Symmetric Encryption

Size: px
Start display at page:

Download "Symmetric Encryption"

Transcription

1 1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently computable algorithms K is a randomized key generation algorithm that outputs a key K K() We let Keys(SE) denote all keys that are output by K() with nonzero probability. E is a randomized or stateful encryption algorithm that takes a key K and plaintext M {0,1} * as input, and outputs or a ciphertext C E K (M) The plaintext space is {M : E K (M) }. D takes a ciphertext C and key K as input, and outputs or a plaintext M D K (C) If C E K (M) and C then M D K (C) 1

2 One-Time Pad Encryption 3 Algorithm K(): K R {0,1} k return K Algorithm E K (M): static ctr 0 m M if (ctr + m > k) return C M K[ctr ctr + m 1] ctr ctr + m return ctr m, C K M = C Algorithm D K ( ctr, C ): m M if (ctr + m > k) return M C K[ctr ctr + m 1] return M ECB Encryption 4 ECB = Electronic Code Book Let f: {0,1} k {0,1} n {0,1} n be a pseudorandom permutation Algorithm K(): K R {0,1} k return K M 1 f K C 1 M 2 f K C 2 M m f K C m Algorithm E K (M): if ( M mod n 0 or M = 0) return M 1 M m M : M i {0,1} n for i = 1 m do C i f K (M i ) return C 1 C m Algorithm D K (C): if ( C mod n 0 or C = 0) return C 1 C m C : C i {0,1} n for i = 1 m do M i f K 1 (C i ) return M 1 M m 2

3 Randomized CBC Encryption 5 CBC = Cipher Block Chaining Let f: {0,1} k {0,1} n {0,1} n be a pseudorandom permutation Algorithm E K (M): if ( M mod n 0 or M = 0) return M 1 M m M : M i {0,1} n C 0 R {0,1} n for i = 1 m do C i f K (C i 1 M i ) return C 0 C 1 C m Algorithm D K (C): if ( C mod n 0 or C = 0) return C 0 C 1 C m = C : C i {0,1} n for i = 1 m do M i f K 1 (C i ) C i 1 return M 1 M m C 0 C 0 M 1 f K C 1 M 2 C 2 f K M n f K C n Stateful CBC Encryption 6 Let f: {0,1} k {0,1} n {0,1} n be a pseudorandom permutation Algorithm E K (M): static ctr 0 if ( M mod n 0 or M = 0) return M 1 M m M : M i {0,1} n if (ctr + m 2 n ) return C 0 ctr for i = 1 m do C i f K (C i 1 M i ) ctr ctr + m return C 0 C 1 C m Algorithm D K (C): if ( C mod n 0 or C = 0) return C 0 C 1 C m = C : C i {0,1} n if (C 0 + m 2 n ) return for i = 1 m do M i f K 1 (C i ) C i 1 return M 1 M m 3

4 Randomized Counter Mode Encryption 7 Let f: {0,1} k {0,1} n {0,1} l be a pseudorandom function Algorithm E K (M): if ( M mod l 0 or M = 0 or M > l2 n ) return M 1 M m M : M i {0,1} l R R {0,1} n for i = 1 m do C i f K (R+i mod 2 n ) M i return R C 1 C m Algorithm D K (C): if ( C n mod l 0 or C < n or C > n + l2 n ) return R C 1 C m C : R {0,1} n and C i {0,1} l for i = 1 m do M i f K (R+i mod 2 l ) C i return M 1 M m R R M 1 C 1 R+1 M 2 R+2 R+m f K f K M m C m f K C 2 Stateful Counter Mode Encryption 8 Let f: {0,1} k {0,1} n {0,1} l be a pseudorandom function Algorithm E K (M): static ctr 0 if ( M mod l 0 or M = 0) return M 1 M m M : M i {0,1} l if (ctr + m 2 n ) return for i = 1 m do C i f K (ctr+i) M i ctr ctr + m return (ctr m) C 1 C m Algorithm D K (C): if ( C n mod l 0 or C < n or C n + l2 n ) return M m ctr C 1 C m C : ctr {0,1} n and C i {0,1} l for i = 1 m do M i f K (ctr+i mod 2 l ) C i ctr+m f K return M 1 M m C m ctr M 1 C 1 ctr+1 M 2 ctr+2 f K f K ctr C 2 4

5 IND-CPA 9 IND-CPA = Indistinguishability under Chosen Plaintext Attack Let SE = K, E, D be a symmetric encryption scheme Consider an adversary A that is given access to a left or right encryption oracle E K (LR(,, b)), b {0,1} defined as: Oracle E K (LR(M 0, M 1, b)) C E K (M b ) return C A can invoke this oracle repeatedly with arguments M 0, M 1 of its choosing Intuitively, A s job is to determine b IND-CPA 10 Unfortunately, A can easily determine b if it makes certain types of queries: M 0 M 1 E K (M 0 ) = but E K (M 1 ) So, in our definition we rule out illegitimate adversaries, defined as those that can ever call E K (LR(M 0, M 1, b)) where M 0 M 1 E K (M 0 ) = or E K (M 1 ) = Legitimate adversaries are those that are not illegitimate 5

6 IND-CPA 11 Definition: Let SE = K, E, D be a symmetric encryption scheme, and let A be an algorithm that has access to an oracle that takes as input a pair of strings and returns a string. Define Experiment K K() b A E K return b (LR(,, b)) The IND-CPA advantage of A is defined as if A is legitimate, and 0 otherwise. IND-CPA 12 For any t, q, and we define the IND-CPA advantage of SE as where the maximum is over all A having time complexity t and making at most q oracle queries, the sum of the lengths of these queries being at most bits. Time complexity is the worst-case time for the entire experiment Length of a query E K (LR(M 0, M 1, b)) is M 0 Informally, SE is IND-CPA secure if the IND-CPA advantage of SE is small 6

7 IND-CPA Advantage for ECB 13 Proposition: Let SE = K, E, D denote ECB encryption using pseudorandom permutation f: {0,1} k {0,1} n {0,1} n. Then, where t = O(n) plus the time for two applications of f. Proof: We describe an adversary A that makes 1 query to its oracle of length 2n, and having IND-CPA Advantage for ECB 14 Now it is easy to see that Adversary A E K (LR(,, b)) M 1 0 2n M 0 0 n 1 n C 0 C 1 E K (LR(M 0, M 1, b)) if (C 0 = C 1 ) return 1 else return 0 7

8 Deterministic and Stateless Encryption 15 Proposition: Let SE = K, E, D denote a deterministic, stateless symmetric encryption system. Assume there is an integer m such that the plaintext space of SE contains two elements of length m. Then where t = O(m) plus the time for two encryptions. Proof: Consider the following adversary: Adversary A E K (LR(,, b)) let X, Y be distinct m-bit plaintexts C 1 E K (LR(X, Y, b)) C 2 E K (LR(Y, Y, b)) if (C 1 = C 2 ) return 1 else return 0 IND-CPA Advantage for Stateful CBC 16 Proposition: Let SE = K, E, D denote stateful CBC encryption using pseudorandom permutation f: {0,1} k {0,1} n {0,1} n. Then, for t = O(n) plus time for two applications of the block cipher. 8

9 IND-CPA Advantage of Stateful CBC 17 Proof. Consider the following adversary A: IND-CPA Advantage of Stateful CBC 18 First note that and because in the stateful CBC, the initialization vector is determined by a counter. If b = 1, then If b = 0, then So, iff b = 1. 9

10 Plaintext Recovery 19 Definition: Let SE = K, E, D denote a stateless symmetric encryption scheme whose plaintext space includes {0,1} m, and let B be an algorithm that has access to an oracle. Consider the following experiment: Experiment K K() M R {0,1} m C E K (M ) M B E K ( ) (C) if (M = M ) return 1 else return 0 Plaintext Recovery 20 The pr-advantage of B is defined as For any t, q, and we define the pr-advantage of SE as where the maximum is over all B having time complexity t and making at most q oracle queries, the sum of the lengths of these queries being at most bits. 10

11 Indistinguishability and Plaintext Recovery 21 Proposition: Let SE = K, E, D denote a stateless symmetric encryption scheme whose plaintext space includes {0,1} m. Then, Proof: Given any adversary B with resources restricted to t, q,, we construct an adversary A B that uses resources t, q+1, +m, such that Indistinguishability and Plaintext Recovery 22 Given B, define A B as follows: Algorithm M 0 R {0,1} m M 1 R {0,1} m C E K (LR(M 0, M 1, b)) Execute B(C), replying to its oracle queries as follows: When B makes oracle query X, return Y E K (LR(X, X, b)) Until B stops and outputs a plaintext M if (M = M 1 ) return 1 else return 0 11

12 Indistinguishability and Plaintext Recovery 23 First note that since when B succeeds, so does A B if b = 1. If b = 0, then since B is given M 0 and has no other information about M 1, So, IND-CPA-CG 24 Definition: Let SE = K, E, D be a symmetric encryption scheme, and let A be an algorithm that has access to an oracle that takes as input a pair of strings and returns a string. Define Let Experiment b R {0,1} K K() b A E K (LR(,, b)) if (b = b ) return 1 else return 0 Proposition: Let SE = K, E, D be a symmetric encryption scheme, and let A be an adversary. Then 12

13 IND-CPA-CG 25 Proof: Security for Stateful Counter Mode 26 Proposition: Let F: {0,1} k {0,1} n {0,1} l be a family of functions and let SE = K, E, D denote stateful counter mode encryption. For any t, q, and with < l 2 n, where q = / l. Proof: Let A be any IND-CPA adversary attacking SE that uses resources bounded by t, q, and. 13

14 Security for Stateful Counter Mode 27 First define a generalized version of stateful counter mode encryption that uses a function g: {0,1} n {0,1} l as the key. Algorithm E g (M): static ctr 0 if ( M mod l 0 or M = 0) return M 1 M m M : M i {0,1} l if (ctr + m 2 n ) return for i = 1 m do C i g(ctr+i) M i ctr ctr + m return (ctr m) C 1 C m Let SE[G] denote this encryption scheme in which key generation selects a random element of the family G. Lemma: Security for Stateful Counter Mode 28 We construct a distinguisher D A for F that makes q queries to its oracle, as follows: Algorithm b R {0,1} Run A, replying to its oracle queries as follows: When A makes oracle query (M 0, M 1 ) return C E g (M b ) Until A stops and outputs a bit b if (b = b ) return 1 else return 0 That is, D A guesses that g is a random member of F if A guesses correctly, and that g is a random member of Func(n, l) otherwise. 14

15 Security for Stateful Counter Mode 29 Note So, And then Security for Randomized Counter Mode 30 Proposition: Let F: {0,1} k {0,1} n {0,1} l be a family of functions and let SE = K, E, D denote randomized counter mode encryption. For any t, q, and with < l 2 n, where q = / l. Proof: Very similar to previous, given the following lemma: Lemma: For any A, 15

16 Practical Implications 31 These theorems give us a basis for answering questions that you will probably have to tackle in the wild Ex: you wish to encrypt q = 2 40 plaintexts, each 2 10 bits long That is, a total of = 2 50 bits of data Suppose you estimate any reasonable adversary to invest at most t = 2 60 compute cycles Finally, suppose you encrypt using AES and assume that first term captures cost of key search c 1 is a small constant T AES is number of cycles required for one AES computation q = /128 = 2 43 Practical Implications 32 If you encrypt using stateful counter mode, then 16

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

Modern Cryptography Lecture 4

Modern Cryptography Lecture 4 Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html

More information

Block ciphers And modes of operation. Table of contents

Block ciphers And modes of operation. Table of contents Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation

More information

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography 1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6 U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom

More information

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

More information

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement

More information

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 235: Cryptography March 16, (Extra) Lecture 3 CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which

More information

Block Ciphers/Pseudorandom Permutations

Block Ciphers/Pseudorandom Permutations Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable

More information

Symmetric Encryption. Adam O Neill based on

Symmetric Encryption. Adam O Neill based on Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,

More information

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5 Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security

More information

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).

More information

Lecture 9 - Symmetric Encryption

Lecture 9 - Symmetric Encryption 0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,

More information

Notes on Property-Preserving Encryption

Notes on Property-Preserving Encryption Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption

More information

A block cipher enciphers each block with the same key.

A block cipher enciphers each block with the same key. Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block

More information

Lecture 7: CPA Security, MACs, OWFs

Lecture 7: CPA Security, MACs, OWFs CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

8 Security against Chosen Plaintext

8 Security against Chosen Plaintext 8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly

More information

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers 1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and

More information

III. Pseudorandom functions & encryption

III. Pseudorandom functions & encryption III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:

More information

A Pseudo-Random Encryption Mode

A Pseudo-Random Encryption Mode A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

Lecture 5: Pseudorandom functions from pseudorandom generators

Lecture 5: Pseudorandom functions from pseudorandom generators Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But

More information

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it

More information

Chapter 2 : Perfectly-Secret Encryption

Chapter 2 : Perfectly-Secret Encryption COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability

More information

Lectures 2+3: Provable Security

Lectures 2+3: Provable Security Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption

More information

Modern symmetric-key Encryption

Modern symmetric-key Encryption Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his

More information

RSA-OAEP and Cramer-Shoup

RSA-OAEP and Cramer-Shoup RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security

More information

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n + Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Debra L. Cook 1, Moti Yung 2, Angelos Keromytis 3 1 Columbia University, New York, NY USA dcook@cs.columbia.edu 2 Google, Inc. and Columbia

More information

Semantic Security of RSA. Semantic Security

Semantic Security of RSA. Semantic Security Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against

More information

Solution of Exercise Sheet 7

Solution of Exercise Sheet 7 saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,

More information

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m] Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )

More information

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Authenticated Encryption Mode for Beyond the Birthday Bound Security Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key

More information

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:

More information

Pseudorandom Generators

Pseudorandom Generators Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability

More information

1 Indistinguishability for multiple encryptions

1 Indistinguishability for multiple encryptions CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message

More information

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 04, Lecture Notes in Computer Science Vol., C. Cachin and J. Camenisch ed., Springer-Verlag, 2004. This is the full version.

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5 Models and analysis of security protocols 1st Semester 2010-2011 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 11th 2010 1 / 61 Last Time (I) Security

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

5.4 ElGamal - definition

5.4 ElGamal - definition 5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is

More information

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation. OFB, CTR, In CBC, Ehsan Ebrahimi Targhi, Gelo Noel Tabia, Dominique Unruh University of Tartu February 4, 2016 Table of contents In CBC 1 2 3 4 In CBC PRF under quantum 5 6 Being optimistic about the emergence

More information

Lecture 13: Private Key Encryption

Lecture 13: Private Key Encryption COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define

More information

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.

More information

2 Message authentication codes (MACs)

2 Message authentication codes (MACs) CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from

More information

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet

More information

Perfectly-Secret Encryption

Perfectly-Secret Encryption Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

Introduction to Cryptography Lecture 4

Introduction to Cryptography Lecture 4 Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M

More information

BLOCK CIPHERS KEY-RECOVERY SECURITY

BLOCK CIPHERS KEY-RECOVERY SECURITY BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote

More information

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions Relations Among Notions of Security for Public-Key Encryption Schemes Debdeep Muhopadhyay IIT Kharagpur Notions To organize the definitions of secure encryptions Classified depending on: security goals:

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know

More information

Advanced Cryptography 1st Semester Public Encryption

Advanced Cryptography 1st Semester Public Encryption Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability

More information

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2 0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod

More information

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection

More information

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization A preliminary version of this paper appears in Advances in Cryptology CRYPTO 99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999. This revised version corrects some mistakes

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes

More information

Lecture Note 3 Date:

Lecture Note 3 Date: P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................

More information

Public-Key Encryption

Public-Key Encryption Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to

More information

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1 MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified

More information

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017 Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total

More information

Modes of Operations for Wide-Block Encryption

Modes of Operations for Wide-Block Encryption Wide-Block Encryption p. 1/4 Modes of Operations for Wide-Block Encryption Palash Sarkar Indian Statistical Institute, Kolkata Wide-Block Encryption p. 2/4 Structure of Presentation From block cipher to

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

10 Concrete candidates for public key crypto

10 Concrete candidates for public key crypto 10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see

More information

DD2448 Foundations of Cryptography Lecture 3

DD2448 Foundations of Cryptography Lecture 3 DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the

More information

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh Online Cryptography Course Using block ciphers Review: PRPs and PRFs Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits

More information

New Proofs for NMAC and HMAC: Security without Collision-Resistance

New Proofs for NMAC and HMAC: Security without Collision-Resistance A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for

More information

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

Building Secure Cryptographic Transforms, or How to Encrypt and MAC

Building Secure Cryptographic Transforms, or How to Encrypt and MAC Building Secure Cryptographic Transforms, or How to Encrypt and MAC Tadayoshi Kohno Adriana Palacio John Black August 28, 2003 Abstract We describe several notions of cryptographic transforms, symmetric

More information

Characterization of EME with Linear Mixing

Characterization of EME with Linear Mixing Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi

More information

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to

More information

Lecture Notes. Advanced Discrete Structures COT S

Lecture Notes. Advanced Discrete Structures COT S Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-22 Recap Two methods for attacking the Vigenère cipher Frequency analysis Dot Product Playfair Cipher Classical Cryptosystems - Section

More information

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations

More information

Exercise Sheet Cryptography 1, 2011

Exercise Sheet Cryptography 1, 2011 Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information