Leftovers from Lecture 3

Similar documents
Introduction to Cryptography Lecture 4

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Introduction to Modern Cryptography Lecture 5

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Foundations of Network and Computer Security

Foundations of Network and Computer Security

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Introduction to Information Security

Foundations of Network and Computer Security

Introduction to Cryptography

Lecture 1: Introduction to Public key cryptography

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Authentication. Chapter Message Authentication

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Lecture 10: NMAC, HMAC and Number Theory

CPSC 467: Cryptography and Computer Security

Notes for Lecture 9. 1 Combining Encryption and Authentication

Message Authentication Codes (MACs)

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

Week 12: Hash Functions and MAC

Introduction to Cybersecurity Cryptography (Part 4)

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Lecture 10: NMAC, HMAC and Number Theory

Introduction to Cybersecurity Cryptography (Part 4)

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Question: Total Points: Score:

Chapter 8 Public-key Cryptography and Digital Signatures

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

1 Number Theory Basics

Cryptographic Hash Functions

Lecture 10 - MAC s continued, hash & MAC

Lecture 10: HMAC and Number Theory

Symmetric Crypto Systems

Secret Key: stream ciphers & block ciphers

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Symmetric Crypto Systems

ECS 189A Final Cryptography Spring 2011

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Asymmetric Encryption

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

1 Cryptographic hash functions

Message Authentication. Adam O Neill Based on

ASYMMETRIC ENCRYPTION

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

1 Cryptographic hash functions

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Exam Security January 19, :30 11:30

Introduction to Modern Cryptography Lecture 4

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CPSC 467: Cryptography and Computer Security

Block Ciphers/Pseudorandom Permutations

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Computer Science A Cryptography and Data Security. Claude Crépeau

Introduction to Modern Cryptography. Benny Chor

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References

Lecture Notes. Advanced Discrete Structures COT S

Lecture 5, CPA Secure Encryption from PRFs

Public-key Cryptography: Theory and Practice

Minimum Number of Multiplications of U Hash Functions

Solution of Exercise Sheet 7

Public Key Cryptography

CPSC 467: Cryptography and Computer Security

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Message Authentication Codes (MACs) and Hashes

Lecture V : Public Key Cryptography

Attacks on hash functions. Birthday attacks and Multicollisions

Avoiding collisions Cryptographic hash functions. Table of contents

Lecture 15: Message Authentication

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

RSA RSA public key cryptosystem

STORY of SQUARE ROOTS. and QUADRATIC RESIDUES. Part I. Public-key cryptosystems II. Other cryptosystems and cryptographic primitives

Public-Key Cryptosystems CHAPTER 4

Digital Signatures. p1.

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Foundations of Network and Computer Security

Lecture Note 3 Date:

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Modern Cryptography Lecture 4

CPSC 467b: Cryptography and Computer Security

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

10 Concrete candidates for public key crypto

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

CPSC 467: Cryptography and Computer Security

Katz, Lindell Introduction to Modern Cryptrography

Transcription:

Leftovers from Lecture 3

Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite field, a lookup table is the most efficient method for implementing multiplication.

Implementing GF(2 5 ) in XMAPLE Irreducible polynomial

More GF(2 5 ) Operations in XMAPLE Addition: b+c test primitive element e <--inverse of a Multiplication: a*e Loop for finding primitive elements

LECTURE 4 Data Integrity & Authentication Message Authentication Codes (MACs)

Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran (forger) Remark: Authentication is orthogonal to secrecy, yet systems often required to provide both.

Definitions Authentication algorithm - A Verification algorithm - V ( accept / reject ) Authentication key k Message space (usually binary strings) Every message between Alice and Bob is a pair (m, A k (m)) A k (m) is called the authentication tag of m

Definition (cont.) Requirement V k (m,a k (m)) = accept The authentication algorithm is called MAC (Message Authentication Code) A k (m) is frequently denoted MAC k (m) Verification is by executing authentication on m and comparing with MAC k (m)

Properties of MAC Functions Security requirement adversary can t construct a new legal pair (m, MAC k (m)) even after seeing (m i, MAC k (m i )) (i=1,2,,n) Output should be as short as possible The MAC function is not 1-to-1

Adversarial Model Available Data: The MAC algorithm Known plaintext Chosen plaintext Note: chosen MAC is unrealistic Goal: Given n legal pairs (m 1, MAC k (m 1 )),, (m n, MAC k (m n )) find a new legal pair (m, MAC k (m))

Adversarial Model We will say that the adversary succeeded even if the message Fran forged is meaningless. The reason is that it is hard to predict what has and what does not have a meaning in an unknown context, and how will Bob, the reciever, react to such successful forgery.

Efficiency Adversary goal: given n legal pairs (m 1, MAC k (m 1 )),, (m n, MAC k (m n )) find a new legal pair (m, MAC k (m)) efficiently and with non negligible probability. If n is large enough then n pairs (m i, MAC k (m i )) determine the key k uniquely (with high prob.). Thus a non-deterministic machine can guess k and verify it. But doing this deterministically should be computationally hard.

MACs Used in Practice We describe a MAC based on CBC Mode Encryption, and a MAC based on cryptographic hash functions.

Reminder: CBC Mode Encryption (Cipher Block Chaining) S 0 P 1 P 2 P 3 E k E k E k C 1 C 2 C 3 Previous ciphertext is XORed with current plaintext before encrypting current block. An initialization vector S 0 is used as a seed for the process. Seed can be openly transmitted.

CBC Mode MACs Start with the all zero seed. Given a message consisting of n blocks M 1,M 2,,M n, apply CBC (using the secret key k). 0000000 M 1 M 2 M n E k C 1 E k C 2.......... E k C n Produce n cipertext blocks C 1,C 2,,C n, discard first n-1. Send M 1,M 2,,M n & the authentication tag MAC k (M)=C n.

Security of CBC MAC [BKR] Claim: If E k is a pseudo random function, then CBC MACis resilient to forgery. Proof outline: Assume CBC MAC can be forged efficiently. Transform the forging algorithm into an algorithm distinguishing E k from random function efficiently.

Combined Secrecy & MAC Given a message consisting of n blocks M 1,M 2,,M n, apply CBC (using the secret key k1) to produce MAC k1 (M). Produce n cipertext blocks C 1,C 2,,C n under a different key, k2. Send C 1,C 2,,C n & the authentication tag MAC k1 (M).

Hash Functions Map large domains to smaller ranges Example h: {0,1,,p 2 } {0,1,,p-1} defined by h(x) = ax+b mod p Used extensively for searching (hash tables) Collisions are resolved by several possible means chaining, double hashing, etc.

Collision Resistance A hash function h: D R is called weakly collision resistant for x D if it is hard to find x x such that h(x )=h(x) A function h: D R is called strongly collision resistant if it is hard to find x, x such that x x but h(x)=h(x )

The Birthday Paradox If 23 people are chosen at random the probability that two of them have the same birth-day is greater than 0.5 More generally, let h:d R be any mapping. If we chose 1.17 R 1/2 elements of D at random, the probability that two of them are mapped to the same image is greater than 0.5.

Cryptographic Hash Functions Cryptographic hash functions are hash functions that are strongly collision resistant. Notice: No secret key. Should be very fast to compute, yet hard to find coliding pairs (impossible if P=NP). Usually defined by: Compression function mapping n bits (e.g. 512) to m bits (e.g 160), m < n.

Extending to Longer Strings Seed H H H h(m) M 1 M 2 M k Η : D --> R (fixed sets, typically {0,1} n and {0,1} m )

Extending the Domain (cont.) The seed is usually constant Typically, padding (including text length of original message) is used to ensure a multiple of n. Claim: if the basic function H is collision resistant, then so is its extension.

Lengths Input message length should be arbitrary. In practice it is usually up to 2 64, which is good enough for all practical purposes. Block length is usually 512 bits. Output length should be at least 160 bits to prevent birthday attacks.

Real-World Hash Functions MD family ( message digest ) MD-2 MD-4 (full description in Stinson s book) MD-5 SHA and SHA-1 (secure hash standard, 160 bits) (www.itl.nist.gov/fipspubs/fip180-1.htm) RIPE-MD SHA-256, 384 and 512 (proposed standards, longer digests)

Basing MACs on Hash Functions First goal: combine message and secret key, hash and produce MAC Second goal: work with any cryptographic hash function First attempt: MAC k (m)=h(k,m) Second attempt: MAC k (m)=h(m,k)

HMAC Proposed in 1996 by [BCK] Receives as input a message m, a key k and a hash function h Outputs a MAC by: HMAC k (m,h)= h(k opad, h(k ipad,m)) Theorem [BCK]: HMAC can be forged if and only if the underlying hash function is broken (collisions found).

HMAC in Practice SSL / TLS WTLS IPSec: AH ESP

Back to Number Theory

Quadratic Residues An element x is a quadratic residue modulo n if there exists y such that y 2 x mod n If x is a quadratic residue then so is x mod n If p is prime there are exactly (p-1)/2 quadratic residues If p is prime, and g is a generator of the multiplicative group, the quadratic residues are even powers of g.

One-Way Functions A function f: D R is called one-way if: Computing f(x) is easy Computing f -1 (y) for almost all the images is hard Given the real-world definition of hard a oneway function may be a single function (e.g. SHA- 1) Given the theoretical definition, we refer to a family of one-way functions

Example The Domain is all the pairs of prime numbers. The function is f(p,q) = pq Multiplication is easy naïve algorithm is O(n 2 ) Factoring is difficult simple algorithm is O(2 n/2 ). NFS and ECM are better but not polynomial. The function f(p,q) = pq maintains length

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback