SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
|
|
- Erika Newman
- 6 years ago
- Views:
Transcription
1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1
2 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
3 Correct decryption requirement Formally: For all K and M we have Pr[D K (E K (M)) = M] = 1, where the probability is over the coins of E Mihir Bellare UCSD 3
4 Modes of operation E : {0, 1} k {0, 1} n {0, 1} l a family of functions Usually a block cipher, in which case l = n. Notation: x[i] is the i-th block of a string x, so that x = x[1]... x[m]. Length of blocks varies. Always: Alg K K $ {0, 1} k return K Mihir Bellare UCSD 4
5 Modes of operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1-block message. How do we encrypt a long message using a primitive that only applies to n-bit blocks? Mihir Bellare UCSD 5
6 ECB: Electronic Codebook Mode SE = (K, E, D) where: Alg E K (M) for i = 1,..., m do C[i] E K (M[i]) return C Alg D K (C) for i = 1,..., m do M[i] E 1 K (C[i]) return M Correct decryption relies on E being a block cipher, so that E K is invertible Mihir Bellare UCSD 6
7 Security of ECB Weakness: M 1 = M 2 C 1 = C 2 Why is the above true? Because E K is deterministic: M 1 [1] M 1 [m] M 2 [1] M 2 [m] E K... E K E K... E K C 1 [1] C 1 [m] C 2 [1] C 2 [m] Why does this matter? Mihir Bellare UCSD 7
8 Security of ECB Suppose we know that there are only two possible messages, Y = 1 n and N = 0 n, for example representing FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) = E K (M). M E K C Mihir Bellare UCSD 8
9 Security of ECB Votes M 1, M 2 {Y, N} are ECB encrypted and adversary sees ciphertexts C 1 = E K (M 1 ) and C 2 = E K (M 2 ) M 1 M 2 E K E K C 1 C 2 Adversary may have cast the first vote and thus knows M 1 ; say M 1 = Y. Then adversary can figure out M 2 : If C 2 = C 1 then M 2 must be Y Else M 2 must be N Mihir Bellare UCSD 9
10 Is this avoidable? Let SE = (K, E, D) be ANY encryption scheme. Suppose M 1, M 2 {Y, N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Mihir Bellare UCSD 10
11 Is this avoidable? Let SE = (K, E, D) be ANY encryption scheme. Suppose M 1, M 2 {Y, N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Yes, if E is deterministic. Mihir Bellare UCSD 11
12 Randomized encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back different answers. That is, if M 1 = M 2 and we let then $ $ C 1 E K (M 1 ) and C 2 E K (M 2 ) Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E. Mihir Bellare UCSD 12
13 Randomized encryption There are many possible ciphertexts corresponding to each message. If so, how can we decrypt? We will see examples soon. C 1 C 2 M E K D K M C s Mihir Bellare UCSD 13
14 Randomized encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of different possible ciphertexts. Mihir Bellare UCSD 14
15 CBC$: Cipher Block Chaining with random IV mode SE = (K, E, D) where: Alg E K (M) $ C[0] {0, 1} n for i = 1,..., m do C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i = 1,..., m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher. Mihir Bellare UCSD 15
16 CTR$ mode Let E: {0, 1} k {0, 1} n {0, 1} l be a family of functions. If X {0, 1} n and i N then X + i denotes the n-bit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an n-bit string. Below the message is a sequence of l-bit blocks: Alg E K (M) $ C[0] {0, 1} n for i = 1,..., m do P[i] E K (C[0] + i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,..., m do P[i] E K (C[0] + i) M[i] P[i] C[i] return M Mihir Bellare UCSD 16
17 CTR$ mode Alg E K (M) $ C[0] {0, 1} n for i = 1,..., m do P[i] E K (C[0] + i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,..., m do P[i] E K (C[0] + i) M[i] P[i] C[i] return M D does not use E 1 K! This is why CTR$ can use a family of functions E that is not required to be a blockcipher. Encryption and Decryption are parallelizable. Mihir Bellare UCSD 17
18 Voting with CBC$ Suppose we encrypt M 1, M 2 {Y, N} with CBC$. M 1 M 2 E K E K {0, 1} n $ C 1 [0] C 1 [1] {0, 1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? Mihir Bellare UCSD 18
19 Voting with CBC$ Suppose we encrypt M 1, M 2 {Y, N} with CBC$. M 1 M 2 E K E K {0, 1} n $ C 1 [0] C 1 [1] {0, 1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? NO! Mihir Bellare UCSD 19
20 Assessing security So CBC$ is better than ECB. But is it secure? CBC$ is widely used so knowing whether it is secure is important To answer this we first need to decide and formalize what we mean by secure. Mihir Bellare UCSD 20
21 Security requirements Suppose sender computes Adversary A has C 1,..., C q $ $ C 1 E K (M 1 ) ; ; C q E K (M q ) What if A Retrieves K Retrieves M 1 Bad! Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1, M 2? Something we won t hide: the length of the message Mihir Bellare UCSD 21
22 What we seek We want a single master property MP of an encryption scheme such that MP can be easily specified We can evaluate whether a scheme meets it MP implies ALL the security conditions we want: it guarantees that a ciphertext reveals NO partial information about the plaintext. Mihir Bellare UCSD 22
23 Intuition for definition of IND-CPA The master property MP is called IND-CPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either or M 1 0,..., M q 0 M 1 1,..., M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted. Mihir Bellare UCSD 23
24 Games for ind-cpa-advantage of an adversary A Let SE = (K, E, D) be an encryption scheme Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 0 ) Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 1 ) Associated to SE, A are the probabilities [ ] Pr Left A SE 1 [ ] Pr Right A SE 1 that A outputs 1 in each world. The (ind-cpa) advantage of A is [ ] [ ] Adv ind-cpa SE (A) = Pr Right A SE 1 Pr Left A SE 1 Mihir Bellare UCSD 24
25 The measure of success Adv ind-cpa SE (A) 1 means A is doing well and SE is not ind-cpa-secure. Adv ind-cpa SE (A) 0 (or 0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is IND-CPA-secure if Adv ind-cpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not IND-CPA-secure if we can specify an explicit A that uses few resources yet achieves high ind-cpa-advantage. Mihir Bellare UCSD 25
26 ECB is not IND-CPA-secure Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K, E, D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) [ ] [ ] Adv ind-cpa SE (A) = Pr Right A SE 1 Pr Left A SE 1 Mihir Bellare UCSD 26
27 ECB is not IND-CPA-secure Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K, E, D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) [ ] [ ] Adv ind-cpa SE (A) = Pr Right A SE 1 Pr Left A SE 1 Exploitable weakness of SE: M 1 = M 2 implies E K (M 1 ) = E K (M 2 ). Mihir Bellare UCSD 27
28 ECB is not IND-CPA-secure Let E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Mihir Bellare UCSD 28
29 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = Mihir Bellare UCSD 29
30 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = 1 because C 1 = E K (0 n ) and C 2 = E K (0 n ). Mihir Bellare UCSD 30
31 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = Mihir Bellare UCSD 31
32 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = 0 because C 1 = E K (0 n ) E K (1 n ) = C 2. Mihir Bellare UCSD 32
33 ECB is not IND-CPA secure adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Adv ind-cpa SE (A) = = 1 1 { [ }} ]{{ [ }} ]{ Pr Right A SE = 1 Pr Right A SE = 1 And A is very efficient, making only two queries. Thus ECB is not IND-CPA secure. 0 Mihir Bellare UCSD 33
34 Exercise Let SE = (K, E, D) be any symmetric encryption scheme for which E is deterministic. Show that SE is not IND-CPA secure by giving pseudo-code for an efficient adversary A that achieves Adv ind-cpa SE (A) = 1. Assume the message space is {0, 1}, meaning any string is a legitimate message. Mihir Bellare UCSD 34
35 Exercise Let K be the key-generation algorithm that returns a random 128-bit string as the key K. Define Alg E K (M) R $ {0, 1} 128 ; M[1]... M[m] M; C[0] R for i = 1,..., m do W [i] (R + i) mod ; C[i] AES K (M[i] W [i]) C C[0]C[1]... C[n]; Return C Above W [i] (R + i) mod means we regard R as an interger, add i to it, take the result modulo 2 128, view this as a 128-bit string, and assign it to W [i]. A message must be a string whose length is a positive multiple of 128. Mihir Bellare UCSD 35
36 Exercise 1. Specify a decryption algorithm D such that SE = (K, E, D) is a symmetric encryption scheme satisfying the correct decryption condition. 2. Present in pseudocode a practical adversary A making one LR query and achieving Adv ind-cpa SE (A) = 1. There should be a succinct analysis justifying the claimed advantage. Mihir Bellare UCSD 36
37 Why is IND-CPA the master property? We claim that if encryption scheme SE = (K, E, D) is IND-CPA secure then the ciphertext hides ALL partial information about the plaintext. $ $ For example, from C 1 E K (M 1 ) and C 2 E K (M 2 ) the adversary cannot get M 1 get 1st bit of M 1 get XOR of the 1st bits of M 1, M 2 etc. Exercise: State and prove such claims formally. This could be a quiz question! Mihir Bellare UCSD 37
38 Birthday attack on CTR$ Let E : {0, 1} k {0, 1} n {0, 1} l be a family of functions and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Suppose 1-block messages M 0, M 1 are encrypted: $ $ C 0 [0]C 0 [1] E(K, M 0 ) C 1 [0]C 1 [1] E(K, M 1 ) Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate IND-CPA. Mihir Bellare UCSD 38
39 Birthday attack on CTR$ Let 1 q < 2 n be a parameter and let i be integer i encoded as an l-bit string. adversary A for i = 1,..., q do C i [0]C i $ [1] LR( i, 0 ) S {(j, t): C j [0] = C t [0] and j < t} If S, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 Mihir Bellare UCSD 39
40 Birthday attack on CTR$: Right game analysis adversary A for i = 1,..., q do C i [0]C i $ [1] LR( i, 0 ) S {(j, t): C j [0] = C t [0] and j < t} If S, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) $ C[0] {0, 1} n P E(K, C[0] + 1) C[1] P M 1 Return C[0]C[1] If C j [0] = C t [0] (lucky) then C j [1] = 0 E K (C j [0] + 1) = 0 E K (C t [0] + 1) = C t [1] so [ ] Pr Right A SE 1 = Pr [S ] = C(2 n, q) Mihir Bellare UCSD 40
41 Birthday attack on CTR$: Left game analysis adversary A for i = 1,..., q do C i [0]C i $ [1] LR( i, 0 ) S {(j, t): C j [0] = C t [0] and j < t} If S, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) $ C[0] {0, 1} n P E(K, C[0] + 1) C[1] P M 0 Return C[0]C[1] If C j [0] = C t [0] (lucky) then C j [1] = j E K (C j [0] + 1) t E K (C t [0] + 1) = C t [1] so [ ] Pr Left A SE 1 = 0. Mihir Bellare UCSD 41
42 Birthday attack on CTR$ [ ] [ ] Adv ind-cpa SE (A) = Pr Right A SE 1 Pr Left A SE 1 = C(2 n, q) q(q 1) 2 n Conclusion: CTR$ can be broken (in the IND-CPA sense) in about 2 n/2 queries, where n is the block length of the underlying block cipher, regardless of the cryptanalytic strength of the block cipher. Mihir Bellare UCSD 42
43 Exercise The above attack on CTR$ uses 1-block messages. Letting SE be the same scheme, give an adversary A that makes q LR-queries, each consisting of two m-block messages, and achieves ( ) Adv ind-cpa mq 2 SE (A) = Ω The running time of A should be about O(mq(n + l) log(mq(n + l))). 2 n Mihir Bellare UCSD 43
44 Security of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Mihir Bellare UCSD 44
45 Security of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most 2(q 1)σ 2 n where σ is the total number of blocks across all messages encrypted. Example: If q 1-block messages are encrypted then σ = q so the adversary advantage is not more than 2q 2 /2 n. For E = AES this means up to about 2 64 blocks may be securely encrypted, which is good. Mihir Bellare UCSD 45
46 Security of CTR$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n {0, 1} l be a family of functions and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf 2(q 1)σ E (B) + 2 n Furthermore, B makes at most σ oracle queries and has running time t + Θ(σ (n + l)). Mihir Bellare UCSD 46
47 Intuition and proof We first give some intuition for the proof and then the proof itself. We assume for simplicity that both messages in each LR query of A are m blocks long. Thus σ = mq. Note a block is l bits, so each message in a query is ml bits. Extending the proof to the general case is an exercise. We let C i = C i [0]C i [1]... C i [m] denote the response of the LR oracle to A s i-th query. Mihir Bellare UCSD 47
48 Intuition for IND-CPA security of CTR$ Consider the CTR$ scheme with E K replaced by a random function Fn with range {0, 1} l. Alg E Fn (M) $ C[0] {0, 1} n for i = 1,..., m do P[i] Fn(C[0] + i) C[i] P[i] M[i] return C Analyzing this is a thought experiment, but we can ask whether it is IND-CPA secure. If so, the assumption that E is a PRF says CTR$ with E is IND-CPA secure. Mihir Bellare UCSD 48
49 CTR$ with a random function Let E be the event that the points C 1 [0] + 1,..., C 1 [0] + m,..., C q [0] + 1,..., C q [0] + m, on which Fn is evaluated across the q encryptions, are all distinct. Case 1: E happens. Then the encryption is a one-time-pad: ciphertexts are random, independent strings, regardless of which message is encrypted. So A has zero advantage. Case 2: E doesn t happen. Then A may have high advantage but it does not matter because Pr[E] doesn t happen is small. (It is the small additive term in the theorem.) Mihir Bellare UCSD 49
50 The Union bound Let E 1,..., E n be events in a probability space. Then Pr[ n 1 i n E i] Pr[E i ]. Example: In the case n = 2 we have Pr[E 1 E 2 ] = Pr[E 1 ] + Pr[E 2 ] Pr[E 1 E 2 ] Pr[E 1 ] + Pr[E 2 ]. i=1 Mihir Bellare UCSD 50
51 Interval intersection probability Let N, q, m 1 be integers and let Z N = {0, 1,..., N 1}. Let + be addition modulo N. Consider the game For i = 1,..., q do c i $ Z N ; I i {c i + 1,..., c i + m} For 1 i < j q define the events Then let B i,j : S i S j and B : 1 i<j q B i,j. IIP(N, q, m) = Pr[B]. Problem: Upper bound IIP(N, q, m) as a function of N, q, m. Mihir Bellare UCSD 51
52 Interval intersection probability Claim: IIP(N, q, m) q(q 1) (2m 1) 2 N Why? For any 1 i < j q we have Pr[B i,j ] = Pr[S i S j ] Then by the Union bound = Pr[c j {c i m + 1,..., c i + m 1}] = 2m 1 N IIP(N, q, m) = Pr[ 1 i<j q ] = ( ) q 2m 1. 2 N 1 i<j q Pr[B i,j ]. Mihir Bellare UCSD 52
53 Alternative formulation of advantage Let SE = (K, E, D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K $ K ; b $ {0, 1} procedure LR(M 0, M 1 ) return C $ E K (M b ) procedure Finalize(b ) return (b = b ) [ ] Proposition: Adv ind-cpa SE (A) = 2 Pr Guess A SE true 1. Proof: Observe Pr [ b = 1 b = 1 ] = [ ] Pr Right A SE 1 Pr [ b = 1 b = 0 ] = [ ] Pr Left A SE 1 Mihir Bellare UCSD 53
54 Proof of Proposition, continued [ ] Pr Guess A SE true = Pr [ b = b ] = Pr [ b = b b = 1 ] Pr [b = 1] + Pr [ b = b b = 0 ] Pr [b = 0] = Pr [ b = b b = 1 ] Pr [ b = b b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] Pr [ b = 0 b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] ( 1 Pr [ b = 1 b = 0 ]) 1 2 = (Pr [ b = 1 b = 1 ] Pr [ b = 1 b = 0 ]) = ( ] [ ]) 2 Pr [Right ASE 1 Pr Left A SE 1 = Advind-cpa SE (A). Mihir Bellare UCSD 54
55 A game-playing proof The proof uses a sequence of games and invokes the fundamental lemma of game playing [BR96]. The games have the following Initialize and Finalize procedures: Initialize // G 0 b $ {0, 1} ; S K $ {0, 1} k Initialize // G 1, G 2, G 3 b $ {0, 1} ; S Finalize // All games Return (b = b ) For brevity we omit writing these procedures explicitly in the games, but you should remember they are there. Also for brevity if G is a game and A is an adversary then we let Pr[G A ] = Pr[G A true] Mihir Bellare UCSD 55
56 Games G 0, G 1 for the proof Game G 0 procedure LR(M 0, M 1 ) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i if P S then T[P] E K (P) C[i] T [P] M b [i] S S {P} return C Then [ ] Adv ind-cpa SE (A) = 2 Pr G0 A 1 Game G 1 procedure LR(M 0, M 1 ) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i $ if P / S then T[P] {0, 1} l C[i] T[P] M b [i] S S {P} return C Mihir Bellare UCSD 56
57 Analysis Clearly Pr[G A 0 ] = Pr[G A 1 ] + ( Pr[G A 0 ] Pr[G A 1 ]). Claim 1: We can design prf-adversary B so that Claim 2: Pr[G A 1 ] 1 2 Given these, we have Adv ind-cpa SE (A) 2 Pr[G0 A ] Pr[G1 A ] Adv prf E (B) (q 1)σ + 2 n = ( ) 1 (q 1)σ n 2(q 1)σ 2 n + 2 Adv prf E (B) which proves the theorem. It remains to prove the claims Adv prf E (B) Mihir Bellare UCSD 57
58 Proof of Claim 1 adversary B b $ {0, 1} ; S b $ A LRSim if (b = b ) then return 1 else return 0 subroutine LRSim(M 0, M 1 ) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i if P / S then T [P] Fn(P) C[i] T [P] M b [i] S S {P} return C Pr ] Pr [Real B E 1 ] [Rand B {0,1} n 1 [ ] = Pr G0 A [ ] = Pr G1 A Subtracting, we get Claim 1. Mihir Bellare UCSD 58
59 Where we are It remains to prove: Claim 2: Pr[G A 1 ] (q 1)σ 2 n Mihir Bellare UCSD 59
60 Introducing the bad flag Game G 1 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i If P / S then $ T[P] {0, 1} l C[i] T[P] M b [i] S S {P} return C Game G 2, G 3 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i $ C[i] {0, 1} l If P S then bad true ; T[P] C[i] M b [i] S S {P} return C Pr[G A 1 ] = Pr[G A 2 ] = Pr[G A 3 ] + C[i] T[P] M b [i] ( ) Pr[G2 A ] Pr[G3 A ] Mihir Bellare UCSD 60
61 Analysis of G 3 Game G 3 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do $ P C[0] + i; C[i] {0, 1} l If P S then bad true T[P] C[i] M b [i]; S S {P} return C Ciphertext C in G 3 is always random, independently of b, so [ ] Pr G3 A = 1 2. Mihir Bellare UCSD 61
62 Fundamental Lemma of game playing Games G, H are identical-until-bad if their code differs only in statements following the setting of bad to true. Lemma: [BR96] If G, H are identical-until-bad, then for any adversary A and any y [ ] [ ] [ ] Pr G A y Pr H A y Pr H A sets bad Mihir Bellare UCSD 62
63 Using the fundamental lemma Game G 2, G 3 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do $ P C[0] + i; C[i] {0, 1} l If P S then bad true ; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S {P} return C G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies [ ] [ ] [ ] Pr G2 A Pr G3 A Pr G3 A sets bad. Mihir Bellare UCSD 63
64 Bounding the probability that G 3 sets bad Game G 3 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do $ P C[0] + i; C[i] {0, 1} l If P S then bad true T[P] C[i] M b [i]; S S {P} return C [ ] Pr G3 A sets bad IIP(2 n, q, m) mq(q 1) 2 n (q 1)σ 2 n. q(q 1) 2m n Mihir Bellare UCSD 64
65 Security of CTR$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n {0, 1} l be a family of functions and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf 2(q 1)σ E (B) + 2 n Furthermore, B makes at most σ oracle queries and has running time t + Θ(σ (n + l)). Mihir Bellare UCSD 65
66 Security of CBC$ Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher and SE = (K, E, D) the corresponding CBC$ symmetric encryption scheme. Exercise: Give an adversary A that makes q LR-queries, each consisting of two 1-block messages, and achieves ( ) Adv ind-cpa q 2 SE (A) = Ω The running time of A should be about O(qn log(qn)). Can you generalize this to m-block messages? What is the best advantage you can get? 2 n Mihir Bellare UCSD 66
67 Security of CBC$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher and SE = (K, E, D) the corresponding CBC$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf E (B) + σ2 Furthermore, B makes at most σ oracle queries and has running time t + Θ(σ n). Exercise: Prove the above theorem. 2 n Mihir Bellare UCSD 67
68 Exercise You are hired at a top company with an extravagant salary. Your boss asks you how secure is CBC$ based on AES. Give a clear and full answer which includes an explanation of security metrics, their relative merits, attacks and proofs. This should include an interpretation of the theorem we just saw. Your description should cover both the value and the limitations of this theorem and give a realistic picture of security aimed at someone with little understanding of cryptography. Have a friend play the role of boss and make this a conversation. Your friend should be critical and curious about what you say. Mihir Bellare UCSD 68
69 Exercise In CTR$ and CBC$ based on a family of functions E: {0, 1} k {0, 1} n {0, 1} l, the message must have length a positive multiple of l. Specify by giving clear pseudocode for all three algorithms a symmetric encryption scheme SE = (K, E, D) based on E in which the message M can be a string of arbitrary length. Encryption and decryption should use at most M /l applications of E or E 1 and the length of the ciphertext should be M + n. The scheme should achieve IND-CPA with the same kinds of bounds as in the theorems about CTR$ and CBC$. You may assume E is a block cipher if needed. Mihir Bellare UCSD 69
SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationCLASSICAL ENCRYPTION. Mihir Bellare UCSD 1
CLASSICAL ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: (Adversary) Mihir Bellare UCSD 2 Correct decryption requirement For all K, M
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationChapter 2. A Look Back. 2.1 Substitution ciphers
Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More information7 Security Against Chosen Plaintext
7 Security Against Chosen Plaintext Attacks Our previous security definitions for encryption capture the case where a key is used to encrypt only one plaintext. Clearly it would be more useful to have
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationHASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More informationSolution of Exercise Sheet 6
Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationA note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT
A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More information5 Pseudorandom Generators
5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationOnline Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh
Online Cryptography Course Using block ciphers Review: PRPs and PRFs Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #2
CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationOn Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT
On Perfect and Adaptive Security in Exposure-Resilient Cryptography Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT 1 Problem: Partial Key Exposure Alice needs to store a cryptographic
More informationPost-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.
OFB, CTR, In CBC, Ehsan Ebrahimi Targhi, Gelo Noel Tabia, Dominique Unruh University of Tartu February 4, 2016 Table of contents In CBC 1 2 3 4 In CBC PRF under quantum 5 6 Being optimistic about the emergence
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationContents 1 Introduction 1 2 Re-keying processes as pseudorandom generators 3 3 Generalization: Tree-based re-keying Construction
Extended abstract appears in Advances in Cryptology ASIACRYPT 2000, Tatsuaki Okamoto, editor, volume 1976 of Lecture Notes in Computer Science, Springer-Verlag, 2000. cfl IACR Increasing the Lifetime of
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 13, 2011 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Anand Desai,Manav Singh Dahiya,Amol Bhavekar 1 Recap 1.1 MACs A Message Authentication
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More information