A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT
|
|
- Shona Copeland
- 5 years ago
- Views:
Transcription
1 A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland Abstract The security for authenticated encryption schemes is often captured by demanding CCA security (IND-CCA) and integrity of plaintexts (INT-PTXT). In this short note, we prove that this implies in particular integrity of ciphertexts, i.e., INT-CTXT. Hence, the two sets of requirements mentioned in the title are equivalent. 1 The Security Games We treat the stateful notions in this short note since they are the most widely used notions for authenticated encryption (the main use case is realizing a cryptographic channel). A proof for the non-stateful versions would follow along the same lines. We restate the relevant stateful notions from [BKN04 formally in Figure 1 and Figure. A (stateful) authenticated encryption scheme consists of a triple of algorithms Ψ = (Gen, E, D) for key generation, encryption, and decryption, respectively, as defined in detail in [BKN04 (including the definitions of correctness and being stateful). The message space is denoted by M and the ciphertext space is denoted by C. Our notation follows basically the notation of [BN08; BKN04. IND-sfCCA Ψ b {0, 1} Sampling u.a.r. from {0, 1}. sync 1 Oracle LR Input: (m 0, m 1 ) M M c E(k, m b ) Oracle Dec sync 0 if sync = 0 then return m return Input: d {0, 1} return (d = b) Figure 1: IND-sfCCA Ψ security for stateful CCA security of an authenticated encryption scheme. 1
2 INT-sfCTXT Ψ INT-sfPTXT Ψ sync 1 win 0 c E(k, m) sync 0 if m sync = 0 then win 1 return win sync 1 win 0 c E(k, m) S[i m sync 0 if m sync = 0 then win 1 return win Figure : The INT-sfPTXT Ψ and INT-sfCTXT Ψ security games for stateful plaintext- and ciphertext-integrity, respectively, of an authenticated encryption scheme. INT-PTXT & IND-CCA implies INT-CTXT Let A denote an INT-sfCTXT attacker. In the following we show that Adv IND-sfCTXT Ψ,A Adv IND-sfCCA Ψ,A 1 + Adv IND-sfCCA Ψ,A +3 Adv IND-sfPTXT Ψ,A 3 where A 1, A, and A 3 denote slight modifications of A with roughly the same efficiency. As a first hybrid, we consider the game H 0 depicted in Figure 3, that essentially works like INT-sfCTXT Ψ, but initially flips a uniform random bit z, and then the encryption oracle instead of encrypting the message m encrypts z m, i.e., either the all-zero or all-one bit string of the length of m. By definition of the advantage of an adversary in the forgery game, we have Adv IND-sfCTXT Ψ,A := Pr [ A INT-sfCTXTΨ 1 = Pr [ A H0 1 + ( Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 ) (1) In the following, we will first upper bound the second term, and then proceed to upper bound Pr [ A H0 1 as a second step..1 Upper bounding the second term Consider the following bit-guessing game G 0, shown in Figure 4, that initially flips a bit b and then either behaves exactly like INT-sfCTXT Ψ, if b = 0, or like H 0 if b = 1, and the goal of the adversary is to guess b in the end. In addition, the adversary also gets access to an oracle HasWon that allows him to query the win flag of INT-sfCTXT Ψ or H 0, respectively. We now define A 0 as follows: A 0 internally runs A forwarding all queries and responses to the Enc and VF oracles. Once A calls, A 0 first queries the HasWon oracle, and then calls with d = 0 if HasWon returned true and d = 1 otherwise. Observe that the bit-guessing game G 0 behaves exactly as INT-sfCTXT Ψ if b = 0 and exactly like H 0 if b = 1. By definition of G 0 and A 0 we obtain [ Pr A G0 0 1 b = 0 = Pr AG 0 0 [d = b b = 0 = Pr AG 0 0 [d = 0 b = 0 = Pr AG 0 0 [win = 1 b = 0 = Pr [ A INT-sfCTXTΨ 1
3 INT-sfCTXT Ψ and H 0 sync 1 win 0 c E(k, m) sync 0 if m sync = 0 then win 1 return win Figure 3: The first hybrid H 0 compared to the original INT-sfCTXT Ψ security game. G 0 and G 1 b {0, 1} sync 1 win 0 if b = 0 then c E(k, m) sync 0 if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 4: The bit-guessing games G 0 and G 1. 3
4 G 1 and G b {0, 1} sync 1 win 0 if b = 0 then c E(k, m) m 0 m m 1 z m c E(k, m b ) sync 0 if sync = 0 then m m m if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 5: The bit-guessing games G in comparison to G 1. and [ Pr A G0 0 1 b = 1 = Pr AG 0 0 [d = b b = 1 = Pr AG 0 0 [d = 1 b = 1 which yields G 1 G = Pr AG 0 0 [win = 0 b = 1 = 1 Pr [ A H0 1, Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 [ [ = Pr A G0 0 1 b = 0 + Pr A G0 0 1 b = 1 1 ( [ = Pr A G ). [ We now proceed by bounding Pr A G0 0 1 using a sequence of simple modifications: The game G 1, as depicted in Figure 4, behaves like G 0 except that the VF oracle returns true instead of (m ) if sync = 1. Since sync = 1 implies c = C[j and / M, however, by correctness of the scheme this behavior is equivalent. Consider the game G as depicted in Figure 5. Observe that in the Enc oracle the same message gets encrypted as in G 1. In the VF oracle it sets m to if sync 0. Note however, that in this case the value of m does not matter anymore. Thus, G 1 and G behave equivalently. It is now easy to see that winning G can be reduced to winning IND-sfCCA Ψ as sketched in Figure 6. For every adversary A 0 against G we can build A 1 against IND-sfCCA Ψ that works as follows: it initially flips a bit z and then internally runs A 0 and for every query m of the Enc oracle it queries the LR oracle of IND-sfCCA Ψ with m 0 = m and m 1 = z m. In addition, A 1 keeps track whether A 0 is still in sync, so that on a query c to the VF oracle by () 4
5 G b {0, 1} sync 1 win 0 m 0 m m 1 z m c E(k, m b ) sync 0 if sync = 0 then m m m if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 6: The reduction from G to IND-sfCCA Ψ. The lines with the blue shade and the solid border belong to the IND-sfCCA Ψ game, whereas the green shaded ones with the dashed border belong to the reduction. The uncolored lines are for bookkeeping that is replicated in both the IND-sfCCA Ψ game as well as the reduction. A 0 it can query the decryption oracle on c and then reply correctly to A 0. It is easy to see that A 1 guesses b correctly if and only if A 0 guesses b correctly by simply forwarding the guess. Thus we obtain [ [ [ [ Pr A G0 0 1 = Pr A G1 0 1 = Pr A G 0 1 = Pr A IND-sfCCAΨ 1 1, and combining this with () yields the desired bound Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 ( [ = Pr A G ) ( [ = Pr A IND-sfCCAΨ ) =: Adv IND-sfCCA Ψ,A 1, (3) where in the last step we used the definition of the (bit-guessing) advantage of a CCA adversary.. Bounding the first winning probability In the following section we upper bound the probability Pr [ A H0 1 using the hybrids H 1 and H, depicted in Figure 7 and Figure 8, respectively. H 1 The game H 1 replaces the sync and the win flags of H 0 by two pairs of flags (sync 1, sync ) and (win 1, win ), respectively. Note that sync in H 1 is defined exactly equivalent to sync of H 0, and thus win 1 win is true in H 1 if and only if win is true in H 0. Hence, the two games behave equivalently. 5
6 H 0 and H 1 sync 1 win 0 win 1 0 win 0 sync 0 if m sync = 0 then win 1 if m sync 1 = 0 sync = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win return win 1 win Figure 7: The game H 1 is equivalent to H 0, which is best seen by observing that the sync flag is identical to the sync one of H 0. H 1 and H win 1 0 win 0 if m sync 1 = 0 sync = 0 then win 1 1 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 win Figure 8: The game H is equivalent to H 1 as well. Observe that sync 1 = 0 implies that j > i or m S[j for some j. In the latter case, the correctness of the scheme however implies that c[j C[j and thus sync = 0 as well. 6
7 P 0 and C 0 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 return win Figure 9: The games P 0 and C 0 are identical to H, except that the winning condition win 1 win of the latter has been replaced by checking only one of the respective flags. H The game H is equivalent to H 1 except that the former no longer checks for sync = 0 when setting win 1 to true. Observe however that by the correctness of the scheme we have that m S[j implies c C[j and thus sync 1 = 0 implies sync = 0. Hence, the two games are equivalent as well. Now, consider the two games P 0 and C 0 as depicted in Figure 9. Observe that each of those games is equivalent to H except for the winning condition that only checks for win 1 or win, respectively, instead of win 1 win. Using the union bound we therefore obtain Pr [ A H0 1 = Pr [ A H1 1 = Pr [ A H 1 Pr [ A P0 1 + Pr [ A C0 1. (4) We proceed by bounding those two terms separately in the next sections..3 Upper bounding the advantage on P 0 Consider the game P 1 as shown in Figure 10, which basically corresponds to P 0 with all code related to the two unused flags win and sync removed. Moreover, the Enc-oracle has slightly been rewritten without changing the behavior. It is now easy to reduce any adversary A winning P 1 to another adversary A 3 winning INT-sfPTXT Ψ, as highlighted in Figure 11: A 3 initially flips a bit z and then whenever A queries the Enc oracle on m, A 3 queries the actual Enc-oracle on m = z m. Clearly, A 3 wins INT-sfPTXT Ψ if and only if A wins P 1. As a consequence, we have Pr [ A P0 1 = Pr [ A P1 1 [ = Pr A INT-sfPTXTΨ 3 1 = Adv IND-sfPTXT Ψ,A 3. (5).4 Upper bounding the advantage on C 0 In the following section, we upper bound Pr [ A C0 1 using a sequence of hybrids C 1, C, C 3, C 4, C 5, and C 6. 7
8 P 0 and P 1 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 m z m c E(k, m ) S[i m Figure 10: The game P 1 that is equivalent to P 0. P 1 win 1 0 if m sync 1 = 0 then win 1 1 return win 1 m z m c E(k, m ) S[i m Figure 11: The reduction from P 1 to INT-sfPTXT Ψ. The lines with the blue shade and the solid border belong to the INT-sfPTXT Ψ game, whereas the green shaded ones with the dashed border belong to the reduction. 8
9 C 0 and C 1 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win Figure 1: The game C 1 that is equivalent to C 0. C 1 C C 3 The game C 1, as depicted in Figure 1, corresponds to C 0 with all code related to the unused flag win 1 removed. Hence, the two games behave obviously equivalent. The game C corresponds to C 1 with the winning flag win replaced by a variable d guessing z. It is depicted in Figure 13. Note that sync 1 = 1 implies m = S[j, and thus m = z l for some length l > 0 (we use here that the empty bit-string is not in the message space). Hence, setting d to the first bit of m implies that the game is won, and is thus equivalent to setting the winning flag in C 1. The game C 3, as depicted in Figure 14, corresponds to C but with d initialized to 0 instead of giving an adversary a fifty percent chance of winning the game without setting the win flag. This makes C 3 a bit-guessing game. Observe that Pr AC 3 [win = 1 = Pr AC [win = 1 = Pr [ A C 1 and yielding Pr AC 3 [d = z win = 1 = Pr AC 3 [win = 1, Pr [ A C3 1 = Pr AC 3 [d = z = Pr AC 3 [d = z win = 1 + Pr AC 3 [d = z win = 0 = Pr AC 3 [d = z win = 1 + Pr AC 3 [d = z win = 0 Pr AC 3 [win = 0 = Pr AC 3 [d = z win = ( ) 1 Pr AC 3 [win = 1 = Pr [ A C ( 1 Pr [ A C 1 ). Rewriting the last equation we obtain Pr [ A C 1 ( = Pr [ A C3 1 1 ). (6) 9
10 C 1 and C win 0 d if m sync 1 = 1 sync = 0 then win 1 return win return (d = z) Figure 13: The game C, where m(1) denotes the first bit of m. Note that sync = 1 implies m = S[j = z l for some l > 0 (since λ / M). Hence, we have win = 1 iff d = z. C and C 3 win 0 d d 0 if m sync 1 = 1 sync = 0 then win 1 return (d = z) Figure 14: The bit-guessing game C 3. Observe that in comparison to C, the adversary has a fifty percent chance of winning the game without managing to set the win flag. 10
11 C 3 and C 4 d 0 bad 0 if m sync 1 = 1 sync = 0 then if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 15: The game C 4, that introduces the bad flag. It behaves equivalent to C 3, however, since bad is an internal variable only. C 4 C 5 The game C 4, as depicted in Figure 15, corresponds to C 3 with a bad flag introduced. The two games behave obviously equivalent. The game C 5 is depicted in Figure 16 and is identical until bad to C 5. Hence, by the Fundamental Lemma of game-playing we have Pr [ A C4 1 Pr [ A C5 1 + Pr [ A C4 sets bad. (7) C 6 C 7 We defer bounding the probability of bad being set to the end of the proof and continue bounding Pr [ A C5 1. The game C 6, as depicted in Figure 17, is a version of C 5 with the internal bad flag removed. This, in addition, allows removing all code related to the sync 1 flag without altering the behavior. The game C 7 is depicted in Figure 18. First, compared to C 6 the Enc-oracle has slightly been rewritten without modifying the behavior. Then, in the VF-oracle, in case of sync = 1 we no longer but true. Since sync = 1 implies c = C[j, however, we have by correctness that m M and thus m. Moreover, if sync = 1, we then reset m to without affecting the behavior. Hence, C 7 and C 6 behave equivalently. Now, observe that C 7 can be easily reduced to IND-sfCCA Ψ, as shown in Figure 19. For every adversary A against C 7 we can build A against IND-sfCCA Ψ that works as follows: it internally runs A and for every query m of the Enc oracle it queries the LR oracle of IND-sfCCA Ψ with m 0 = 0 m and m 1 = 1 m. In addition, A keeps track whether A is still in sync, so that on a query c to the VF oracle by A it queries the decryption oracle on c and then replies correctly to A. Moreover, once it detects that A is out of sync and the ciphertext decrypted to a valid ciphertext, it uses the first bit of the decrypted message as the guess of z. It is now easy to see that Pr [ A C7 1 [ = Pr A IND-sfCCAΨ 1. (8) 11
12 C 4 and C 5 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 16: The game C 4 that is identical until bad to the game C 5. C 5 and C 6 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 17: The game C 6. Since bad is an internal variable only, removing this flag and all then unused code related to setting it does not affect the behavior. 1
13 C 6 and C 7 d 0 m 0 0 m m 1 1 m c E(k, m z) if sync = 0 then m m m if m sync = 0 then if sync = 0 then return 1 return (d = z) Figure 18: The game C 7. Observe that in the VF oracle, if sync = 1, then we have c = C[j, which by correctness in turn implies that the cyphertext decrypts to the original message that is not equal to. Moreover, if sync = 1, then m is unused for the rest of the oracle call. C 7 d 0 m 0 0 m m 1 1 m c E(k, m z) if sync = 0 then m m m if m sync = 0 then if sync = 0 then return 1 return (d = z) Figure 19: The reduction from C 7 to IND-sfCCA Ψ. The lines with the blue shade and the solid border belong to the IND-sfCCA Ψ game, whereas the green shaded ones with the dashed border belong to the reductions. The uncolored lines are for bookkeeping that is replicated in both the IND-sfCCA Ψ game as well as the reduction. 13
14 Putting all together especially (6), (7), and (8) we obtain Pr [ A C0 1 = Pr [ A C1 1 = Pr [ A C 1 ( = Pr [ A C3 1 1 ) ( = Pr [ A C4 1 1 ) ( Pr [ A C5 1 + Pr [ A C4 sets bad 1 ) ( = Pr [ A C6 1 + Pr [ A C4 sets bad 1 ) ( = Pr [ A C7 1 + Pr [ A C4 sets bad 1 ) ( [ = Pr A IND-sfCCAΨ 1 + Pr [ A C4 sets bad 1 ) = Adv IND-sfCCA Ψ,A + Pr [ A C4 sets bad. (9) It remains to bound Pr [ A C4 sets bad. To this end, consider the game B 0, depicted in Figure 0, which is identical to C 4 except that the winning condition is no longer win being set, but bad being set. Hence, by definition we have Pr [ A C4 sets bad = Pr [ A B0 1, and moreover, it is easy to see that both B 1 and B behaves equivalently as well, as seen in Figures 0 and 1. Finally, observe that B is almost identical to the game P 1 defined above, as shown in Figure. Thus, using (5) we obtain Pr [ A C4 sets bad [ = Pr A INT-sfPTXTΨ 3 1. (10) Combining (1), (3), (4), (5), (9), and (10) concludes the proof. 14
15 B 0 and B 1 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 if sync 1 = 0 then bad 1 return bad Figure 0: The games B 0 and B 1. The former is identical to C 4 except that in the finalization now the bad flag gets checked. Moreover, B 1 behaves equivalent to B 0, since d is unused. B 1 and B bad 0 if m sync = 0 then if sync 1 = 0 then bad 1 if m sync 1 = 0 then bad 1 return bad Figure 1: The game P. Note that by correctness sync 1 = 0 implies sync = 0, and thus removing the former check does not change the behavior. 15
16 B and P 1 bad 0 win 1 0 if m sync 1 = 0 then bad 1 win 1 1 return bad return win 1 m z m c E(k, m ) S[i m Figure : It is easy to verify that B is equivalent to the game P 1 that has already been defined above. 16
17 References [BKN04 [BN08 M. Bellare, T. Kohno, and C. Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme, ACM Transactions on Information and System Security, vol. 7, no., pp , 004. doi: / [Online. Available: M. Bellare and C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Journal of Cryptology, vol. 1, no. 4, pp , 008. doi: /s x. [Online. Available: pdf. 17
CTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationUnforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationCascade Encryption Revisited
Cascade Encryption Revisited Peter Gaži 1,2 and Ueli Maurer 1 1 ETH Zürich, Switzerland Department of Computer Science {gazipete,maurer}@inf.ethz.ch 2 Comenius University, Bratislava, Slovakia Department
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationTopics. Probability Theory. Perfect Secrecy. Information Theory
Topics Probability Theory Perfect Secrecy Information Theory Some Terms (P,C,K,E,D) Computational Security Computational effort required to break cryptosystem Provable Security Relative to another, difficult
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationStandard versus Selective Opening Security: Separation and Equivalence Results
Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationIntegrity Analysis of Authenticated Encryption Based on Stream Ciphers
Integrity Analysis of Authenticated Encryption Based on Stream Ciphers Kazuya Imamura 1, Kazuhiko Minematsu 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k_imamur@echo.nuee.nagoya-u.ac.jp 2 NEC Corporation,
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationLecture 4: Perfect Secrecy: Several Equivalent Formulations
Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationOn Post-Quantum Cryptography
On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationNon-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999. This revised version corrects some mistakes
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationUnforgeable Quantum Encryption
Unforgeable Quantum Encryption Gorjan Alagic 1,2, Tommaso Gagliardoni 3, and Christian Majenz 4,5 1 Joint Center for Quantum Information and Computer Science, University of Maryland, College Park, MD 2
More informationEfficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE
Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE Yang Cui 1,2, Kirill Morozov 1, Kazukuni Kobara 1,2, and Hideki Imai 1,2 1 Research Center for Information
More informationOAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland
OAEP Reconsidered Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com February 13, 2001 Abstract The OAEP encryption scheme was introduced by Bellare and
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationStandard Security Does Not Imply Indistinguishability Under Selective Opening
Standard Security Does Not Imply Indistinguishability Under Selective Opening Dennis Hofheinz 1, Vanishree Rao 2, and Daniel Wichs 3 1 Karlsruhe Institute of Technology, Germany, dennis.hofheinz@kit.edu
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationPost-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms
Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms Made by: Ehsan Ebrahimi Theory of Cryptography Conference, Beijing, China Oct. 31 - Nov. 3, 2016 Joint work with Dominique Unruh Motivation:
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 13, 2011 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Anand Desai,Manav Singh Dahiya,Amol Bhavekar 1 Recap 1.1 MACs A Message Authentication
More information