Provable Security in Symmetric Key Cryptography
1 Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012
2 Outline
1. Security Proof of Blockcipher-based Hash Functions
2. Security Proof of a Feistel Cipher
3 Blockcipher
A k-bit key, n-bit blockcipher is a function (algorithm) $E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$ such that each key $K \in \{0,1\}^k$ defines a permutation $E(\cdot, K)$ on $\{0,1\}^n$.
4 Hash Function
An n-bit hash function is a function (algorithm) $H : \{0,1\}^* \to \{0,1\}^n$ that takes a message of arbitrary length and returns an n-bit message digest.
5 Security Requirements for Hash Functions (Everywhere)
Preimage Resistance: hard to find a preimage M such that H(M) = Z for any target image Z. An n-bit hash function should be preimage resistant up to $2^n$ queries.
Collision Resistance: hard to find two different messages M, M' such that H(M) = H(M'). An n-bit hash function should be collision resistant up to $2^{n/2}$ queries.
6 Merkle-Damgård Transform
Transforms a fixed-size compression function f into a hash function (figure: starting from IV, f is applied in turn to the message blocks M[1], ..., M[l] and the length block <l>).
Preserves the collision resistance of the compression function.
Allows one to focus on constructing a secure compression function.
7 Blockcipher-based Hash Function
Why blockcipher-based hash functions?
1. Transfer of the trust in the existing blockcipher to the blockcipher-based hash function
2. A single implementation of a blockcipher used for both a blockcipher and a hash function
Davies-Meyer construction: a blockcipher-based compression function (figure: the message block M keys the blockcipher E).
8 How Can We Prove Security for the DM-scheme?
What we want to prove: if the underlying blockcipher is secure, then the resulting DM-scheme is also secure.
We need to specify
1. what is meant by a "secure blockcipher",
2. what an adversary A is able to do,
3. what the goal of A is.
Then we need to prove that the probability of A achieving the goal is small.
9 Ideal Cipher Model
Ideal Cipher Model: $\mathrm{BC}(k, n) = \{\text{blockciphers with } n\text{-bit blocks and } k\text{-bit keys}\}$; a blockcipher E is randomly chosen from $\mathrm{BC}(k, n)$.
Attack Model: adversary A is allowed two types of oracle queries, $E_K(X)$ and $E_K^{-1}(Y)$, for $X, Y \in \{0,1\}^n$ and $K \in \{0,1\}^k$.
Information-theoretic security: consider an adversary with no limit to its available time and memory.
* In this talk, we will focus on information-theoretic security.
10-25 Recording Query History: Simulation of an Ideal Cipher by Lazy Sampling
For each key K the simulator keeps the set $D_K$ of inputs and the set $R_K$ of outputs already assigned to $E_K$ (both initially empty).
Forward query $(K_1, X_1)$: sample $Y_1 \xleftarrow{\$} \{0,1\}^n \setminus R_{K_1}$, set $R_{K_1} \leftarrow R_{K_1} \cup \{Y_1\}$ and $D_{K_1} \leftarrow D_{K_1} \cup \{X_1\}$, return $Y_1$ and record $(X_1, K_1, Y_1)$.
Backward query $(K_2, Y_2)$: sample $X_2 \xleftarrow{\$} \{0,1\}^n \setminus D_{K_2}$, set $D_{K_2} \leftarrow D_{K_2} \cup \{X_2\}$ and $R_{K_2} \leftarrow R_{K_2} \cup \{Y_2\}$, return $X_2$ and record $(X_2, K_2, Y_2)$.
Forward query $(K_3, X_3)$: as for the first query, giving $(X_3, K_3, Y_3)$, and so on.
After q queries the recorded triples $(X_1, K_1, Y_1), (X_2, K_2, Y_2), (X_3, K_3, Y_3), \ldots, (X_q, K_q, Y_q)$ form the query history Q.
The query history Q determines q evaluations of a blockcipher. Each evaluation again determines a unique evaluation of the DM-scheme.
26-28 Collision Security of the DM-scheme
A query $(X_i, K_i, Y_i)$ determines $\mathrm{DM} : (X_i, K_i) \mapsto X_i \oplus Y_i$.
The adversarial goal: finding a collision, i.e. two queries $(X_i, K_i, Y_i)$ and $(X_j, K_j, Y_j)$ $(i < j)$ such that $X_i \oplus Y_i = X_j \oplus Y_j$.
29 Collision Security of the DM-scheme (Black et al. Crypto 2002)
For fixed i and j such that i < j, $\Pr[X_i \oplus Y_i = X_j \oplus Y_j] \le \frac{1}{2^n - q}$.
Therefore, $\Pr[X_i \oplus Y_i = X_j \oplus Y_j \text{ for some } i < j] = \Pr\left[\bigvee_{1 \le i < j \le q} (X_i \oplus Y_i = X_j \oplus Y_j)\right] \le \frac{q^2}{2^n - q}$.
The DM-scheme is collision resistant up to $2^{n/2}$ queries.
30 Double-block-length Hash Function
Security weaknesses of SBL hash functions: a single-block-length (SBL) hash function is vulnerable to collision attacks due to its short output length. This motivates the design of double-block-length (DBL) hash functions, whose output length is twice the block length of the underlying blockcipher(s). Examples: Abreast-DM and Tandem-DM (figures).
31 Security Proof of Tandem-DM
A 3n-bit to 2n-bit compression function making two calls to a blockcipher using 2n-bit keys.
Proposed by Lai and Massey in Eurocrypt 1992.
The first security proof was given in FSE 2009, its extension in ProvSec 2010.
At Crypto 2011, Lee et al. pointed out the flaws of the previous proofs and presented a new proof.
32 Evaluation of Tandem-DM
Two queries $(A, B\|L, R)$ and $(B, L\|R, S)$ in Q determine one evaluation of $\mathrm{TDM}^E : \{0,1\}^{3n} \to \{0,1\}^{2n}$, $(A, B, L) \mapsto (A \oplus R, B \oplus S)$: the TL query is $R = E_{B\|L}(A)$ and the BL query is $S = E_{L\|R}(B)$.
33 Collision Security of Tandem-DM
Difficulty: a single evaluation of Tandem-DM (as with most DBL schemes) is determined by two queries.
Naive approach: consider four queries $1 \le i, j, i', j' \le q$. Two evaluations of Abreast-DM determined by the i, j-th queries and by the i', j'-th queries collide with probability at most $\frac{1}{(2^n - q)^2}$. The collision finding advantage is then at most $\frac{q^4}{(2^n - q)^2}$.
34-36 Collisions in Tandem-DM
The goal of a collision-finding adversary A: to find $(A, B\|L, R), (B, L\|R, S), (A', B'\|L', R'), (B', L'\|R', S')$ in Q such that $(A, B, L) \ne (A', B', L')$, $A \oplus R = A' \oplus R'$ and $B \oplus S = B' \oplus S'$ (the four queries occupy the positions TL, BL, TR, BR in the figure).
Predicate $\mathrm{Coll}(Q)$ is true if and only if such queries exist in Q.
We want to upper bound $\Pr[\mathrm{Coll}(Q)] = \mathbf{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(A)$, i.e. we want $\Pr[\mathrm{Coll}(Q)]$ to be small.
37-38 Case Analysis
$\mathrm{Coll}(Q) \Rightarrow \mathrm{Coll}_1(Q) \vee \mathrm{Coll}_2(Q) \vee \mathrm{Coll}_3(Q)$, where
$\mathrm{Coll}_1(Q)$: Q has a collision with TL, BL, TR, BR distinct,
$\mathrm{Coll}_2(Q)$: Q has a collision with TL = BL or TR = BR,
$\mathrm{Coll}_3(Q)$: Q has a collision with TL = BR or BL = TR.
Ex) $\mathrm{Coll}_2(Q)$ occurs if $(A, A\|A, A)$ and $(B, B\|B, B)$ with $A \ne B$ exist in Q: each query serves as both the TL and the BL query of an evaluation, and both evaluations output $(0^n, 0^n)$.
We are going to focus on upper bounding $\Pr[\mathrm{Coll}_1(Q)]$.
39-40 Upper bounding $\Pr[\mathrm{Coll}_1(Q)]$
General framework:
1. Upper bound the probability of $\mathrm{Coll}_1^i(Q)$, the event that the i-th query completes a collision.
2. Union bound by summing the upper bounds over all possible queries i = 1, ..., q (if the upper bounds are independent of each query, then we can just multiply by q).
How can we upper bound $\Pr[\mathrm{Coll}_1^i(Q)]$?
41-43 Upper bounding $\Pr[\mathrm{Coll}_1^i(Q)]$
By symmetry, we can assume the last query is either TL or BL.
Last query TL and backward: Case 1. Last query TL and forward: Case 2. Last query BL and backward: Case 3. Last query BL and forward: Case 4.
Union bound: $\Pr[\mathrm{Coll}_1^i(Q)] \le \Pr[\mathrm{Case\ 1}] + \Pr[\mathrm{Case\ 2}] + \Pr[\mathrm{Case\ 3}] + \Pr[\mathrm{Case\ 4}]$.
44-48 Case 1: The Last Query is TL and Backward
1. At the point when TL is queried, B, L, R are fixed.
2. B, L, R uniquely determine BL, and hence $B \oplus S$.
3. The number of BR-queries $(B', L'\|R', S')$ such that $B' \oplus S' = B \oplus S$ is at most α except with small probability.
4. Each of these BR-queries uniquely determines TR, and hence $A' \oplus R'$.
5. The response A to the backward query should be $A' \oplus R' \oplus R$, so $\Pr[\mathrm{Case\ 1}] \le \frac{\alpha}{2^n - q}$ (except with the "bad event").
49-51 Case 2: The Last Query is TL and Forward
Subcase 2a: the BL-query is backward.
1. At the point when TL is queried, A, B, L are fixed.
2. The number of backward queries whose answer is B is at most α except with small probability.
3. Since each of such backward queries uniquely determines R, $\Pr[\mathrm{Subcase\ 2a}] \le \frac{\alpha}{2^n - q}$ (except with the "bad event").
52-55 Case 2: The Last Query is TL and Forward
Subcase 2b: the BL-query is forward.
1. At the point when TL is queried, A, B, L are fixed.
2. The number of forward queries whose input block is B? It is hard to probabilistically restrict this number! We want to eliminate this case.
56 Main Idea: Modified Adversary A'
A' runs A as a subroutine and records its query history Q'.
If A makes a forward query $E_{L\|R}(B)$, then A' makes the query $E_{L\|R}(B)$ and an additional query $E^{-1}_{B\|L}(R)$.
If A makes a backward query $E^{-1}_{B\|L}(R)$, then A' makes the query $E^{-1}_{B\|L}(R)$ and an additional query $E_{L\|R}(B)$.
57-59 The Property of the Modified Adversary
If A makes q queries, then A' makes at most 2q queries.
Since $Q \subseteq Q'$, $\mathbf{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(A) \le \mathbf{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(A')$.
If A obtains the BL position of a certain evaluation by a forward query, then A' will immediately make an additional backward query and place it at the TL position.
If the TL position of a certain evaluation is obtained by a forward query after the BL position is determined, then the BL query should have been obtained by a backward query.
It means that A' does not create Subcase 2b.
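The lazy-sampling simulation of slides 10-25, the Davies-Meyer collision predicate of slides 26-29 and the modified adversary A' of slides 56-59, as an added Python example that is not part of the original talk. The toy block size (n = 8, with 2n-bit keys for Tandem-DM), the seeds and all class and function names are the editor's assumptions.

```python
import random
from typing import Dict, List, Optional, Tuple

# One history record (X, K, Y, fwd): E_K(X) = Y, made as a forward query if fwd.
Query = Tuple[int, int, int, bool]


class IdealCipher:
    """E <-$ BC(k, n) simulated by lazy sampling. For each key K the keys of
    fwd form D_K and the keys of bwd form R_K, so E(., K) stays a permutation.
    Every non-redundant query is appended to the history Q."""

    def __init__(self, n: int, k: int, seed: int = 0):
        self.n, self.k, self.rng = n, k, random.Random(seed)
        self.fwd: Dict[Tuple[int, int], int] = {}  # (K, X) -> Y
        self.bwd: Dict[Tuple[int, int], int] = {}  # (K, Y) -> X
        self.Q: List[Query] = []

    def _record(self, X: int, K: int, Y: int, forward: bool) -> None:
        self.fwd[(K, X)], self.bwd[(K, Y)] = Y, X
        self.Q.append((X, K, Y, forward))

    def enc(self, K: int, X: int) -> int:
        """Forward query E_K(X): a fresh Y <-$ {0,1}^n \\ R_K."""
        if (K, X) not in self.fwd:
            free = [Y for Y in range(1 << self.n) if (K, Y) not in self.bwd]
            self._record(X, K, self.rng.choice(free), True)
        return self.fwd[(K, X)]

    def dec(self, K: int, Y: int) -> int:
        """Backward query E_K^{-1}(Y): a fresh X <-$ {0,1}^n \\ D_K."""
        if (K, Y) not in self.bwd:
            free = [X for X in range(1 << self.n) if (K, X) not in self.fwd]
            self._record(self.rng.choice(free), K, Y, False)
        return self.bwd[(K, Y)]


def dm_collision(Q: List[Query]) -> Optional[Tuple[int, int]]:
    """Each (X_i, K_i, Y_i) in Q fixes DM(X_i, K_i) = X_i xor Y_i. Return the
    first pair of indices (i, j), i < j, with equal digests, or None."""
    first: Dict[int, int] = {}
    for j, (X, _, Y, _) in enumerate(Q):
        if X ^ Y in first:
            return first[X ^ Y], j
        first[X ^ Y] = j
    return None


def dm_birthday(n: int, seed: int) -> Tuple[List[Query], int, int]:
    """Generic adversary: random forward queries until Q contains a DM
    collision, which is expected after about 2^(n/2) queries."""
    E, rng = IdealCipher(n, n, seed), random.Random(seed + 1)
    while True:
        E.enc(rng.getrandbits(n), rng.getrandbits(n))
        hit = dm_collision(E.Q)
        if hit is not None:
            return E.Q, hit[0], hit[1]


def tandem_dm(E: IdealCipher, A: int, B: int, L: int) -> Tuple[int, int]:
    """TDM^E(A, B, L) = (A xor R, B xor S) from the TL query R = E_{B||L}(A)
    and the BL query S = E_{L||R}(B); keys are 2n bits, so E.k must be 2n."""
    R = E.enc((B << E.n) | L, A)
    S = E.enc((L << E.n) | R, B)
    return A ^ R, B ^ S


class ModifiedAdversaryOracle:
    """How A' (slide 56) relays A's queries to E: a forward query E_{L||R}(B)
    is followed by the backward query E^{-1}_{B||L}(R), and a backward query
    E^{-1}_{B||L}(R) by the forward query E_{L||R}(B), so Q is a subset of Q'
    and |Q'| <= 2q."""

    def __init__(self, E: IdealCipher):
        self.E, self.mask = E, (1 << E.n) - 1

    def enc(self, K: int, X: int) -> int:  # A's view: B = X, K = L||R
        Y = self.E.enc(K, X)
        L, R = K >> self.E.n, K & self.mask
        self.E.dec((X << self.E.n) | L, R)  # extra TL query E^{-1}_{B||L}(R)
        return Y

    def dec(self, K: int, Y: int) -> int:  # A's view: R = Y, K = B||L
        X = self.E.dec(K, Y)
        B, L = K >> self.E.n, K & self.mask
        self.E.enc((L << self.E.n) | Y, B)  # extra BL query E_{L||R}(B)
        return X


def forward_queries_have_tl_partner(E: IdealCipher) -> bool:
    """True iff every forward query (B, L||R, S) in Q has a query with key
    B||L and output R in Q, i.e. Subcase 2b cannot occur in Q."""
    n, mask = E.n, (1 << E.n) - 1
    known = {(K, Y) for (_, K, Y, _) in E.Q}
    return all(((B << n) | (K >> n), K & mask) in known
               for (B, K, _, fwd) in E.Q if fwd)
```

With n = 8, dm_birthday typically needs a few dozen queries, matching the $2^{n/2}$ collision bound of slide 29.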
60 Bad Events
$\mathrm{Xor}(Q)$: $\max_{Z \in \{0,1\}^n} |\{i : X_i \oplus Y_i = Z\}| > \alpha$.
$\mathrm{FB}(Q)$: $\max_{Z \in \{0,1\}^n} |\{i : (Y_i = Z \wedge \mathrm{Fwd}[i] = 1) \vee (X_i = Z \wedge \mathrm{Bwd}[i] = 1)\}| > \alpha$.
Probability of the bad events: for a fixed $Z \in \{0,1\}^n$,
$\Pr[|\{i : X_i \oplus Y_i = Z\}| > \alpha] \le \binom{2q}{\alpha}\left(\frac{1}{N - 2q}\right)^\alpha \le \left(\frac{2qe}{\alpha}\right)^\alpha \left(\frac{1}{N - 2q}\right)^\alpha.$
Therefore
$\Pr[\mathrm{Xor}(Q)] \le \Pr\left[\bigvee_{Z \in \{0,1\}^n} \left(|\{i : X_i \oplus Y_i = Z\}| > \alpha\right)\right] \le N\left(\frac{2eq}{\alpha(N - 2q)}\right)^\alpha.$
61 Main Result
Theorem. For $N = 2^n$, $q < N/2$ and $1 \le \alpha \le 2q$,
$\mathbf{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(q) \le 2N\left(\frac{2eq}{\alpha(N - 2q)}\right)^\alpha + \frac{4q\alpha}{N - 2q} + \frac{4q}{N - 2q}.$
Asymptotically, using $\alpha = n/\log n$, $\lim_{n \to \infty} \mathbf{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(N/n) = 0$.
Numerically, for n = 128, using α = 16, $\mathbf{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(\ ) < \frac{1}{2}$.
62 Exercises
Question: prove or disprove the collision resistance of the following SBL compression functions (two constructions shown as figures, each with inputs K and X, blockcipher E and output Y).
63 Security Proof of a 4-round Feistel Cipher
Question: Is DES secure? Answer: We cannot guarantee it.
Question: Is DES secure under the assumption that its round functions and the key schedule are secure? Answer: Yes, we can prove it.
64-65 Provable Security: Assumption
Assumption
1. The round function $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is secure.
2. Round keys $K_i$, i = 1, 2, 3, 4, are securely generated; more precisely, a random master key K generates independent random keys $K_i$, i = 1, 2, 3, 4.
We can prove: the 4-round Feistel cipher is secure. (Figure: input (L, R), four rounds of f under the round keys, output (S, T).)
66 Provable Security: Security Notions
Question: What does it mean that "a block cipher is secure"? We will consider a weaker model than an ideal cipher. What does it mean that "a round function is secure"?
Answer: Even though an adversary is allowed a certain type of attacks with a certain amount of resources, it cannot achieve a certain adversarial goal.
* Resources: time, memory and data.
Information-theoretic security: if a certain protocol is secure against an adversary with no limit to its available time and memory, then we say the protocol is secure in the information-theoretic sense.
67 Security of a Blockcipher: Pseudorandom Permutation
What an adversary A is able to do: the blockcipher E is public, so A is able to compute $E_K(X)$ and $E_K^{-1}(Y)$ for $X, Y \in \{0,1\}^n$ and $K \in \{0,1\}^k$; for a secret key K, A adaptively makes two types of oracle queries, $E_K(\cdot)$ and $E_K^{-1}(\cdot)$ (CPCA-2).
The goal of A: distinguishing the permutation family E from a truly random permutation. Such adversaries are often called distinguishers.
68 Pseudorandom Permutation (PRP)
Let $P_{n,n} = \{g : \{0,1\}^n \to \{0,1\}^n \mid g \text{ is a permutation}\}$. For a keyed permutation family $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$:
Experiment $\mathrm{Exp}^{\mathrm{prp}}_A$:
$K \xleftarrow{\$} \{0,1\}^k$, $g \xleftarrow{\$} P_{n,n}$, $i \xleftarrow{\$} \{0,1\}$;
$\delta \leftarrow A^{O_i(\cdot),\, O_i^{-1}(\cdot)}$, where $O_0(\cdot) = E(K, \cdot)$, $O_0^{-1}(\cdot) = E^{-1}(K, \cdot)$, $O_1(\cdot) = g(\cdot)$ and $O_1^{-1}(\cdot) = g^{-1}(\cdot)$;
if $\delta = i$ then output 1 else output 0.
$\mathbf{Adv}^{\mathrm{prp}}_E(A) = \left|\Pr[\mathrm{Exp}^{\mathrm{prp}}_A = 1] - \frac{1}{2}\right|$ and $\mathbf{Adv}^{\mathrm{prp}}_E(q) = \max_A \mathbf{Adv}^{\mathrm{prp}}_E(A)$.
69 Security of a Round Function: Pseudorandom Function
What an adversary A is able to do: the round function f is public, so A is able to compute $f_K(X)$ for $X \in \{0,1\}^n$ and $K \in \{0,1\}^k$; for a secret key K, A adaptively makes oracle queries $f_K(\cdot)$ (CPA-2).
The goal of A: distinguishing the function family f from a truly random function.
70 Pseudorandom Function (PRF)
Let $F_{n,m} = \{g : \{0,1\}^n \to \{0,1\}^m\}$. For a keyed function family $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$:
Experiment $\mathrm{Exp}^{\mathrm{prf}}_A$:
$K \xleftarrow{\$} \{0,1\}^k$, $g \xleftarrow{\$} F_{n,m}$, $i \xleftarrow{\$} \{0,1\}$;
$\delta \leftarrow A^{O_i(\cdot)}$, where $O_0(\cdot) = f(K, \cdot)$ and $O_1(\cdot) = g(\cdot)$;
if $\delta = i$ then output 1 else output 0.
$\mathbf{Adv}^{\mathrm{prf}}_f(A) = \left|\Pr[\mathrm{Exp}^{\mathrm{prf}}_A = 1] - \frac{1}{2}\right|$ and $\mathbf{Adv}^{\mathrm{prf}}_f(q) = \max_A \mathbf{Adv}^{\mathrm{prf}}_f(A)$.
71-73 PRP vs. PRF
Definition. If an adversary that adaptively makes forward and backward queries is able to distinguish a keyed permutation family from a truly random permutation only with a small probability, then the keyed permutation family is called a CPCA-2 secure pseudorandom permutation (PRP).
Definition. If an adversary that adaptively makes forward queries is able to distinguish a keyed function family from a truly random function only with a small probability, then the keyed function family is called a CPA-2 secure pseudorandom function (PRF).
74 Deterministic Adversary Making No Redundant Query
We can assume:
1. A distinguisher is deterministic: given a probabilistic distinguisher, we can fix its random coins so that the corresponding deterministic algorithm provides the best distinguishing advantage.
2. A distinguisher makes no redundant query: given a distinguisher A that makes redundant queries, we can construct a distinguisher A' that makes no redundant query, using A as a subroutine.
75-77 Security Proof: What We Want to Prove
Let $\psi[f](L, R) = (R, L \oplus f(R))$ be a 1-round Feistel permutation taking an n-bit function f as a round function. Let $\psi[f_1, \ldots, f_r] = \psi[f_r] \circ \cdots \circ \psi[f_1]$ be an r-round Feistel permutation taking r n-bit functions $f_1, \ldots, f_r$.
We will prove that if a round function $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is a CPA-2 secure PRF and a random master key K generates independent random round keys $K_i$, i = 1, 2, 3, 4, then $\psi[f(K_1, \cdot), f(K_2, \cdot), f(K_3, \cdot), f(K_4, \cdot)]$ is a CPCA-2 secure PRP.
It is sufficient to prove that if the round function f is a CPA-2 secure PRF and the round keys $K_i$, i = 1, 2, 3, 4, are chosen independently at random, then $\psi[f(K_1, \cdot), f(K_2, \cdot), f(K_3, \cdot), f(K_4, \cdot)]$ is a CPCA-2 secure PRP.
It is sufficient, in turn, to prove that if round functions $f_i : \{0,1\}^n \to \{0,1\}^n$, i = 1, 2, 3, 4, are chosen independently at random, then $\psi[f_1, f_2, f_3, f_4]$ is a CPCA-2 secure PRP.
78 Game Hopping
Consider the distinguishing games between neighbours in the chain
$\psi[f(K_1, \cdot), f(K_2, \cdot), f(K_3, \cdot), f(K_4, \cdot)]$,
$\psi[f_1, f(K_2, \cdot), f(K_3, \cdot), f(K_4, \cdot)]$,
$\psi[f_1, f_2, f(K_3, \cdot), f(K_4, \cdot)]$,
$\psi[f_1, f_2, f_3, f(K_4, \cdot)]$,
$\psi[f_1, f_2, f_3, f_4]$,
$g$,
where $f_1, f_2, f_3, f_4$ are truly random functions and g is a truly random permutation.
79 Security Proof: What We Want to Prove
Theorem. Suppose that round functions $f_i : \{0,1\}^n \to \{0,1\}^n$, i = 1, 2, 3, 4, are chosen independently at random. Then for any distinguisher A making q queries,
$\mathbf{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(q) \le \frac{q^2}{2^n}.$
* If A is allowed $2^{n/2}$ queries, then A would not be able to distinguish $\psi[f_1, f_2, f_3, f_4]$ from a random permutation.
80 How a Distinguisher Works
After making q queries to $O_i(\cdot)$ and $O_i^{-1}(\cdot)$, A obtains a q-tuple of responses $T = (Z_1, \ldots, Z_q) \in (\{0,1\}^{2n})^q$, called a transcript. The output of A is a function of the transcript T, denoted by A(T).
From T, we can recover q distinct evaluations of $O_i(\cdot)$, say $(L_i, R_i) \mapsto (S_i, T_i)$, i = 1, ..., q. Thus $Z_i$ is either $(L_i, R_i)$ or $(S_i, T_i)$ for i = 1, ..., q.
81 How We Upper Bound the Advantage
Probability $P_2$ that A outputs δ = 1 conditioned on i = 1:
$P_2 = \frac{\#\{g \in P_{2n,2n} : A^{g, g^{-1}} = 1\}}{|P_{2n,2n}|} = \sum_{T : A(T) = 1} \frac{\#\{g \in P_{2n,2n} \text{ yielding } T\}}{2^{2n}!} = \frac{M \cdot (2^{2n} - q)!}{2^{2n}!} = \frac{M}{2^{2n}(2^{2n} - 1) \cdots (2^{2n} - q + 1)} = \frac{M}{2^{2nq}\left(1 - \frac{1}{2^{2n}}\right)\left(1 - \frac{2}{2^{2n}}\right) \cdots \left(1 - \frac{q - 1}{2^{2n}}\right)},$
where M is the number of transcripts T such that A(T) = 1. (A permutation g uniquely determines T.)
82 How We Upper Bound the Advantage
Probability $P_1$ that A outputs δ = 1 conditioned on i = 0:
$P_1 = \frac{\#\{(f_1, f_2, f_3, f_4) : A^{\psi[f_1, f_2, f_3, f_4],\, \psi[f_1, f_2, f_3, f_4]^{-1}} = 1\}}{F_0^4} = \sum_{T : A(T) = 1} \frac{\#\{(f_1, f_2, f_3, f_4) : \psi[f_1, f_2, f_3, f_4] \text{ yields } T\}}{F_0^4},$
where $F_0 = 2^{n 2^n}$ is the size of $F_{n,n} = \{g : \{0,1\}^n \to \{0,1\}^n\}$. (The functions $(f_1, f_2, f_3, f_4)$ uniquely determine T.)
83 How We Upper Bound the Advantage
Since
$\mathbf{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(A) = \left|\Pr[\mathrm{Exp}^{\mathrm{prp}}_A = 1] - \frac{1}{2}\right| = \left|\frac{1}{2}(1 - P_1) + \frac{1}{2}P_2 - \frac{1}{2}\right| = \frac{1}{2}|P_2 - P_1|,$
we want to upper bound $|P_2 - P_1|$.
We can assume $P_2 \ge P_1$: if $P_2(A) < P_1(A)$, then construct A' that uses A as a subroutine and outputs $\delta \oplus 1$ if A outputs δ. Since $P_1(A') = 1 - P_1(A)$ and $P_2(A') = 1 - P_2(A)$, we have $P_2(A') > P_1(A')$ and $\mathbf{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(A) = \mathbf{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(A')$.
84 The Number of Round Functions Compatible with T
Lemma. Let $(L_i, R_i)$ and $(S_i, T_i)$, $1 \le i \le q$, be distinct inputs and the corresponding outputs. Then the number of 4-tuples of functions $(f_1, f_2, f_3, f_4)$ such that $\psi[f_1, f_2, f_3, f_4](L_i, R_i) = (S_i, T_i)$ for all $1 \le i \le q$ is at least
$\frac{F_0^4}{2^{2qn}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2,$
where $F_0 = 2^{n 2^n}$.
85 How We Upper Bound the Advantage
Using the previous lemma,
$P_1 \ge \sum_{T : A(T) = 1} \frac{1}{2^{2nq}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2 = \frac{M}{2^{2nq}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2 = P_2 \prod_{i=1}^{q-1}\left(1 - \frac{i}{2^{2n}}\right)\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2 \ge P_2\left(1 - \frac{q(q-1)}{2^{2n+1}} - \frac{q(q-1)}{2^n}\right) \ge P_2 - \frac{q^2}{2^{n-1}},$
where we use the inequalities $P_2 \le 1$ and $\prod_{i=1}^q (1 - a_i) \ge 1 - \sum_{i=1}^q a_i$ for any $a_1, \ldots, a_q > 0$. Therefore we have
$\mathbf{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(A) = \frac{1}{2}|P_2 - P_1| = \frac{1}{2}(P_2 - P_1) \le \frac{q^2}{2^n}.$
86-87 Proof of Lemma: Choosing $f_1$
1. Choose $f_1$ such that $L_i \oplus f_1(R_i) \ne L_j \oplus f_1(R_j)$ for any $1 \le i < j \le q$.
2. For fixed i and j: if $R_i = R_j$, then $L_i \ne L_j$ and hence any $f_1$ satisfies $L_i \oplus f_1(R_i) \ne L_j \oplus f_1(R_j)$; if $R_i \ne R_j$, then the number of $f_1$ such that $L_i \oplus f_1(R_i) = L_j \oplus f_1(R_j)$ is exactly $F_0/2^n$. So at most $\frac{q(q-1)}{2} \cdot \frac{F_0}{2^n}$ functions $f_1$ satisfy $L_i \oplus f_1(R_i) = L_j \oplus f_1(R_j)$ for some i and j.
3. Therefore there are at least $F_0 - \frac{q(q-1)}{2} \cdot \frac{F_0}{2^n}$ functions $f_1$ such that $L_i \oplus f_1(R_i)$, i = 1, ..., q, are all distinct.
88-90 Proof of Lemma: Choosing $f_2$
1. Fix $f_1$ satisfying the condition described in the previous slides.
2. $f_2$ should satisfy $S_i = S_j \Rightarrow U_i = U_j$, where $U_i = T_i \oplus R_i \oplus f_2(L_i \oplus f_1(R_i))$. WLOG, let $S_1 = S_2 = \cdots = S_{i_1} = S^*_1$, $S_{i_1 + 1} = S_{i_1 + 2} = \cdots = S_{i_2} = S^*_2$, ..., $S_{i_{l-1} + 1} = S_{i_{l-1} + 2} = \cdots = S_{i_l} = S^*_l$. Exactly $(2^n)^l (2^n)^{2^n - q} = F_0/2^{(q-l)n}$ functions $f_2$ satisfy the above condition.
3. Among those functions, we would like to collect functions $f_2$ such that $R_i \oplus f_2(L_i \oplus f_1(R_i)) \ne R_j \oplus f_2(L_j \oplus f_1(R_j))$ for any $1 \le i < j \le q$.
4. For fixed i and j: if $S_i = S_j$, then $T_i \ne T_j$ and hence any $f_2$ satisfies the above condition; if $S_i \ne S_j$, then the number of $f_2$ satisfying $R_i \oplus f_2(L_i \oplus f_1(R_i)) = R_j \oplus f_2(L_j \oplus f_1(R_j))$ and the $q - l$ equations for the first condition is exactly $F_0/2^{(q-l+1)n}$.
5. Excluding the bad functions for each (i, j), we have at least
$\frac{F_0}{2^{(q-l)n}} - \frac{q(q-1)}{2} \cdot \frac{F_0}{2^{(q-l+1)n}} = \frac{F_0}{2^{(q-l)n}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)$
functions $f_2$ such that $S_i = S_j \Rightarrow U_i = U_j$ and $R_i \oplus f_2(L_i \oplus f_1(R_i))$, i = 1, ..., q, are all distinct.
91 Proof of Lemma: Choosing $f_3$
1. Fix $f_1$ and $f_2$ satisfying the conditions described in the previous slides.
2. Choose $f_3$ such that $f_3(R_i \oplus f_2(L_i \oplus f_1(R_i))) = S_i \oplus L_i \oplus f_1(R_i)$ for i = 1, ..., q.
3. The number of such functions is exactly $F_0/2^{qn}$.
92 Proof of Lemma: Choosing $f_4$
1. Fix $f_1$, $f_2$ and $f_3$ satisfying the conditions described in the previous slides.
2. We would like to choose $f_4$ such that $f_4(S^*_i) = U_i$ for i = 1, ..., l.
3. The number of such functions is exactly $F_0/2^{ln}$.
93 Proof of Lemma: Putting Pieces Together
To summarize, the number of $(f_1, f_2, f_3, f_4)$ satisfying $\psi[f_1, f_2, f_3, f_4](L_i, R_i) = (S_i, T_i)$, i = 1, ..., q, is at least
$\left(F_0 - \frac{q(q-1)}{2} \cdot \frac{F_0}{2^n}\right) \cdot \frac{F_0}{2^{(q-l)n}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right) \cdot \frac{F_0}{2^{qn}} \cdot \frac{F_0}{2^{ln}} = \frac{F_0^4}{2^{2qn}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2.$
94 What Provable Security Provides
The Feistel network is a secure structure for the design of a blockcipher. If a Feistel block cipher turns out to be insecure, its weakness lies in its round function or key schedule algorithm, not in the Feistel network itself.
95 A 3-round Feistel Cipher is NOT a PRP
Given a permutation φ:
1. A chooses $L, R \in \{0,1\}^n$ and asks $\varphi(L, R) = (S, T)$.
2. A chooses $L'$ such that $L' \ne L$ and asks $\varphi(L', R) = (S', T')$.
3. A asks $\varphi^{-1}(S', T' \oplus L \oplus L') = (L'', R'')$.
4. A outputs 1 if $R'' = S \oplus S' \oplus R$, and 0 otherwise.
Analysis:
$P_1 = \Pr[A \text{ outputs } 1 \mid \varphi \text{ is a random permutation}] \approx \frac{1}{2^n}$,
$P_2 = \Pr[A \text{ outputs } 1 \mid \varphi = \psi[f_1, f_2, f_3]] = 1$.
Therefore $\mathbf{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3]}(A) = \frac{1}{2}|P_2 - P_1| \approx \frac{1}{2} - \frac{1}{2^{n+1}}$.
96 Why $P_2 = 1$
$\psi[f_1, f_2, f_3](L, R) = (S, T)$ gives $S = R \oplus f_2(L \oplus f_1(R))$.
$\psi[f_1, f_2, f_3]^{-1}(S, T) = (L, R)$ gives $R = S \oplus f_2(T \oplus f_3(S))$ and $L = T \oplus f_3(S) \oplus f_1(S \oplus f_2(T \oplus f_3(S))) = T \oplus f_3(S) \oplus f_1(R)$.
$\psi[f_1, f_2, f_3]^{-1}(S', T' \oplus L \oplus L') = (L'', R'')$ gives $R'' = S' \oplus f_2(T' \oplus L \oplus L' \oplus f_3(S')) = S' \oplus f_2(L \oplus f_1(R)) = S' \oplus (S \oplus R)$.
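The distinguisher of slides 95-96 run against Feistel networks with lazily sampled random round functions and against a truly random permutation, as an added Python example that is not part of the original talk. The toy block size (n = 6, a 12-bit permutation), the seeds and all names are the editor's assumptions; the 4-round case is included so the small output-1 rate can be compared with the bound of slide 79.

```python
import random
from typing import Callable, Dict, List, Tuple


def random_function(n: int, rng: random.Random) -> Callable[[int], int]:
    """f <-$ F_{n,n}, sampled lazily: each new input gets a uniform n-bit value."""
    table: Dict[int, int] = {}

    def f(x: int) -> int:
        if x not in table:
            table[x] = rng.getrandbits(n)
        return table[x]
    return f


class Feistel:
    """psi[f_1, ..., f_r] = psi[f_r] o ... o psi[f_1], where the one-round
    permutation is psi[f](L, R) = (R, L xor f(R))."""

    def __init__(self, fs: List[Callable[[int], int]]):
        self.fs = fs

    def enc(self, L: int, R: int) -> Tuple[int, int]:
        for f in self.fs:
            L, R = R, L ^ f(R)
        return L, R

    def dec(self, S: int, T: int) -> Tuple[int, int]:
        # One round inverted: (S, T) = (R, L xor f(R)) gives (L, R) = (T xor f(S), S).
        for f in reversed(self.fs):
            S, T = T ^ f(S), S
        return S, T


class RandomPermutation:
    """g <-$ P_{2n,2n}, stored as a shuffled table of all 2^(2n) blocks."""

    def __init__(self, n: int, rng: random.Random):
        self.n, self.mask = n, (1 << n) - 1
        self.table = list(range(1 << (2 * n)))
        rng.shuffle(self.table)
        self.inverse = [0] * len(self.table)
        for x, y in enumerate(self.table):
            self.inverse[y] = x

    def enc(self, L: int, R: int) -> Tuple[int, int]:
        y = self.table[(L << self.n) | R]
        return y >> self.n, y & self.mask

    def dec(self, S: int, T: int) -> Tuple[int, int]:
        x = self.inverse[(S << self.n) | T]
        return x >> self.n, x & self.mask


def three_round_distinguisher(phi, n: int, rng: random.Random) -> int:
    """The adversary A of slide 95: two forward queries sharing R, one
    backward query, output 1 iff R'' == S xor S' xor R."""
    L, R = rng.getrandbits(n), rng.getrandbits(n)
    S, T = phi.enc(L, R)                                   # query 1
    L2 = (L + 1 + rng.randrange((1 << n) - 1)) % (1 << n)  # uniform L' != L
    S2, T2 = phi.enc(L2, R)                                # query 2
    _, R2 = phi.dec(S2, T2 ^ L ^ L2)                       # query 3 (backward)
    return 1 if R2 == S ^ S2 ^ R else 0


def output_one_rate(kind: str, n: int, trials: int, seed: int) -> float:
    """Fraction of independent trials in which A outputs 1 against a freshly
    sampled object: 'feistel3' (always 1), 'feistel4' or 'perm' (small)."""
    rng, ones = random.Random(seed), 0
    for _ in range(trials):
        if kind == "perm":
            phi = RandomPermutation(n, rng)
        else:
            rounds = 3 if kind == "feistel3" else 4
            phi = Feistel([random_function(n, rng) for _ in range(rounds)])
        ones += three_round_distinguisher(phi, n, rng)
    return ones / trials
```

The 'feistel3' rate is exactly 1 for every seed because the identity $R'' = S \oplus S' \oplus R$ of slide 96 holds for any round functions.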
97 Exercises
Question: prove that a 3-round Feistel cipher is a CPA-2 secure pseudorandom function up to $2^{n/2}$ queries.
98 References
1. J. Black, P. Rogaway and T. Shrimpton. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. Crypto 2002, LNCS 2442, Springer-Verlag.
2. J. Lee, M. Stam and J. Steinberger. The Collision Security of Tandem-DM in the Ideal Cipher Model. Crypto 2011, LNCS 6841, Springer-Verlag.
3. J. Patarin. Pseudorandom permutations based on the DES scheme. EUROCODE 1990, LNCS 514, Springer-Verlag, 1991.
daptive Preimage Resistance and Permutation-based ash Functions Jooyoung Lee, Je ong Park The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationMJH: A Faster Alternative to MDC-2
MJH: A Faster Alternative to MDC-2 Jooyoung Lee 1 and Martijn Stam 2 1 Sejong University, Seoul, Korea, jlee05@sejongackr 2 University of Bristol, Bristol, United Kingdom, martijnstam@bristolacuk Abstract
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationPreimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing
Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing Matthias Krause 1, Frederik Armknecht 1, and Ewan Fleischmann 2 1 Arbeitsgruppe Theoretische Informatik und Datensicherheit,
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationOptimal Collision Security in Double Block Length Hashing with Single Length Key
Optimal Collision Security in Double Block Length Hashing with Single Length Key Bart Mennink Dept. Electrical Engineering, EST/COSIC, KU Leuven, and IBBT, Belgium bart.mennink@esat.kuleuven.be bstract.
More informationSecurity of Cyclic Double Block Length Hash Functions including Abreast-DM
Security of Cyclic Double Block Length Hash Functions including Abreast-DM Ewan Fleischmann, Michael Gorski, Stefan Lucks {ewan.fleischmann,michael.gorski,stefan.lucks}@uni-weimar.de Bauhaus-University
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationSome Plausible Constructions of Double-Block-Length Hash Functions
Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls
ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationBuilding Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions
Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More informationOn the Collision and Preimage Security of MDC-4 in the Ideal Cipher Model
On the ollision and Preimage Security o in the Ideal ipher Model art Mennink Dept. Electrical Engineering, EST/OSI and IT Katholieke Universiteit Leuven, elgium bart.mennink@esat.kuleuven.be bstract. We
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationLimits on the Efficiency of One-Way Permutation-Based Hash Functions
Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationThe Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating
More informationBlack-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV
Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV J. Black P. Rogaway T. Shrimpton May 31, 2002 Abstract Preneel, Govaerts, and Vandewalle [7] considered the 64 most basic
More informationThe Sum of PRPs is a Secure PRF
The Sum of PRPs is a Secure PRF Stefan Lucks Theoretische Informatik, Universität Mannheim 68131 Mannheim, Germany lucks@th.informatik.uni-mannheim.de Abstract. Given d independent pseudorandom permutations
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationImproved Collision and Preimage Resistance Bounds on PGV Schemes
Improved Collision and Preimage Resistance Bounds on PGV Schemes Lei Duo 1 and Chao Li 1 Department of Science, National University of Defense Technology, Changsha, China Duoduolei@gmail.com Department
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationIndifferentiability of Double Length Compression Functions
Indifferentiability of Double Length Compression Functions Bart Mennink Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iminds, Belgium bart.mennink@esat.kuleuven.be Abstract. Double block length
More informationCascade Encryption Revisited
Cascade Encryption Revisited Peter Gaži 1,2 and Ueli Maurer 1 1 ETH Zürich, Switzerland Department of Computer Science {gazipete,maurer}@inf.ethz.ch 2 Comenius University, Bratislava, Slovakia Department
More informationMix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles
Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles Mohammad Reza Reyhanitabar and Willy Susilo Centre for Computer and Information Security Research School of Computer
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationEWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benoît Cogliati and Yannick Seurin University of Versailles, France benoitcogliati@hotmail.fr ANSSI, Paris, France yannick.seurin@m4x.org
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-Sébastien Coron 1, Jacques Patarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.
More informationImproved security analysis of OMAC
Improved security analysis of OMAC Mridul andi CIVESTAV-IP, Mexico City mridul.nandi@gmail.com Abstract. We present an improved security analysis of OMAC, the construction is widely used as a candidate
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #2
CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible
More informationConstructing Cryptographic Hash Functions from Fixed-Key Blockciphers
Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers Phillip Rogaway 1 and John Steinberger 2 1 Department of Computer Science, University of California, Davis, USA 2 Department of Mathematics,
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationOn Generalized Feistel Networks
On Generalized Feistel Networks Viet Tung Hoang and Phillip Rogaway Dept. of Computer Science, University of California, Davis, USA Abstract. We prove beyond-birthday-bound security for most of the well-known
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationOptimally Secure Block Ciphers from Ideal Primitives
Optimally Secure Block Ciphers from Ideal Primitives Stefano Tessaro Department of Computer Science University of California, Santa Barbara tessaro@cs.ucsb.edu http://www.cs.ucsb.edu/~tessaro/ Abstract.
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationReset Indifferentiability and its Consequences
Reset Indifferentiability and its Consequences ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Arno Mittelbach Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationMessage Authentication Codes from Unpredictable Block Ciphers
Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis John Steinberger July 9, 2009 Abstract We design an efficient mode of operation on block ciphers, SS-NMAC. Our mode has the
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More information