Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
1 Models and analysis of security protocols, 1st Semester, Symmetric Encryption, Lecture 5
Pascal Lafourcade, Université Joseph Fourier, Verimag
Master: September 29th
1 / 60
2 Last Time (I)
- Security Notions
- Hybrid argument
- Application to pseudo-random generator
Remarks, questions, comments?
3 Last Time (II): Exercises done
- Hybrid argument
- Application: pseudo-random generator
4 Outline of Today: Security Notions
- Recall
- Block cipher modes: ECB, CBC, CFB, OFB
- Attack on ECB
- Security of CBC
- Attack on CBC with counter
- Hybrid Encryption
- OAEP
- Conclusion
5 Recall (section outline)
6 Recall: Symmetric key and public key encryption
[Figures: symmetric key encryption (encryption, decryption); public key encryption (encryption with the public key, decryption with the private key)]
7 Recall: Summary of IND-XXX Games
Given $S = (K, E, D)$ and $A = (A_1, A_2)$ a pair of polynomial-time probabilistic algorithms, $\mathrm{Ind}^b_{XXX}(A)$ is as follows:
- Generate $(pk, sk) \xleftarrow{R} K(\eta)$.
- $(s, m_0, m_1) \xleftarrow{R} A_1^{O_1}(\eta, pk)$
- $b \xleftarrow{R} A_2^{O_2}(\eta, pk, s, E(pk, m_b))$
- return $b$.
$\mathrm{Adv}^{\text{Ind-XXX}}_{S,A}(\eta) = \Pr[b \xleftarrow{R} \mathrm{Ind}^1_{XXX}(A) : b = 1] - \Pr[b \xleftarrow{R} \mathrm{Ind}^0_{XXX}(A) : b = 1]$
IND-CPA, IND-CCA1, IND-CCA2:
- IND-CPA: $O_1 = O_2 = \emptyset$ (Chosen Plaintext Attack)
- IND-CCA1: $O_1 = \{D\}$, $O_2 = \emptyset$ (Non-adaptive Chosen Ciphertext Attack)
- IND-CCA2: $O_1 = O_2 = \{D\}$ (Adaptive Chosen Ciphertext Attack)
8 Recall: The NM-XXX Games
Given $S = (K, E, D)$ and an adversary $A = (A_1, A_2)$ of polynomial-time probabilistic algorithms, with $m_0, m_1, m \in M$. Let $\mathrm{NM}^b_{XXX}(A)$ be:
- Generate $(pk, sk) \xleftarrow{R} K(\eta)$.
- $(s, M) \xleftarrow{R} A_1^{O_1}(\eta, pk)$; $m_0, m_1 \xleftarrow{R} M$
- $(R, C') \xleftarrow{R} A_2^{O_2}(\eta, pk, s, M, E(pk, m_b))$; $M' \leftarrow D(C')$
- return $R(m_b, M')$
Then we define the advantage against the IND-CCA2 game by:
$\mathrm{Adv}^{\text{NM-XXX}}_{S,A}(\eta) = \Pr[R(m, M') \xleftarrow{R} \mathrm{NM}^1_{XXX}(A) : R(m, M') = 1] - \Pr[R(m, M') \xleftarrow{R} \mathrm{NM}^0_{XXX}(A) : R(m, M') = 1]$
- NM-CPA: $O_1 = O_2 = \emptyset$ (Chosen Plaintext Attack)
- NM-CCA1: $O_1 = \{D\}$, $O_2 = \emptyset$ (Non-adaptive Chosen Ciphertext Attack)
- NM-CCA2: $O_1 = O_2 = \{D\}$ (Adaptive Chosen Ciphertext Attack)
9 Block cipher modes (section outline)
10 Block Cipher Modes
NIST standard: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher FeedBack mode (CFB), Output FeedBack (OFB), and Counter mode (CTR).
Others: DMC, CBC-MAC, IACBC, IAPM, XCB, TMAC, HCTR, HCH, EME, EME*, PEP, OMAC, TET, CMC, GCM, EAX, XEX, TAE, TCH, TBC, CCM, ABL4
11 ECB: Electronic Code Book (ECB)
Each block of the same length is encrypted separately.
12 ECB Encryption Algorithm
algorithm $E_K(M)$
  if ($|M| \bmod n \neq 0$ or $|M| = 0$) then return FAIL
  Break $M$ into $n$-bit blocks $M[1] \ldots M[m]$
  for $i = 1$ to $m$ do $C[i] = E_K(M[i])$
  $C = C[1] \ldots C[m]$
  return $C$
13 ECB Decryption Algorithm
algorithm $D_K(C)$
  if ($|C| \bmod n \neq 0$ or $|C| = 0$) then return FAIL
  Break $C$ into $n$-bit blocks $C[1] \ldots C[m]$
  for $i = 1$ to $m$ do $M[i] = D_K(C[i])$
  $M = M[1] \ldots M[m]$
  return $M$
14 ECB (figure)
15 CBC: Cipher-block chaining (CBC)
If the first block has index 1, the formula for CBC encryption is $C_i = E_K(P_i \oplus C_{i-1})$, $C_0 = IV$, while the formula for CBC decryption is $P_i = D_K(C_i) \oplus C_{i-1}$, $C_0 = IV$.
CBC has been the most commonly used mode of operation.
16 CBC (figure)
17 CBC (figure)
18 CFB: The cipher feedback (CFB) mode
A close relative of CBC: $C_i = E_K(C_{i-1}) \oplus P_i$, $P_i = E_K(C_{i-1}) \oplus C_i$, $C_0 = IV$
19 CFB (figure)
20 CFB (figure)
21 OFB: Output feedback (OFB)
Because of the symmetry of the XOR operation, encryption and decryption are exactly the same: $C_i = P_i \oplus O_i$, $P_i = C_i \oplus O_i$, $O_i = E_K(O_{i-1})$, $O_0 = IV$
22 OFB (figure)
23 OFB (figure)
24 ECB vs Others (figure)
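The four modes from the slides above, implemented end to end as an added example (this is not code from the lecture). The block cipher $E_K$/$D_K$ is a constructed 4-round Feistel permutation with a SHA-256 round function, a stand-in chosen so that the example runs with the standard library only; the IV is transmitted as the first ciphertext block, and the length check is the FAIL test of the ECB algorithm slides.

```python
import hashlib

BLOCK = 16   # n = 128-bit blocks
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel network (constructed, not a real cipher component).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def E(key: bytes, block: bytes) -> bytes:
    """Toy block cipher E_K: a 4-round Feistel permutation (constructed stand-in, not AES)."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, xor(left, _round_fn(key, i, right))
    return left + right


def D(key: bytes, block: bytes) -> bytes:
    """Inverse permutation D_K: undo the Feistel rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = xor(right, _round_fn(key, i, left)), left
    return left + right


def split_blocks(data: bytes) -> list:
    """The check from the ECB slides: FAIL unless the length is a non-zero multiple of n."""
    if len(data) == 0 or len(data) % BLOCK != 0:
        raise ValueError("FAIL: length must be a non-zero multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: C[i] = E_K(M[i]); every block is encrypted independently.
def ecb_encrypt(key: bytes, m: bytes) -> bytes:
    return b"".join(E(key, p) for p in split_blocks(m))


def ecb_decrypt(key: bytes, c: bytes) -> bytes:
    return b"".join(D(key, p) for p in split_blocks(c))


# CBC: C_i = E_K(P_i xor C_{i-1}), C_0 = IV; the IV travels as the first ciphertext block.
def cbc_encrypt(key: bytes, m: bytes, iv: bytes) -> bytes:
    prev, out = iv, []
    for p in split_blocks(m):
        prev = E(key, xor(p, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, c: bytes) -> bytes:  # P_i = D_K(C_i) xor C_{i-1}
    iv, *cs = split_blocks(c)
    prev, out = iv, []
    for ci in cs:
        out.append(xor(D(key, ci), prev))
        prev = ci
    return b"".join(out)


# CFB: C_i = E_K(C_{i-1}) xor P_i; decryption also uses E_K, never D_K.
def cfb_encrypt(key: bytes, m: bytes, iv: bytes) -> bytes:
    prev, out = iv, []
    for p in split_blocks(m):
        prev = xor(E(key, prev), p)
        out.append(prev)
    return iv + b"".join(out)


def cfb_decrypt(key: bytes, c: bytes) -> bytes:  # P_i = E_K(C_{i-1}) xor C_i
    iv, *cs = split_blocks(c)
    prev, out = iv, []
    for ci in cs:
        out.append(xor(E(key, prev), ci))
        prev = ci
    return b"".join(out)


# OFB: O_i = E_K(O_{i-1}), O_0 = IV, C_i = P_i xor O_i; one function serves both directions.
def ofb_crypt(key: bytes, data: bytes, iv: bytes) -> bytes:
    o, out = iv, []
    for blk in split_blocks(data):
        o = E(key, o)
        out.append(xor(blk, o))
    return b"".join(out)


def ofb_encrypt(key: bytes, m: bytes, iv: bytes) -> bytes:
    return iv + ofb_crypt(key, m, iv)


def ofb_decrypt(key: bytes, c: bytes) -> bytes:
    return ofb_crypt(key, c[BLOCK:], c[:BLOCK])
```

Encrypting two identical zero blocks with `ecb_encrypt` yields two identical ciphertext blocks, while `cbc_encrypt` with any IV does not; that visible repetition is the property the ECB attack later in the lecture turns into a distinguisher.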
25 Attack on ECB (section outline)
26 Attack on ECB: ECB Attack
Let us fix a block cipher $E : K \times \{0,1\}^n \to \{0,1\}^n$ and $SE = (K, E, D)$ an ECB symmetric encryption scheme, where the size of each block is $n$. We build an adversary $A$ with a high IND-CPA advantage.
$E_K(LR(m_l, m_r, b)) = E_K(m_l)$ if $b = 1$, and $E_K(m_r)$ if $b = 0$.
27 Adversary A
Adversary $A^{E_K(LR(\cdot,\cdot,b))}$:
  $M_0 \leftarrow 0^n 1^n$; $M_1 \leftarrow 0^{2n}$;
  $C[1]C[2] \leftarrow E_K(LR(M_0, M_1, b))$
  If $C[1] = C[2]$ then return 1 else return 0
$X[i]$ denotes the $i$-th block of a string $X$, a block being a sequence of $n$ bits.
28 Proof
Why? $\Pr[\mathrm{Exp}^{\text{IND-CPA-0}}_{SE}(A) = 1] = 0$ and $\Pr[\mathrm{Exp}^{\text{IND-CPA-1}}_{SE}(A) = 1] = 1$.
- If $b = 1$, the oracle returns $C[1]C[2] = E_K(0^n)\,E_K(0^n)$, so $C[1] = C[2]$ and $A$ returns 1.
- If $b = 0$, the oracle returns $C[1]C[2] = E_K(0^n)\,E_K(1^n)$. Hence $C[1] \neq C[2]$, so $A$ returns 0 in this case.
$\mathrm{Adv}^{\text{IND-CPA}}_{SE}(A) = 1 - 0 = 1$
This means that the ECB encryption scheme is insecure.
29 Exercise
1. Find an attack on CBC with counter IV.
2. Prove that CBC with random IV is not IND-CCA1 secure.
3. Notice that CBC with random IV is IND-CPA secure.
30 Security of CBC (section outline)
31 Attack on CBC with counter (section outline)
32 CBC counter
CBC using a random number IV for the first call, and afterwards IV++. For simplicity, consider that the first IV is 0 and that the next IV is obtained by increasing the previous IV by one.
$C_i = E_K(P_i \oplus C_{i-1})$ and $C_0 = IV$
33 CBC counter Attack
Assuming $IV_1 = 0$ and $IV_2 = 1$:
Adversary $A^{E_K(LR(\cdot,\cdot,b))}$:
  $M_{0,1} \leftarrow 0^n$; $M_{1,1} \leftarrow 0^n$; $M_{0,2} \leftarrow 0^n$; $M_{1,2} \leftarrow 0^{n-1}1$;
  $\langle IV_1, C_1 \rangle \xleftarrow{r} E_K(LR(M_{0,1}, M_{1,1}, b))$
  $\langle IV_2, C_2 \rangle \xleftarrow{r} E_K(LR(M_{0,2}, M_{1,2}, b))$
  If $C_1 = C_2$ then return 1 else return 0
$\mathrm{Adv}^{\text{IND-CPA}}_{SE}(A) = 1 - 0 = 1$ because $\Pr[\mathrm{Exp}^{\text{IND-CPA-1}}_{SE}(A) = 1] = 1$ and $\Pr[\mathrm{Exp}^{\text{IND-CPA-0}}_{SE}(A) = 1] = 0$.
34 CBC counter Attack (Proof I)
Same adversary as on the previous slide, with $IV_1 = 0$ and $IV_2 = 1$.
$b = 0$ (right):
  $C_1 = E_K(M_{1,1} \oplus IV_1) = E_K(0 \oplus 0) = E_K(0)$
  $C_2 = E_K(M_{1,2} \oplus IV_2) = E_K(1 \oplus 1) = E_K(0)$
Hence $C_1 = C_2$.
35 CBC counter Attack (Proof II)
$b = 1$ (left):
  $C_1 = E_K(M_{0,1} \oplus IV_1) = E_K(0 \oplus 0) = E_K(0)$
  $C_2 = E_K(M_{0,2} \oplus IV_2) = E_K(0 \oplus 1) = E_K(1)$
Hence $C_1 \neq C_2$.
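The two left-or-right distinguishers of the ECB and CBC-with-counter slides, played against an implemented oracle, as an added example (not code from the lecture). On a query $(M_0, M_1)$ the oracle returns the encryption of $M_b$, the convention under which both probability claims on the slides come out as stated. $E_K$ is a constructed keyed function (HMAC-SHA256 truncated to $n$ bits) rather than a real block cipher; that suffices here because the adversaries only compare ciphertext blocks for equality. The example goes beyond the slides by also running the counter-IV adversary against CBC with a random IV, the variant the exercise calls IND-CPA secure, where its advantage drops to 0.

```python
import hashlib
import hmac
import secrets

N = 16  # block size n in bytes (n = 128 bits)


def E(key: bytes, block: bytes) -> bytes:
    """Forward direction of a keyed block function standing in for E_K (constructed, not a real cipher)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def blocks(m: bytes) -> list:
    assert m and len(m) % N == 0
    return [m[i:i + N] for i in range(0, len(m), N)]


class LROracle:
    """E_K(LR(., ., b)): a query (M0, M1) returns the encryption of M_b under the chosen mode."""

    def __init__(self, key: bytes, b: int, mode):
        self.key, self.b, self.mode = key, b, mode
        self.counter = 0  # IV state of CBC-with-counter: 0 on the first call, then IV++

    def query(self, m0: bytes, m1: bytes):
        return self.mode(self, m1 if self.b == 1 else m0)


def ecb(o: LROracle, m: bytes) -> bytes:
    return b"".join(E(o.key, p) for p in blocks(m))


def cbc(key: bytes, iv: bytes, m: bytes):
    """C_i = E_K(P_i xor C_{i-1}), C_0 = IV; returns <IV, C>."""
    prev, out = iv, []
    for p in blocks(m):
        prev = E(key, xor(p, prev))
        out.append(prev)
    return iv, b"".join(out)


def cbc_counter_iv(o: LROracle, m: bytes):
    """CBC with a predictable IV: IV_1 = 0, IV_2 = 1, ... (the scheme attacked on the slides)."""
    iv = o.counter.to_bytes(N, "big")
    o.counter += 1
    return cbc(o.key, iv, m)


def cbc_random_iv(o: LROracle, m: bytes):
    """CBC with a fresh random IV per call (the variant the exercise calls IND-CPA secure)."""
    return cbc(o.key, secrets.token_bytes(N), m)


def ecb_adversary(oracle: LROracle) -> int:
    """A from the ECB attack: M0 = 0^n 1^n, M1 = 0^{2n}; return 1 iff C[1] = C[2]."""
    c = oracle.query(bytes(N) + b"\xff" * N, bytes(2 * N))
    return 1 if c[:N] == c[N:] else 0


def cbc_counter_adversary(oracle: LROracle) -> int:
    """A from the CBC-counter attack: M_{0,1} = M_{1,1} = 0^n, M_{0,2} = 0^n, M_{1,2} = 0^{n-1}1.
    With M_1 selected, the known IV_2 = 1 cancels the trailing 1 bit and C_1 = C_2."""
    _, c1 = oracle.query(bytes(N), bytes(N))
    _, c2 = oracle.query(bytes(N), bytes(N - 1) + b"\x01")
    return 1 if c1 == c2 else 0


def advantage(adversary, mode, trials: int = 16) -> float:
    """Adv^{IND-CPA}(A) = Pr[Exp^1(A) = 1] - Pr[Exp^0(A) = 1], estimated over fresh random keys."""
    hits = {0: 0, 1: 0}
    for _ in range(trials):
        key = secrets.token_bytes(16)
        for b in (0, 1):
            hits[b] += adversary(LROracle(key, b, mode))
    return (hits[1] - hits[0]) / trials


if __name__ == "__main__":
    print("ECB:             ", advantage(ecb_adversary, ecb))
    print("CBC, counter IV: ", advantage(cbc_counter_adversary, cbc_counter_iv))
    print("CBC, random IV:  ", advantage(cbc_counter_adversary, cbc_random_iv))
```

The first two advantages are exactly 1, matching the slides; the third is 0 because with an unpredictable IV the adversary can no longer choose $M_{1,2}$ to cancel it, which is the whole content of the "random IV" requirement for CBC.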
36 Hybrid Encryption (section outline)
37 Hybrid Encryption: Idea and Motivations
Idea: let $AE = (K^a, E^a, D^a)$ be an asymmetric encryption scheme with key pair $(pk, sk)$ and $SE = (K^s, E^s, D^s)$ a symmetric encryption scheme with key $K$. We define $E_{pk}(M)$ using $E^s_K(M)$ and $E^a_{pk}(K)$.
Motivation: the costly operation (asymmetric encryption) is applied only to a message of fixed size, after which efficient (symmetric) algorithms are used to encrypt the data.
38 Hybrid Encryption: Encryption Algorithm
Algorithm $E_{pk}(M)$:
  $K \leftarrow K^s$; $C_s \leftarrow E^s_K(M)$; $C_a \leftarrow E^a_{pk}(K)$; $C \leftarrow (C_a, C_s)$; Return $C$
39 Hybrid Encryption: Decryption Algorithm
Algorithm $D_{sk}(C)$:
  Parse $C$ as $(C_a, C_s)$; $K \leftarrow D^a_{sk}(C_a)$; $M \leftarrow D^s_K(C_s)$; Return $M$
40 Hybrid Encryption: Security Property
If $AE$ and $SE$ are each secure against chosen-plaintext attack, then the hybrid encryption scheme $\overline{AE}$ is also secure against chosen-plaintext attack.
Let $B$ be an IND-CPA adversary attacking $\overline{AE}$. Then there exist IND-CPA adversaries $A_{00,01}$, $A_{11,10}$ attacking $AE$, and an adversary $A$ attacking $SE$, such that:
$\mathrm{Adv}^{\text{IND-CPA}}_{\overline{AE}}(B) \le \mathrm{Adv}^{\text{IND-CPA}}_{AE}(A_{00,01}) + \mathrm{Adv}^{\text{IND-CPA}}_{AE}(A_{11,10}) + \mathrm{Adv}^{\text{IND-CPA}}_{SE}(A)$
41 Hybrid Encryption: Idea of the Proof
$P(\alpha, \beta) = \Pr[\mathrm{Exp}^{\alpha\beta}_{\overline{AE}}(B) = 1]$
$P(1,0) = \Pr[\mathrm{Exp}^{\text{IND-CPA-1}}_{\overline{AE}}(B) = 1]$
$P(0,0) = \Pr[\mathrm{Exp}^{\text{IND-CPA-0}}_{\overline{AE}}(B) = 1]$
$\mathrm{Adv}^{\text{IND-CPA}}_{\overline{AE}}(B) = P(1,0) - P(0,0)$
42 Hybrid Encryption: General Scheme of the Proof
$P(1,0) - P(0,0) = [P(1,0) - P(1,1)] + [P(1,1) - P(0,1)] + [P(0,1) - P(0,0)]$
$P(1,0) - P(1,1) \le \mathrm{Adv}^{\text{IND-CPA}}_{AE}(A_{11,10})$
$P(1,1) - P(0,1) \le \mathrm{Adv}^{\text{IND-CPA}}_{SE}(A)$
$P(0,1) - P(0,0) \le \mathrm{Adv}^{\text{IND-CPA}}_{AE}(A_{00,01})$
43 OAEP (section outline)
44 OAEP: Hash Functions
A hash function $H$ takes as input a bit-string and returns a corresponding digest of fixed length. Good hash functions are:
- collision-free: $H(x) = H(y) \Rightarrow x = y$
- non-malleable: $x \; r \; y \not\Rightarrow H(x) \; R \; H(y)$
$H(\mathrm{Alice}) = H(\mathrm{Bob})$
45 OAEP: Properties of hash functions
Definition (Preimage resistance): given an output $y$, it is computationally infeasible to compute $x$ such that $h(x) = y$.
Definition (2nd preimage resistance): given an input $x$, it is computationally infeasible to compute $x' \neq x$ such that $h(x') = h(x)$.
46 OAEP: Properties of hash functions
Definition (Collision resistance): it is computationally infeasible to compute $x$ and $x'$ such that $h(x) = h(x')$.
47 OAEP: Properties of hash functions
Alternate terminology:
- pre-image resistant: one-way
- 2nd pre-image resistant: weak collision resistant
- collision resistant: strong collision resistant
48 OAEP: Use of hash functions
Idea: compute a condensed message $y$ from a given message $m$. The condensed message should be specific to the message. Use $y$ in place of $m$ in a trustworthy way.
- "Did you get $m$ correctly? Here's $y$ to check." (file-sharing)
- "Could you decrypt $c$ correctly?"
- "I sign $y$ to prove that I wrote $m$."
49 OAEP: List of Hash Functions
[Table with columns Algorithm, Output size, Internal state size, Block size, Length size, Word size, Collision; most numeric cells did not survive extraction. Rows: HAVAL (output 256/.../..., collision: Yes); three MD variants; PANAMA (collision: No); RadioGatún (output arbitrarily long, internal state 58 words, block 3 words, word size 1-64, collision: No); three RIPEMD variants (128/..., 160/...); SHA variants (one with known collisions, one "with flaws", SHA-256/... and SHA-512/... with none); Tiger(2) (output 192/160/..., collision: No); WHIRLPOOL (collision: No)]
50 OAEP: Optimal Asymmetric Encryption Padding (OAEP)
The OAEP cryptosystem $(K, E, D)$ is obtained from a permutation $f$, whose inverse is denoted by $g$, and two hash functions
$G : \{0,1\}^{k_0} \to \{0,1\}^{k - k_0}$ and $H : \{0,1\}^{k - k_0} \to \{0,1\}^{k_0}$.
$K(1^k)$ specifies an instance of the function $f$ and of its inverse $g$. The public key $pk$ is therefore $f$ and the private key $sk$ is $g$.
51 OAEP: Encryption
$E_{pk}(m, r) = c$ with $m \in \{0,1\}^n$ and $r \in \{0,1\}^{k_0}$ (so that $n + k_1 = k - k_0$):
$s = (m \| 0^{k_1}) \oplus G(r)$, $t = r \oplus H(s)$, $c = f(s, t)$
52 OAEP: Decryption
$D_{sk}(c)$: $g(c) = (s, t)$; $r = t \oplus H(s)$; $M = s \oplus G(r)$.
If $[M]_{k_1} = 0^{k_1}$, the algorithm returns $[M]^n$; otherwise it returns Reject.
$[M]_{k_1}$ denotes the $k_1$ least significant bits of $M$; $[M]^n$ denotes the $n$ most significant bits of $M$.
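OAEP's $E_{pk}$ and $D_{sk}$ from the two slides above, together with the hybrid construction $E_{pk}(M) = (E^a_{pk}(K), E^s_K(M))$ of the Hybrid Encryption slides, as one added example (this is not code from the lecture or from any of the cited papers). Assumptions: the trapdoor permutation $f$/$g$ is textbook RSA over two fixed Mersenne primes (constructed and public, so it provides no secrecy and exists only so the example runs with the standard library); $G$ and $H$ are SHA-256 with domain separation; $n = k_0 = k_1 = 16$ bytes; and the symmetric scheme $E^s$ is a constructed SHA-256 keystream.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy trapdoor permutation f / g: textbook RSA over two Mersenne primes.
# CONSTRUCTED for illustration only: the primes are fixed and public, so there is no secrecy.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N_MOD = P * Q
E_EXP = 65537
D_EXP = pow(E_EXP, -1, (P - 1) * (Q - 1))

# OAEP parameters in bytes: n (message), k0 (randomness r), k1 (zero padding), k = n + k0 + k1.
n, k0, k1 = 16, 16, 16
k = n + k0 + k1          # 48 bytes = 384 bits, far below log2(N_MOD)


def f(x: bytes) -> int:  # public key pk = f
    return pow(int.from_bytes(x, "big"), E_EXP, N_MOD)


def g(c: int) -> Optional[bytes]:  # private key sk = g; None if c is not the image of a k-byte string
    x = pow(c, D_EXP, N_MOD)
    return x.to_bytes(k, "big") if x < (1 << (8 * k)) else None


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


# G: {0,1}^{k0} -> {0,1}^{k-k0} and H: {0,1}^{k-k0} -> {0,1}^{k0}, from SHA-256 with domain separation.
def G(r: bytes) -> bytes:
    return hashlib.sha256(b"G" + r).digest()[: k - k0]


def H(s: bytes) -> bytes:
    return hashlib.sha256(b"H" + s).digest()[:k0]


def oaep_encrypt(m: bytes, r: Optional[bytes] = None) -> int:
    """E_pk(m, r): s = (m || 0^{k1}) xor G(r), t = r xor H(s), c = f(s || t)."""
    assert len(m) == n
    r = secrets.token_bytes(k0) if r is None else r
    s = xor(m + bytes(k1), G(r))
    t = xor(r, H(s))
    return f(s + t)


def oaep_decrypt(c: int) -> Optional[bytes]:
    """D_sk(c): (s, t) = g(c), r = t xor H(s), M = s xor G(r); Reject (None) unless [M]_{k1} = 0^{k1}."""
    st = g(c)
    if st is None:
        return None
    s, t = st[: k - k0], st[k - k0:]
    r = xor(t, H(s))
    M = xor(s, G(r))
    if M[n:] != bytes(k1):   # the k1 least significant bits must all be zero
        return None          # Reject
    return M[:n]             # the n most significant bits are the message


# Symmetric scheme SE = (K^s, E^s, D^s): a constructed SHA-256 keystream, used only to complete the hybrid.
def sym_encrypt(K: bytes, M: bytes, nonce: Optional[bytes] = None) -> bytes:
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    stream, o = b"", nonce
    while len(stream) < len(M):
        o = hashlib.sha256(K + o).digest()
        stream += o
    return nonce + xor(M, stream[: len(M)])


def sym_decrypt(K: bytes, C: bytes) -> bytes:
    nonce, body = C[:16], C[16:]
    return sym_encrypt(K, body, nonce)[16:]   # XOR with the same keystream undoes the encryption


def hybrid_encrypt(M: bytes) -> Tuple[int, bytes]:
    """E_pk(M): K <- K^s; C_s <- E^s_K(M); C_a <- E^a_pk(K); return (C_a, C_s)."""
    K = secrets.token_bytes(n)   # the fixed-size message handed to the asymmetric scheme is the key
    return oaep_encrypt(K), sym_encrypt(K, M)


def hybrid_decrypt(C: Tuple[int, bytes]) -> Optional[bytes]:
    """D_sk(C): parse (C_a, C_s); K <- D^a_sk(C_a); M <- D^s_K(C_s)."""
    C_a, C_s = C
    K = oaep_decrypt(C_a)
    if K is None:
        return None              # the asymmetric part was rejected; there is no key to decrypt with
    return sym_decrypt(K, C_s)
```

Flipping one bit of the OAEP ciphertext makes `oaep_decrypt` return Reject rather than a wrong key, which is why the hybrid scheme can refuse the whole ciphertext at `hybrid_decrypt` instead of decrypting $C_s$ under garbage.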
53 OAEP: Results and References
OAEP was first proved IND-CPA, then IND-CCA1, and finally IND-CCA2 secure under some assumptions.
1. M. Bellare, P. Rogaway. Optimal Asymmetric Encryption: How to encrypt with RSA. Extended abstract in Advances in Cryptology - Eurocrypt 94 Proceedings, LNCS Vol. 950, Springer-Verlag.
2. Victor Shoup. OAEP Reconsidered. IBM Zurich Research Lab, September 18.
3. Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. RSA-OAEP is secure under the RSA assumption. In J. Kilian, ed., Advances in Cryptology - CRYPTO 2001, LNCS, Springer-Verlag.
4. P. Paillier and J. Villar. Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption. Advances in Cryptology - Asiacrypt.
54 OAEP: Examples
- Bellare & Rogaway 93: $f(r) \,\|\, x \oplus G(r) \,\|\, H(x \,\|\, r)$
- Zheng & Seberry 93: $f(r) \,\|\, G(r) \oplus (x \,\|\, H(x))$
- OAEP 94 (Bellare & Rogaway): $f(s \,\|\, r \oplus H(s))$ where $s = x0^k \oplus G(r)$
- OAEP+ 02 (Shoup): $f(s \,\|\, r \oplus H(s))$ where $s = x \oplus G(r) \,\|\, H'(r \,\|\, x)$
- Fujisaki & Okamoto 99: $E((x \,\|\, r); h(x \,\|\, r))$ where $E$ is IND-CPA
55 Conclusion (section outline)
56 Conclusion: Summary
Today:
- ECB, CBC, CFB, OFB
- Attack on ECB
- Hybrid Encryption
- OAEP
57 Conclusion: Where are we?
- Introduction
- Indistinguishability
- Public Encryption
- Symmetric encryption
- Security protocols: Symbolic Model, Computational Model
- Non-interference Problem
- Access Control and Security Policies
- And a little more, if possible
58 Conclusion: Next Time
- Symbolic Model: Principles using Examples
- Playing with Tools: Scyther; Avispa (OFMC, Cl-Atse, SATMC, TA4SP); Proverif
59 Conclusion: Challenge: Find a flaw on a simple protocol!
1. $\{N_A, A\}_{K_B}$
2. $\{N_A, N_B\}_{K_A}$
3. $\{N_B\}_{K_B}$
Question: is $N_B$ a shared secret between A and B?
60 Conclusion
Thank you for your attention. Questions?
More informationEfficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE
Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE Yang Cui 1,2, Kirill Morozov 1, Kazukuni Kobara 1,2, and Hideki Imai 1,2 1 Research Center for Information
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationEvaluation of Security Level of Cryptography: The HIME(R) Encryption Scheme. Alfred Menezes University of Waterloo Contact:
Evaluation of Security Level of Cryptography: The HIME(R) Encryption Scheme Alfred Menezes University of Waterloo Contact: ajmeneze@uwaterloo.ca July 31, 2002 Contents Page 1 Contents 1 Executive Summary
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationOn Post-Quantum Cryptography
On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationThe Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationA Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack
A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng
More informationRelations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions
Relations Among Notions of Security for Public-Key Encryption Schemes Debdeep Muhopadhyay IIT Kharagpur Notions To organize the definitions of secure encryptions Classified depending on: security goals:
More information