Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata
|
|
- Tracey Grant
- 5 years ago
- Views:
Transcription
1 Further More o Key Wrappig 011//17 SKEW011 Lygby Nagoya Uiversity Yasushi Osaki, Tetsu Iwata 1
2 What is key wrappig? Used to ecrypt specialized data, such as cryptographic keys A key wrappig that also esures itegrity is called a autheticated key wrappig (AKW) Used i key maagemet systems Used as a adapter betwee icompatible systems e.g. betwee a key maagemet system for 3DES ad AES etc.
3 What is key wrappig? Key wrappig ad AKW are widely used i practice ANSI X (008) IETF RFC 6030 (010) OASIS : Key Maagemet Iteroperability Protocol Specificatio Versio 1.0 NIST is i the process of specifyig a AKW scheme 3
4 Two approaches i desigig a AKW scheme Dedicated costructio Determiistic autheticated ecryptio (DAE) [RS06] SIV mode [RS06] HBS mode Geeric compositio Hash-the-Ecrypt [GH09] Hash-the-ECB, Hash-the-CBC, Hash-the-CTR, etc. 4 [GH09]R.Gearo,S.Halevi. More o Key Wrappig. SAC009. [RS06] Rogaway. P., Shrimpto. T.: A Provable-Security Treatmet of the Key-Wrap Problem. EUROCRYPT 006.
5 Gearo ad Halevi s results They examied combiatios of some ecryptio modes ad some hash fuctios Hash XOR Liear d-preimage uiversal Ecryptio resistat hash CTR broke broke secure secure ECB broke somewhat secure broke CBC broke somewhat secure ope problem masked ECB/CBC somewhat somewhat secure secure 5 XEX secure secure secure secure
6 Gearo ad Halevi s results They examied combiatios of some ecryptio modes ad some hash fuctios Hash XOR Liear d-preimage uiversal Ecryptio resistat hash CTR broke broke secure secure ECB broke somewhat secure broke CBC broke somewhat secure ope problem masked ECB/CBC somewhat somewhat secure secure 6 XEX secure secure secure secure
7 Gearo ad Halevi s results 7 ECB ad CBC modes are likely deployed already i existig systems There are a large umber of efficiet costructios of a uiv-hash fuctio, e.g. a polyomial hash fuctio, MMH, etc. Hash XOR Liear d-preimage uiversal Ecryptio resistat hash CTR broke broke secure secure ECB broke somewhat secure broke CBC broke somewhat secure ope problem masked ECB/CBC somewhat somewhat secure secure XEX secure secure secure secure
8 Our goal We show there exists a subset of uiv-hash fuctios that ca securely be used with ECB mode there exists a subset of uiv-hash fuctios that ca securely be used with CBC mode (It is a partial aswer to the ope problem) a moic polyomial is icluded i these subsets uiv-hash uiv-hash secure ECB? secure CBC 8
9 AKW scheme Wrappig key W Ecrypt a plaitext D {0,1} l uder W C AKW W (D ) Decrypt a ciphertext C {0,1} (l+1) uder W D or AKW -1 W (C ) meas reject 9
10 Security for AKW (1) [GH09] Radom-Plaitext Attack (RPA-security) Adversary A b'{0,1} ivoke D, D, C 0 i 1 i i q times Challege Wrappig D C 0 i i, D 1 i AKW AKW oracle bit: b key : W W D b i 0,1 : chose at radom 10 Adv rpa AKW A Prb' 1 b 1 Prb' 1 b 0
11 Security for AKW () [GH09] Itegrity of ciphertext (INT-security) Adversary A * C Adv it AKW : Challege ivoke D i, C i ciphertext q times A PrA forges Wrappig key:w D : chose at radom C i i AKW AKW oracle W D i 11 The AKW scheme is secure, if Adv rpa (A) ad Adv it (A) are sufficietly small
12 Hash-the-ECB [GH09] ad Hash-the-CBC [GH09] Hash-the-ECB (HtECB) Hash-the-CBC (HtCBC) 1
13 Our results The HtECB scheme is a secure AKW scheme if the uderlyig hash fuctio is a uiversal uiform uiversal C uiform C hash fuctio The HtCBC scheme is a secure AKW scheme if the uderlyig hash fuctio is a uiversal uiform uiversal CC uiform CC hash fuctio uiv-hash uiv-hash 13
14 Our results The HtECB scheme is a secure AKW scheme if the uderlyig hash fuctio is a uiversal uiform uiversal C uiform C hash fuctio The HtCBC scheme is a secure AKW scheme if the uderlyig hash fuctio is a uiversal uiform uiversal CC uiform CC hash fuctio uiv-hash We preset these ew otios uiv-hash 14
15 Classical otios of hash fuctio uiversal l Let X, X ' {0,1} ( X X ') be arbitrary bit strigs A keyed hash fuctio H is a ε 1 -uiversal hash fuctio if Pr[ H ( X ) H ( X ')] L L uiform l Let X { 0,1}, Y {0,1 } be arbitrary bit strigs A keyed hash fuctio H is a ε -uiform hash fuctio if Pr[ ( X ) Y] 1 15
16 New otios of hash fuctio uiversal C (uiversal with compositio) l Let X 1,, X l {0,1}, Z[1], Z[ l] {0,1 } ad l X ' {0,1} ( X ' ( Z[1],, Z[ l])) be arbitrary bit strigs A keyed hash fuctio H is a ε 3 -uiversal C hash fuctio if, for each of the l possible choices of X { Z[1], HL( X1)} { Z[ l], HL( Xl )}, Pr[ H L ( X ) H L ( X ')] 3 16
17 New otios of hash fuctio uiversal C For example, if l =, we require Pr[ ( Z[1], Z[]) Pr[ HL( HL( X1), Z[]) Pr[ H Z[1], H ( X )) Pr[ H L( L L( HL( X1), HL( X )) ( X ')] 3 ( X ')] 3 ( X ')] ( X ')] 3 3 Z [1] Z[] X 1 Z[] Z[1] X X 1 X 17 (X ) (X ) (X ) (X )
18 New otios of hash fuctio uiform C (uiform with compositio) l Let 1,, X l {0,1}, Z[1], Z[ l] {0,1 be arbitrary bit strigs X } A keyed hash fuctio H is a ε 4 -uiform C hash fuctio if, for each of the l possible choices of X { Z[1], HL( X1)} { Z[ l], HL( Xl )}, ad Y {0,1 } Pr[ ( X ) Y] 4 18
19 New otios of hash fuctio uiversal CC (uiversal with compositio ad xor costat) l Let X,, X {0,1}, Z[1], Z[ l] {0,1}, V[1],, V[ l] 1 l {0,1} l ad X ' {0,1} ( X ' ( Z[1],, Z[ l])) be arbitrary bit strigs A keyed hash fuctio H is a ε 5 -uiversal CC hash fuctio if, for each of the l possible choices, of X { Z[1], H ( X1) V[1]} { Z[ l], H ( X ) V[ l]} L L l Pr[ H L ( X ) H L ( X ')] 5 19
20 New otios of hash fuctio uiform CC (uiform with compositio ad xor costat) l Let X,, Xl {0,1}, Z[1], Z[ l] {0,1}, V[1],, V[ l] ad Y {0,1 } be arbitrary bit strigs A keyed hash fuctio H is a ε 6 -uiform CC hash fuctio if, for each of the l possible choices, of 1 X { Z[1], H ( X1) V[1]} { Z[ l], H ( X ) V[ l]} L L l {0,1} Pr[ ( X ) Y] 6 0
21 Theorem 1 (HtECB) Let H be a ε 1 -uiversal, ε -uiform, ε 3 -uiversal C, ε 4 -uiform C hash fuctio E be a blockcipher The for ay A that ivokes the oracle at most q times, there exist adversaries A ad A such that Adv Adv rpa HtECB[H,E] it HtECB[H,E] ( A) ( A) Adv Adv prp E sprp E q l ( A') q 1 4q l q ( A'') 1 q l q( l 1) max{, } where A makes at most q (l +1) queries ad A makes at most (q +1)(l +1) queries
22 Proof of INT Advatage (ituitio)? E * * D [1] D [] E E K K K * * * C [0] C [1] C [] * C * D l = D*[j] (0 j ) are a hash value or a fixed costat If D * [0] is a hash value, Pr[ (D * )=D * [0]] ε 3 because H is ε 3 -uiversal C hash fuctio If D * [0] is a fixed costat, Pr[ (D * )=D * [0]] ε 4 because H is ε 4 -uiform C hash fuctio it sprp q AdvHtECB[H, E] ( A) AdvE ( A'') 1 q l q( l 1) max{ 3, 4}
23 Theorem (HtCBC) Let H be a ε 1 -uiversal, ε -uiform, ε 5 -uiversal CC, ε 6 -uiform CC hash fuctio E be a blockcipher The for ay A that ivokes the oracle at most q times, there exist adversaries A ad A such that Adv Adv rpa HtCBC[H,E] it HtCBC[H,E] ( A) ( A) Adv Adv prp E sprp E ( A') q ( A'') 14q 1 q 1 q ( l 1) l q( l 1) max{, } where A makes at most q (l +1) queries ad A makes at most (q +1)(l +1) queries
24 Costructio of a Hash Fuctio A moic polyomial hash fuctio defied i (1) suffices to obtai a uiversal uiversal C uiversal CC uiform uiform C uiform CC hash fuctio for sufficietly small ε 1,...,ε 6 4 H L l 1 l X L L X[1] L X[ l] (1) X X1,, Xl 0, 1 l 0, Iput : Key : L 1 The multiplicatio is over GF( )
25 A moic polyomial hash fuctio It ca be implemeted easily from a polyomial hash fuctio A polyomial hash fuctio is the basic costructio of a uiversal hash fuctio Used i [MV04][NIST800-38D][Be05] [MV04] McGrew, D., Viega, J.: The Security ad Performace of the Galois/Couter Mode (GCM) of Operatio. [NIST800-38D] NIST: Recommedatio for Block Cipher Modes of Operatio: Galois/Couter Mode (GCM) ad GMAC. [Be05] Berstei, D.J.: The poly1305-aes Message-Autheticatio Code. 5
26 Coclusios We proposed a total of four ew otios of a keyed hash fuctio Based o the ew otios, we showed that HtECB ad HtCBC schemes are secure AKW schemes The result o the HtCBC scheme partially solves the ope problem We showed that there exists a efficiet costructio of a keyed hash fuctio that satisfies all the six otios 6
27 7 Thak you!
28 Lemma 3 The keyed hash fuctio defied i (1) is a l l 1 l 1 - uiversal, - uiform, - uiversal l 1 l 1 - uiversalcc, - uiform CC C l 1, - uiform hash fuctio C, 8
29 Corollary 1 (HtECB) Let H be the keyed hash fuctio defied i (1) E be a blockcipher The for ay A that ivokes the oracle at most q times, there exist adversaries A ad A such that Adv Adv rpa HtECB[H,E] it HtECB[H,E] ( A) Adv ( A) Adv where A makes at most q (l +1) queries ad A makes at most (q +1)(l +1) queries prp E sprp E 8q ( l 1) ( A') 3q ( l 1) ( A'') 9
30 Corollary (HtCBC) Let H be the keyed hash fuctio defied i (1) E be a blockcipher The for ay A that ivokes the oracle at most q times, there exist adversaries A ad A such that Adv Adv rpa HtCBC[H,E] it HtCBC[H,E] ( A) Adv ( A) Adv where A makes at most q (l +1) queries ad A makes at most (q +1)(l +1) queries prp E sprp E 16q ( A') ( A'') 3q ( l 1) ( l 1) 30
31 Hash-the-ECB + (HtECB + ) D[0] D D [1] D[l] D[0] D D [1] D[l] d 31 bit E bit K lsb ~ C[0] EK EK C [1] C[l] d ~ C[0] E? K bit lsb bit E -1-1 K EK C [1] C[l]
32 Corollary 3 64 l q ) Adv it ] ( ),,Perm( [ HtECB A d H d d d H l l q l q A 1 1) ( 1) ( 3 ) ( Adv it ] ),,Perm( [ HtECB
Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell
Message Autheticatio Codes Readig: Chapter 4 of Katz & Lidell 1 Message autheticatio Bob receives a message m from Alice, he wats to ow (Data origi autheticatio) whether the message was really set by Alice.
More informationAuthenticated Encryption Mode for Beyond the Birthday Bound Security
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key
More informationReview of Elementary Cryptography. For more material, see my notes of CSE 5351, available on my webpage
Review of Elemetary Cryptography For more material, see my otes of CSE 5351, available o my webpage Outlie Security (CPA, CCA, sematic security, idistiguishability) RSA ElGamal Homomorphic ecryptio 2 Two
More informationLecture 11: Pseudorandom functions
COM S 6830 Cryptography Oct 1, 2009 Istructor: Rafael Pass 1 Recap Lecture 11: Pseudoradom fuctios Scribe: Stefao Ermo Defiitio 1 (Ge, Ec, Dec) is a sigle message secure ecryptio scheme if for all uppt
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid
More informationBreaking and Repairing GCM Security Proofs
Breaking and Repairing GCM Security Proofs Tetsu Iwata 1, Keisuke Ohashi 1, and Kazuhiko Minematsu 2 1 Nagoya University, Japan iwata@cse.nagoya-u.ac.jp, k oohasi@echo.nuee.nagoya-u.ac.jp 2 NEC Corporation,
More informationImpact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs
Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24
More informationEfficient Hashing using the AES Instruction Set
Efficiet Hashig usig the AES Istructio Set Joppe Bos 1 Our Öze 1 Martij Stam 2 1 Ecole Polytechique Fédérale de Lausae 2 Uiversity of Bristol Nara, 1 October 2011 Outlie 1 Itroductio AES ad Hash Fuctios
More informationIntegrity Analysis of Authenticated Encryption Based on Stream Ciphers
Integrity Analysis of Authenticated Encryption Based on Stream Ciphers Kazuya Imamura 1, Kazuhiko Minematsu 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k_imamur@echo.nuee.nagoya-u.ac.jp 2 NEC Corporation,
More informationStudies on Disk Encryption
Studies on Disk Encryption Cuauhtemoc Mancillas López Advisor: Debrup Chakraborty Nov 14, 2011 Cuauhtemoc Mancillas López Advisor: Debrup Chakraborty Studies () on Disk Encryption Nov 14, 2011 1 / 74 Disk
More informationOn the Counter Collision Probability of GCM*
On the Counter Collision Probability of GCM* Keisuke Ohashi, Nagoya University Yuichi Niwa, Nagoya University Tetsu Iwata, Nagoya University Early Symmetric Crypto (ESC) seminar January 14 18, Mondorf
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationModes of Operations for Wide-Block Encryption
Wide-Block Encryption p. 1/4 Modes of Operations for Wide-Block Encryption Palash Sarkar Indian Statistical Institute, Kolkata Wide-Block Encryption p. 2/4 Structure of Presentation From block cipher to
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationHash Functions Based on Three Permutations: A Generic Security Analysis
Hash Fuctios Based o Three Permutatios: A Geeric Security Aalysis Bart Meik ad Bart Preeel KU Leuve CRYPTO 2012 August 21, 2012 1 / 18 Motivatio Hash fuctios based o block ciphers Davies-Meyer '84, PGV
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 and Kazuhiko Minematsu 2 1 Nagoya University, Nagoya, Japan, tetsu.iwata@nagoya-u.jp 2 NEC Corporation, Kawasaki, Japan, k-minematsu@ah.jp.nec.com Abstract.
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationA New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation
A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation Debrup Chakraborty and Palash Sarkar Computer Science Department, CINVESTAV-IPN Av. IPN No. 2508 Col. San Pedro Zacatenco
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationLossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems
Electroic Colloquium o Computatioal Complexity, Revisio 1 of Report No 127 (2009) Lossy Trapdoor Fuctios from Smooth Homomorphic Hash Proof Systems July 4, 2010 Abstract I STOC 08, Peikert ad Waters itroduced
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationBreaking and Repairing GCM Security Proofs
Breaking and Repairing GCM Security Proofs Tetsu Iwata 1, Keisuke Ohashi 1, and Kazuhiko Minematsu 2 1 Nagoya University, Japan iwata@cse.nagoya-u.ac.jp, k oohasi@echo.nuee.nagoya-u.ac.jp 2 NEC Corporation,
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationAn Introduction to Authenticated Encryption. Palash Sarkar
An Introduction to Authenticated Encryption Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata palash@isical.ac.in 20 September 2016 Presented at the Workshop on Authenticated
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationAnother Look at XCB. Indian Statistical Institute 203 B.T. Road, Kolkata , India
Another Look at XCB Debrup Chakraborty 1, Vicente Hernandez-Jimenez 1, Palash Sarkar 2 1 Department of Computer Science, CINVESTAV-IPN, Av. IPN 2508 San Pedro Zacatenco, Mexico City 07360, Mexico debrup@cs.cinvestav.mx,
More informationGCM Security Bounds Reconsidered
GCM Security Bounds Reconsidered Yuichi Niwa 1, Keisuke Ohashi 1, Kazuhiko Minematsu 2, and Tetsu Iwata 1 1 Nagoya University, Nagoya, Japan {y_niwa,k_oohasi}@echonueenagoya-uacjp, iwata@csenagoya-uacjp
More informationLecture 11: Hash Functions and Random Oracle Model
CS 7810 Foudatios of Cryptography October 16, 017 Lecture 11: Hash Fuctios ad Radom Oracle Model Lecturer: Daiel Wichs Scribe: Akshar Varma 1 Topic Covered Defiitio of Hash Fuctios Merkle-Damgaård Theorem
More informationZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication
ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata 1, Kazuhiko Minematsu 2, Thomas Peyrin 3,4,5, and Yannick Seurin 6 1 Nagoya University, Japan tetsu.iwata@nagoya-u.jp
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationIdentity-Based Cryptography on Hidden-Order Groups
vailable olie at www.sciecedirect.com Procedia Egieerig 9 (0) 067 07 0 Iteratioal Worshop o Iformatio ad Electroics Egieerig (IWIEE) Idetity-Based Cryptography o Hidde-Order Groups Chalgu Li a a Key Laboratory
More information7. Modern Techniques. Data Encryption Standard (DES)
7. Moder Techiques. Data Ecryptio Stadard (DES) The objective of this chapter is to illustrate the priciples of moder covetioal ecryptio. For this purpose, we focus o the most widely used covetioal ecryptio
More informationZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls
ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationORTHOGONAL MATRIX IN CRYPTOGRAPHY
Orthogoal Matrix i Cryptography ORTHOGONAL MATRIX IN CRYPTOGRAPHY Yeray Cachó Sataa Member of CriptoRed (U.P.M.) ABSTRACT I this work is proposed a method usig orthogoal matrix trasform properties to ecrypt
More informationPadding Oracle Attacks on CBC-mode Encryption with Secret and Random IVs
Paddig Oracle Attacks o CBC-mode Ecryptio with Secret ad Radom IVs Arold K. L. Yau, Keeth G. Paterso ad Chris J. Mitchell Iformatio Security Group, Royal Holloway, Uiversity of Lodo, Egham, Surrey, TW20
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationA Block Cipher Using Linear Congruences
Joural of Computer Sciece 3 (7): 556-560, 2007 ISSN 1549-3636 2007 Sciece Publicatios A Block Cipher Usig Liear Cogrueces 1 V.U.K. Sastry ad 2 V. Jaaki 1 Academic Affairs, Sreeidhi Istitute of Sciece &
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationImproving Upon the TET Mode of Operation
Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold
More informationA Provably Secure Signature Scheme based on Factoring and Discrete Logarithms
Appl. Math. If. Sci. 8, No. 4, 1553-1558 2014) 1553 Applied Mathematics & Iformatio Scieces A Iteratioal Joural http://dx.doi.org/10.12785/amis/080408 A Provably Secure Sigature Scheme based o Factorig
More informationOn the Security of CTR + CBC-MAC
On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationDeterministic Authenticated-Encryption
An earlier version of this paper appears in Advances in Cryptology EUROCRYPT 06, Lecture Notes in Computer Science, vol. 4004, Springer, 2006. This is the full version of that paper. Deterministic Authenticated-Encryption
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationTHE combination of quantum mechanics and information science forms a new science quantum information science, in
Block ecryptio of quatum messages Mi Liag ad Li Yag 1 arxiv:181.06050v1 [cs.cr] 14 Dec 018 Abstract I moder cryptography, block ecryptio is a fudametal cryptographic primitive. However, it is impossible
More informationBasics of Probability Theory (for Theory of Computation courses)
Basics of Probability Theory (for Theory of Computatio courses) Oded Goldreich Departmet of Computer Sciece Weizma Istitute of Sciece Rehovot, Israel. oded.goldreich@weizma.ac.il November 24, 2008 Preface.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationOblivious Transfer using Elliptic Curves
Oblivious Trasfer usig Elliptic Curves bhishek Parakh Louisiaa State Uiversity, ato Rouge, L May 4, 006 bstract: This paper proposes a algorithm for oblivious trasfer usig elliptic curves lso, we preset
More informationOn the Influence of Message Length in PMAC s Security Bounds
1 On the Influence of Message Length in PMAC s Security Bounds Atul Luykx 1 Bart Preneel 1 Alan Szepieniec 1 Kan Yasuda 2 1 COSIC, KU Leuven, Belgium 2 NTT Secure Platform Laboratories, Japan May 11, 2016
More informationLesson 10: Limits and Continuity
www.scimsacademy.com Lesso 10: Limits ad Cotiuity SCIMS Academy 1 Limit of a fuctio The cocept of limit of a fuctio is cetral to all other cocepts i calculus (like cotiuity, derivative, defiite itegrals
More informationStatistical Properties of the Square Map Modulo a Power of Two
Statistical Properties of the Square Map Modulo a Power of Two S. M. Dehavi, A. Mahmoodi Rishakai, M. R. Mirzee Shamsabad 3, Hamidreza Maimai, Eiollah Pasha Kharazmi Uiversity, Faculty of Mathematical
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationLecture 4: Unique-SAT, Parity-SAT, and Approximate Counting
Advaced Complexity Theory Sprig 206 Lecture 4: Uique-SAT, Parity-SAT, ad Approximate Coutig Prof. Daa Moshkovitz Scribe: Aoymous Studet Scribe Date: Fall 202 Overview I this lecture we begi talkig about
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More informationNew Definition of Density on Knapsack Cryptosystems
Africacryt008@Casablaca 008.06.1 New Defiitio of Desity o Kasac Crytosystems Noboru Kuihiro The Uiversity of Toyo, Jaa 1/31 Kasac Scheme rough idea Public Key: asac: a={a 1, a,, a } Ecrytio: message m=m
More informationParallelizable and Authenticated Online Ciphers
Parallelizable and Authenticated Online Ciphers Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 1,2, and Kan Yasuda 1,4 1 Department of Electrical Engineering,
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2010-2011 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 11th 2010 1 / 61 Last Time (I) Security
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationMcOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Full and Updated Version 2013-12-05 Ewan Fleischmann, Christian Forler, Stefan Lucks, and Jakob Wenzel Bauhaus-University Weimar,
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationImproved Security Analysis for OMAC as a Pseudo Random Function
c de Gruyter 2007 J. Math. Crypt. 1 (2007), 1 16 DOI 10.1515 / JMC.2007. Improved Security Analysis for OMAC as a Pseudo Random Function Mridul Nandi Communicated by Abstract. This paper shows that the
More informationTweakable Enciphering Schemes From Stream Ciphers With IV
Tweakable Enciphering Schemes From Stream Ciphers With IV Palash Sarkar Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. We
More informationTwo-Input Functional Encryption for Inner Products from Bilinear Maps
Two-Iput Fuctioal Ecryptio for Ier Products from Biliear Maps Kwagsu Lee Dog Hoo Lee Abstract Fuctioal ecryptio is a ew paradigm of public-key ecryptio that allows a user to compute f x o ecrypted data
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication
ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata 1, Kazuhiko Minematsu 2(B), Thomas Peyrin 3,4,5, and Yannick Seurin 6 1 Nagoya University, Nagoya, Japan tetsu.iwata@nagoya-u.jp
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationOn the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions
O the Impossibility of Highly-Efficiet Blockcipher-Based Hash Fuctios J. Black M. Cochra T. Shrimpto Abstract Fix a small, o-empty set of blockcipher keys K. We say a blockcipher-based hash fuctio is highlyefficiet
More informationDIFFERENTIAL CRYPTANALYSIS FOR A 3-ROUND SPN
IRNTIL RYPTNLYSIS OR -ROUN SPN M. Tolga Sakallı rca uluş daç Şahi atma üyüksaraçoğlu e-mail: tolga@trakya.edu.tr. e-mail: ercab@trakya.edu.tr e-mail: adacs@trakya.edu.tr e-mail: fbuyuksaracoglu@trakya.edu.tr
More informationAn extension of the RSA trapdoor in a KEM/DEM framework
A extesio of the RSA trapdoor i a KEM/DEM framework Bogda Groza Politehica Uiversity of Timisoara Faculty of Automatics ad Computers Bd. Vasile Parva r. 2, 300223 Timisoara, Romaia mail: bogda.groza@aut.upt.ro
More information1 Hash tables. 1.1 Implementation
Lecture 8 Hash Tables, Uiversal Hash Fuctios, Balls ad Bis Scribes: Luke Johsto, Moses Charikar, G. Valiat Date: Oct 18, 2017 Adapted From Virgiia Williams lecture otes 1 Hash tables A hash table is a
More informationAES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:
AES-OTR v3 Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address: k-minematsu@ah.jp.nec.com Date: April 4, 2016 1 Specification OTR, which stands for Offset Two-Round, is a blockcipher
More informationA Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 03, Lecture Notes in Computer Science Vol.??, E. Biham ed., Springer-Verlag, 2003. This is the full version. A Theoretical
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationOn Algorithm for the Minimum Spanning Trees Problem with Diameter Bounded Below
O Algorithm for the Miimum Spaig Trees Problem with Diameter Bouded Below Edward Kh. Gimadi 1,2, Alexey M. Istomi 1, ad Ekateria Yu. Shi 2 1 Sobolev Istitute of Mathematics, 4 Acad. Koptyug aveue, 630090
More informationThe Paillier Cryptosystem
E-Votig Semiar The Paillier Cryptosystem Adreas Steffe Hochschule für Techik Rapperswil adreas.steffe@hsr.ch Adreas Steffe, 17.1.010, Paillier.pptx 1 Ageda Some mathematical properties Ecryptio ad decryptio
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationRevisiting Variable Output Length XOR Pseudorandom Function
Revisiting Variable Output Length XOR Pseudorandom Function Srimanta Bhattacharya, Mridul andi Indian Statistical Institute, Kolkata, India. Abstract. Let σ be some positive integer and C {i, j : 1 i
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationOffset Merkle-Damgård (OMD) version 2.0 A CAESAR Proposal
Offset Merkle-Damgård (OMD) versio 2.0 A CAESAR Proposal Simo Cogliai 1, Diaa Maimut 1, David Naccache 1, Rodrigo Portella 2, Reza Reyhaitabar 3, Serge Vaudeay 3, ad Damia Vizár 3 1 ENS, Frace 2 Uiversité
More informationPolynomial reduction. Outline Lecture. Non deterministic polynomial time. Example 1 : discrete log. Lecture: Polynomial reduction.
Outlie Lecture Part 1 : Asymmetric cryptography, oe way fuctio, complexity Part 2 : arithmetic complexity ad lower bouds : expoetiatio Part 3 : Provable security ad polyomial time reductio : P, NP classes.
More informationThe Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating
More informationAES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.
AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION. ED KNAPP Abstract. We give a framework for construction and composition of universal hash functions. Using this framework,
More informationLecture 9: Pseudo-random generators against space bounded computation,
Lecture 9: Pseudo-radom geerators agaist space bouded computatio, Primality Testig Topics i Pseudoradomess ad Complexity (Sprig 2018) Rutgers Uiversity Swastik Kopparty Scribes: Harsha Tirumala, Jiyu Zhag
More informationDiscrete Mathematics for CS Spring 2008 David Wagner Note 22
CS 70 Discrete Mathematics for CS Sprig 2008 David Wager Note 22 I.I.D. Radom Variables Estimatig the bias of a coi Questio: We wat to estimate the proportio p of Democrats i the US populatio, by takig
More informationNotes for Lecture 5. 1 Grover Search. 1.1 The Setting. 1.2 Motivation. Lecture 5 (September 26, 2018)
COS 597A: Quatum Cryptography Lecture 5 (September 6, 08) Lecturer: Mark Zhadry Priceto Uiversity Scribe: Fermi Ma Notes for Lecture 5 Today we ll move o from the slightly cotrived applicatios of quatum
More informationBuilding Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions
Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,
More information, then cv V. Differential Equations Elements of Lineaer Algebra Name: Consider the differential equation. and y2 cos( kx)
Cosider the differetial equatio y '' k y 0 has particular solutios y1 si( kx) ad y cos( kx) I geeral, ay liear combiatio of y1 ad y, cy 1 1 cy where c1, c is also a solutio to the equatio above The reaso
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More information