# Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret key while another has the public key that matches this secret key. This is in contrast to the symmetry in the private key setting, where both parties had the same key. Asymmetric encryption is thus another name for public-key encryption, the mechanism for achieving data privacy in the public key or asymmetric setting. Our study of asymmetric encryption (following our study of other primitives) will begin by searching for appropriate notions of security, and models and formalizations via which they are captured. We then consider constructions, where we look at how to design and analyze various schemes. With regard to notions of security, we will be able to build considerably on our earlier study of symmetric encryption. Indeed, from this point of view there is very little difference between symmetric and asymmetric encryption; not much more than the fact that in the latter the adversary gets the public key as input. This is important (and re-assuring) to remember. All the intuition and examples we have studied before carry over, so that we enter the study of asymmetric encryption already having a good idea of what encryption is, how security is modeled, and what it means for a scheme to be secure. Accordingly we will deal with the security issues quite briefly, just re-formulating the definitions we have seen before. The second issue (namely constructions) is a different story. Designs of asymmetric encryption schemes rely on tools and ideas different from those underlying the design of symmetric encryption schemes. Namely in the asymmetric case, the basis is (typically) computationally intractable problems in number theory, while for the symmetric case we used block ciphers. Thus, the greater part of the effort in this chapter will be on schemes and their security properties Asymmetric encryption schemes An asymmetric encryption scheme is just like a symmetric encryption scheme except for an asymmetry in the key structure. The key pk used to encrypt is different from the key sk used to decrypt. Furthermore pk is public, known to the sender and also to the adversary. So while only a receiver in possession of the secret key can decrypt, anyone in possession of the corresponding public key can encrypt data to send to this one receiver.

2 2 ASYMMETRIC ENCRYPTION Definition An asymmetric encryption scheme = (K, E, D) consists of three algorithms, as follows: The randomized key generation algorithm K (takes no inputs and) returns a pair (pk, sk) of keys, the public key and matching secret key, respectively. We write (pk,sk) K for the operation of executing K and letting (pk,sk) be the pair of keys returned. The encryption algorithm E takes the public key pk and a plaintext (also called a message) M to return a value called the ciphertext. The algorithm may be randomized, but not stateful. We write C E pk (M) or C E(pk,M) for the operation of running E on inputs pk,m and letting C be the ciphertext returned. The deterministic decryption algorithm D takes the secret key sk and a ciphertext C to return a message M. We write M D sk (C) or M D(sk,C). The message space associated to a public key pk is the set Plaintexts(pk) of all M for which E pk (M) never returns. We require that the scheme provide correct decryption, which means that for any key-pair (pk,sk) that might be output by K and any message M Plaintexts(pk), if C was returned by E pk (M) then D sk (C) = M. Let R be an entity that wants to be able to receive encrypted communications. The first step is key generation: R runs K to generate a pair of keys (pk,sk) for itself. Note the key generation algorithm is run locally by R. Anyone in possession of R s public key pk can then send a message M privately to R. To do this, they would encrypt M via C E pk (M) and send the ciphertext C to R. The latter will be able to decrypt C using sk via M D sk (C). Note that an entity wishing to send data to R must be in possession of R s public key pk, and must be assured that the public key is authentic, meaning really is the R s public-key, and not someone else s public key. We will look later into mechanisms for assuring this state of knowledge. But the key management processes are not part of the asymmetric encryption scheme itself. In constructing and analyzing the security of asymmetric encryption schemes, we make the assumption that any prospective sender is in possession of an authentic copy of the public key of the receiver. This assumption is made in what follows. A viable scheme of course requires some security properties. But these are not our concern now. First we want to pin down what constitutes a specification of a scheme, so that we know what are the kinds of objects whose security we want to assess. The key usage is the mirror-image of the key usage in a digital signature scheme. In an asymmetric encryption scheme, the holder of the secret key is a receiver, using the secret key to decrypt ciphertexts sent to it by others. In a digital signature scheme, the holder of the secret key is a sender, using the secret key to tag its own messages so that the tags can be verified by others. The last part of the definition says that ciphertexts that were correctly generated will decrypt correctly. The encryption algorithm might be randomized, and must for security. But unlike in a symmetric encryption scheme, we will not consider stateful asymmetric encryption algorithms. This is because there is no unique sender to maintain state; many different entities are sending data to the receiver using the same public key. The decryption algorithm is deterministic and stateless. We do not require that the message or ciphertext be strings. Many asymmetric encryption schemes are algebraic or number-theoretic, and in the natural formulation of these schemes messages might be group elements and ciphertexts might consist of several group elements. However, it is understood that either messages or ciphertexts can be encoded as strings wherever necessary. (The encodings will usually not be made explicit.) In particular, we might talk of the length of a

8 8 ASYMMETRIC ENCRYPTION Oracle HE i pk (M 0,M 1 ) j j + 1 If j i then C E pk (M 1 ) else C E pk (M 0 ) EndIf Return C Experiment Exp i (B) (pk,sk) K d B HE i pk (, ),D sk( ) (pk) Return d Adversary A E pk(lr(,,b)),d sk ( ) (pk) j 0 ; I {1,...,q} Subroutine OE(M 0,M 1 ) j j + 1 If j < I then C E pk (M 1 ) EndIf If j = I then C E pk (LR(M 0,M 1,b)) EndIf If j > I then C E pk (M 0 ) EndIf Return C End Subroutine d B OE(, ),D sk( ) (pk) Return d Figure 11.1: Hybrid oracles and experiments related to the construction of ind-cca adversary A in the proof of Theorem We will now construct ind-cca-adversary A so that Pr Exp ind-cca-1 (A) = 1 Pr Exp ind-cca-0 (A) = 1 = 1 q q P(i) (11.6) = 1 q 1 q P(i). (11.7) i=0 Then, from the above we would have Re-arranging terms, we get Equation (11.2). Adv ind-cca (A) = 1 q Advind-cca (B). We now specify the hybrid experiments of Equation (11.3) in such a way that Equations (11.4) and (11.5) are true and we are able to construct adversary A such that Equations (11.6) and (11.7) are true. We associate to any i {0,...,q} an oracle and an experiment, as indicated in Fig The oracle associated to i is stateful, maintaining a counter j that is initialized to 0 by the overlying experiment and is incremented by the oracle each time the latter is invoked.

9 Bellare and Rogaway 9 Now, observe that oracles HE 0 pk (, ) and E pk(lr(,,0)) are equivalent, meaning that on any inputs, their responses are identically distributed. Similarly, oracles HE q pk (, ) and E pk(lr(,,1)) are equivalent. Hence, Equations (11.4) and (11.5) are true. Adversary A is specified in Fig It begins by initializing a counter j to 0, and picking I at random from {1,...,q}. It then defines a subroutine OE. Finally A executes B, replacing the B s lr-encryption oracle with the subroutine OE, and providing B a decryption oracle via A s own access to a decryption oracle. We highlight that A s operation depends on the fact that it was provided the public encryption key as an input. This enables it to compute encryptions under this key directly, and it does so inside the subroutine. Had we not given A the public key, this construction would not be posible. To complete the proof it suffices to justify Equations (11.6) and (11.7). Suppose A is in world 1, meaning the challenge bit b equals 1. Then subroutine OE encrypts the right message of its input pair the first I times it is called, and the left-message after that. One the other hand, if A is in world 0, meaning b = 0, subroutine OE encrypts the right message of its input pair the first I 1 times it is called, and the left message after that. Regarding I as a random variable taking values in {1,...,q}, this means that for every i {1,...,q} we have Pr Pr Exp ind-cca-1 Exp ind-cca-0 (A) = 1 I = i (A) = 1 I = i = P(i) = P(i 1). Since the random variable I is uniformly distributed in the range {1,...,q} we have Pr Exp ind-cca-1 (A) = 1 This justifies Equation (11.6). Similarly, Pr Exp ind-cca-0 (A) = 1 = = = = = q q q q q 1 i=0 Pr Exp ind-cca-1 P(i) 1 q. Pr Exp ind-cca-0 P(i 1) 1 q P(i) 1 q, which justifies Equation (11.7). This concludes the proof. (A) = 1 I = i Pr I = i (A) = 1 I = i Pr I = i 11.4 Hybrid encryption Before we present constructions of asymmetric encryption schemes, it is useful to get some idea of the context in which they are used. Given an asymmetric encryption scheme = (K a, E a, D a ), one rarely encrypts data directly with it. Rather, to encrypt M under a public key pk of this scheme, we first pick a random key

10 10 ASYMMETRIC ENCRYPTION K for a symmetric encryption scheme SE = (K s, E s, D s ), encrypt K under pk via the asymmetric scheme to get a ciphertext C a, encrypt M under K via the symmetric scheme to get a ciphertext C s, and transmit (C a,c s ). This is called hybrid encryption. More precisely, hybrid encryption is a transform that given any asymmetric encryption scheme and any symmetric encryption scheme associates to them a new asymmetric encryption scheme: Scheme Let = (K a, E a, D a ) be an asymmetric encryption scheme, and let SE = (K s, E s, D s ) be a stateless symmetric encryption scheme such that Keys(SE) Plaintexts(pk) for every pk that might be output by K a. The hybrid encryption scheme associated to, SE is the asymmetric encryption scheme = (K a, E, D) whose key-generation algorithm is the same as that of and whose encryption and decryption algorithms are defined as follows: Algorithm E pk (M) K K s ; C s EK s (M) If C s = then return C a Epk a (K) ; C (Ca,C s ) Return C Algorithm D sk (C) Parse C as (C a,c s ) K D a sk (Ca ) If K = then return M D s K (Cs ) Return M Under this hybrid encryption scheme, one can (asymmetrically) encrypt any message M that is in the plaintext-space of the underlying symmetric encryption scheme. Hybrid encryption is used for numerous reasons. The principal one is cost. The number-theoretic operations underlying common asymmetric encryption schemes are computationally costly relative to the operations on block ciphers that underly common symmetric encryption schemes. In practice one wants to minimize the amount of data to which these number-theoretic operations are applied. Accordingly, rather than encrypt the possibly long message M directly under pk via the given asymmetric scheme, one uses hybrid encryption. The costly number-theoretic operations are thus applied only to data whose length k is fixed and not dependent on the length of M. This context tells us that when we design asymmetric encryption schemes, we can typically assume that the message space consists of short strings. This will facilitate our constructions. However, before we adopt the hybrid encryption paradigm we need to know that it works, meaning that it is secure. In assessing the strength of hybrid encryption, we use as usual the provable-security philosophy and approach. A hybrid encryption scheme is built from two components: a base asymmetric encryption scheme and a base symmetric encryption scheme. The appropriate question to ask is whether the assumed security of the components suffices to guarantee security of the hybrid scheme based on them. It turns out that it does, and moreover for security under both chosen-plaintext and chosen-ciphertext atttacks. Theorem below addresses the first case, and Theorem the second. (Although the latter implies the former, we state and prove them separately because the proof has some delicate issues and ideas and is best understood via an incremental approach.) Theorem Let = (K a, E a, D a ) be an asymmetric encryption scheme, let SE = (K s, E s, D s ) be a stateless symmetric encryption scheme such that Keys(SE) Plaintexts(pk) for every pk that might be output by K a, and let = (K a, E, D) be the hybrid encryption scheme associated to, SE as per Scheme Let k denote the length of keys output by K s. Let B be

12 12 ASYMMETRIC ENCRYPTION Oracle HEpk 00(M 0,M 1 ) K 0 K s ; K 1 K s C s E s (K 0, M 0 ) If C s = then return C a E a (pk, K 0 ) C (C a,c s ) Return C Oracle HEpk 11(M 0,M 1 ) K 0 K s ; K 1 K s C s E s (K 0, M 1 ) If C s = then return C a E a (pk, K 1 ) C (C a,c s ) Return C Oracle HEpk 01(M 0,M 1 ) K 0 K s ; K 1 K s C s E s (K 0, M 0 ) If C s = then return C a E a (pk, K 1 ) C (C a,c s ) Return C Oracle HEpk 10(M 0,M 1 ) K 0 K s ; K 1 K s C s E s (K 0, M 1 ) If C s = then return C a E a (pk, K 0 ) C (C a,c s ) Return C Figure 11.2: Hybrid lr-encryption oracles used in the proof of Theorem We have now written the ind-cpa-advantage of B as a sum of the differences that adjacent experiments in our experiment sequence return 1. We will then construct the adversaries A 01,00,A,A 10,11 such that P(0,1) P(0,0) P(1,1) P(0,1) P(1,0) P(1,1) Adv ind-cpa (A 01,00 ) (11.13) Adv ind-cpa SE (A) (11.14) Adv ind-cpa (A 10,11 ). (11.15) Equation (11.8) follows. The template above is pretty generic. What we need to do now is to actually specify the hybrid experiments of Equation (11.9) in such a way that Equations (11.11) (11.12) are true and we are able to construct adversaries A 01,00,A,A 10,11 such that Equations (11.13) (11.15) are true. Recall that B has access to an oracle that takes input a pair of messages and returns a ciphertext. In the experiments of Definition that define the ind-cpa-advantage of B, this oracle is either E pk (LR(,,1)) or E pk (LR(,,0)), depending on the world in which B is placed. Our hybrid experiments will involve executing B not only with these oracles, but with others that we will define. Specifically, we will define a sequence of oracles HE 00 pk(, ), HE 01 pk(, ), HE 11 pk(, ), HE 10 pk(, ). (11.16) Each oracle will take input a pair M 0,M 1 of messages and return a ciphertext. Now, to each pair α,β of bits, we associate the (α,β) hybrid experiment defined as follows:

13 Bellare and Rogaway 13 Adversary A Ea pk (LR(,,b)) 01,00 (pk) Subroutine OE(M 0,M 1 ) K 0 K s ; K 1 K s C s E s (K 0,M 0 ) If C s = then return C a Epk a (LR(K 0,K 1,b)) Return (C a,c s ) End Subroutine d B OE(, ) (pk) Return d Adversary A Ea pk (LR(,,b)) 10,11 (pk) Subroutine OE(M 0,M 1 ) K 0 K s ; K 1 K s C s E s (K 0,M 1 ) If C s = then return C a Epk a (LR(K 1,K 0,b)) Return (C a,c s ) End Subroutine d B OE(, ) (pk) Return d Figure 11.3: Adversaries attacking constructed for the proof of Theorem Experiment Exp αβ (B) (pk,sk) K a αβ HE d B pk (, ) (pk) Return d This defines our experiments in terms of the oracles, and, finally, the oracles themselves are specified in Fig Each hybrid lr-encryption oracle is paramterized by a pair (α, β) of bits and takes input a pair M 0,M 1 of messages. Examining the oracles, you will see that they are mostly identical, different only in the quantities that have been boxed. Each oracle picks not one but two keys K 0,K 1, independently at random, for symmetric encryption. It then encrypts M α under K 0 via the symmetric encryption scheme to get a ciphertext C s, and it encrypts K β under the public key via the asymmetric encryption scheme to get a ciphertext C a. It returns the pair (C a,c s ). Note oracles HEpk (, ) and HEpk (, ) do not actually use K 1. We have asked these oracles to pick K 1 only to highlight the common template underlying all four oracles. Observe that oracle HEpk 00(, ) and oracle E pk(lr(,,0)) are equivalent in the sense that their responses to any particular query are identically distributed. Similarly oracle HEpk 10 (, ) and oracle E pk (LR(,,1)) are equivalent. This means that Equations (11.11) and (11.12) are true, which is the first requirement of a successful hybrid argument. The new hybrid lr-encryption oracles we introduce may seem rather bizarre at first since they do not necessarily return valid ciphertexts. For example, oracle (0,1) will return a ciphertext (C a,c s ) in which C s is the encryption of M 0 under a key K 0, but C a is not an encryption of K 0 as it ought to be under the definition of, but rather is the encryption of a random, unrelated key K 1. Thus, in the corresponding hybrid experiment, B is not getting the types of responses it expects. But nonetheless, being an algorithm with access to an oracle, B will execute and eventually return a bit. The meaning of this bit may be unclear, but we will see that this does not matter. Before constructing A 01,00 so that Equation (11.13) is true, let us try to explain the intuition. Consider hybrid lr-encryption oracles (0,0) and (0,1). Note that in both experiments, C s is computed in exactly the same way. This means that the difference between P(0,0) and P(0,1) measures the

14 14 ASYMMETRIC ENCRYPTION ability of the adversary to tell whether C a encrypts the key underling C s or not. This is something we can relate solely to the security of the base asymmetric encryption scheme. Adversary A 01,00 attacking the base asymmetric encryption scheme is specified in Fig As per Definition , it has access to a lr-encryption oracle Epk a (LR(,,b)). Its strategy is to define a subroutine OE and then run B, using OE to reply to B s oracle queries. Subroutine OE takes input a pair M 0,M 1 of messages, picks a pair of keys for symmetric encryption, and finally returns a ciphertext which is computed using a call to the given oracle Epk a (LR(,,b)). Consider A 01,00 in world 1, meaning its oracle is Epk a (LR(,,1)). In that case, the ciphertext Ca computed by subroutine OE(, ) is an encryption of K 1, and thus subroutine OE(, ) is equivalent to oracle HEpk 01(, ). On the other hand, when A 01,00 is in world 0, meaning its oracle is Epk a (LR(,,0)), the ciphertext C a computed by subroutine OE(, ) is an encryption of K 0, and thus subroutine OE(, ) is equivalent to oracle HEpk 00 (, ). Hence Pr Exp ind-cpa-1 (A 01,00 ) = 1 Pr Exp ind-cpa-0 (A 01,00 ) = 1 = Pr Exp 01 (B) = 1 = Pr Exp 00 (B) = 1 Subtracting, and remembering the notation of Equation (11.10), we get which justifies Equation (11.13). Adv ind-cpa (A 01,00 ) = P(0,1) P(0,0), We leave to the reader the task of verifying Equation (11.15) based on the construction of A 11,10 given in Fig. 11.3, and now proceed to the construction of the ind-cpa adversary A attacking the base symmetric encryption scheme. The intuition here is that the (0,1) and (1,1) hybrid experiments both compute C a as an encryption of key K 1, but differ in which message they symmetrically encrypt under K 0, and thus the difference between P(0,1) and P(1,1) measures the ability of the adversary to tell which message C s encrypts under K 0. This is something we can relate solely to the security of the base symmetric encryption scheme. The construction however will require a little more work, introducing another sequence of hybrid experiments. This time there will be q + 1 of them, Exp 0 (B), Exp1 (B),..., Expq (B). Again we associate to any i {0,...,q} an oracle and an experiment, as indicated in Fig The oracle associated to i is stateful, maintaining a counter j that is initially 0 and is incremented each time the oracle is invoked. The oracle behaves differently depending on how its counter j compares to its defining parameter i. If j i it symmetrically encrypts, under K 0, the right message M 1, and otherwise it symmetrically encrypts, under K 0, the left message M 0. The asymmetric component C a is always an encryption of K 1. For i = 0,...,q we let P(i) = Pr Exp i (B) = 1 Now, suppose i = 0. In that case, the value C s computed by oracle HEpk i (, ) on input M 0,M 1 is a symmetric encryption of M 0 regardless of the value of the counter j. This means that oracles HEpk 0 01 (, ) and HEpk (, ) are equivalent. Similarly, oracles HE q 11 pk (, ) and HEpk (, ) are equivalent. Hence P(0,1) = P(0) and P(1,1) = P(q)...

15 Bellare and Rogaway 15 Oracle HE i pk (M 0,M 1 ) j j + 1 K 0 K s ; K 1 K s If j i then C s E s (K 0, M 1 ) else C s E s (K 0, M 0 ) EndIf If C s = then return C a E a (pk, K 1 ) C (C a,c s ) Return C Experiment Exp i (B) (pk,sk) K a d B HE i pk (, ) (pk) Return d Adversary A Es K (LR(,,b)) (pk,sk) K a ; j 0 ; I {1,...,q} Subroutine OE(M 0,M 1 ) j j + 1 K 0 K s ; K 1 K s If j < I then C s E s (K 0, M 1 ) EndIf If j = I then C s EK s (LR(M 0,M 1,b)) EndIf If j > I then C s E s (K 0, M 0 ) EndIf If C s = then return C a E a (pk, K 1 ) Return (C a,c s ) End Subroutine d B OE(, ) (pk) Return d Figure 11.4: Hybrid oracles and experiments related to the construction of ind-cpa adversary A in the proof of Theorem So P(1,1) P(0,1) = P(q) P(0) = P(q) P(q 1) + P(q 1) P(1) + P(1) P(0) q = P(i) P(i 1). (11.17) Our ind-cpa adversary A attacking the base symmetric encryption scheme SE is depicted in Fig It gets a lr-encryption oracle EK s (LR(,,b)) based on a hidden key K and challenge

16 16 ASYMMETRIC ENCRYPTION bit b. It picks a pair of public and secret keys by running the key-generation algorithm of the asymmetric encryption scheme. It then picks an index i at random, and initializes a counter j to 0. Next it defines a subroutine OE(, ) that takes input a pair of messages and returns a ciphertext, and runs B, replying to the latter s oracle queries via the subroutine. The subroutine increments the counter j at each call, and computes the symmetric component C s of the ciphertext differently depending on how the counter j compares to the parameter i. In one case, namely when j = i, it computes C s by calling the given E s K (LR(,,b)) oracle on inputs M 0,M 1. Notice that A makes only one call to its oracle, as required. For the analysis, regard I as a random variable whose value is uniformly distributed in {1,...,q}. Then notice that for any i {1,...,q} Thus Pr Pr Exp ind-cpa-1 SE Exp ind-cpa-0 SE (A) = 1 I = i (A) = 1 I = i Adv ind-cpa SE (A) = Pr Exp ind-cpa-1 SE (A) = 1 = P(i) = P(i 1). Pr Exp ind-cpa-0 SE (A) = 1 q = Pr Exp ind-cpa-1 SE (A) = 1 I = i Pr I = i q Pr Exp ind-cpa-0 SE (A) = 1 I = i PrI = i q q = P(i) Pr I = i P(i 1) PrI = i = 1 q q P(i) P(i 1) = 1 q P(1,1) P(0,1). In the last step we used Equation (11.17). Re-arranging terms, we get Equation (11.14). This completes the proof. We now proceed to the chosen-ciphertext attack case. The scheme itself is unchanged, but we now claim that if the base components are secure against chosen-ciphertext attack, then so is the hybrid encryption scheme. Theorem Let = (K a, E a, D a ) be an asymmetric encryption scheme, let SE = (K s, E s, D s ) be a stateless symmetric encryption scheme such that Keys(SE) Plaintexts(pk) for every pk that might be output by K a, and let = (K a, E, D) be the hybrid encryption scheme associated to, SE as per Scheme Let k denote the length of keys output by K s, and let

18 18 ASYMMETRIC ENCRYPTION Oracle HE 00 pk (M 0,M 1 ) j j + 1 K 0,j K s ; K 1,j K s C s j E s (K 0,j, M 0 ) If Cj s = then return E a (pk, K 0,j ) C a j C j (C a j,cs j ) Return C j Oracle HE 11 pk (M 0,M 1 ) j j + 1 K 0,j K s ; K 1,j K s C s j E s (K 0,j, M 1 ) If Cj s = then return E a (pk, K 1,j ) C a j C j (C a j,cs j ) Return C j Oracle HE 01 pk (M 0,M 1 ) j j + 1 K 0,j K s ; K 1,j K s C s j E s (K 0,j, M 0 ) If Cj s = then return E a (pk, K 1,j ) C a j C j (C a j,cs j ) Return C j Oracle HE 10 pk (M 0,M 1 ) j j + 1 K 0,j K s ; K 1,j K s C s j E s (K 0,j, M 1 ) If Cj s = then return E a (pk, K 0,j ) C a j C j (C a j,cs j ) Return C j Oracle HD sk (C) Parse C as (C a,c s ) l Find(C a ;C a 1,...,Ca j ) If l 0 then M D s (K 0,l,C s ) EndIf If l = 0 then M D(sk,C) EndIf Return M Figure 11.5: Hybrid lr-encryption oracles, and hybrid decryption oracle, used in the proof of Theorem The hybrid lr-encryption oracles, shown in Fig. 11.5, are equivalent to the corresponding ones of Fig in the sense that on any inputs M 0,M 1, the output of the (α,β) hybrid lr-encryption oracle of Fig is distributed identically to the output of the (α,β) hybrid lr-encryption oracle of Fig However, the code of the hybrid lr-encryption oracles has been enhanced to do some extra internal book-keeping. The hybrid decryption oracle invokes a subroutine Find that given a value T and a list T 1,...,T j returns the smallest j such that T = T j if such a j exists, and 0 if T {T 1,...,T j }. It uses this to see whether the asymmetric component of the ciphertext it is given to decrypt was previously returned by a partner (α, β) hybrid lr-encryption oracle. If not, it decrypts the given ciphertext via the decryption algorithm of scheme, using the secret key sk which it is given. Else, it decrypts the symmetric component of the ciphertext under the key K 0,j chosen at the time the asymmetric component was first created.

19 Bellare and Rogaway 19 Adversary A Ea pk (LR(,,b)),Da sk ( ) 01,00 (pk) j 0 Subroutine OE(M 0,M 1 ) j j + 1 K 0,j K s ; K 1,j K s C s j E s (K 0,j,M 0 ) If Cj s = then return Epk a (LR(K 0,j,K 1,j,b)) C a j Return (C a j,cs j ) End Subroutine Subroutine OD(C) Parse C as (C a,c s ) l Find(C a ;C a 1,...,Ca j ) If l 0 then M D s (K 0,l,C s ) If l = 0 then M D(sk,C) Return M End Subroutine d B OE(, ),OD( ) (pk) Return d Adversary A Ea pk (LR(,,b)),Da sk ( ) 10,11 (pk) j 0 Subroutine OE(M 0,M 1 ) j j + 1 K 0,j K s ; K 1,j K s C s j E s (K 0,j,M 1 ) If Cj s = then return Epk a (LR(K 1,j,K 0,j,b)) C a j Return (C a,c s ) End Subroutine Subroutine OD(C) Parse C as (C a,c s ) l Find(C a ;C a 1,...,Ca j ) If l 0 then M D s (K 0,l,C s ) If l = 0 then M D(sk,C) Return M End Subroutine d B OE(, ),OD( ) (pk) Return d Figure 11.6: Adversaries attacking constructed for the proof of Theorem As in the proof of Theorem , for any α,β {0,1}, we let P(α,β) = Pr Exp αβ (B) = 1. Observe that the hybrid decryption oracle is equivalent to D sk ( ) in the cases (α,β) {(0,0),(1,0)} because in these cases, the asymmetric component of the ciphertext produced by the hybrid lrencryption oracle is an encryption of K 0,j. Thus we have P(1,0) = Pr P(0,0) = Pr Exp ind-cca-1 Exp ind-cca-0 (B) = 1 (B) = 1 Following the proof of Theorem , our proof of Equation (11.18) is complete if we can construct adversaries A 01,00,A,A 10,11 such that. P(0,1) P(0,0) P(1,1) P(0,1) P(1,0) P(1,1) Adv ind-cca (A 01,00 ) (11.19) Adv ind-cca SE (A) (11.20) Adv ind-cca (A 10,11 ). (11.21) The constructions of A 01,00 and A 10,11 are shown in Fig Each adversary runs B, replacing B s lr-encryption oracle with a subroutine OE and B s decryption oracle with a subroutine OD.

20 20 ASYMMETRIC ENCRYPTION Note the OD subroutine calls D sk ( ). It does not actually have sk but it can implement this by running the code of D sk ( ) shown in Scheme and using its Dsk a ( ) oracle. We note that A 01,00 and A 10,11 are legal in the sense that they never query their decryption oracle Dsk a ( ) on a ciphertext previously returned by their lr-encryption oracle Ea pk (LR(,,b). This is ensured by the definition of OD, which, if given a ciphertext C = (C a,c s ) whose asymmetric component C a was previously returned by Epk a (LR(,,b), does not call Da sk ( ), but instead directly computes the symmetric decryption of C s under a key K 0,j satisfying Cj a = Ca. We leave to the reader to extend the arguments of the proof of Theorem to verify that Equations (11.19) and (11.21) are true, and proceed to the construction of the ind-cca adversary A attacking the base symmetric encryption scheme. We associate to any i {0,...,q} the oracle and experiment defined in Fig The experiment shown in that figure initializes counter j and then runs B with the shown oracle and also with the hybrid decryption oracle HD sk ( ) that we defined previously. The two oracles share state in the form of a counter j and as well as quantities that are created and stored by HE i pk (, ) and then accessed by HD sk ( ). Our ind-cca adversary A attacking the base symmetric encryption scheme SE is depicted in Fig The novelty here, as compared to Fig. 11.4, is the subroutine OD defined by A. Note that it considers three cases for the value of l. In the second case, it computes a response by invoking A s given decryption oracle DK s ( ). In the third case it computes a response using the fact that it knows sk. We must check that A is legal, meaning that it never queries its decryption oracle with a ciphertext C s previously returned by its lr-encryption oracle. Suppose B makes decryption oracle query C = (C a,c s ). Our concern is that C s = CI s. (The latter is the only ciphertext returned by A s lr-encryption oracle since A makes only one query to this oracle, and thus this is the only concern.) Let l = Find(C a ;C1 a,...,ca j ). If l I then A does not query its decryption oracle at all and thus certainly does not make an illegal query. So suppose l = I. This means C a = CI a. However B is assumed to be legal, which implies (C a,c s ) (CI a,cs I ), so it must be that Cs CI s as desired. The analysis of A is then analogous to the one in the proof of Theorem , and we omit the details El Gamal scheme and its variants Let G be a cyclic group with generator g, meaning G = {g 0,g 1,...,g n 1 }, where n = G is the order of G. Recall that the discrete exponentiation function is DExp G,g : Z n G x g x. The inverse of this function is the discrete logarithm function DLog G,g : G Z n X x, where x Z n is the unique integer such that g x = X in G. The discrete exponentiation function is conjectured to be one-way (meaning the discrete logarithm function is hard to compute) for some groups G. An example is the group G = Z p under

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Ciphertext verification security of symmetric encryption schemes

www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### CryptoVerif Tutorial

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob \$100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob \$100 scan

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was

### Elements of Applied Cryptography Public key encryption

Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Chapter 7. Message Authentication. 7.1 The setting

Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

### Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Multi-Recipient Encryption Schemes: Efficient Constructions and their Security

This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. Multi-Recipient

### KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C \$ E pk[a] (M) σ \$ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data

### Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

### YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer

### arxiv:1112.0829v1 [math.pr] 5 Dec 2011

How Not to Win a Million Dollars: A Counterexample to a Conjecture of L. Breiman Thomas P. Hayes arxiv:1112.0829v1 [math.pr] 5 Dec 2011 Abstract Consider a gambling game in which we are allowed to repeatedly

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### CHAPTER II THE LIMIT OF A SEQUENCE OF NUMBERS DEFINITION OF THE NUMBER e.

CHAPTER II THE LIMIT OF A SEQUENCE OF NUMBERS DEFINITION OF THE NUMBER e. This chapter contains the beginnings of the most important, and probably the most subtle, notion in mathematical analysis, i.e.,

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

### On the Security of the Tor Authentication Protocol

On the Security of the Tor Authentication Protocol Ian Goldberg David R. Cheriton School of Computer Science, University of Waterloo, 00 University Ave W, Waterloo, ON NL 3G1 iang@cs.uwaterloo.ca Abstract.

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### The Mathematics of RSA

The Mathematics of RSA Dimitri Papaioannou May 24, 2007 1 Introduction Cryptographic systems come in two flavors. Symmetric or Private key encryption and Asymmetric or Public key encryption. Strictly speaking,

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

### Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

### 3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

### Network Security Technology Network Management

COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

### Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### SECURITY EVALUATION OF EMAIL ENCRYPTION USING RANDOM NOISE GENERATED BY LCG

SECURITY EVALUATION OF EMAIL ENCRYPTION USING RANDOM NOISE GENERATED BY LCG Chung-Chih Li, Hema Sagar R. Kandati, Bo Sun Dept. of Computer Science, Lamar University, Beaumont, Texas, USA 409-880-8748,

### 159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication

### Fast Batch Verification for Modular Exponentiation and Digital Signatures

An extended abstract of this paper appears in Advances in Cryptology Eurocrypt 98 Proceedings, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., Springer-Verlag, 1998. This is the full version.

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### BRIEF INTRODUCTION TO CRYPTOGRAPHY. By PAGVAC. February 8, 2004

BRIEF INTRODUCTION TO CRYPTOGRAPHY By PAGVAC February 8, 2004 What will I learn from this file? What cryptography is How encryption and decryption works Cryptography terms Symmetric cryptography Asymmetric

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

### Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11

CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note Conditional Probability A pharmaceutical company is marketing a new test for a certain medical condition. According

### Introduction. Chapter 1

Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/crypto-book/ The copyright

### The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

### Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Table of Contents - Objective - Cryptography: An Overview - Symmetric Key - Asymmetric Key - Transparent Key: A Paradigm Shift - Security

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### 9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

### Outline. Cryptography. Bret Benesh. Math 331

Outline 1 College of St. Benedict/St. John s University Department of Mathematics Math 331 2 3 The internet is a lawless place, and people have access to all sorts of information. What is keeping people

### On Electronic Payment Systems

On Electronic Payment Systems Ronald Cramer, Ivan Damgård and Jesper Buus Nielsen CPT 2009 April 22, 2009 Abstract This note is an introduction to the area of electronic cash (ecash) schemes. The note