Solution of Exercise Sheet 7


Foundations of Cybersecurity (Winter 16/17), Prof. Dr. Michael Backes, CISPA / Saarland University

1 Variants of Modes of Operation

Let $(K, E, D)$ be a block cipher. Consider the following modes of operation:

[Figure: encryption of CBC* (left) and encryption of ECB (right). CBC* computes $c_1 = E(K, m_1)$ and $c_i = c_{i-1} \oplus E(K, m_i)$ for $i > 1$, i.e. the XOR with the previous ciphertext block is applied after the block cipher; ECB computes $c_i = E(K, m_i)$.]

(a) (5 points) Show how decryption is done for CBC* (showing by picture is fine).

The solution is shown in Figure 1.

[Figure 1: Decryption of CBC*]

(b) (10 points) Given a ciphertext $c = c_1 \ldots c_n$ that was created for a message $m$ using ECB mode, show how to compute a ciphertext $c'$ that corresponds to a ciphertext of $m$ encrypted under CBC* mode, given only the input $c$. Show that your construction is correct.
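As an added worked example (not part of the original solution sheet), here are both modes and all four parts of the exercise in code, placed ahead of the written solutions that follow. The abstract block cipher $(K, E, D)$ is stood in for by a constructed 16-bit keyed permutation table (a toy, not a real cipher; the key-seeded shuffle is an assumption of this example). Everything else follows the definitions of the modes: CBC* decryption for (a), the keyless ECB-to-CBC* transformation and its inverse for (b) and (c), and the distinguisher on $m_0 = 0^n \| 0^n$, $m_1 = 0^n \| 1^n$ for (d).

```python
import random

BLOCK = 2  # block length in bytes (n = 16 bits); a constructed toy size


class ToyBlockCipher:
    """Stand-in for the block cipher (K, E, D): a keyed permutation of the
    2^16 possible blocks, built by shuffling a table with a key-seeded RNG.
    It is a permutation (so D inverts E) but it is not a secure cipher."""

    def __init__(self, key: bytes):
        self.perm = list(range(1 << (8 * BLOCK)))
        random.Random(key).shuffle(self.perm)
        self.inv = [0] * len(self.perm)
        for x, y in enumerate(self.perm):
            self.inv[y] = x

    def E(self, block: bytes) -> bytes:
        return self.perm[int.from_bytes(block, "big")].to_bytes(BLOCK, "big")

    def D(self, block: bytes) -> bytes:
        return self.inv[int.from_bytes(block, "big")].to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes):
    assert len(data) % BLOCK == 0, "messages consist of whole blocks in this exercise"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(bc: ToyBlockCipher, m: bytes) -> bytes:
    return b"".join(bc.E(mi) for mi in blocks(m))


def cbcstar_encrypt(bc: ToyBlockCipher, m: bytes) -> bytes:
    # c_1 = E(K, m_1);  c_i = c_{i-1} XOR E(K, m_i)   (the XOR sits after E)
    out, prev = [], None
    for mi in blocks(m):
        ci = bc.E(mi) if prev is None else xor(prev, bc.E(mi))
        out.append(ci)
        prev = ci
    return b"".join(out)


def cbcstar_decrypt(bc: ToyBlockCipher, c: bytes) -> bytes:
    # part (a): m_1 = D(K, c_1);  m_i = D(K, c_{i-1} XOR c_i)
    out, prev = [], None
    for ci in blocks(c):
        out.append(bc.D(ci if prev is None else xor(prev, ci)))
        prev = ci
    return b"".join(out)


def ecb_to_cbcstar(c: bytes) -> bytes:
    # part (b): c'_1 = c_1;  c'_i = c'_{i-1} XOR c_i   (no key needed)
    out, prev = [], None
    for ci in blocks(c):
        cur = ci if prev is None else xor(prev, ci)
        out.append(cur)
        prev = cur
    return b"".join(out)


def cbcstar_to_ecb(c: bytes) -> bytes:
    # inverse transformation used in part (c): c_i = c'_{i-1} XOR c'_i
    out, prev = [], None
    for ci in blocks(c):
        out.append(ci if prev is None else xor(prev, ci))
        prev = ci
    return b"".join(out)


M0 = bytes(BLOCK) + bytes(BLOCK)         # m_0 = 0^n || 0^n
M1 = bytes(BLOCK) + b"\xff" * BLOCK      # m_1 = 0^n || 1^n


def guess_message(c: bytes) -> int:
    # part (d): the second CBC* block of m_0 is 0^n, that of m_1 is not,
    # because E(K, 1^n) != E(K, 0^n) for any permutation
    return 0 if blocks(c)[1] == bytes(BLOCK) else 1
```

The transformations in `ecb_to_cbcstar` and `cbcstar_to_ecb` never touch the key, which is the whole point of part (c): anything an attacker learns from one mode's ciphertexts transfers to the other for free, and the equal-block structure exploited in part (d) is visible in CBC* just as it is in ECB.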

For an ECB ciphertext $c = c_1 \| \ldots \| c_n$ compute $c' = c'_1 \| \ldots \| c'_n$ by

$$c'_i = \begin{cases} c_i, & \text{if } i = 1, \\ c'_{i-1} \oplus c_i, & \text{otherwise.} \end{cases}$$

Proof by induction over $i$.

Induction basis: The construction is correct for $i = 1$.

Induction hypothesis: The construction is correct for all $i \le n$.

Induction step: By the above construction, the $(n+1)$-st ciphertext block is computed by $c'_{n+1} = c'_n \oplus c_{n+1}$. Since by the induction hypothesis $c'_n$ was computed correctly, this exactly corresponds to the encryption in CBC* mode. The construction is therefore correct.

(c) (5 points) Compared to ECB, is CBC* more, less or equally secure? Explain your answer.

Both are equally secure. If I can break ECB mode, I can use the transformation above and break CBC*, so CBC* is at most as secure as ECB. The transformation can be inverted, so we can also transform CBC* ciphertexts into ECB ciphertexts, i.e., the argument is symmetric, giving us equal security.

(d) (5 points) Show how you can construct two messages $m_0$ and $m_1$ such that you can always determine which of these two messages was encrypted by CBC* just given the ciphertext $c$ of that message.

Consider the messages $m_0 = 0^n \| 0^n$ and $m_1 = 0^n \| 1^n$. CBC* encrypts $m_0$ to $c_0 = c_{00} \| 0^n$ where $c_{00} = E(K, 0^n)$, and encrypts $m_1$ to $c_1 = c_{00} \| c_{11}$ where $c_{11} = c_{00} \oplus E(K, 1^n)$. In particular, $E(K, 1^n) \neq c_{00}$ (otherwise $(K, E, D)$ is not a correct encryption scheme). Thus $c_{11} \neq 0^n$. An adversary can thus always distinguish whether $m_0$ or $m_1$ was encrypted.

2 Insecure MACs

Let $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be a pseudorandom function. Show that each of the following message authentication codes is insecure, i.e. show that, given a finite

number of valid message/tag pairs $\{(m_i, t_i)\}_{i=1}^{n}$ for messages $m_i$ chosen by yourself, you can forge a message/tag pair $(m^*, t^*) \neq (m_i, t_i)$ (for all $i$) that is valid.

(a) (5 points) To authenticate a message $m = m_1 \| m_2$ with $m_i \in \{0,1\}^n$, compute the tag $t = S(K, m)$ via
$$S(K, m) := F(K, F(K, m_2)) \| F(K, m_1).$$

The following adversary $A$ wins with probability 1: First, $A$ queries a random message $m = m_1 \| m_2$, getting back a tag $t = t_2 \| t_1 = F(K, F(K, m_2)) \| F(K, m_1)$. Second, $A$ queries the random message $m' = m_3 \| m_4$, yielding $t' = t_4 \| t_3 = F(K, F(K, m_4)) \| F(K, m_3)$. Finally, $A$ outputs the message/tag pair $(m_1 \| m_4,\ t_4 \| t_1)$, which is valid and has not been queried before.

(b) (5 points) To authenticate a message $m = m_1 \| \ldots \| m_l$ with $m_i \in \{0,1\}^n$, compute the tag $t = S(K, m)$ via
$$S(K, m) := \bigoplus_{i \le l} \big( K \oplus F(K, m_i) \big).$$

Consider the adversary $B$ that queries the message $m = 0^{(l-2)n} \| 1^{2n}$ for an even $l$, yielding the tag
$$\begin{aligned}
t &= \underbrace{K \oplus F(K, 0^n) \oplus \ldots \oplus K \oplus F(K, 0^n)}_{l-2 \text{ blocks}} \oplus K \oplus F(K, 1^n) \oplus K \oplus F(K, 1^n) \\
  &= \underbrace{K \oplus \ldots \oplus K}_{l} \oplus \underbrace{F(K, 0^n) \oplus \ldots \oplus F(K, 0^n)}_{l-2} \oplus F(K, 1^n) \oplus F(K, 1^n) \\
  &= 0^n \oplus \underbrace{F(K, 0^n) \oplus \ldots \oplus F(K, 0^n)}_{l-2} \oplus 0^n \\
  &= \underbrace{F(K, 0^n) \oplus \ldots \oplus F(K, 0^n)}_{l-2}.
\end{aligned}$$

$B$ finally outputs $(0^{ln}, t)$, which has not been queried before and is indeed valid:
$$\begin{aligned}
t &= \underbrace{F(K, 0^n) \oplus \ldots \oplus F(K, 0^n)}_{l-2} \\
  &= \underbrace{F(K, 0^n) \oplus \ldots \oplus F(K, 0^n)}_{l-2} \oplus 0^n \\
  &= \underbrace{F(K, 0^n) \oplus \ldots \oplus F(K, 0^n)}_{l-2} \oplus F(K, 0^n) \oplus F(K, 0^n) \\
  &= \underbrace{F(K, 0^n) \oplus \ldots \oplus F(K, 0^n)}_{l} \oplus \underbrace{K \oplus \ldots \oplus K}_{l} \\
  &= \underbrace{K \oplus F(K, 0^n) \oplus \ldots \oplus K \oplus F(K, 0^n)}_{l} = S(K, 0^{ln}).
\end{aligned}$$
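Both MACs and both adversaries, as an added example that is not part of the original sheet. The PRF $F$ is instantiated (an assumption of this example) as HMAC-SHA256 truncated to $n = 16$ bytes; the tag oracle records every queried message so that the code can check the forged message is new, as the exercise demands. As a contrast not taken from the sheet, the same splice is also tried against a MAC that applies one PRF call to the whole message (HMAC-SHA256), where the tag halves cannot be recombined.

```python
import hashlib
import hmac
import secrets

N = 16  # block/tag length n in bytes; a constructed choice for this example


def F(K: bytes, x: bytes) -> bytes:
    """PRF F: {0,1}^n x {0,1}^n -> {0,1}^n, instantiated here (assumption of
    the example) as HMAC-SHA256 truncated to n bytes."""
    assert len(K) == N and len(x) == N
    return hmac.new(K, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(m: bytes):
    assert len(m) % N == 0
    return [m[i:i + N] for i in range(0, len(m), N)]


def mac_a(K: bytes, m: bytes) -> bytes:
    # part (a): S(K, m_1 || m_2) = F(K, F(K, m_2)) || F(K, m_1)
    m1, m2 = split(m)
    return F(K, F(K, m2)) + F(K, m1)


def mac_b(K: bytes, m: bytes) -> bytes:
    # part (b): S(K, m_1 || ... || m_l) = XOR over i of (K xor F(K, m_i))
    t = bytes(N)
    for mi in split(m):
        t = xor(t, xor(K, F(K, mi)))
    return t


def mac_whole(K: bytes, m: bytes) -> bytes:
    # contrast (not from the sheet): a single PRF call over the whole message
    return hmac.new(K, m, hashlib.sha256).digest()


def forge_a(tag_oracle):
    """Adversary A: two chosen-message queries, then splice the tag halves."""
    m1, m2, m3, m4 = (secrets.token_bytes(N) for _ in range(4))
    t2, t1 = split(tag_oracle(m1 + m2))   # t  = t_2 || t_1
    t4, t3 = split(tag_oracle(m3 + m4))   # t' = t_4 || t_3
    return m1 + m4, t4 + t1


def forge_b(tag_oracle, l: int = 4):
    """Adversary B: one query on 0^{(l-2)n} || 1^{2n} (l even); the answer
    is also the tag of the never-queried message 0^{ln}."""
    assert l % 2 == 0
    queried = bytes(N * (l - 2)) + b"\xff" * (2 * N)
    return bytes(N * l), tag_oracle(queried)


def run_forgeries():
    """Returns (forgery (a) verifies, forgery (b) verifies, splice verifies
    against the whole-message MAC). A verifier that recomputes the tag
    accepts the first two although neither message was ever queried."""
    K = secrets.token_bytes(N)
    log = []

    def oracle(mac):
        def ask(m):
            log.append(m)           # record queries, as the exercise requires
            return mac(K, m)
        return ask

    m_star, t_star = forge_a(oracle(mac_a))
    ok_a = m_star not in log and hmac.compare_digest(mac_a(K, m_star), t_star)
    m_star, t_star = forge_b(oracle(mac_b))
    ok_b = m_star not in log and hmac.compare_digest(mac_b(K, m_star), t_star)
    m_star, t_star = forge_a(oracle(mac_whole))
    splice_vs_whole = hmac.compare_digest(mac_whole(K, m_star), t_star)
    return ok_a, ok_b, splice_vs_whole
```

The two MACs fail for structural reasons that the PRF cannot repair: in (a) each half of the tag depends on only one message block, so halves from different queries can be recombined, and in (b) the XOR of per-block values forgets block order and cancels any block that occurs an even number of times.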

3 Combining Hash Functions

(a) (5 points) Let $H_1 : \{0,1\}^* \to \{0,1\}^n$, $H_2 : \{0,1\}^* \to \{0,1\}^m$ and $H_3 : \{0,1\}^* \to \{0,1\}^m$ be hash functions. Prove that if at least one of them is collision resistant, then $G : \{0,1\}^* \to \{0,1\}^{n+m}$ defined as $G(x) := H_3(x) \,\square\, H_1(x) \,\square\, H_2(x)$ is collision resistant (the operators combining the three hash values, written $\square$ here, were lost in transcription).

Assume (without loss of generality) $H_1$ to be collision resistant. We show by reduction that if an adversary finds a collision for $G$, then it also finds a collision for $H_1$. Let $g_0 \neq g_1$ be a collision for $G$, hence $G(g_0) = G(g_1)$. This implies $H_3(g_0) \,\square\, H_1(g_0) \,\square\, H_2(g_0) = H_3(g_1) \,\square\, H_1(g_1) \,\square\, H_2(g_1)$. In particular, $H_1(g_0) = H_1(g_1)$. Thus $g_0, g_1$ is also a collision for $H_1$. We conclude that $G$ is collision resistant if $H_1$ is collision resistant. The same argumentation holds for $H_2$.

(b) (10 points) Let $H_1, H_2 : \{0,1\}^* \to \{0,1\}^n$ be two collision resistant hash functions. For each $i$, prove or disprove that $G_i$ is a collision resistant hash function.

b1) $G_1 : \{0,1\}^* \to \{0,1\}^n$ defined as $G_1(x) := H_1(H_2(x))$.

b2) $G_2 : \{0,1\}^* \to \{0,1\}^n$ defined as $G_2(0^n \| 1 \| y) := H_1^n(y)$, where $H_1^n$ denotes the $n$-fold application of $H_1$.

b3) $G_3 : \{0,1\}^* \to \{0,1\}^n$ defined as $G_3(0^n \| 1 \| y) := H_1(y \| H_2(0^n))$.

b1) $G_1$ is collision resistant. Assume for contradiction that an adversary is known that outputs a collision $x_1, x_2$ with $x_1 \neq x_2$ and $H_1(H_2(x_1)) = H_1(H_2(x_2))$. Then either $H_2(x_1) = H_2(x_2)$, hence $x_1, x_2$ is a collision for $H_2$, a contradiction; or $H_2(x_1) \neq H_2(x_2)$, hence $H_2(x_1), H_2(x_2)$ is a collision for $H_1$, a contradiction. Both cases violate the assumption that $H_1$ and $H_2$ are collision resistant. We conclude that $G_1$ is indeed collision resistant.

b2) $G_2$ is not collision resistant. Consider the collision $x_1, x_2 \in \{0,1\}^*$ with $x_1 = 001 \| 0^n$ and $x_2 = 01 \| H_1(0^n)$. Indeed, we see that
$$G_2(x_1) = G_2(001 \| 0^n) = H_1^2(0^n) = H_1(H_1(0^n)) = G_2(01 \| H_1(0^n)) = G_2(x_2).$$
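The three constructions of (b) and the collision of b2) in runnable form, as an added example that is not part of the original sheet. $H_1$ and $H_2$ are instantiated (assumptions of this example) as SHA-256 and SHA3-256, and the bit strings $0^n \| 1 \| y$ are encoded with one byte per leading symbol (0x00 for each 0, 0x01 for the separator) followed by $y$ as raw bytes; the prefix length $n$ is the iteration count, as in the sheet's notation. The same pair of inputs is also fed to $G_1$ and $G_3$, where it does not collide, which is what b1) and b3) prove in general.

```python
import hashlib

N = 32  # output length of H_1 and H_2 in bytes (SHA-256 / SHA3-256)


def H1(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()       # stands in for H_1 (example assumption)


def H2(x: bytes) -> bytes:
    return hashlib.sha3_256(x).digest()     # stands in for H_2 (example assumption)


def parse(x: bytes):
    """Reads an input of the form 0^n || 1 || y (one byte per leading symbol)
    and returns (n, y). Inputs without the separator are rejected."""
    n = 0
    while n < len(x) and x[n] == 0:
        n += 1
    if n == len(x) or x[n] != 1:
        raise ValueError("input is not of the form 0^n || 1 || y")
    return n, x[n + 1:]


def G1(x: bytes) -> bytes:
    return H1(H2(x))                        # b1)


def G2(x: bytes) -> bytes:
    n, y = parse(x)                         # b2): H_1^n(y), n-fold application
    for _ in range(n):
        y = H1(y)
    return y


def G3(x: bytes) -> bytes:
    n, y = parse(x)                         # b3): H_1(y || H_2(0^n))
    return H1(y + H2(bytes(n)))


def g2_collision():
    """The collision from b2): x_1 = 001 || 0^N and x_2 = 01 || H_1(0^N).
    G_2 iterates H_1 twice on 0^N for x_1 and once on H_1(0^N) for x_2."""
    x1 = bytes([0, 0, 1]) + bytes(N)
    x2 = bytes([0, 1]) + H1(bytes(N))
    return x1, x2


def collides(G, x1: bytes, x2: bytes) -> bool:
    return x1 != x2 and G(x1) == G(x2)
```

The defect in $G_2$ is that the prefix length is a free parameter the attacker controls: moving one iteration of $H_1$ from the prefix count into the payload $y$ produces a second preimage without touching $H_1$'s own collision resistance. $G_3$ binds the prefix length into the hashed data through $H_2(0^n)$, so the same trick changes the input of $H_1$.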

b3) $G_3$ is indeed collision resistant. Assume for contradiction that an adversary is known that outputs a collision $x_1 = 0^m \| 1 \| y_1$ and $x_2 = 0^n \| 1 \| y_2$ with $x_1 \neq x_2$ and $G_3(x_1) = G_3(x_2)$. This implies that $y_1 \neq y_2$ or $n \neq m$. Now, since $x_1$ and $x_2$ are a collision for $G_3$, we have that $H_1(y_1 \| H_2(0^m)) = H_1(y_2 \| H_2(0^n))$. Since $H_1$ is collision resistant, however, we have that $y_1 \| H_2(0^m) = y_2 \| H_2(0^n)$. By definition, $H_2$ returns a bit string of length $n$. Hence $y_1 = y_2$ and $H_2(0^m) = H_2(0^n)$. But since $H_2$ is collision resistant as well, we get that $m = n$. We thus contradict our initial condition that $y_1 \neq y_2$ or $n \neq m$. Hence $G_3$ is collision resistant.

4 BONUS: Key Complementarity of DES

(a) (+10 bonus) Show that in the DES structure, $E_{\mathrm{DES}}(\bar K, \bar m) = \overline{E_{\mathrm{DES}}(K, m)}$, where $\bar x$ denotes the bitwise complement of $x$ and $E_{\mathrm{DES}}(K, m)$ is the DES encryption function using key $K$ and message $m$. (Note: The complement of a bit $b$ is defined as $b \oplus 1$.)

Let $m \in \{0,1\}^{2 \cdot 32}$ and $K \in \{0,1\}^{56}$. We have to show $E_{\mathrm{DES}}(\bar K, \bar m) = \overline{E_{\mathrm{DES}}(K, m)}$. Let us first note that the initial permutation preserves the bitwise complement. Furthermore, by inspection of the algorithm, we see that the key schedule preserves the bitwise complement as well, as it consists of permutations and shifts only. So it is sufficient to examine a single round and prove $E_i(\bar K, \bar m) = \overline{E_i(K, m)}$ for the $i$-th round of DES.

Let us consider the application of the $i$-th round of DES with key $K$ and input message $L_{i-1} \| R_{i-1}$, written $E_i(K, L_{i-1} \| R_{i-1}) = L_i \| R_i$. We want to show that $E_i(\bar K, \bar L_{i-1} \| \bar R_{i-1}) = \bar L_i \| \bar R_i$. Since $R_{i-1} = L_i$, we immediately know that $E_i(\bar K, \bar L_{i-1} \| \bar R_{i-1}) = \bar L_i \| R'_i$ for some right half $R'_i$. So it suffices to show that $R'_i = \bar R_i$. Let us take a look at the round function $f_i$, which is used in the computation of $R_i$ as $R_i = L_{i-1} \oplus f_i(K_i, R_{i-1})$. It is easy to see that if the expansion permutation $E$ applied to $R_{i-1}$ yields $V_i$, then $E$ applied to $\bar R_{i-1}$ yields $\bar V_i$. As the round key results in $\bar K_i$, this leads to the expression $\bar V_i \oplus \bar K_i$.

Using the associativity and the commutativity of $\oplus$ and $\bar X = X \oplus 1$ we get
$$(V_i \oplus 1) \oplus (K_i \oplus 1) = (V_i \oplus K_i) \oplus (1 \oplus 1) = V_i \oplus K_i.$$
So the input to the remaining parts of the round function is identical in both cases, and hence the final output $W_i$ of the round function is identical in both cases: $f_i(\bar K_i, \bar R_{i-1}) = f_i(K_i, R_{i-1})$. Using this property we get
$$\bar L_{i-1} \oplus f_i(\bar K_i, \bar R_{i-1}) = \bar L_{i-1} \oplus f_i(K_i, R_{i-1}) = 1 \oplus \underbrace{\big( L_{i-1} \oplus f_i(K_i, R_{i-1}) \big)}_{R_i} = \bar R_i.$$
We get that after one round, the output is inverted. By a trivial induction, it follows that after an arbitrary number of rounds the output is inverted as well. This proves the claim.

(b) (+5 bonus) Show how an attacker can use the above property to perform an exhaustive key search by only performing half the number of DES encryptions you would need for the regular exhaustive key search. Try to be precise in which assumptions you make (on the capabilities of the attacker, the speed of DES as opposed to other operations, etc.). More precisely, assume you are given one plaintext/ciphertext pair $(m, c_m)$ for which you want to determine the key used for encryption using exhaustive key search. (Note: You might still need additional operations (such as complementations or XORs), but may only use half as many DES encryption operations as used in the regular exhaustive key search.)

The goal is to reduce the number of DES operations by 1/2 using the insights from part (a). In order to achieve this, we halve the number of keys that we need to try for the exhaustive key search. If $\mathcal{K} = \{0,1\}^k$, it suffices to use all keys in $\mathcal{K}' = \{0 \| k : k \in \{0,1\}^{k-1}\}$. This is the case because $\mathcal{K}' \cup \overline{\mathcal{K}'} = \mathcal{K}$ and we can try two keys with one DES operation as follows: For each $k$ for which we compute $E(k, m)$, we get $E(\bar k, \bar m)$ almost for free by just flipping each bit, i.e., computing $\oplus 1$. Thus, for the $m$ we know, we compute $E(k, m)$ and check whether it is equal to $c_m$, and we check whether $E(\bar k, \bar m) = \overline{E(k, m)}$ is equal to $c_m$. So we have tried the keys $k$ and $\bar k$ with only one DES operation.

It is only roughly a factor of two because we need two (fast) operations to check the second key $\bar k$ in addition to checking $k$.
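Part (a)'s argument and part (b)'s halved search, as an added example that is not part of the original sheet. Since a full DES does not fit here, the code uses a constructed DES-shaped toy Feistel cipher (32-bit blocks, 16-bit keys, 4 rounds): the key schedule consists of rotations only, and every round XORs the round key into the expanded right half before a fixed nonlinear S-box, which is exactly the structure the proof in (a) relies on. `complementation_holds` checks the identity $E(\bar K, \bar m) = \overline{E(K, m)}$ directly. The search in `halved_key_search` encrypts only under keys of the form $0 \| k$; it assumes (an assumption of this example) that the attacker holds both $(m, c_m)$ and $(\bar m, c_{\bar m})$, because the value obtained for free is $E(\bar k, \bar m)$ and so is compared with the ciphertext of $\bar m$. `naive_key_search` is included only to count the encryptions of the regular search.

```python
import hashlib

HALF = 16          # bits per Feistel half; block = 2*HALF bits (constructed toy size)
KEYBITS = 16       # toy key length (DES uses 56)
ROUNDS = 4
MASK_HALF = (1 << HALF) - 1


def complement(x: int, bits: int) -> int:
    return x ^ ((1 << bits) - 1)             # x-bar = x XOR 1...1


def rotl(x: int, r: int, bits: int) -> int:
    return ((x << r) | (x >> (bits - r))) & ((1 << bits) - 1)


def round_keys(K: int):
    # key schedule made of rotations only, so it preserves complements:
    # round_keys(K-bar)[i] == complement(round_keys(K)[i])
    return [rotl(K, i, KEYBITS) for i in range(1, ROUNDS + 1)]


def sbox(v: int) -> int:
    # fixed nonlinear map on HALF bits (SHA-256 of the value, truncated)
    return int.from_bytes(hashlib.sha256(v.to_bytes(2, "big")).digest()[:2], "big")


def f(Ki: int, R: int) -> int:
    # DES-shaped round function: expand (identity here), XOR the round key, S-box.
    # For R-bar and Ki-bar the XOR yields the same value, so f is unchanged.
    return sbox(R ^ Ki)


def toy_encrypt(K: int, m: int) -> int:
    L, R = (m >> HALF) & MASK_HALF, m & MASK_HALF
    for Ki in round_keys(K):
        L, R = R, L ^ f(Ki, R)               # L_i = R_{i-1}, R_i = L_{i-1} XOR f(K_i, R_{i-1})
    return (L << HALF) | R


def complementation_holds(K: int, m: int) -> bool:
    """Checks E(K-bar, m-bar) == complement(E(K, m)) for the toy cipher."""
    lhs = toy_encrypt(complement(K, KEYBITS), complement(m, 2 * HALF))
    return lhs == complement(toy_encrypt(K, m), 2 * HALF)


def naive_key_search(m: int, c_m: int):
    """Regular exhaustive search; returns (key or None, encryptions performed)."""
    ops = 0
    for k in range(1 << KEYBITS):
        ops += 1
        if toy_encrypt(k, m) == c_m:
            return k, ops
    return None, ops


def halved_key_search(m: int, c_m: int, c_mbar: int):
    """Search over keys 0 || k only. E(k, m) is compared with c_m (tests k);
    its complement equals E(k-bar, m-bar) and is compared with c_mbar (tests
    k-bar). Assumes the attacker holds both (m, c_m) and (m-bar, c_mbar).
    Returns (key or None, encryptions performed)."""
    ops = 0
    for k in range(1 << (KEYBITS - 1)):      # leading key bit fixed to 0
        c = toy_encrypt(k, m)
        ops += 1
        if c == c_m:
            return k, ops
        if complement(c, 2 * HALF) == c_mbar:
            return complement(k, KEYBITS), ops
    return None, ops
```

With the toy parameters the halved search never performs more than $2^{15}$ encryptions, against up to $2^{16}$ for the regular search, at the cost of one complement and one extra comparison per key. The property itself is why a cipher's key schedule and round structure are examined for such symmetries: they do not break the cipher, but they shave a constant factor off brute force and must be priced into the effective key length.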