Practical Cryptography: Provable Security as a Tool for Protocol Design (slide transcription)
Phillip Rogaway, UC Davis & Chiang Mai Univ., rogaway@cs.ucdavis.edu
Summer School on Foundations of Internet Security, June 2002, Duszniki Zdroj, Poland (three two-hour lectures)
Slides modified and tweaked by Dan Wallach, with permission

Outline (from the paper board)
0 Opening comments
1 What is "provable security"?
2 Block ciphers
  2.1 Syntax
  2.2 Notions of security (prp, prf, kr)
3 Symmetric encryption
  3.1 Syntax
  3.2 Notions of security (sem, ind, ind$, all under CPA)
4 Relating the notions (ind, ind$, 01)
5 Sample block-cipher-using encryption schemes
6 Security of modes
  6.1 CTR-rand
  6.2 CBC-rand
7 MACs and authenticated encryption
  7.1 Notion of authenticated encryption
  7.2 Notion of MACs
  7.3 Ways to MAC (CBC, XCBC, CW with a polynomial-based universal hash, UMAC)
  7.4 Ways to achieve authenticated encryption (generic composition, IAPM/OCB)
Concluding comments

Classical approach: recognize problem; design protocol; find bug; new protocol; implement; ship; find bug; new protocol; ... The loop never reaches "done".

Provable-security approach (begins with [GM82]): recognize problem; write a definition; design protocol $\Pi$; prove security by a reduction; publish; instantiate; implement; ship; done.
Primitives $\pi$ and protocols $\Pi$. The pairs the lectures consider include: a block cipher used to build a symmetric encryption scheme; a block cipher used to build a MAC; a OWF or the RSA primitive used to build higher-level protocols; and a symmetric encryption scheme together with a MAC used to build authenticated encryption.

Block-cipher syntax: $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, where each $E_K(\cdot) = E(K, \cdot)$ is a permutation.

The shape of a reduction: if primitive $\pi$ is secure then protocol $\Pi$ is secure. Equivalently, if there is no good adversary for attacking $\pi$ then there is no good adversary for attacking $\Pi$; in contrapositive form, if there is a good adversary for attacking $\Pi$ then there is a good adversary for attacking $\pi$.

Notions of block-cipher security. What does it mean for a block cipher to be good? Compare $E_K(X) = X$ (obviously bad) with $E_K(X) = \mathrm{AES128}_K(X)$.

Key recovery (kr) under chosen-plaintext attack (CPA): the adversary $A$ asks $X_1, X_2, \ldots, X_q$ and receives $E_K(X_1), E_K(X_2), \ldots, E_K(X_q)$.
$\mathrm{Adv}^{\mathrm{kr}}_E(A) = \Pr[K \leftarrow \mathcal{K} : A^{E_K(\cdot)} = K]$
$\mathrm{Adv}^{\mathrm{kr}}_E(t, q) = \max_A \{\mathrm{Adv}^{\mathrm{kr}}_E(A)\}$, the maximum over adversaries that run in time $t$ and ask $q$ queries.

The PRP sense of a block cipher being good: $A$ is given an oracle that is either $E_K(\cdot)$ or $\pi(\cdot)$ for $\pi \leftarrow \mathrm{Perm}(n)$, a random one of the $2^n!$ permutations on $n$-bit strings; it asks $X_1, \ldots, X_q$, sees $\pi(X_1), \ldots, \pi(X_q)$ (or $E_K(X_1), \ldots, E_K(X_q)$), and must say which oracle it has.
$\mathrm{Adv}^{\mathrm{prp}}_E(A) = \Pr[K \leftarrow \mathcal{K} : A^{E_K(\cdot)} = 1] - \Pr[\pi \leftarrow \mathrm{Perm}(n) : A^{\pi(\cdot)} = 1]$
$\mathrm{Adv}^{\mathrm{prp}}_E(t, q) = \max_A \{\mathrm{Adv}^{\mathrm{prp}}_E(A)\}$ over adversaries that run in time $t$ and ask $q$ queries.
The attacker responds 0 for "it's a permutation" and 1 for "it's the cipher".

Breaking $E_K(X) = X$: ask $0^n$, receiving $Y$; if $Y = 0^n$ return 1 (the cipher returns the identity), else return 0. Then $\mathrm{Adv}^{\mathrm{prp}}_E(A) = 1 - 2^{-n}$, because a random permutation might also map $0^n$ to itself.

Assumptions one might make about AES. Strong assumption: $\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{AES}}(t, q)$ is at most $t$ divided by a constant (the constant did not survive transcription). Weaker assumption: $\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{AES}}(t, q) \le 2^{-40}$ if $t < 2^{80}$ and $q < 2^{40}$.

The PRF sense: the oracle is either $E_K(\cdot)$ or $\rho(\cdot)$ for $\rho \leftarrow \mathrm{Rand}(n)$, a random function from $n$-bit strings to $n$-bit strings.
$\mathrm{Adv}^{\mathrm{prf}}_E(A) = \Pr[K \leftarrow \mathcal{K} : A^{E_K(\cdot)} = 1] - \Pr[\rho \leftarrow \mathrm{Rand}(n) : A^{\rho(\cdot)} = 1]$
Equivalent formulation as a guessing game:
$\mathrm{Adv}^{\mathrm{prf}}_E(A) = 2 \Pr[b \leftarrow \{0,1\};\ \text{if } b = 1 \text{ then } K \leftarrow \mathcal{K},\ f = E_K \text{ else } f \leftarrow \mathrm{Rand}(n) : A^{f(\cdot)} = b] - 1$

Switching lemma. If $A$ asks $q$ queries then
$|\mathrm{Adv}^{\mathrm{prp}}_E(A) - \mathrm{Adv}^{\mathrm{prf}}_E(A)| = |\Pr[A^{\pi(\cdot)} = 1] - \Pr[A^{\rho(\cdot)} = 1]| \le q^2 / 2^{n+1}$.
So the two notions coincide as long as $q$ is well below the birthday bound $2^{n/2}$.
Definition. A (symmetric, probabilistic) encryption scheme is a 3-tuple $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ where $\mathcal{K}$ is a finite set of keys; the message space $\mathcal{M} \subseteq \{0,1\}^*$ is closed under length (if $M \in \mathcal{M}$ and $|M'| = |M|$ then $M' \in \mathcal{M}$); $\mathcal{E}: \mathcal{K} \times \mathcal{M} \to \{0,1\}^*$ is a probabilistic function; $\mathcal{D}: \mathcal{K} \times \{0,1\}^* \to \mathcal{M} \cup \{*\}$ is deterministic; for all $M \in \mathcal{M}$, $K \in \mathcal{K}$ and $C \leftarrow \mathcal{E}_K(M)$ we have $\mathcal{D}_K(C) = M$; and $|C| = \mathrm{clen}(|M|)$, i.e. $\mathrm{support}(\mathcal{E}_K(M))$ only has strings of one length.

CPA: the adversary asks $M_1, \ldots, M_q$ and receives $\mathcal{E}_K(M_1), \ldots, \mathcal{E}_K(M_q)$, each freshly sampled.

Semantic security (sem). $A$ first outputs a function $f$ and a message distribution $\mathcal{M}'$; it is then given a ciphertext and must compute $f$ of the underlying message, and its success is compared with the case in which the ciphertext encrypts an independent message:
$\mathrm{Adv}^{\mathrm{sem}}_\Pi(A) = \Pr[K \leftarrow \mathcal{K};\ (f, \mathcal{M}') \leftarrow A^{\mathcal{E}_K(\cdot)};\ M \leftarrow \mathcal{M}';\ C \leftarrow \mathcal{E}_K(M) : A^{\mathcal{E}_K(\cdot)}(C, f) = f(M)]$
$\qquad - \Pr[K \leftarrow \mathcal{K};\ (f, \mathcal{M}') \leftarrow A^{\mathcal{E}_K(\cdot)};\ M, M' \leftarrow \mathcal{M}';\ C \leftarrow \mathcal{E}_K(M') : A^{\mathcal{E}_K(\cdot)}(C, f) = f(M)]$

Indistinguishability (ind): distinguish encryptions of chosen messages from encryptions of equal-length zero strings.
$\mathrm{Adv}^{\mathrm{ind}}_\Pi(A) = \Pr[K \leftarrow \mathcal{K} : A^{\mathcal{E}_K(\cdot)} = 1] - \Pr[K \leftarrow \mathcal{K} : A^{\mathcal{E}_K(0^{|\cdot|})} = 1]$

Indistinguishability from random bits (ind$): distinguish encryptions from random strings of the right length.
$\mathrm{Adv}^{\mathrm{ind\$}}_\Pi(A) = \Pr[K \leftarrow \mathcal{K} : A^{\mathcal{E}_K(\cdot)} = 1] - \Pr[A^{\$^{\mathrm{clen}(|\cdot|)}} = 1]$
Lecture 2

Consider a weak form of semantic security, the 01 notion: a random bit $b$ is encrypted and the adversary must recover it.
$\mathrm{Adv}^{01}_\Pi(A) = 2 \Pr[b \leftarrow \{0,1\};\ K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(b) : A(C) = b] - 1$

Assume $A$ does well at breaking $\Pi$ in the 01-sense. Construct $B$ that does well at breaking $\Pi$ in the ind-sense.
Definition of $B^f$: compute $C \leftarrow f(1)$; run $A(C)$; when $A$ halts, outputting $b$, return $b$.
$\mathrm{Adv}^{\mathrm{ind}}_\Pi(B) = \Pr[B^{\mathcal{E}_K(\cdot)} = 1] - \Pr[B^{\mathcal{E}_K(0^{|\cdot|})} = 1]$
$= \Pr[K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(1) : A(C) = 1] - \Pr[K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(0) : A(C) = 1]$
$= \Pr[K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(1) : A(C) = 1] - (1 - \Pr[K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(0) : A(C) = 0])$
$= \Pr[K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(1) : A(C) = 1] + \Pr[K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(0) : A(C) = 0] - 1$
$= 2 \left(\Pr[K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(1) : A(C) = 1] \cdot 0.5 + \Pr[K \leftarrow \mathcal{K};\ C \leftarrow \mathcal{E}_K(0) : A(C) = 0] \cdot 0.5\right) - 1$
$= 2 \left(\Pr[A \text{ returns } b \mid b = 1] \Pr[b = 1] + \Pr[A \text{ returns } b \mid b = 0] \Pr[b = 0]\right) - 1$
$= 2 \Pr[A \text{ returns } b] - 1$
$= \mathrm{Adv}^{01}_\Pi(A)$

ind$ implies ind. Let $A$ be an ind-adversary; think of $\delta = \mathrm{Adv}^{\mathrm{ind}}_\Pi(A)$ as large. Construct $B$ that breaks $\Pi$ in the ind$-sense. The result is
$\mathrm{Adv}^{\mathrm{ind}}_\Pi(t, \mu) \le 2\, \mathrm{Adv}^{\mathrm{ind\$}}_\Pi(t + \text{tiny}, \mu)$, with $\text{tiny} = O(\mu)$.
Hybrid argument: place the oracle $\$^{\mathrm{clen}(|\cdot|)}$ between $\mathcal{E}_K(\cdot)$ and $\mathcal{E}_K(0^{|\cdot|})$. The gap $\delta$ between the outer two splits into two gaps, and at least one of them is $\ge \delta/2$.
Case 1 (the gap between $\mathcal{E}_K(\cdot)$ and $\$$ is $\ge \delta/2$): set $B = A$; then $\mathrm{Adv}^{\mathrm{ind\$}}_\Pi(B) \ge \delta/2$.
Case 2 (the gap between $\$$ and $\mathcal{E}_K(0^{|\cdot|})$ is $\ge \delta/2$): $B^f$ behaves as follows. Run $A$. When $A$ asks its oracle $x$, ask $f(0^{|x|})$ and return the answer to $A$. When $A$ outputs a bit $b$, return $1 - b$.
Theorem. Suppose an adversary $A$ runs in time $t$, asks queries totaling $\mu$ bits, and breaks $\Pi$ in the ind-sense with advantage $\delta$. Then there is an adversary $B$ that runs in time $t + O(\mu)$, asks queries totaling $\mu$ bits, and breaks $\Pi$ in the ind$-sense with advantage at least $\delta/2$.
Sample block-cipher-using encryption schemes. CBC variants compute $C_i = E_K(C_{i-1} \oplus M_i)$ with $C_0 = IV$ and differ only in how the IV is chosen: CBC-zero ($IV = 0^n$), CBC-ctr (IV is a counter), CBC-chain (IV is the last ciphertext block of the previous message), CBC-encctr (IV is the encryption of a counter), CBC-rand (IV random). Counter-mode variants: CTR-ctr (stateful counter) and CTR-rand (random starting counter), with $C_i = E_K(\mathrm{ctr} + i - 1) \oplus M_i$.

Attacks violating ind:
CBC-zero: ask $0^n$, receiving $C_1$; ask $1^n$, receiving $C_2$; if $C_1 = C_2$ return 0 else return 1.
CBC-ctr: ask $0^n$, receiving $C_1$; ask $0^{n-1}1$, receiving $C_2$; if $C_1 = C_2$ return 1 else return 0. (With IVs 0 and 1 the two block-cipher inputs coincide in the real world.)
CBC-chain: ask $0^n$, receiving $(IV_1, C_1)$; ask $C_1$, receiving $(IV_2, C_2)$; ask $C_2$, receiving $(IV_3, C_3)$; if $C_2 = C_3$ return 1 else return 0. (Since $IV_2 = C_1$ and $IV_3 = C_2$, both later queries produce $E_K(0^n)$ in the real world.)

Claim: CTR-rand is secure if its block cipher is a good PRP. Let $A$ be an adversary attacking $\mathrm{CTR}[E]$. Construct $B$ that attacks $E$. Adversary $B^f$ behaves as follows: run $A$; when $A$ asks its oracle to encrypt $M = M_1 \cdots M_m$, choose $\mathrm{ctr} \leftarrow \{0,1\}^n$, compute $\mathrm{pad} = f(\mathrm{ctr})\, f(\mathrm{ctr}+1) \cdots f(\mathrm{ctr}+m-1)$ and return $(\mathrm{ctr}, \mathrm{pad} \oplus M)$ to $A$; when $A$ halts, outputting a bit $b$, return $b$.
Let $\sigma = \sum m_i$ be the total number of blocks $A$ asks. Then
$\mathrm{Adv}^{\mathrm{prp}}_E(B) = \Pr[B^{E_K} = 1] - \Pr[B^{\pi} = 1]$
$\ge \Pr[B^{E_K} = 1] - \Pr[B^{\rho} = 1] - \sigma^2/2^{n+1}$ (switching lemma)
$= \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\mathrm{CTR}[\rho]} = 1] - \sigma^2/2^{n+1}$
Let $C$ be the event of a collision in the inputs to the block cipher: $\sigma$ balls thrown into $N = 2^n$ bins.
$= \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\mathrm{CTR}[\rho]} = 1 \mid \overline{C}] \Pr[\overline{C}] - \Pr[A^{\mathrm{CTR}[\rho]} = 1 \mid C] \Pr[C] - \sigma^2/2^{n+1}$
$= \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\$} = 1] (1 - \Pr[C]) - \Pr[A^{\mathrm{CTR}[\rho]} = 1 \mid C] \Pr[C] - \sigma^2/2^{n+1}$ (with no collision, $\mathrm{CTR}[\rho]$ returns uniformly random strings)
$= \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\$} = 1] + \Pr[C] \Pr[A^{\$} = 1] - \Pr[A^{\mathrm{CTR}[\rho]} = 1 \mid C] \Pr[C] - \sigma^2/2^{n+1}$
$\ge \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\$} = 1] - \Pr[C] - \sigma^2/2^{n+1}$
$= \mathrm{Adv}^{\mathrm{ind\$}}_{\mathrm{CTR}[E]}(A) - \Pr[C] - \sigma^2/2^{n+1}$
The problem is now an information-theoretic one. Claim: $\Pr[C] \le \sigma^2/2^{n+1}$. The adversary wants to create a collision among the $\sigma$ balls in $N = 2^n$ bins, and the best it can do is no better than tossing one ball at a time, so $\Pr[C] \le 1/N + 2/N + \cdots + (\sigma - 1)/N \le \sigma^2/2N$. We then have
$\mathrm{Adv}^{\mathrm{ind\$}}_{\mathrm{CTR}[E]}(A) \le \mathrm{Adv}^{\mathrm{prp}}_E(B) + \sigma^2/2^n$.

Lecture 3

Theorem. Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and let $A$ attack $\mathrm{CBC}[E]$ (CBC-rand). Assume $A$ runs in time $t$, asks $\sigma$ total blocks and achieves advantage $\delta_A = \mathrm{Adv}^{\mathrm{ind\$}}_{\mathrm{CBC}[E]}(A)$. Then there is an adversary $B$ that attacks $E$, runs in time at most $t_B$, asks at most $q_B$ queries and achieves advantage at least $\delta_B = \mathrm{Adv}^{\mathrm{prp}}_E(B)$, where $t_B = t + O(\sigma)$, $q_B = \sigma$ and $\delta_B = \delta_A - \sigma^2/2^n$.
Definition of $B^f$: run $A$. When $A$ asks its oracle $M = M_1 \cdots M_m$: choose $IV = C_0 \leftarrow \{0,1\}^n$; for $i \leftarrow 1$ to $m$ do $C_i \leftarrow f(C_{i-1} \oplus M_i)$; return $(IV, C_1 \cdots C_m)$ to $A$. When $A$ outputs a bit $b$, return $b$.
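The three ind attacks on CBC-zero, CBC-ctr and CBC-chain, and the collision event $C$ from the CTR-rand proof, as an added worked example that is not part of the original lectures. The block cipher is a toy 16-bit Feistel permutation built from SHA-256 (an assumption standing in for AES; $n = 16$ keeps the birthday term $\sigma^2/2^{n+1}$ large enough to observe), and the oracle implements the slides' ind game, encrypting either the chosen message or $0^{|M|}$.

```python
import hashlib
import random

N_BITS = 16                 # toy block size n; real ciphers use n = 128
NUM = 1 << N_BITS           # 2^n


def toy_prp(key: bytes):
    """Toy block cipher E_K on 16-bit blocks: a 4-round Feistel network whose 8-bit round
    function is a keyed hash.  A Feistel network is always a permutation, so this has the
    block-cipher syntax of the slides; it is a stand-in for AES, not a real cipher."""
    def f(i: int, r: int) -> int:
        return hashlib.sha256(key + bytes([i, r])).digest()[0]

    def e(x: int) -> int:
        l, r = x >> 8, x & 0xFF
        for i in range(4):
            l, r = r, l ^ f(i, r)
        return (l << 8) | r
    return e


def cbc(e, iv: int, msg: list[int]) -> list[int]:
    """CBC: C_i = E(C_{i-1} xor M_i) with C_0 = IV."""
    out, prev = [], iv
    for m in msg:
        prev = e(prev ^ m)
        out.append(prev)
    return out


class CbcOracle:
    """The ind oracle: the real world encrypts M, the other world encrypts 0^{|M|}.
    ivmode selects CBC-zero / CBC-ctr / CBC-chain / CBC-rand."""

    def __init__(self, e, ivmode: str, real: bool, rng: random.Random):
        self.e, self.ivmode, self.real, self.rng = e, ivmode, real, rng
        self.ctr = 0        # CBC-ctr state
        self.last = None    # CBC-chain state: last ciphertext block returned

    def encrypt(self, msg: list[int]):
        if not self.real:
            msg = [0] * len(msg)
        if self.ivmode == "zero":
            iv = 0
        elif self.ivmode == "ctr":
            iv, self.ctr = self.ctr, (self.ctr + 1) % NUM
        elif self.ivmode == "chain":
            iv = self.rng.randrange(NUM) if self.last is None else self.last
        elif self.ivmode == "rand":
            iv = self.rng.randrange(NUM)
        else:
            raise ValueError(self.ivmode)
        c = cbc(self.e, iv, msg)
        self.last = c[-1]
        return iv, c


# The slides' adversaries; each returns its guess bit.
def adv_cbc_zero(o) -> int:
    _, c1 = o.encrypt([0])              # 0^n
    _, c2 = o.encrypt([NUM - 1])        # 1^n
    return 0 if c1 == c2 else 1

def adv_cbc_ctr(o) -> int:
    _, c1 = o.encrypt([0])              # IV = 0, block 0^n
    _, c2 = o.encrypt([1])              # IV = 1, block 0^{n-1}1: same cipher input
    return 1 if c1 == c2 else 0

def adv_cbc_chain(o) -> int:
    _, c1 = o.encrypt([0])              # (IV1, C1)
    _, c2 = o.encrypt(c1)               # IV2 = C1, so the cipher input is C1 xor C1 = 0
    _, c3 = o.encrypt(c2)               # IV3 = C2, again input 0
    return 1 if c2 == c3 else 0


def ind_advantage(adv, ivmode: str, trials: int = 25) -> float:
    """Estimate Adv^ind(A) = Pr[A^{E_K(.)} = 1] - Pr[A^{E_K(0^{|.|})} = 1] over fresh keys."""
    rng = random.Random(2002)
    real = fake = 0
    for _ in range(trials):
        e = toy_prp(rng.getrandbits(64).to_bytes(8, "big"))
        real += adv(CbcOracle(e, ivmode, True, random.Random(rng.getrandbits(64))))
        fake += adv(CbcOracle(e, ivmode, False, random.Random(rng.getrandbits(64))))
    return (real - fake) / trials


def ctr_rand(e, msg: list[int], rng: random.Random):
    """CTR-rand: ctr <- {0,1}^n; pad = E(ctr) E(ctr+1) ... E(ctr+m-1); C = pad xor M."""
    ctr = rng.randrange(NUM)
    return ctr, [e((ctr + i) % NUM) ^ m for i, m in enumerate(msg)]


def ctr_collision_bound(n: int, sigma: int) -> float:
    """The slides' bound on Pr[C]: sigma inputs into 2^n bins collide w.p. <= sigma^2 / 2^(n+1)."""
    return sigma * sigma / 2 ** (n + 1)


def ctr_rand_collision_rate(queries: int = 8, blocks_per_query: int = 8, trials: int = 500) -> float:
    """Empirical Pr[C] for CTR-rand: fraction of runs in which some block-cipher input ctr+i
    is used twice across the queries (sigma = queries * blocks_per_query)."""
    rng = random.Random(7)
    e = toy_prp(b"ctr-demo-key")       # constructed demo key
    hits = 0
    for _ in range(trials):
        used, collided = set(), False
        for _ in range(queries):
            ctr, _ = ctr_rand(e, [0] * blocks_per_query, rng)
            for i in range(blocks_per_query):
                x = (ctr + i) % NUM
                collided |= x in used
                used.add(x)
        hits += collided
    return hits / trials
```

`ind_advantage` runs each slide adversary against both worlds of the ind game and reports the gap: it is 1 for the broken IV choices and essentially 0 once the IV is random. `ctr_rand_collision_rate` counts the event $C$ of the CTR-rand proof for $\sigma = 64$ blocks and stays below `ctr_collision_bound(16, 64)`; the same bound at $n = 128$ is what makes the $\sigma^2/2^n$ term negligible for real message volumes.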
$\mathrm{Adv}^{\mathrm{prp}}_E(B) = \Pr[B^{E_K} = 1] - \Pr[B^{\pi} = 1]$ and $\mathrm{Adv}^{\mathrm{ind\$}}_{\mathrm{CBC}[E]}(A) = \Pr[A^{\mathrm{CBC}[E_K]} = 1] - \Pr[A^{\$} = 1]$, where by construction $\Pr[B^{E_K} = 1] = \Pr[A^{\mathrm{CBC}[E_K]} = 1]$ and $\Pr[B^{\pi} = 1] = \Pr[A^{\mathrm{CBC}[\pi]} = 1]$. Hence
$\mathrm{Adv}^{\mathrm{ind\$}}_{\mathrm{CBC}[E]}(A) - \mathrm{Adv}^{\mathrm{prp}}_E(B) = \Pr[B^{\pi} = 1] - \Pr[A^{\$} = 1] = \Pr[A^{\mathrm{CBC}[\pi]} = 1] - \Pr[A^{\$} = 1] \le \Pr[A^{\mathrm{CBC}[\rho]} = 1] - \Pr[A^{\$} = 1] + \sigma^2/2^{n+1}$.
Now a purely information-theoretic question remains: game-playing shows that the first difference is at most $\sigma^2/2^{n+1}$.

Authenticity of an encryption scheme. $A$ asks $M_1, \ldots, M_q$ of $\mathcal{E}_K(\cdot)$, receives $C_1, \ldots, C_q$, and outputs a ciphertext $C$. $A$ wins if $C \notin \{C_1, \ldots, C_q\}$ and $\mathcal{D}_K(C) \ne *$.
Encrypt-with-redundancy (CBC encryption of the message followed by a redundancy block) does not achieve this. Attack: ask $0^n 0^n$, receiving $IV\, C_1 C_2 C_3$; forge $IV\, C_1 C_2$.

Message authentication codes. The sender computes $T = \mathrm{MAC}_K(M)$ and sends $(M, T)$; the receiver computes $T' = \mathrm{MAC}_K(M)$ and checks whether $T' = T$. In the forgery game $A$ asks $M_1, \ldots, M_q$, receives their tags, and outputs $(M, T)$; it forges if $T = \mathrm{MAC}_K(M)$ and $M \notin \{M_1, \ldots, M_q\}$.
$\mathrm{Adv}^{\mathrm{mac}}(A) = \Pr[K \leftarrow \mathcal{K} : A^{\mathrm{MAC}_K(\cdot)} \text{ forges}]$
The CBC MAC: $T = E_K(\cdots E_K(E_K(M_1) \oplus M_2) \cdots \oplus M_m)$. To forge: ask $0^n$, receiving $T$; output $(0^n\, T,\ T)$, which is valid because $E_K(E_K(0^n) \oplus T) = E_K(T \oplus T) = E_K(0^n) = T$. The CBC MAC is incorrect across messages of varying lengths; it is correct, with bound $3\sigma^2/2^n$, for messages of some one fixed length [BKR].

Fixing the CBC MAC: encrypted CBC (EMAC, from the RACE project), shown provably secure (when $E$ is a PRP) by [Petrank, Rackoff]; and XCBC, a different fix, with provable security shown in [Black, Rogaway].

Carter-Wegman paradigm. The key for the MAC is $(h, K)$, where $h$ is a random element of a family $H = \{h: \mathcal{M} \to \{0,1\}^n\}$; the message is first hashed to $h(M)$ and the result is then processed under $K$. Definition: a family of hash functions $H = \{h: \mathcal{M} \to \{0,1\}^n\}$ is $\varepsilon$-AU (almost universal) if for all $M, M' \in \mathcal{M}$ with $M \ne M'$, $\Pr_h[h(M) = h(M')] \le \varepsilon$.
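The varying-length forgery against the raw CBC MAC, and the EMAC fix that stops it, as an added example that is not part of the original lectures. The block cipher is replaced by a 128-bit PRF built from HMAC-SHA256 (an assumption; neither the attack nor EMAC ever inverts $E$, so a PRF suffices here), and the keys are generated on the spot.

```python
import hashlib
import hmac
import os

N = 16  # block length in bytes (n = 128 bits)


def E(key: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher E_K: a 128-bit PRF built from HMAC-SHA256 (assumed)."""
    assert len(x) == N
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC MAC: T = E(... E(E(M_1) xor M_2) ... xor M_m); |msg| must be a positive multiple of N."""
    assert msg and len(msg) % N == 0
    t = bytes(N)
    for i in range(0, len(msg), N):
        t = E(key, xor(t, msg[i:i + N]))
    return t


def emac(key1: bytes, key2: bytes, msg: bytes) -> bytes:
    """Encrypted CBC MAC (EMAC): encrypt the raw CBC-MAC output under a second key."""
    return E(key2, cbc_mac(key1, msg))


def length_extension_forgery(tag_oracle):
    """The slides' forgery across varying lengths: with T = MAC(0^n), the two-block message
    0^n || T has raw-CBC-MAC tag E(E(0^n) xor T) = E(T xor T) = E(0^n) = T."""
    zero = bytes(N)
    t = tag_oracle(zero)
    return zero + t, t


def forgery_succeeds(scheme: str) -> bool:
    """Play the forgery game against a freshly keyed 'cbc' or 'emac' MAC.  Returns True if the
    forged pair verifies and the forged message was never queried."""
    k1, k2 = os.urandom(N), os.urandom(N)
    mac = (lambda m: cbc_mac(k1, m)) if scheme == "cbc" else (lambda m: emac(k1, k2, m))
    queried = []

    def oracle(m: bytes) -> bytes:
        queried.append(m)
        return mac(m)

    forged_msg, forged_tag = length_extension_forgery(oracle)
    return forged_msg not in queried and hmac.compare_digest(mac(forged_msg), forged_tag)
```

The forgery succeeds against `cbc_mac` every time and fails against `emac`, because the attacker never sees the raw chaining value it would need to extend; for messages of one fixed length the raw CBC MAC is fine, and the single-block case reduces to $T = E_K(M_1)$.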
Example construction (a polynomial-based universal hash). Write $M = M_{m-1} \cdots M_0$ with $|M_i| = 128$ and regard it as the polynomial $M(X) = X^m + M_{m-1} X^{m-1} + \cdots + M_1 X + M_0$, all operations in $\mathrm{GF}(2^{128})$. There are $2^{128}$ elements of $H$, each described by a 128-bit $R$: $h_R(M) = M(R)$, which can be efficiently evaluated. A collision for a random $h$ is unlikely.
Claim: $H$ is $m/2^{128}$-AU, where $m$ upper bounds the number of blocks of any message in $\mathcal{M}$.
Proof: $\Pr_R[M(R) = M'(R)] = \Pr_R[\mathrm{poly}(R) = 0] \le m/2^{128}$, because $\mathrm{poly} = M - M'$ is a nonzero polynomial of degree at most $m$ and therefore has at most $m$ zeros, so the chance that a random point in the field is one of these zeros is at most $m$ divided by the size of the field.

The function NH used in UMAC [BHKKR]: the message words $m_1, \ldots, m_8$ and key words $k_1, \ldots, k_8$ are 16 bits each; adjacent pairs $(m_{2i-1} + k_{2i-1})$ and $(m_{2i} + k_{2i})$ are multiplied and the 32-bit products are summed. This function is almost universal, and the above can be computed in just four instructions on a Pentium processor, allowing one to MAC at about 1 cpb.

Authenticated encryption via generic composition (see [Bellare, Namprempre]):
Encrypt-and-MAC: $C \leftarrow \mathcal{E}_{K_1}(M)$, $T \leftarrow \mathrm{MAC}_{K_2}(M)$; send $C\, T$.
MAC-then-encrypt: $T \leftarrow \mathrm{MAC}_{K_2}(M)$, $C \leftarrow \mathcal{E}_{K_1}(M\, T)$; send $C$.
Encrypt-then-MAC: $C \leftarrow \mathcal{E}_{K_1}(M)$, $T \leftarrow \mathrm{MAC}_{K_2}(C)$; send $C\, T$. OK!
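The polynomial-evaluation hash $h_R(M) = M(R)$ above, as an added example that is not part of the original lectures. It runs over a generic $\mathrm{GF}(2^w)$ so that the $m/2^w$ AU bound can be checked exhaustively in the toy field $\mathrm{GF}(2^8)$, where every key $R$ can be enumerated; the $\mathrm{GF}(2^{128})$ reduction polynomial is an assumption, since the slides only say "all operations in GF(2^128)".

```python
POLY8 = 0x11B                   # x^8 + x^4 + x^3 + x + 1: toy field GF(2^8) for exhaustive checks
POLY128 = (1 << 128) | 0x87     # x^128 + x^7 + x^2 + x + 1 (assumed; not named on the slides)


def gf_mul(a: int, b: int, w: int, poly: int) -> int:
    """Multiply in GF(2^w); `poly` is the degree-w reduction polynomial including its x^w term."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> w:
            a ^= poly
    return r


def poly_hash(R: int, blocks: list[int], w: int, poly: int) -> int:
    """h_R(M) = M(R) for M(X) = X^m + M_{m-1} X^{m-1} + ... + M_0, evaluated by Horner's rule.
    blocks = [M_{m-1}, ..., M_0]; the monic leading term X^m encodes the block count."""
    acc = 1
    for b in blocks:
        acc = gf_mul(acc, R, w, poly) ^ b
    return acc


def colliding_keys(m1: list[int], m2: list[int], w: int, poly: int) -> list[int]:
    """All R in GF(2^w) with h_R(M1) = h_R(M2), by exhaustive search (small w only).  The AU
    claim says there are at most max(len(m1), len(m2)) of them, because M1 - M2 is a nonzero
    polynomial of that degree at most, and so Pr_R[collision] <= m / 2^w."""
    assert m1 != m2
    return [R for R in range(1 << w)
            if poly_hash(R, m1, w, poly) == poly_hash(R, m2, w, poly)]
```

For two four-block messages that differ only in $M_0$ the difference polynomial is a nonzero constant and no key collides; if they differ only in $M_3$ the difference is $c X^3$, whose only root is $R = 0$. Messages of different lengths are separated by the monic $X^m$ term, and the collision count still respects the bound $m$.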
Authenticated encryption via fancy modes (see IAPM [J] and OCB [RBBK]). (Figure: OCB encryption of $M_1 M_2 M_3$ under nonce $N$, with offsets $R, 2R, 3R, 3R^*$ derived from $N$, producing $C_1 C_2 C_3$ and the tag; only the labels survive the transcription.)
Integrity Analysis of Authenticated Encryption Based on Stream Ciphers Kazuya Imamura 1, Kazuhiko Minematsu 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k_imamur@echo.nuee.nagoya-u.ac.jp 2 NEC Corporation,
More informationMessage Authentication Codes from Unpredictable Block Ciphers
Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis 1 and John Steinberger 2 1 Department of Computer Science, New York University. dodis@cs.nyu.edu 2 Department of Mathematics,
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationMessage Authentication Codes (MACs) and Hashes
Message Authentication Codes (MACs) and Hashes David Brumley dbrumley@cmu.edu Carnegie Mellon University Credits: Many slides from Dan Boneh s June 2012 Coursera crypto class, which is awesome! Recap so
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC)
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More information