On the Influence of Message Length in PMAC's Security Bounds
Slide 1: On the Influence of Message Length in PMAC's Security Bounds
Atul Luykx (1), Bart Preneel (1), Alan Szepieniec (1), Kan Yasuda (2)
(1) COSIC, KU Leuven, Belgium; (2) NTT Secure Platform Laboratories, Japan
May 11, 2016
Slide 2: Security Bounds
Factors:
1. Adversarial resources
2. Scheme parameters
3. Confidence level
Figure: plot of message length l (horizontal) against number of queries q (vertical); the region under the bound is labelled "Secure".
Context: TLS 1.3: GCM, ChaCha20 + Poly1305. ISO/IEC SC27 WG2: 48-bit block size?
Slide 3: Example: EMAC
Figure: EMAC. The message blocks m_1, m_2, m_3, ..., m_l are CBC-chained through π_1, and the final chaining value is passed through π_2 to give the tag T.
Bound: $c_1 \cdot q^2 l^2 / 2^n \le \epsilon$, where
n: block size
q: number of queries
l: query length in blocks
ε: confidence
Table: ε = 1/2^20, l = 1 KB. Columns: Cipher, Block Size, Limit. Rows: AES, PRESENT, KATAN (values not shown).
Slide 4: EMAC Bounds
Figure: plot of message length l against number of queries q showing the EMAC bound; a question mark is added to the plot in the later builds of the slide.
Slide 5: Switching Schemes
Figure: the l-versus-q plot populated with schemes: EMAC, Sum of CBCs, PMAC Plus, 3kf, PMAC with Parity, LightMAC, PMACX.
Slide 6: XOR-Style PRF
PMAC with Parity, PMACX, LightMAC.
Figure: the message m is split into inputs x_1, x_2, x_3, x_4; each input is passed through π and the four outputs are XORed together.
Slide 7: PMAC and PHASH
Figure: ω = π(0). Each message block m_i is masked as $m_i \oplus c_i \cdot \omega$, passed through π, and the outputs are XORed to give PHASH(m).
PMAC(m) = OutputTransform(PHASH(m))
Mask choices: 1. Gray codes 2. Powering up
Slide 8: PMAC Bounds
Figure: the l-versus-q plot with PMAC placed alongside PMAC with Parity, LightMAC and PMACX; a question mark is added in the final build.
Slide 9: Focusing on Collisions
PHASH(m_1) = PHASH(m_2) implies PMAC(m_1) = PMAC(m_2).
A PHASH collision implies a PMAC attack.
Slide 10: Results
Message length dependence changes according to masks.
PHASH instances: Gray codes; Powering up.
Infinitely many instances with collision upper bound $2/2^n$, or for which finding a high-probability collision is computationally hard (based on a conjecture).
Gray-code instances depend on message length.
Slide 11: Results in Context
Figure: the l-versus-q plot with PMAC with Parity, LightMAC, PMACX and PMAC.
Slide 12: PHASH vs XOR Hash
XOR Hash(m): block i is encoded as $\langle i \rangle_{n/2} \,\|\, m_i$ (an n/2-bit counter concatenated with an n/2-bit message block), each encoded block is passed through π, and the outputs are XORed.
PHASH(m): ω = π(0); each block is masked as $m_i \oplus c_i \cdot \omega$, passed through π, and the outputs are XORed.
Slide 13: XOR Hash Collision
Figure: two messages side by side, one of four blocks $\langle i \rangle_{n/2} \,\|\, m_i$ (i = 1..4) and one of three blocks $\langle i \rangle_{n/2} \,\|\, m'_i$ (i = 1..3), each block passed through π; the builds step through the π inputs of the two messages position by position.
Slide 14: PHASH Collision
Figure: two messages side by side, one of four blocks $m_i \oplus c_i \cdot \omega$ (i = 1..4) and one of three blocks $m'_i \oplus c_i \cdot \omega$ (i = 1..3), each passed through π.
Slide 15: Approach
Figure: the PHASH diagram (ω = π(0), blocks $m_i \oplus c_i \cdot \omega$ through π, outputs XORed) next to the plane X². Each block is plotted as a point: m_1 with mask c_1 becomes the point (c_1, m_1), and likewise m_2, m_3, m_4 become (c_2, m_2), (c_3, m_3), (c_4, m_4), with the masks c_i along the horizontal axis and the blocks m_i along the vertical axis.
Slide 16: Conclusions and Open Problems
PMAC message length dependence is non-trivial.
1. What happens with powering up?
2. Optimal masks?
3. Relationship between PMAC and PHASH when the output transform is not independent?
Thank you for your attention.
Slide 17: Connection With PHASH Collision Probability
Two messages m_1 and m_2 collide with probability $k/2^n$ if the corresponding set in X² is evenly covered by k slopes.
Simple proof of l-bound:
Slide 18: Set Evenly Covered by Two Slopes
Figure: a set of four points evenly covered by the slopes 0 and $a^{-1}$. The x-coordinates of the points are 0 and a, and the y-coordinates are 0 and 1.
Guarantees a collision with probability $2/2^n$.
Slide 19: Set Evenly Covered by Three Slopes
Figure: a set of four points evenly covered by the slopes 0, $a^{-1}$ and $b^{-1}$. The x-coordinates of the points are 0, a, b and c, and the y-coordinates are 0 and 1.
Exists if and only if $a + b + c = 0$.
Slide 20: Another Set Evenly Covered by Three Slopes
Figure: a set of points evenly covered by the slopes u, v and w. Each point is accompanied by another point with the same x-coordinate; the x-coordinates of the pairs (0, a, b, c) are indicated below the lower points.
Exists if and only if $a^2 + b^2 + c^2 + ab + ac = 0$.
Slide 21: Evenly Covered Sets in General
The x-coordinates of evenly covered sets satisfy one of the following:
1. They contain a subset summing to zero (NP-complete)
2. They are the solution to a non-trivial binary quadratic form (a similar problem is NP-complete)
Conjecture: Given $S \subseteq X$, finding a subset of S satisfying either of the above requirements is computationally hard.
Slide 22: Searching for Evenly Covered Sets
Proposition: An evenly covered set with distinct x-coordinates forms a complete graph if and only if the x-coordinates are an additive subgroup of X.
1. For sufficiently long messages, the masks will always contain an additive subgroup.
2. Finding additive subgroups in Gray codes is easy for every power of two.
Success probability of the Gray-code attack: $2^{k-n}$ for $l = 2^k$.
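The following is an added example, not code from the slides or the authors, that models the argument of slides 7, 15 and 17 to 19 in Python over a toy field X = GF(2^8) with a seeded random permutation standing in for the block cipher: it maps the blocks of two messages to the points (c_i, m_i), brute-forces the slopes ω that evenly cover the surviving points, and checks that forcing π(0) = ω yields the PHASH collision. The function names, the AES reduction polynomial and the two constructed message pairs are assumptions of the example.

```python
"""Toy model of the PHASH collision argument: blocks become points (c_i, m_i)
in X^2, and omega = pi(0), read as a line slope, decides whether the two
messages' pi-inputs cancel pairwise. Constructed for illustration with n = 8;
it is not the paper's code."""
import random
from collections import Counter

N = 8                    # toy block size n; X = GF(2^n)
FIELD = 1 << N
POLY = 0x11B             # reduction polynomial for GF(2^8) (assumption: AES's)


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & FIELD:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8), found by brute force (fine for n = 8)."""
    return next(x for x in range(1, FIELD) if gf_mul(a, x) == 1)


def gray(i: int) -> int:
    """Binary reflected Gray code, the mask constants c_i of Gray-code PMAC."""
    return i ^ (i >> 1)


def random_perm(seed: int) -> list:
    """A random permutation pi of X standing in for the block cipher."""
    pi = list(range(FIELD))
    random.Random(seed).shuffle(pi)
    return pi


def phash(pi: list, masks: list, blocks: list) -> int:
    """PHASH(m) = XOR_i pi(m_i + c_i * omega) with omega = pi(0) (slide 7).
    zip() stops at the message length, so unused masks are ignored."""
    omega = pi[0]
    out = 0
    for c, m in zip(masks, blocks):
        out ^= pi[m ^ gf_mul(c, omega)]
    return out


def point_set(masks: list, m1: list, m2: list) -> list:
    """Points (c_i, m_i) of both messages (slide 15); a point present in both
    messages feeds pi the same input twice and cancels, so only points with
    an odd count survive."""
    count = Counter()
    for blocks in (m1, m2):
        for c, m in zip(masks, blocks):
            count[(c, m)] += 1
    return sorted(p for p, k in count.items() if k % 2 == 1)


def covering_slopes(points: list) -> set:
    """All omega in X such that every line of slope omega carries an even
    number of the points ("evenly covered", slide 17). Two points (c, m) and
    (c', m') lie on one line of slope omega iff m + c*omega = m' + c'*omega,
    i.e. iff they give pi the same input, so such an omega forces a collision."""
    slopes = set()
    for omega in range(FIELD):
        lines = Counter(m ^ gf_mul(c, omega) for c, m in points)
        if all(k % 2 == 0 for k in lines.values()):
            slopes.add(omega)
    return slopes


def collides_with_omega(masks, m1, m2, omega, seed=1) -> bool:
    """Force pi(0) = omega in an otherwise random pi and compare PHASH values."""
    pi = random_perm(seed)
    j = pi.index(omega)
    pi[0], pi[j] = pi[j], pi[0]
    return phash(pi, masks, m1) == phash(pi, masks, m2)


def slide18_instance():
    """Gray-code masks, m1 = (0, 0), m2 = (1, 1): the four points have
    x-coordinates c_1, c_2 and y-coordinates 0, 1, the set of slide 18."""
    masks = [gray(1), gray(2)]
    return masks, [0, 0], [1, 1]


def slide19_instance(a: int, b: int, c: int):
    """Masks (c_1, 0, a, b, c) with a shared first block, so the surviving
    points are (0,0), (a,1), (b,1), (c,0): slide 19's set, covered by three
    slopes exactly when a + b + c = 0."""
    masks = [gray(1), 0, a, b, c]
    return masks, [0x2A, 0, 1, 1, 0], [0x2A]


if __name__ == "__main__":
    masks, m1, m2 = slide18_instance()
    slopes = covering_slopes(point_set(masks, m1, m2))
    print("slide 18: %d slopes, collision probability %d/2^%d" % (len(slopes), len(slopes), N))
    for w in sorted(slopes):
        print("  omega = 0x%02x collides:" % w, collides_with_omega(masks, m1, m2, w))
```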
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationA new security notion for asymmetric encryption Draft #10
A new security notion for asymmetric encryption Draft #10 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationRelaxed Locally Correctable Codes in Computationally Bounded Channels
Relaxed Locally Correctable Codes in Computationally Bounded Channels Elena Grigorescu (Purdue) Joint with Jeremiah Blocki (Purdue), Venkata Gandikota (JHU), Samson Zhou (Purdue) Classical Locally Decodable/Correctable
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationGeneral Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity
General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More information