Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh
|
|
- Cory Mosley
- 6 years ago
- Views:
Transcription
1 Online Cryptography Course Using block ciphers Review: PRPs and PRFs
2 Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2. AES: n=128 bits, k = 128, 192, 256 bits
3 Abstractly: PRPs and PRFs Pseudo Random FuncAon (PRF) defined over (K,X,Y): F: K X Y such that exists efficient algorithm to evaluate F(k,x) Pseudo Random PermutaAon (PRP) defined over (K,X): E: K X X such that: 1. Exists efficient determinisac algorithm to evaluate E(k,x) 2. The funcaon E( k, ) is one- to- one 3. Exists efficient inversion algorithm D(k,x)
4 Let F: K X Y be a PRF Funs[X,Y]: Secure PRFs the set of all funcaons from X to Y S F = { F(k, ) s.t. k K } Funs[X,Y] IntuiAon: a PRF is secure if a random funcaon in Funs[X,Y] is indisanguishable from a random funcaon in S F S F Size K Funs[X,Y] Size Y X
5 Secure PRF: definiaon For b=0,1 define experiment EXP(b) as: b Chal. f b=0: k K, f F(k, ) b=1: f Funs[X,Y] x 1 X f(x 1 ), x 2,, x q, f(x 2 ),, f(x q ) Adv. A Def: F is a secure PRF if for all efficient A: Adv PRF [A,F] := Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible. EXP(b) b {0,1}
6 Secure PRP (secure block cipher) For b=0,1 define experiment EXP(b) as: b Chal. f b=0: k K, f E(k, ) b=1: f Perms[X] x 1 X, x 2,, x q f(x 1 ), f(x 2 ),, f(x q ) Adv. A Def: E is a secure PRP if for all efficient A: Adv PRP [A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible. b {0,1}
7 Let X = {0,1}. Perms[X] contains two funcaons Consider the following PRP: key space K={0,1}, input space X = {0,1}, PRP defined as: E(k,x) = x k Is this a secure PRP? Yes No It depends
8 Example secure PRPs PRPs believed to be secure: 3DES, AES, AES- 128: K X X where K = X = {0,1} 128 An example concrete assumpaon about AES: All 2 80 Ame algs. A have Adv PRP [A, AES] < 2-40
9 Consider the 1- bit PRP from the previous quesaon: E(k,x) = x k Is it a secure PRF? Note that Funs[X,X] contains four funcaons Yes No It depends Akacker A: (1) query f( ) at x=0 and x=1 (2) if f(0) = f(1) output 1, else 0 Adv PRF [A,E] = 0- ½ = ½
10 PRF Switching Lemma Any secure PRP is also a secure PRF, if X is sufficiently large. Lemma: Let E be a PRP over (K,X) Then for any q- query adversary A: Adv PRF [A,E] - Adv PRP [A,E] < q 2 / 2 X Suppose X is large so that q 2 / 2 X is negligible Then Adv PRP [A,E] negligible Adv PRF [A,E] negligible
11 Final note SuggesAon: don t think about the inner- workings of AES and 3DES. We assume both are secure PRPs and will see how to use them
12 End of Segment
13 Online Cryptography Course Using block ciphers Modes of operaaon: one Ame key example: encrypted , new key for every message.
14 Using PRPs and PRFs Goal: build secure encrypaon from a secure PRP (e.g. AES). This segment: one- 8me keys 1. Adversary s power: Adv sees only one ciphertext (one- Ame key) 2. Adversary s goal: Learn info about PT from CT (semanac security) Next segment: many- Ame keys (a.k.a chosen- plaintext security)
15 Incorrect use of a PRP Electronic Code Book (ECB): PT: m 1 m 2 CT: c 1 c 2 Problem: if m 1 =m 2 then c 1 =c 2
16 In pictures (courtesy B. Preneel)
17 SemanAc Security (one- Ame key) EXP(0): Chal. k K m 0, m 1 M : m 0 = m 1 Adv. A c E(k,m 0 ) b {0,1} one Ame key adversary sees only one ciphertext EXP(1): Chal. k K m 0, m 1 M : m 0 = m 1 Adv. A c E(k,m 1 ) b {0,1} Adv SS [A,OTP] = Pr[ EXP(0)=1 ] Pr[ EXP(1)=1 ] should be neg.
18 ECB is not SemanAcally Secure ECB is not semanacally secure for messages that contain more than one block. Chal. k K b {0,1} Two blocks m 0 = Hello World m 1 = Hello Hello (c 1,c 2 ) E(k, m b ) Adv. A Then Adv SS [A, ECB] = 1 If c 1 =c 2 output 0, else output 1
19 Secure ConstrucAon I DeterminisAc counter mode from a PRF F : E DETCTR (k, m) = m[0] m[1] F(k,0) F(k,1) m[l] F(k,L) c[0] c[1] c[l] Stream cipher built from a PRF (e.g. AES, 3DES)
20 Det. counter- mode security Theorem: For any L>0, If F is a secure PRF over (K,X,X) then E DETCTR is sem. sec. cipher over (K,X L,X L ). In paracular, for any eff. adversary A akacking E DETCTR there exists a n eff. PRF adversary B s.t.: Adv SS [A, E DETCTR ] = 2 Adv PRF [B, F] Adv PRF [B, F] is negligible (since F is a secure PRF) Hence, Adv SS [A, E DETCTR ] must be negligible.
21 Proof chal. k K c m 0, m 1 m0 F(k,0) F(k,L) p adv. A b 1 p chal. f Funs c m 0, m 1 m0 f(0) f(l) p adv. A b 1 chal. k K c m 0, m 1 m1 F(k,0) F(k,L) adv. A b 1 p chal. r {0,1} n c m 0, m 1 m1 f(0) f(l) adv. A b 1
22 End of Segment
23 Online Cryptography Course Using block ciphers Security for many- Ame key Example applicaaons: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets.
24 SemanAc Security for many- Ame key Key used more than once adv. sees many CTs with same key Adversary s power: chosen- plaintext akack (CPA) Can obtain the encrypaon of arbitrary messages of his choice (conservaave modeling of real life) Adversary s goal: Break semaac security
25 SemanAc Security for many- Ame key E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: b Chal. k K m 1,0, m 1,1 M : m 1,0 = m 1,1 Adv. c 1 E(k, m 1,b )
26 SemanAc Security for many- Ame key E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: b Chal. k K m 2,0, m 2,1 M : m 2,0 = m 2,1 Adv. c 2 E(k, m 2,b )
27 SemanAc Security for many- Ame key (CPA security) E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: b Chal. for i=1,,q: Adv. k K m i,0, m i,1 M : m i,0 = m i,1 c i E(k, m i,b ) b {0,1} if adv. wants c = E(k, m) it queries with m j,0 = m j,1 =m Def: E is sem. sec. under CPA if for all efficient A: Adv CPA [A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible.
28 Ciphers insecure under CPA Suppose E(k,m) always outputs same ciphertext for msg m. Then: Chal. k K m 0, m 0 M c 0 E(k, m 0 ) m 0, m 1 M c E(k, m b ) Adv. output 0 if c = c 0 So what? an akacker can learn that two encrypted files are the same, two encrypted packets are the same, etc. Leads to significant akacks when message space M is small
29 Ciphers insecure under CPA Suppose E(k,m) always outputs same ciphertext for msg m. Then: Chal. k K m 0, m 0 M c 0 E(k, m 0 ) m 0, m 1 M c E(k, m b ) Adv. output 0 if c = c 0 If secret key is to be used mulaple Ames given the same plaintext message twice, encrypaon must produce different outputs.
30 SoluAon 1: randomized encrypaon E(k,m) is a randomized algorithm: m 0 enc dec m 0 m 1 m 1 encrypang same msg twice gives different ciphertexts (w.h.p) ciphertext must be longer than plaintext Roughly speaking: CT- size = PT- size + # random bits
31 Let F: K R M be a secure PRF. R For m M define E(k,m) = [ r R, output (r, F(k,r) m) ] Is E semanacally secure under CPA? Yes, whenever F is a secure PRF No, there is always a CPA akack on this system Yes, but only if R is large enough so r never repeats (w.h.p) It depends on what F is used
32 SoluAon 2: nonce- based EncrypAon Alice m, n E(k,m,n)=c E nonce Bob c, n D(k,c,n)=m D k nonce n: a value that changes from msg to msg. (k,n) pair never used more than once k method 1: nonce is a counter (e.g. packet counter) used when encryptor keeps state from msg to msg if decryptor has same state, need not send nonce with CT method 2: encryptor chooses a random nonce, n N
33 CPA security for nonce- based encrypaon System should be secure when nonces are chosen adversarially. b for i=1,,q: Chal. Adv. k K n i and m i,0, m i,1 : m i,0 = m i,1 c E(k, m i,b, n i ) b {0,1} All nonces {n 1,, n q } must be dis8nct. Def: nonce- based E is sem. sec. under CPA if for all efficient A: Adv ncpa [A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible.
34 Let F: K R M be a secure PRF. Let r = 0 iniaally. For m M define E(k,m) = [ r++, output (r, F(k,r) m) ] Is E CPA secure nonce- based encrypaon? Yes, whenever F is a secure PRF No, there is always a nonce- based CPA akack on this system Yes, but only if R is large enough so r never repeats It depends on what F is used
35 End of Segment
36 Online Cryptography Course Using block ciphers Modes of operaaon: many Ame key (CBC) Example applicaaons: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets.
37 ConstrucAon 1: CBC with random IV Let (E,D) be a PRP. E CBC (k,m): choose random IV X and do: IV m[0] m[1] m[2] m[3] E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] ciphertext
38 DecrypAon circuit In symbols: c[0] = E(k, IV m[0] ) m[0] = D(k, c[0]) IV IV c[0] c[1] c[2] c[3] D(k, ) D(k, ) D(k, ) D(k, ) m[0] m[1] m[2] m[3]
39 CBC: CPA Analysis CBC Theorem: For any L>0, If E is a secure PRP over (K,X) then E CBC is a sem. sec. under CPA over (K, X L, X L+1 ). In paracular, for a q- query adversary A akacking E CBC there exists a PRP adversary B s.t.: Adv CPA [A, E CBC ] 2 Adv PRP [B, E] + 2 q 2 L 2 / X Note: CBC is only secure as long as q 2 L 2 << X
40 An example Adv CPA [A, E CBC ] 2 PRP Adv[B, E] + 2 q 2 L 2 / X q = # messages encrypted with k, L = length of max message Suppose we want Adv CPA [A, E CBC ] 1/2 32 q 2 L 2 / X < 1/ 2 32 AES: X = q L < 2 48 So, ader 2 48 AES blocks, must change key 3DES: X = 2 64 q L < 2 16
41 Warning: an akack on CBC with rand. IV CBC where akacker can predict the IV is not CPA- secure!! Suppose given c E CBC (k,m) can predict IV for next message Chal. k K 0 X c 1 [ IV 1, E(k, 0 IV 1 ) ] m 0 =IV IV 1, m 1 m 0 c [ IV, E(k, IV 1 ) ] or c [ IV, E(k, m 1 IV) ] Adv. predict IV output 0 if c[1] = c 1 [1] Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i- 1)
42 ConstrucAon 1 : nonce- based CBC Cipher block chaining with unique nonce: key = (k,k 1 ) unique nonce means: (key, n) pair is used for only one message nonce m[0] m[1] m[2] m[3] IV E(k 1, ) E(k, ) E(k, ) E(k, ) E(k, ) nonce c[0] c[1] c[2] c[3] included only if unknown to decryptor ciphertext
43 An example Crypto API (OpenSSL) void AES_cbc_encrypt( const unsigned char *in, unsigned char *out, size_t length, const AES_KEY *key, unsigned char *ivec, user supplies IV AES_ENCRYPT or AES_DECRYPT); When nonce is non random need to encrypt it before use
44 A CBC technicality: padding IV IVʹ m[0] m[1] m[2] m[3] ll pad E(k 1, ) E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] TLS: for n>0, n byte pad is n n n if no pad needed, add a dummy block n removed during decrypaon
45 End of Segment
46 Online Cryptography Course Using block ciphers Modes of operaaon: many Ame key (CTR) Example applicaaons: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets.
47 ConstrucAon 2: rand ctr- mode Let F: K {0,1} n {0,1} n be a secure PRF. E(k,m): choose a random IV {0,1} n and do: IV msg m[0] m[1] F(k,IV) F(k,IV+1) m[l] F(k,IV+L) IV c[0] c[1] c[l] ciphertext note: parallelizable (unlike CBC)
48 ConstrucAon 2 : nonce ctr- mode msg IV m[0] m[1] F(k,IV) F(k,IV+1) m[l] F(k,IV+L) IV c[0] c[1] c[l] ciphertext To ensure F(k,x) is never used more than once, choose IV as: IV: 128 bits nonce counter 64 bits 64 bits starts at 0 for every msg
49 rand ctr- mode (rand. IV): CPA analysis Counter- mode Theorem: For any L>0, If F is a secure PRF over (K,X,X) then E CTR is a sem. sec. under CPA over (K,X L,X L+1 ). In paracular, for a q- query adversary A akacking E CTR there exists a PRF adversary B s.t.: Adv CPA [A, E CTR ] 2 Adv PRF [B, F] + 2 q 2 L / X Note: ctr- mode only secure as long as q 2 L << X. Beker than CBC!
50 An example Adv CPA [A, E CTR ] 2 Adv PRF [B, E] + 2 q 2 L / X q = # messages encrypted with k, L = length of max message Suppose we want Adv CPA [A, E CTR ] 1/2 32 q 2 L / X < 1/ 2 32 AES: X = q L 1/2 < 2 48 So, ader 2 32 CTs each of len 2 32, must change key (total of 2 64 AES blocks)
51 Comparison: ctr vs. CBC CBC ctr mode uses PRP PRF parallel processing No Yes Security of rand. enc. q^2 L^2 << X q^2 L << X dummy padding block Yes No 1 byte msgs (nonce- based) 16x expansion no expansion (for CBC, dummy padding block can be solved using ciphertext stealing)
52 Summary PRPs and PRFs: a useful abstracaon of block ciphers. We examined two security noaons: 1. SemanAc security against one- Ame CPA. 2. SemanAc security against many- Ame CPA. Note: neither mode ensures data integrity. (security against eavesdropping) Stated security results summarized in the following table: Goal Power one-time key Many-time key (CPA) CPA and integrity Sem. Sec. steam-ciphers det. ctr-mode rand CBC rand ctr-mode later
53 Further reading A concrete security treatment of symmetric encrypaon: Analysis of the DES modes of operaaon, M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997 Nonce- Based Symmetric EncrypAon, P. Rogaway, FSE 2004
54 End of Segment
Security and Cryptography 1
Security and Cryptography 1 Module 5: Pseudo Random Permutations and Block Ciphers Disclaimer: large parts from Mark Manulis and Dan Boneh Dresden, WS 18 Reprise from the last modules You know CIA, perfect
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationOnline Cryptography Course. Block ciphers. What is a block cipher? Dan Boneh
Online Cryptography Course Block ciphers What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2.
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationOnline Cryptography Course. Collision resistance. Introduc3on. Dan Boneh
Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #2
CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible
More informationMessage Authentication Codes (MACs) and Hashes
Message Authentication Codes (MACs) and Hashes David Brumley dbrumley@cmu.edu Carnegie Mellon University Credits: Many slides from Dan Boneh s June 2012 Coursera crypto class, which is awesome! Recap so
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationAuthenticated Encryption Mode for Beyond the Birthday Bound Security
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationDan Boneh. Introduction. Course Overview
Online Cryptography Course Introduction Course Overview Welcome Course objectives: Learn how crypto primitives work Learn how to use them correctly and reason about security My recommendations: Take notes
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationOn the Security of CTR + CBC-MAC
On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More information7 Security Against Chosen Plaintext
7 Security Against Chosen Plaintext Attacks Our previous security definitions for encryption capture the case where a key is used to encrypt only one plaintext. Clearly it would be more useful to have
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationImproved security analysis of OMAC
Improved security analysis of OMAC Mridul andi CIVESTAV-IP, Mexico City mridul.nandi@gmail.com Abstract. We present an improved security analysis of OMAC, the construction is widely used as a candidate
More informationPost-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.
OFB, CTR, In CBC, Ehsan Ebrahimi Targhi, Gelo Noel Tabia, Dominique Unruh University of Tartu February 4, 2016 Table of contents In CBC 1 2 3 4 In CBC PRF under quantum 5 6 Being optimistic about the emergence
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationMessage Authentication
Motivation Message Authentication 15-859I Spring 2003 Suppose Alice is an ATM and Bob is a Ban, and Alice sends Bob messages about transactions over a public channel Bob would lie to now that when he receives
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationA Generic Method to Design Modes of Operation Beyond the Birthday Bound
A Generic Method to Design Modes of Operation Beyond the Birthday Bound David Lefranc 1, Philippe Painchault 1,Valérie Rouat 2, and Emmanuel Mayer 2 1 Cryptology Laboratory Thales 160 Boulevard de Valmy
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationRelations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions
Relations Among Notions of Security for Public-Key Encryption Schemes Debdeep Muhopadhyay IIT Kharagpur Notions To organize the definitions of secure encryptions Classified depending on: security goals:
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More information