Modern Cryptography Lecture 4
|
|
- Dwain McCarthy
- 5 years ago
- Views:
Transcription
1 Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018
2 2 Webpage Page for first part, Homeworks, Slides
3 3-1 Recall: Security against Chosen-Plaintext Attacks (CPA) security parameter n N A m {0, 1} k Gen(1 n ) Enc k (m) b {0, 1} m 0, m 1 {0, 1} m 0 = m 1 Enc k (m b ) m {0, 1} Enc k (m) b
4 3-2 Recall: Security against Chosen-Plaintext Attacks (CPA) security parameter n N A m {0, 1} k Gen(1 n ) Enc k (m) b {0, 1} challenge phase guess m 0, m 1 {0, 1} m 0 = m 1 Enc k (m b ) m {0, 1} Enc k (m) b pre- & post-challenge query phase
5 3-3 Recall: Security against Chosen-Plaintext Attacks (CPA) Definition 3.22 Π = security (Gen, Enc, parameter Dec) is n (adaptively) N ind-cpa secure if for every PPT adversary Pr[PrivK A eav A,Π(n) m = {0, 1] def = 1} Pr[b = b ] 1/2 + negl(n) k Gen(1 n ) b {0, 1} Enc k (m) m 0, m 1 {0, 1} m 0 = m 1 Enc k (m b ) m {0, 1} Enc k (m) b
6 3-4 Recall: Security against Chosen-Plaintext Attacks (CPA) Definition 3.22 Π = security (Gen, Enc, parameter Dec) is n (adaptively) N ind-cpa secure if for every PPT adversary Pr[PrivK A eav A,Π(n) m = {0, 1] def = 1} Pr[b = b ] 1/2 + negl(n) k Gen(1 n ) b {0, 1} Enc k (m) m 0, m 1 {0, 1} m 0 = m 1 To construct a CPA secure Enc scheme k (m b ) we first need to introduce the notion of pseudorandom functions. But first we ll mention m yet {0, another 1} equivalent security notion. Enc k (m) b
7 4-1 Left-or-Right CPA Security security parameter n N A m 0, m 1 {0, 1} m 0 = m 1 Enc k (m b ) k Gen(1 n ) b {0, 1} b
8 4-2 Left-or-Right CPA Security security parameter n N A m 0, m 1 {0, 1} m 0 = m 1 Enc k (m b ) k Gen(1 n ) b {0, 1} b Definition 3.23 Π = (Gen, Enc, Dec) is (adaptively) LR-ind-CPA a secure if for every PPT adversary Pr[b = b ] 1/2 + negl(n) a in the book this is called CPA secure for multiple encryptions.
9 4-3 Left-or-Right CPA Security security parameter n N A m 0, m 1 {0, 1} m 0 = m 1 Enc k (m b ) k Gen(1 n ) b {0, 1} b security against LR-ind-CPA implies secrity against ind-cpa (trivial, tight reduction). other direction also holds, but reduction is not tight (loses a poly factor, namely # of queries, in advantage).
10 5 Recall: Pseudorandom Generators Definition 3.14 A (deterministic) poly-time algorithm G : {0, 1} n {0, 1} l(n) is a pseudorandom generator if 1. (Expansion: ) n : l(n) > n 2. (Pseudorandomness: ) {G(U n )} n N is a sequence of pseudorandom distributions, i.e., for all PPT alg. D Pr[D(Ul(n) ) = 1] Pr[D(G(U n )) = 1] = negl(n)
11 Pseudorandom Functions Pseudorandom generator: efficiently expands a random seed so the output can t be efficiently distinguished from a uniformly random string. Pseudorandom function: a keyed, efficiently computable function that can t be efficiently distinguished from a random function. 6-1
12 Pseudorandom Functions Pseudorandom generator: efficiently expands a random seed so the output can t be efficiently distinguished from a uniformly random string. Pseudorandom function: a keyed, efficiently computable function that can t be efficiently distinguished from a random function. Definition 3.25 F : {0, 1} l key {0, 1} l in {0, 1} l out is a pseudorandom function (PRF) if 1. efficient: The key-length, input-length and output length are polynomial in the security parameter n, say l key (n) = l in (n) = l out (n) = n and F can be computed in polynomial time. 2. secure: F(k, ) with a random key k {0, 1} n cannot be distinguished from a random function {0, 1} n {0, 1} n. How do we actually formalize this? 6-2
13 Pseudorandom Functions Let Func n denote the functions {0, 1} n {0, 1} n. Func n = 2 2n n, so f Func n requires 2 n n bits to describe. Can t even read description in poly(n) time (we could set l in = log(n), but that s not interesting). Idea: give distinguisher only oracle access to the function it needs to distinguish! Definition 3.25 F : {0, 1} l key {0, 1} l in {0, 1} l out is a pseudorandom function (PRF) if 1. efficient: The key-length, input-length and output length are polynomial in the security parameter n, say l key (n) = l in (n) = l out (n) = n and F can be computed in polynomial time. 2. secure: F(k, ) with a random key k {0, 1} n cannot be distinguished from a random function {0, 1} n {0, 1} n. How do we actually formalize this? 6-3
14 7-1 The PRF security game security parameter n N b {0, 1} k {0, 1} n f Func n
15 7-2 The PRF security game security parameter n N b {0, 1} k {0, 1} n x if b = 0 f Func n (x)
16 7-3 The PRF security game security parameter n N b {0, 1} k {0, 1} n if b = 1 x f Func n f(x)
17 7-4 The PRF security game security parameter n N b {0, 1} k {0, 1} n b f Func n
18 7-5 The PRF security game Definition 3.25 F : {0, 1} l key {0, 1} l in {0, 1} l out is a pseudorandom function (PRF) if 1. efficient: The key-length, input-length and output length l out are polynomial in the security parameter n, say l key (n) = l in (n) = l out (n) = n and F can be computed in polynomial time. 2. secure: for every PPT D Pr[b = 1 b = 0] Pr[b = 1 b = 1] = Pr n[df(k, ) = 1] Pr [D f( ) = 1] k {0,1} f Func n = negl(n)
19 Pseudorandom Permutations Let Perm n Func n denote all permutations over {0, 1} n. Perm n = 2 n! We can define pseudorandom permutations almost exactly like pseudorandom functions. 8-1
20 Pseudorandom Permutations Let Perm n Func n denote all permutations over {0, 1} n. Perm n = 2 n! We can define pseudorandom permutations almost exactly like pseudorandom functions. Definition F : {0, 1} l key {0, 1} l in {0, 1} l out is a pseudorandom permutation (PRF) if 1. efficient: defined like for PRFs. 2. ( ) is a permutation (so in particular, l in (n) = l out (n) for all n). 3. secure: for every PPT D Pr [D F(k, ) = 1] Pr [D f( ) = 1] k {0,1} l key (n) f Perm lin (n) = negl(n) 8-2
21 Pseudorandom Permutations Let Perm n Func n denote all permutations over {0, 1} n. Perm n = 2 n! We can define pseudorandom permutations almost exactly like pseudorandom functions. Proposition 3.27 If F is a pseudorandom permutation and l in (n) n (actually, l in (n) w(log(n)) is sufficient), then F is also a pseudorandom function. Follows from the PRP/PRF switching lemma : the advantage in distinguishing a random permutation over {0, 1} m from a random function {0, 1} m {0, 1} m making q queries is q2 2 m. 8-3
22 9-1 Strong Pseudorandom Permutations For a permutation also inverse queries are well defined. A PRP that is secure even when allowing inverse queries is called a strong PRP. Definition 3.28 F : {0, 1} l key {0, 1} l in {0, 1} l out is a strong pseudorandom permutation if for every k, F(k, ) is a permutation where ( ) and F 1 k ( ) can be efficiently computed, and for every PPT D Pr [D F(k, ),F 1 (k, ) = 1] k {0,1} l key (n) Pr f Perm lin (n) [D f( ),f 1 ( ) = 1] = negl(n)
23 9-2 Strong Pseudorandom Permutations For a permutation also inverse queries are well defined. A PRP that is secure even when allowing inverse queries is called a strong PRP. In practice, block-ciphers are designed to be strong PRPs, but not in an asymptotic sense, but for fixed key-lenghts and block-size, and assuming that brute-force is the best attack to distinguish. DES, 1975 l in = 64, l key = 56 AES, 1998 l in = 128, l key {128, 192, 256}
24 9-3 Strong Pseudorandom Permutations For a permutation also inverse queries are well defined. A PRP that is secure even when allowing inverse queries is called a strong PRP. In practice, block-ciphers are designed to be strong PRPs, but not in an asymptotic sense, but for fixed key-lenghts and block-size, and assuming that brute-force is the best attack to distinguish. DES, 1975 l in = 64, l key = 56 AES, 1998 l in = 128, l key {128, 192, 256}
25 10-1 CPA secure encryption from PRFn/PRPs For a strong PRP F : {0, 1} n {0, 1} {0, 1} n consider Enc(m) = (m), Dec k (c) = F 1 k (c)
26 10-2 CPA secure encryption from PRFn/PRPs For a strong PRP F : {0, 1} n {0, 1} {0, 1} n consider Enc(m) = (m), Dec k (c) = F 1 k (c) Single encryption (m) doesn t leak anything about m, but not CPA secure because the scheme is deterministic, so m = m implies (m) = (m ).
27 10-3 CPA secure encryption from PRFn/PRPs Construction 3.30 F : {0, 1} n {0, 1} n {0, 1} n Enc(k, m {0, 1} n ) : sample r {0, 1} n, output c := r, m (r) Dec(c = r, s ) : output m := (r) s Enc k (m) $ r F k m r s F m k Dec k ( r, s )
28 10-4 CPA secure encryption from PRFn/PRPs Construction 3.30 F : {0, 1} n {0, 1} n {0, 1} n Enc(k, m {0, 1} n ) : sample r {0, 1} n, output c := r, m (r) Dec(c = r, s ) : output m := (r) s Enc k (m) $ r F k m F k Dec k ( r, s ) Theorem 3.31 If F is a PRF then Construction 3.30 is a CPA-secure private-key encryption scheme for messages of length m. r s m
29 Proof of Thm Theorem 3.31 If F is a PRF then Construction 3.30 is a CPA-secure private-key encryption scheme for messages of length m. Enc k (m) $ r F k m r s F k Dec k ( r, s ) m 11-1
30 11-2 $ r Proof of Thm Theorem 3.31 If F is a PRF then Construction 3.30 is a CPA-secure private-key encryption scheme for messages of length m. Enc k (m) f m r s Dec k ( r, s ) Proof sketch: Consider new scheme Π, where, k {0, 1} n is replaced with a random function f Func n. If F is a PRF then no adversary can distinguish original construction from Π (with non-negligible probability). Π is CPA seucre: let r, s denote the challenge ciphertext. If r is was not used in any other the other q(n) encryptions then challenge ciphertext r, s = f(r ) m b perfectly hides b. Prob. that r has been used before is q(n)/2 n = negl(n). f m
31 Block-Cipher Modes of Operation Construction 3.30, where Enc k (m) = r, (r) m, only works for messages of fixed length n. Can encrypt long message m = m 1,..., m l {0, 1} n l as Enc k (m 1 ),..., Enc k (m l ) but the ciphertext is twice as long as the message and it uses a lot of randomness. block-cipher modes of operation provide a way of encrypting arbitrary length messages with less (ciphertext size, randomness) overhead. In general, the term mode of operation refers to a construction which turns a simple building block (e.g. PRF,PRP/block-cipher,hash function) into a useful cryptographic scheme (e.g. encryption/authentication for arbitrary length messages). 12
32 13-1 Electronic Code Book (ECB) mode Naïve mode of operation where we just apply the block-cipher to each plaintext block. DON T USE, JUST DISCUSSED FOR HISTORIC REASONS m 1 m 2 m 3 c 1 c 2 c 3
33 13-2 Electronic Code Book (ECB) mode Naïve mode of operation where we just apply the block-cipher to each plaintext block. DON T USE, JUST DISCUSSED FOR HISTORIC REASONS m 1 m 2 m 3 c 1 c 2 c 3 Is deterministic (i.e., encrypting same message twice gives the same ciphertext both times), and thus can t be CPA secure.
34 13-3 Electronic Code Book (ECB) mode Naïve mode of operation where we just apply the block-cipher to each plaintext block. DON T USE, JUST DISCUSSED FOR HISTORIC REASONS m 1 m 2 m 3 c 1 c 2 c 3 ECB in practice
35 14-1 IV IV Cipher Block Chaining (CBC) mode m 1 m 2 m 3 c 1 c 2 c 3 Enc k (m 1,..., m l ) random IV {0, 1} n c 0 := IV c i := (c i 1 m i ) c := IV, c 1,..., c l homework: what if IV s are just distinct, not random.
36 Cipher Block Chaining (CBC) mode Enc k (m 1,..., m l ) m 1 m 2 m 3 random IV {0, 1} n c IV 0 := IV c i := (c i 1 m i ) c := IV, c 1,..., c l homework: what if IV s IV c 1 c 2 c 3 are just distinct, not random. chained CBC (SSL 3.0 and TLS 1.0) reuse last ciphertext block as new IV. Susceptible to CPA attack! m 1 m 2 m 3 m 4 m 5 IV c 3 IV 14-2 c 1 c 2 c 3 c 4 c 5
37 IV IV c 1 Output Feedback (OFB) mode. c 2 m 1 m 2 m 3 c 3 Enc k (m 1,..., m l ) random IV {0, 1} n y 0 := IV, y i := (y i 1 ) c i := y i m i c := IV, c 1,..., c l 15-1
38 IV IV 15-2 c 1 Output Feedback (OFB) mode. c 2 m 1 m 2 m 3 c 3 Enc k (m 1,..., m l ) random IV {0, 1} n y 0 := IV, y i := (y i 1 ) c i := y i m i c := IV, c 1,..., c l Comparison to CBC does not need to be invertible, can use any PRF instead of PRP. Plaintext length does not need to be multiple of n, can be capped at any point. Unlike for CBC, the stateful variant (where last y l is used as IV for next encryption) is secure (synchronized stream-cipher mode). Still sequential like CBC, but the y i can be computed before the m i are known. Computing c i from y i, m i is extremely fast and parallelizable.
39 ctr ctr ctr + 1 c 1 c 2 Counter (CTR) mode ctr + 2 ctr + 3 m 1 m 2 m 3 c 3 Enc k (m 1,..., m l ) random ctr {0, 1} n y i := (ctr + i) c i := y i m i c := ctr, c 1,..., c l 16-1
40 ctr ctr ctr + 1 c 1 c 2 Counter (CTR) mode ctr + 2 ctr + 3 m 1 m 2 m 3 c 3 Fully parallelizable! Can decode individual blocks. Enc k (m 1,..., m l ) random ctr {0, 1} n y i := (ctr + i) c i := y i m i c := ctr, c 1,..., c l 16-2
41 ctr 16-3 ctr + 1 c 1 c 2 Counter (CTR) mode ctr + 2 ctr + 3 m 1 m 2 m 3 c 3 Enc k (m 1,..., m l ) random ctr {0, 1} n y i := (ctr + i) c i := y i m i c := ctr, c 1,..., c l ctr Theorem 3.2 If F is a PRF then the CTR mode is CPA-secure. Proof sketch Define scheme Π where we replace, k {0, 1} n with random function f Func n. If adversary can distinguish Π from actual scheme we have a distinguisher for the PRF. The security of Π can now be proven using information theoretic arguments: if the inputs ctr + 1,..., ctr + l used in the challenge ciphertext do not collide with any other inputs ever used, encryption is perfect. So we can bound the advantage by the probability of a collision. The collision probability is q(n) 2 /2 n where q(n) is the total number of encrypted blocks. As q(n) = poly(n) this probability is negligible.
42 ctr ctr ctr + 1 c 1 c 2 Counter (CTR) mode ctr + 2 ctr + 3 m 1 m 2 m 3 c 3 Enc k (m 1,..., m l ) random ctr {0, 1} n y i := (ctr + i) c i := y i m i c := ctr, c 1,..., c l Concrete Security CTR, CBC, OFB can all be broken with advantage q(n) 2 /2 n by an attacker making q(n) queries. So the concrete security is only around 2 n/2, one thus should use PRFs with large enough blocks size. n = 64 like in DES is not enough as 2 n/2 is only 34GB of plaintexts. AES where n = 128 is plenty. 16-4
43 17-1 Chosen-Ciphertext Attacks 3.7 A chosen-ciphertext (CCA) attack is defined like a chosen-plaintext attack (CPA), but the attacker is not only given access to an encryption oracle Enc k ( ), but additionally given access to a decryption oracle Dec k ( ).
44 17-2 Chosen-Ciphertext Attacks 3.7 security parameter n N A m {0, 1} k Gen(1 n ) Enc k (m) b {0, 1} c {0, 1} Dec k (m)
45 Chosen-Ciphertext Attacks 3.7 security parameter n N A m {0, 1} k Gen(1 n ) Enc k (m) b {0, 1} c {0, 1} Dec k (m) 17-3 m 0, m 1 {0, 1} m 0 = m 1 c := Enc k (m b ) more access to Enc k, Dec k but may not query Dec k on c
46 Chosen-Ciphertext Attacks 3.7 security parameter n N A m {0, 1} k Gen(1 n ) Enc k (m) b {0, 1} c {0, 1} Dec k (m) 17-4 m 0, m 1 {0, 1} m 0 = m 1 c := Enc k (m b ) more access to Enc k, Dec k but may not query Dec k on c b
47 Chosen-Ciphertext Attacks 3.7 security parameter n N A m {0, 1} Enc k (m) k Gen(1 n ) b {0, 1} Definition 3.33 Π c = {0, (Gen, 1} Enc, Dec) is (adaptively) ind-cca secure if for every PPT adversary Pr[b Dec = b k ](m) 1/2 + negl(n) 17-5 m 0, m 1 {0, 1} m 0 = m 1 c := Enc k (m b ) more access to Enc k, Dec k but may not query Dec k on c b
48 18-1 CCA Security of the schemes we ve seen so far None of the schemes we ve seen so far is CCA secure, consider e.g. the simple scheme Enc k (m) := r, (r) m
49 18-2 CCA Security of the schemes we ve seen so far None of the schemes we ve seen so far is CCA secure, consider e.g. the simple scheme Enc k (m) := r, (r) m Assume adversary is given the challenge ciphertext r, s := (r) m b. For any x 0 n he can ask for s x (r) }{{} =m b x := Dec k ( r, s x ) and learns m b x, and thus b.
50 CCA Security of the schemes we ve seen so far None of the schemes we ve seen so far is CCA secure, consider e.g. the simple scheme Enc k (m) := r, (r) m Assume adversary is given the challenge ciphertext r, s := (r) m b. For any x 0 n he can ask for s x (r) }{{} =m b x := Dec k ( r, s x ) and learns m b x, and thus b. CCA security implies/requires non-malleability. Very informally, this means that a ciphertext cannot be changed into a ciphertext of a related message. 18-3
51 19-1 Padding-Oracle Attacks We ll discuss an attack where the attacker launches a very weak (and realistic) form of chosen-ciphertext attack. He only needs to learn if the chosen ciphertexts are valid or not.
52 19-2 Padding-Oracle Attacks We ll discuss an attack where the attacker launches a very weak (and realistic) form of chosen-ciphertext attack. He only needs to learn if the chosen ciphertexts are valid or not. PKCS#5 padding CBC can only encrypt messages whose length is a multiple of the blocksize of the underlying PRP (typically 16 bytes). If the message does not have this property, it needs to be padded to the right length. Assume m is L bytes long and let b := 16 L mod 16 (so L + b is a multiple of 16) To pad m, just append b times the value b to the end (except if b = 0 then add it 16 times) e.g. Hello Hello BBBBBBBBBBB (here B is 11 in hexadecimal). HelloWorld HelloWorld abcdefghijklmnop abcdefghijklmnop
53 Padding-Oracle Attacks We ll discuss an attack where the attacker launches a very weak (and realistic) form of chosen-ciphertext attack. He only needs to learn if the chosen ciphertexts are valid or not. To remove padding, read last byte 0xb, then check if last b bytes are all 0xb, if yes, remove last b bytes and output remaining string, otherwise output padding error. Hello Hello BBBBBBBBBBB (here B is 11 in hexadecimal). HelloWorld HelloWorld abcdefghijklmnop abcdefghijklmnop
54 19-4 IV IV c 1 Padding-Oracle Attacks m 1 m 2 c 2 Encryption of (padded) message m 1 m 2. A observes c := (IV, c 1, c 2 ). m 2 = F 1 k (c 2) c 1 ends in } b {{ b } b times
55 19-5 IV IV c 1 Padding-Oracle Attacks m 1 m 2 c 2 Decryption checks if plaintext has correct padding. If not return error. Given access to decryption oracle that just tells if ciphertext is valid allows to recover the entire message!
56 IV IV Padding-Oracle Attacks m 1 m 2 c 1 c 2 Decryption checks if plaintext has correct padding. If not return error. Given access to decryption oracle that just tells if ciphertext is valid allows to recover the entire message! If we change c 1 to a c 1 = c 1, the last block will be decoded to m 2 = F 1 k (c 2) c 1 = m 2. An adversary given access to a decryption oracle which only tells if decryption failed can learn b: change first byte of c 1, if decryption fails then b = 16, otherwise change 2nd byte of c 1, if decryption fails b = 15, etc.. Hello BBBBBBBBBBB Xello BBBBBBBBBBB padding ok Hello BBBBBBBBBBB XXXXX XBBBBBBBBBB not ok 19-6
57 IV IV c 1 Padding-Oracle Attacks m 1 m 2 c 2 Decryption checks if plaintext has correct padding. If not return error. Given access to decryption oracle that just tells if ciphertext is valid allows to recover the entire message! If we change c 1 to a c 1 = c 1, the last block will be decoded to m 2 = F 1 k (c 2) c 1 = m 2. An adversary given access to a decryption oracle which only tells if decryption failed can learn b: change first byte of c 1, if decryption fails then b = 16, otherwise change 2nd byte of c 1, if decryption fails b = 15, etc.. Hello BBBBBBBBBBB Xello BBBBBBBBBBB padding ok Hello BBBBBBBBBBB XXXXX XBBBBBBBBBB not ok 19-7
58 19-8 IV IV c 1 Padding-Oracle Attacks m 1 m 2 c 2 Decryption checks if plaintext has correct padding. If not return error. Given access to decryption oracle that just tells if ciphertext is valid allows to recover the entire message! Once A learned b, he known m 2 ends in β b b }{{} b times define i def = i (b + 1)... (b + 1) }{{} b times b... b }{{} b times for some β. Replacing c 2 with c 2 i will return padding error except if the last b + 1 bytes of m 2 i are (b + 1) which holds iff β i = (b + 1). Can learn β in at most 2 8 queries.
Block ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationOnline Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh
Online Cryptography Course Using block ciphers Review: PRPs and PRFs Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationBlock encryption of quantum messages
Block encryption of quantum messages Min Liang 1 and Li Yang,3 1 Data Communication Science and Technology Research Institute, Beijing 100191, China liangmin07@mails.ucas.ac.cn State Key Laboratory of
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More information7 Security Against Chosen Plaintext
7 Security Against Chosen Plaintext Attacks Our previous security definitions for encryption capture the case where a key is used to encrypt only one plaintext. Clearly it would be more useful to have
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLecture 14 - CCA Security
Lecture 14 - CCA Security Boaz Barak November 7, 2007 Key exchange Suppose we have following situation: Alice wants to buy something from the well known website Bob.com Since they will exchange private
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationIntroduction to Cryptology. Lecture 3
Introduction to Cryptology Lecture 3 Announcements No Friday Office Hours. Instead will hold Office Hours on Monday, 2/6 from 3-4pm. HW1 due on Tuesday, 2/7 For problem 1, can assume key is of length at
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More information