– 2014 Paterson–Strefler, RC4 ::: most browsers can Sarkar, 2015 Sepehrdad–Suˇsil–Vaudenay– support the RC4 fix for BEAST.” 2011 Paul–Maitra book. Vuagnoux. 2012 Akamai blog entry: RC4 cryptanalysis continues: “Up to 75% of SSL-enabled 2013 Lv–Zhang–Lin, web sites are vulnerable [to 2013 Lv–Lin, BEAST] ::: OpenSSL v0.9.8w 2013 Sen Gupta–Maitra–Meier– is the current version in broad Paul–Sarkar, use and it only supports TLS 2013 Sarkar–Sen Gupta–Paul– v1.0. ::: the interim fix is to Maitra, prefer the RC4-128 cipher for 2013 Isobe–Ohigashi–Watanabe– TLS v1.0 and SSL v3. ::: RC4- Morii, 128 is faster and cheaper in 2013 AlFardan–Bernstein– processor time ::: approximately Paterson–Poettering– 15% of SSL/TLS negotiations Schuldt, on the Akamai platform use 2014 Paterson–Strefler, RC4 ::: most browsers can 2015 Sepehrdad–Suˇsil–Vaudenay– support the RC4 fix for BEAST.” Vuagnoux. 2012 Akamai blog entry: RC4 cryptanalysis continues: Maybe the final straws: “Up to 75% of SSL-enabled 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, web sites are vulnerable [to 2013 Lv–Lin, 2015 Garman–Paterson– BEAST] ::: OpenSSL v0.9.8w 2013 Sen Gupta–Maitra–Meier– van der Merwe is the current version in broad Paul–Sarkar, “RC4 must die”, use and it only supports TLS 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens v1.0. ::: the interim fix is to Maitra, “RC4 no more”. prefer the RC4-128 cipher for 2013 Isobe–Ohigashi–Watanabe– TLS v1.0 and SSL v3. ::: RC4- Morii, 128 is faster and cheaper in 2013 AlFardan–Bernstein– processor time ::: approximately Paterson–Poettering– 15% of SSL/TLS negotiations Schuldt, on the Akamai platform use 2014 Paterson–Strefler, RC4 ::: most browsers can 2015 Sepehrdad–Suˇsil–Vaudenay– support the RC4 fix for BEAST.” Vuagnoux. 2012 Akamai blog entry: RC4 cryptanalysis continues: Maybe the final straws: “Up to 75% of SSL-enabled 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, web sites are vulnerable [to 2013 Lv–Lin, 2015 Garman–Paterson– BEAST] ::: OpenSSL v0.9.8w 2013 Sen Gupta–Maitra–Meier– van der Merwe is the current version in broad Paul–Sarkar, “RC4 must die”, use and it only supports TLS 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens v1.0. ::: the interim fix is to Maitra, “RC4 no more”. prefer the RC4-128 cipher for 2013 Isobe–Ohigashi–Watanabe– TLS v1.0 and SSL v3. ::: RC4- Morii, 128 is faster and cheaper in 2013 AlFardan–Bernstein– processor time ::: approximately Paterson–Poettering– 15% of SSL/TLS negotiations Schuldt, on the Akamai platform use 2014 Paterson–Strefler, RC4 ::: most browsers can 2015 Sepehrdad–Suˇsil–Vaudenay– support the RC4 fix for BEAST.” Vuagnoux. 2012 Akamai blog entry: RC4 cryptanalysis continues: Maybe the final straws: “Up to 75% of SSL-enabled 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, web sites are vulnerable [to 2013 Lv–Lin, 2015 Garman–Paterson– BEAST] ::: OpenSSL v0.9.8w 2013 Sen Gupta–Maitra–Meier– van der Merwe is the current version in broad Paul–Sarkar, “RC4 must die”, use and it only supports TLS 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens v1.0. ::: the interim fix is to Maitra, “RC4 no more”. prefer the RC4-128 cipher for 2013 Isobe–Ohigashi–Watanabe– TLS v1.0 and SSL v3. ::: RC4- Morii, 128 is faster and cheaper in 2013 AlFardan–Bernstein– processor time ::: approximately Paterson–Poettering– 15% of SSL/TLS negotiations Schuldt, on the Akamai platform use 2014 Paterson–Strefler, RC4 ::: most browsers can 2015 Sepehrdad–Suˇsil–Vaudenay– support the RC4 fix for BEAST.” Vuagnoux. RC4 cryptanalysis continues: Maybe the final straws: 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2013 Lv–Lin, 2015 Garman–Paterson– 2013 Sen Gupta–Maitra–Meier– van der Merwe Paul–Sarkar, “RC4 must die”, 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Morii, 2013 AlFardan–Bernstein– Paterson–Poettering– Schuldt, 2014 Paterson–Strefler, 2015 Sepehrdad–Suˇsil–Vaudenay– Vuagnoux. RC4 cryptanalysis continues: Maybe the final straws: 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2013 Lv–Lin, 2015 Garman–Paterson– 2013 Sen Gupta–Maitra–Meier– van der Merwe Paul–Sarkar, “RC4 must die”, 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Meanwhile IETF publishes Morii, RFC 7465 (“RC4 die die die”), 2013 AlFardan–Bernstein– prohibiting RC4 in TLS. Paterson–Poettering– Schuldt, 2014 Paterson–Strefler, 2015 Sepehrdad–Suˇsil–Vaudenay– Vuagnoux. RC4 cryptanalysis continues: Maybe the final straws: 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2013 Lv–Lin, 2015 Garman–Paterson– 2013 Sen Gupta–Maitra–Meier– van der Merwe Paul–Sarkar, “RC4 must die”, 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Meanwhile IETF publishes Morii, RFC 7465 (“RC4 die die die”), 2013 AlFardan–Bernstein– prohibiting RC4 in TLS. Paterson–Poettering– Schuldt, 2015.09.01: , Microsoft, 2014 Paterson–Strefler, say that in 2016 their 2015 Sepehrdad–Suˇsil–Vaudenay– browsers will no longer allow RC4. Vuagnoux. RC4 cryptanalysis continues: Maybe the final straws: Another example: timing attacks 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2013 Lv–Lin, 2015 Garman–Paterson– 65ms to steal Linux AES key 2013 Sen Gupta–Maitra–Meier– van der Merwe used for hard-disk encryption. Paul–Sarkar, “RC4 must die”, Attack process on same CPU 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens but without privileges. Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Meanwhile IETF publishes Morii, RFC 7465 (“RC4 die die die”), 2013 AlFardan–Bernstein– prohibiting RC4 in TLS. Paterson–Poettering– Schuldt, 2015.09.01: Google, Microsoft, 2014 Paterson–Strefler, Mozilla say that in 2016 their 2015 Sepehrdad–Suˇsil–Vaudenay– browsers will no longer allow RC4. Vuagnoux. RC4 cryptanalysis continues: Maybe the final straws: Another example: timing attacks 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2013 Lv–Lin, 2015 Garman–Paterson– 65ms to steal Linux AES key 2013 Sen Gupta–Maitra–Meier– van der Merwe used for hard-disk encryption. Paul–Sarkar, “RC4 must die”, Attack process on same CPU 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens but without privileges. Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Meanwhile IETF publishes Morii, RFC 7465 (“RC4 die die die”), 2013 AlFardan–Bernstein– prohibiting RC4 in TLS. Paterson–Poettering– Schuldt, 2015.09.01: Google, Microsoft, 2014 Paterson–Strefler, Mozilla say that in 2016 their 2015 Sepehrdad–Suˇsil–Vaudenay– browsers will no longer allow RC4. Vuagnoux. RC4 cryptanalysis continues: Maybe the final straws: Another example: timing attacks 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2013 Lv–Lin, 2015 Garman–Paterson– 65ms to steal Linux AES key 2013 Sen Gupta–Maitra–Meier– van der Merwe used for hard-disk encryption. Paul–Sarkar, “RC4 must die”, Attack process on same CPU 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens but without privileges. Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Meanwhile IETF publishes Morii, RFC 7465 (“RC4 die die die”), 2013 AlFardan–Bernstein– prohibiting RC4 in TLS. Paterson–Poettering– Schuldt, 2015.09.01: Google, Microsoft, 2014 Paterson–Strefler, Mozilla say that in 2016 their 2015 Sepehrdad–Suˇsil–Vaudenay– browsers will no longer allow RC4. Vuagnoux. Maybe the final straws: Another example: timing attacks 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2015 Garman–Paterson– 65ms to steal Linux AES key van der Merwe used for hard-disk encryption. “RC4 must die”, Attack process on same CPU 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. Meanwhile IETF publishes RFC 7465 (“RC4 die die die”), prohibiting RC4 in TLS.

2015.09.01: Google, Microsoft, Mozilla say that in 2016 their browsers will no longer allow RC4. Maybe the final straws: Another example: timing attacks 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2015 Garman–Paterson– 65ms to steal Linux AES key van der Merwe used for hard-disk encryption. “RC4 must die”, Attack process on same CPU 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. Almost all AES implementations Meanwhile IETF publishes use fast lookup tables. RFC 7465 (“RC4 die die die”), Kernel’s secret AES key prohibiting RC4 in TLS. influences table-load addresses, influencing CPU cache state, 2015.09.01: Google, Microsoft, influencing measurable timings Mozilla say that in 2016 their of the attack process. browsers will no longer allow RC4. 65ms: compute key from timings. Maybe the final straws: Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 2015 Garman–Paterson– 65ms to steal Linux AES key Secret branch conditions van der Merwe used for hard-disk encryption. influence timings. “RC4 must die”, Attack process on same CPU 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. Almost all AES implementations Meanwhile IETF publishes use fast lookup tables. RFC 7465 (“RC4 die die die”), Kernel’s secret AES key prohibiting RC4 in TLS. influences table-load addresses, influencing CPU cache state, 2015.09.01: Google, Microsoft, influencing measurable timings Mozilla say that in 2016 their of the attack process. browsers will no longer allow RC4. 65ms: compute key from timings. Maybe the final straws: Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 2015 Garman–Paterson– 65ms to steal Linux AES key Secret branch conditions van der Merwe used for hard-disk encryption. influence timings. “RC4 must die”, Attack process on same CPU 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. Almost all AES implementations Meanwhile IETF publishes use fast lookup tables. RFC 7465 (“RC4 die die die”), Kernel’s secret AES key prohibiting RC4 in TLS. influences table-load addresses, influencing CPU cache state, 2015.09.01: Google, Microsoft, influencing measurable timings Mozilla say that in 2016 their of the attack process. browsers will no longer allow RC4. 65ms: compute key from timings. Maybe the final straws: Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 2015 Garman–Paterson– 65ms to steal Linux AES key Secret branch conditions van der Merwe used for hard-disk encryption. influence timings. “RC4 must die”, Attack process on same CPU 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. Almost all AES implementations Meanwhile IETF publishes use fast lookup tables. RFC 7465 (“RC4 die die die”), Kernel’s secret AES key prohibiting RC4 in TLS. influences table-load addresses, influencing CPU cache state, 2015.09.01: Google, Microsoft, influencing measurable timings Mozilla say that in 2016 their of the attack process. browsers will no longer allow RC4. 65ms: compute key from timings. Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 65ms to steal Linux AES key Secret branch conditions used for hard-disk encryption. influence timings. Attack process on same CPU but without privileges. Almost all AES implementations use fast lookup tables. Kernel’s secret AES key influences table-load addresses, influencing CPU cache state, influencing measurable timings of the attack process. 65ms: compute key from timings. Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 65ms to steal Linux AES key Secret branch conditions used for hard-disk encryption. influence timings. Attack process on same CPU but without privileges. Most cryptographic software has many more small-scale Almost all AES implementations variations in timing: use fast lookup tables. e.g., memcmp for IPsec MACs. Kernel’s secret AES key influences table-load addresses, influencing CPU cache state, influencing measurable timings of the attack process. 65ms: compute key from timings. Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 65ms to steal Linux AES key Secret branch conditions used for hard-disk encryption. influence timings. Attack process on same CPU but without privileges. Most cryptographic software has many more small-scale Almost all AES implementations variations in timing: use fast lookup tables. e.g., memcmp for IPsec MACs. Kernel’s secret AES key influences table-load addresses, Many more timing attacks: e.g. influencing CPU cache state, 2014 van de Pol–Smart–Yarom influencing measurable timings extracted secret keys of the attack process. from 25 OpenSSL signatures. 65ms: compute key from timings. Another example: timing attacks 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport minutes to steal another Layer Security (TLS) Protocol, 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a 65ms to steal Linux AES key Secret branch conditions small timing channel, since MAC used for hard-disk encryption. influence timings. performance depends to some Attack process on same CPU extent on the size of the data but without privileges. Most cryptographic software fragment, but it is not believed to has many more small-scale Almost all AES implementations be large enough to be exploitable, variations in timing: use fast lookup tables. due to the large block size of e.g., memcmp for IPsec MACs. Kernel’s secret AES key existing MACs and the small size influences table-load addresses, Many more timing attacks: e.g. of the timing signal.” influencing CPU cache state, 2014 van de Pol–Smart–Yarom influencing measurable timings extracted Bitcoin secret keys of the attack process. from 25 OpenSSL signatures. 65ms: compute key from timings. Another example: timing attacks 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport minutes to steal another Layer Security (TLS) Protocol, 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a 65ms to steal Linux AES key Secret branch conditions small timing channel, since MAC used for hard-disk encryption. influence timings. performance depends to some Attack process on same CPU extent on the size of the data but without privileges. Most cryptographic software fragment, but it is not believed to has many more small-scale Almost all AES implementations be large enough to be exploitable, variations in timing: use fast lookup tables. due to the large block size of e.g., memcmp for IPsec MACs. Kernel’s secret AES key existing MACs and the small size influences table-load addresses, Many more timing attacks: e.g. of the timing signal.” influencing CPU cache state, 2014 van de Pol–Smart–Yarom influencing measurable timings extracted Bitcoin secret keys of the attack process. from 25 OpenSSL signatures. 65ms: compute key from timings. Another example: timing attacks 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport minutes to steal another Layer Security (TLS) Protocol, 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a 65ms to steal Linux AES key Secret branch conditions small timing channel, since MAC used for hard-disk encryption. influence timings. performance depends to some Attack process on same CPU extent on the size of the data but without privileges. Most cryptographic software fragment, but it is not believed to has many more small-scale Almost all AES implementations be large enough to be exploitable, variations in timing: use fast lookup tables. due to the large block size of e.g., memcmp for IPsec MACs. Kernel’s secret AES key existing MACs and the small size influences table-load addresses, Many more timing attacks: e.g. of the timing signal.” influencing CPU cache state, 2014 van de Pol–Smart–Yarom influencing measurable timings extracted Bitcoin secret keys of the attack process. from 25 OpenSSL signatures. 65ms: compute key from timings. 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport minutes to steal another Layer Security (TLS) Protocol, machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a Secret branch conditions small timing channel, since MAC influence timings. performance depends to some extent on the size of the data Most cryptographic software fragment, but it is not believed to has many more small-scale be large enough to be exploitable, variations in timing: due to the large block size of e.g., memcmp for IPsec MACs. existing MACs and the small size Many more timing attacks: e.g. of the timing signal.” 2014 van de Pol–Smart–Yarom extracted Bitcoin secret keys from 25 OpenSSL signatures. 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport minutes to steal another Layer Security (TLS) Protocol, machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a Secret branch conditions small timing channel, since MAC influence timings. performance depends to some extent on the size of the data Most cryptographic software fragment, but it is not believed to has many more small-scale be large enough to be exploitable, variations in timing: due to the large block size of e.g., memcmp for IPsec MACs. existing MACs and the small size Many more timing attacks: e.g. of the timing signal.” 2014 van de Pol–Smart–Yarom 2013 AlFardan–Paterson “Lucky extracted Bitcoin secret keys Thirteen: breaking the TLS and from 25 OpenSSL signatures. DTLS record protocols”: exploit these timings; steal plaintext. 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport Interesting vs. boring crypto minutes to steal another Layer Security (TLS) Protocol, All of this excitement is machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a wonderful for crypto researchers. Secret branch conditions small timing channel, since MAC influence timings. performance depends to some extent on the size of the data Most cryptographic software fragment, but it is not believed to has many more small-scale be large enough to be exploitable, variations in timing: due to the large block size of e.g., memcmp for IPsec MACs. existing MACs and the small size Many more timing attacks: e.g. of the timing signal.” 2014 van de Pol–Smart–Yarom 2013 AlFardan–Paterson “Lucky extracted Bitcoin secret keys Thirteen: breaking the TLS and from 25 OpenSSL signatures. DTLS record protocols”: exploit these timings; steal plaintext. 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport Interesting vs. boring crypto minutes to steal another Layer Security (TLS) Protocol, All of this excitement is machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a wonderful for crypto researchers. Secret branch conditions small timing channel, since MAC influence timings. performance depends to some extent on the size of the data Most cryptographic software fragment, but it is not believed to has many more small-scale be large enough to be exploitable, variations in timing: due to the large block size of e.g., memcmp for IPsec MACs. existing MACs and the small size Many more timing attacks: e.g. of the timing signal.” 2014 van de Pol–Smart–Yarom 2013 AlFardan–Paterson “Lucky extracted Bitcoin secret keys Thirteen: breaking the TLS and from 25 OpenSSL signatures. DTLS record protocols”: exploit these timings; steal plaintext. 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport Interesting vs. boring crypto minutes to steal another Layer Security (TLS) Protocol, All of this excitement is machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a wonderful for crypto researchers. Secret branch conditions small timing channel, since MAC influence timings. performance depends to some extent on the size of the data Most cryptographic software fragment, but it is not believed to has many more small-scale be large enough to be exploitable, variations in timing: due to the large block size of e.g., memcmp for IPsec MACs. existing MACs and the small size Many more timing attacks: e.g. of the timing signal.” 2014 van de Pol–Smart–Yarom 2013 AlFardan–Paterson “Lucky extracted Bitcoin secret keys Thirteen: breaking the TLS and from 25 OpenSSL signatures. DTLS record protocols”: exploit these timings; steal plaintext. 2008 RFC 5246 “The Transport Interesting vs. boring crypto Layer Security (TLS) Protocol, All of this excitement is Version 1.2”: “This leaves a wonderful for crypto researchers. small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.” 2013 AlFardan–Paterson “Lucky Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext. 2008 RFC 5246 “The Transport Interesting vs. boring crypto Layer Security (TLS) Protocol, All of this excitement is Version 1.2”: “This leaves a wonderful for crypto researchers. small timing channel, since MAC performance depends to some The only people suffering extent on the size of the data are the crypto users: fragment, but it is not believed to continually forced to panic, be large enough to be exploitable, vulnerable to attacks, due to the large block size of uncertain what to do next. existing MACs and the small size of the timing signal.” 2013 AlFardan–Paterson “Lucky Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext. 2008 RFC 5246 “The Transport Interesting vs. boring crypto Layer Security (TLS) Protocol, All of this excitement is Version 1.2”: “This leaves a wonderful for crypto researchers. small timing channel, since MAC performance depends to some The only people suffering extent on the size of the data are the crypto users: fragment, but it is not believed to continually forced to panic, be large enough to be exploitable, vulnerable to attacks, due to the large block size of uncertain what to do next. existing MACs and the small size The crypto users’ fantasy of the timing signal.” is boring crypto: 2013 AlFardan–Paterson “Lucky crypto that simply works, Thirteen: breaking the TLS and solidly resists attacks, DTLS record protocols”: exploit never needs any upgrades. these timings; steal plaintext. 2008 RFC 5246 “The Transport Interesting vs. boring crypto What will happen if Layer Security (TLS) Protocol, the crypto users convince All of this excitement is Version 1.2”: “This leaves a some crypto researchers to wonderful for crypto researchers. small timing channel, since MAC actually create boring crypto? performance depends to some The only people suffering extent on the size of the data are the crypto users: fragment, but it is not believed to continually forced to panic, be large enough to be exploitable, vulnerable to attacks, due to the large block size of uncertain what to do next. existing MACs and the small size The crypto users’ fantasy of the timing signal.” is boring crypto: 2013 AlFardan–Paterson “Lucky crypto that simply works, Thirteen: breaking the TLS and solidly resists attacks, DTLS record protocols”: exploit never needs any upgrades. these timings; steal plaintext. 2008 RFC 5246 “The Transport Interesting vs. boring crypto What will happen if Layer Security (TLS) Protocol, the crypto users convince All of this excitement is Version 1.2”: “This leaves a some crypto researchers to wonderful for crypto researchers. small timing channel, since MAC actually create boring crypto? performance depends to some The only people suffering extent on the size of the data are the crypto users: fragment, but it is not believed to continually forced to panic, be large enough to be exploitable, vulnerable to attacks, due to the large block size of uncertain what to do next. existing MACs and the small size The crypto users’ fantasy of the timing signal.” is boring crypto: 2013 AlFardan–Paterson “Lucky crypto that simply works, Thirteen: breaking the TLS and solidly resists attacks, DTLS record protocols”: exploit never needs any upgrades. these timings; steal plaintext. 2008 RFC 5246 “The Transport Interesting vs. boring crypto What will happen if Layer Security (TLS) Protocol, the crypto users convince All of this excitement is Version 1.2”: “This leaves a some crypto researchers to wonderful for crypto researchers. small timing channel, since MAC actually create boring crypto? performance depends to some The only people suffering extent on the size of the data are the crypto users: fragment, but it is not believed to continually forced to panic, be large enough to be exploitable, vulnerable to attacks, due to the large block size of uncertain what to do next. existing MACs and the small size The crypto users’ fantasy of the timing signal.” is boring crypto: 2013 AlFardan–Paterson “Lucky crypto that simply works, Thirteen: breaking the TLS and solidly resists attacks, DTLS record protocols”: exploit never needs any upgrades. these timings; steal plaintext. Interesting vs. boring crypto What will happen if the crypto users convince All of this excitement is some crypto researchers to wonderful for crypto researchers. actually create boring crypto? The only people suffering are the crypto users: continually forced to panic, vulnerable to attacks, uncertain what to do next. The crypto users’ fantasy is boring crypto: crypto that simply works, solidly resists attacks, never needs any upgrades. Interesting vs. boring crypto What will happen if the crypto users convince All of this excitement is some crypto researchers to wonderful for crypto researchers. actually create boring crypto? The only people suffering No more real-world attacks. are the crypto users: No more emergency upgrades. continually forced to panic, Limited audience for any vulnerable to attacks, minor attack improvements uncertain what to do next. and for replacement crypto. The crypto users’ fantasy is boring crypto: crypto that simply works, solidly resists attacks, never needs any upgrades. Interesting vs. boring crypto What will happen if the crypto users convince All of this excitement is some crypto researchers to wonderful for crypto researchers. actually create boring crypto? The only people suffering No more real-world attacks. are the crypto users: No more emergency upgrades. continually forced to panic, Limited audience for any vulnerable to attacks, minor attack improvements uncertain what to do next. and for replacement crypto. The crypto users’ fantasy This is an existential threat is boring crypto: against future crypto research. crypto that simply works, solidly resists attacks, never needs any upgrades. Interesting vs. boring crypto What will happen if the crypto users convince All of this excitement is some crypto researchers to wonderful for crypto researchers. actually create boring crypto? The only people suffering No more real-world attacks. are the crypto users: No more emergency upgrades. continually forced to panic, Limited audience for any vulnerable to attacks, minor attack improvements uncertain what to do next. and for replacement crypto. The crypto users’ fantasy This is an existential threat is boring crypto: against future crypto research. crypto that simply works, solidly resists attacks, Is this the real life? never needs any upgrades. Is this just fantasy? Interesting vs. boring crypto What will happen if Crypto can be boring the crypto users convince All of this excitement is Again consider timing leaks. some crypto researchers to wonderful for crypto researchers. actually create boring crypto? Many interesting questions: The only people suffering How do secrets affect timings? No more real-world attacks. are the crypto users: How can attacker see timings? No more emergency upgrades. continually forced to panic, How can attacker choose inputs Limited audience for any vulnerable to attacks, to influence how secrets minor attack improvements uncertain what to do next. affect timings? Et cetera. and for replacement crypto. The crypto users’ fantasy This is an existential threat is boring crypto: against future crypto research. crypto that simply works, solidly resists attacks, Is this the real life? never needs any upgrades. Is this just fantasy? Interesting vs. boring crypto What will happen if Crypto can be boring the crypto users convince All of this excitement is Again consider timing leaks. some crypto researchers to wonderful for crypto researchers. actually create boring crypto? Many interesting questions: The only people suffering How do secrets affect timings? No more real-world attacks. are the crypto users: How can attacker see timings? No more emergency upgrades. continually forced to panic, How can attacker choose inputs Limited audience for any vulnerable to attacks, to influence how secrets minor attack improvements uncertain what to do next. affect timings? Et cetera. and for replacement crypto. The crypto users’ fantasy This is an existential threat is boring crypto: against future crypto research. crypto that simply works, solidly resists attacks, Is this the real life? never needs any upgrades. Is this just fantasy? Interesting vs. boring crypto What will happen if Crypto can be boring the crypto users convince All of this excitement is Again consider timing leaks. some crypto researchers to wonderful for crypto researchers. actually create boring crypto? Many interesting questions: The only people suffering How do secrets affect timings? No more real-world attacks. are the crypto users: How can attacker see timings? No more emergency upgrades. continually forced to panic, How can attacker choose inputs Limited audience for any vulnerable to attacks, to influence how secrets minor attack improvements uncertain what to do next. affect timings? Et cetera. and for replacement crypto. The crypto users’ fantasy This is an existential threat is boring crypto: against future crypto research. crypto that simply works, solidly resists attacks, Is this the real life? never needs any upgrades. Is this just fantasy? What will happen if Crypto can be boring the crypto users convince Again consider timing leaks. some crypto researchers to actually create boring crypto? Many interesting questions: How do secrets affect timings? No more real-world attacks. How can attacker see timings? No more emergency upgrades. How can attacker choose inputs Limited audience for any to influence how secrets minor attack improvements affect timings? Et cetera. and for replacement crypto. This is an existential threat against future crypto research. Is this the real life? Is this just fantasy? What will happen if Crypto can be boring the crypto users convince Again consider timing leaks. some crypto researchers to actually create boring crypto? Many interesting questions: How do secrets affect timings? No more real-world attacks. How can attacker see timings? No more emergency upgrades. How can attacker choose inputs Limited audience for any to influence how secrets minor attack improvements affect timings? Et cetera. and for replacement crypto. The boring-crypto alternative: This is an existential threat crypto software is built from against future crypto research. instructions that have no data Is this the real life? flow from inputs to timings. Is this just fantasy? Obviously constant time. What will happen if Crypto can be boring Another example: the crypto users convince “280 security” is interesting. Again consider timing leaks. some crypto researchers to 280 mults on mass-market GPUs: actually create boring crypto? Many interesting questions: about 222 watt-years. How do secrets affect timings? No more real-world attacks. Bluffdale: 226 watts. How can attacker see timings? No more emergency upgrades. How can attacker choose inputs Limited audience for any to influence how secrets minor attack improvements affect timings? Et cetera. and for replacement crypto. The boring-crypto alternative: This is an existential threat crypto software is built from against future crypto research. instructions that have no data Is this the real life? flow from inputs to timings. Is this just fantasy? Obviously constant time. What will happen if Crypto can be boring Another example: the crypto users convince “280 security” is interesting. Again consider timing leaks. some crypto researchers to 280 mults on mass-market GPUs: actually create boring crypto? Many interesting questions: about 222 watt-years. How do secrets affect timings? No more real-world attacks. Bluffdale: 226 watts. How can attacker see timings? No more emergency upgrades. How can attacker choose inputs Limited audience for any to influence how secrets minor attack improvements affect timings? Et cetera. and for replacement crypto. The boring-crypto alternative: This is an existential threat crypto software is built from against future crypto research. instructions that have no data Is this the real life? flow from inputs to timings. Is this just fantasy? Obviously constant time. What will happen if Crypto can be boring Another example: the crypto users convince “280 security” is interesting. Again consider timing leaks. some crypto researchers to 280 mults on mass-market GPUs: actually create boring crypto? Many interesting questions: about 222 watt-years. How do secrets affect timings? No more real-world attacks. Bluffdale: 226 watts. How can attacker see timings? No more emergency upgrades. How can attacker choose inputs Limited audience for any to influence how secrets minor attack improvements affect timings? Et cetera. and for replacement crypto. The boring-crypto alternative: This is an existential threat crypto software is built from against future crypto research. instructions that have no data Is this the real life? flow from inputs to timings. Is this just fantasy? Obviously constant time. Crypto can be boring Another example: “280 security” is interesting. Again consider timing leaks. 280 mults on mass-market GPUs: Many interesting questions: about 222 watt-years. How do secrets affect timings? Bluffdale: 226 watts. How can attacker see timings? How can attacker choose inputs to influence how secrets affect timings? Et cetera. The boring-crypto alternative: crypto software is built from instructions that have no data flow from inputs to timings. Obviously constant time. Crypto can be boring Another example: “280 security” is interesting. Again consider timing leaks. 280 mults on mass-market GPUs: Many interesting questions: about 222 watt-years. How do secrets affect timings? Bluffdale: 226 watts. How can attacker see timings? How can attacker choose inputs Is “280 security” really 285? 275? to influence how secrets Are the individual ops harder than affect timings? Et cetera. single-precision mults? Easier? Can the attack cost be shared The boring-crypto alternative: across targets, as in Logjam? crypto software is built from Every speedup is important. instructions that have no data flow from inputs to timings. Obviously constant time. Crypto can be boring Another example: “280 security” is interesting. Again consider timing leaks. 280 mults on mass-market GPUs: Many interesting questions: about 222 watt-years. How do secrets affect timings? Bluffdale: 226 watts. How can attacker see timings? How can attacker choose inputs Is “280 security” really 285? 275? to influence how secrets Are the individual ops harder than affect timings? Et cetera. single-precision mults? Easier? Can the attack cost be shared The boring-crypto alternative: across targets, as in Logjam? crypto software is built from Every speedup is important. instructions that have no data flow from inputs to timings. “2128 security” is boring. Obviously constant time. Crypto can be boring Another example: NIST ECC is interesting: “280 security” is interesting. see, e.g., how keys were exposed Again consider timing leaks. in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: Many interesting questions: about 222 watt-years. Ed25519 and X25519: boring. How do secrets affect timings? Bluffdale: 226 watts. How can attacker see timings? How can attacker choose inputs Is “280 security” really 285? 275? to influence how secrets Are the individual ops harder than affect timings? Et cetera. single-precision mults? Easier? Can the attack cost be shared The boring-crypto alternative: across targets, as in Logjam? crypto software is built from Every speedup is important. instructions that have no data flow from inputs to timings. “2128 security” is boring. Obviously constant time. Crypto can be boring Another example: NIST ECC is interesting: “280 security” is interesting. see, e.g., how keys were exposed Again consider timing leaks. in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: Many interesting questions: about 222 watt-years. Ed25519 and X25519: boring. How do secrets affect timings? Bluffdale: 226 watts. How can attacker see timings? How can attacker choose inputs Is “280 security” really 285? 275? to influence how secrets Are the individual ops harder than affect timings? Et cetera. single-precision mults? Easier? Can the attack cost be shared The boring-crypto alternative: across targets, as in Logjam? crypto software is built from Every speedup is important. instructions that have no data flow from inputs to timings. “2128 security” is boring. Obviously constant time. Crypto can be boring Another example: NIST ECC is interesting: “280 security” is interesting. see, e.g., how keys were exposed Again consider timing leaks. in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: Many interesting questions: about 222 watt-years. Ed25519 and X25519: boring. How do secrets affect timings? Bluffdale: 226 watts. How can attacker see timings? How can attacker choose inputs Is “280 security” really 285? 275? to influence how secrets Are the individual ops harder than affect timings? Et cetera. single-precision mults? Easier? Can the attack cost be shared The boring-crypto alternative: across targets, as in Logjam? crypto software is built from Every speedup is important. instructions that have no data flow from inputs to timings. “2128 security” is boring. Obviously constant time. Another example: NIST ECC is interesting: “280 security” is interesting. see, e.g., how keys were exposed in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: about 222 watt-years. Ed25519 and X25519: boring. Bluffdale: 226 watts. Is “280 security” really 285? 275? Are the individual ops harder than single-precision mults? Easier? Can the attack cost be shared across targets, as in Logjam? Every speedup is important. “2128 security” is boring. Another example: NIST ECC is interesting: “280 security” is interesting. see, e.g., how keys were exposed in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: about 222 watt-years. Ed25519 and X25519: boring. Bluffdale: 226 watts. Crypto “agility” is interesting: Is “280 security” really 285? 275? expands the attack surface, Are the individual ops harder than complicates implementations, single-precision mults? Easier? complicates security analysis. Can the attack cost be shared One True Cipher Suite: boring. across targets, as in Logjam? Every speedup is important. “2128 security” is boring. Another example: NIST ECC is interesting: “280 security” is interesting. see, e.g., how keys were exposed in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: about 222 watt-years. Ed25519 and X25519: boring. Bluffdale: 226 watts. Crypto “agility” is interesting: Is “280 security” really 285? 275? expands the attack surface, Are the individual ops harder than complicates implementations, single-precision mults? Easier? complicates security analysis. Can the attack cost be shared One True Cipher Suite: boring. across targets, as in Logjam? Every speedup is important. Incorrect software: interesting. “2128 security” is boring. Correct software: boring. Can boring-crypto researchers actually ensure correctness? Another example: NIST ECC is interesting: Bugs triggered by very rare inputs “280 security” is interesting. see, e.g., how keys were exposed usually aren’t caught by testing. in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: about 222 watt-years. Ed25519 and X25519: boring. Bluffdale: 226 watts. Crypto “agility” is interesting: Is “280 security” really 285? 275? expands the attack surface, Are the individual ops harder than complicates implementations, single-precision mults? Easier? complicates security analysis. Can the attack cost be shared One True Cipher Suite: boring. across targets, as in Logjam? Every speedup is important. Incorrect software: interesting. “2128 security” is boring. Correct software: boring. Can boring-crypto researchers actually ensure correctness? Another example: NIST ECC is interesting: Bugs triggered by very rare inputs “280 security” is interesting. see, e.g., how keys were exposed usually aren’t caught by testing. in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: about 222 watt-years. Ed25519 and X25519: boring. Bluffdale: 226 watts. Crypto “agility” is interesting: Is “280 security” really 285? 275? expands the attack surface, Are the individual ops harder than complicates implementations, single-precision mults? Easier? complicates security analysis. Can the attack cost be shared One True Cipher Suite: boring. across targets, as in Logjam? Every speedup is important. Incorrect software: interesting. “2128 security” is boring. Correct software: boring. Can boring-crypto researchers actually ensure correctness? Another example: NIST ECC is interesting: Bugs triggered by very rare inputs “280 security” is interesting. see, e.g., how keys were exposed usually aren’t caught by testing. in PS3 ECDSA and Java ECDH. 280 mults on mass-market GPUs: about 222 watt-years. Ed25519 and X25519: boring. Bluffdale: 226 watts. Crypto “agility” is interesting: Is “280 security” really 285? 275? expands the attack surface, Are the individual ops harder than complicates implementations, single-precision mults? Easier? complicates security analysis. Can the attack cost be shared One True Cipher Suite: boring. across targets, as in Logjam? Every speedup is important. Incorrect software: interesting. “2128 security” is boring. Correct software: boring. Can boring-crypto researchers actually ensure correctness? NIST ECC is interesting: Bugs triggered by very rare inputs see, e.g., how keys were exposed usually aren’t caught by testing. in PS3 ECDSA and Java ECDH. Ed25519 and X25519: boring.

Crypto “agility” is interesting: expands the attack surface, complicates implementations, complicates security analysis. One True Cipher Suite: boring. Incorrect software: interesting.

Correct software: boring. Can boring-crypto researchers actually ensure correctness? NIST ECC is interesting: Bugs triggered by very rare inputs see, e.g., how keys were exposed usually aren’t caught by testing. in PS3 ECDSA and Java ECDH. Block-cipher implementations Ed25519 and X25519: boring. typically have no such bugs. Crypto “agility” is interesting: expands the attack surface, complicates implementations, complicates security analysis. One True Cipher Suite: boring. Incorrect software: interesting.

Correct software: boring. Can boring-crypto researchers actually ensure correctness? NIST ECC is interesting: Bugs triggered by very rare inputs see, e.g., how keys were exposed usually aren’t caught by testing. in PS3 ECDSA and Java ECDH. Block-cipher implementations Ed25519 and X25519: boring. typically have no such bugs. Crypto “agility” is interesting: Much bigger issue for bigint expands the attack surface, software. Integers are split into complicates implementations, “limbs” stored in CPU words; complicates security analysis. typical tests fail to find extreme values of limbs, fail to catch slight One True Cipher Suite: boring. overflows inside arithmetic. Incorrect software: interesting.

Correct software: boring. Can boring-crypto researchers actually ensure correctness? NIST ECC is interesting: Bugs triggered by very rare inputs see, e.g., how keys were exposed usually aren’t caught by testing. in PS3 ECDSA and Java ECDH. Block-cipher implementations Ed25519 and X25519: boring. typically have no such bugs. Crypto “agility” is interesting: Much bigger issue for bigint expands the attack surface, software. Integers are split into complicates implementations, “limbs” stored in CPU words; complicates security analysis. typical tests fail to find extreme values of limbs, fail to catch slight One True Cipher Suite: boring. overflows inside arithmetic. Incorrect software: interesting. 2011 Brumley–Barbosa–Page– Correct software: boring. Vercauteren exploited a Can boring-crypto researchers limb overflow in OpenSSL. actually ensure correctness? NIST ECC is interesting: Bugs triggered by very rare inputs Typically these limb overflows see, e.g., how keys were exposed usually aren’t caught by testing. are caught by careful audits. in PS3 ECDSA and Java ECDH. Can this be automated? Block-cipher implementations Ed25519 and X25519: boring. typically have no such bugs. Crypto “agility” is interesting: Much bigger issue for bigint expands the attack surface, software. Integers are split into complicates implementations, “limbs” stored in CPU words; complicates security analysis. typical tests fail to find extreme values of limbs, fail to catch slight One True Cipher Suite: boring. overflows inside arithmetic. Incorrect software: interesting. 2011 Brumley–Barbosa–Page– Correct software: boring. Vercauteren exploited a Can boring-crypto researchers limb overflow in OpenSSL. actually ensure correctness? NIST ECC is interesting: Bugs triggered by very rare inputs Typically these limb overflows see, e.g., how keys were exposed usually aren’t caught by testing. are caught by careful audits. in PS3 ECDSA and Java ECDH. Can this be automated? Block-cipher implementations Ed25519 and X25519: boring. typically have no such bugs. Crypto “agility” is interesting: Much bigger issue for bigint expands the attack surface, software. Integers are split into complicates implementations, “limbs” stored in CPU words; complicates security analysis. typical tests fail to find extreme values of limbs, fail to catch slight One True Cipher Suite: boring. overflows inside arithmetic. Incorrect software: interesting. 2011 Brumley–Barbosa–Page– Correct software: boring. Vercauteren exploited a Can boring-crypto researchers limb overflow in OpenSSL. actually ensure correctness? NIST ECC is interesting: Bugs triggered by very rare inputs Typically these limb overflows see, e.g., how keys were exposed usually aren’t caught by testing. are caught by careful audits. in PS3 ECDSA and Java ECDH. Can this be automated? Block-cipher implementations Ed25519 and X25519: boring. typically have no such bugs. Crypto “agility” is interesting: Much bigger issue for bigint expands the attack surface, software. Integers are split into complicates implementations, “limbs” stored in CPU words; complicates security analysis. typical tests fail to find extreme values of limbs, fail to catch slight One True Cipher Suite: boring. overflows inside arithmetic. Incorrect software: interesting. 2011 Brumley–Barbosa–Page– Correct software: boring. Vercauteren exploited a Can boring-crypto researchers limb overflow in OpenSSL. actually ensure correctness? Bugs triggered by very rare inputs Typically these limb overflows usually aren’t caught by testing. are caught by careful audits. Can this be automated? Block-cipher implementations typically have no such bugs. Much bigger issue for bigint software. Integers are split into “limbs” stored in CPU words; typical tests fail to find extreme values of limbs, fail to catch slight overflows inside arithmetic.

2011 Brumley–Barbosa–Page– Vercauteren exploited a limb overflow in OpenSSL. Bugs triggered by very rare inputs Typically these limb overflows usually aren’t caught by testing. are caught by careful audits. Can this be automated? Block-cipher implementations typically have no such bugs. 2014 Chen–Hsu–Lin–Schwabe– Tsai–Wang–Yang–Yang “Verifying Much bigger issue for bigint Curve25519 software”: proof of software. Integers are split into correctness of thousands of lines “limbs” stored in CPU words; of asm for X25519 main loop. typical tests fail to find extreme values of limbs, fail to catch slight overflows inside arithmetic.

2011 Brumley–Barbosa–Page– Vercauteren exploited a limb overflow in OpenSSL. Bugs triggered by very rare inputs Typically these limb overflows usually aren’t caught by testing. are caught by careful audits. Can this be automated? Block-cipher implementations typically have no such bugs. 2014 Chen–Hsu–Lin–Schwabe– Tsai–Wang–Yang–Yang “Verifying Much bigger issue for bigint Curve25519 software”: proof of software. Integers are split into correctness of thousands of lines “limbs” stored in CPU words; of asm for X25519 main loop. typical tests fail to find extreme values of limbs, fail to catch slight Still very far from automatic: overflows inside arithmetic. huge portion of proof was checked by computer but written by hand. 2011 Brumley–Barbosa–Page– Vercauteren exploited a Per proof: many hours of CPU limb overflow in OpenSSL. time; many hours of human time. Bugs triggered by very rare inputs Typically these limb overflows 2015 Bernstein–Schwabe usually aren’t caught by testing. are caught by careful audits. gfverif, in progress: Can this be automated? far less time per proof. Block-cipher implementations Usable part of development typically have no such bugs. 2014 Chen–Hsu–Lin–Schwabe– process for ECC software. Tsai–Wang–Yang–Yang “Verifying Much bigger issue for bigint Curve25519 software”: proof of Latest news: finished proving software. Integers are split into correctness of thousands of lines correctness for ref10 “limbs” stored in CPU words; of asm for X25519 main loop. implementation of X25519. typical tests fail to find extreme values of limbs, fail to catch slight Still very far from automatic: CPU time per proof: overflows inside arithmetic. huge portion of proof was checked 141 seconds on my laptop. by computer but written by hand. 2011 Brumley–Barbosa–Page– Human time per proof: Vercauteren exploited a Per proof: many hours of CPU annotations for each field op. limb overflow in OpenSSL. time; many hours of human time. Working on automating this. Bugs triggered by very rare inputs Typically these limb overflows 2015 Bernstein–Schwabe usually aren’t caught by testing. are caught by careful audits. gfverif, in progress: Can this be automated? far less time per proof. Block-cipher implementations Usable part of development typically have no such bugs. 2014 Chen–Hsu–Lin–Schwabe– process for ECC software. Tsai–Wang–Yang–Yang “Verifying Much bigger issue for bigint Curve25519 software”: proof of Latest news: finished proving software. Integers are split into correctness of thousands of lines correctness for ref10 “limbs” stored in CPU words; of asm for X25519 main loop. implementation of X25519. typical tests fail to find extreme values of limbs, fail to catch slight Still very far from automatic: CPU time per proof: overflows inside arithmetic. huge portion of proof was checked 141 seconds on my laptop. by computer but written by hand. 2011 Brumley–Barbosa–Page– Human time per proof: Vercauteren exploited a Per proof: many hours of CPU annotations for each field op. limb overflow in OpenSSL. time; many hours of human time. Working on automating this. Bugs triggered by very rare inputs Typically these limb overflows 2015 Bernstein–Schwabe usually aren’t caught by testing. are caught by careful audits. gfverif, in progress: Can this be automated? far less time per proof. Block-cipher implementations Usable part of development typically have no such bugs. 2014 Chen–Hsu–Lin–Schwabe– process for ECC software. Tsai–Wang–Yang–Yang “Verifying Much bigger issue for bigint Curve25519 software”: proof of Latest news: finished proving software. Integers are split into correctness of thousands of lines correctness for ref10 “limbs” stored in CPU words; of asm for X25519 main loop. implementation of X25519. typical tests fail to find extreme values of limbs, fail to catch slight Still very far from automatic: CPU time per proof: overflows inside arithmetic. huge portion of proof was checked 141 seconds on my laptop. by computer but written by hand. 2011 Brumley–Barbosa–Page– Human time per proof: Vercauteren exploited a Per proof: many hours of CPU annotations for each field op. limb overflow in OpenSSL. time; many hours of human time. Working on automating this. Typically these limb overflows 2015 Bernstein–Schwabe are caught by careful audits. gfverif, in progress: Can this be automated? far less time per proof. Usable part of development 2014 Chen–Hsu–Lin–Schwabe– process for ECC software. Tsai–Wang–Yang–Yang “Verifying Curve25519 software”: proof of Latest news: finished proving correctness of thousands of lines correctness for ref10 of asm for X25519 main loop. implementation of X25519.

Still very far from automatic: CPU time per proof: huge portion of proof was checked 141 seconds on my laptop. by computer but written by hand. Human time per proof: Per proof: many hours of CPU annotations for each field op. time; many hours of human time. Working on automating this.