Provable Security of BLAKE with Non-Ideal Compression Function
Slide 1/13: Provable Security of BLAKE with Non-Ideal Compression Function
Elena Andreeva, Atul Luykx, and Bart Mennink (KU Leuven)
Selected Areas in Cryptography, Windsor, Canada, August 17,
Slide 2/13 Preliminaries: BLAKE
H: {0,1}^{n/2} x {0,1}^* -> {0,1}^n, H(s, M) = h
SHA-3 finalist
HAIFA design
m_1, ..., m_k: padded message blocks of 2n bits
t_1, ..., t_k: HAIFA counter blocks of n/4 bits
Figure: h_0 -> f(s, m_1, t_1) -> h_1 -> ... -> f(s, m_k, t_k) -> h_k = h, with s of n/2 bits, m_i of 2n bits and t_i of n/4 bits
Slide 3/13 Preliminaries: BLAKE f
f: {0,1}^n x {0,1}^{n/2} x {0,1}^{2n} x {0,1}^{n/4} -> {0,1}^n, f(h_{i-1}, s, m_i, t_i) = h_i
Local wide-pipe design; f uses E: {0,1}^{2n} x {0,1}^{2n} -> {0,1}^{2n}
Figure: v_i (2n bits) is built from h_{i-1}, s, t_i^l, t_i^r and the constants C; w_i = E(m_i, v_i) with m_i (2n bits) as the key; h_i is w_i (2n bits) folded to n bits and xored with h_{i-1} and s||s
Slide 4/13 Preliminaries: State of the Art
Known results, assuming f ideal: pre, sec and col security of f; pre, sec, col and indif security of H
BLAKE follows the HAIFA design: pre/sec/col/indif security for f ideal
f lacks security analysis
Analysis of BLAKE's H and f with underlying E ideal
Slide 5/13 Preliminaries: Ideal Model Security: Col/Sec/Pre Resistance
Ideal cipher model: E: {0,1}^{2n} x {0,1}^{2n} -> {0,1}^{2n}; A has query access to E and E^{-1}; adversary A makes q queries
col: A outputs distinct (s, M), (s', M') s.t. H(s, M) = H(s', M')
  Adv^col_H(q) = max_A success probability of A
esec[λ]: given target (s', M') in {0,1}^λ, A outputs (s, M) != (s', M') s.t. H(s, M) = H(s', M')
  Adv^{esec[λ]}_H(q) = max_A max_{(s', M') in {0,1}^λ} success probability of A
epre: given target h in {0,1}^n, A outputs (s, M) s.t. H(s, M) = h
  Adv^epre_H(q) = max_A max_{h in {0,1}^n} success probability of A
(similar definitions if A attacks f)
Slide 6/13 Preliminaries: Ideal Model Security: Indifferentiability
Indifferentiability of H from a random oracle
H^E is indifferentiable from RO if there exists a simulator S such that (H, E) and (RO, S) are indistinguishable
Extension of indistinguishability: D may know the structure of H
(similar definitions if D attacks f)
Slide 7/13 Differentiability of f: Differentiability Attack
Figure: f as on slide 3/13, with output y
f differentiable from RO in 2^{n/4} queries (independently found by [Chang+11])
Differentiability: construct a distinguisher that tricks any simulator
Davies-Meyer differentiable in 2 queries:
  Real world: D queries E^{-1}(m, 0) -> h; D queries DM(h, m) -> y; h = y with probability 1
  Simulated world: D queries S^{-1}(m, 0) -> h; D queries RO(h, m) -> y; h = y with probability O(1/2^{2n})
BLAKE's f: the duplicate counter prevents this attack
  S^{-1}-responses non-compliant with the duplicate counter are useless to D
  After 2^{n/4} queries, this gets suspicious
Invalidates the assumption f ideal
Slide 8/13 Differentiability of f: State of the Art, ctd.
Known results (pre, sec, col of f; pre, sec, col, indif of H) rest on the assumption f ideal
Differentiability attack on f invalidates the assumption f ideal on which these results rest
Slide 9/13 Security of BLAKE: Preimage and Collision Resistance of BLAKE
Figure: f as on slide 3/13, with output y
Adv^epre_H(q) <= Adv^epre_f(q) = O(q/2^n)
BLAKE preserves epre
Let y in {0,1}^n be the target image; A makes q queries
Any E-query (m, v, w): preimage if w^l xor w^r xor h xor (s||s) = y
  Forward query: with probability O(1/2^n)
  Inverse query: with probability O(1/2^n)
Similarly, Adv^col_H(q) <= Adv^col_f(q) = O(q^2/2^n)
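As an added illustration, not code from the slides or from the BLAKE reference implementation, the toy model below captures the local wide-pipe structure of f over a lazily sampled ideal cipher. It shows the duplicate-counter compliance check behind the differentiability slides (why random S^{-1} responses are useless to D until about 2^{n/4} queries), the Davies-Meyer relation the two-query distinguisher relies on, and the finalization relation used in the preimage argument. Word size, constants and sample inputs are constructed.

```python
import secrets

# Constructed toy parameters (not real BLAKE): a 16-word state of W-bit words,
# so the chaining value h is 8W = n bits and the counter is 2W = n/4 bits.
W = 16
MASK = (1 << W) - 1
C = [(0x243F + 0x1111 * i) & MASK for i in range(8)]   # constructed c_0..c_7


class IdealCipher:
    """Lazily sampled ideal cipher E: for each key m a random permutation of
    16-word states, with E and E^{-1} kept consistent (the 'E ideal' model)."""

    def __init__(self):
        self.fwd = {}   # (key, x) -> y
        self.inv = {}   # (key, y) -> x

    @staticmethod
    def _fresh_state():
        return tuple(secrets.randbelow(1 << W) for _ in range(16))

    def E(self, key, x):
        if (key, x) not in self.fwd:
            y = self._fresh_state()
            while (key, y) in self.inv:          # keep E(key, .) a permutation
                y = self._fresh_state()
            self.fwd[(key, x)], self.inv[(key, y)] = y, x
        return self.fwd[(key, x)]

    def E_inv(self, key, y):
        if (key, y) not in self.inv:
            x = self._fresh_state()
            while (key, x) in self.fwd:
                x = self._fresh_state()
            self.fwd[(key, x)], self.inv[(key, y)] = y, x
        return self.inv[(key, y)]


def init_state(h, s, t):
    """v = (h, s xor c_0..c_3, t^l xor c_4, t^l xor c_5, t^r xor c_6, t^r xor c_7):
    each counter half is written twice, the 'duplicate counter'."""
    tl, tr = t
    return (tuple(h) + tuple(s[i] ^ C[i] for i in range(4))
            + (tl ^ C[4], tl ^ C[5], tr ^ C[6], tr ^ C[7]))


def finalize(h, s, w):
    """h' = h xor (s||s) xor w^l xor w^r, folded word by word: the relation
    'w^l xor w^r xor h xor (s||s) = y' used in the preimage argument."""
    return tuple(h[i] ^ s[i % 4] ^ w[i] ^ w[i + 8] for i in range(8))


def compress(cipher, h, s, m, t):
    """f(h, s, m, t): local wide pipe, E keyed by the message block m."""
    return finalize(h, s, cipher.E(m, init_state(h, s, t)))


def is_compliant(v):
    """Could v be init_state(h, s, t) for some h, s, t? Only if both copies
    of each counter half agree once the constants are stripped."""
    return v[12] ^ C[4] == v[13] ^ C[5] and v[14] ^ C[6] == v[15] ^ C[7]


def davies_meyer_relation_holds(cipher, m):
    """Real-world relation behind the two-query distinguisher for plain
    Davies-Meyer: h = E^{-1}(m, 0) and DM(h, m) = E(m, h) xor h = h."""
    h = cipher.E_inv(m, (0,) * 16)
    y = tuple(a ^ b for a, b in zip(cipher.E(m, h), h))
    return y == h


def count_compliant_inverse_responses(cipher, trials):
    """Fresh inverse queries E^{-1}(m, w) return a uniform v, which is
    compliant with probability 2^{-2W} = 2^{-n/4}; a simulator answering
    S^{-1} at random therefore almost never yields a state D can feed to f."""
    m = (0x1234,) * 16                                 # constructed key block
    hits = 0
    for i in range(trials):
        w = (i & MASK, (i >> W) & MASK) + (0,) * 14    # distinct targets
        if is_compliant(cipher.E_inv(m, w)):
            hits += 1
    return hits


if __name__ == "__main__":
    cipher = IdealCipher()
    h0, s, m, t = tuple(range(8)), (1, 2, 3, 4), (7,) * 16, (128, 0)
    print("f(h0, s, m, t) =", compress(cipher, h0, s, m, t))
    print("honest v compliant:", is_compliant(init_state(h0, s, t)))
    print("DM relation holds:", davies_meyer_relation_holds(cipher, m))
    print("compliant random inverse responses out of 4096:",
          count_compliant_inverse_responses(cipher, 4096))
```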
Slide 10/13 Security of BLAKE: Second Preimage Resistance of BLAKE
Figure: target chain h'_0 -> f(s', m'_1, t'_1) -> h'_1 -> ... -> f(s', m'_l, t'_l) -> h'_l and response chain h_0 -> f(s, m_1, t_1) -> h_1 -> ... -> f(s, m_k, t_k) -> h_k (s of n/2 bits, m_i of 2n bits, t_i of n/4 bits)
esec not preserved: Adv^{esec[λ]}_H(q) <= Adv^{esec[λ]}_f(q) does not hold in general
Adv^{esec[λ]}_H(q) = O(q/2^n)!
Let (s', M') be the target preimage and (s, M) the response by A
f-coll: (h_{i-1}, s, m_i, t_i) -> {h'_1, ..., h'_l}
Any E-query: f-coll with probability O(l/2^n)
BLAKE achieves better second preimage resistance!
  t_i fixes a particular target state value from {h'_1, ..., h'_l}
  Any E-query: f-coll with probability O(1/2^n)
Slide 11/13 Security of BLAKE: Indifferentiability of BLAKE
Figure: h_0 -> f(s, m_1, t_1) -> h_1 -> ... -> f(s, m_k, t_k) -> h_k = h
Adv^indif_H(D) = O((Kq)^2/2^n) (where D makes at most q queries of length at most K blocks)
We restore the old indifferentiability bound on BLAKE in the ICM
High-level proof idea:
  S maintains a graph: edges correspond to f-evaluations
  Complete paths should be in correspondence with RO
Technical details in the paper
(independently found by [Chang+11])
Slide 12/13 Conclusions
Known results for pre, sec, col of f and pre, sec, col, indif of H assumed f ideal
Differentiability attack on f invalidates that assumption
Fix in the ideal cipher model: pre, sec, col of f and pre, sec, col, indif of H now hold for E ideal
Slide 13/13 Conclusions: Comparison of SHA-3 Finalists [AMPS12]
Table columns: l, m, pre, sec, col, indif, assumption
BLAKE: E ideal
Grøstl: L; P, Q ideal
JH: P ideal
Keccak: P ideal
Skein: E ideal
NIST's requirements: L
Slide 14/13 Supporting Slides
Slide 15/13 Supporting Slides: Indifferentiability of BLAKE
Figure: h_0 -> f(s, m_1, t_1) -> h_1 -> ... -> f(s, m_k, t_k) -> h_k = h
Adv^indif_H(D) = O((Kq)^2/2^n) (where D makes at most q queries of length at most K blocks)
Indifferentiability: construct a simulator that tricks any distinguisher
S maintains a graph: edges correspond to f-evaluations
Any S-query defines at most one edge: h -(s, m, t)-> h'
Complete path: h_0 -(s, m_1, t_1)-> h_1 -> ... -(s, m_k, t_k)-> h_k for correctly padded (m_1, ..., m_k), (t_1, ..., t_k)
Slide 16/13 Supporting Slides: Indifferentiability of BLAKE
Forward query S(m, v):
  if the new query creates a complete path then (a new query likely results in at most 1 complete path)
    generate w in accordance with RO
  else
    generate w uniformly at random
  end if
  add the new edge to the graph
Inverse query S^{-1}(m, w): (a new query likely results in no complete path)
  generate v uniformly at random
  add the new edge to the graph
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationMixed Criticality Systems with Weakly-Hard Constraints
Mixed Criticality Systems with Weakly-Hard Costraits Oliver Gettigs Uiversity of York oliver@cs.york.ac.uk Sophie Quito INRIA Greoble sophie.quito@iria.fr Rob Davis Uiversity of York rob.davis@york.ac.uk
More informationCONSTRUCTING TRUNCATED IRRATIONAL NUMBERS AND DETERMINING THEIR NEIGHBORING PRIMES
CONSTRUCTING TRUNCATED IRRATIONAL NUMBERS AND DETERMINING THEIR NEIGHBORING PRIMES It is well kow that there exist a ifiite set of irratioal umbers icludig, sqrt(), ad e. Such quatities are of ifiite legth
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationOn the Security of Hash Functions Employing Blockcipher Postprocessing
On the Security of Hash Functions mploying Blockcipher Postprocessing Donghoon Chang 1, Mridul Nandi 2, and Moti Yung 3 1 National Institute of Standards and Technology, USA pointchang@gmail.com 2 C R
More informationImproved Indifferentiability Security Bound for the JH Mode
Improved Indifferentiability Security Bound for the JH Mode Dustin Moody Souradyuti Paul Daniel Smith-Tone National Institute of Standards and Technology Gaithersburg, MD, USA dustin.moody@nist.gov National
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More information19.1 The dictionary problem
CS125 Lecture 19 Fall 2016 19.1 The dictioary proble Cosider the followig data structural proble, usually called the dictioary proble. We have a set of ites. Each ite is a (key, value pair. Keys are i
More informationCS284A: Representations and Algorithms in Molecular Biology
CS284A: Represetatios ad Algorithms i Molecular Biology Scribe Notes o Lectures 3 & 4: Motif Discovery via Eumeratio & Motif Represetatio Usig Positio Weight Matrix Joshua Gervi Based o presetatios by
More information5.6 Absolute Convergence and The Ratio and Root Tests
5.6 Absolute Covergece ad The Ratio ad Root Tests Bria E. Veitch 5.6 Absolute Covergece ad The Ratio ad Root Tests Recall from our previous sectio that diverged but ( ) coverged. Both of these sequeces
More informationCryptographic Hash Functions and Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell
Cryptographic Hah Fuctio ad Meage Autheticatio Code Readig: Chapter 4 of Katz & Lidell 1 Hah fuctio A fuctio mappig from a domai to a maller rage (thu ot ijective). Applicatio: Fat looup (hah table) Error
More informationMATH301 Real Analysis (2008 Fall) Tutorial Note #7. k=1 f k (x) converges pointwise to S(x) on E if and
MATH01 Real Aalysis (2008 Fall) Tutorial Note #7 Sequece ad Series of fuctio 1: Poitwise Covergece ad Uiform Covergece Part I: Poitwise Covergece Defiitio of poitwise covergece: A sequece of fuctios f
More informationThe Paillier Cryptosystem
E-Votig Semiar The Paillier Cryptosystem Adreas Steffe Hochschule für Techik Rapperswil adreas.steffe@hsr.ch Adreas Steffe, 17.1.010, Paillier.pptx 1 Ageda Some mathematical properties Ecryptio ad decryptio
More informationThis chapter focuses on two experimental designs that are crucial to comparative studies: (1) independent samples and (2) matched pair samples.
Chapter 9 & : Comparig Two Treatmets: This chapter focuses o two eperimetal desigs that are crucial to comparative studies: () idepedet samples ad () matched pair samples Idepedet Radom amples from Two
More informationECEN 655: Advanced Channel Coding Spring Lecture 7 02/04/14. Belief propagation is exact on tree-structured factor graphs.
ECEN 655: Advaced Chael Codig Sprig 014 Prof. Hery Pfister Lecture 7 0/04/14 Scribe: Megke Lia 1 4-Cycles i Gallager s Esemble What we already kow: Belief propagatio is exact o tree-structured factor graphs.
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More information(I.C) THE DISTRIBUTION OF PRIMES
I.C) THE DISTRIBUTION OF PRIMES I the last sectio we showed via a Euclid-ispired, algebraic argumet that there are ifiitely may primes of the form p = 4 i.e. 4 + 3). I fact, this is true for primes of
More informationHashing. Algorithm : Design & Analysis [09]
Hashig Algorithm : Desig & Aalysis [09] I the last class Implemetig Dictioary ADT Defiitio of red-black tree Black height Isertio ito a red-black tree Deletio from a red-black tree Hashig Hashig Collisio
More informationLecture 4: Unique-SAT, Parity-SAT, and Approximate Counting
Advaced Complexity Theory Sprig 206 Lecture 4: Uique-SAT, Parity-SAT, ad Approximate Coutig Prof. Daa Moshkovitz Scribe: Aoymous Studet Scribe Date: Fall 202 Overview I this lecture we begi talkig about
More information7.7 Hashing. 7.7 Hashing. Perfect Hashing. Direct Addressing
Dictioary: S.isertx): Isert a elemet x. S.deletex): Delete the elemet poited to by x. S.searchk): Retur a poiter to a elemet e with key[e] = k i S if it exists; otherwise retur ull. So far we have implemeted
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationw (1) ˆx w (1) x (1) /ρ and w (2) ˆx w (2) x (2) /ρ.
2 5. Weighted umber of late jobs 5.1. Release dates ad due dates: maximimizig the weight of o-time jobs Oce we add release dates, miimizig the umber of late jobs becomes a sigificatly harder problem. For
More information