Introduction to Cryptography
B504 / I538: Introduction to Cryptography, Spring 2017, Lecture 12
Recall: MAC existential forgery game
Challenger (C) and Forger (A) both receive $1^n$.
1. C computes $k \leftarrow \mathrm{Gen}(1^n)$.
2. For $i = 1, \dots, n$: A sends $m_i \in M \setminus \{m\}$ and C replies with $t_i \leftarrow \mathrm{MAC}_k(m_i)$.
3. A outputs $(m, t)$.
Let $E$ be the event that $(m,t) \notin \{(m_1,t_1), \dots, (m_n,t_n)\}$ yet $\mathrm{Ver}_k(m,t) = 1$.
Define A's advantage to be $\mathrm{Adv}^{\text{MAC-strong-ex-forge}}(A) := \Pr[E]$.
Recall: Naïve CBC-MAC
Let $\{F_k\}_{k \in \{0,1\}^*}$ be a PRF family.
- $\mathrm{Gen}(1^n)$ outputs a uniform random key $k \in \{0,1\}^n$
- $\mathrm{MAC}_k(m)$ does the following:
  1. Split $m$ into $n$-bit blocks $m_1, \dots, m_n$
  2. Initialize $t_0 = 0^n$
  3. Compute $t_i = F_k(t_{i-1} \oplus m_i)$
  4. Output the tag $t := t_n$
- $\mathrm{Ver}_k(m,t)$ outputs 1 if $t = \mathrm{MAC}_k(m)$ and 0 otherwise
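Recall: Naïve CBC-MAC
(Diagram: $m$ is split into blocks $m_1, m_2, \dots, m_\ell$; starting from $0^n$, each block is XORed into the chain and passed through $\Pi_k$, giving $t_1, t_2, \dots, t_\ell$; the output is $t_\ell$.)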
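Recall: Attacking naïve CBC-MAC
Challenger (C) and Forger (A) both receive $1^n$.
1. C computes $k \leftarrow \mathrm{Gen}(1^n)$.
2. A sends a one-block message $m \in \{0,1\}^n$ and C replies with $t \leftarrow \mathrm{MAC}_k(m)$.
3. A sets $m' := m \,\|\, (m \oplus t)$ and outputs $(m', t)$.
A's output is a valid forgery because $F_k(m') = F_k((m \oplus t) \oplus t) = F_k(m) = t$.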
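CBC-MAC fix #1: Prepend the block-length
(Diagram: as in naïve CBC-MAC, $m$ is split into blocks $m_1, m_2, \dots, m_\ell$ and each block is chained through $\Pi_k$, giving $t_1, t_2, \dots, t_\ell$, but the chain starts from $F_k(\ell)$; the output is $t_\ell$.)
Intuitively, a MAC on an $n$-block message is useless for forging MACs on $n'$-block messages.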
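CBC-MAC fix #2: Length-specific key
(Diagram: $m$ is split into blocks $m_1, m_2, \dots, m_\ell$; starting from $0^n$, each block is chained through $\Pi_{k_\ell}$, where the key $k_\ell$ is specific to the number of blocks $\ell$, giving $t_1, t_2, \dots, t_\ell$; the output is $t_\ell$.)
Again, a MAC on an $n$-block message is useless for forging MACs on $n'$-block messages.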
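CBC-MAC fix #3: Nested CBC-MAC (NMAC)
(Diagram: $m$ is split into blocks $m_1, m_2, \dots, m_\ell$; starting from $0^n$, each block is chained through $\Pi_{k_1}$; the final chain value is passed through $\Pi_{k_2}$ to give $t$.)
- Compute naïve CBC-MAC with the first key
- MAC the naïve CBC-MAC output with the second key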
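The forgery on naïve CBC-MAC, run against fix #1 and fix #3 as well, as an added Python example that is not part of the original slides. It assumes a 16-byte block and uses truncated HMAC-SHA256 as a stand-in for the PRF $F_k$; the keys, the message and all function names are constructed for illustration.

```python
import hashlib
import hmac

N = 16  # block length in bytes (n = 128 bits); chosen for this example


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_k (assumption): HMAC-SHA256 truncated to one block."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def blocks(m: bytes) -> list:
    """Split m into n-bit blocks; the slides only define whole-block messages."""
    if not m or len(m) % N:
        raise ValueError("message must be a non-empty multiple of the block length")
    return [m[i:i + N] for i in range(0, len(m), N)]


def cbc_chain(k: bytes, t0: bytes, m: bytes) -> bytes:
    """Compute t_i = F_k(t_{i-1} XOR m_i) and return the last t_i."""
    t = t0
    for block in blocks(m):
        t = F(k, xor(t, block))
    return t


def naive_cbc_mac(k: bytes, m: bytes) -> bytes:
    return cbc_chain(k, bytes(N), m)  # t_0 = 0^n


def length_prepend_cbc_mac(k: bytes, m: bytes) -> bytes:
    # Fix #1: start the chain from F_k(l), where l is the number of blocks.
    l = len(blocks(m))
    return cbc_chain(k, F(k, l.to_bytes(N, "big")), m)


def nested_cbc_mac(k1: bytes, k2: bytes, m: bytes) -> bytes:
    # Fix #3: MAC the naive CBC-MAC output under a second key.
    return F(k2, naive_cbc_mac(k1, m))


def forge(m: bytes, t: bytes):
    """The forger's move from the slide: (m, t) -> (m || (m XOR t), t)."""
    if len(m) != N:
        raise ValueError("the attack starts from a one-block message")
    return m + xor(m, t), t


def forgery_accepted(mac, m: bytes) -> bool:
    """Query the MAC once on m, build the forgery, and run Ver on it."""
    t = mac(m)
    m_forged, t_forged = forge(m, t)
    return hmac.compare_digest(mac(m_forged), t_forged)


def demo() -> dict:
    k1 = bytes(range(N))           # constructed keys, for illustration only
    k2 = bytes(range(N, 2 * N))
    m = b"PAY 0100 TO BOB!"        # constructed one-block message (16 bytes)
    return {
        "naive": forgery_accepted(lambda x: naive_cbc_mac(k1, x), m),
        "length-prepend": forgery_accepted(lambda x: length_prepend_cbc_mac(k1, x), m),
        "nested": forgery_accepted(lambda x: nested_cbc_mac(k1, k2, x), m),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} forgery accepted: {accepted}")
```

Only the naïve variant verifies the two-block message; with the length-dependent start value or the second key, the second block no longer collapses back to $F_k(m)$.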
CBC-MAC versus CBC mode encryption
- CBC mode encryption requires a uniform random IV. Otherwise, it is not IND-CPA secure!
- CBC-MAC requires a fixed IV. Otherwise, it is not existentially unforgeable!
- CBC mode encryption outputs each block. Otherwise, it is not correct!
- CBC-MAC only outputs a single block (the last one). Otherwise, it is not existentially unforgeable!
- CBC mode encryption requires a PRP. Otherwise, it is not correct!
- CBC-MAC only requires a PRF.
Hash functions
Definition: A hash function is a PPT function $H: \{0,1\}^* \to \{0,1\}^s$ that maps arbitrary-length bit strings into fixed-length bit strings.
The output of a hash function is called a hash, digest, or fingerprint of the input.
(Figure: the inputs Alice, Bob, Charlie and Eve are mapped by the hash function to fingerprints.)
Hash function collisions
Definition: Let $H$ be a function taking on values in $\{0,1\}^*$. A collision for $H$ is an ordered pair $(m_0, m_1)$ of distinct inputs $m_0, m_1 \in \{0,1\}^*$ such that $H(m_0) = H(m_1)$.
Pigeon-hole principle: If the domain of $H$ is (much) larger than its range, then (many) collisions must exist!
(Figure: pigeons in holes; more pigeons, more collisions. "TooManyPigeons" by en:user:mckay - Transferred from en.wikipedia; Original text: Edited from Image:Pigeons-in-holes.jpg by en:user:benfrantzdale. Licensed under CC BY-SA 3.0 via Wikimedia Commons.)
Collision resistance
Intuitively, we want to say that no PPT algorithm can find a collision for $H$, except with a probability that is negligible in $s$ (the length of the output).
Q: How do we formalize this notion?
A: Very carefully
Difficulty: once $H$ is fixed, it is trivial to define a PPT algorithm that has a collision for $H$ hard-coded.
Keyed hash functions
Definition: A keyed hash function with output length $\ell(s)$ is a pair of PPT algorithms (Gen, H) such that
- $\mathrm{Gen}(1^s)$ outputs a uniform random key $k \in \{0,1\}^s$
- $H(k, x)$ outputs a fingerprint $y \in \{0,1\}^{\ell(|k|)}$ for $x \in \{0,1\}^*$
Idea: Define collision resistance to require that no PPT algorithm can find a collision for $H$ when the key is selected at random, except with probability negligible in $s$.
Collision-finding game
Challenger (C) and Attacker (A) both receive $1^s$.
1. C computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ to A.
2. A outputs $(m_0, m_1)$.
Let $E$ be the event that $m_0 \neq m_1$ and $H(k, m_0) = H(k, m_1)$.
Define A's advantage to be $\mathrm{Adv}^{\text{collision}}(A) := \Pr[E]$.
Definition: A keyed hash function (Gen, H) is collision resistant if, for every PPT attacker A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}^{\text{collision}}(A) \leq \varepsilon(s)$.
Second preimage resistance
Informally, a keyed hash function (Gen, H) is second preimage resistant if no PPT attacker can, given $m_0 \in \{0,1\}^*$ and $k \leftarrow \mathrm{Gen}(1^s)$, output $m_1 \in \{0,1\}^*$ such that $m_0 \neq m_1$ and $H(k, m_0) = H(k, m_1)$, except with probability negligible in $s$.
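Second-preimage-finding game
Challenger (C) receives $1^s$; Attacker (A) receives $1^s$ and $m_0 \in \{0,1\}^*$.
1. C computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ to A.
2. A outputs $m_1$.
Let $E$ be the event that $m_0 \neq m_1$ and $H(k, m_0) = H(k, m_1)$.
Define A's advantage to be $\mathrm{Adv}^{\text{2-preimage}}(A) := \Pr[E]$.
Definition: A keyed hash function (Gen, H) is second preimage resistant if, for every PPT attacker A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}^{\text{2-preimage}}(A) \leq \varepsilon(s)$.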
Second preimage resistance
Thm: If (Gen, H) is collision resistant, then it is also second preimage resistant.
Proof: Just note that a second preimage is a collision.
Q: Is the converse of this theorem true?
A: No! (But why?)
Preimage resistance
Informally, a keyed hash function (Gen, H) is preimage resistant if no PPT attacker can, given $k \leftarrow \mathrm{Gen}(1^s)$ and $y \in \{0,1\}^{\ell(s)}$, output $m \in \{0,1\}^*$ such that $H(k, m) = y$, except with probability negligible in $s$.
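Preimage-finding game
Challenger (C) receives $1^s$; Attacker (A) receives $1^s$ and $y \in \{0,1\}^{\ell(s)}$.
1. C computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ to A.
2. A outputs $m$.
Let $E$ be the event that $H(k, m) = y$.
Define A's advantage to be $\mathrm{Adv}^{\text{preimage}}(A) := \Pr[E]$.
Definition: A keyed hash function (Gen, H) is preimage resistant if, for every PPT attacker A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}^{\text{preimage}}(A) \leq \varepsilon(s)$.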
Preimage resistance
Thm: If (Gen, H) is preimage resistant for randomly selected inputs, then it is also second preimage resistant.
Proof (sketch): Suppose that A breaks preimage resistance.
- Given $k$ and $m$, compute $y = H(k, m)$
- Now use A to find a preimage of $y$.
- Since $y$ has many preimages, with high probability the preimage that A finds will not be $m$!
Q: Is the converse of this theorem true?
A: No! (But why?)
(One-way) compression functions
Intuitively, a (one-way) compression function is a keyed function $h$ with three properties:
- Efficient: There exists a PPT algorithm that evaluates $h$
- Compression: $h$ maps $2s$-bit strings to $s$-bit strings
- One-way: Given an output of $h$, it is difficult to find any input that maps to that output
Q: On average, how many inputs map to each output?
A: About $2^s$
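Merkle-Damgård construction
(Diagram: $m$ is split into blocks $m_1, m_2, \dots, m_n$; starting from $0^s$, each block is fed with the previous chaining value into $h_k$, giving $z_1, \dots, z_{n-1}, z_n$; the output is $H_k(m) := z_n$.)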
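Davies-Meyer compression function
(Diagram: the message block $m_i$ keys $F$; the chaining value $z_{i-1}$ is passed through $F_{m_i}$ and XORed with itself to give $z_i$.)
$z_i := F_{m_i}(z_{i-1}) \oplus z_{i-1}$
Thm: If $F$ is a PRF, then the Davies-Meyer compression function is collision resistant. In particular, finding a collision requires $O(2^{n/2})$ evaluations of $F$ on average.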
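Recall: Nested CBC-MAC (NMAC)
(Diagram: $m$ is split into blocks $m_1, m_2, \dots, m_n$; starting from $0^s$, each block is chained through $F_{k_1}$; the final chain value is passed through $F_{k_2}$ to give $t$.)
- Compute naïve CBC-MAC with the first key
- MAC the naïve CBC-MAC output with the second key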
Hash-based MAC (HMAC)
The most widely used MAC algorithm in practice
$\mathrm{HMAC}_{s,k}(m) := H_s\big( (k \oplus \text{opad}) \,\|\, H_s( (k \oplus \text{ipad}) \,\|\, m ) \big)$
- $H_s$ is a collision-resistant (keyed) hash function
- $k$ is the secret MAC key
- opad = 0x5c5c5c...5c
- ipad = 0x
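HMAC
(Diagram: the inner chain starts from $0^s$ and absorbs $k \oplus \text{ipad}$ followed by $m_1, \dots, m_n$ through $h_s$; the outer chain starts from $0^s$ and absorbs $k \oplus \text{opad}$ followed by the inner result through $h_s$, giving $t$.)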
Simpler HMAC constructions?
Q: Is $H(k \,\|\, m)$ a secure MAC?
A: No! (But why?)
- Suppose $H$ is constructed using the Merkle-Damgård construction
- Given $(m, H(k \,\|\, m))$ it is easy to compute $m' := m \,\|\, m''$ and $t'$ such that $t' = H(k \,\|\, m')$! (But how?)
- Just set $t' = H(t \,\|\, m'')$
Q: Is $H(m \,\|\, k)$ a secure MAC?
A: Errr, well...sort of!? It's not as secure as HMAC! (But why?)
- If $H(m_0) = H(m_1)$ then $H(m_0 \,\|\, k) = H(m_1 \,\|\, k)$
- Weakness in collision-resistance of $H$ implies weakness in HMAC
Simpler HMAC constructions?
Q: Is $H(k \,\|\, m \,\|\, k)$ a secure HMAC?
A: I don't know! Possibly?
- This is essentially HMAC without ipad and opad
- Proof of existential unforgeability for HMAC requires that ipad and opad differ in at least one bit!
- $H(k \,\|\, m \,\|\, k)$ falls to "target prefix collision" attacks against $H$
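Why $H(k \,\|\, m)$ extends and the HMAC shape does not, as an added Python example that is not part of the original slides. It builds a toy Merkle-Damgård hash from a Davies-Meyer compression function with truncated HMAC-SHA256 standing in for $F$, omits the hash key $s$ and any length padding, and takes the ipad byte 0x36 from RFC 2104; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

S = 16  # chaining-value and block length in bytes (s = 128 bits), chosen here


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def F(key_block: bytes, x: bytes) -> bytes:
    """Stand-in PRF keyed by the message block (assumption): truncated HMAC-SHA256."""
    return hmac.new(key_block, x, hashlib.sha256).digest()[:S]


def davies_meyer(z_prev: bytes, m_i: bytes) -> bytes:
    """z_i = F_{m_i}(z_{i-1}) XOR z_{i-1}."""
    return xor(F(m_i, z_prev), z_prev)


def md_hash(m: bytes, iv: bytes = bytes(S)) -> bytes:
    """Merkle-Damgard chain from iv (0^s by default) over whole blocks of m.

    There is no length padding here. Real hashes add it, and an extension
    then has to carry that padding inside the extended message.
    """
    if len(m) % S:
        raise ValueError("toy hash takes whole blocks only")
    z = iv
    for i in range(0, len(m), S):
        z = davies_meyer(z, m[i:i + S])
    return z


def prefix_mac(k: bytes, m: bytes) -> bytes:
    """The insecure candidate H(k || m)."""
    return md_hash(k + m)


IPAD = bytes([0x36]) * S  # ipad byte as defined in RFC 2104
OPAD = bytes([0x5C]) * S  # opad byte, as on the slide


def hmac_toy(k: bytes, m: bytes) -> bytes:
    """HMAC's shape over the toy hash: H((k XOR opad) || H((k XOR ipad) || m))."""
    return md_hash(xor(k, OPAD) + md_hash(xor(k, IPAD) + m))


def extend(t: bytes, suffix: bytes) -> bytes:
    """Without k: treat the tag t as a chaining value and keep hashing m''."""
    return md_hash(suffix, iv=t)


def demo() -> dict:
    k = bytes(range(S))              # constructed one-block secret key
    m = b"report-2017-0001"          # constructed one-block message
    suffix = b"-appended-block!"     # constructed one-block suffix m''
    out = {}
    for name, mac in (("H(k||m)", prefix_mac), ("HMAC", hmac_toy)):
        t = mac(k, m)                # the one tag that was legitimately issued
        t_guess = extend(t, suffix)  # computed from (m, t) alone
        # Does the verifier accept t_guess as the tag of m || m''?
        out[name] = hmac.compare_digest(mac(k, m + suffix), t_guess)
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:8s} extended tag accepted: {accepted}")
```

For $H(k \,\|\, m)$ the tag is exactly the chaining value after the last block, so hashing can resume from it; in the HMAC shape the published tag is the output of the outer chain, which never absorbs message blocks.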
Generic birthday attack
Let $H: \{0,1\}^* \to \{0,1\}^s$ and consider the following algorithm:
- Choose $N := (5/4) \cdot 2^{s/2}$ distinct messages, $m_1, \dots, m_N$, each uniformly at random
- For $i = 1, \dots, N$, compute $y_i := H(m_i)$
- If $y_i = y_j$ for some $i \neq j$, then output $(m_i, m_j)$
Thm (birthday paradox): Let $r_1, \dots, r_N$ be independently and identically distributed random variables taking on values in $\{0,1\}^s$. If $N = (5/4) \cdot 2^{s/2}$, then $\Pr[\exists\, i \neq j,\ r_i = r_j] > 1/2$.
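Generic birthday attack
Thm (birthday paradox): Let $r_1, \dots, r_N$ be independently and identically distributed random variables taking on values in $\{0,1\}^s$. If $N = (5/4) \cdot 2^{s/2}$, then $\Pr[\exists\, i \neq j,\ r_i = r_j] > 1/2$.
Proof (for uniform random variables):
$$
\begin{aligned}
\Pr[\exists\, i \neq j,\ r_i = r_j] &= 1 - \Pr[\forall\, i \neq j,\ r_i \neq r_j] \\
&= 1 - \frac{2^s - 1}{2^s} \cdot \frac{2^s - 2}{2^s} \cdots \frac{2^s - N + 1}{2^s} \\
&= 1 - \prod_{i=1}^{N-1} \left(1 - i/2^s\right) \\
&\geq 1 - \prod_{i=1}^{N-1} e^{-i/2^s} \qquad (1 - x \leq e^{-x}) \\
&= 1 - e^{-\frac{1}{2^s} \sum_{i=1}^{N-1} i} \\
&\approx 1 - e^{-(N^2/2)/2^s} \\
&= 1 - e^{-((5/4 \cdot 2^{s/2})^2/2)/2^s} \\
&= 1 - e^{-25/\cdots}
\end{aligned}
$$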
Generic birthday attack
Obs: An attacker A that uses the generic birthday attack can find collisions with advantage $\mathrm{Adv}^{\text{collision}}(A) > 1/2$ in $O(s \cdot 2^{s/2})$ time (albeit with $O(s \cdot 2^{s/2})$ storage).
Q: Is this a problem?
A: No! (in theory); Possibly! (in practice)
- Real hash functions have fixed-length outputs
- Need to ensure that $2^{s/2}$ work is infeasible...or do we?
- Memory is scarcer than time
Q: Is it sufficient to ensure no real attacker can store $s \cdot 2^{s/2}$ bits?
A: Perhaps surprisingly, no!
"Small-space" birthday attack
Consider an attacker A that works as follows:
1. Choose a random initial value $m_0$
2. Set $m := m_0$ and $m' := m_0$
3. For $i = 1, 2, 3, \dots$, do the following:
   - Compute $m := H(m)$ and $m' := H(H(m'))$   // now $m = H^{(i)}(m_0)$ and $m' = H^{(2i)}(m_0)$
   - If $m == m'$, break from loop
4. Set $m' := m$ and $m := m_0$
5. For $j = 1, \dots, i$, do the following:
   - If $H(m) == H(m')$, return $(m, m')$
   - Else, set $m := H(m)$ and $m' := H(m')$   // now $m = H^{(j)}(m_0)$ and $m' = H^{(i+j)}(m_0)$
Thm: The above small-space birthday attack finds a collision with probability at least 1/2 in $O(s \cdot 2^{s/2})$ time using $O(1)$ storage.
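Both birthday attacks from the last slides, run against a deliberately short digest to show why output length has to be sized against $2^{s/2}$ work rather than against storage. This is an added Python example, not part of the original slides; it assumes SHA-256 truncated to $s$ bits as the target $H$ (with $s$ a multiple of 8), and the function names are hypothetical.

```python
import hashlib
import os


def H(m: bytes, s_bits: int) -> bytes:
    """Toy target: SHA-256 truncated to s bits (s a multiple of 8)."""
    return hashlib.sha256(m).digest()[: s_bits // 8]


def table_birthday(s_bits: int):
    """Generic attack: N = (5/4) * 2^(s/2) random messages, every digest stored.

    One batch succeeds with probability > 1/2, so batches are repeated until
    a collision appears. Returns (m_i, m_j, batches_used).
    """
    n = (5 * 2 ** (s_bits // 2)) // 4
    batches = 0
    while True:
        batches += 1
        seen = {}  # digest -> message: this table is the O(s * 2^(s/2)) storage
        for _ in range(n):
            m = os.urandom(16)
            y = H(m, s_bits)
            if y in seen and seen[y] != m:
                return seen[y], m, batches
            seen[y] = m


def small_space_birthday(s_bits: int):
    """The two-phase walk from the slide, keeping only m, m' and a counter.

    Returns (m, m_prime, hash_evaluations).
    """
    while True:
        # Step 1. m_0 is one byte longer than a digest, so it is never itself
        # an output of H and cannot lie on the cycle. If it did, step 5 would
        # compare m_0 with itself and report a pair that is not a collision.
        m0 = os.urandom(s_bits // 8 + 1)
        evals = 0
        m = m_prime = m0                      # step 2
        i = 0
        while True:                           # step 3
            i += 1
            m = H(m, s_bits)                  # m  = H^(i)(m_0)
            m_prime = H(H(m_prime, s_bits), s_bits)  # m' = H^(2i)(m_0)
            evals += 3
            if m == m_prime:
                break
        m_prime, m = m, m0                    # step 4
        for _ in range(i):                    # step 5
            hm, hmp = H(m, s_bits), H(m_prime, s_bits)
            evals += 2
            if hm == hmp:
                if m != m_prime:
                    return m, m_prime, evals
                break                         # degenerate start: pick a new m_0
            m, m_prime = hm, hmp


if __name__ == "__main__":
    s = 24
    a, b, batches = table_birthday(s)
    print(f"table attack, s={s}: {a.hex()} / {b.hex()} after {batches} batch(es)")
    m, mp, evals = small_space_birthday(s)
    print(f"small-space attack, s={s}: {m.hex()} / {mp.hex()} after {evals} hash calls")
```

Raising `s` by 16 bits multiplies the running time of both functions by roughly 256, while only the table version's memory grows with it.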
That's all for today, folks!
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationSecurity without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationImproved Generic Attacks Against Hash-based MACs and HAIFA
Improved Generic Attacks Against Hash-based MACs and HAIFA Itai Dinur 1 and Gaëtan Leurent 2 1 Département d Informatique, École Normale Supérieure, Paris, France Itai.Dinur@ens.fr 2 Inria, EPI SECRET,
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05, France
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
New Proofs for NMAC and HMAC: Security without Collision-Resistance Mihir Bellare Dept. of Computer Science & Engineering 0404, University of California San Diego 9500 Gilman Drive, La Jolla, CA 92093-0404,
More information