1 2 Speed, speed, speed $1000 TCR hashing competition D. J. Bernstein Crowley: “I have a problem where I need to make some University of Illinois at Chicago; cryptography faster, and I’m Ruhr University Bochum setting up a $1000 competition funded from my own pocket for Reporting some recent work towards the solution.” symmetric-speed discussions, Not fast enough: Signing H(M), especially from RWC 2020. where M is a long message. Not included in this talk: “[On a] 900MHz Cortex-A7 NISTLWC. • [SHA-256] takes 28.86 cpb ::: Short inputs. • BLAKE2b is nearly twice as FHE/MPC ciphers. • fast ::: However, this is still a lot slower than I’m happy with.” 1 2 3 Speed, speed, speed $1000 TCR hashing competition Instead choose random R and sign (R; H(R; M)). D. J. Bernstein Crowley: “I have a problem where I need to make some Note that H needs only “TCR”, University of Illinois at Chicago; cryptography faster, and I’m not full collision resistance. Ruhr University Bochum setting up a $1000 competition Does this allow faster H design? funded from my own pocket for TCR breaks how many rounds? Reporting some recent work towards the solution.” symmetric-speed discussions, Not fast enough: Signing H(M), especially from RWC 2020. where M is a long message. Not included in this talk: “[On a] 900MHz Cortex-A7 NISTLWC. • [SHA-256] takes 28.86 cpb ::: Short inputs. • BLAKE2b is nearly twice as FHE/MPC ciphers. • fast ::: However, this is still a lot slower than I’m happy with.” 1 2 3 Speed, speed, speed $1000 TCR hashing competition Instead choose random R and sign (R; H(R; M)). D. J. Bernstein Crowley: “I have a problem where I need to make some Note that H needs only “TCR”, University of Illinois at Chicago; cryptography faster, and I’m not full collision resistance. Ruhr University Bochum setting up a $1000 competition Does this allow faster H design? funded from my own pocket for TCR breaks how many rounds? Reporting some recent work towards the solution.” symmetric-speed discussions, Not fast enough: Signing H(M), especially from RWC 2020. where M is a long message. Not included in this talk: “[On a] 900MHz Cortex-A7 NISTLWC. • [SHA-256] takes 28.86 cpb ::: Short inputs. • BLAKE2b is nearly twice as FHE/MPC ciphers. • fast ::: However, this is still a lot slower than I’m happy with.” 1 2 3 Speed, speed, speed $1000 TCR hashing competition Instead choose random R and sign (R; H(R; M)). D. J. Bernstein Crowley: “I have a problem where I need to make some Note that H needs only “TCR”, University of Illinois at Chicago; cryptography faster, and I’m not full collision resistance. Ruhr University Bochum setting up a $1000 competition Does this allow faster H design? funded from my own pocket for TCR breaks how many rounds? Reporting some recent work towards the solution.” symmetric-speed discussions, Not fast enough: Signing H(M), especially from RWC 2020. where M is a long message. Not included in this talk: “[On a] 900MHz Cortex-A7 NISTLWC. • [SHA-256] takes 28.86 cpb ::: Short inputs. • BLAKE2b is nearly twice as FHE/MPC ciphers. • fast ::: However, this is still a lot slower than I’m happy with.” 2 3 $1000 TCR hashing competition Instead choose random R and sign (R; H(R; M)). Crowley: “I have a problem where I need to make some Note that H needs only “TCR”, cryptography faster, and I’m not full collision resistance. setting up a $1000 competition Does this allow faster H design? funded from my own pocket for TCR breaks how many rounds? work towards the solution.” Not fast enough: Signing H(M), where M is a long message. “[On a] 900MHz Cortex-A7 [SHA-256] takes 28.86 cpb ::: BLAKE2b is nearly twice as fast ::: However, this is still a lot slower than I’m happy with.” 2 3 $1000 TCR hashing competition Instead choose random R and sign (R; H(R; M)). Crowley: “I have a problem where I need to make some Note that H needs only “TCR”, cryptography faster, and I’m not full collision resistance. setting up a $1000 competition Does this allow faster H design? funded from my own pocket for TCR breaks how many rounds? work towards the solution.” “As far as I know, no-one Not fast enough: Signing H(M), has ever proposed a TCR as a where M is a long message. primitive, designed to be faster than existing hash functions, “[On a] 900MHz Cortex-A7 and that’s what I need.” [SHA-256] takes 28.86 cpb ::: BLAKE2b is nearly twice as fast ::: However, this is still a lot slower than I’m happy with.” 2 3 $1000 TCR hashing competition Instead choose random R and sign (R; H(R; M)). Crowley: “I have a problem where I need to make some Note that H needs only “TCR”, cryptography faster, and I’m not full collision resistance. setting up a $1000 competition Does this allow faster H design? funded from my own pocket for TCR breaks how many rounds? work towards the solution.” “As far as I know, no-one Not fast enough: Signing H(M), has ever proposed a TCR as a where M is a long message. primitive, designed to be faster than existing hash functions, “[On a] 900MHz Cortex-A7 and that’s what I need.” [SHA-256] takes 28.86 cpb ::: BLAKE2b is nearly twice as More desiderata: tree hash, fast ::: However, this is still a new tweak at each vertex, lot slower than I’m happy with.” multi-message security. 2 3 4 $1000 TCR hashing competition Instead choose random R Aumasson, “Too much crypto” and sign (R; H(R; M)). Crowley: “I have a problem 70%, 23%, 35%, 21% rounds or where I need to make some Note that H needs only “TCR”, 50%, 8%, 25%, 20% rounds of cryptography faster, and I’m not full collision resistance. AES-128/B2b/ChaCha20/SHA-3 setting up a $1000 competition Does this allow faster H design? are “broken” or “practically broken”. funded from my own pocket for TCR breaks how many rounds? “Inconsistent security margins”. work towards the solution.” “As far as I know, no-one Not fast enough: Signing H(M), has ever proposed a TCR as a where M is a long message. primitive, designed to be faster than existing hash functions, “[On a] 900MHz Cortex-A7 and that’s what I need.” [SHA-256] takes 28.86 cpb ::: BLAKE2b is nearly twice as More desiderata: tree hash, fast ::: However, this is still a new tweak at each vertex, lot slower than I’m happy with.” multi-message security. 2 3 4 $1000 TCR hashing competition Instead choose random R Aumasson, “Too much crypto” and sign (R; H(R; M)). Crowley: “I have a problem 70%, 23%, 35%, 21% rounds or where I need to make some Note that H needs only “TCR”, 50%, 8%, 25%, 20% rounds of cryptography faster, and I’m not full collision resistance. AES-128/B2b/ChaCha20/SHA-3 setting up a $1000 competition Does this allow faster H design? are “broken” or “practically broken”. funded from my own pocket for TCR breaks how many rounds? “Inconsistent security margins”. work towards the solution.” “As far as I know, no-one Not fast enough: Signing H(M), has ever proposed a TCR as a where M is a long message. primitive, designed to be faster than existing hash functions, “[On a] 900MHz Cortex-A7 and that’s what I need.” [SHA-256] takes 28.86 cpb ::: BLAKE2b is nearly twice as More desiderata: tree hash, fast ::: However, this is still a new tweak at each vertex, lot slower than I’m happy with.” multi-message security. 2 3 4 $1000 TCR hashing competition Instead choose random R Aumasson, “Too much crypto” and sign (R; H(R; M)). Crowley: “I have a problem 70%, 23%, 35%, 21% rounds or where I need to make some Note that H needs only “TCR”, 50%, 8%, 25%, 20% rounds of cryptography faster, and I’m not full collision resistance. AES-128/B2b/ChaCha20/SHA-3 setting up a $1000 competition Does this allow faster H design? are “broken” or “practically broken”. funded from my own pocket for TCR breaks how many rounds? “Inconsistent security margins”. work towards the solution.” “As far as I know, no-one Not fast enough: Signing H(M), has ever proposed a TCR as a where M is a long message. primitive, designed to be faster than existing hash functions, “[On a] 900MHz Cortex-A7 and that’s what I need.” [SHA-256] takes 28.86 cpb ::: BLAKE2b is nearly twice as More desiderata: tree hash, fast ::: However, this is still a new tweak at each vertex, lot slower than I’m happy with.” multi-message security. 3 4 Instead choose random R Aumasson, “Too much crypto” and sign (R; H(R; M)). 70%, 23%, 35%, 21% rounds or Note that H needs only “TCR”, 50%, 8%, 25%, 20% rounds of not full collision resistance. AES-128/B2b/ChaCha20/SHA-3 Does this allow faster H design? are “broken” or “practically broken”. TCR breaks how many rounds? “Inconsistent security margins”. “As far as I know, no-one has ever proposed a TCR as a primitive, designed to be faster than existing hash functions, and that’s what I need.” More desiderata: tree hash, new tweak at each vertex, multi-message security. 3 4 Instead choose random R Aumasson, “Too much crypto” and sign (R; H(R; M)).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages55 Page
-
File Size-