Message Authentication Codes (MACs)
|
|
- Molly Alexander
- 5 years ago
- Views:
Transcription
1 Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, / 22
2 About Me 2 / 22
3 About Me Tung Chou (Tony) 2 / 22
4 About Me Tung Chou (Tony) Ph.D. student of Daniel J. Bernstein & Tanja Lange 2 / 22
5 About Me Tung Chou (Tony) Ph.D. student of Daniel J. Bernstein & Tanja Lange Research topics: Post-quantum crypto, ECC, MAC design. 2 / 22
6 About Me Tung Chou (Tony) Ph.D. student of Daniel J. Bernstein & Tanja Lange Research topics: Post-quantum crypto, ECC, MAC design. 2 / 22
7 Outline 3 / 22
8 Outline Introduction 3 / 22
9 Outline Introduction HMAC 3 / 22
10 Outline Introduction HMAC Universal-hash based MACs Poly1305 security issues software implementation issues 3 / 22
11 Outline Introduction HMAC Universal-hash based MACs Poly1305 security issues software implementation issues Diffie Hellman key exchange 3 / 22
12 What are MACs? 4 / 22
13 What are MACs? On Wikipedia: a message authentication code (often MAC) is a short piece of information used to authenticate a message and to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message s origin 4 / 22
14 Digital Signatures 5 / 22
15 Digital Signatures Construction: sk message (m) hash h TP signature (s) pk 5 / 22
16 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) pk 5 / 22
17 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). pk 5 / 22
18 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). pk 5 / 22
19 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). V computes and check hash(m ) = VERIFY pk (s ). pk 5 / 22
20 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). V computes and check hash(m ) = VERIFY pk (s ). pk Security 5 / 22
21 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). V computes and check hash(m ) = VERIFY pk (s ). pk Security attacker should not be able to forge a valid (m, s) pair 5 / 22
22 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). V computes and check hash(m ) = VERIFY pk (s ). pk Security attacker should not be able to forge a valid (m, s) pair attacker might have collected many (m, s) pairs 5 / 22
23 Message Authentication Codes 6 / 22
24 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) 6 / 22
25 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: 6 / 22
26 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). 6 / 22
27 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). 6 / 22
28 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). R computes and checks MAC r (m ) = t. 6 / 22
29 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). R computes and checks MAC r (m ) = t. Security 6 / 22
30 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). R computes and checks MAC r (m ) = t. Security attacker should not be able to forge a valid (m, t) pair 6 / 22
31 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). R computes and checks MAC r (m ) = t. Security attacker should not be able to forge a valid (m, t) pair attacker might have collected many (m, t) pairs 6 / 22
32 MACs vs Signatures 7 / 22
33 MACs vs Signatures MACs Signatures Integrity yes yes Authenticity yes yes Non-repudiation no yes Key secret-key public-key 7 / 22
34 MACs vs Signatures MACs Signatures Integrity yes yes Authenticity yes yes Non-repudiation no yes Key secret-key public-key Non-repudiation is about Alice showing to Bob a proof that some data really comes from Alice, such that not only Bob is convinced, but Bob also gets the assurance that he could show the same proof to Charlie, and Charlie would be convinced, too 7 / 22
35 MACs vs Signatures MACs Signatures Integrity yes yes Authenticity yes yes Non-repudiation no yes Key secret-key public-key Non-repudiation is about Alice showing to Bob a proof that some data really comes from Alice, such that not only Bob is convinced, but Bob also gets the assurance that he could show the same proof to Charlie, and Charlie would be convinced, too secret-key crypto is fast 7 / 22
36 HMAC 8 / 22
37 HMAC Build MAC from hash functions 8 / 22
38 HMAC Build MAC from hash functions A naive construction: t = H(r m) 8 / 22
39 HMAC Build MAC from hash functions A naive construction: t = H(r m) Merkle Damgård construction based hashes (e.g., MD5, SHA1) m 1 m 2 m l IV f f f h 8 / 22
40 HMAC Build MAC from hash functions A naive construction: t = H(r m) Merkle Damgård construction based hashes (e.g., MD5, SHA1) m 1 m 2 m l IV f f f h Length extension attack: h = f(h, m l+1 ) 8 / 22
41 HMAC (cont.) 9 / 22
42 HMAC (cont.) Another construction: t = H(m r) 9 / 22
43 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) 9 / 22
44 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) HMAC-SHA1 9 / 22
45 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) HMAC-SHA1 widely used in Internet applications 9 / 22
46 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) HMAC-SHA1 widely used in Internet applications 5.18 Sandy Bridge cycles/byte 9 / 22
47 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) HMAC-SHA1 widely used in Internet applications 5.18 Sandy Bridge cycles/byte Reality: the most commonly used scheme might not be the best 9 / 22
48 SHA3 The Sponge construction: 10 / 22
49 The Wegman Carter construction 11 / 22
50 The Wegman Carter construction Why? 11 / 22
51 The Wegman Carter construction Why? provides information theoretic security 11 / 22
52 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic 11 / 22
53 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC 11 / 22
54 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC 11 / 22
55 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC Construction 11 / 22
56 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC Construction universal hash function + one-time pad: h r (m n ) s n 11 / 22
57 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC Construction universal hash function + one-time pad: h r (m n ) s n universal hash: low differential probability 11 / 22
58 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC Construction universal hash function + one-time pad: h r (m n ) s n universal hash: low differential probability one-time pad hides all information about the key 11 / 22
59 Poly / 22
60 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod / 22
61 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values 12 / 22
62 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values m i<l is the ith 128-bit block of m padded by 1. m l is the remainder of m padded by / 22
63 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values m i<l is the ith 128-bit block of m padded by 1. m l is the remainder of m padded by 1. Without proper padding? 12 / 22
64 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values m i<l is the ith 128-bit block of m padded by 1. m l is the remainder of m padded by 1. Without proper padding? m = FF, m = FF, 00 zero-pad the message obtain a 128-bit block m 1 = m 1 = FF, 00,..., / 22
65 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values m i<l is the ith 128-bit block of m padded by 1. m l is the remainder of m padded by 1. Without proper padding? m = FF, m = FF, 00 zero-pad the message obtain a 128-bit block m 1 = m 1 = FF, 00,..., 00 Speed: 1.22 Sandy Bridge cycles/byte 12 / 22
66 Poly1305: avoiding security issue 13 / 22
67 Poly1305: avoiding security issue What is wrong with real polynomial evaluation? t = m 1 r l 1 + m 2 r l m l + s 13 / 22
68 Poly1305: avoiding security issue What is wrong with real polynomial evaluation? t = m 1 r l 1 + m 2 r l m l + s The attacker forges a valid message tag pair easily: t + = m 1 r l 1 + m 2 r l (m l + ) + s 13 / 22
69 Poly1305: avoiding security issue What is wrong with real polynomial evaluation? t = m 1 r l 1 + m 2 r l m l + s The attacker forges a valid message tag pair easily: t + = m 1 r l 1 + m 2 r l (m l + ) + s This does not provide low differential probability 13 / 22
70 Poly1305: avoiding security issue 14 / 22
71 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s 14 / 22
72 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s The attacker gets information of r by finding roots of t t = (m 1 m 1)r l + (m 2 m 2)r l (m l m l )r 14 / 22
73 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s The attacker gets information of r by finding roots of t t = (m 1 m 1)r l + (m 2 m 2)r l (m l m l )r nonce-misuse issue 14 / 22
74 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s The attacker gets information of r by finding roots of t t = (m 1 m 1)r l + (m 2 m 2)r l (m l m l )r nonce-misuse issue In practice s is usually replaced by stream cipher output, e.g., AES k (n) for m n 14 / 22
75 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s The attacker gets information of r by finding roots of t t = (m 1 m 1)r l + (m 2 m 2)r l (m l m l )r nonce-misuse issue In practice s is usually replaced by stream cipher output, e.g., AES k (n) for m n HMAC does not use nonce 14 / 22
76 Poly1305: polynomial evaluation 15 / 22
77 Poly1305: polynomial evaluation Consider m 1 r 8 + m 2 r m 8 r 15 / 22
78 Poly1305: polynomial evaluation Consider m 1 r 8 + m 2 r m 8 r Horner s rule: r m 1 m 2 m 3 m 4 m 5 m 6 m 7 m / 22
79 Poly1305: polynomial evaluation Consider m 1 r 8 + m 2 r m 8 r Horner s rule: r m 1 m 2 m 3 m 4 m 5 m 6 m 7 m n multiplications (and n 1 additions) 15 / 22
80 Poly1305: polynomial evaluation Consider m 1 r 8 + m 2 r m 8 r Horner s rule: r m 1 m 2 m 3 m 4 m 5 m 6 m 7 m n multiplications (and n 1 additions) The issue of being on-line 15 / 22
81 GMAC 16 / 22
82 GMAC The NIST-standard authenticated encryption scheme GCM 16 / 22
83 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode 16 / 22
84 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode Special hardware support for AES-GCM in high-end CPUs 16 / 22
85 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode Special hardware support for AES-GCM in high-end CPUs Polynomial evaluation MAC: t = (m 1 r l + m 2 r l m l r) + s 16 / 22
86 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode Special hardware support for AES-GCM in high-end CPUs Polynomial evaluation MAC: t = (m 1 r l + m 2 r l m l r) + s Based on arithmetic in F = F 2 [x]/(x x 7 + x 2 + x + 1) 16 / 22
87 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode Special hardware support for AES-GCM in high-end CPUs Polynomial evaluation MAC: t = (m 1 r l + m 2 r l m l r) + s Based on arithmetic in F = F 2 [x]/(x x 7 + x 2 + x + 1) Binary fields: better in hardware 16 / 22
88 GCM 17 / 22
89 GMAC: speeds reference platform PCLMUQDQ cycles per byte Käsper Schwabe 2009 Core 2 no Sandy Bridge no Krovetz Rogaway 2011 Westmere yes 2.00 Gueron 2013 Sandy Bridge yes 1.79 Haswell yes / 22
90 Auth / 22
91 Auth256 Construction 19 / 22
92 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s 19 / 22
93 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F / 22
94 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC 19 / 22
95 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC higher security level 19 / 22
96 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC higher security level 0.5/1 multiplications per block 19 / 22
97 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC higher security level 0.5/1 multiplications per block larger key size 19 / 22
98 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC higher security level 0.5/1 multiplications per block larger key size very different field construction for low bit operation count 19 / 22
99 Wegman Carter construction: security δ-xor-universal hash : For all distinct (m, m ) and, we have P r ( Hash r (m) = Hash r (m ) ) δ 20 / 22
100 Wegman Carter construction: security δ-xor-universal hash : For all distinct (m, m ) and, we have P r ( Hash r (m) = Hash r (m ) ) δ The one-time pad hides all information about the key r. The best strategy for the attacker is to guess. 20 / 22
101 Auth256: Security Proof Hash values: h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ), h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ). 21 / 22
102 Auth256: Security Proof Hash values: h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ), h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ). Then h = h + if and only if r 1(m 2 m 2) + r 2(m 1 m 1) + r 3(m 4 m 4) + r 4(m 3 m 3) + = + m 1m 2 m 1m 2 + m 3m 4 m 3m / 22
103 Auth256: Security Proof Hash values: h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ), h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ). Then h = h + if and only if r 1(m 2 m 2) + r 2(m 1 m 1) + r 3(m 4 m 4) + r 4(m 3 m 3) + = + m 1m 2 m 1m 2 + m 3m 4 m 3m 4 +. m m implies that there are at most K 2l 1 solutions for r. 21 / 22
104 CBC-MAC 22 / 22
McBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationHILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction
HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction Daniel J. Bernstein 1 Leon Groot Bruinderink 2 Tanja Lange 2 Lorenz Panny 2 1 University of Illinois at Chicago 2
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationMinimum Number of Multiplications of U Hash Functions
Minimum Number of Multiplications of U Hash Functions Indian Statistical Institute, Kolkata mridul@isical.ac.in March 4, FSE-2014, London Authentication: The Popular Story 1 Alice and Bob share a secret
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationThanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR 9983950 Alfred P. Sloan Foundation The AES function ( Rijndael 1998 Daemen Rijmen; 2001
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationAES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.
AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION. ED KNAPP Abstract. We give a framework for construction and composition of universal hash functions. Using this framework,
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationMcBits: fast constant-time code-based cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationOnline Cryptography Course. Collision resistance. Introduc3on. Dan Boneh
Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationRelated-Key Almost Universal Hash Functions: Definitions, Constructions and Applications
Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications Peng Wang, Yuling Li, Liting Zhang and Kaiyan Zheng State Key Laboratory of Information Security, Institute of Information
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationHigh Performance GHASH Function for Long Messages
High Performance GHASH Function for Long Messages Nicolas Méloni 1, Christophe Négre 2 and M. Anwar Hasan 1 1 Department of Electrical and Computer Engineering University of Waterloo, Canada 2 Team DALI/ELIAUS
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationElliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationUMAC: Fast and Secure Message Authentication
The proceedings version of this paper appears in Advances in Cryptology CRYPTO 99 [7]. This is the full version. It is available from www.cs.ucdavis.edu/~rogaway/umac/ UMAC: Fast and Secure Message Authentication
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationHans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References
Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009 Die Unterlagen sind ausschliesslich zum persoenlichen Gebrauch der Vorlesungshoerer bestimmt. Die Herstellung von elektronischen
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationBadger - A Fast and Provably Secure MAC
Badger - A Fast and Provably Secure MAC Martin Boesgaard, Ove Scavenius, Thomas Pedersen, Thomas Christensen, and Erik Zenner CRYPTICO A/S Fruebjergvej 3 2100 Copenhagen Denmark info@cryptico.com Abstract.
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationMessage Authentication Codes (MACs) and Hashes
Message Authentication Codes (MACs) and Hashes David Brumley dbrumley@cmu.edu Carnegie Mellon University Credits: Many slides from Dan Boneh s June 2012 Coursera crypto class, which is awesome! Recap so
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationOverview. Public Key Algorithms II
Public Key Algorithms II Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601-04/ Louisiana State
More informationAuthenticated Encryption Mode for Beyond the Birthday Bound Security
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key
More informationIntroduction to Cryptography. Susan Hohenberger
Introduction to Cryptography Susan Hohenberger 1 Cryptography -- from art to science -- more than just encryption -- essential today for non-military applications 2 Symmetric Crypto Shared secret K =>
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationDaniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven. Tanja Lange Technische Universiteit Eindhoven
ECCHacks: a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven ecchacks.cr.yp.to
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationTanja Lange Technische Universiteit Eindhoven
Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.
More informationFRMAC, a Fast Randomized Message Authentication Code
, a Fast Randomized Message Authentication Code Éliane Jaulmes 1 and Reynald Lercier 2 1 DCSSI Crypto Lab, 51 Bd de Latour Maubourg, F-75700 Paris 07 SP, France eliane.jaulmes@wanadoo.fr, 2 CELAR, Route
More informationCIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions
CIS 6930/4930 Computer and Network Security Topic 4. Cryptographic Hash Functions 1 The SHA-1 Hash Function 2 Secure Hash Algorithm (SHA) Developed by NIST, specified in the Secure Hash Standard, 1993
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationAnalysis of Underlying Assumptions in NIST DRBGs
Analysis of Underlying Assumptions in NIST DRBGs Wilson Kan Security and Privacy Group Pitney Bowes Inc. September 4, 2007 Abstract In [1], four different DRBGs are recommended for cryptographic purpose.
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More information