Horizontal PDF Slides

Speed, speed, speed

D. J. Bernstein
University of Illinois at Chicago; Ruhr University Bochum

Reporting some recent symmetric-speed discussions, especially from RWC 2020.

Not included in this talk:
  • NISTLWC.
  • Short inputs.
  • FHE/MPC ciphers.

$1000 TCR hashing competition

Crowley: “I have a problem where I need to make some cryptography faster, and I’m setting up a $1000 competition funded from my own pocket for work towards the solution.”

Not fast enough: Signing H(M), where M is a long message.

“[On a] 900MHz Cortex-A7 [SHA-256] takes 28.86 cpb ... BLAKE2b is nearly twice as fast ... However, this is still a lot slower than I’m happy with.”

Instead choose random R and sign (R, H(R, M)).

Note that H needs only “TCR”, not full collision resistance. Does this allow faster H design? TCR breaks how many rounds?

“As far as I know, no-one has ever proposed a TCR as a primitive, designed to be faster than existing hash functions, and that’s what I need.”

More desiderata: tree hash, new tweak at each vertex, multi-message security.

Aumasson, “Too much crypto”

70%, 23%, 35%, 21% rounds or 50%, 8%, 25%, 20% rounds of AES-128/B2b/ChaCha20/SHA-3 are “broken” or “practically broken”.

“Inconsistent security margins”.
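The signing step from the slides, choose random R and sign (R, H(R, M)), as an added example (not code from the talk or from Crowley's competition). Keyed BLAKE2b stands in for the TCR function H, a Lamport one-time signature stands in for the signature scheme, and `R_LEN`, `H_LEN` and all function names are assumptions.

```python
import hashlib
import secrets

R_LEN = 16   # assumed length of R in bytes; the slides do not fix one
H_LEN = 32   # assumed digest length in bytes

def tcr_hash(R: bytes, M: bytes) -> bytes:
    """H(R, M): BLAKE2b keyed with R, standing in for a TCR function."""
    return hashlib.blake2b(M, key=R, digest_size=H_LEN).digest()

def _bits(data: bytes):
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def keygen():
    """Lamport one-time key pair: one secret pair per bit of R || H(R, M)."""
    n = 8 * (R_LEN + H_LEN)
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def sign(sk, M: bytes):
    """Sign the short string (R, H(R, M)) instead of an unkeyed H(M)."""
    R = secrets.token_bytes(R_LEN)      # fresh per signature, picked by the signer
    target = R + tcr_hash(R, M)         # the only pass over the long message
    return R, [sk[i][b] for i, b in enumerate(_bits(target))]

def verify(pk, M: bytes, sig) -> bool:
    R, revealed = sig
    if len(R) != R_LEN or len(revealed) != len(pk):
        return False
    target = R + tcr_hash(R, M)         # recomputed from the R carried in the signature
    return all(hashlib.sha256(revealed[i]).digest() == pk[i][b]
               for i, b in enumerate(_bits(target)))

if __name__ == "__main__":
    sk, pk = keygen()                   # one-time key: sign a single message with it
    M = b"constructed long message " * 4096
    sig = sign(sk, M)
    print(verify(pk, M, sig), verify(pk, M + b"!", sig))
```

Because the signer picks R only after M is fixed, a forger has to match H(R, M) for an R it did not choose, which is the TCR setting the slides refer to.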
