Symmetric Encryption. Adam O Neill based on
|
|
- Basil Hall
- 5 years ago
- Views:
Transcription
1 Symmetric Encryption Adam O Neill based on
2 Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter
3 - Correctness Pr [ NCK, Eck,M))=M]=1 fm in the message space where the probability is orer,. K # K and the Coins of { if any.
4 Modes of Operation E : {0, 1} k {0, 1} n! {0, 1}` a family of functions Usually a block cipher, in which case ` = n. Notation: x[i] is the i-th block of a string x, so that x = x[1]...x[m]. Length of blocks varies. Always: Alg K K $ {0, 1} k return K
5 Modes of Operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1-block message. How do we encrypt a long message using a primitive that only applies to n-bit blocks?
6 - x[ XID... x[ on ) ECB I Ee d Et t d Electronic code book mode Cfl ] CENT Algorithm E ( k Ecb, x ) Algorikm Dabck,c ) let =xti ]. For it Eklxi m ] let EZD. 1 to m do : For i. - In 1 to m do : ] ei ) xitetlcd Let c=c[ is. ) let x=xfd. - In ] - ctn return C return X
7 Security of ECB leaks input equality!
8 Security of ECB Suppose we know that there are only two possible messages, Y =1 n and N =0 n,forexamplerepresenting FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) =E K (M). M E K C
9 Voting with ECB Voters *did IIIIIIIO. "
10 Is this avoidable? Let SE =(K, E, D) beany encryption scheme. Suppose M 1, M 2 2 {Y, N} and Sender sends ciphertexts C 1 E K (M 1 )andc 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work?
11 Randomized Encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back di erent answers. That is, if M 1 = M 2 and we let C 1 $ E K (M 1 ) and C 2 $ E K (M 2 ) then Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E.
12 Randomized Encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of di erent possible ciphertexts.
13 CBLCTR Cipher. CBC$ block Chaining mode SE =(K, E, D) where: Alg E K (M) µ Called initial :ztn C[0] {0, 1} n for i =1,...,m do vector Eu ) C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i =1,...,m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher.
14 Voting with CBC$ Voters # tally =) m9e IIon Pink Ek(. Votenotwn : vote, of IV ) Ecrocsilkyoten 5 ) F. ( )
15 Towards a Definition We see CBC$ is better than ECB in some sense. But is it secure? What does secure mean here?
16 Security Requirements Suppose sender computes Adversary A has C 1,...,C q C 1 $ E K (M 1 ); ; C q $ E K (M q ) What if A Retrieves K Retrieves M 1 Bad! Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1, M 2? Something we won t hide: the length of the message
17 What we seek A master property that
18 What we seek A master property that Can be easily specified
19 What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure
20 What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure Implies a ciphertext reveals NO partial information about plaintext
21 What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure Implies a ciphertext reveals NO partial information about plaintext In the case of a blockcipher the master property was PRF-security. Here it is different because encryption should be randomized
22 Intuition The master property MP is called IND-CPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either M 1 0,...,M q 0 or lmiklmilti M 1 1,...,M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted.
23 In distinguish ability under chosen - plaintext attack IND-CPA Games Let SE =(K, E, D) be an encryption scheme Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 0 ) Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 1 ) Associated to SE, A are the probabilities h i Pr Left A SE)1 Pr h i Right A SE)1 that A outputs 1 in each world. The (ind-cpa) advantage of A is h i h i Adv ind-cpa SE (A) =Pr Right A SE)1 Pr Left A SE)1
24 Measure of Success Adv ind-cpa SE (A) 1 means A is doing well and SE is not ind-cpa-secure. Adv ind-cpa SE (A) 0(orapple0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is IND-CPA-secure if Adv ind-cpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not IND-CPA-secure if we can specify an explicit A that uses few resources yet achieves high ind-cpa-advantage.
25 in IND-CPA security of ECB Adversary ACRC.,. ) M. Met Il ol C LRLM,µ., ) - In LEFT ret LRCM.,m ) C '. RIGHT at It kcmo ) ' ret 0 Even, ) I Else ret.tn#=prtribtteaast7h-prett.t.aenf c=c Added
26 Right Game Analysis Ctapffmbttteni. A=1. Proof Since Mo # M, and EK is determinate we have Ctd. A returns 1$
27 Left Game Analysis Claim. PELEFTEAA, 17 IO Proof Analogous.
28 Conclusion Adviencdjon (a) = 1-0=1 GCB is not IWD - CPA secure!
29 Any deterministic scheme is not IND-CPA The theorem generalizes to show that the same adversary breaks enc scheme ( any deterministic meaning E is deterministic & Stateless )
30 CTR$ CM - C Let E: {0, 1} k {0, 1} n! {0, 1}` be a family of functions. If X 2 {0, 1} n and i 2 N then X + i denotes the n-bit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an n-bit string. Below the message is a sequence of `-bit blocks: Alg E K (M) C[0] $ {0, 1} n for i =1,...,m do P[i] E K (C[0] + i) C[i] P[i] M[i] return C Alg D K (C) for i =1,...,m do P[i] E K (C[0] + i) M[i] P[i] C[i] return M Gnline - offline * parwlli table
31 Birthday Attack on CTR$ Let E : {0, 1} k {0, 1} n! {0, 1}` be a family of functions and SE =(K, E, D) the corresponding CTR$ symmetric encryption scheme. Suppose 1-block messages M 0, M 1 are encrypted: C 0 [0]C 0 [1] $ E(K, M 0 ) C 1 [0]C 1 [1] $ E(K, M 1 ) E f Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate IND-CPA.
32 - The Adversary Let 1 apple q < 2 n be a parameter and let hii be integer i encoded as an `-bit string. adversary A Birthday Of query q for i =1,...,q do C i [0]C i [1] $ LR(hii, h0i) S {(j, t): C j [0] = C t [0] and j < t} If S 6= ;, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 birthday adversary attack µ±fpr[rioheaigm D Preening' D Want to know Adviundrjem ( Aida " ) zoisod zl
33 Then Left Game Analysis Ayr ' Prf letters Abadan If = O. Proof Two cases : Case 1. S=f$. CIED ot Cj > A city # ( Since Cite ]=ct 'Ll ] and j t. Case 2 = 5=4. A always oupits O. So in either case A outputs O
34 i Right Game Analysis Claim Pr[Rl6HEAm $M ] } - o.3q proof If s # then we have Cs 'Ll ]=@' Cozy ) goal ettoftlsool =< since C 's 'LoT=ctZo ].
35 Conclusion Adrien :P " CAbi., ) I G 3
36 Security `of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most where 2(q 1) 2 n is the total number of blocks across all messages encrypted. Example: If q 1-block messages are encrypted then advantage is not more than 2q 2 /2 n. = q so the adversary For E = AES this means up to about 2 64 blocks may be securely encrypted, which is good.
37 The Theorem Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n! {0, 1}` be a family of functions and SE =(K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) apple 2 Adv prf 1) E (B)+2(q 2 n - Furthermore, B makes at most oracle queries and has running time t + ( (n + `)). birthday.
38 Intuition. : replace E thought with random function wl same domain and Runge Now LR, if the adversary is lucky - queries such that Cito and makes then it can gain advantage. Otherwise we are encrypting with a )one-tinepad]
39 Interval Intersection Let N, q, m 1 be integers and let Z N = {0, 1,...,N 1}. Let+be addition modulo N. Consider the game For i =1,...,q do c $ i Z N ;. I i {c i +1,...,c i + m} For 1 apple i < j apple q define the events Then let Pvt Av B) I PREAI + PRIB) B i,j : S i \ S j 6= ; and B : W 1applei<jappleq B i,j. IIP(N, q, m) =Pr[B].. Problem: Upper bound IIP(N, q, m) as a function of N, q, m.
40 . i Interval Intersection Claim: IIP(N, q, m) apple q(q 1) 2 (2m 1) N proof. Pr[ apple apple B ] s RIBI, ;) = (E) PIB ; ;] and PVLBI, ;] = PRICE { ci - MH,.., Citm } = Zm PRTB ) e- 9k Kmt
41 Advantage Revisited Let SE =(K, E, D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K $ K ; b $ {0, 1} Proposition: Adv ind-cpa SE (A) =2 Pr procedure LR(M 0, M 1 ) return C $ E K (M b ) procedure Finalize(b 0 ) return (b = b 0 ) h i Guess A SE)true 1. h i
42 Game Chain Game G 0 procedure LR(M 0, M 1 ) Game G 1 procedure LR(M 0, M 1 ) C[0] {0, 1} n C[0] {0, 1} n Code for i =1,...,m do I ] for i =1,...,m do P C[0] + i P C[0] + i if P 62 S then T[P] E K (P) if P /2 S then T[P] $ {0, 1}` C[i] T [P] M b [i] C[i] T[P] M b [i] S S [ {P} S S [ {P} return C return C { no o } Then Adv ind-cpa SE (A) =2 Pr h G A 0 i 1
43 Claims Clearly Pr[G A 0 ]=Pr[G A 1 ]+ Pr[G A 0 ] Pr[G A 1 ]. Claim 1: We can design prf-adversary B so that Claim 2: Pr[G A 1 ] apple 1 2 Pr[G A 0 ] + (q 1) 2 n Pr[G A 1 ] apple Adv prf E (B) }
44 Proof of Claim 1 Adversary BFNC. bets { o( 19 Run A ) when A makes ER every no, m, Code ITIP ] FNCP ) ] tf A outputs b then net. 1
45 Proof of Claim 2
46 Games Con t Game G 1 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[0] + i If P /2 S then T[P] $ {0, 1}` C[i] T[P] M b [i] S return C S [ {P} Game G 2, G 3 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[i] C[0] + i $ {0, 1}` If P 2 S then bad true ; C[i] T[P] M b [i] T[P] C[i] M b [i] S return C S [ {P} Pr[G A 1 ]=Pr[G A 2 ]=Pr[G A 3 ]+ Pr[G2 A ] Pr[G3 A ]
47 Using fundamental lemma Game G 2, G 3 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[0] + i; C[i] If P 2 S then $ {0, 1}` bad true ; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S [ {P} return C G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies h i h i h i Pr G2 A Pr G3 A apple Pr G3 A sets bad.
48 Completing the Proof
49 Security of CBC$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n! {0, 1} n be a block cipher and SE =(K, E, D) the corresponding CBC$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) apple 2 Adv prf 2 E (B)+ 2 n Furthermore, B makes at most t + ( n). oracle queries and has running time
50
51 Padding The TLS 1.0 protocol defines the following padding function for encrypting a v-byte message with AES in CBC mode: let p := 16 (v mod 16), then append p bytes to the message m where the content of each byte is value p 1. For example, consider the following two cases: if m is 29 bytes long then p = 3 and the pad consists of the three bytes 222 so that the padded message is 32 bytes long which is exactly two AES blocks. if the length of m is a multiple of the block size, say 32 bytes, then p = 16 and the pad consists of 16 bytes. The padded message is then 48 bytes long which is three AES blocks.
52 Revocable Broadcast k 15 k 13 k 14 k 9 k 10 k 11 k 12 k 1 k 2 k 3 k 4 k 5 k 6 k 7 k 8 Figure 5.5: The tree of keys for n = 8 devices; shaded nodes are the keys embedded in device 3.
53 8 >< 9 >= >: >; Definition 5.4. Let T be a complete binary tree with n leaves, where n is a power of two. Let S {1,...,n} be a set of leaves. We say that a set of nodes W {1,...,2n 1} covers the set S if every leaf in S is a descendant of some node in W, and leaves outside of S are not. We use cover(s) to denote the smallest set of nodes that covers S. { } Theorem 5.8. Let T be a complete binary tree with n leaves, where n is a power of two. For every 1 apple r apple n, and every set S of n r leaves, we have cover(s) apple r log 2 (n/r)
54 Broadcast Encryption movies on a stateless standalone movie player, that has no network connection. The studios are worried about piracy, and do not want to send copyrighted digital content in the clear to millions of users. A simple solution could work as follows. Every authorized manufacturer is given a device key k d 2 K, and it embeds this key in every device that it sells. If there are a hundred authorized device manufacturers, then there are a hundred device keys k (1) d,...,k(100) d.a movie m is encrypted as: c m := 8 >< >: k R K for i =1,...,100 : c i R c R E 0 (k, m) output (c 1,...,c 100, c) E(k (i) d, k) 9 >= 0 0 K >;
SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationChapter 2. A Look Back. 2.1 Substitution ciphers
Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationOnline Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh
Online Cryptography Course Using block ciphers Review: PRPs and PRFs Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationA note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT
A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationPost-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.
OFB, CTR, In CBC, Ehsan Ebrahimi Targhi, Gelo Noel Tabia, Dominique Unruh University of Tartu February 4, 2016 Table of contents In CBC 1 2 3 4 In CBC PRF under quantum 5 6 Being optimistic about the emergence
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationContents 1 Introduction 1 2 Re-keying processes as pseudorandom generators 3 3 Generalization: Tree-based re-keying Construction
Extended abstract appears in Advances in Cryptology ASIACRYPT 2000, Tatsuaki Okamoto, editor, volume 1976 of Lecture Notes in Computer Science, Springer-Verlag, 2000. cfl IACR Increasing the Lifetime of
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationCLASSICAL ENCRYPTION. Mihir Bellare UCSD 1
CLASSICAL ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: (Adversary) Mihir Bellare UCSD 2 Correct decryption requirement For all K, M
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationTopics. Probability Theory. Perfect Secrecy. Information Theory
Topics Probability Theory Perfect Secrecy Information Theory Some Terms (P,C,K,E,D) Computational Security Computational effort required to break cryptosystem Provable Security Relative to another, difficult
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationMessage Authentication. Adam O Neill Based on
Message Authentication Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Authenticity and Integrity - Message actually comes from. claimed Sender - Message was not modified in transit ' Electronic
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationHierarchical identity-based encryption
Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26,
More information