Block Ciphers/Pseudorandom Permutations

Similar documents
CPA-Security. Definition: A private-key encryption scheme

Constructing secure MACs Message authentication in action. Table of contents

Block ciphers And modes of operation. Table of contents

III. Pseudorandom functions & encryption

CTR mode of operation

1 Number Theory Basics

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

2 Message authentication codes (MACs)

Computational security & Private key encryption

Homework 7 Solutions

Modern symmetric-key Encryption

Solution of Exercise Sheet 7

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Lecture 15: Message Authentication

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

John Hancock enters the 21th century Digital signature schemes. Table of contents

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Lecture 7: CPA Security, MACs, OWFs

Katz, Lindell Introduction to Modern Cryptrography

Lecture 18: Message Authentication Codes & Digital Signa

Avoiding collisions Cryptographic hash functions. Table of contents

Lecture 5, CPA Secure Encryption from PRFs

Symmetric Encryption

Notes for Lecture 9. 1 Combining Encryption and Authentication

Scribe for Lecture #5

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Lecture 13: Private Key Encryption

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

1 Cryptographic hash functions

CS 6260 Applied Cryptography

A survey on quantum-secure cryptographic systems

ECS 189A Final Cryptography Spring 2011

Lecture 10: NMAC, HMAC and Number Theory

Modern Cryptography Lecture 4

Message Authentication

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

1 Basic Number Theory

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

CPSC 91 Computer Security Fall Computer Security. Assignment #2

II. Digital signatures

El Gamal A DDH based encryption scheme. Table of contents

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Private-Key Encryption

Block encryption of quantum messages

Authentication. Chapter Message Authentication

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

1 Cryptographic hash functions

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lectures 2+3: Provable Security

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

CS 6260 Applied Cryptography

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Introduction to Cryptography

1 Indistinguishability for multiple encryptions

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Cryptographic Security of Macaroon Authorization Credentials

Lecture 10 - MAC s continued, hash & MAC

The Random Oracle Model and the Ideal Cipher Model are Equivalent

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Security II: Cryptography

Memory Lower Bounds of Reductions Revisited

Security II: Cryptography

Proofs of Storage from Homomorphic Identification Protocols

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 10: NMAC, HMAC and Number Theory

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

Leftovers from Lecture 3

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Digital signature schemes

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Digital Signatures. p1.

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Lecture 7: Pseudo Random Generators

On the Round Security of Symmetric-Key Cryptographic Primitives

Notes on Property-Preserving Encryption

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

5 Pseudorandom Generators

From Non-Adaptive to Adaptive Pseudorandom Functions

Perfectly-Secret Encryption

RSA and Rabin Signatures Signcryption

Transcription:

Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable from a random permutation.

Strong Pseudorandom Permutation Definition: Let F: 0,1 0,1 0,1 be an efficient, length-preserving, keyed permutation. We say that F is a strong pseudorandom permutation if for all ppt distinguishers D, there exists a negligible function negl such that: Pr D F k,f 1 k 1 n = 1 Pr D f,f 1 1 n = 1 negl n. where k 0,1 n is chosen uniformly at random and f is chosen uniformly at random from the set of all permutations mapping n-bit strings to n-bit strings.

Modes of Operation Stream Cipher If sender and receiver are willing to maintain state, can encrypt multiple messages.

Modes of Operation Block Cipher

Modes of Operation Block Cipher

Message Integrity Secrecy vs. Integrity Encryption vs. Message Authentication

Message Authentication Codes Definition: A message authentication code (MAC) consists of three probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that: 1. The key-generation algorithm Gen takes as input the security parameter 1 n and outputs a key k with k n. 2. The tag-generation algorithm Mac takes as input a key k and a message m 0,1, and outputs a tag t. t Mac k (m). 3. The deterministic verification algorithm Vrfy takes as input a key k, a message m, and a tag t. It outputs a bit b with b = 1 meaning valid and b = 0 meaning invalid. b Vrfy k (m, t). It is required that for every n, every key k output by Gen(1 n ), and every m 0,1, it holds that Vrfy k m, Mac k m = 1.

Security of MACs The message authentication experiment MACforge A,Π n : 1. A key k is generated by running Gen(1 n ). 2. The adversary A is given input 1 n and oracle access to Mac k. The adversary eventually outputs m, t. Let Q denote the set of all queries that A asked its oracle. 3. A succeeds if and only if (1) Vrfy k m, t = 1 and (2) m Q. In that case, the output of the experiment is defined to be 1.

Security of MACs Definition: A message authentication code Π = (Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen message attack if for all probabilistic polynomial-time adversaries A, there is a negligible function neg such that: Pr MACforge A,Π n = 1 neg n.

Strong MACs The strong message authentication experiment MACsforge A,Π n : 1. A key k is generated by running Gen(1 n ). 2. The adversary A is given input 1 n and oracle access to Mac k. The adversary eventually outputs m, t. Let Q denote the set of all pairs m, t that A asked its oracle. 3. A succeeds if and only if (1) Vrfy k m, t = 1 and (2) (m, t) Q. In that case, the output of the experiment is defined to be 1.

Strong MACs Definition: A message authentication code Π = (Gen, Mac, Vrfy) is a strong MAC if for all probabilistic polynomial-time adversaries A, there is a negligible function neg such that: Pr MACsforge A,Π n = 1 neg n.

Constructing Secure Message Authentication Codes

A Fixed-Length MAC Let F be a pseudorandom function. Define a fixed-length MAC for messages of length n as follows: Mac: on input a key k 0,1 n and a message m 0,1 n, output the tag t F k m. Vrfy: on input a key k 0,1 n, a message m 0,1 n, and a tag t 0,1 n, output 1 if and only if t = F k m.

Security Analysis Theorem: If F is a pseudorandom function, then the construction above is a secure fixed-length MAC for messages of length n.

Security Analysis Let A be a ppt adversary trying to break the security of the construction. We construct a distinguisher D that uses A as a subroutine to break the security of the PRF. Distinguisher D: D gets oracle access to oracle O, which is either F k, where F is pseudorandom or f which is truly random. 1. Instantiate A Mack( ) (1 n ). 2. When A queries its oracle with message m, output O(m). 3. Eventually, A outputs (m, t ) where m, t 0,1 n. 4. If m Q, output 0. 5. If m Q, query O(m ) to obtain output z. 6. If t = z output 1. Otherwise, output 0.

Security Analysis Consider the probability D outputs 1 in the case that O is truly random function f vs. O is a pseudorandom function F k. When O is pseudorandom, D outputs 1 with probability Pr MACforge A,Π n = 1 = ρ(n), where ρ is non-negligible. When O is random, D outputs 1 with probability at most 1 2n. Why?

Security Analysis D s distinguishing probability is: 1 2 n ρ n = ρ n 1 2 n. Since, 1 2n is negligible and ρ n is non-negligible, ρ n 1 2n is non-negligible. This is a contradiction to the security of the PRF.

Domain Extension for MACs

CBC-MAC Let F be a pseudorandom function, and fix a length function l. The basic CBC-MAC construction is as follows: Mac: on input a key k 0,1 n and a message m of length l n n, do the following: 1. Parse m as m = m 1,, m l where each m i is of length n. 2. Set t 0 0 n. Then, for i = 1 to l: Set t i F k (t i 1 m i ). Output t l as the tag. Vrfy: on input a key k 0,1 n, a message m, and a tag t, do: If m is not of length l n n then output 0. Otherwise, output 1 if and only if t = Mac k (m).

CBC-MAC

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback