SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Size: px
Start display at page:

Download "SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1"

Transcription

1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1

2 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

3 Correct decryption requirement Formally: For all K and M we have Pr[D K (E K (M)) = M] = 1, where the probability is over the coins of E Mihir Bellare UCSD 3

4 Block cipher modes of operation E : {0,1} k {0,1} n {0,1} n a block cipher Notation: x[i] is the i-th n-bit block of a string x, so that x = x[1]...x[m] if x = nm. Always: Alg K K $ {0,1} k return K Mihir Bellare UCSD 4

5 Block cipher modes of operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1-block message. How do we encrypt a long message using a primitive that only applies to n-bit blocks? Mihir Bellare UCSD 5

6 ECB: Electronic Codebook Mode SE = (K,E,D) where: Alg E K (M) for i = 1,...,m do C[i] E K (M[i]) return C Alg D K (C) for i = 1,...,m do M[i] E 1 K (C[i]) return M Correct decryption relies on E being a block cipher, so that E K is invertible Mihir Bellare UCSD 6

7 Security of ECB Weakness: M 1 = M 2 C 1 = C 2 Why is the above true? Because E K is deterministic: M 1 [1] M 1 [m] M 2 [1] M 2 [m] E K... E K E K... E K C 1 [1] C 1 [m] C 2 [1] C 2 [m] Why does this matter? Mihir Bellare UCSD 7

8 Security of ECB Suppose we know that there are only two possible messages, Y = 1 n and N = 0 n, for example representing FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) = E K (M). M E K C Mihir Bellare UCSD 8

9 Security of ECB Votes M 1,M 2 {Y,N} are ECB encrypted and adversary sees ciphertexts C 1 = E K (M 1 ) and C 2 = E K (M 2 ) M 1 M 2 E K E K C 1 C 2 Adversary may have cast the first vote and thus knows M 1 ; say M 1 = Y. Then adversary can figure out M 2 : If C 2 = C 1 then M 2 must be Y Else M 2 must be N Mihir Bellare UCSD 9

10 Is this avoidable? Let SE = (K,E,D) be ANY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Mihir Bellare UCSD 10

11 Is this avoidable? Let SE = (K,E,D) be ANY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Yes, if E is deterministic. Mihir Bellare UCSD 11

12 Randomized encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back different answers. That is, if M 1 = M 2 and we let then $ $ C 1 E K (M 1 ) and C 2 E K (M 2 ) Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E. Mihir Bellare UCSD 12

13 Randomized encryption There are many possible ciphertexts corresponding to each message. If so, how can we decrypt? We will see examples soon. C 1 C 2 M E K D K M C s Mihir Bellare UCSD 13

14 Randomized encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of different possible ciphertexts. Mihir Bellare UCSD 14

15 CBC$: Cipher Block Chaining with random IV mode SE = (K,E,D) where: Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i = 1,...,m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher. Mihir Bellare UCSD 15

16 CTR$ mode If X {0,1} n and i N then X +i denotes the n-bit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an n-bit string. Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do P[i] E K (C[0]+i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,...,m do P[i] E K (C[0]+i) M[i] P[i] C[i] return M Mihir Bellare UCSD 16

17 CTR$ mode Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do P[i] E K (C[0]+i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,...,m do P[i] E K (C[0]+i) M[i] P[i] C[i] return M D does not use E 1 K! So one can run CTR$ with a PRF that is not a blockcipher. Encryption and Decryption are parallelizable. Mihir Bellare UCSD 17

18 Voting with CBC$ Suppose we encrypt M 1,M 2 {Y,N} with CBC$. M 1 M 2 E K E K {0,1} n $ C 1 [0] C 1 [1] {0,1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? Mihir Bellare UCSD 18

19 Voting with CBC$ Suppose we encrypt M 1,M 2 {Y,N} with CBC$. M 1 M 2 E K E K {0,1} n $ C 1 [0] C 1 [1] {0,1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? NO! Mihir Bellare UCSD 19

20 Assessing security So CBC$ is better than ECB. But is it secure? CBC$ is widely used so knowing whether it is secure is important To answer this we first need to decide and formalize what we mean by secure. Mihir Bellare UCSD 20

21 Security requirements Suppose sender computes $ $ C 1 E K (M 1 ); ; C q E K (M q ) Adversary A has C 1,...,C q What if A Retrieves K Bad! Retrieves M 1 Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1,M 2? Something we won t hide: the length of the message Mihir Bellare UCSD 21

22 What we seek We want a single master property MP of an encryption scheme such that MP can be easily specified We can evaluate whether a scheme meets it MP implies ALL the security conditions we want: it guarantees that a ciphertext reveals NO partial information about the plaintext. Mihir Bellare UCSD 22

23 Intuition for definition of IND-CPA The master property MP is called IND-CPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either or M 1 0,...,Mq 0 M 1 1,...,M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted. Mihir Bellare UCSD 23

24 Games for ind-cpa-advantage of an adversary A Let SE = (K,E,D) be an encryption scheme Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return C $ E K (M 0 ) Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return C $ E K (M 1 ) Associated to SE, A are the probabilities [ ] Pr Left A SE 1 [ ] Pr Right A SE 1 that A outputs 1 in each world. The (ind-cpa) advantage of A is ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Mihir Bellare UCSD 24

25 The measure of success Adv ind-cpa SE (A) 1 means A is doing well and SE is not ind-cpa-secure. Adv ind-cpa SE (A) 0 (or 0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is IND-CPA-secure if Adv ind-cpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not IND-CPA-secure if we can specify an explicit A that uses few resources yet achieves high ind-cpa-advantage. Mihir Bellare UCSD 25

26 ECB is not IND-CPA-secure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K,E,D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Mihir Bellare UCSD 26

27 ECB is not IND-CPA-secure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K,E,D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Exploitable weakness of SE: M 1 = M 2 implies E K (M 1 ) = E K (M 2 ). Mihir Bellare UCSD 27

28 ECB is not IND-CPA-secure Let E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Mihir Bellare UCSD 28

29 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = Mihir Bellare UCSD 29

30 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = 1 because C 1 = E K (0 n ) and C 2 = E K (0 n ). Mihir Bellare UCSD 30

31 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = Mihir Bellare UCSD 31

32 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = 0 because C 1 = E K (0 n ) E K (1 n ) = C 2. Mihir Bellare UCSD 32

33 ECB is not IND-CPA secure adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Adv ind-cpa SE (A) = = 1 1 { [ }} ]{ { [ }} ]{ Pr Right A SE = 1 Pr Right A SE = 1 And A is very efficient, making only two queries. Thus ECB is not IND-CPA secure. 0 Mihir Bellare UCSD 33

34 Exercise Let SE = (K,E,D) be any symmetric encryption scheme for which E is deterministic. Show that SE is not IND-CPA secure by giving pseudo-code for an efficient adversary A that achieves Adv ind-cpa SE (A) = 1. Assume the message space is some non-empty subset of {0,1} with the property that if M is a legitimate message then so is any other string of length M. Mihir Bellare UCSD 34

35 Exercise: Setup Let K be the key-generation algorithm that returns a random 128-bit string as the key K. Define Alg E K (M) R $ {0,1} 128 ; M[1]...M[m] M; C[0] R for i = 1,...,m do W[i] (R +i) mod ; C[i] AES K (M[i] W[i]) C C[0]C[1]...C[n]; Return C Above W[i] (R +i) mod means we regard R as an interger, add i to it, take the result modulo 2 128, view this as a 128-bit string, and assign it to W[i]. The message space is the set of all strings whose length is a positive multiple of 128. Mihir Bellare UCSD 35

36 Exercise: Questions 1. Specify a decryption algorithm D such that SE = (K,E,D) is a symmetric encryption scheme satisfying the correct decryption condition. 2. Show that this scheme is insecure by presenting a practical adversary A such that Adv ind-cpa SE (A) is high. State the value of the advantage achieved by your adversary and the number of oracle queries it makes. Your adversary for 2. should as usual be specified in clear pseudo-code, not in a text description. There should be a succinct analysis justifying the claimed advantage. Mihir Bellare UCSD 36

37 Why is IND-CPA the master property? We claim that if encryption scheme SE = (K,E,D) is IND-CPA secure then the ciphertext hides ALL partial information about the plaintext. $ $ For example, from C 1 E K (M 1 ) and C 2 E K (M 2 ) the adversary cannot get M 1 get 1st bit of M 1 get XOR of the 1st bits of M 1,M 2 etc. Exercise: State and prove such claims formally. This could be a quiz question! Mihir Bellare UCSD 37

38 Birthday attack on CTR$ Let E : {0,1} k {0,1} n {0,1} n be a blockcipher and SE = (K,E,D) the corresponding CTR$ symmetric encryption scheme. Suppose 1-block messages M 0,M 1 are encrypted: $ $ C 0 [0]C 0 [1] E(K,M 0 ) C 1 [0]C 1 [1] E(K,M 1 ) Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate IND-CPA. Mihir Bellare UCSD 38

39 Birthday attack on CTR$ Let 1 q < 2 n be a parameter and let i be integer i encoded as an n-bit string. adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Mihir Bellare UCSD 39

40 Birthday attack on CTR$: Right game analysis adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) $ C[0] {0,1} n P E(K,C[0]+1) C[1] P M 1 Return C[0]C[1] If C j [0] = C l [0] (lucky) then C j [1] = 0 E K (C j [0]+1) = 0 E K (C l [0]+1) = C l [1] so [ ] Pr Right A SE 1 = Pr[S ] = C(2 n,q) Mihir Bellare UCSD 40

41 Birthday attack on CTR$: Left game analysis adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) $ C[0] {0,1} n P E(K,C[0]+1) C[1] P M 0 Return C[0]C[1] If C j [0] = C l [0] (lucky) then C j [1] = j E K (C j [0]+1) l E K (C l [0]+1) = C l [1] so [ ] Pr Left A SE 1 = 0. Mihir Bellare UCSD 41

42 Birthday attack on CTR$ ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 = C(2 n,q) q(q 1) 2 n Conclusion: CTR$ can be broken (in the IND-CPA sense) in about 2 n/2 queries, where n is the block length of the underlying block cipher, regardless of the cryptanalytic strength of the block cipher. Mihir Bellare UCSD 42

43 Exercise The above attack on CTR$ uses 1-block messages. Letting SE be the same scheme, give an adversary A that makes q LR-queries, each consisting of two m-block messages, and achieves ( Adv ind-cpa m 2 q 2 ) SE (A) = Ω The running time of A should be about O(mqn log(mqn)). 2 n Mihir Bellare UCSD 43

44 Security of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Mihir Bellare UCSD 44

45 Security of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most σ 2 2 n where σ is the total number of blocks encrypted. Example: If q 1-block messages are encrypted then σ = q so the adversary advantage is not more than q 2 /2 n. For E = AES this means up to 2 64 blocks may be securely encrypted, which is good. Mihir Bellare UCSD 45

46 Security of CTR$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Mihir Bellare UCSD 46

47 Intuition and proof We first give some intuition for the proof and then the proof itself. We assume for simplicity that A makes q = σ/m LR queries in each of which both messages are m blocks long. Extending the proof to the general case is an exercise. We let C i = C i [0]C i [1]...C i [m] denote the response of the LR oracle to A s i-th query. Mihir Bellare UCSD 47

48 Intuition for IND-CPA security of CTR$ Consider the CTR$ scheme with E K replaced by a random function Fn. Alg E Fn (M) $ C[0] {0,1} n for i = 1,...,m do P[i] Fn(C[0]+i) C[i] P[i] M[i] return C Analyzing this is a thought experiment, but we can ask whether it is IND-CPA secure. If so, the assumption that E is a PRF says CTR$ with E is IND-CPA secure. Mihir Bellare UCSD 48

49 CTR$ with a random function Let E be the event that the points C 1 [0]+1,...,C 1 [0]+m,...,C q [0]+1,...,C q [0]+m, on which Fn is evaluated across the q encryptions, are all distinct. Case 1: E happens. Then the encryption is a one-time-pad: ciphertexts are random, independent strings, regardless of which message is encrypted. So A has zero advantage. Case 2: E doesn t happen. Then A may have high advantage but it does not matter because Pr[E] doesn t happen is small. (It is the small additive term in the theorem.) Mihir Bellare UCSD 49

50 Alternative formulation of advantage Let SE = (K,E,D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K $ K; b $ {0,1} procedure LR(M 0,M 1 ) return C $ E K (M b ) procedure Finalize(b ) return (b = b ) ] Proposition: Adv ind-cpa SE (A) = 2 Pr [Guess A SE true 1. Proof: Observe Pr [ b = 1 b = 1 ] [ ] = Pr Right A SE 1 Pr [ b = 1 b = 0 ] [ ] = Pr Left A SE 1 Mihir Bellare UCSD 50

51 Proof of Proposition, continued [ ] Pr Guess A SE true = Pr [ b = b ] = Pr [ b = b b = 1 ] Pr[b = 1]+Pr [ b = b b = 0 ] Pr[b = 0] = Pr [ b = b b = 1 ] 1 2 +Pr[ b = b b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] 1 2 +Pr[ b = 0 b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] 1 2 +( 1 Pr [ b = 1 b = 0 ]) 1 2 = (Pr [ b = 1 b = 1 ] Pr [ b = 1 b = 0 ]) 2 = ( [ ] [ ]) 2 Pr Right A SE 1 Pr Left A SE 1 = Advind-cpa SE (A). Mihir Bellare UCSD 51

52 A game-playing proof The proof uses a sequence of games and invokes the fundamental lemma of game playing [BR96]. The games have the following Initialize and Finalize procedures: Initialize // G 0 b $ {0,1}; S K $ {0,1} k Initialize // G 1,G 2,G 3 b $ {0,1}; S Finalize // All games Return (b = b ) For brevity we omit writing these procedures explicitly in the games, but you should remember they are there. Also for brevity if G is a game and A is an adversary then we let Pr[G A ] = Pr[G A true] Mihir Bellare UCSD 52

53 Games G 0,G 1 for the proof Game G 0 procedure LR(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i if P S then T[P] E K (P) C[i] T[P] M b [i] S S {P} return C Then [ ] Adv ind-cpa SE (A) = 2 Pr G0 A 1 Game G 1 procedure LR(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i $ if P / S then T[P] {0,1} n C[i] T[P] M b [i] S S {P} return C Mihir Bellare UCSD 53

54 Analysis Clearly Pr[G A 0 ] = Pr[GA 1 ]+( Pr[G A 0 ] Pr[GA 1 ]). Claim 1: We can design prf-adversary B so that Claim 2: Pr[G A 1 ] σ2 2 n+1 Given these, we have Adv ind-cpa SE (A) 2 Pr[G A 0 ] Pr[GA 1 ] Advprf E (B) ( ) σ2 2 n Adv prf E (B) = σ2 2 n +2 Advprf E (B) which proves the theorem. It remains to prove the claims. Mihir Bellare UCSD 54

55 Proof of Claim 1 adversary B b $ {0,1}; S b $ A LRSim if (b = b ) then return 1 else return 0 subroutine LRSim(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i if P / S then T[P] Fn(P) C[i] T[P] M b [i] S S {P} return C Pr ] Pr [Real B E 1 ] [Rand B {0,1} n 1 [ ] = Pr G0 A [ ] = Pr G1 A Subtracting, we get Claim 1. Mihir Bellare UCSD 55

56 Where we are It remains to prove: Claim 2: Pr[G A 1 ] σ2 2 n+1 Mihir Bellare UCSD 56

57 Introducing the bad flag Game G 1 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do P C[0] +i If P / S then $ T[P] {0,1} n C[i] T[P] M b [i] S S {P} return C Game G 2, G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i $ C[i] {0,1} n If P S then bad true; C[i] T[P] M b [i] T[P] C[i] M b [i] S S {P} return C Pr[G A 1 ] = Pr[GA 2 ] = Pr[GA 3 ]+ ( Pr[G A 2 ] Pr[GA 3 ] ) Mihir Bellare UCSD 57

58 Analysis of G 3 Game G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true T[P] C[i] M b [i]; S S {P} return C Ciphertext C in G 3 is always random, independently of b, so [ ] Pr G3 A = 1 2. Mihir Bellare UCSD 58

59 Fundamental Lemma of game playing Games G, H are identical-until-bad if their code differs only in statements following the setting of bad to true. Lemma: [BR96] If G,H are identical-until-bad, then for any adversary A and any y [ ] [ ] [ ] Pr G A y Pr H A y Pr H A setsbad Mihir Bellare UCSD 59

60 Using the fundamental lemma Game G 2, G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S {P} return C G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies [ ] [ ] [ ] Pr G2 A Pr G3 A Pr G3 A setsbad. Mihir Bellare UCSD 60

61 Bounding the probability that G 3 sets bad Game G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true T[P] C[i] M b [i]; S S {P} return C ] Pr [G3 A setsbad q m i=1 = m2 q(q 1) 2 n+1 σ2 2 n+1 m(i 1) 2 n Mihir Bellare UCSD 61

62 Security of CTR$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Mihir Bellare UCSD 62

63 Security of CBC$ Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K,E,D) the corresponding CBC$ symmetric encryption scheme. Exercise: Give an adversary A that makes q LR-queries, each consisting of two 1-block messages, and achieves ( ) Adv ind-cpa q 2 SE (A) = Ω The running time of A should be about O(qn log(qn)). Can you generalize this to m-block messages? What is the best advantage you can get? 2 n Mihir Bellare UCSD 63

64 Security of CBC$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CBC$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Exercise: Prove the above theorem. Mihir Bellare UCSD 64

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes Chapter 4 Symmetric Encryption The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1 ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

More information

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

More information

Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

More information

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

More information

Talk announcement please consider attending!

Talk announcement please consider attending! Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

CS 6903 Modern Cryptography February 20th, 2010

CS 6903 Modern Cryptography February 20th, 2010 CS 6903 Modern Cryptography February 20th, 2010 Lecture 5: Constructions of Symmetric Encryption Scheme Instructor: Nitesh Saxena Scribe: SherinSyriac, AvisDsouza, SaiTeja Can we use the Pseudo Random

More information

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Authenticated encryption

Authenticated encryption Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

CSA E0 235: Cryptography (29/03/2015) (Extra) Lecture 3

CSA E0 235: Cryptography (29/03/2015) (Extra) Lecture 3 CSA E0 235: Cryptography (29/03/2015) Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Mayank Tiwari Review From our discussion of perfect secrecy, we know that the notion of perfect secrecy has

More information

Lecture 9. Lecturer: Yevgeniy Dodis Spring 2012

Lecture 9. Lecturer: Yevgeniy Dodis Spring 2012 CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography Macrh 21, 2012 Lecture 9 Lecturer: Yevgeniy Dodis Spring 2012 Last time we introduced the concept of Pseudo Random Function Family (PRF),

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

1 Pseudorandom Permutations

1 Pseudorandom Permutations Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Contents. Foundations of cryptography

Contents. Foundations of cryptography Contents Foundations of cryptography Security goals and cryptographic techniques Models for evaluating security A sketch of probability theory and Shannon's theorem Birthday problems Entropy considerations

More information

Shift Cipher. Ahmet Burak Can Hacettepe University. Substitution Cipher. Enigma Machine. How perfect secrecy can be satisfied?

Shift Cipher. Ahmet Burak Can Hacettepe University. Substitution Cipher. Enigma Machine. How perfect secrecy can be satisfied? One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Basic Ciphers Shift Cipher Brute-force attack can easily break Substitution Cipher Frequency analysis

More information

On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using HMAC in NIST SP 800-90 Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

More information

Stream Ciphers. Example of Stream Decryption. Example of Stream Encryption. Real Cipher Streams. Terminology. Introduction to Modern Cryptography

Stream Ciphers. Example of Stream Decryption. Example of Stream Encryption. Real Cipher Streams. Terminology. Introduction to Modern Cryptography Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function

More information

Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

More information

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

More information

Modes of Operation of Block Ciphers

Modes of Operation of Block Ciphers Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

More information

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity. Table of contents MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Cryptographic Agility and its Relation to Circular Encryption

Cryptographic Agility and its Relation to Circular Encryption Cryptographic Agility and its Relation to Circular Encryption Tolga Acar 1 Mira Belenkiy 2 Mihir Bellare 3 David Cash 4 Abstract We initiate a provable-security treatment of cryptographic agility. A primitive

More information

MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

More information

T Cryptology Spring 2009

T Cryptology Spring 2009 T-79.5501 Cryptology Spring 2009 Homework 2 Tutor : Joo Y. Cho joo.cho@tkk.fi 5th February 2009 Q1. Let us consider a cryptosystem where P = {a, b, c} and C = {1, 2, 3, 4}, K = {K 1, K 2, K 3 }, and the

More information

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

More information

Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC. Pierre-Alain Fouque Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12. Digital signatures. 12.1 Digital signature schemes Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

More information

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

More information

Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Motivation Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

More information

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11 CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note Conditional Probability A pharmaceutical company is marketing a new test for a certain medical condition. According

More information

Ciphertext verification security of symmetric encryption schemes

Ciphertext verification security of symmetric encryption schemes www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

More information

Multi-Recipient Encryption Schemes: Efficient Constructions and their Security

Multi-Recipient Encryption Schemes: Efficient Constructions and their Security This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. Multi-Recipient

More information

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1 Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

More information

Chapter 7. Message Authentication. 7.1 The setting

Chapter 7. Message Authentication. 7.1 The setting Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

More information

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

More information

Standard Security Does Not Imply Security Against Selective-Opening

Standard Security Does Not Imply Security Against Selective-Opening Standard Security Does Not mply Security Against Selective-Opening Mihir Bellare, Rafael Dowsley, Brent Waters, Scott Yilek (UCSD, UCSD, UT Austin, U. of St. Thomas) Full version on ACR eprint archive

More information

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

More information

On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

More information

Reconsidering Generic Composition

Reconsidering Generic Composition Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the

More information

Efficient Constructions of Variable-Input-Length Block Ciphers

Efficient Constructions of Variable-Input-Length Block Ciphers Efficient Constructions of Variable-Input-Length Block Ciphers Sarvar Patel 1, Zulfikar Ramzan 2 and Ganapathy S. Sundaram 1 1 Lucent Technologies {sarvar, ganeshs}@bell-labs.com 2 DoCoMo Communications

More information

Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

More information

Cryptography and Network Security Chapter 6

Cryptography and Network Security Chapter 6 Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 6 Block Cipher Operation Many savages at the present day regard

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Roadmap on symmetric ciphers

Roadmap on symmetric ciphers Roadmap on symmetric ciphers Lecture 01: Historical ciphers (badly broken) Lecture 02: OTP (the One Time Pad cipher) Perfect Secrecy (first notion of security) Stream ciphers (making OTP practical) PRG

More information

Stronger Security Bounds for OMAC, TMAC and XCBC

Stronger Security Bounds for OMAC, TMAC and XCBC Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata,

More information

DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

Nonce-Based Symmetric Encryption

Nonce-Based Symmetric Encryption Nonce-Based Symmetric Encryption Phillip Rogaway Dept. of Computer Science, University of California, Davis, CA 95616, USA, and Dept. of Computer Science, Fac. of Science, Chiang Mai University, Chiang

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography

Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography Announcements CS43: Discrete Structures More on Cryptography and Mathematical Induction Işıl Dillig Class canceled next Thursday I am out of town Homework 4 due Oct instead of next Thursday (Oct 18) Işıl

More information

Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions

Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 0, 3st Annual International Cryptology Conference, P. Rogaway ed., LNCS, Springer, 0. Order-Preserving Encryption Revisited:

More information

Overview of Symmetric Encryption

Overview of Symmetric Encryption CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

More information

Network security and all ilabs

Network security and all ilabs Network security and all ilabs Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

AES-COPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4

AES-COPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4 Submission to the CAESAR competition AES-COPA v.2 Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4 Affiliation: 1 Dept.

More information

Homework 7. Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj.

Homework 7. Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj. Problems: 1 to 11. Homework 7 Question: 1 Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj. This is an easy problem. > uasi

More information

Lecture 2: Universality

Lecture 2: Universality CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

More information

Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer

More information

14.1 Rent-or-buy problem

14.1 Rent-or-buy problem CS787: Advanced Algorithms Lecture 14: Online algorithms We now shift focus to a different kind of algorithmic problem where we need to perform some optimization without knowing the input in advance. Algorithms

More information

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

More information

Reading 13 : Finite State Automata and Regular Expressions

Reading 13 : Finite State Automata and Regular Expressions CS/Math 24: Introduction to Discrete Mathematics Fall 25 Reading 3 : Finite State Automata and Regular Expressions Instructors: Beck Hasti, Gautam Prakriya In this reading we study a mathematical model

More information

IEEE P Wireless Sensor Interface Working Group. Security Proposal Revision 1.10

IEEE P Wireless Sensor Interface Working Group. Security Proposal Revision 1.10 Document number: P1451.5-Prop1_V1 IEEE P1451.5 Wireless Sensor Interface Working Group Security Proposal Revision 1.10 Updated 4/8/03 Prepared by: R. K. Coleman 3e Technologies International, Inc. 700

More information

Finite and discrete probability distributions

Finite and discrete probability distributions 8 Finite and discrete probability distributions To understand the algorithmic aspects of number theory and algebra, and applications such as cryptography, a firm grasp of the basics of probability theory

More information

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic

More information

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012 Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

More information

Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) All of the cryptographic algorithms we have looked at so far have some problem. The earlier ciphers can be broken with ease on modern computation systems. The DES

More information

Code-Based Game-Playing Proofs and the Security of Triple Encryption

Code-Based Game-Playing Proofs and the Security of Triple Encryption Code-Based Game-Playing Proofs and the Security of Triple Encryption Mihir Bellare Phillip Rogaway February 27, 2006 (Draft 2.2) Abstract The game-playing technique is a powerful tool for analyzing cryptographic

More information

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

More information

CS 161 Computer Security

CS 161 Computer Security Song Spring 2015 CS 161 Computer Security Discussion 11 April 7 & April 8, 2015 Question 1 RSA (10 min) (a) Describe how to find a pair of public key and private key for RSA encryption system. Find two

More information

Data Encryption A B C D E F G H I J K L M N O P Q R S T U V W X Y Z. we would encrypt the string IDESOFMARCH as follows:

Data Encryption A B C D E F G H I J K L M N O P Q R S T U V W X Y Z. we would encrypt the string IDESOFMARCH as follows: Data Encryption Encryption refers to the coding of information in order to keep it secret. Encryption is accomplished by transforming the string of characters comprising the information to produce a new

More information