Practical Cryptography: Provable Security as a Tool for Protocol Design

Transcription:

Practical Cryptography: Provable Security as a Tool for Protocol Design
Phillip Rogaway, UC Davis & Chiang Mai Univ
rogaway@cs.ucdavis.edu, http://www.cs.ucdavis.edu/~rogaway
Summer School on Foundations of Internet Security, 17-19 June 2002, Duszniki Zdroj, Poland (three two-hour lectures)
Slides modified and tweaked by Dan Wallach, with permission

0. Opening comments

1. What is "provable security"? (outline from the paper board)
2. Block ciphers: 2.1 Syntax; 2.2 Notions of security (prp, prf, kr)
3. Symmetric encryption: 3.1 Syntax; 3.2 Notions of security (sem, ind, ind$, all under CPA)
4. Relating the notions (ind, ind$, 01)
5. Sample block-cipher-using encryption schemes
6. Security of modes: 6.1 CTR-rand; 6.2 CBC-rand
7. MACs and authenticated encryption: 7.1 Notion of authenticated encryption; 7.2 Notion of MACs; 7.3 Ways to MAC (CBC, XCBC, CW (w/ poly-based universal hash), UMAC); 7.4 Ways to achieve authenticated encryption (generic composition, IAPM/OCB)
Concluding comments

Classical approach: recognize problem → protocol → bug → new protocol → bug → ... → publish → implement → ship → bug.

Provable-security approach (begins with [GM82]): recognize problem → definition → protocol Π → proof (a reduction) → publish → instantiate → implement → ship → done.

Primitives and protocols

A protocol Π is built from a primitive π. Examples of (primitive, protocol) pairs on the slide: block cipher → symmetric encryption scheme; block cipher → MAC; one-way function (OWF) → block cipher; and further pairs built from a symmetric encryption scheme, a MAC, or the RSA primitive.

The provable-security claim has the form: if primitive π is secure then protocol Π is secure. Equivalently: if there is no good adversary for attacking π then there is no good adversary for attacking Π. The proof establishes the contrapositive: if there is a good adversary for attacking Π then there is a good adversary for attacking π.

2.1 Block-cipher syntax

E: K × {0,1}^n → {0,1}^n, where each E_K(·) = E(K, ·) is a permutation. Examples: E_K(X) = X; E_K(X) = AES128_K(X).

2.2 Notions of block-cipher security

Key recovery (kr) under chosen-plaintext attack (CPA). The adversary A asks X_1, X_2, ..., X_q and receives E_K(X_1), E_K(X_2), ..., E_K(X_q); it wins if it outputs K:
  Adv^kr_E(A) = Pr[K ← K : A^{E_K(·)} = K]
  Adv^kr_E(t, q) = max_A { Adv^kr_E(A) }, the maximum over adversaries A that run in time t and ask q queries.

The PRP sense of a block cipher being good: the adversary must tell E_K(·), for a random key K, from π(·), for a random permutation π on n-bit strings (there are 2^n! of them). In either case A asks X_1, ..., X_q and receives the oracle's answers.

  Adv^prp_E(A) = Pr[K ← K : A^{E_K(·)} = 1] − Pr[π ← Perm(n) : A^{π(·)} = 1]
  Adv^prp_E(t, q) = max_A { Adv^prp_E(A) } over adversaries A that run in time t and ask q queries.

The attacker responds 0 ("it's a permutation") or 1 ("it's the cipher").

Breaking E_K(X) = X: ask 0^n, receiving Y. If Y = 0^n return 1 (the cipher returns the identity), else return 0. Adv^prp_E(A) = 1 − 2^{−n} (a random permutation might also map 0^n to 0^n).

Two ways to state an assumption about AES:
  Adv^prp_AES(t, q) ≤ t / 2^128 (strong assumption);
  Adv^prp_AES(t, q) ≤ 2^{−40} if t < 2^80 and q < 2^40 (weaker assumption).

PRF sense: the adversary must tell E_K(·) from ρ(·), a random function from Rand(n), the set of all functions from {0,1}^n to {0,1}^n. Again A asks X_1, ..., X_q and receives E_K(X_i) or ρ(X_i).
  Adv^prf_E(A) = Pr[K ← K : A^{E_K(·)} = 1] − Pr[ρ ← Rand(n) : A^{ρ(·)} = 1]
An equivalent form:
  Adv^prf_E(A) = 2 · Pr[b ← {0,1}; if b = 1 then K ← K, f = E_K else f ← Rand(n) : A^{f(·)} = b] − 1

Switching Lemma. If A asks q queries then |Adv^prp_E(A) − Adv^prf_E(A)| ≤ q^2 / 2^{n+1}; equivalently, |Pr[A^{π(·)} = 1] − Pr[A^{ρ(·)} = 1]| ≤ q^2 / 2^{n+1}. (Plot: the bound rises from 0 at q = 0 and reaches 1 at about q = 2^{n/2}.)
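The switching lemma as a runnable experiment. This is an added example, not part of the slides: the collision-finding adversary below is the distinguisher the lemma is tight for (a permutation never repeats an output, a random function repeats one with probability about q(q−1)/2^{n+1}); the toy block size n = 16, the query count q = 256 = 2^{n/2}, and the trial count are my choices so that it runs in seconds.

```python
"""Added example (not from the slides): the switching lemma, made concrete.

A collision-finding adversary is the best distinguisher between a random
permutation pi and a random function rho. The toy block size n = 16 is an
assumption so that the experiment runs quickly.
"""
import random


def lazy_random_permutation(n, rng):
    """pi <- Perm(n), sampled lazily: each new input gets a not-yet-used n-bit output."""
    table, used = {}, set()

    def pi(x):
        if x not in table:
            y = rng.getrandbits(n)
            while y in used:            # rejection sampling keeps pi injective
                y = rng.getrandbits(n)
            table[x] = y
            used.add(y)
        return table[x]
    return pi


def lazy_random_function(n, rng):
    """rho <- Rand(n), sampled lazily: each new input gets an independent output."""
    table = {}

    def rho(x):
        if x not in table:
            table[x] = rng.getrandbits(n)
        return table[x]
    return rho


def collision_adversary(oracle, q):
    """Ask q distinct points; answer 1 ("random function") iff two answers collide."""
    seen = set()
    for x in range(q):
        y = oracle(x)
        if y in seen:
            return 1
        seen.add(y)
    return 0


def exact_collision_probability(q, n):
    """Pr[some collision among q outputs of rho <- Rand(n)] = 1 - prod_{i<q}(1 - i/2^n)."""
    no_collision = 1.0
    for i in range(q):
        no_collision *= 1.0 - i / 2 ** n
    return 1.0 - no_collision


def switching_bound(q, n):
    """The lemma's bound on |Pr[A^pi = 1] - Pr[A^rho = 1]| in the tight form
    q(q-1)/2^(n+1); the slides' q^2/2^(n+1) is slightly larger."""
    return q * (q - 1) / 2 ** (n + 1)


def estimate_advantage(q, n, trials, seed=1):
    """Monte Carlo estimate of Pr[A^rho = 1] - Pr[A^pi = 1] for the collision adversary."""
    rng = random.Random(seed)
    ones_pi = sum(collision_adversary(lazy_random_permutation(n, rng), q) for _ in range(trials))
    ones_rho = sum(collision_adversary(lazy_random_function(n, rng), q) for _ in range(trials))
    return (ones_rho - ones_pi) / trials


if __name__ == "__main__":
    q, n = 256, 16            # q = 2^(n/2): the birthday point of the plot
    print("exact Pr[collision] for rho :", exact_collision_probability(q, n))
    print("switching-lemma bound       :", switching_bound(q, n))
    print("simulated advantage         :", estimate_advantage(q, n, 2000))
```

At q = 2^{n/2} the adversary's advantage is already about 0.39 against a bound of about 0.5, which is why a 64-bit block cipher must be re-keyed well before 2^32 blocks: the lemma is not loose.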

3.1 Symmetric encryption: syntax

Def. A (symmetric, probabilistic) encryption scheme is a 3-tuple Π = (K, E, D) where:
  K is a finite set of keys;
  the message space M ⊆ {0,1}* is a set such that if M ∈ M and |M'| = |M| then M' ∈ M;
  E: K × M → {0,1}* is a probabilistic function;
  D: K × {0,1}* → M ∪ {*} is a deterministic function;
  for all M ∈ M and K ∈ K, if C ← E_K(M) then D_K(C) = M (correct decryption requirement);
  |C| = clen(|M|), i.e. support(E_K(M)) only has strings of one length.

Chosen-plaintext attack (CPA): the adversary A has an oracle E_K(·); it asks M_1, ..., M_q and receives E_K(M_1), ..., E_K(M_q).

3.2 Notions of security

Semantic security (sem). The adversary first outputs a function f and a message distribution M; a message is then drawn from M and encrypted, and A, given the ciphertext, tries to compute f of the message. The comparison is with an experiment in which an independent message is encrypted instead:
  Adv^sem_Π(A) = Pr[K ← K; (f, M) ← A; M ← M; C ← E_K(M) : A(C, f) = f(M)]
               − Pr[K ← K; (f, M) ← A; M, M' ← M; C ← E_K(M') : A(C, f) = f(M)]

Indistinguishability (ind): real encryptions versus encryptions of zeros of the same length:
  Adv^ind_Π(A) = Pr[K ← K : A^{E_K(·)} = 1] − Pr[K ← K : A^{E_K(0^{|·|})} = 1]

Indistinguishability from random bits (ind$): real encryptions versus random strings of the right length:
  Adv^ind$_Π(A) = Pr[K ← K : A^{E_K(·)} = 1] − Pr[A^{$^{clen(|·|)}} = 1]

Lecture 2

4. Relating the notions

The 01 notion. Consider a weak form of semantic security: the adversary cannot tell whether the bit 0 or the bit 1 was encrypted.
  Adv^01_Π(A) = 2 · Pr[b ← {0,1}; K ← K; C ← E_K(b) : A(C) = b] − 1

01 ⇒ ind. Assume A does well at breaking Π in the 01-sense. Construct B that does well at breaking Π in the ind-sense.
  Def of B^f: compute C ← f(1); run A(C); when A halts, outputting b, return b.

  Adv^ind_Π(B) = Pr[B^{E_K(·)} = 1] − Pr[B^{E_K(0^{|·|})} = 1]
    = Pr[K ← K; C ← E_K(1) : A(C) = 1] − Pr[K ← K; C ← E_K(0) : A(C) = 1]
    = Pr[K ← K; C ← E_K(1) : A(C) = 1] − (1 − Pr[K ← K; C ← E_K(0) : A(C) = 0])
    = Pr[K ← K; C ← E_K(1) : A(C) = 1] + Pr[K ← K; C ← E_K(0) : A(C) = 0] − 1
    = 2 · (Pr[K ← K; C ← E_K(1) : A(C) = 1] · (1/2) + Pr[K ← K; C ← E_K(0) : A(C) = 0] · (1/2)) − 1
    = 2 · (Pr[A returns b | b = 1] · Pr[b = 1] + Pr[A returns b | b = 0] · Pr[b = 0]) − 1
    = 2 · Pr[A returns b] − 1
    = Adv^01_Π(A)

ind ⇒ ind$. Let A be an ind-adversary; think of δ = Adv^ind_Π(A) as large. Construct B that breaks Π in the ind$-sense. The result:
  Adv^ind_Π(t, q) ≤ 2 · Adv^ind$_Π(t + tiny, µ), where tiny = O(µ).

Hybrid argument. The ind advantage is the gap between the oracles E_K(·) and E_K(0^{|·|}). Insert the oracle $^{clen(|·|)} between them. The total gap is δ, so at least one of the two gaps, E_K(·) vs $^{clen(|·|)} or $^{clen(|·|)} vs E_K(0^{|·|}), is at least δ/2.
  Case 1: the first gap is ≥ δ/2. Set B = A; then Adv^ind$_Π(B) ≥ δ/2.
  Case 2: the second gap is ≥ δ/2. Adversary B^f behaves as follows: run A; when A asks its oracle x, ask f(0^{|x|}) and return the answer to A; when A outputs a bit b, return 1 − b.

Theorem. Suppose there is an adversary A that runs in time t, asks queries totaling µ bits, and breaks Π in the ind-sense with advantage δ. Then there is an adversary B that runs in time t + O(µ), asks queries totaling µ bits, and breaks Π in the ind$-sense with advantage at least δ/2.

5. Sample block-cipher-using encryption schemes

CBC with various ways to choose the IV: CBC-zero (IV = 0^n), CBC-ctr (IV = a counter), CBC-chain (IV = the last ciphertext block of the previous message), CBC-encctr (IV = E_K(counter)), CBC-rand (IV random). Each encrypts M = M_1 M_2 M_3 ... as C_i = E_K(C_{i−1} ⊕ M_i) with C_0 = IV, and returns (IV, C_1 C_2 C_3 ...).

CTR with a running counter (CTR-ctr: blocks ctr, ctr+1, ctr+2, ... continue across messages) and CTR with a random starting point per message (CTR-rand).

Attacks in the ind-sense (the adversary's oracle is either E_K(·) or E_K(0^{|·|})):

CBC-zero: ask 0^n, receiving C_1; ask 1^n, receiving C_2. If C_1 = C_2 return 0 else return 1. (Under the real oracle the two ciphertexts differ; under the zeros oracle both are E_K(0^n).) This violates ind.

CBC-ctr: ask 0^n, receiving C_1 (IV = 0); ask 0^{n−1}1, receiving C_2 (IV = 1). If C_1 = C_2 return 1 else return 0. (Under the real oracle both block-cipher inputs are 0^n; under the zeros oracle they are 0 and 1.)

CBC-chain: ask 0^n, receiving (IV_1, C_1). The IV of the next message is IV_2 = C_1, which the adversary now knows in advance. Ask IV_1 ⊕ IV_2, receiving C_2: the block-cipher input is again IV_1. If C_2 = C_1 return 1 else return 0.

6.1 CTR-rand

Claim: CTR-rand is secure (in the ind$ sense) if its block cipher is a good PRP.

Let A be an adversary attacking CTR[E]. Construct B that attacks E. Adversary B^f behaves as follows: run A; when A asks its oracle to encrypt M = M_1 ... M_m, choose ctr ← {0,1}^n, compute pad = f(ctr) f(ctr+1) ... f(ctr+m−1), and return (ctr, pad ⊕ M) to A. When A halts, outputting a bit b, return b.
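The three IV attacks above, run against real code in the ind experiment of the slides. This is an added example, not code from the slides: the block cipher is a stand-in, a 4-round Feistel network on 64-bit blocks with HMAC-SHA256 round functions (a keyed permutation; the attacks only depend on how the IV is chosen, not on the cipher), and the "real" versus "zeros" oracles are exactly E_K(·) and E_K(0^{|·|}).

```python
"""Added example (not from the slides): CBC-zero, CBC-ctr and CBC-chain
broken in the ind sense. The 64-bit Feistel cipher is a toy stand-in for AES."""
import hashlib
import hmac
import secrets

BLOCK = 8  # n = 64 bits (toy size)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def prp_encrypt(key, block):
    """E_K on one block: (L, R) -> (R, L xor F_i(R)) for 4 rounds."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def prp_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, msg):
    """C_i = E_K(C_{i-1} xor M_i), C_0 = IV; msg is a whole number of blocks."""
    assert len(msg) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = prp_encrypt(key, xor(prev, msg[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


class CBC:
    """CBC encryption under one of the IV policies from the slides."""

    def __init__(self, iv_policy):
        self.key = secrets.token_bytes(16)
        self.policy = iv_policy
        self.counter = 0
        self.last_block = bytes(BLOCK)

    def _next_iv(self):
        if self.policy == "zero":
            return bytes(BLOCK)
        if self.policy == "ctr":
            iv, self.counter = self.counter.to_bytes(BLOCK, "big"), self.counter + 1
            return iv
        if self.policy == "chain":
            return self.last_block          # last ciphertext block of the previous message
        return secrets.token_bytes(BLOCK)   # "rand"

    def encrypt(self, msg):
        iv = self._next_iv()
        c = cbc_encrypt(self.key, iv, msg)
        self.last_block = c[-BLOCK:]
        return iv, c


# The adversaries of the slides; each answers 1 for "this is the real oracle".
def attack_zero_iv(oracle):
    _, c1 = oracle(bytes(BLOCK))                 # 0^n
    _, c2 = oracle(b"\xff" * BLOCK)              # 1^n
    return 0 if c1 == c2 else 1                  # zeros oracle encrypts 0^n twice


def attack_ctr_iv(oracle):
    _, c1 = oracle(bytes(BLOCK))                 # IV 0: block input 0
    _, c2 = oracle(bytes(BLOCK - 1) + b"\x01")   # IV 1: block input 1 xor 1 = 0
    return 1 if c1 == c2 else 0


def attack_chain_iv(oracle):
    iv1, c1 = oracle(bytes(BLOCK))               # next IV will be c1, known in advance
    _, c2 = oracle(xor(iv1, c1))                 # block input = c1 xor iv1 xor c1 = iv1
    return 1 if c2 == c1 else 0


def advantage(policy, attack, trials=1):
    """Pr[A^{E_K(.)} = 1] - Pr[A^{E_K(0^|.|)} = 1], averaged over fresh keys."""
    ones = {}
    for world in ("real", "zeros"):
        ones[world] = 0
        for _ in range(trials):
            scheme = CBC(policy)

            def oracle(m, world=world, scheme=scheme):
                return scheme.encrypt(m if world == "real" else bytes(len(m)))
            ones[world] += attack(oracle)
    return (ones["real"] - ones["zeros"]) / trials


if __name__ == "__main__":
    for policy, attack in (("zero", attack_zero_iv), ("ctr", attack_ctr_iv), ("chain", attack_chain_iv)):
        print(f"CBC-{policy}: advantage {advantage(policy, attack)}; "
              f"same attack on CBC-rand: {advantage('rand', attack, 20)}")
```

Each attack has advantage 1 against the scheme it targets and advantage 0 (up to 2^{−64}) against CBC-rand: the IV must be unpredictable to the adversary at the time it chooses its message, which is the property a counter or a chained ciphertext block lacks.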

Let σ be the total number of blocks A asks for. Then
  Adv^prp_E(B) = Pr[B^{E_K} = 1] − Pr[B^π = 1]
    ≥ Pr[B^{E_K} = 1] − Pr[B^ρ = 1] − σ^2 / 2^{n+1}                        (switching lemma)
    = Pr[A^{CTR[E_K]} = 1] − Pr[A^{CTR[ρ]} = 1] − σ^2 / 2^{n+1}

Let C be the event of a collision among the inputs to the block cipher. Conditioning on C:
    = Pr[A^{CTR[E_K]} = 1] − Pr[A^{CTR[ρ]} = 1 | ¬C] · Pr[¬C] − Pr[A^{CTR[ρ]} = 1 | C] · Pr[C] − σ^2 / 2^{n+1}
    = Pr[A^{CTR[E_K]} = 1] − Pr[A^$ = 1] · (1 − Pr[C]) − Pr[A^{CTR[ρ]} = 1 | C] · Pr[C] − σ^2 / 2^{n+1}
    = Pr[A^{CTR[E_K]} = 1] − Pr[A^$ = 1] + Pr[C] · Pr[A^$ = 1] − Pr[A^{CTR[ρ]} = 1 | C] · Pr[C] − σ^2 / 2^{n+1}
    ≥ Pr[A^{CTR[E_K]} = 1] − Pr[A^$ = 1] − Pr[C] − σ^2 / 2^{n+1}
    = Adv^ind$_{CTR[E]}(A) − Pr[C] − σ^2 / 2^{n+1}

(When no collision occurs, CTR[ρ] returns uniformly random bits, so Pr[A^{CTR[ρ]} = 1 | ¬C] = Pr[A^$ = 1].) The problem is now an information-theoretic one.

Claim: Pr[C] ≤ σ^2 / 2^{n+1} (see next slide). We then have Adv^ind$_{CTR[E]}(A) ≤ Adv^prp_E(B) + σ^2 / 2^n.

Balls in bins: N = 2^n bins; the i-th query throws m_i balls, with Σ m_i = σ. The adversary wants to create a collision; the best way to do this is to toss one ball at a time, so Pr[C] ≤ 1/N + 2/N + ... + (σ−1)/N ≤ σ^2 / 2N.

Lecture 3

6.2 CBC-rand

Theorem. Let E: K × {0,1}^n → {0,1}^n. Let A attack CBC[E]; assume A runs in time t, asks σ total blocks, and achieves advantage δ_A = Adv^ind$_{CBC[E]}(A). Then there is an adversary B that attacks E, runs in time at most t_B, asks at most q_B queries, and achieves advantage at least δ_B = Adv^prp_E(B), where
  t_B = t + O(σ),  q_B = σ,  δ_B = δ_A − σ^2 / 2^n.

Def of B^f: run A. When A asks its oracle M = M_1 ... M_m: choose IV = C_0 ← {0,1}^n; for i ← 1 to m do C_i ← f(C_{i−1} ⊕ M_i); return (IV, C_1 ... C_m) to A. When A outputs a bit b, return b.

  Adv^prp_E(B) = Pr[B^{E_K} = 1] − Pr[B^π = 1]
  Adv^ind$_{CBC[E]}(A) = Pr[A^{CBC[E_K]} = 1] − Pr[A^$ = 1]

Since B^{E_K} simulates A^{CBC[E_K]} exactly, Pr[B^{E_K} = 1] = Pr[A^{CBC[E_K]} = 1], and so
  Adv^ind$_{CBC[E]}(A) − Adv^prp_E(B) = Pr[B^π = 1] − Pr[A^$ = 1]
    = Pr[A^{CBC[π]} = 1] − Pr[A^$ = 1]
    ≤ Pr[A^{CBC[ρ]} = 1] − Pr[A^$ = 1] + σ^2 / 2^{n+1}                        (switching lemma)

Now a purely information-theoretic question: game-playing shows that the first difference, Pr[A^{CBC[ρ]} = 1] − Pr[A^$ = 1], is at most σ^2 / 2^{n+1}.

7.1 Authenticity

The adversary A asks its oracle E_K(·) for M_1, ..., M_q and receives C_1, ..., C_q; it then outputs a ciphertext C. A wins if C ∉ {C_1, ..., C_q} and D_K(C) ≠ *.

Encrypt-with-redundancy does not give authenticity. Append a redundancy block R to M (e.g. the XOR of the message blocks) and CBC-encrypt M R with a random IV. Attack: ask 0^n 0^n, receiving (IV, C_1 C_2 C_3); forge (IV, C_1 C_2), which decrypts to the one-block message 0^n with redundancy 0^n and so is accepted.

7.2 Message authentication codes

A MAC is a keyed function MAC_K(·) from messages to tags. The sender S sends (M, T = MAC_K(M)) to the receiver R; R computes MAC_K(M) and checks that it equals the received T.

The adversary A asks its oracle MAC_K(·) for M_1, ..., M_q, receives T_1, ..., T_q, and outputs a pair (M, T). A forges if T = MAC_K(M) and M ∉ {M_1, ..., M_q}.
  Adv^mac_MAC(A) = Pr[K ← K : A^{MAC_K(·)} forges]

7.3 Ways to MAC

The CBC MAC of M = M_1 M_2 M_3 ... is the last block of CBC-encrypting M with IV 0^n. To forge: ask 0^n, receiving T; forge (0^n T, T). This works because CBC-MAC_K(0^n T) = E_K(T ⊕ E_K(0^n)) = E_K(T ⊕ T) = E_K(0^n) = T.

Fixing the CBC MAC: Encrypted CBC (from the RACE project) encrypts the CBC MAC output under a second key; shown provably secure (when E is a PRP) by [Petrank, Rackoff]. The CBC MAC is incorrect across messages of varying lengths, but correct for messages of some one fixed length, with bound 3σ^2 / 2^n [BR].

A different fix: XCBC, with provable security shown in [Black, R]; the last message block is XORed with a second key before the final block-cipher call, so that messages of different lengths cannot be spliced.

Carter-Wegman paradigm: first hash M with h to h(M), then apply the keyed primitive. The key for the MAC is (h, K); h is a random element of a family H = {h: M → {0,1}^n}.

Def. A family of hash functions H = {h: M → {0,1}^n} is ε-AU (almost universal) if for all M, M' ∈ M with M ≠ M', Pr_h[h(M) = h(M')] ≤ ε.
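The forgery and the Encrypted-CBC fix, as runnable code. This is an added example, not code from the slides: the n-bit keyed function f_K that stands in for the block cipher E_K is HMAC-SHA256 truncated to 128 bits (an assumption; the CBC MAC only needs a PRF on n-bit blocks), and the forgery is checked against the slides' rule that the forged message must be new.

```python
"""Added example (not from the slides): the one-query forgery against the raw
CBC MAC over messages of varying length, and Encrypted CBC (EMAC) resisting it.
f_K (HMAC-SHA256 truncated to 128 bits) is a stand-in for the block cipher."""
import hashlib
import hmac
import secrets

BLOCK = 16  # n = 128 bits


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def f(key, block):
    """Stand-in for E_K on one n-bit block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_mac(key, msg):
    """Raw CBC MAC: CBC-encrypt with IV 0^n and output the last block."""
    assert msg and len(msg) % BLOCK == 0
    y = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        y = f(key, xor(y, msg[i:i + BLOCK]))
    return y


def emac(key1, key2, msg):
    """Encrypted CBC MAC (the RACE fix): f_{K2}(CBC-MAC_{K1}(M))."""
    return f(key2, cbc_mac(key1, msg))


def cbc_mac_forgery(mac_oracle):
    """Ask T = MAC(0^n); then (0^n || T, T) verifies under the raw CBC MAC, since
    CBC-MAC(0^n || T) = f_K(T xor f_K(0^n)) = f_K(T xor T) = f_K(0^n) = T."""
    zero = bytes(BLOCK)
    t = mac_oracle(zero)
    return zero + t, t


def forgery_succeeds(mac, key_args):
    """Run the forgery against MAC(key_args, .) and apply the slides' win condition:
    the tag verifies and the message was never asked of the oracle."""
    queried = []

    def oracle(m):
        queried.append(m)
        return mac(*key_args, m)
    msg, tag = cbc_mac_forgery(oracle)
    return msg not in queried and hmac.compare_digest(mac(*key_args, msg), tag)


def demo():
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    return {
        "raw_cbc_mac_forged": forgery_succeeds(cbc_mac, (k1,)),
        "emac_forged": forgery_succeeds(emac, (k1, k2)),
    }


if __name__ == "__main__":
    print(demo())
```

Against EMAC the same pair (0^n T', T') fails because T' = f_{K2}(f_{K1}(0^n)) is no longer the intermediate CBC value, so the splice no longer cancels; the forgery would succeed only if f_{K1} happened to map T' ⊕ f_{K1}(0^n) back to f_{K1}(0^n), a 2^{−n} event.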

A polynomial construction. Write M = M_{m−1} ... M_1 M_0 with |M_i| = 128 and let
  M(X) = X^m ⊕ M_{m−1} X^{m−1} ⊕ ... ⊕ M_1 X ⊕ M_0,
all operations in GF(2^128). There are 2^128 elements of H, each described by a 128-bit string R: h_R(M) = M(R). It can be efficiently evaluated (Horner's rule needs m field multiplications).

Claim: H is m/2^128-AU, where m upper-bounds the number of blocks in any message of the message space M.
Proof: for M ≠ M', Pr_R[M(R) = M'(R)] = Pr_R[poly(R) = 0] ≤ m / 2^128, because poly(X) = M(X) ⊕ M'(X) is a nonzero polynomial of degree at most m and therefore has at most m zeros, so the chance that a random point of the field is one of these zeros is at most m divided by the size of the field.

The function NH used in UMAC [BHR]: the message words m_1, ..., m_8 and key words k_1, ..., k_8 are 16 bits each; message and key words are added, the results multiplied in pairs into 32-bit products (16 × 16 → 32), and the products summed to give h(m). This function is 2^{−15}-AU. The above can be computed in just four instructions on a Pentium processor, allowing one to MAC at about 1 cpb.

7.4 Authenticated encryption via generic composition (see [Bellare, Namprempre])

Three ways to combine an encryption scheme E_K and a MAC_K':
  Encrypt-and-MAC: C = E_K(M), T = MAC_K'(M); send (C, T).
  MAC-then-Encrypt: T = MAC_K'(M); send C = E_K(M T).
  Encrypt-then-MAC: C = E_K(M), T = MAC_K'(C); send (C, T). OK!
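The polynomial hash h_R(M) = M(R) over GF(2^128), with the X^m leading term from the slide, and a hash-then-PRF MAC keyed by (R, K). This is an added example, not code from the slides. Assumptions: the field is GF(2)[x]/(x^128 + x^7 + x^2 + x + 1) (the slide only says GF(2^128); this is the GCM/GHASH polynomial), coefficient M_i is the i-th 16-byte block of the message, and the PRF applied to h_R(M) is HMAC-SHA256 truncated to 128 bits rather than a block cipher.

```python
"""Added example (not from the slides): h_R(M) = M(R) in GF(2^128) and a
hash-then-PRF MAC on top of it. Field polynomial and PRF are assumptions."""
import hashlib
import hmac
import secrets

FIELD_BITS = 128
REDUCE = 0x87               # x^128 = x^7 + x^2 + x + 1
MASK = (1 << FIELD_BITS) - 1


def gf_mul(a, b):
    """Multiply in GF(2^128); bit i of an int is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> FIELD_BITS:          # reduce the overflow bit
            a = (a ^ REDUCE) & MASK
    return r


def to_blocks(msg):
    """Coefficients M_0, M_1, ... (M_0 = first 16 bytes); the last block is zero-padded."""
    padded = msg + bytes(-len(msg) % 16)
    return [int.from_bytes(padded[i:i + 16], "big") for i in range(0, len(padded), 16)]


def poly_hash(r, blocks):
    """h_R(M) = M(R) for M(X) = X^m + M_{m-1} X^{m-1} + ... + M_1 X + M_0 (Horner's rule)."""
    acc = 1                           # the leading X^m term
    for coeff in reversed(blocks):    # M_{m-1} down to M_0
        acc = gf_mul(acc, r) ^ coeff
    return acc


def au_bound(m):
    """H is epsilon-AU with epsilon = m / 2^128 for messages of at most m blocks."""
    return m / 2 ** FIELD_BITS


def keygen():
    """MAC key is (R, K): R selects h_R from H, K is the PRF key."""
    return secrets.randbits(FIELD_BITS), secrets.token_bytes(32)


def mac(key, msg):
    """Hash-then-PRF: tag = F_K(h_R(M)), F = HMAC-SHA256 truncated to 128 bits."""
    r, k = key
    hashed = poly_hash(r, to_blocks(msg)).to_bytes(16, "big")
    return hmac.new(k, hashed, hashlib.sha256).digest()[:16]


def verify(key, msg, tag):
    return hmac.compare_digest(mac(key, msg), tag)


if __name__ == "__main__":
    key = keygen()
    tag = mac(key, b"some message")
    print(tag.hex(), verify(key, b"some message", tag), verify(key, b"some messagf", tag))
```

Two things the slide's abstraction leaves to the implementer: the leading X^m term is what separates an m-block message from the same message followed by a zero block (without it, [0] and [0, 0] would both hash to 0), and zero-padding the last block is not injective on byte strings, so a real design also binds the message length (GHASH, for example, appends a length block).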

Authenticated encryption via fancy modes (see IAPM [Jutla] and OCB [RBB]). Figure: a nonce N, message blocks M_1 M_2 M_3, per-block offsets R, 2R, 3R, ... derived from the nonce and the key, and ciphertext blocks C_1 C_2 C_3, with the authentication tag computed in the same pass.
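Generic composition from section 7.4, as runnable code: Encrypt-then-MAC built from a CTR-mode cipher and HMAC, beside Encrypt-and-MAC to show the leak [Bellare, Namprempre] point to (a deterministic MAC over the plaintext reveals message equality, so the composition is not ind-secure). This is an added example, not code from the slides. Assumptions: the CTR keystream comes from HMAC-SHA256 used as the n-bit PRF, a stand-in for the block cipher, and the MAC is HMAC-SHA256 with an independent key.

```python
"""Added example (not from the slides): Encrypt-then-MAC versus Encrypt-and-MAC.
The CTR keystream PRF and the MAC are both HMAC-SHA256 (assumptions)."""
import hashlib
import hmac
import secrets

N = 16        # keystream block length in bytes
TAG_LEN = 32  # HMAC-SHA256 output length


def ctr(kenc, nonce, data):
    """CTR-rand style stream: pad block i is F_K(nonce || i); xor with data."""
    out = bytearray()
    for i in range(0, len(data), N):
        pad = hmac.new(kenc, nonce + (i // N).to_bytes(8, "big"), hashlib.sha256).digest()[:N]
        out += bytes(a ^ b for a, b in zip(data[i:i + N], pad))
    return bytes(out)


def etm_encrypt(kenc, kmac, msg):
    """Encrypt-then-MAC with independent keys: the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(N)
    c = ctr(kenc, nonce, msg)
    tag = hmac.new(kmac, nonce + c, hashlib.sha256).digest()
    return nonce + c + tag


def etm_decrypt(kenc, kmac, blob):
    """Return the plaintext, or None (the slides' '*') if the tag does not verify."""
    if len(blob) < N + TAG_LEN:
        return None
    nonce, c, tag = blob[:N], blob[N:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kmac, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify before touching the ciphertext
        return None
    return ctr(kenc, nonce, c)


def eam_encrypt(kenc, kmac, msg):
    """Encrypt-and-MAC: the tag is over the plaintext and is deterministic,
    so two encryptions of the same message carry the same tag."""
    nonce = secrets.token_bytes(N)
    return nonce + ctr(kenc, nonce, msg) + hmac.new(kmac, msg, hashlib.sha256).digest()


def demo(msg=b"attack at dawn, attack at dawn, attack at dawn"):
    kenc, kmac = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = etm_encrypt(kenc, kmac, msg)
    flipped = bytearray(blob)
    flipped[N] ^= 0x01                             # flip one bit of the ciphertext
    tags_repeat = eam_encrypt(kenc, kmac, msg)[-TAG_LEN:] == eam_encrypt(kenc, kmac, msg)[-TAG_LEN:]
    return {
        "roundtrip": etm_decrypt(kenc, kmac, blob) == msg,
        "bitflip_rejected": etm_decrypt(kenc, kmac, bytes(flipped)) is None,
        "truncation_rejected": etm_decrypt(kenc, kmac, blob[:-1]) is None,
        "nonce_swap_rejected": etm_decrypt(kenc, kmac, secrets.token_bytes(N) + blob[N:]) is None,
        "eam_tags_repeat": tags_repeat,
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations in etm_decrypt is the practical content of "Encrypt-then-MAC OK!": the receiver verifies the tag over everything it is about to use (nonce and ciphertext) and only then decrypts, so a forged or modified ciphertext is rejected without ever exercising the decryption path; with MAC-then-Encrypt, by contrast, decryption must run before the tag can be checked.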