Alternative Approaches: Bounded Storage Model

Similar documents
Alternative Approaches Quantum Cryptography and Bounded Storage Model

Exercise Sheet Cryptography 1, 2011

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Implementation Tutorial on RSA

Number theory (Chapter 4)

Lecture 12: Block ciphers

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Errors, Eavesdroppers, and Enormous Matrices

Lecture Notes, Week 6

Public-Key Cryptosystems CHAPTER 4

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Classical Cryptography

NET 311D INFORMATION SECURITY

Introduction to Cybersecurity Cryptography (Part 4)

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Introduction to Cybersecurity Cryptography (Part 4)

One can use elliptic curves to factor integers, although probably not RSA moduli.

Implementing Ring-LWE cryptosystems

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

5199/IOC5063 Theory of Cryptology, 2014 Fall

Klein s and PTW Attacks on WEP

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Introduction to Cryptology. Lecture 2

Gurgen Khachatrian Martun Karapetyan

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

The Advanced Encryption Standard

ECS 189A Final Cryptography Spring 2011

Cryptography IV: Asymmetric Ciphers

All-Or-Nothing Transforms Using Quasigroups

Lecture Note 3 Date:

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

A Piggybank Protocol for Quantum Cryptography

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Solution to Midterm Examination

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Security Implications of Quantum Technologies

CPSC 467b: Cryptography and Computer Security

Cryptography and Security Midterm Exam

The security of RSA (part 1) The security of RSA (part 1)

CPSC 467b: Cryptography and Computer Security

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Breaking an encryption scheme based on chaotic Baker map

Introduction to Cryptography. Lecture 8

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

Cryptography and Number Theory

Lecture Notes 15 : Voting, Homomorphic Encryption

A block cipher enciphers each block with the same key.

CPSC 467b: Cryptography and Computer Security

Cryptography. P. Danziger. Transmit...Bob...

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

CPA-Security. Definition: A private-key encryption scheme

Question: Total Points: Score:

Cryptographic Hash Functions

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Private-key Systems. Block ciphers. Stream ciphers

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Cryptography. pieces from work by Gordon Royle

Practice Assignment 2 Discussion 24/02/ /02/2018

Jay Daigle Occidental College Math 401: Cryptology

Week 7 An Application to Cryptography

Security of Networks (12) Exercises

Modern symmetric encryption

Perfectly-Secret Encryption

Cook-Levin Theorem. SAT is NP-complete

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

ASYMMETRIC ENCRYPTION

Public Key Cryptography

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Block ciphers And modes of operation. Table of contents

Digital Signatures. Adam O Neill based on

1 Number Theory Basics

CPSC 467: Cryptography and Computer Security

Analysis of Modern Stream Ciphers

CS 6260 Applied Cryptography

Introduction to Modern Cryptography. Benny Chor

Solution to Problem Set 3

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Cryptography and Security Final Exam

Lecture 4: DES and block ciphers

An Introduction to Probabilistic Encryption

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Can You Hear Me Now?

Public-key Cryptography and elliptic curves

Provable security. Michel Abdalla

Lectures 2+3: Provable Security

Public Key Cryptography

A Byte-Based Guess and Determine Attack on SOSEMANUK

Chapter 11 : Private-Key Encryption

Notes for Lecture 17

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

10 Public Key Cryptography : RSA

8 Elliptic Curve Cryptography

Cryptography 2017 Lecture 2

Transcription:

Alternative Approaches: Bounded Storage Model A. Würfl 17th April 2005

1 Motivation Description of the Randomized Cipher 2

Motivation Motivation Description of the Randomized Cipher Common practice in cryptography: If you need an encryption scheme then just take AES (or RSA, ElGamal,... ) and you can be confident that your adversary cannot break it. Why can you be confident? Because several people tried to break these ciphers and nobody succeeded. Question: Can we also be confident that nobody will break it in the future?

Motivation Description of the Randomized Cipher Will the current ciphers be secure in the future? There is a good chance they will not! One of the following disasters can happen: computing power will increase dramatically some non-standard computation model will be implemented (e.g. quantum computers) certain computational tasks (e.g. factoring) will turn out to be easier than expected (or simply someone will show P = NP)

Possible Attack Motivation Description of the Randomized Cipher So the following attack is possible: 1 The adversary stores the transcript of your entire communication 2 Later (maybe in 30 years) he decrypts it.

Motivation Description of the Randomized Cipher Historical Example: VENONA Project Example In 1942-46 Americans read and stored a large number of Soviet cryptograms. Some of them were decrypted decades later.

Main Idea Motivation Description of the Randomized Cipher Instead of assuming that the computing power of the adversary is limited we assume that the memory is limited.

Motivation Description of the Randomized Cipher Strategy of the Strongly-Randomized Cipher The Bounded-Storage-Model is based on a strongly-randomized cipher. It was proposed by Maurer in 1992 new concept of proveable security use of publicly-accesible string of random bits artificial blow-up of data

Terminology Definition capital letters denote random variables, underlined denote random vectors R is the publicly accessible random string of bits X denotes the plaintext, Y the cryptogram and W the keystream X, Y and W are of length N

Preparation Take L = KT bits of R and form a two-dimensional array. Denote the entries with: R[1, 0] R[1, 1]... R[1, T 1] R[2, 0] R[2, 1]... R[2, T 1]... R[K, 0] R[K, 1]... R[K, T 1]

The secret Key The secret Key Z = [Z 1,..., Z K ], where Z k {0,..., T 1} for 1 k K specifies a position within each row of R uniformly distributed over the key space (S Z = {0,..., T 1} K ) key-length: K log 2 T

The Keystream W Key-function Generating the keystream W from the secret key Z and the randomizer R. Definition ( K ) W n = R[k, (n 1 + Z k ) mod T ] k=1 mod 2 where each row of R is considered to be extended cyclically

And finally... The plaintext X and the keystream W are added bitwise modulo 2: Definition Y n = X n W n for 1 n N : a b := (a + b) mod 2

Example Example Let T = 20, K = 6, N = 5, Z = [11, 3, 19, 15, 5, 9] Resulting keystream:

Example Example Let T = 20, K = 6, N = 5, Z = [11, 3, 19, 15, 5, 9] Resulting keystream:

Example Example Let T = 20, K = 6, N = 5, Z = [11, 3, 19, 15, 5, 9] Resulting keystream:

Example Example Let T = 20, K = 6, N = 5, Z = [11, 3, 19, 15, 5, 9] Resulting keystream:

Example Example Let T = 20, K = 6, N = 5, Z = [11, 3, 19, 15, 5, 9] Resulting keystream:

Example Example Let T = 20, K = 6, N = 5, Z = [11, 3, 19, 15, 5, 9] Resulting keystream:

Example Example Let T = 20, K = 6, N = 5, Z = [11, 3, 19, 15, 5, 9] Resulting keystream:

Example Example Let T = 20, K = 6, N = 5, Z = [11, 3, 19, 15, 5, 9] Resulting keystream:

by Maurer 92 Theorem Only with probability of 1 Nδ K an eavesdropper will obtain any information about the plaintext where δ = M/KT M: Number of bits examined by the eavesdropper Very simplistic! See paper for exact theorem and proof.

This means: An example with practical relevance: K = 50, T = 2 50 10 15 plaintext: 1 Gbit, i.e.: N = 2 30 10 9. resulting keysize: 50 log 2 2 50 = 2500 bits legitimate users need to examine only 50 randomizer bits per plaintext bit eavesdropper examines δ = 1/2 of all bits, i.e., M = KT /2 = 25 2 50 bits chance of obtaining any new information about the plaintext: not greater than 2 30 (1/2) 50 < 10 6

Application Generating a random string using a deep-space radio-source Satellite broadcasting random bit-stream with high bandwidth (not yet implemented) Current limit for adversary s memory: 2 50 Byte cost 1 Billion $ No possibility to decode cryptogram later

Thank you for your Attention!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback