CS 6260 Applied Cryptography
|
|
- Octavia Gilmore
- 6 years ago
- Views:
Transcription
1 CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. M K E C or A C K D M or Sender S Receiver R It is required that for every M MsgSp and every K that can be output by K, D(K,E(K,M))=M 1 2 Often the key generation algorithm simply picks a random string from some key space KeySp (e.g. {0,1} k for some integer k). In this case we will say that a scheme is defined by KeySp and two algorithms: =(KeySp,E,D) The encryption algorithm can be either randomized (take as input a random string) or stateful (take as input some state (e.g. counter) that it can update) Block cipher modes of operation Modes of operation define how to use a block cipher to encrypt long messages We will often assume that the message space consists of messages whose length is multiple of a block length 3 4
2 Eleonic Code Book (ECB) mode Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. ECB=({0,1} k,e,d): Encryption algorithm E M2 Mm Eleonic Code Book (ECB) mode algorithm (M) if ( M mod n 0 or M = 0) then return Break M into n-bit blocks Mm Ci (Mi) C return C Decryption algorithm D C2 C algorithm D K (C) if ( C mod n 0 or C = 0) then return Break C into n-bit blocks Mi EK 1 (Ci) M Mm return M M2 Mm 5 6 Cipher-block chaining (CBC) mode with random IV Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. CBC=({0,1} k,e,d): IV"{0,1} n IV M2 Mm Cipher-block chaining (CBC) mode with random IV algorithm (M) if ( M mod n 0 or M = 0) then return Break M into n-bit blocks Mm C0 IV {0, 1} n Ci (Ci 1 Mi) C return IV, C Decryption algorithm D IV IV C2 C algorithm D K ( IV, C ) if ( C mod n 0 or M = 0) then return Break C into n-bit blocks C0 IV Mi EK 1 (Ci) Ci 1) M Mm return M M2 Mm 7 8
3 Stateful Cipher-block chaining (CBC) mode with counter IV Stateful Cipher-block chaining (CBC) mode with counter IV Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. CBCC=({0,1} k,e,d): "0 n The counter is incremented for each new message Decryption algorithm D M2 C2 C2 Mm algorithm (M) static 0 if ( M mod n 0 or M = 0) then return Break M into n-bit blocks Mm if 2 n then return C0 IV n Ci (Ci 1 Mi) C + 1 return IV, C algorithm D K( IV, C ) if ( C mod n 0 or C = 0) then return Break C into n-bit blocks if IV + m > 2 n then return C0 IV Mi EK 1 (Ci) Ci 1) M Mm return M M2 Mm 9 10 Randomized counter mode (CTR) Let F:{0,1} k!{0,1} l!{0,1} L be a function family. CBC=({0,1} k,e,d): R"{0,1} l Decryption algorithm D R R R+1 R+2 R+m C2 M2 Mm R+1 R+2 R+m Randomized counter mode (CTR) algorithm (M) m M /L R {0, 1} l Pad (R + 1) (R + 2) (R + m) Pad the first M bits of Pad C M Pad C R C return C algorithm D K (C) if C < l then return Parse C into R C where R = l m C /L Pad (R + 1) (R + 2) (R + m) Pad the first C bits of Pad M C Pad return M C2 M2 Mm 11 12
4 Stateful counter mode (CTRC) Let F:{0,1} k!{0,1} l!{0,1} L be a function family. CBC=({0,1} k,e,d): is initially 0 l A current counter is maintained as a state m M2 Mm Stateful counter mode (CTRC) algorithm (M) static 0 m M /L If + m 2 l then return Pad ( + 1) ( + 2) ( + m) Pad the first M bits of Pad C M Pad + m return m, C Decryption algorithm D C m algorithm D K( i, C ) m C /L Pad (i + 1) (i + 2) (i + m) Pad the first C bits of Pad M Pad C return M C2 M2 Mm What is a secure encryption scheme? Recall, perfectly secure schemes are impractical We assume that adversaries are computationally bounded A scheme is secure when it is not insecure. Insecure = adversaries can do bad things. Bad things: an adversary, who sees ciphertexts can compute the secret key can compute some plaintexts can compute the first bit of a plaintext can compute the sum of the bits of a plaintext can see when equal messages are encrypted can compute... So what is a secure encryption scheme? Informally, an encryption scheme is secure if no adversary with reasonable resources who sees several ciphertexts can compute any* partial information about the plaintexts, besides some a-priori information. * Any information, except the length of the plaintexts. We assume the length of the plaintexts is public. Note, that the above implies that the bad things we mentioned do not happen. And the other bad things. While the above definition captures the right intuition, it s too informal to be useful
5 Indistinguishability under chosen-plaintext attacks Fix =(KeySp,E,D) K"KeySp For an adversary A and a bit b consider an experiment Exp ind-cpa-b (A) b d A M 0,M 1 Adv ind-cpa (A) = Pr LR(!,!,!) The experiment returns d The IND-CPA advantage of A is: Mb (LR(!,!,!)) A symmetric encryption scheme is indistinguishable under chosenplaintext attacks (IND-CPA secure) if for any adversary A with reasonable resources Adv ind-cpa (A) is small (close to 0). C=(Mb ) () Exp ind-cpa-1 (A) = 1 Experiment Exp ind-cpa-1 (A) K K d A EK(LR(,,1)) Return d Pr Exp ind-cpa-0 (A) = 1 Experiment Exp ind-cpa-0 (A) K K d A EK(LR(,,0)) Return d 17 Fix =(KeySp,E,D) K"KeySp A M 0,M 1 Alternative interpretation For an adversary A consider an experiment Exp ind-cpa-cg (A) Claim. b b LR(!,!,!) M b The experiment returns 1 iff A b =b EK() Adv ind-cpa (A) = 2 Pr Exp ind-cpa-cg (A) = 1 1. experiment, adversary is run with an oracle for wor Experiment Exp ind-cpa-cg (A) b {0, 1} ; K K b A EK(LR(,,b)) if b = b then return 1 else return 0 18 Proof of the claim Pr Exp ind-cpa-cg (A) = 1 = Pr = Pr = b = b = Pr b = b b = 1 Pr b = 1 + Pr b = b b = 0 Pr b = = Pr b = b b = Pr b = b b = = Pr b = 1 b = Pr b = 0 b = ) = Pr b = 1 b = ( 1 Pr b ) = 1 b = 0 ) 1 ( ) 2 ) = (Pr b = 1 b = 1 Pr b = 1 b = 0 ) 2 2 ( ) ( ( = ) 2 ( Pr Exp ind-cpa-1 (A) = 1 Pr Exp ind-cpa-0 (A) = 1 = Advind-cpa (A) Why IND-CPA ensures that no partial information is leaked? Fix =(KeySp,E,D) with MsgSp={0,1} m. Assume there exists an adversary B that after seeing a few plaintexts-cipertexts pairs and a challenge ciphertext can compute the challenge plaintext. Namely, in Experiment Exp pr-cpa (B) K K M {0, 1} m C (M ) M B EK( ) (C) If M = M then return 1 else return 0 Then is not IND-CPA secure. Claim. IND-CPA Fix =(KeySp,E,D) with MsgSp={0,1} m. Then for every adversary B there exists an adversary A such that Adv pr-cpa (B) Adv ind-cpa (A) m and q A = q B + 1,µ A = µ B + m,t A = t B = O(µ+ m + c) Adv pr-cpa (B) = Pr Exp pr-cpa (B) = 1 is non-negligible 19 20
6 Proof. We define A as follows: Adversary A EK(LR(,,b)) E We now analyze the adversary: Pr Pr M 0 {0, 1} m ; M 1 {0, 1} m C (LR(M 0, M 1, b)) Run adversary B on input C, replying to its oracle queries as follows When B makes an oracle query X to g do When B makes an oracle query X do Y (LR(X, X, b)) return Y to B as the answer When halts and outputs plaint When B halts and outputs a plaintext M If M = M 1 then return 1 else return 0 Exp ind-cpa-1 (A) = 1 Adv pr-cpa (B) S - - Exp ind-cpa-0 (A) = 1 2 m. Adv ind-cpa (A) = Pr Exp ind-cpa-1 (A) = 1 Pr Exp ind-cpa-0 (A) = 1 Adv pr-cpa (B) 2 m. The resources of A are justified by the description of A. Analysis of the ECB mode. Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. ECB=({0,1} k,e,d): Encryption algorithm E M2 C2 Conjecture. ECB is PR-CPA secure. Is ECB a good encryption scheme? Is ECB IND-CPA secure? Mm ECB is not IND-CPA Adversary A EK(LR(,,b)) M 1 0 2n ; M 0 0 n 1 n C2 (LR(M 0, M 1, b)) If = C2 then return 1 else return 0 Claim. Any deterministic, stateless scheme is not IND-CPA Why? Above, denotes the -th block of a string, a Adv ind cpa ECB (A) = Pr Exp ind cpa 1 ECB (A) = 1 Pr Exp ind cpa 0 ECB (A) = 1 = 1 0 =
7 Analysis of the CTRC Let F:{0,1} k!{0,1} l!{0,1} L be a function family. CBC=({0,1} k,e,d): is initially 0 l A current counter is maintained as a state m C2 M2 Mm The scheme is used to encrypt at most 2 l blocks (so that the counter does not wrap around) Security of CTRC Theorem. For any adversary A there exists an adversary B such that Adv ind cpa where Proof idea. We present an adversary B who needs to distinguish whether it is given an oracle access to a truly random function or an instance of F. B will use A s ability to break the CTRC encryption scheme. B will run A as a subroutine, simulating the ind-cpa experiment for it. B will answer A s oracle queries using its own oracle. Finally, if A wins, B will win. CT RC f (A) 2 Advpr (B) F t B = t A + O(q A + (l + L) µ A l ),q B = µ A l,µ B = µ A How good is the scheme? The flaws seem hard to find. Q. But may be they exist and we just don t see them? A. The mode is as good as it can be and we can prove it Proof. Let A be any ind-cpa adversary attacking CTRC. We present a prf adversary B: b R {0,1} M 0,M 1 M b A E (!) g/ b B g / B can simulate the CTRC encryption algorithm because it makes only oracle use of the underlying function F. 1 iff b =b Adversary B g b {0, 1} Run adversary A, replying to its oracle queries as follows When A makes an oracle query (M 0, M 1 ) do C E g (M b ) Return C to A as the answer Until A stops and outputs a bit b If b = b then return 1 else return 0 g is a random instance of Func(l,L) Let us analyze B. Note that Pr Exp prf-1 F (B) = 1 = Pr Exp ind-cpa-cg F (A) = 1 Pr Exp prf-0 F (B) = 1 = Pr Exp ind-cpa-cg Func(l,L) (A) = 1 Equations (4.4) and (4.5) we can now apply Proposition 4. and thus Adv prf F (B) = Pr Exp prf-1 F (B) = 1 Pr Exp prf-0 F (B) = 1 We will show that = 1 2 Advind-cpa F (A) 1 2 Advind-cpa Func(l,L) (A) 1 Adv ind-cpa Func(l,L) (A) = 0 = Advind-cpa F (A) = Advind-cpa Func(l,L) (A) and the statement of the theorem follows.finally the resources of B are justified by the algorithm for B
8 Adv ind-cpa Func(l,L) (A) = 0 because all the values corresponding to the red dots on the picture below are random and independent (since they are the results of a random function applied to distinct points) and thus,..., are also random values, independent from the adversary A s challenge bit. Analysis of the CTR Let F:{0,1} k!{0,1} l!{0,1} L be a function family. CBC=({0,1} k,e,d): R"{0,1} l R+1 R+2 R+m m F K M2 Mm g g g R C2 M2 Mm C Theorem. For any adversary A there exists an adversary B such that Adv ind cpa CT R where What does the security statement tell us? Let F be AES, l=l=128. Assume one encrypts q=2 30 messages, 1 Kb each (2 13 bits), recall Adv ind cpa CT R (A) 2 q2 AES µ2 A L 2 2 l = 3 µ2 L (A) 2 Adv pr f Security of CTR F (B) + µ2 A l 2 2 l t B = t A + O(q A + (l + L) µ A l ),q B = µ A l,µ B = µ A = Adv pr f AES (A) q2 AES Proof idea. As in the proof of the previous theorem. Proof. The adversary B is exactly like one in the proof of the previous theorem. But now we claim that Adv ind cpa Given this and the previous proof, the statement of the theorem follows. To prove the claim note that after q queries A made the inputs to the random function are r 1 + 1, r 1 + 2,, r 1 + m 1 r 2 + 1, r 2 + 2,, r 2 + m 2. r q + 1, r q + 2,, r q + m q Adv ind cpa CT RFunc(l,L) (A) = Pr 1 A = 1 Pr 0 A = 1 = Pr 1 A = 1 Col Pr 1 Col + Pr 1 A = 1 NoCol Pr 1 NoCol Pr 0 A = 1 Col Pr 0 Col Pr 0 A = 1 NoCol Pr 0 NoCol = (Pr 1 A = 1 Col Pr 0 A = 1 Col) Pr 0 Col Pr 0 Col.. µ2 A CT RFunc(l,L) (A) 2 l 2 2 l Let NoCol be the event that these values are all distinct, and Col is the complement of NoCol. Then 31 32
9 It remains to calculate Pr Col Pr Col = Pr Col q (we drop the subscript 0 in the notation) (Col i is the event that there is is collision in the first i rows) = Pr Col q 1 + Pr Col q NoCol q 1 Pr NoCol q 1 Pr Col q 1 + Pr Col q NoCol q 1 Security of CBCC Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. CBCC=({0,1} k,e,d): Stateful. q Pr Col 1 + Pr Col i NoCol i 1 i=2 q = Pr Col i NoCol i 1. i=2 Pr Col i NoCol i 1 (m i + m 1 1) + (m i + m 2 1) + + (m i + m i 1 1) 2 l Pr Col = (i 1)m i + m i m 1 (i 1) 2 l, q Pr Col i NoCol i 1 i=2 q (i 1)m i + m i m 1 2 i=2 l = (q 1)(m1 + + mq) 2 l. The statement follows after we note that m m q = µ A /l "0 n incremented for each new message M2 C2 Mm Theorem. There exists an adversary A such that Proof idea. Adversary A EK(LR(,,b)) M 0,1 0 n ; M 1,1 0 n M 0,2 0 n ; M 1,2 0 n 1 1 IV 1, C 1 (LR(M 0,1, M 1,1, b)) IV 2, C 2 (LR(M 0,2, M 1,2, b)) If C 1 = C 2 then return 1 else return 0 Adv ind cpa CBCC (A) = 1 33 We claim that 34 Security of CBC Did we get all we wanted? Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. CBC=({0,1} k,e,d): Is IND-CPA security definition strong enough (does it take into account all the bad things that can happen?) IV"{0,1} n IV M2 Mm An adversary wants to win: to get some partial information about the plaintext from a challenge ciphertext IV C2 What if the adversary can make the receiver to decrypt other ciphertexts of the adversary s choice, learn the plaintexts and this helps it to win? Theorem. For any adversary A there exists an adversary B such that Our definition didn t consider such chosen-ciphertext attacks Adv ind cpa CBC (A) 2 Adv pr f E (B) + µ2 A n 2 2 n where t B = t A + O(q A + µ A ), q B = µ A n, µ B = µ A 35 36
10 Indistinguishability under chosen-ciphertext attacks Fix =(KeySp,E,D) K"KeySp For an adversary A and a bit b consider an experiment b d A M 0,M 1 C M LR(!,!,!) C=(Mb ) D K () The experiment returns d The IND-CCA advantage of A is: Adv ind cca M b () (LR(!,!,!)) Exp ind cca b (A) A is not allowed to query its decryption oracle on ciphertexts returned by its LR encryption oracle (A) = Pr Exp ind cca 1 (A) = 1 Pr Exp ind cca 0 (A) = 1 A symmetric encryption scheme is indistinguishable under chosenciphertext attacks (IND-CCA secure) if for any adversary A with reasonable resources Adv ind cca (A) is small (close to 0). 37
CS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #2
CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible
More informationAn Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 04, Lecture Notes in Computer Science Vol., C. Cachin and J. Camenisch ed., Springer-Verlag, 2004. This is the full version.
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationOnline Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh
Online Cryptography Course Using block ciphers Review: PRPs and PRFs Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationA note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT
A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationEfficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE
Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE Yang Cui 1,2, Kirill Morozov 1, Kazukuni Kobara 1,2, and Hideki Imai 1,2 1 Research Center for Information
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2010-2011 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 11th 2010 1 / 61 Last Time (I) Security
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationRelations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions
Relations Among Notions of Security for Public-Key Encryption Schemes Debdeep Muhopadhyay IIT Kharagpur Notions To organize the definitions of secure encryptions Classified depending on: security goals:
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationAnalysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes
Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationNon-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999. This revised version corrects some mistakes
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationBuilding Secure Cryptographic Transforms, or How to Encrypt and MAC
Building Secure Cryptographic Transforms, or How to Encrypt and MAC Tadayoshi Kohno Adriana Palacio John Black August 28, 2003 Abstract We describe several notions of cryptographic transforms, symmetric
More informationCLASSICAL ENCRYPTION. Mihir Bellare UCSD 1
CLASSICAL ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: (Adversary) Mihir Bellare UCSD 2 Correct decryption requirement For all K, M
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationSolution of Exercise Sheet 6
Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationContents 1 Introduction 1 2 Re-keying processes as pseudorandom generators 3 3 Generalization: Tree-based re-keying Construction
Extended abstract appears in Advances in Cryptology ASIACRYPT 2000, Tatsuaki Okamoto, editor, volume 1976 of Lecture Notes in Computer Science, Springer-Verlag, 2000. cfl IACR Increasing the Lifetime of
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More information