CPSC 91 Computer Security Fall Computer Security. Assignment #2
|
|
- Wilfrid Carson
- 5 years ago
- Views:
Transcription
1 CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible solutions during the lab on Friday Sept. 30. Show that the following are bad pseudorandom functions. 1. H : {0, 1} k {0, 1} n+1 {0, 1} n+1 defined by H(K, b x) = b E(K, x) where b is a single bit ask 0 n+1 to its oracle, receive result y if the first bit of y is a 0, output 1, else output 0 If the oracle is H, then the first bit of the value returned by the oracle is always a 0, so the probability that A outputs 1 is 1. On the other hand, if the oracle is a random function, then the answer to the query is a random string of length n 1, so the probability that the first bit is a 0 is 1 2. Adv P RF A,E = = 1 2
2 2. J : {0, 1} k+n 2n {0, 1} 2n defined by J(K 1 K 2, x 1 x 2 ) = E(K 1, x 2 ) K 2 x 2 ask 0 02n to its oracle, receive result y ask 0 1n 0 n to its oracle, receive result y split y into two halves y 1 y 2 split y into two halves y 3 y 4 if y 2 = y 4, output 1, else output 0 If the oracle is J, then the second halves of y and y will always be the same because the second halves of 0 2n and 1 n 0 n are the same. So the adversary will output 1 with probability 1. On the other hand, if the oracle is a random function, then the answer to both queries are random strings of length 2n. The second half of the first string string can be anything so 2 n possible choices, but the second half of the second string has to be the same. So in total, there are 2 n possible choices for the two second halves that can make the adversary output 1, compared to a total of 2 2n choices for two strings of length n. So the probability that the adversary outputs 1 when the oracle is a random function is 2n = 1 2 2n 2. n 3. L : {0, 1} k {0, 1} 2n {0, 1} 2n defined by L(K, x 1 x 2 ) = E(K, x 1 ) E(K, 0 n ) x 2 where 0 n is the string composed of n zeroes The exact same adversary as in the previous problem will work for the exact same reason.
3 Show that the following pseudorandom function is good. 4. C : {0, 1} k+n {0, 1} n {0, 1} n defined by C(K 1 K 2, x) = E(K 1, x) K 2 Suppose there is an adversary A O( ) against C. We construct adversary B O ( ) against E as follows: pick a random key K 2 $ {0, 1} n run A O( ). When A O( ) makes a query x to its oracle, B answers it as follows: ask x to oracle O, get answer y calculate z = y K 2 give z back to A as the answer to its query When A is done and outputs a bit b, B outputs the same bit b. Note that, by construction, when B s oracle is the block cipher E, then B s answer to A s oracle queries perfectly simulate the computation of the function C. In addition, B outputs the same result as A. P (K 1 $ {0, 1} k : B E(K 1, ) = 1) = P (K 1 K 2 $ {0, 1} k+n : A C(K 1 K 2, ) On the other hand, when B s oracle is a random function, then B s answers to A s oracle queries are that of a slightly different random function (all the outputs of the function are shifted by an exclusive or with K 2 ), but the probability space is unchanged because for every random function f, there is another random function f whose outputs are exactly the outputs of f exclusive-or-ed with K 2, and both functions have the same probability. P (f $ Rand n n : B f( ) = 1) = P (f $ Rand n n : A f( ) Thus AdvA,G P RF = AdvP RF B,E. In addition, A and B have essentially the same running time. So if A is a good adversary against G, then B is a good adversary against E. Conversely, if no good adversary exist against E, then no good adversary against G can exist either.
4 The remaining questions are from the assignment. 5. Suppose that E : {0, 1} K {0, 1} n {0, 1} n is a secure block cipher (or PRF). Consider E : {0, 1} K {0, 1} 2n {0, 1} 2n defined as follows: E (k, x 0 x 1 ) = E(k, x 0 ) E(k, x 0 x 1 ) where both x 0 and x 1 are bitstrings of lentgh n and denotes the string concatenation operation. Show that E is not a secure PRF by describing a PRF-adversary that can distinguish E from a random function. ask 0 2n to its oracle (so x 0 = x 1 = 0 n ), receive result y split y into two halves y 1 y 2 if y 1 = y 2 output 1, else output 0 If the oracle is E, then x 0 = x 0 x 1, so the two halves y 1 and y 2 will always be equal, so the probability that the adversary outputs 1 when the oracle is the block cipher is 1. On the other hand, if the oracle is a random function, then the answer to the query is a random string of length 2n. The first half of that string can be anything so 2 n possible choices, but the second half has to be the same, so only 1 choice for the second half. So in total, there are 2 n possible strings that can make the adversary output 1, compared to a total of 2 2n strings of length 2n. So the probability that the adversary outputs 1 when the oracle is a random function is 2n 2 2n = 1 2 n. Adv P RF A,E = n
5 6. Suppose that F : {0, 1} n {0, 1} n {0, 1} n is a secure block cipher. Consider F : {0, 1} n {0, 1} 2n {0, 1} 2n defined as follows: Show that F is not a secure PRF. E (k, x 0 x 1 ) = E(k, x 0 ) E(x 0, x 1 ) ask 0 2n to its oracle (so x 0 = x 1 = 0 n ), receive result y split y into two halves y 1 y 2 calculate z = E(0 n, 0 n ) if y 2 = z output 1, else output 0 If the oracle is F, then the second half of y will always be E(0 n, 0 n ), so A outputs 1 with probability 1. On the other hand, if the oracle is a random function, then the answer to the query is a random string of length 2n. The first half of that string can be anything so 2 n possible choices, but the second half would have to be exactly E(0 n, 0 n ) for the adversary to output 1, so only 1 choice for the second half. Similarly as in the previous problem, the probability that A outputs 1 is 1 2. n AdvA,F P RF = n
6 7. Suppose that G : {0, 1} K {0, 1} 2n {0, 1} 2n is a secure pseudo-random function (PRF). Consider G : {0, 1} K {0, 1} 2n {0, 1} n defined as follows: G : on input (k,x), compute C = G(k, x) and return the first half of the bits of C. Prove that G is a secure PRF by showing that an adversary that breaks the PRF-security of G could be used to create an adversary that breaks the PRF-security of G. Solution To show that G is a secure PRF if G is a secure PRF, we show that if G was insecure, then G would be insecure as well. Let A be a PRF-adversary that breaks G. Construct a PRF-adversary B against G as follows: run A. Whenever A asks a query M to its oracle, B makes the query M to its own oracle, receives a string C = C 0 C 1 where each of C 0 and C 1 are strings of n bits, and gives C 0 to A as the answer to its query. eventually, A terminates and outputs a bit b. B outputs this b as its output. Note that if B s oracle is G, then the answer to A s queries are exactly G since G consists exactly of the first half of the bits of G s output. So we have that P (k $ {0, 1} K : B G(k, ) = 1) = P (k $ {0, 1} K : A G (k, ) = 1) On the other hand, if B s oracle is a random function from Rand 2n 2n, then the output of the random function is 2n random bits. The first half of those bits will be n random bits, which is exactly what a random function from Rand n n would give A. Therefore, Hence, P (f $ Rand 2n 2n : B f( ) = 1) = P (f $ Rand n n : A f( ) = 1) Adv P RF B = P (k $ {0, 1} K : B G(k, ) = 1) P (f $ Rand 2n 2n : B f( ) = 1) = P (k $ {0, 1} K : A G (k, ) = 1) P (f $ Rand n n : A f( ) = 1) = Adv P RF A So that if F is insecure, then F is insecure as well. Since we assume that F is a secure PRF, then it must be the case that F is secure as well.
CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationLecture 24: MAC for Arbitrary Length Messages. MAC Long Messages
Lecture 24: MAC for Arbitrary Length Messages Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG)
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationOnline Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh
Online Cryptography Course Using block ciphers Review: PRPs and PRFs Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits
More informationLecture 20: conp and Friends, Oracles in Complexity Theory
6.045 Lecture 20: conp and Friends, Oracles in Complexity Theory 1 Definition: conp = { L L NP } What does a conp computation look like? In NP algorithms, we can use a guess instruction in pseudocode:
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More informationOn Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT
On Perfect and Adaptive Security in Exposure-Resilient Cryptography Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT 1 Problem: Partial Key Exposure Alice needs to store a cryptographic
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationPseudo-Random Number Generators
Unit 41 April 18, 2011 1 Pseudo-Random Number Generators Recall the one-time pad: k = k 1, k 2, k 3... a random bit-string p = p 1, p 2, p 3,... plaintext bits E(p) = p k. We desire long sequences of numbers
More informationMessage Authentication
Motivation Message Authentication 15-859I Spring 2003 Suppose Alice is an ATM and Bob is a Ban, and Alice sends Bob messages about transactions over a public channel Bob would lie to now that when he receives
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationConstructing secure MACs Message authentication in action. Table of contents
Constructing secure MACs Message authentication in action Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time Recall the definition of message
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationLecture 5: Pseudo-Random Generators and Pseudo-Random Functions
CS 276 Cryptography Sept 22, 2014 Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions Instructor: Sanjam Garg Scribe: Peihan Miao 1 PRG (Pseudo-Random Generator) extension In this section we
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationSecurity without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationChapter 2 Balanced Feistel Ciphers, First Properties
Chapter 2 Balanced Feistel Ciphers, First Properties Abstract Feistel ciphers are named after Horst Feistel who studied these schemes in the 1960s. In this chapter, we will only present classical Feistel
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More informationImproving Upon the TET Mode of Operation
Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationAnother Look at XCB. Indian Statistical Institute 203 B.T. Road, Kolkata , India
Another Look at XCB Debrup Chakraborty 1, Vicente Hernandez-Jimenez 1, Palash Sarkar 2 1 Department of Computer Science, CINVESTAV-IPN, Av. IPN 2508 San Pedro Zacatenco, Mexico City 07360, Mexico debrup@cs.cinvestav.mx,
More informationarxiv: v1 [cs.cr] 16 Dec 2014
How many ueries are needed to distinguish a truncated random permutation from a random function? Shoni Gilboa 1, Shay Gueron,3 and Ben Morris 4 arxiv:141.504v1 [cs.cr] 16 Dec 014 1 The Open University
More informationBetter proofs for rekeying
Better proofs for rekeying 1 D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0); : : : ; AES k (n 1)) is distinguishable from uniform with probability n(n 1)=2 129,
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationDistinguishing a truncated random permutation from a random function
Distinguishing a truncated random permutation from a random function Shoni Gilboa Shay Gueron July 9 05 Abstract An oracle chooses a function f from the set of n bits strings to itself which is either
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationStandard versus Selective Opening Security: Separation and Equivalence Results
Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationSECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationEfficient Amplification of the Security of Weak Pseudo-Random Function Generators
J. Cryptology (2002) OF1 OF24 DOI: 10.1007/s00145-002-0007-1 2002 International Association for Cryptologic Research Efficient Amplification of the Security of Weak Pseudo-Random Function Generators Steven
More informationPseudorandom functions and permutations
Introduction Pseudorandom functions and permutations 15-859I Spring 2003 Informally, a Pseudorandom function family (PRF is a collection of functions which are indistinguishable from random functions PRFs
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationOn the Security of CTR + CBC-MAC
On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.
More informationA Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 03, Lecture Notes in Computer Science Vol.??, E. Biham ed., Springer-Verlag, 2003. This is the full version. A Theoretical
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC)
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationSome Plausible Constructions of Double-Block-Length Hash Functions
Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,
More informationA note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT
A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch
More informationZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls
ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More information5 Pseudorandom Generators
5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationON CIPHERTEXT UNDETECTABILITY. 1. Introduction
Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes
More informationNotes for Lecture 27
U.C. Berkeley CS276: Cryptography Handout N27 Luca Trevisan April 30, 2009 Notes for Lecture 27 Scribed by Madhur Tulsiani, posted May 16, 2009 Summary In this lecture we begin the construction and analysis
More information