aboutsummaryrefslogtreecommitdiff
path: root/doc/draft-ietf-secsh-newmodes-00.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/draft-ietf-secsh-newmodes-00.txt')
-rw-r--r--doc/draft-ietf-secsh-newmodes-00.txt619
1 files changed, 619 insertions, 0 deletions
diff --git a/doc/draft-ietf-secsh-newmodes-00.txt b/doc/draft-ietf-secsh-newmodes-00.txt
new file mode 100644
index 00000000..1554ac35
--- /dev/null
+++ b/doc/draft-ietf-secsh-newmodes-00.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group M. Bellare
+Internet-Draft T. Kohno
+Expires: September 20, 2003 UC San Diego
+ C. Namprempre
+ Thammasat University
+ March 20, 2003
+
+
+ SSH Transport Layer Encryption Modes
+
+ draft-ietf-secsh-newmodes-00.txt
+
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on September 20, 2003.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ Researchers have recently discovered that the authenticated
+ encryption portion of the current SSH Transport Protocol is
+ vulnerable to several attacks.
+
+ This document describes new symmetric encryption methods for the SSH
+ Transport Protocol and gives specific recommendations on how
+
+
+
+Bellare, Kohno, and Namprempre [Page 1]
+
+Internet Draft Month, Year
+
+
+ frequently SSH implementations should rekey.
+
+ Bellare, Kohno, and Namprempre [ACM CCS 2002] prove that if an SSH
+ application implements the modifications described in this document,
+ then the symmetric cryptographic portion of that application will
+ provably resist chosen-plaintext, chosen-ciphertext, reaction-based
+ privacy and integrity/authenticity attacks.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Conventions Used in This Document . . . . . . . . . . . . . . 2
+ 3. Rekeying . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3.1 First Rekeying Recommendation . . . . . . . . . . . . . . . . 3
+ 3.2 Second Rekeying Recommendation . . . . . . . . . . . . . . . . 3
+ 4. Encryption Modes . . . . . . . . . . . . . . . . . . . . . . . 4
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
+ 5.1 Rekeying Considerations . . . . . . . . . . . . . . . . . . . 7
+ 5.2 Encryption Method Considerations . . . . . . . . . . . . . . . 8
+ References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 10
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . 10
+
+1. Introduction
+
+ The symmetric portion of the SSH Transport Protocol was designed to
+ provide both privacy and integrity of encapsulated data. Researchers
+ ([DAI,BKN]) have, however, recently identified several security
+ problems with the symmetric portion of the SSH Transport Protocol as
+ described in [SSH-TRANS]. For example, the encryption mode specified
+ in [SSH-TRANS] is vulnerable to a chosen-plaintext privacy attack.
+ Additionally, if not rekeyed frequently enough, the SSH Transport
+ Protocol may leak information about payload data. This latter
+ property is true regardless of what encryption mode is used.
+
+ In [BKN] Bellare, Kohno, and Namprempre show how to modify the
+ symmetric portion of the SSH Transport Protocol so that it provably
+ preserves privacy and integrity against chosen-plaintext, chosen-
+ ciphertext, and reaction attacks. This document instantiates the
+ recommendations described in [BKN].
+
+2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ The used data types and terminology are specified in the architecture
+
+
+
+Bellare, Kohno, and Namprempre [Page 2]
+
+Internet Draft Month, Year
+
+
+ document [SSH-ARCH].
+
+ The SSH Transport Protocol is specified in the transport document
+ [SSH-TRANS].
+
+3. Rekeying
+
+ Section 7 of [SSH-TRANS] suggests that SSH implementations rekey
+ after every gigabyte of transmitted data. [SSH-TRANS] does not,
+ however, discuss all the problems that could arise if an SSH
+ implementation does not rekey frequently enough. This section serves
+ to strengthen the suggestion in [SSH-TRANS] by giving firm upper
+ bounds on the tolerable number of encryptions between rekeying
+ operations. In Section 5 we discuss the motivation for these
+ rekeying recommendations in more detail.
+
+ This section makes two recommendations. Informally, the first
+ recommendation is intended to protects against possible information
+ leakage through the MAC tag and the second recommendation is intended
+ to protect against possible information leakage through the block
+ cipher. Note that, depending on the block length of the underlying
+ block cipher and the length of the encrypted packets, the first
+ recommendation may supersede the second recommendation, or visa-
+ versa.
+
+3.1 First Rekeying Recommendation
+
+ Because of possible information leakage through the MAC tag, SSH
+ implementations SHOULD rekey at least once every 2**32 outgoing
+ packets. More explicitly, after a key exchange an SSH implementation
+ SHOULD NOT send more than 2**32 packets before rekeying again.
+
+ SSH implementations SHOULD also attempt to rekey before receiving
+ more than 2**32 packets since the last rekey operation. The
+ preferred way to do this is to rekey after receiving more than 2**31
+ packets since the last rekey operation.
+
+3.2 Second Rekeying Recommendation
+
+ Because of a birthday property of block ciphers and some modes of
+ operation, implementations must be careful not to encrypt too many
+ blocks with the same encryption key.
+
+ Let L be the block length (in bits) of an SSH encryption method's
+ block cipher (eg, 128 for AES). If L is at least 128 then, after
+ rekeying, an SSH implementation SHOULD NOT encrypt more than 2**(L/4)
+ blocks before rekeying again. If L is at least 128, then SSH
+ implementations should also attempt to force a rekey before receiving
+
+
+
+Bellare, Kohno, and Namprempre [Page 3]
+
+Internet Draft Month, Year
+
+
+ more than 2**(L/4) blocks. If L is less than 128 (which is the case
+ for older ciphers such as 3DES, Blowfish, CAST-128, and IDEA), then,
+ although it may be too expensive to rekey every 2**(L/4) blocks, it
+ is still advisable for SSH implementations to follow the original
+ recommendation in [SSH-TRANS]: rekey at least once every gigabyte of
+ transmitted data.
+
+ Note that if L is less than or equal to 128, then the recommendation
+ in this subsection supersedes the recommendation in Section 3.1. If
+ an SSH implementation uses a block cipher with a larger block size
+ (eg, Rijndael with 256-bit blocks), then the recommendations in the
+ above paragraph may supersede the recommendations in this paragraph
+ (depending on the lengths of the packets).
+
+4. Encryption Modes
+
+ This document describes new encryption methods for use with the SSH
+ Transport Protocol. These encryption methods are in addition to the
+ encryption methods described in Section 4.3 of [SSH-TRANS].
+
+ Recall from [SSH-TRANS] that the encryption methods in each direction
+ of an SSH connection MUST run independently of each other and that,
+ when encryption is in effect, the packet length, padding length,
+ payload, and padding fields of each packet MUST be encrypted with the
+ chosen method. Further recall that the total length of the
+ concatenation of the packet length, padding length, payload, and
+ padding MUST be a multiple of the cipher's block size when the
+ cipher's block size is greater than or equal to 8 bytes (which is the
+ case for all of the following methods).
+
+ This document describes the following new methods:
+
+ aes128-ctr RECOMMENDED AES (Rijndael) in SDCTR mode,
+ with 128-bit key
+ aes192-ctr RECOMMENDED AES with 192-bit key
+ aes256-ctr RECOMMENDED AES with 256-bit key
+ 3des-ctr RECOMMENDED Three-key 3DES in SDCTR mode
+ blowfish-ctr RECOMMENDED Blowfish in SDCTR mode
+ twofish128-ctr RECOMMENDED Twofish in SDCTR mode,
+ with 128-bit key
+ twofish192-ctr OPTIONAL Twofish with 192-bit key
+ twofish256-ctr OPTIONAL Twofish with 256-bit key
+ serpent128-ctr RECOMMENDED Serpent in SDCTR mode, with
+ with 128-bit key
+ serpent192-ctr OPTIONAL Serpent with 192-bit key
+ serpent256-ctr OPTIONAL Serpent with 256-bit key
+ idea-ctr OPTIONAL IDEA in SDCTR mode
+ cast128-ctr OPTIONAL CAST-128 in SDCTR mode
+
+
+
+Bellare, Kohno, and Namprempre [Page 4]
+
+Internet Draft Month, Year
+
+
+ The label <cipher>-ctr means that the block cipher <cipher> is to be
+ used in "stateful-decryption counter" (SDCTR) mode. Let L be the
+ block length of <cipher> in bits. In stateful-decryption counter
+ mode both the sender and the receiver maintain an internal L-bit
+ counter X. The initial value of X should be the initial IV (as
+ computed in Section 5.2 of [SSH-TRANS]) interpreted as an L-bit
+ unsigned integer in network-byte-order. If X=(2**L)-1, then
+ "increment X" has the traditional semantics of "set X to 0." We use
+ the notation <X> to mean "convert X to an L-bit string in network-
+ byte-order." Naturally, implementations may differ in how the
+ internal value X is stored. For example, implementations may store X
+ as multiple unsigned 32-bit counters.
+
+ To encrypt a packet P=P1||P2||...||Pn (where P1, P2, ..., Pn are each
+ blocks of length L), the encryptor first encrypts <X> with <cipher>
+ to obtain a block B1. The block B1 is then XORed with P1 to generate
+ the ciphertext block C1. The counter X is then incremented and the
+ process is repeated for each subsequent block in order to generate
+ the entire ciphertext C=C1||C2||...||Cn corresponding to the packet
+ P. Note that the counter X is not included in the ciphertext. Also
+ note that the keystream can be pre-computed and that encryption is
+ parallelizable.
+
+ To decrypt a ciphertext C=C1||C2||...||Cn, the decryptor (who also
+ maintains its own copy of X), first encrypts its copy of <X> with
+ <cipher> to generate a block B1 and then XORs B1 to C1 to get P1.
+ The decryptor then increments its copy of the counter X and repeats
+ the above process for each block to obtain the plaintext packet
+ P=P1||P2||...||Pn. As before, the keystream can be pre-computed and
+ decryption is parallelizable.
+
+ The "aes128-ctr" method uses AES (the Advanced Encryption Standard,
+ formerly Rijndael) with 128-bit keys [AES]. The block size is 16
+ bytes.
+
+ The "aes192-ctr" method uses AES with 192-bit keys.
+
+ The "aes256-ctr" method uses AES with 256-bit keys.
+
+ The "3des-ctr" method uses three-key triple-DES (encrypt-decrypt-
+ encrypt), where the first 8 bytes of the key are used for the first
+ encryption, the next 8 bytes for the decryption, and the following 8
+ bytes for the final encryption. This requires 24 bytes of key data
+ (of which 168 bits are actually used). The block size is 8 bytes.
+ This algorithm is defined in [SCHNEIER].
+
+ The "blowfish-ctr" method uses Blowfish with 256 bit keys [SCHNEIER].
+ The block size is 8 bytes.
+
+
+
+Bellare, Kohno, and Namprempre [Page 5]
+
+Internet Draft Month, Year
+
+
+ The "twofish128-ctr" method uses Twofish with 128-bit keys [TWOFISH].
+ The block size is 16 bytes.
+
+ The "twofish192-ctr" method uses Twofish with 192-bit keys.
+
+ The "twofish256-ctr" method uses Twofish with 256-bit keys.
+
+ The "serpent128-ctr" method uses the Serpent block cipher [SERPENT]
+ with 128-bit keys. The block size is 16 bytes.
+
+ The "serpent192-ctr" method uses Serpent with 192-bit keys.
+
+ The "serpent256-ctr" method uses Serpent with 256-bit keys.
+
+ The "idea-ctr" method uses the IDEA cipher [SCHNEIER]. IDEA is
+ patented by Ascom AG. The block size is 8 bytes.
+
+ The "cast128-ctr" method uses the CAST-128 cipher [RFC2144]. The
+ block size is 8 bytes.
+
+5. Security Considerations
+
+ This document describes additional encryption methods and
+ recommendations for the SSH Transport Protocol [SSH-TRANS]. [BKN]
+ prove that if an SSH application incorporates the methods and
+ recommendations described in this document, then the symmetric
+ cryptographic portion of that application will resist a large class
+ of privacy and integrity attacks.
+
+ This section is designed to help implementors understand the
+ security-related motivations for, as well as possible consequences of
+ deviating from, the methods and recommendations described in this
+ document. Additional motivation and discussion, as well as proofs of
+ security, appear in the research paper [BKN].
+
+ Please note that the notion of "prove" in the context of [BKN] is
+ that of practice-oriented reductionist security: if an attacker is
+ able to break the symmetric portion of the SSH Transport Protocol
+ using a certain type of attack (eg, a chosen-ciphertext attack), then
+ the attacker will also be able to break one of the transport
+ protocol's underlying components (eg, the underlying block cipher or
+ MAC). If we make the reasonable assumption that the underlying
+ components (such as AES and HMAC-SHA1) are secure, then the attacker
+ against the symmetric portion of the SSH protocol cannot be very
+ successful (since otherwise there would be a contradiction). Please
+ see [BKN] for details. In particular, attacks are not impossible;
+ just extremely improbable (unless the building blocks, like AES, are
+ insecure).
+
+
+
+Bellare, Kohno, and Namprempre [Page 6]
+
+Internet Draft Month, Year
+
+
+ Note also that cryptography often plays only a small (but critical)
+ role in an application's overall security. In the case of the SSH
+ Transport Protocol, even though an application might implement the
+ symmetric portion of the SSH protocol exactly as described in this
+ document, the application may still be vulnerable to non-protocol-
+ based attacks (as an egregious example, an application might save
+ cryptographic keys in cleartext to an unprotected file).
+ Consequently, even though the methods described herein come with
+ proofs of security, developers must still execute caution when
+ developing applications that implement these methods.
+
+5.1 Rekeying Considerations
+
+ Section 3 of this document makes two rekeying recommendations: (1)
+ rekey at least once every 2**32 packets and (2) rekey after a certain
+ number of encrypted blocks (eg, 2**(L/4) blocks if the block cipher's
+ block length L is at least 128 bits). The motivations for
+ recommendations (1) and (2) are different, and we consider each
+ recommendation in turn. Briefly, (1) is designed to protect against
+ information leakage through the SSH protocol's underlying MAC and (2)
+ is designed to protect against information leakage through the SSH
+ protocol's underlying encryption scheme. Please note that, depending
+ on the encryption method's block length L and the number of blocks
+ encrypted per packet, recommendation (1) may supersede recommendation
+ (2) or visa-versa.
+
+ Recommendation (1) states that SSH implementations should rekey at
+ least once every 2**32 packets. As [BKN] show, if more than 2**32
+ packets are encrypted and MACed by the SSH Transport Protocol between
+ rekeyings, then the SSH Transport Protocol's underlying MAC may begin
+ to leak information about the protocol's payload data. In more
+ detail, an adversary looks for a collision between the MACs
+ associated to two packets that were MACed with the same 32-bit
+ sequence number (see Section 4.4 of [SSH-TRANS]); if a collision is
+ found, then the payload data associated with those two ciphertexts is
+ probably identical. Note that this problem occurs regardless of how
+ secure the underlying encryption method is. Implementors who decide
+ not to rekey at least once every 2**32 packets should understand this
+ issue.
+
+ Note that compressing payload data before encrypting and MACing will
+ not significantly reduce the risk of information leakage through the
+ underlying MAC. Similarly, the use of random (and unpredictable to
+ an adversary) padding will not prevent information leakage through
+ the underlying MAC [BKN].
+
+ One alternative to recommendation (1) would be to make the SSH
+ Transport Protocol's sequence number more than 32 bits long. This
+
+
+
+Bellare, Kohno, and Namprempre [Page 7]
+
+Internet Draft Month, Year
+
+
+ document does not suggest increasing the length of the sequence
+ number because doing so could hinder interoperability with older
+ version of the SSH protocol. Another alternative to recommendation
+ (1) would be to switch from HMAC to a privacy-preserving randomized
+ MAC.
+
+ Recommendation (2) states that SSH implementations should rekey
+ before encrypting more than 2**(L/4) blocks with the same key
+ (assuming L is at least 128). This recommendation is designed to
+ minimize the risk of birthday attacks against the encryption method's
+ underlying block cipher. For example, there is a theoretical privacy
+ attack against stateful-decryption counter mode if an adversary is
+ allowed to encrypt approximately 2**(L/2) messages with the same key.
+ It is because of these birthday attacks that implementors are highly
+ encouraged to use secure block ciphers with large block lengths.
+
+5.2 Encryption Method Considerations
+
+ Researchers have recently shown that the original CBC-based
+ encryption methods in [SSH-TRANS] are vulnerable to chosen-plaintext
+ privacy attacks [DAI,BKN]. The new stateful-decryption counter mode
+ encryption methods described in Section 4 of this document were
+ designed to be secure replacements to the original encryption methods
+ described in [SSH-TRANS].
+
+ Many people shy away from counter mode-based encryption schemes
+ because, when used incorrectly (such as when the keystream is allowed
+ to repeat), counter mode can be very insecure. Fortunately, the
+ common concerns with counter mode do not apply to SSH because of the
+ rekeying recommendations and because of the additional protection
+ provided by the transport protocol's MAC. This discussion is
+ formalized with proofs of security in [BKN].
+
+ As an additional note, when one of the stateful-decryption counter
+ mode encryption methods (Section 4) is used, then the padding
+ included in an SSH packet (Section 4 of [SSH-TRANS]) need not be (but
+ can still be) random. This eliminates the need to generate
+ cryptographically-secure pseudorandom bytes for each packet.
+
+ One property of counter mode encryption is that it does not require
+ messages to be padded to a multiple of the block cipher's block
+ length. Although not padding messages can reduce the protocol's
+ network consumption, this document requires padding to be a multiple
+ of the block cipher's block length in order to (1) not alter the
+ packet description in [SSH-TRANS] and (2) not leak precise
+ information about the length of the packet's payload data. (Although
+ there may be some networks savings for padding to only 8-bytes even
+ if the block cipher uses 16-byte blocks, because of (1) we do not
+
+
+
+Bellare, Kohno, and Namprempre [Page 8]
+
+Internet Draft Month, Year
+
+
+ make that recommendation here.)
+
+ In addition to stateful-decryption counter mode, [BKN] describe other
+ provably-secure encryption methods for use with the SSH Transport
+ Protocol. The stateful-decryption counter mode methods in Section 4
+ are, however, the preferred alternatives to the insecure methods in
+ [SSH-TRANS] because stateful-decryption counter mode is the most
+ efficient (both in terms of network consumption and in terms of the
+ number of required cryptographic operations per packet).
+
+References
+
+ [AES] Daemon, J. and Rijmen, V., "AES Proposal: Rijndael",
+ NIST AES Proposal, 1998.
+
+ [BKN] Bellare, M., Kohno, T., and Namprempre, C.,
+ "Authenticated Encryption in SSH: Provably Fixing the
+ SSH Binary Packet Protocol", Ninth ACM Conference on
+ Computer and Communications Security, 2002.
+
+ [BN] Bellare, M. and Namprempre, C., "Authenticated
+ Encryption: Relations among notions and analysis of
+ the generic composition paradigm", Asiacrypt 2000.
+
+ [DAI] Dai, W., "An Attack Against SSH2 Protocol", Email to
+ the ietf-ssh@netbsd.org email list, 2002.
+
+ [KRAWCZYK] Krawczyk, H., "The Order of Encryption and
+ Authentication for Protecting Communications (Or: How
+ secure is SSL?)", Crypto 2001.
+
+ [RFC2119] Bradner, S., "Key Words for Use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2144] Adams, C., "The CAST-128 Encryption Algorithm", RFC
+ 2144, May 1997.
+
+ [SCHNEIER] Schneier, B., "Applied Cryptography Second Edition:
+ Protocols algorithms and source in code in C", Wiley,
+ 1996.
+
+ [SERPENT] Anderson, R., Biham, E., and Knudsen, L. "Serpent: A
+ proposal for the Advanced Encryption Standard", NIST
+ AES Proposal, 1998.
+
+ [SSH-ARCH] Ylonen, T., et. al., "SSH Protocol Architecture",
+ I-D draft-ietf-architecture-12.txt, January 2002.
+
+
+
+
+Bellare, Kohno, and Namprempre [Page 9]
+
+Internet Draft Month, Year
+
+
+ [SSH-TRANS] Ylonen, T., et. al., "SSH Transport Layer Protocol",
+ I-D draft-ietf-transport-14.txt, March 2002.
+
+ [TWOFISH] Schneier, B., et. al., "The Twofish Encryptions
+ Algorithm: A 128-bit block cipher, 1st Edition",
+ Wiley, 1999.
+
+Authors' Addresses:
+
+ Mihir Bellare
+ Department of Computer Science and Engineering
+ University of California at San Diego
+ 9500 Gilman Drive, MC 0114
+ La Jolla, CA 92093-0114
+
+ Phone: +1 858-822-2977
+ EMail: mihir@cs.ucsd.edu
+
+ Tadayoshi Kohno
+ Department of Computer Science and Engineering
+ University of California at San Diego
+ 9500 Gilman Drive, MC 0114
+ La Jolla, CA 92093-0114
+
+ Phone: +1 858-822-2977
+ EMail: tkohno@cs.ucsd.edu
+
+ Chanathip Namprempre
+ Thammasat University
+ Faculty of Engineering
+ Electrical Engineering Department
+ Rangsit Campus, Klong Luang
+ Pathumthani, Thailand 12121
+
+ EMail: meaw@alum.mit.edu
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+
+
+
+Bellare, Kohno, and Namprempre [Page 10]
+
+Internet Draft Month, Year
+
+
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgments
+
+ Mihir Bellare and Chanathip Namprempre were supported by NSF Grant
+ CCR-0098123, NSF Grant ANR-0129617 and an IBM Faculty Partnership
+ Development Award. Tadayoshi Kohno was supported by a National
+ Defense Science and Engineering Fellowship.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bellare, Kohno, and Namprempre [Page 11]
+ \ No newline at end of file
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-18 15:05:02 +0000