A Fast and Key-Efficient Reduction from Chosen-Ciphertext to Known-Plaintext Security
|
|
- Bryan Patterson
- 6 years ago
- Views:
Transcription
1 Intrductin wprfs Encryptin frm wprfs Cnclusins A Fast and Key-Efficient Reductin frm Chsen-Ciphertext t Knwn-Plaintext Security Ueli Maurer Jhan Sjödin Department f Cmputer Science ETH Zurich, Switzerland May 24, 2007
2 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy
3 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient
4 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key
5 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key Cnditinal security (i.e., security is based n certain primitives)
6 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key Cnditinal security (i.e., security is based n certain primitives) Pseudrandm Functin (PRF) b =? Y,...,Y i X i Y i key F R b=0 b= Adaptive Chsen-Plaintext Attack Adv CPA t,q (F, R)
7 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key Cnditinal security (i.e., security is based n certain primitives) Pseudrandm Functin (PRF) b =? Y,...,Y i X i Y i key F R b=0 b= Adaptive Chsen-Plaintext Attack Adv CPA t,q (F, R)...but is AES really a pseudrandm permutatin (and thus als a PRF)?
8 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key Gal: weaken assumptins, imprve efficiency Cnditinal security (i.e., security is based n certain primitives) Pseudrandm Functin (PRF) b =? Y,...,Y i X i Y i key F R b=0 b= Adaptive Chsen-Plaintext Attack Adv CPA t,q (F, R)...but is AES really a pseudrandm permutatin (and thus als a PRF)?
9 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R)
10 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R) Hw weak are weak PRFs (under standard assumptins)? E.g., they can: have large fractin f fix-pints, i.e., F k (x) = x fr many x.
11 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R) Hw weak are weak PRFs (under standard assumptins)? E.g., they can: have large fractin f fix-pints, i.e., F k (x) = x fr many x. cmmute, i.e., F k (F k (x)) = F k (F k (x)).
12 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R) Hw weak are weak PRFs (under standard assumptins)? E.g., they can: have large fractin f fix-pints, i.e., F k (x) = x fr many x. cmmute, i.e., F k (F k (x)) = F k (F k (x)). exp : Z G G G (fr DDH-grupG) (k, x) x k
13 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R) Hw weak are weak PRFs (under standard assumptins)? E.g., they can: have large fractin f fix-pints, i.e., F k (x) = x fr many x. cmmute, i.e., F k (F k (x)) = F k (F k (x)). exp : Z G G G (fr DDH-grupG) (k, x) x k be self inverse, i.e., F k (F k (x)) = x.
14 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I R
15 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I R
16 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I R
17 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?
18 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?
19 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?
20 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?
21 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?
22 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA? I CPA R
23 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA? I CPA R I r R under a KPA?
24 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA? I CPA R I r R under a KPA?
25 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA? I CPA R I r R under a KPA? I KPA R
26 Intrductin wprfs Encryptin frm wprfs Cnclusins Efficient Symmetric Encryptin based n wprfs? wprf OWF [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] PRP CPA-sec. encryptin CBC [BKR00]
27 Intrductin wprfs Encryptin frm wprfs Cnclusins Efficient Symmetric Encryptin based n wprfs? wprf OWF [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-mac [BN00] exelna MAC CCA-sec. encryptin
28 Intrductin wprfs Encryptin frm wprfs Cnclusins Feistel-Netwrks? Feistel-Netwrks with PRFs d prduce a PRP. LX F k RX F k 2 F k 3 LY RY
29 Intrductin wprfs Encryptin frm wprfs Cnclusins Feistel-Netwrks? Feistel-Netwrks with wprfs d nt prduce a PRP....even fr infinitely many runds! LX F k RX F k 2 F k 3 LY RY
30 Intrductin wprfs Encryptin frm wprfs Cnclusins Feistel-Netwrks? Feistel-Netwrks with wprfs d nt prduce a PRP....even fr infinitely many runds! Reasn The wprf F can have 0 as fixpint, LX F k RX F k (0) = 0 (fr all keys k) F and hence ψ[ F k3 ](0) = 0. k 2 F k 3 LY RY
31 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m [NaRei98]
32 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ]
33 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := x [ x, (x) m (x) m 2 [NaRei98] ] y y 2
34 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := x [ x, (x) m (x) m 2 [NaRei98] ] y y 2 Hw t extend this further (using as few keys as pssible)?
35 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x y y 2 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?
36 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x y y 2 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?
37 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x x y y 2 y y 2 y 3 y 4 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?
38 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x x y y 2 y y 2 y 3 y 4 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?
39 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x x y y 2 y 3 y y 2 y 3 y 4 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?
40 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x x y y 2 y 3 y y 2 y 3 y 4 y y 2 y 3 y 4 GOOD BAD UGLY Hw t extend this further (using as few keys as pssible)?
41 Intrductin wprfs Encryptin frm wprfs Cnclusins Prf (f the Gd range extensin fr wprfs) R R R R R C H H 2 R Adv KPA t,q (C, R)?
42 Intrductin wprfs Encryptin frm wprfs Cnclusins Prf (f the Gd range extensin fr wprfs) R R R R R C H H 2 R α β γ Adv KPA t,q (C, R) α + β + γ
43 Intrductin wprfs Encryptin frm wprfs Cnclusins Prf (f the Gd range extensin fr wprfs) R R R R R C H H 2 R Adv KPA t,q (F,R ) Adv KPA t,2q (F,R )+q 2 /2 n+ q 2 /2 n+ Adv KPA t,q (C, R) α + β + γ
44 Intrductin wprfs Encryptin frm wprfs Cnclusins Prf (f the Gd range extensin fr wprfs) R R R R R C H H 2 R Adv KPA t,q (F,R ) Adv KPA t,2q (F,R )+q 2 /2 n+ q 2 /2 n+ Adv KPA t,q (C, R) α + β + γ Hw can the range f F be extended even mre?
45 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [DN02] x F k x Keying F k Range Extensin F k 2 F k 3 F k 3 F k 4 F k 4 k, k 2, k 3, k 4,... x k k 2 F k3 k 3 k 4
46 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [MT05] x F k x Keying F k Range Extensin F k 2 F k 3 F k 3 F k 4 F k 4 k, k 2, k 3, k 4,... x k k 2 F k3 k 3 F k 3 k 4 F k 4
47 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [this paper] x x Keying F k Range Extensin F k3 F k3 k, k 2, k 3, k 4,... F k3
48 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [this paper] x F k3 x Keying F k Range Extensin F k3 F k3 k, k 2, k 3, k 4,... F k3
49 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [this paper] x F k3 x Keying F k Range Extensin F k3 F k3 F k3 k, k 2, k 3, k 4,... }{{} s generated keys # keys utputs ver- head DN s 2s MT s 2s this 2 s s
50 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [this paper] x F k3 x Keying F k Range Extensin F k3 F k3 F k3 k, k 2, k 3, k 4,... }{{} s generated keys # keys utputs ver- head DN s 2s MT s 2s this 2 s s better n, this is ptimal
51 Intrductin wprfs Encryptin frm wprfs Cnclusins Overview ptimal k [this paper] [DN02,MT05] wprf OWF Range Extended wprf [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] amie[dn02] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-mac [BN00] exelna MAC CCA-sec. encryptin
52 Intrductin wprfs Encryptin frm wprfs Cnclusins wprf PRF [this paper] x F k3 F k4 k Keying 0 F k 0 F k3 0 k, k 2, k 3, k 4 All Outputs 0 0 F k Input: 4-bits b b 2 b 3 b 4 Output: blck b b 2 b 3 b 4 0 F k3 0 0
53 Intrductin wprfs Encryptin frm wprfs Cnclusins wprf PRF [this paper] x F k3 F k4 k Keying 0 F k 0 F k3 0 k, k 2, k 3, k 4 All Outputs F k3 F k Input: 4-bits b b 2 b 3 b 4 Output: blck b b 2 b 3 b 4 DDH-based wprf: x x k DDH-based PRF [NaRei97]: (b, b 2, b 3, b 4 ) x Π k i b i =
54 Intrductin wprfs Encryptin frm wprfs Cnclusins Cnclusins ptimal k [this paper] [DN02,MT05] wprf ptimal [this paper] OWF Range Extended wprf [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] amie[dn02] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-mac [BN00] exelna MAC CCA-sec. encryptin
55 Intrductin wprfs Encryptin frm wprfs Cnclusins Cnclusins ptimal k [this paper] [DN02,MT05] wprf ptimal [this paper] OWF Range Extended wprf [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] amie[dn02] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-wmac wmac CCA-sec. encryptin
56 Intrductin wprfs Encryptin frm wprfs Cnclusins Cnclusins ptimal k wprf ptimal [this paper] [DN02,MT05]? [this paper] OWF Range Extended wprf [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] amie[dn02] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-wmac wmac CCA-sec. encryptin
Lecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationChapter Summary. Mathematical Induction Strong Induction Recursive Definitions Structural Induction Recursive Algorithms
Chapter 5 1 Chapter Summary Mathematical Inductin Strng Inductin Recursive Definitins Structural Inductin Recursive Algrithms Sectin 5.1 3 Sectin Summary Mathematical Inductin Examples f Prf by Mathematical
More informationLast Updated: Oct 14, 2017
RSA Last Updated: Oct 14, 2017 Recap Number thery What is a prime number? What is prime factrizatin? What is a GCD? What des relatively prime mean? What des c-prime mean? What des cngruence mean? What
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationApplication Of Mealy Machine And Recurrence Relations In Cryptography
Applicatin Of Mealy Machine And Recurrence Relatins In Cryptgraphy P. A. Jytirmie 1, A. Chandra Sekhar 2, S. Uma Devi 3 1 Department f Engineering Mathematics, Andhra University, Visakhapatnam, IDIA 2
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationA note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT
A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More informationCMU Noncooperative games 3: Price of anarchy. Teacher: Ariel Procaccia
CMU 15-896 Nncperative games 3: Price f anarchy Teacher: Ariel Prcaccia Back t prisn The nly Nash equilibrium in Prisner s dilemma is bad; but hw bad is it? Objective functin: scial cst = sum f csts NE
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationModule 3: Gaussian Process Parameter Estimation, Prediction Uncertainty, and Diagnostics
Mdule 3: Gaussian Prcess Parameter Estimatin, Predictin Uncertainty, and Diagnstics Jerme Sacks and William J Welch Natinal Institute f Statistical Sciences and University f British Clumbia Adapted frm
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationAdmin. MDP Search Trees. Optimal Quantities. Reinforcement Learning
Admin Reinfrcement Learning Cntent adapted frm Berkeley CS188 MDP Search Trees Each MDP state prjects an expectimax-like search tree Optimal Quantities The value (utility) f a state s: V*(s) = expected
More informationWhat is Statistical Learning?
What is Statistical Learning? Sales 5 10 15 20 25 Sales 5 10 15 20 25 Sales 5 10 15 20 25 0 50 100 200 300 TV 0 10 20 30 40 50 Radi 0 20 40 60 80 100 Newspaper Shwn are Sales vs TV, Radi and Newspaper,
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationTightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS
Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationTrigonometric Functions. Concept Category 3
Trignmetric Functins Cncept Categry 3 Gals 6 basic trig functins (gemetry) Special triangles Inverse trig functins (t find the angles) Unit Circle: Trig identities a b c 2 2 2 The Six Basic Trig functins
More informationMedium Scale Integrated (MSI) devices [Sections 2.9 and 2.10]
EECS 270, Winter 2017, Lecture 3 Page 1 f 6 Medium Scale Integrated (MSI) devices [Sectins 2.9 and 2.10] As we ve seen, it s smetimes nt reasnable t d all the design wrk at the gate-level smetimes we just
More informationBiocomputers. [edit]scientific Background
Bicmputers Frm Wikipedia, the free encyclpedia Bicmputers use systems f bilgically derived mlecules, such as DNA and prteins, t perfrm cmputatinal calculatins invlving string, retrieving, and prcessing
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationk-nearest Neighbor How to choose k Average of k points more reliable when: Large k: noise in attributes +o o noise in class labels
Mtivating Example Memry-Based Learning Instance-Based Learning K-earest eighbr Inductive Assumptin Similar inputs map t similar utputs If nt true => learning is impssible If true => learning reduces t
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationImpact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs
Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationTrigonometric Ratios Unit 5 Tentative TEST date
1 U n i t 5 11U Date: Name: Trignmetric Ratis Unit 5 Tentative TEST date Big idea/learning Gals In this unit yu will extend yur knwledge f SOH CAH TOA t wrk with btuse and reflex angles. This extensin
More informationChapter 3: Cluster Analysis
Chapter 3: Cluster Analysis } 3.1 Basic Cncepts f Clustering 3.1.1 Cluster Analysis 3.1. Clustering Categries } 3. Partitining Methds 3..1 The principle 3.. K-Means Methd 3..3 K-Medids Methd 3..4 CLARA
More informationThe general linear model and Statistical Parametric Mapping I: Introduction to the GLM
The general linear mdel and Statistical Parametric Mapping I: Intrductin t the GLM Alexa Mrcm and Stefan Kiebel, Rik Hensn, Andrew Hlmes & J-B J Pline Overview Intrductin Essential cncepts Mdelling Design
More informationOnline Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh
Online Cryptography Course Using block ciphers Review: PRPs and PRFs Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits
More informationChapter 2 Balanced Feistel Ciphers, First Properties
Chapter 2 Balanced Feistel Ciphers, First Properties Abstract Feistel ciphers are named after Horst Feistel who studied these schemes in the 1960s. In this chapter, we will only present classical Feistel
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationLecture 2: Supervised vs. unsupervised learning, bias-variance tradeoff
Lecture 2: Supervised vs. unsupervised learning, bias-variance tradeff Reading: Chapter 2 STATS 202: Data mining and analysis September 27, 2017 1 / 20 Supervised vs. unsupervised learning In unsupervised
More informationLecture 2: Supervised vs. unsupervised learning, bias-variance tradeoff
Lecture 2: Supervised vs. unsupervised learning, bias-variance tradeff Reading: Chapter 2 STATS 202: Data mining and analysis September 27, 2017 1 / 20 Supervised vs. unsupervised learning In unsupervised
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationHiding in plain sight
Hiding in plain sight Principles f stegangraphy CS349 Cryptgraphy Department f Cmputer Science Wellesley Cllege The prisners prblem Stegangraphy 1-2 1 Secret writing Lemn juice is very nearly clear s it
More informationPattern Recognition 2014 Support Vector Machines
Pattern Recgnitin 2014 Supprt Vectr Machines Ad Feelders Universiteit Utrecht Ad Feelders ( Universiteit Utrecht ) Pattern Recgnitin 1 / 55 Overview 1 Separable Case 2 Kernel Functins 3 Allwing Errrs (Sft
More informationTuring Machines. Human-aware Robotics. 2017/10/17 & 19 Chapter 3.2 & 3.3 in Sipser Ø Announcement:
Turing Machines Human-aware Rbtics 2017/10/17 & 19 Chapter 3.2 & 3.3 in Sipser Ø Annuncement: q q q q Slides fr this lecture are here: http://www.public.asu.edu/~yzhan442/teaching/cse355/lectures/tm-ii.pdf
More informationChE 471: LECTURE 4 Fall 2003
ChE 47: LECTURE 4 Fall 003 IDEL RECTORS One f the key gals f chemical reactin engineering is t quantify the relatinship between prductin rate, reactr size, reactin kinetics and selected perating cnditins.
More informationPublic Key Cryptography. Tim van der Horst & Kent Seamons
Public Key Cryptgraphy Tim van der Hrst & Kent Seamns Last Updated: Oct 5, 2017 Asymmetric Encryptin Why Public Key Crypt is Cl Has a linear slutin t the key distributin prblem Symmetric crypt has an expnential
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationIAML: Support Vector Machines
1 / 22 IAML: Supprt Vectr Machines Charles Suttn and Victr Lavrenk Schl f Infrmatics Semester 1 2 / 22 Outline Separating hyperplane with maimum margin Nn-separable training data Epanding the input int
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationDetermining Optimum Path in Synthesis of Organic Compounds using Branch and Bound Algorithm
Determining Optimum Path in Synthesis f Organic Cmpunds using Branch and Bund Algrithm Diastuti Utami 13514071 Prgram Studi Teknik Infrmatika Seklah Teknik Elektr dan Infrmatika Institut Teknlgi Bandung,
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationLeast Squares Optimal Filtering with Multirate Observations
Prc. 36th Asilmar Cnf. n Signals, Systems, and Cmputers, Pacific Grve, CA, Nvember 2002 Least Squares Optimal Filtering with Multirate Observatins Charles W. herrien and Anthny H. Hawes Department f Electrical
More informationHigh penetration of renewable resources and the impact on power system stability. Dharshana Muthumuni
High penetratin f renewable resurces and the impact n pwer system stability Dharshana Muthumuni Outline Intrductin Discussin f case studies Suth Australia system event f September 2016 System Study integratin
More informationQuantum Chosen-Ciphertext Attacks against Feistel Ciphers
SESSION ID: CRYP-R09 Quantum Chosen-Ciphertext Attacks against Feistel Ciphers Gembu Ito Nagoya University Joint work with Akinori Hosoyamada, Ryutaroh Matsumoto, Yu Sasaki and Tetsu Iwata Overview 3-round
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationLECTURE NOTES. Chapter 3: Classical Macroeconomics: Output and Employment. 1. The starting point
LECTURE NOTES Chapter 3: Classical Macrecnmics: Output and Emplyment 1. The starting pint The Keynesian revlutin was against classical ecnmics (rthdx ecnmics) Keynes refer t all ecnmists befre 1936 as
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationBLAST / HIDDEN MARKOV MODELS
CS262 (Winter 2015) Lecture 5 (January 20) Scribe: Kat Gregry BLAST / HIDDEN MARKOV MODELS BLAST CONTINUED HEURISTIC LOCAL ALIGNMENT Use Cmmnly used t search vast bilgical databases (n the rder f terabases/tetrabases)
More informationENSC Discrete Time Systems. Project Outline. Semester
ENSC 49 - iscrete Time Systems Prject Outline Semester 006-1. Objectives The gal f the prject is t design a channel fading simulatr. Upn successful cmpletin f the prject, yu will reinfrce yur understanding
More informationUnforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationKinetic Model Completeness
5.68J/10.652J Spring 2003 Lecture Ntes Tuesday April 15, 2003 Kinetic Mdel Cmpleteness We say a chemical kinetic mdel is cmplete fr a particular reactin cnditin when it cntains all the species and reactins
More informationPhysics 2010 Motion with Constant Acceleration Experiment 1
. Physics 00 Mtin with Cnstant Acceleratin Experiment In this lab, we will study the mtin f a glider as it accelerates dwnhill n a tilted air track. The glider is supprted ver the air track by a cushin
More informationLecture 17: Free Energy of Multi-phase Solutions at Equilibrium
Lecture 17: 11.07.05 Free Energy f Multi-phase Slutins at Equilibrium Tday: LAST TIME...2 FREE ENERGY DIAGRAMS OF MULTI-PHASE SOLUTIONS 1...3 The cmmn tangent cnstructin and the lever rule...3 Practical
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationPhysical Layer: Outline
18-: Intrductin t Telecmmunicatin Netwrks Lectures : Physical Layer Peter Steenkiste Spring 01 www.cs.cmu.edu/~prs/nets-ece Physical Layer: Outline Digital Representatin f Infrmatin Characterizatin f Cmmunicatin
More informationSecurity and Cryptography 1
Security and Cryptography 1 Module 5: Pseudo Random Permutations and Block Ciphers Disclaimer: large parts from Mark Manulis and Dan Boneh Dresden, WS 18 Reprise from the last modules You know CIA, perfect
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationNUROP CONGRESS PAPER CHINESE PINYIN TO CHINESE CHARACTER CONVERSION
NUROP Chinese Pinyin T Chinese Character Cnversin NUROP CONGRESS PAPER CHINESE PINYIN TO CHINESE CHARACTER CONVERSION CHIA LI SHI 1 AND LUA KIM TENG 2 Schl f Cmputing, Natinal University f Singapre 3 Science
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationAerodynamic Separability in Tip Speed Ratio and Separability in Wind Speed- a Comparison
Jurnal f Physics: Cnference Series OPEN ACCESS Aerdynamic Separability in Tip Speed Rati and Separability in Wind Speed- a Cmparisn T cite this article: M L Gala Sants et al 14 J. Phys.: Cnf. Ser. 555
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationECE 2100 Circuit Analysis
ECE 00 Circuit Analysis Lessn 6 Chapter 4 Sec 4., 4.5, 4.7 Series LC Circuit C Lw Pass Filter Daniel M. Litynski, Ph.D. http://hmepages.wmich.edu/~dlitynsk/ ECE 00 Circuit Analysis Lessn 5 Chapter 9 &
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationPerfrmance f Sensitizing Rules n Shewhart Cntrl Charts with Autcrrelated Data Key Wrds: Autregressive, Mving Average, Runs Tests, Shewhart Cntrl Chart
Perfrmance f Sensitizing Rules n Shewhart Cntrl Charts with Autcrrelated Data Sandy D. Balkin Dennis K. J. Lin y Pennsylvania State University, University Park, PA 16802 Sandy Balkin is a graduate student
More information