# SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1

2 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

3 Correct decryption requirement Formally: For all K and M we have Pr[D K (E K (M)) = M] = 1, where the probability is over the coins of E Mihir Bellare UCSD 3

4 Block cipher modes of operation E : {0,1} k {0,1} n {0,1} n a block cipher Notation: x[i] is the i-th n-bit block of a string x, so that x = x[1]...x[m] if x = nm. Always: Alg K K \$ {0,1} k return K Mihir Bellare UCSD 4

5 Block cipher modes of operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1-block message. How do we encrypt a long message using a primitive that only applies to n-bit blocks? Mihir Bellare UCSD 5

6 ECB: Electronic Codebook Mode SE = (K,E,D) where: Alg E K (M) for i = 1,...,m do C[i] E K (M[i]) return C Alg D K (C) for i = 1,...,m do M[i] E 1 K (C[i]) return M Correct decryption relies on E being a block cipher, so that E K is invertible Mihir Bellare UCSD 6

7 Security of ECB Weakness: M 1 = M 2 C 1 = C 2 Why is the above true? Because E K is deterministic: M 1 [1] M 1 [m] M 2 [1] M 2 [m] E K... E K E K... E K C 1 [1] C 1 [m] C 2 [1] C 2 [m] Why does this matter? Mihir Bellare UCSD 7

8 Security of ECB Suppose we know that there are only two possible messages, Y = 1 n and N = 0 n, for example representing FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) = E K (M). M E K C Mihir Bellare UCSD 8

9 Security of ECB Votes M 1,M 2 {Y,N} are ECB encrypted and adversary sees ciphertexts C 1 = E K (M 1 ) and C 2 = E K (M 2 ) M 1 M 2 E K E K C 1 C 2 Adversary may have cast the first vote and thus knows M 1 ; say M 1 = Y. Then adversary can figure out M 2 : If C 2 = C 1 then M 2 must be Y Else M 2 must be N Mihir Bellare UCSD 9

10 Is this avoidable? Let SE = (K,E,D) be ANY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Mihir Bellare UCSD 10

11 Is this avoidable? Let SE = (K,E,D) be ANY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Yes, if E is deterministic. Mihir Bellare UCSD 11

12 Randomized encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back different answers. That is, if M 1 = M 2 and we let then \$ \$ C 1 E K (M 1 ) and C 2 E K (M 2 ) Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E. Mihir Bellare UCSD 12

13 Randomized encryption There are many possible ciphertexts corresponding to each message. If so, how can we decrypt? We will see examples soon. C 1 C 2 M E K D K M C s Mihir Bellare UCSD 13

14 Randomized encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of different possible ciphertexts. Mihir Bellare UCSD 14

15 CBC\$: Cipher Block Chaining with random IV mode SE = (K,E,D) where: Alg E K (M) \$ C[0] {0,1} n for i = 1,...,m do C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i = 1,...,m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher. Mihir Bellare UCSD 15

16 CTR\$ mode If X {0,1} n and i N then X +i denotes the n-bit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an n-bit string. Alg E K (M) \$ C[0] {0,1} n for i = 1,...,m do P[i] E K (C[0]+i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,...,m do P[i] E K (C[0]+i) M[i] P[i] C[i] return M Mihir Bellare UCSD 16

17 CTR\$ mode Alg E K (M) \$ C[0] {0,1} n for i = 1,...,m do P[i] E K (C[0]+i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,...,m do P[i] E K (C[0]+i) M[i] P[i] C[i] return M D does not use E 1 K! So one can run CTR\$ with a PRF that is not a blockcipher. Encryption and Decryption are parallelizable. Mihir Bellare UCSD 17

18 Voting with CBC\$ Suppose we encrypt M 1,M 2 {Y,N} with CBC\$. M 1 M 2 E K E K {0,1} n \$ C 1 [0] C 1 [1] {0,1} n \$ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? Mihir Bellare UCSD 18

19 Voting with CBC\$ Suppose we encrypt M 1,M 2 {Y,N} with CBC\$. M 1 M 2 E K E K {0,1} n \$ C 1 [0] C 1 [1] {0,1} n \$ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? NO! Mihir Bellare UCSD 19

20 Assessing security So CBC\$ is better than ECB. But is it secure? CBC\$ is widely used so knowing whether it is secure is important To answer this we first need to decide and formalize what we mean by secure. Mihir Bellare UCSD 20

21 Security requirements Suppose sender computes \$ \$ C 1 E K (M 1 ); ; C q E K (M q ) Adversary A has C 1,...,C q What if A Retrieves K Bad! Retrieves M 1 Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1,M 2? Something we won t hide: the length of the message Mihir Bellare UCSD 21

22 What we seek We want a single master property MP of an encryption scheme such that MP can be easily specified We can evaluate whether a scheme meets it MP implies ALL the security conditions we want: it guarantees that a ciphertext reveals NO partial information about the plaintext. Mihir Bellare UCSD 22

23 Intuition for definition of IND-CPA The master property MP is called IND-CPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either or M 1 0,...,Mq 0 M 1 1,...,M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted. Mihir Bellare UCSD 23

24 Games for ind-cpa-advantage of an adversary A Let SE = (K,E,D) be an encryption scheme Game Left SE procedure Initialize K \$ K procedure LR(M 0,M 1 ) Return C \$ E K (M 0 ) Game Right SE procedure Initialize K \$ K procedure LR(M 0,M 1 ) Return C \$ E K (M 1 ) Associated to SE, A are the probabilities [ ] Pr Left A SE 1 [ ] Pr Right A SE 1 that A outputs 1 in each world. The (ind-cpa) advantage of A is ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Mihir Bellare UCSD 24

25 The measure of success Adv ind-cpa SE (A) 1 means A is doing well and SE is not ind-cpa-secure. Adv ind-cpa SE (A) 0 (or 0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is IND-CPA-secure if Adv ind-cpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not IND-CPA-secure if we can specify an explicit A that uses few resources yet achieves high ind-cpa-advantage. Mihir Bellare UCSD 25

26 ECB is not IND-CPA-secure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K,E,D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Mihir Bellare UCSD 26

27 ECB is not IND-CPA-secure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K,E,D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Exploitable weakness of SE: M 1 = M 2 implies E K (M 1 ) = E K (M 2 ). Mihir Bellare UCSD 27

28 ECB is not IND-CPA-secure Let E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Mihir Bellare UCSD 28

29 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K \$ K procedure LR(M 0,M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = Mihir Bellare UCSD 29

30 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K \$ K procedure LR(M 0,M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = 1 because C 1 = E K (0 n ) and C 2 = E K (0 n ). Mihir Bellare UCSD 30

31 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K \$ K procedure LR(M 0,M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = Mihir Bellare UCSD 31

32 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K \$ K procedure LR(M 0,M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = 0 because C 1 = E K (0 n ) E K (1 n ) = C 2. Mihir Bellare UCSD 32

33 ECB is not IND-CPA secure adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Adv ind-cpa SE (A) = = 1 1 { [ }} ]{ { [ }} ]{ Pr Right A SE = 1 Pr Right A SE = 1 And A is very efficient, making only two queries. Thus ECB is not IND-CPA secure. 0 Mihir Bellare UCSD 33

34 Exercise Let SE = (K,E,D) be any symmetric encryption scheme for which E is deterministic. Show that SE is not IND-CPA secure by giving pseudo-code for an efficient adversary A that achieves Adv ind-cpa SE (A) = 1. Assume the message space is some non-empty subset of {0,1} with the property that if M is a legitimate message then so is any other string of length M. Mihir Bellare UCSD 34

35 Exercise: Setup Let K be the key-generation algorithm that returns a random 128-bit string as the key K. Define Alg E K (M) R \$ {0,1} 128 ; M[1]...M[m] M; C[0] R for i = 1,...,m do W[i] (R +i) mod ; C[i] AES K (M[i] W[i]) C C[0]C[1]...C[n]; Return C Above W[i] (R +i) mod means we regard R as an interger, add i to it, take the result modulo 2 128, view this as a 128-bit string, and assign it to W[i]. The message space is the set of all strings whose length is a positive multiple of 128. Mihir Bellare UCSD 35

36 Exercise: Questions 1. Specify a decryption algorithm D such that SE = (K,E,D) is a symmetric encryption scheme satisfying the correct decryption condition. 2. Show that this scheme is insecure by presenting a practical adversary A such that Adv ind-cpa SE (A) is high. State the value of the advantage achieved by your adversary and the number of oracle queries it makes. Your adversary for 2. should as usual be specified in clear pseudo-code, not in a text description. There should be a succinct analysis justifying the claimed advantage. Mihir Bellare UCSD 36

37 Why is IND-CPA the master property? We claim that if encryption scheme SE = (K,E,D) is IND-CPA secure then the ciphertext hides ALL partial information about the plaintext. \$ \$ For example, from C 1 E K (M 1 ) and C 2 E K (M 2 ) the adversary cannot get M 1 get 1st bit of M 1 get XOR of the 1st bits of M 1,M 2 etc. Exercise: State and prove such claims formally. This could be a quiz question! Mihir Bellare UCSD 37

38 Birthday attack on CTR\$ Let E : {0,1} k {0,1} n {0,1} n be a blockcipher and SE = (K,E,D) the corresponding CTR\$ symmetric encryption scheme. Suppose 1-block messages M 0,M 1 are encrypted: \$ \$ C 0 [0]C 0 [1] E(K,M 0 ) C 1 [0]C 1 [1] E(K,M 1 ) Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate IND-CPA. Mihir Bellare UCSD 38

39 Birthday attack on CTR\$ Let 1 q < 2 n be a parameter and let i be integer i encoded as an n-bit string. adversary A for i = 1,...,q do C i [0]C i \$ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S \$ If C j [1] = C l [1] then return 1 return 0 Mihir Bellare UCSD 39

40 Birthday attack on CTR\$: Right game analysis adversary A for i = 1,...,q do C i [0]C i \$ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S \$ If C j [1] = C l [1] then return 1 return 0 Game Right SE procedure Initialize K \$ K procedure LR(M 0,M 1 ) \$ C[0] {0,1} n P E(K,C[0]+1) C[1] P M 1 Return C[0]C[1] If C j [0] = C l [0] (lucky) then C j [1] = 0 E K (C j [0]+1) = 0 E K (C l [0]+1) = C l [1] so [ ] Pr Right A SE 1 = Pr[S ] = C(2 n,q) Mihir Bellare UCSD 40

41 Birthday attack on CTR\$: Left game analysis adversary A for i = 1,...,q do C i [0]C i \$ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S \$ If C j [1] = C l [1] then return 1 return 0 Game Left SE procedure Initialize K \$ K procedure LR(M 0,M 1 ) \$ C[0] {0,1} n P E(K,C[0]+1) C[1] P M 0 Return C[0]C[1] If C j [0] = C l [0] (lucky) then C j [1] = j E K (C j [0]+1) l E K (C l [0]+1) = C l [1] so [ ] Pr Left A SE 1 = 0. Mihir Bellare UCSD 41

42 Birthday attack on CTR\$ ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 = C(2 n,q) q(q 1) 2 n Conclusion: CTR\$ can be broken (in the IND-CPA sense) in about 2 n/2 queries, where n is the block length of the underlying block cipher, regardless of the cryptanalytic strength of the block cipher. Mihir Bellare UCSD 42

43 Exercise The above attack on CTR\$ uses 1-block messages. Letting SE be the same scheme, give an adversary A that makes q LR-queries, each consisting of two m-block messages, and achieves ( Adv ind-cpa m 2 q 2 ) SE (A) = Ω The running time of A should be about O(mqn log(mqn)). 2 n Mihir Bellare UCSD 43

44 Security of CTR\$ So far: A q-query adversary can break CTR\$ with advantage q2 2 n+1 Question: Is there any better attack? Mihir Bellare UCSD 44

45 Security of CTR\$ So far: A q-query adversary can break CTR\$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most σ 2 2 n where σ is the total number of blocks encrypted. Example: If q 1-block messages are encrypted then σ = q so the adversary advantage is not more than q 2 /2 n. For E = AES this means up to 2 64 blocks may be securely encrypted, which is good. Mihir Bellare UCSD 45

46 Security of CTR\$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CTR\$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Mihir Bellare UCSD 46

47 Intuition and proof We first give some intuition for the proof and then the proof itself. We assume for simplicity that A makes q = σ/m LR queries in each of which both messages are m blocks long. Extending the proof to the general case is an exercise. We let C i = C i [0]C i [1]...C i [m] denote the response of the LR oracle to A s i-th query. Mihir Bellare UCSD 47

48 Intuition for IND-CPA security of CTR\$ Consider the CTR\$ scheme with E K replaced by a random function Fn. Alg E Fn (M) \$ C[0] {0,1} n for i = 1,...,m do P[i] Fn(C[0]+i) C[i] P[i] M[i] return C Analyzing this is a thought experiment, but we can ask whether it is IND-CPA secure. If so, the assumption that E is a PRF says CTR\$ with E is IND-CPA secure. Mihir Bellare UCSD 48

49 CTR\$ with a random function Let E be the event that the points C 1 [0]+1,...,C 1 [0]+m,...,C q [0]+1,...,C q [0]+m, on which Fn is evaluated across the q encryptions, are all distinct. Case 1: E happens. Then the encryption is a one-time-pad: ciphertexts are random, independent strings, regardless of which message is encrypted. So A has zero advantage. Case 2: E doesn t happen. Then A may have high advantage but it does not matter because Pr[E] doesn t happen is small. (It is the small additive term in the theorem.) Mihir Bellare UCSD 49

50 Alternative formulation of advantage Let SE = (K,E,D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K \$ K; b \$ {0,1} procedure LR(M 0,M 1 ) return C \$ E K (M b ) procedure Finalize(b ) return (b = b ) ] Proposition: Adv ind-cpa SE (A) = 2 Pr [Guess A SE true 1. Proof: Observe Pr [ b = 1 b = 1 ] [ ] = Pr Right A SE 1 Pr [ b = 1 b = 0 ] [ ] = Pr Left A SE 1 Mihir Bellare UCSD 50

51 Proof of Proposition, continued [ ] Pr Guess A SE true = Pr [ b = b ] = Pr [ b = b b = 1 ] Pr[b = 1]+Pr [ b = b b = 0 ] Pr[b = 0] = Pr [ b = b b = 1 ] 1 2 +Pr[ b = b b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] 1 2 +Pr[ b = 0 b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] 1 2 +( 1 Pr [ b = 1 b = 0 ]) 1 2 = (Pr [ b = 1 b = 1 ] Pr [ b = 1 b = 0 ]) 2 = ( [ ] [ ]) 2 Pr Right A SE 1 Pr Left A SE 1 = Advind-cpa SE (A). Mihir Bellare UCSD 51

52 A game-playing proof The proof uses a sequence of games and invokes the fundamental lemma of game playing [BR96]. The games have the following Initialize and Finalize procedures: Initialize // G 0 b \$ {0,1}; S K \$ {0,1} k Initialize // G 1,G 2,G 3 b \$ {0,1}; S Finalize // All games Return (b = b ) For brevity we omit writing these procedures explicitly in the games, but you should remember they are there. Also for brevity if G is a game and A is an adversary then we let Pr[G A ] = Pr[G A true] Mihir Bellare UCSD 52

53 Games G 0,G 1 for the proof Game G 0 procedure LR(M 0,M 1 ) \$ C[0] {0,1} n for i = 1,...,m do P C[0]+i if P S then T[P] E K (P) C[i] T[P] M b [i] S S {P} return C Then [ ] Adv ind-cpa SE (A) = 2 Pr G0 A 1 Game G 1 procedure LR(M 0,M 1 ) \$ C[0] {0,1} n for i = 1,...,m do P C[0]+i \$ if P / S then T[P] {0,1} n C[i] T[P] M b [i] S S {P} return C Mihir Bellare UCSD 53

54 Analysis Clearly Pr[G A 0 ] = Pr[GA 1 ]+( Pr[G A 0 ] Pr[GA 1 ]). Claim 1: We can design prf-adversary B so that Claim 2: Pr[G A 1 ] σ2 2 n+1 Given these, we have Adv ind-cpa SE (A) 2 Pr[G A 0 ] Pr[GA 1 ] Advprf E (B) ( ) σ2 2 n Adv prf E (B) = σ2 2 n +2 Advprf E (B) which proves the theorem. It remains to prove the claims. Mihir Bellare UCSD 54

55 Proof of Claim 1 adversary B b \$ {0,1}; S b \$ A LRSim if (b = b ) then return 1 else return 0 subroutine LRSim(M 0,M 1 ) \$ C[0] {0,1} n for i = 1,...,m do P C[0]+i if P / S then T[P] Fn(P) C[i] T[P] M b [i] S S {P} return C Pr ] Pr [Real B E 1 ] [Rand B {0,1} n 1 [ ] = Pr G0 A [ ] = Pr G1 A Subtracting, we get Claim 1. Mihir Bellare UCSD 55

56 Where we are It remains to prove: Claim 2: Pr[G A 1 ] σ2 2 n+1 Mihir Bellare UCSD 56

57 Introducing the bad flag Game G 1 procedure LR(M 0,M 1) \$ C[0] {0,1} n for i = 1,...,m do P C[0] +i If P / S then \$ T[P] {0,1} n C[i] T[P] M b [i] S S {P} return C Game G 2, G 3 procedure LR(M 0,M 1) \$ C[0] {0,1} n for i = 1,...,m do P C[0]+i \$ C[i] {0,1} n If P S then bad true; C[i] T[P] M b [i] T[P] C[i] M b [i] S S {P} return C Pr[G A 1 ] = Pr[GA 2 ] = Pr[GA 3 ]+ ( Pr[G A 2 ] Pr[GA 3 ] ) Mihir Bellare UCSD 57

58 Analysis of G 3 Game G 3 procedure LR(M 0,M 1) \$ C[0] {0,1} n for i = 1,...,m do \$ P C[0] +i; C[i] {0,1} n If P S then bad true T[P] C[i] M b [i]; S S {P} return C Ciphertext C in G 3 is always random, independently of b, so [ ] Pr G3 A = 1 2. Mihir Bellare UCSD 58

59 Fundamental Lemma of game playing Games G, H are identical-until-bad if their code differs only in statements following the setting of bad to true. Lemma: [BR96] If G,H are identical-until-bad, then for any adversary A and any y [ ] [ ] [ ] Pr G A y Pr H A y Pr H A setsbad Mihir Bellare UCSD 59

60 Using the fundamental lemma Game G 2, G 3 procedure LR(M 0,M 1) \$ C[0] {0,1} n for i = 1,...,m do \$ P C[0] +i; C[i] {0,1} n If P S then bad true; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S {P} return C G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies [ ] [ ] [ ] Pr G2 A Pr G3 A Pr G3 A setsbad. Mihir Bellare UCSD 60

61 Bounding the probability that G 3 sets bad Game G 3 procedure LR(M 0,M 1) \$ C[0] {0,1} n for i = 1,...,m do \$ P C[0] +i; C[i] {0,1} n If P S then bad true T[P] C[i] M b [i]; S S {P} return C ] Pr [G3 A setsbad q m i=1 = m2 q(q 1) 2 n+1 σ2 2 n+1 m(i 1) 2 n Mihir Bellare UCSD 61

62 Security of CTR\$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CTR\$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Mihir Bellare UCSD 62

63 Security of CBC\$ Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K,E,D) the corresponding CBC\$ symmetric encryption scheme. Exercise: Give an adversary A that makes q LR-queries, each consisting of two 1-block messages, and achieves ( ) Adv ind-cpa q 2 SE (A) = Ω The running time of A should be about O(qn log(qn)). Can you generalize this to m-block messages? What is the best advantage you can get? 2 n Mihir Bellare UCSD 63

64 Security of CBC\$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CBC\$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Exercise: Prove the above theorem. Mihir Bellare UCSD 64

### Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

Chapter 4 Symmetric Encryption The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

### Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### CS 6903 Modern Cryptography February 20th, 2010

CS 6903 Modern Cryptography February 20th, 2010 Lecture 5: Constructions of Symmetric Encryption Scheme Instructor: Nitesh Saxena Scribe: SherinSyriac, AvisDsouza, SaiTeja Can we use the Pseudo Random

### Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### CSA E0 235: Cryptography (29/03/2015) (Extra) Lecture 3

CSA E0 235: Cryptography (29/03/2015) Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Mayank Tiwari Review From our discussion of perfect secrecy, we know that the notion of perfect secrecy has

### Lecture 9. Lecturer: Yevgeniy Dodis Spring 2012

CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography Macrh 21, 2012 Lecture 9 Lecturer: Yevgeniy Dodis Spring 2012 Last time we introduced the concept of Pseudo Random Function Family (PRF),

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### 1 Pseudorandom Permutations

Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Contents. Foundations of cryptography

Contents Foundations of cryptography Security goals and cryptographic techniques Models for evaluating security A sketch of probability theory and Shannon's theorem Birthday problems Entropy considerations

### Shift Cipher. Ahmet Burak Can Hacettepe University. Substitution Cipher. Enigma Machine. How perfect secrecy can be satisfied?

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Basic Ciphers Shift Cipher Brute-force attack can easily break Substitution Cipher Frequency analysis

### On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Stream Ciphers. Example of Stream Decryption. Example of Stream Encryption. Real Cipher Streams. Terminology. Introduction to Modern Cryptography

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function

### Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Modes of Operation of Block Ciphers

Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### Cryptographic Agility and its Relation to Circular Encryption

Cryptographic Agility and its Relation to Circular Encryption Tolga Acar 1 Mira Belenkiy 2 Mihir Bellare 3 David Cash 4 Abstract We initiate a provable-security treatment of cryptographic agility. A primitive

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### T Cryptology Spring 2009

T-79.5501 Cryptology Spring 2009 Homework 2 Tutor : Joo Y. Cho joo.cho@tkk.fi 5th February 2009 Q1. Let us consider a cryptosystem where P = {a, b, c} and C = {1, 2, 3, 4}, K = {K 1, K 2, K 3 }, and the

### Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

### Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11

CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note Conditional Probability A pharmaceutical company is marketing a new test for a certain medical condition. According

### Ciphertext verification security of symmetric encryption schemes

www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

### Multi-Recipient Encryption Schemes: Efficient Constructions and their Security

This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. Multi-Recipient

### Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

### Chapter 7. Message Authentication. 7.1 The setting

Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

### lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

### Standard Security Does Not Imply Security Against Selective-Opening

Standard Security Does Not mply Security Against Selective-Opening Mihir Bellare, Rafael Dowsley, Brent Waters, Scott Yilek (UCSD, UCSD, UT Austin, U. of St. Thomas) Full version on ACR eprint archive

### Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

### On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

### Reconsidering Generic Composition

Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the

### Efficient Constructions of Variable-Input-Length Block Ciphers

Efficient Constructions of Variable-Input-Length Block Ciphers Sarvar Patel 1, Zulfikar Ramzan 2 and Ganapathy S. Sundaram 1 1 Lucent Technologies {sarvar, ganeshs}@bell-labs.com 2 DoCoMo Communications

### Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

### Cryptography and Network Security Chapter 6

Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 6 Block Cipher Operation Many savages at the present day regard

### Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

Roadmap on symmetric ciphers Lecture 01: Historical ciphers (badly broken) Lecture 02: OTP (the One Time Pad cipher) Perfect Secrecy (first notion of security) Stream ciphers (making OTP practical) PRG

### Stronger Security Bounds for OMAC, TMAC and XCBC

Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata,

### DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob \$100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob \$100 scan

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Nonce-Based Symmetric Encryption

Nonce-Based Symmetric Encryption Phillip Rogaway Dept. of Computer Science, University of California, Davis, CA 95616, USA, and Dept. of Computer Science, Fac. of Science, Chiang Mai University, Chiang

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography

Announcements CS43: Discrete Structures More on Cryptography and Mathematical Induction Işıl Dillig Class canceled next Thursday I am out of town Homework 4 due Oct instead of next Thursday (Oct 18) Işıl

### Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions

A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 0, 3st Annual International Cryptology Conference, P. Rogaway ed., LNCS, Springer, 0. Order-Preserving Encryption Revisited:

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Network security and all ilabs

Network security and all ilabs Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### AES-COPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4

Submission to the CAESAR competition AES-COPA v.2 Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4 Affiliation: 1 Dept.

### Homework 7. Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj.

Problems: 1 to 11. Homework 7 Question: 1 Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj. This is an easy problem. > uasi

### Lecture 2: Universality

CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer

CS787: Advanced Algorithms Lecture 14: Online algorithms We now shift focus to a different kind of algorithmic problem where we need to perform some optimization without knowing the input in advance. Algorithms

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Reading 13 : Finite State Automata and Regular Expressions

CS/Math 24: Introduction to Discrete Mathematics Fall 25 Reading 3 : Finite State Automata and Regular Expressions Instructors: Beck Hasti, Gautam Prakriya In this reading we study a mathematical model

### IEEE P Wireless Sensor Interface Working Group. Security Proposal Revision 1.10

Document number: P1451.5-Prop1_V1 IEEE P1451.5 Wireless Sensor Interface Working Group Security Proposal Revision 1.10 Updated 4/8/03 Prepared by: R. K. Coleman 3e Technologies International, Inc. 700

### Finite and discrete probability distributions

8 Finite and discrete probability distributions To understand the algorithmic aspects of number theory and algebra, and applications such as cryptography, a firm grasp of the basics of probability theory

### A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) All of the cryptographic algorithms we have looked at so far have some problem. The earlier ciphers can be broken with ease on modern computation systems. The DES

### Code-Based Game-Playing Proofs and the Security of Triple Encryption

Code-Based Game-Playing Proofs and the Security of Triple Encryption Mihir Bellare Phillip Rogaway February 27, 2006 (Draft 2.2) Abstract The game-playing technique is a powerful tool for analyzing cryptographic

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)