0:00:00.000,0:00:04.010 In this segment, I want to give a few[br]examples of stream ciphers that are used in practice. 0:00:04.010,0:00:07.072 I'm gonna start with two old[br]examples that actually are not 0:00:07.072,0:00:11.017 supposed to be used in new systems.[br]But nevertheless, they're still fairly 0:00:11.017,0:00:14.164 widely used, and so I just want to mention[br]the names so that you're familiar with 0:00:14.164,0:00:19.087 these concepts. The first stream cipher I[br]want to talk about is called RC4, designed 0:00:19.087,0:00:23.429 back in 1987. And I'm only gonna give you[br]the high-level description of it, and then 0:00:23.429,0:00:27.818 we'll talk about some weaknesses of RC4[br]and leave it at that. So RC4 takes a 0:00:27.818,0:00:32.702 variable size seed, here I just gave[br]as an example where it would take 128 0:00:32.702,0:00:36.980 bits as the seed size, which would then[br]be used as the key for the stream cipher. 0:00:36.980,0:00:41.738 The first thing it does, is it expands the[br]128-bit secret key into 2,048 bits, which 0:00:41.738,0:00:46.382 are gonna be used as the internal state[br]for the generator. And then, once it's done 0:00:46.382,0:00:51.197 this expansion, it basically executes a[br]very simple loop, where every iteration of 0:00:51.197,0:00:55.898 this loop outputs one byte of output. So,[br]essentially, you can run the generator for 0:00:55.898,0:01:00.653 as long as you want, and generate one byte[br]at a time. Now RC4 is actually, as I said, 0:01:00.653,0:01:05.205 fairly popular. It's used in the HTTPS[br]protocol quite commonly actually. 0:01:05.205,0:01:11.888 These days, for example, Google uses RC4 in its[br]HTTPS. It's also used in WEP as we 0:01:11.888,0:01:15.686 discussed in the last segment, but of[br]course in WEP, it's used incorrectly and 0:01:15.686,0:01:18.861 it's completely insecure the way it's used[br]inside of WEP. So over the years, 0:01:18.861,0:01:23.886 some weaknesses have been found in RC4, and as a[br]result, it's recommended that new projects 0:01:23.886,0:01:28.793 actually not use RC4 but rather use a more[br]modern pseudo-random generator as we'll 0:01:28.793,0:01:34.059 discuss toward the end of the segment. So[br]let me just mention two of the weaknesses. 0:01:34.059,0:01:39.561 So the first one is, it's kind of bizarre[br]basically, if you look at the second byte 0:01:39.561,0:01:44.630 of the output of RC4. It turns out the[br]second byte is slightly biased. If RC4 was 0:01:44.630,0:01:49.780 completely random, the probability that the[br]second byte happens to be equal to zero 0:01:49.780,0:01:54.744 would be exactly one over 256. There are[br]256 possible bytes, the probability that 0:01:54.744,0:01:59.646 it's zero should be one over 256. It so[br]happens that for RC4 the probability is 0:01:59.646,0:02:04.486 actually two over 256, which means that if[br]you use the RC4 output to encrypt a 0:02:04.486,0:02:09.574 message the second byte is likely to not[br]be encrypted at all. In other words it'll 0:02:09.574,0:02:14.575 be XOR-ed with zero with twice the[br]probability that it's supposed to. 0:02:14.575,0:02:19.436 So two over 256, instead of one over 256.[br]And by the way I should say that there's 0:02:19.436,0:02:22.849 nothing special about the second byte. It[br]turns out the first and the third bytes 0:02:22.849,0:02:27.818 are also biased. And in fact it's now[br]recommended that if you're gonna use RC4, 0:02:27.818,0:02:32.800 what you should do is ignore basically the[br]first 256 bytes of the output and just 0:02:32.800,0:02:37.246 start using the output of the generator[br]starting from byte 257. The first couple 0:02:37.246,0:02:41.241 of bytes turned out to be biased, so you[br]just ignore them. The second attack that 0:02:41.241,0:02:48.482 was discovered is that in fact if you look[br]at a very long output of RC4 it so happens 0:02:48.482,0:02:53.863 that you're more likely to get the[br]sequence 00. In other words, you're more 0:02:53.863,0:02:58.970 likely to get sixteen bits, two bytes of[br]zero, zero, than you should. Again, if RC4 0:02:58.970,0:03:03.948 was completely random the probability of[br]seeing zero, zero would be exactly 1/256 0:03:03.948,0:03:08.556 squared. It turns out RC4 is a little[br]biased and the bias is 1/256 cubed. It 0:03:08.556,0:03:13.718 turns out this bias actually starts after[br]several gigabytes of data are produced by 0:03:13.718,0:03:18.634 RC4. But nevertheless, this is something[br]that can be used to predict the generator 0:03:18.634,0:03:23.120 and definitely it can be used to[br]distinguish the output of the generator 0:03:23.120,0:03:28.097 from a truly random sequence. Basically the[br]fact that zero, zero appears more often 0:03:28.097,0:03:32.414 than it should is the distinguisher. And[br]then in the last segment we talked about 0:03:32.414,0:03:36.313 related-key attacks that were used to[br]attack WEP, that basically say that 0:03:36.313,0:03:41.078 if one uses keys that are closely related[br]to one another then it's actually possible 0:03:41.078,0:03:45.732 to recover the root key. So these are the[br]weaknesses that are known of RC4 and, as a 0:03:45.732,0:03:50.217 result, it's recommended that new systems[br]actually not use RC4 and instead use a 0:03:50.217,0:03:54.421 modern pseudo-random generator. Okay,[br]second example I want to give you is a 0:03:54.421,0:03:59.131 badly broken stream cipher that's used for[br]encrypting DVD movies. When you buy a DVD 0:03:59.131,0:04:03.504 in the store, the actual movie is[br]encrypted using a stream cipher called the 0:04:03.504,0:04:07.933 content scrambling system, CSS. CSS turns[br]out to be a badly broken stream cipher, 0:04:07.933,0:04:12.523 and we can very easily break it, and I[br]want to show you how the attack algorithm 0:04:12.523,0:04:16.894 works. We're doing it so you can see an[br]example of an attack algorithm, but in 0:04:16.894,0:04:21.435 fact, there are many systems out there[br]that basically use this attack to decrypt 0:04:21.435,0:04:25.749 encrypted DVDs. So the CSS stream cipher[br]is based on something that hardware 0:04:25.749,0:04:30.291 designers like. It's designed to be a[br]hardware stream cipher that is supposed to 0:04:30.291,0:04:34.491 be easy to implement in hardware, and is[br]based on a mechanism called a linear 0:04:34.491,0:04:38.749 feedback shift register. So a linear[br]feedback shift register is basically a register 0:04:38.749,0:04:43.801 that consists of cells where[br]each cell contains one bit. Then basically 0:04:43.801,0:04:49.046 what happens is there are these taps into[br]certain cells, not all the cells, certain 0:04:49.046,0:04:54.134 positions are called taps. And then these[br]taps feed into an XOR and then at 0:04:54.134,0:04:59.053 every clock cycle, the shift register[br]shifts to the left. The last bit falls off 0:04:59.053,0:05:04.345 and then the first bit becomes the result[br]of this XOR. So you can see that 0:05:04.345,0:05:08.703 this is a very simple mechanism to implement, and in hardware takes very few 0:05:08.703,0:05:13.622 transistors. Just the shift right, the[br]last bit falls off and the first bit just 0:05:13.622,0:05:18.541 becomes the XOR of the previous[br]bits. So the seed for this LFSR 0:05:18.541,0:05:23.460 basically, is the initial state of the[br]LFSR. 0:05:23.650,0:05:28.538 And it is the basis of a number of stream[br]ciphers. So here are some examples. So, as 0:05:28.538,0:05:33.362 I said, DVD encryption uses two LFSRs.[br]I'll show you how that works in just a 0:05:33.362,0:05:38.060 second. GSM encryption, these are[br]algorithms called A51 and A52. And that 0:05:38.060,0:05:43.456 uses three LFSRs. Bluetooth encryption is[br]an algorithm called, E zero. These are all 0:05:43.456,0:05:48.534 stream ciphers, and that uses four LFSRs.[br]Turns out all of these are badly broken, 0:05:48.534,0:05:53.245 and actually really should not be trusted[br]for encrypting traffic, but they're all 0:05:53.245,0:05:56.705 implemented in hardware, so it's a little[br]difficult now to change what the hardware 0:05:56.705,0:06:01.047 does. But the simplest of these, CSS,[br]actually has a cute attack on it, so let 0:06:01.047,0:06:05.459 me show you how the attack works. So,[br]let's describe how CSS actually works. So, 0:06:05.459,0:06:11.073 the key for CSS is five bytes, namely 40[br]bits, five times eight is 40 bits. The 0:06:11.073,0:06:15.587 reason they had to limit themselves to[br]only 40 bits is that DVD encryption was 0:06:15.587,0:06:19.941 designed at a time where U.S. Export[br]regulations only allowed for export of 0:06:19.941,0:06:25.086 crpyto algorithms where the key was[br]only 40 bits. So the designers of CSS were 0:06:25.086,0:06:30.206 already limited to very, very short keys.[br]Just 40 bit keys. So, their design works 0:06:30.206,0:06:35.398 as follows. Basically, CSS uses two[br]LFSR's. One is a 17-bit LFSR. In other words, 0:06:35.398,0:06:40.806 the register contains[br]17 bits. And the other one is a 25-bit LFSR, 0:06:40.806,0:06:46.647 it's a little bit longer, 25-bit[br]LFSR. And the way these LFSRs are seeded 0:06:46.647,0:06:51.870 is as follows. So the key for the[br]encryption, basically looks as follows. 0:06:51.870,0:06:57.669 You start off with a one, and you concatenate to it the first two bytes of 0:06:57.669,0:07:02.947 the key. And that's the initial state of the LFSR. 0:07:02.947,0:07:08.256 And then the second LFSR basically is intitialized the same way. 0:07:08.256,0:07:14.012 One concatenated the last three bytes of[br]the key. And that's 0:07:14.012,0:07:19.889 loaded into the initial state of the LFSR.[br]You can see that the first two bytes are 0:07:19.889,0:07:25.411 sixteen bits, plus leading one, that's[br]seventeen bits overall, whereas the second 0:07:25.411,0:07:31.217 LFSR is 24 bits plus one which is 25 bits.[br]And you notice we used all five bits of 0:07:31.217,0:07:36.881 the key. So then these LFSRs are basically[br]run for eight cycles, so they generate 0:07:36.881,0:07:42.333 eight bits of output. And then they go[br]through this adder that does basically 0:07:42.333,0:07:48.197 addition modulo 256. Yeah so this is an[br]addition box, modulo 256. There's one more 0:07:48.197,0:07:54.325 technical thing that happens. In fact let's[br]actually—also added is the carry from the 0:07:54.325,0:07:59.723 previous block. But that is not so[br]important. That's a detail that's not so 0:07:59.723,0:08:04.761 relevant. OK, so every block, you notice[br]we're doing addition modulo 256 and 0:08:04.761,0:08:09.982 we're ignoring the carry, but the carry is[br]basically added as a zero or a one to the 0:08:09.982,0:08:15.147 addition of the next block. Okay? And then[br]basically this output one byte per round. 0:08:15.147,0:08:20.411 Okay, and then this byte is then of course[br]used, XOR-ed with the appropriate 0:08:20.411,0:08:25.167 byte of the movie that's being encrypted.[br]Okay, so it's a very simple stream 0:08:25.167,0:08:29.986 cipher, it takes very little hardware to[br]implement. It will run fast, even on very 0:08:29.986,0:08:35.830 cheap hardware and it will encrypt movies.[br]So it turns out this is easy to break 0:08:35.830,0:08:41.222 in time roughly two to the seventeen. Now let me show you how. 0:08:41.222,0:08:45.734 So suppose you[br]intercept the movies, so here we have an 0:08:45.734,0:08:50.647 encrypted movie that you want to decrypt.[br]So let's say that this is all encrypted so 0:08:50.647,0:08:55.279 you have no idea what's inside of here.[br]However, it so happens that just because 0:08:55.279,0:08:59.970 DVD encryption is using MPEG files, it so[br]happens if you know of a prefix of the 0:08:59.970,0:09:04.250 plaintext, let's just say maybe this is[br]twenty bytes. Well, we know if you 0:09:04.250,0:09:08.589 XOR these two things together, so in other words, you do the XOR here, 0:09:08.589,0:09:13.523 what you'll get is the initial segment of the PRG. So, you'll get the 0:09:13.523,0:09:18.472 first twenty bytes of the output of CSS,[br]the output of this PRG. Okay, so now 0:09:18.472,0:09:23.986 here's what we're going to do. So we have[br]the first twenty bytes of the output. Now 0:09:23.986,0:09:31.405 we do the following. We try all two to the[br]seventeen possible values of the first 0:09:31.405,0:09:37.088 LFSR. Okay? So two to the seventeen[br]possible values. So for each value, so for 0:09:37.088,0:09:42.622 each of these two to the seventeen initial[br]values of the LFSR, we're gonna run the 0:09:42.622,0:09:47.953 LFSR for twenty bytes, okay? So we'll[br]generate twenty bytes of outputs from this 0:09:47.953,0:09:53.284 first LFSR, assuming—for each one of the[br]two to the seventeen possible settings. 0:09:53.284,0:09:58.615 Now, remember we have the full output of[br]the CSS system. So what we can do is we 0:09:58.615,0:10:03.814 can take this output that we have. And[br]subtract it from the twenty bites that we 0:10:03.814,0:10:08.928 got from the first LFSR, and if in fact our[br]guess for the initial state of the first 0:10:08.928,0:10:14.042 LFSR is correct, what we should get[br]is the first twenty-byte output of the 0:10:14.042,0:10:19.222 second LFSR. Right? Because that's by[br]definition what the output of the CSS 0:10:19.222,0:10:24.501 system is. Now, it turns out that looking[br]at a 20-byte sequence, it's very easy 0:10:24.501,0:10:29.763 to tell whether this 20-byte sequence[br]came from a 25-bit LFSR or not. If it 0:10:29.763,0:10:33.561 didn't, then we know that our guess[br]for the 17-bit LFSR was 0:10:33.561,0:10:37.416 incorrect and then we move on to the next[br]guess for the 17-bit LFSR and 0:10:37.416,0:10:41.904 the next guess and so on and so forth.[br]Until eventually we hit the right initial 0:10:41.904,0:10:46.937 state for the 17-bit LFSR, and[br]then we'll actually get, we'll see that 0:10:46.937,0:10:51.969 the 20 bytes that we get as the[br]candidate output for the 25-bit LFSR is 0:10:51.969,0:10:56.936 in fact a possible output for a 25-bit LFSR. And then, not only will we have 0:10:56.936,0:11:02.164 learned the correct initial state for the[br]17-bit LFSR, we will have also 0:11:02.164,0:11:07.523 learned the correct initial state of the[br]25-bit LFSR. And then we can predict the 0:11:07.523,0:11:12.796 remaining outputs of CSS, and of course,[br]using that, we can then decrypt the rest of 0:11:12.796,0:11:17.565 the movie. We can actually recover the[br]remaining plaintext. Okay. This is 0:11:17.565,0:11:22.335 things that we talked about before. So, I[br]said this a little quick, but hopefully, 0:11:22.335,0:11:27.331 it was clear. We're also going to be doing[br]a homework exercise on this type of stream 0:11:27.331,0:11:31.444 ciphers and you'll kind of get the point[br]of how these attack algorithms 0:11:31.444,0:11:36.018 work. And I should mention that there are[br]many open-source systems now that actually 0:11:36.018,0:11:41.453 use this method to decrypt CSS-encrypted[br]data. Okay, so now that we've seen two 0:11:41.453,0:11:45.888 weak examples, let's move on to better[br]examples, and in particular the better 0:11:45.888,0:11:49.370 pseudo-random generators come from what's[br]called the eStream Project. This is a 0:11:49.370,0:11:55.556 project that concluded in 2008, and they[br]qualify basically five different stream 0:11:55.556,0:12:00.207 ciphers, but here I want to present just[br]one. So first of all the parameters for 0:12:00.207,0:12:04.029 these stream ciphers are a little[br]different than what we're used to. So these 0:12:04.029,0:12:08.340 stream ciphers as normal they have a seed.[br]But in addition they also have, what's 0:12:08.340,0:12:12.821 called a nonce and we'll see what a[br]nonce is used for in just a minute. So 0:12:12.821,0:12:17.487 they take two inputs a seed and a nonce.[br]We'll see what the nonce is used for in 0:12:17.487,0:12:21.274 just a second. And the of course they[br]produce a very large output, so n here is 0:12:21.274,0:12:26.603 much, much, much bigger than s. Now, when[br]I say nonce, what I mean is a value that's 0:12:26.603,0:12:31.218 never going to repeat as long as the key[br]is fixed. And I'll explain that in more 0:12:31.218,0:12:35.400 detail in just a second. But for now, just[br]think of it as a unique value that never 0:12:35.400,0:12:40.527 repeats as long as the key is the same.[br]And so of course once you have this PRG, 0:12:40.527,0:12:45.357 you would encrypt, you get a stream cipher[br]just as before, except now as you see, the 0:12:45.357,0:12:49.955 PRG takes as input both the key and the[br]nonce. And the property of the nonce is 0:12:49.955,0:12:56.350 that the pair, k comma r, so the key comma[br]the nonce, is never—never repeats. It's 0:12:56.350,0:13:03.096 never used more than once. So the bottom[br]line is that you can reuse the key, reuse 0:13:03.096,0:13:09.710 the key, because the nonce makes the[br]pair unique, because k and r are only 0:13:09.710,0:13:16.135 used once. I'll say they're unique. Okay[br]so this nonce is kind of a cute trick that 0:13:16.135,0:13:21.541 saves us the trouble of moving to a new[br]key every time. Okay, so the particular 0:13:21.541,0:13:26.000 example from the eStream that I want to[br]show you is called Salsa twenty. It's a 0:13:26.000,0:13:30.292 stream cipher that's designed for both[br]software implementations and hardware 0:13:30.292,0:13:33.385 implementations. It's kind of interesting.[br]You realize that some stream ciphers are 0:13:33.385,0:13:38.763 designed for software, like RC4.[br]Everything it does is designed to make 0:13:38.763,0:13:42.689 software implementation run fast, whereas[br]other stream ciphers are designed for 0:13:42.689,0:13:48.143 hardware, like CSS, using an LFSR that's[br]particularly designed to make hardware 0:13:48.143,0:13:50.963 implementations very cheap. It's also, the[br]nice thing about that is that it's 0:13:50.963,0:13:55.008 designed so that it's both easy to[br]implement it in hardware and its software 0:13:55.008,0:13:59.747 implementation is also very fast. So let[br]me explain how Salsa works. Well, Salsa 0:13:59.747,0:14:05.130 takes either 128 or 256-bit keys. I'll[br]only explain the 128-bit version of Salsa. 0:14:05.130,0:14:11.244 So this is the seed. And then it also[br]takes a nonce, just as before, which 0:14:11.244,0:14:15.425 happens to be 64 bits. And then it'll[br]generate a large output. Now, how does it 0:14:15.425,0:14:21.060 actually work? Well, the function itself[br]is defined as follows. Basically, given 0:14:21.060,0:14:26.378 the key and the nonce, it will generate a[br]very long, well, a long pseudorandom 0:14:26.378,0:14:31.222 sequence, as long as necessary. And it'll do[br]it by using this function that I'll denote by 0:14:31.222,0:14:35.653 H. This function H takes three inputs.[br]Basically the key. Well, the seed k, 0:14:35.653,0:14:40.498 the nonce r, and then a counter that[br]increments from step to step. So it goes 0:14:40.498,0:14:45.263 from zero to one, two, three, four as long as[br]we need it to be. Okay? So basically, 0:14:45.263,0:14:49.956 by evaluating this H on this k r, but using[br]this incrementing counter, we can get a 0:14:49.956,0:14:54.882 sequence that's as long as we want. So all[br]I have to do is describe how this function 0:14:54.882,0:14:59.460 H works. Now, let me do that here for you.[br]The way it works is as follows. Well, we 0:14:59.460,0:15:04.693 start off by expanding the states into[br]something quite large which is 64 bytes 0:15:04.693,0:15:10.156 long, and we do that as follows. Basically[br]we stick a constant at the beginning, so 0:15:10.156,0:15:15.552 there's tao zero, these are four bytes,[br]it's a four byte constant, so the spec for 0:15:15.552,0:15:20.611 Salsa basically gives you the value for[br]tao zero. Then we put k in which is 0:15:20.611,0:15:25.467 sixteen bytes. Then we put another[br]constant. Again, this is four bytes. And 0:15:25.467,0:15:30.795 as I said, the spec basically specifies[br]what this fixed constant is. Then we put 0:15:30.795,0:15:37.435 the nonce, which is eight bytes. Then we[br]put the index. This is the counter zero, 0:15:37.435,0:15:43.063 one, two, three, four, which is another[br]eight bytes. Then we put another constant 0:15:43.063,0:15:49.056 tau two, which is another four bytes.[br]Then we put the key again, this is another 0:15:49.056,0:15:54.714 sixteen bytes. And then finally we put the[br]third constant, tau three, which is 0:15:54.714,0:15:59.948 another four bytes. Okay so as I said, if you[br]sum these up, you see that you get 64 0:15:59.948,0:16:05.249 bytes. So basically we've expanded the key[br]and the nonce and the counter into 64 0:16:05.249,0:16:10.886 bytes. Basically the key is repeated twice[br]I guess. And then what we do is we apply a 0:16:10.886,0:16:16.321 function, I'll call this functional little h.[br]Okay, so we apply this function, little h. 0:16:16.321,0:16:21.659 And this is a function that's one to one[br]so it maps 64 bytes to 64 bytes. It's a 0:16:21.659,0:16:26.005 completely invertible function, okay? So[br]this function h is, as I say, it's an 0:16:26.005,0:16:30.260 invertable function. So given the input[br]you can get the output and given the 0:16:30.260,0:16:34.906 output you can go back to the input. And[br]it's designed specifically so it's a- easy 0:16:34.906,0:16:39.553 to implement in hardware and b- on an x86,[br]it's extremely easy to implement because 0:16:39.553,0:16:44.199 x86 has this SSE2 instruction set which[br]supports all the operations you need to do 0:16:44.199,0:16:48.622 for this function. It's very, very fast.[br]As a result, Salsa has a very fast stream 0:16:48.622,0:16:52.764 cipher. And then it does this basically[br]again and again. So it applies this 0:16:52.764,0:16:57.744 function h again and it gets another 64[br]bytes. And so on and so forth, basically 0:16:57.744,0:17:05.318 it does this ten times. Okay so the whole[br]thing here, say repeats ten times, so 0:17:05.318,0:17:17.961 basically apply h ten times. And then by[br]itself, this is actually not quite random. 0:17:17.961,0:17:22.144 It's not gonna look random because like we[br]said, H is completely invertable. So given 0:17:22.144,0:17:25.521 this final output, it's very easy to[br]just invert h and then go back to the original 0:17:25.521,0:17:31.831 inputs and then test that the input has[br]the right structure. So you do one more 0:17:31.831,0:17:36.979 thing, which is to basically XOR the[br]inputs and the final outputs. Actually, 0:17:36.979,0:17:42.405 sorry. It's not an XOR. It's actually an[br]addition. So you do an addition word by 0:17:42.405,0:17:47.762 word. So if there are 64 bytes, you do a[br]word-by-word addition four bytes at a 0:17:47.762,0:17:52.980 time, and finally you get the 64-byte[br]output, and that's it. That's the whole 0:17:52.980,0:17:57.175 pseudo-random generator. So that, that's[br]the whole function, little h. And as I 0:17:57.175,0:18:01.758 explained, this whole construction here is[br]the function big H. And then you evaluate 0:18:01.758,0:18:06.009 big H by incrementing the counter I from[br]zero, one, two, three onwards. And that 0:18:06.009,0:18:10.408 will give you a pseudo-random sequence[br]that's as long as you need it to be. And 0:18:10.408,0:18:15.325 basically, there are no signifigant[br]attacks on this. This has security that's 0:18:15.325,0:18:20.371 very close to two to the 128. We'll see[br]what that means more precisely later on. 0:18:20.371,0:18:25.417 It's a very fast stream cipher, both in[br]hardware and in software. And, as far as 0:18:25.417,0:18:30.431 we can tell, it seems to be unpredictable[br]as required for a stream cipher. So I 0:18:30.431,0:18:34.797 should say that the eStream project[br]actually has five stream ciphers like 0:18:34.797,0:18:39.395 this. I only chose Salsa 'cause I think[br]it's the most elegant. But I can give you 0:18:39.395,0:18:44.053 some performance numbers here. So you can[br]see, these are performance numbers on a 0:18:44.053,0:18:48.768 2.2 gigahertz, you know, x86 type machine.[br]And you can see that RC4 actually is the 0:18:48.768,0:18:53.017 slowest. Because essentially, well it[br]doesn't really take advantage of the 0:18:53.017,0:18:57.475 hardware. It only does byte operations.[br]And so there's a lot of wasted cycles that 0:18:57.475,0:19:01.182 aren't being used. But the E-Stream[br]candidates, both Salsa and other 0:19:01.182,0:19:05.202 candidate called Sosemanuk. I should say these[br]are eStream finalists. These are 0:19:05.202,0:19:09.588 actually stream ciphers that are approved[br]by the eStream project. You can see that 0:19:09.588,0:19:13.712 they have achieved a significant rate.[br]This is 643 megabytes per second on this 0:19:13.712,0:19:18.150 architecture, more than enough for a movie[br]and these are actually quite impressive 0:19:18.150,0:19:22.432 rates. And so now you've seen examples of[br]two old stream ciphers that shouldn't be 0:19:22.432,0:19:26.661 used, including attacks on those stream ciphers.[br]You've seen what the modern stream ciphers 0:19:26.661,0:19:30.480 look like with this nonce. And you[br]see the performance numbers for these 0:19:30.480,0:19:34.546 modern stream ciphers so if you happen to[br]need a stream cipher you could use one of 0:19:34.546,0:19:37.991 the eStream finalists. In particular you[br]could use something like Salsa.