COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Similar documents
Introduction to Cryptography

Introduction to Cryptography Lecture 4

Block Ciphers/Pseudorandom Permutations

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Notes for Lecture 9. 1 Combining Encryption and Authentication

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Lecture 9 - Symmetric Encryption

Lecture 10: NMAC, HMAC and Number Theory

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

CPA-Security. Definition: A private-key encryption scheme

Foundations of Network and Computer Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

A survey on quantum-secure cryptographic systems

An introduction to Hash functions

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Foundations of Network and Computer Security

BEYOND POST QUANTUM CRYPTOGRAPHY

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Lecture 5, CPA Secure Encryption from PRFs

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Modern Cryptography Lecture 4

Lecture 18: Message Authentication Codes & Digital Signa

Leftovers from Lecture 3

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Avoiding collisions Cryptographic hash functions. Table of contents

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Lecture 14: Cryptographic Hash Functions

CTR mode of operation

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Introduction to Information Security

Lecture 10 - MAC s continued, hash & MAC

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Provable Security in Symmetric Key Cryptography

2 Message authentication codes (MACs)

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Lecture 7: CPA Security, MACs, OWFs

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Lectures 2+3: Provable Security

Message Authentication Codes (MACs)

Public-Seed Pseudorandom Permutations

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Solution of Exercise Sheet 7

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

1 Cryptographic hash functions

SPCS Cryptography Homework 13

III. Pseudorandom functions & encryption

Foundations of Network and Computer Security

ECS 189A Final Cryptography Spring 2011

Lecture 1. Crypto Background

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Message Authentication Codes from Unpredictable Block Ciphers

Block ciphers And modes of operation. Table of contents

Lecture 10: NMAC, HMAC and Number Theory

Authentication. Chapter Message Authentication

Public-seed Pseudorandom Permutations EUROCRYPT 2017

Modern symmetric-key Encryption

Avoiding collisions Cryptographic hash functions. Table of contents

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

1 Cryptographic hash functions

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Message Authentication Codes from Unpredictable Block Ciphers

CPSC 467: Cryptography and Computer Security

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Symmetric Encryption

Week 12: Hash Functions and MAC

Perfectly-Crafted Swiss Army Knives in Theory

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Introduction to Cybersecurity Cryptography (Part 4)

Computational security & Private key encryption

Introduction to Cybersecurity Cryptography (Part 4)

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Provable Chosen-Target-Forced-Midx Preimage Resistance

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Collapsing sponges: Post-quantum security of the sponge construction

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

12 Hash Functions Defining Security

1 Number Theory Basics

MESSAGE AUTHENTICATION 1/ 103

Chapter 2 : Perfectly-Secret Encryption

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

On the Security of Hash Functions Employing Blockcipher Post-processing

Transcription:

COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017

Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m

Unforgeability m i M c* k ß K λ c i c ß Enc(k,m i ) Output 1 iff: c* {c 1, } Dec(k,c*)

Definition: An encryption scheme (Enc,Dec) is an authenticated encryption scheme if it is unforgeable and CPA secure

Constructing Authenticated Encryption Encrypt- then- MAC Inner encryption scheme guarantees secrecy, regardless of what MAC does (strongly secure) MAC provides integrity, regardless of what encryption scheme does Theorem: Encrypt- then- MAC is an authenticated encryption scheme for any CPA- secure encryption scheme and strongly CMA- secure MAC

Constructing Authenticated Encryption Just because MAC- then- Encrypt and Encrypt- and- MAC are insecure for some MACs/encryption schemes, they may be secure in some settings Ex: MAC- then- Encrypt with CTR or CBC encryption For CTR, any one- time MAC is actually sufficient Theorem: MAC- then- Encrypt with any one- time MAC and CTR- mode encryption is an authenticated encryption scheme

IV k F IV In general, don t use the same key for encryption and authentication k F k F

Using Same Key for Encrypt and MAC In general, do not use same key for multiple purposes Schemes may interact poorly when using the same key However, some modes of operation do allow same key to be used for both authentication and encryption

CCM Mode CCM = Counter Mode with CBC- MAC in Authenticate- then- Encrypt combination Possible to show that using same key for authentication and encryption still provides security

Today More Authenticated Encryption Collision Resistance

Efficiency of Authenticated Encryption So far, most modes can be implemented well in streaming applications Only need to read ciphertext once Can compute MAC and ciphertext at the same time However, most modes seen require two block cipher operations per block 1 for encryption 1 for authentication Ideally, would have only 1 block cipher op per block

OCB Mode

OCB Mode Twice as fast as other block cipher modes of operation However, not used much in practice Patents! Another mode: GCM: Roughly CTR mode then Carter- Wegman MAC

Deterministic Encryption

Deterministic Encryption So far, we have insisted on CPA/CCA/Auth Enc security, which implies scheme must be randomized However, sometimes deterministic encryption is necessary E.g. encrypting database records How to resolve discrepancy?

Deterministic CPA Security b m 0 (i), m 1 (i) c (i) Challenger k ß K λ c (i) ß Enc(k,m b (i) ) b Where m 1 (1),,m 1 (q) are distinct and m 1 (1),,m 1 (q) are distinct

Achieving Det. CPA Security Idea? used fixed det. IV CTR mode? CBC mode? Better options: Derive IV as IV = PRF(k,m) If using Auth Enc, get Det. Auth Enc Use large PRP: c = PRP(k,m) Can get Det. Auth Enc by padding message

Collision Resistant Hashing

Expanding Message Length for MACs Suppose I have a MAC (MAC,Ver) that works for small messages (e.g. 256 bits) How can I build a MAC that works for large messages? One approach: MAC blockwise + extra steps to insure integrity Problem: extremely long tags

Hash Functions Let h:{0,1} n à {0,1} m be a function, m << n MAC (k,m) = MAC(k, h(m)) Ver (k,m,σ) = Ver(k, h(m), σ) Correctness is straightforward Security? Pigeonhole principle: m 0 m 1 s.t. h(m 0 )=h(m 1 )

Collision Resistance Hashing Syntax: Key Space K λ (typically {0,1} λ ) Domain D λ (typically {0,1} l(λ) or {0,1}*) Range R λ (typically {0,1} l (λ) where l (λ)<l(λ) ) Function H: K λ D λ à R λ Security: for every PPT, negl ε Pr[H(k,x 0 ) = H(k,x 1 ) x 0 x 1 : (x 0,x 1 )ß (k), kß K λ ] < ε(λ)

Collision Resistance and MACs Let h(m) = H(k,m) for a random choice of k MAC (k MAC,m) = MAC(k MAC, h(m)) Ver (k MAC,m,σ) = Ver(k MAC, h(m), σ) For now, think of k as part of key for MAC

Theorem: If (MAC,Ver) is CMA- secure and H is collision resistant, then so is (MAC,Ver )

Proof Hybrid 0 k H ß K H k MAC ß K MAC m i σ i ti ß H(kH,mi) (m*,σ*) σß MAC(k MAC, t i ) Output 1 iff: m* {m 1, } Ver(k,t*,σ*) where t* ß H(k H,m*)

Proof Hybrid 1 k H ß K H k MAC ß K MAC m i σ i ti ß H(kH,mi) (m*,σ*) σß MAC(k MAC, t i ) Output 1 iff: t* {t 1, } Ver(k,t*,σ*) where t* ß H(k H,m*)

Proof In Hybrid 1, negligible advantage using MAC security m i σ i (m*,σ*) k H ß K H t i ß H(k H,m i ) (t*,σ*) where t*ß H(k H,m*) σ i If forges with t* {t 1, }, then also forges

Proof If succeeds in Hybrid 0 but not Hybrid 1, then m* {m 1, } But, t* {t 1, } Suppose t* = t i Then (m i,m*) is a collision for H

Theory vs. Practice Hashing key is public: even adversary can know it What role does it play? In practice, Hash functions are un- keyed Hash functions have fixed output size, say {0,1} 256 Problem?

We said 128 bit security is usually enough Why 256- bit outputs?

Birthday Attack If the range of a hash function is R, a collision can be found in time T=O( R ½ ) Attack: Given key k for H For i=1,, T, Choose random x i in D Let t i ß H(k,x i ) Store pair (x i, t i ) Look for collision amongst stored pairs

Birthday Attack Analysis: Expected number of collisions = Number of pairs Prob each pair is collision (T choose 2) 1/ R By setting T=O( R ½ ), expectend number of collisions found is at least 1 likely to find a collision

Birthday Attack Space? Possible to reduce memory requirements to O(1)

Other Security Notions Collision resistance as a game: k x0,x1 1 iff x0 x1 H(k,x0) = H(k,x1)

Other Security Notions 2nd Preimage Resistance (or target collision resistance): x0 x1 k 1 iff x0 x1 H(k,x0) = H(k,x1)

Other Security Notions 2- Universal: x0 x1 k 1 iff x0 x1 H(k,x0) = H(k,x1)

Other Security Notions One- wayness (or pre- image resistance): x1 k,y x0ß D yß H(k,x0) 1 iff y = H(k,x1)

Implications Collision Resistance 2 nd Pre- image Resistance One- wayness

Domain Extension Goal: given h that compresses small inputs, construct H that compresses large inputs Shows that even compressing by a single bit is enough to compress by arbitrarily many bits Useful in practice: build hash functions for arbitrary inputs from hash functions with fixed input lengths Called compression functions Easier to design

Merkle- Damgard IV (fixed) h h h h h

Theorem: If an adversary knows a collision for fixed- length Merkle- Damgard, he can also compute a collision for h

Proof m 1 m 2 m 3 m 4 m 5 IV (fixed) h h h h h t m 1 m 2 m 3 m 4 m 5 IV (fixed) h h h h h t

Proof m 1 m 2 m 3 m 4 m 5 IV (fixed) h h h h h t 6 t 5 m 1 m 2 m 3 m 4 m 5 Collision OR (m 5 =m 5 AND t 5 =t 5 ) IV (fixed) h h h h h t 6 t 5

Proof m 1 m 2 m 3 m 4 IV (fixed) h h h h t 4 m 1 m 2 m 3 m 4 t 5 Collision OR (m 4 =m 4 AND t 4 =t 4 ) IV (fixed) h h h h t 4 t 5

Proof m 1 m 2 m 3 IV (fixed) h h t 3 m 1 m 2 m 3 h t 4 Collision OR (m 3 =m 3 AND t 3 =t 3 ) IV (fixed) h h t 3 h t 4

Proof m 1 m 2 IV (fixed) h t 2 m 1 m 2 h t 3 Collision OR (m 2 =m 2 AND t 2 =t 2 ) IV (fixed) h t 2 h t 3

Proof m 1 IV (fixed) h t 2 Collision OR m 1 =m 1 m 1 IV (fixed) h t 2 But, if m 1 =m 1, then m=m

Merkle- Damgard So far, assumed both inputs in collision has to have the same length As described, cannot prove Merkle- Damgard is secure if inputs are allowed to have different length What if I know an input x such that h(x IV) = IV? Need proper padding Ex: append message length to end of message

Constructing h Common approach: use block cipher Davies- Meyer x y F h(x,y)=x F(y,x)

Constructing h Some other possibilities are insecure x y F h(x,y)=f(y,x) x y F h(x,y)=f(y,x) y

Constructing h x y F h(x,y)=x F(y,x) Why do we think Davies- Meyer is reasonable? Cannot prove collision resistance just based on F being a secure PRP Instead, can argue security in ideal cipher model Pretend F, for each key y, is a uniform random permutation

SHA- 1,2,3 SHA- 1,2 are hash functions built as follows: Build block cipher (SHACAL- 1, SHACAL- 2) Convert into compression function using Davies- Meyer Extend to arbitrary lengths using Merkle- Damgard SHA- 3 is very different Compression function built using unkeyed permutation Extension to arbitrary lengths via sponge construction

Basing MACs on Hash Functions Idea: MAC(k,m) = H(k m) Thought: if H is a good hash function and k is random, should be hard to predict H(k m) without knowing k Unfortunately, cannot prove secure based on just collision resistance of H

Random Oracle Model Pretend H is a truly random function Everyone can query H on inputs of their choice Any protocol using H The adversary (since he knows the key) A query to H has a time cost of 1

MAC in ROM MAC H (k,m) = H(k m) Ver H (k,m,σ) = (H(k m) == σ) Theorem: H(k m) is a secure MAC in the random oracle model

Meaning H Hß Funcs k ß K m i σ i σ i ß MAC H (k,m i ) (m*,σ*) Output 1 iff: m* {m 1, } Ver H (k,m*,σ*)=1

Meaning H Hß Funcs k ß K m i σ i σ i ß H(k m i ) (m*,σ*) Output 1 iff: m* {m 1, } H(k m*)==σ*

Proof Idea Value of H(k m*) independent of adversary s view unless she queries H on k m* Only way to forge better than random guessing is to learn k Adversary only sees truly rand and indep H values and MACs, unless she queries H on k m i for some i Only way to learn k is to query H on k m i However, this is very unlikely without knowing k in the first place

The ROM A random oracle is a good PRF: F(k,x) = H(k x) PRG (assuming H is expanding): Given a random x, H(x) is pseudorandom since adv is unlikely to query H on x CRHF: Given poly- many queries, unlikely for find two that map to same output

The ROM The ROM is very different from security properties like collision resistant What does it mean that Sha- 1 behaves like a random oracle? No satisfactory definition Therefore, a ROM proof is a heuristic argument for security If insecure, adversary must be taking advantage of structural weaknesses in H

When the ROM Fails MAC H (k,m) = H(k m) Ver H (k,m,σ) = (H(k m) == σ) Instantiate with Merkle- Damgard (variable length)? k m 1 m 2 m 3 m 4 IV (fixed) h h h h h σ

When the ROM Fails ROM does not apply to regular Merkle- Damgard Even if h is an ideal hash function Takeaway: be careful about using ROM for non- monolithic hash functions Though still possible to pad MD in a way that makes is an ideal hash function if h is ideal

HMAC k m 1 m 2 m 3 ipad IV (fixed) h h h h k Append padding opad IV (fixed) h h σ

HMAC Hash k m 1 m 2 m 3 ipad IV (fixed) h h h h k Append padding opad IV (fixed) h h σ MAC

HMAC ipad,opad? Two different (but related) keys for hash and MAC ipad makes hash a secret key hash function Even if not collision resistant, maybe still impossible to find collisions when hash key is secret Turned out to be useful after collisions found in MD5

After Spring Break Wrap up symmetric key cryptography Commitment schemes, relationships between symmetric primitives Number- theoretic constructions Public key cryptgoraphy

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback