Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Similar documents
Exam Security January 19, :30 11:30

5199/IOC5063 Theory of Cryptology, 2014 Fall

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Introduction to Cybersecurity Cryptography (Part 4)

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Notes for Lecture 9. 1 Combining Encryption and Authentication

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cryptography Lecture 4

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

DTTF/NB479: Dszquphsbqiz Day 26

Leftovers from Lecture 3

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Public-key Cryptography: Theory and Practice

ECS 189A Final Cryptography Spring 2011

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Introduction to Cryptography

A block cipher enciphers each block with the same key.

Lecture 7: ElGamal and Discrete Logarithms

Introduction to Information Security

Solution of Exercise Sheet 7

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Attacks on hash functions. Birthday attacks and Multicollisions

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 5, CPA Secure Encryption from PRFs

Modern Cryptography Lecture 4

Number theory (Chapter 4)

Lecture Note 3 Date:

SPCS Cryptography Homework 13

Introduction Description of MD5. Message Modification Generate Messages Summary

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Lecture Notes. Advanced Discrete Structures COT S

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Public Key Cryptography

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Network Security: Hashes

Foundations of Network and Computer Security

Week 12: Hash Functions and MAC

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Foundations of Network and Computer Security

Avoiding collisions Cryptographic hash functions. Table of contents

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Lecture 1. Crypto Background

Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000

Topics. Probability Theory. Perfect Secrecy. Information Theory

Historical cryptography. cryptography encryption main applications: military and diplomacy

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Solution to Midterm Examination

Message Authentication Codes (MACs)

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Provable Chosen-Target-Forced-Midx Preimage Resistance

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

CPSC 467: Cryptography and Computer Security

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Digital Signatures. Adam O Neill based on

Cryptographic Hash Functions

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Asymmetric Encryption

CPSC 467: Cryptography and Computer Security

Lecture 10: NMAC, HMAC and Number Theory

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CPSC 467: Cryptography and Computer Security

Introduction to Modern Cryptography. Benny Chor

RSA RSA public key cryptosystem

Breaking H 2 -MAC Using Birthday Paradox

Lecture 14: Cryptographic Hash Functions

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Avoiding collisions Cryptographic hash functions. Table of contents

Lecture 1: Introduction to Public key cryptography

Beyond the MD5 Collisions

CPSC 467: Cryptography and Computer Security

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Question: Total Points: Score:

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography 2017 Lecture 2

New Attacks on the Concatenation and XOR Hash Combiners

Chapter 8 Public-key Cryptography and Digital Signatures

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

CS 6260 Applied Cryptography

Lecture 4: DES and block ciphers

Foundations of Network and Computer Security

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

ASYMMETRIC ENCRYPTION

Introduction to Cryptology. Lecture 2

Solutions to homework 2

Transcription:

Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2

Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical Aspects of Modern Cryptography 3

Problem 1 Let b = n m be the number of blocks. Plaintext P 0, P 1,, P b, ciphertext C 0, C 1,, C b. We care about C b 1, C b, P b 1 and P b. We know k, the number of bits removed from the penultimate block, since k = m (n mod m). Recall that for CBC decryption, we have plaintext block P i = Decrypt(K, C i ) C i i

Problem 1 P i = Decrypt(K, C i ) C i i 1. Compute X b = Decrypt(K, C b ) (intermediate value of final block) 2. We also know X b = P b XOR C b 1 if we have all the bits in C b. 3. Finally, we know the last k bits of P b are 0 (pad). 4. So for each of the padding bits P b,m k+1,, P b,m we have X b,i = P b,i XOR C b 1,i for i = m k + 1,, m 5. Since P b,i = 0, then X b,i = C b 1,i

Problem 1: text Stealing IV Plaintext 110101 00 0 Inverse Inverse Inverse Inverse 110101 text

Problem 2 Decrypt a k-block segment in the middle of a long CBCencrypted ciphertext. What is the minimum number of blocks of ciphertext that need to be decrypted? Which blocks do you need to decrypt and how will you decrypt them?

Problem 2 In CBC decryption, we have plaintext block P i = Decrypt(K, C i ) C i i NOTE: Boundary case "C 1 " = IV. Each plaintext block we want requires one decryption of the corresponding plaintext plus one XOR. So the minimum number of ciphertext blocks to be decrypted is k. If you want plaintext blocks P i, P i+1,, P i+k 1, then you need ciphertext blocks C i 1, C i, C i+1,, C i+k 1. If i = 0, instead of C i 1 you need the IV.

Problem 3 H is a Merkle-Damgård hash function w/ compression function F. Black box takes inputs IV and y and outputs an x such that F IV, x = y. Show how by using the black box at most 2k times you can find a set of 2 k messages that all have the same hash value when input into the full hash function H.

Problem 3 Solution 1 Basic idea: find pairs of messages x i, x i satisfying F IV i, x i = F IV i, x i = y i, i = 1,.., k y i = IV i+1 IV 1 = IV Start at the end. Choose a random target output value y k and a random input value y k 1 = IV k. Call the black box twice with IV k, y k to generate x k, x k. Now move back a block. We have y k 1, choose random IV k 1 = y k 2. Run the box twice, get x k 1, x k 1.

Problem 3 Solution 1 We now have 4 two-block messages that hash to the same value when F is the compression function: x k 1 x k, x k 1 x k, x k 1 x k, x k 1 x k Repeat this procedure k times and you ll have made 2k calls to the black box to generate k pairs x i, x i. To generate 2 k messages that hash to the same value, make k-block messages where the ith block is either x i or x i. Two choices per block, k blocks == 2 k.

Problem 3 Solution 2 The fixed point solution Choose a fixed value for IV. Now call the black box to find an x such that F IV, x = IV. Concatenate x as many times as you want, the hash will still be IV. So to get 2 k messages: x, xx, xxx, xxxx,, xxx xxx (2 k total times)

Problem 4 G(x) = H(x) H (x), H(x) and H (x) are hash functions with n-bit outputs, so G(x) has 2n-bit outputs. Normally, with a birthday attack we would expect to have to generate 2 2n/2 = 2 n messages to find a collision. However, H(x) is badly broken (as in Prob. 3) so assume we can generate 2 n/2 messages that all have the same hash value in H x.

Problem 4 Now compute H (x) for each of the 2 n/2 that have the same hash value in H(x). By the birthday attack we expect to find a collision from those 2 n/2 messages.

Problem 4 Was it a good idea to construct G(x) = H(x) H (x)?

Problem 4 Was it a good idea to construct G(x) = H(x) H (x)? Well, it depends

Problem 4 Was it a good idea to construct G(x) = H(x) H (x)? Well, it depends YES: At the cost of computing two hashes vs. one, you get resistance if one of H, H breaks.

Problem 4 Was it a good idea to construct G(x) = H(x) H (x)? Well, it depends YES: At the cost of computing two hashes vs. one, you get resistance if one of H, H breaks, but NO: However, G(x) doesn t have the security margin you d expect of a 2n-bit hash function. It s only as strong as the better of its two components

Problem 5 Alice Bob: m = please pay the bearer $1, H(k, m). m is an exact multiple of H s block size (so you don t need to do any padding). What can Bob do?

Problem 5 Note that k is only an input to the first application of H s compression function (e.g. it s the IV to the hash of the first block of m) Bob can append data to m, create m = m,000,000, and compute H k, m from H(k, m).

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback